Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 596004 (CVE-2016-7906) - <media-gfx/imagemagick-6.9.6.2: use after free
Summary: <media-gfx/imagemagick-6.9.6.2: use after free
Status: RESOLVED FIXED
Alias: CVE-2016-7906
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, CVE-2016-3718, CVE-2016–3714 CVE-2016-5010 CVE-2016-5842 CVE-2016-6491 595200 CVE-2016-7799
  Show dependency tree
 
Reported: 2016-10-03 03:18 UTC by Ian Zimmerman
Modified: 2017-02-17 08:05 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ian Zimmerman 2016-10-03 03:18:00 UTC 
According to the announcement on oss-security:

imagemagick identify suffers of a use after free issue, which I reported
and has been patched, you can find a reproducer in the github bug tracker
issue link

issue:
https://github.com/ImageMagick/ImageMagick/issues/281

patch:
https://github.com/ImageMagick/ImageMagick/commit/d63a3c5729df59f183e9e110d5d8385d17caaad0


Reproducible: Always
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-10-11 12:27:32 UTC 
@arches, please stabilize:

=media-gfx/imagemagick-6.9.6.2
Comment 2 Tobias Klausmann (RETIRED) gentoo-dev 2016-10-11 14:18:34 UTC 
Stable on alpha
Comment 3 Agostino Sarubbo gentoo-dev 2016-10-11 15:51:37 UTC 
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-10-12 10:09:36 UTC 
Stable for PPC64.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-10-14 05:43:07 UTC 
Stable for HPPA.
Comment 6 Markus Meier gentoo-dev 2016-10-24 18:07:58 UTC 
arm stable
Comment 7 Markus Meier gentoo-dev 2016-10-26 16:34:58 UTC 
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-11-20 13:46:30 UTC 
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-11-27 11:40:29 UTC 
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-11-28 09:35:43 UTC 
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-11-28 09:38:56 UTC 
ia64 stable.

Maintainer(s), please cleanup.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-11-30 21:45:47 UTC 
This issue was resolved and addressed in
 GLSA 201611-21 at https://security.gentoo.org/glsa/201611-21
by GLSA coordinator Aaron Bauman (b-man).
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2016-11-30 21:55:55 UTC 
@graphics, please clean:

media-gfx/imagemagick-6.9.5.10
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-17 08:05:27 UTC 
Repository is now clean, all done.