Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 593528 (CVE-2016-5841) - <media-gfx/imagemagick-6.9.5.5: Integer overflow in MagickCore/profile.c
Summary: <media-gfx/imagemagick-6.9.5.5: Integer overflow in MagickCore/profile.c
Status: RESOLVED FIXED
Alias: CVE-2016-5841
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-12 03:26 UTC by Ian Zimmerman
Modified: 2016-12-05 01:44 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ian Zimmerman 2016-09-12 03:26:42 UTC
According to the RedHat summary [1]:

An integer overflow vulnerability was found in MagickCore/property.c that can potentially lead to code execution.

Upstream fix is at [2].  Please note that the patch must be adjusted by approximately 's/MagickCore/magick/g' to apply to the 6.9.x series.

[1]
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5841

[2]
https://github.com/ImageMagick/ImageMagick/commit/d8ab7f046587f2e9f734b687ba7e6e10147c294b



Reproducible: Always
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-10-11 11:41:57 UTC
I am not seeing any code base similair to this in 6.9.6.2.  The same functions and values are integers in the vulnerable code vice shorts as seen in 6.9.6.2.

@zx2c4, could you take a look please?
Comment 2 Jason A. Donenfeld archtester Gentoo Infrastructure gentoo-dev Security 2016-10-18 12:13:21 UTC
If it doesn't apply cleanly, just backport the codeblocks that have the comment "Corrupt EXIF". I saw 4 places. I'm not sure if the integer casting reworking of the earlier part actually fix a vulnerability, but if they do, it means the problem is much deeper, since miscomputing read values of an input file shouldn't wind up in a vulnerability no matter what.

Alternatively, wait for ImageMagick to provide the backport or new release.
Comment 3 Thomas Deutschmann gentoo-dev Security 2016-12-05 01:39:43 UTC
When this bug was filed this was already backported, see https://github.com/ImageMagick/ImageMagick/commit/070d7f8a59b1516b166826cb25ac5556968dec84

$ git tag --contains 070d7f8a59b1516b166826cb25ac5556968dec84 | sort
6.9.4-10
6.9.5-0
6.9.5-1
[...]

First version which landed in Gentoo repository containing the fix was v 6.9.5.5.

First able version is =media-gfx/imagemagick-6.9.5.10. No vulnerable version left in repository.


@ Security: Please vote!
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-12-05 01:44:35 UTC
GLSA Vote: No