Bug 599744 (CVE-2016-9298) - <media-gfx/imagemagick-{,}: Off by one memory allocation in WaveletDenoiseImage()
Alias: CVE-2016-9298
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
Reported: 2016-11-15 00:32 UTC by Thomas Deutschmann
Modified: 2017-02-17 08:13 UTC

Runtime testing required: ---
kensington: sanity-check+


Description Thomas Deutschmann gentoo-dev Security 2016-11-15 00:32:41 UTC
media-gfx/imagemagick before 3cbfb163cff9e5b8cdeace8312e9bfee810ed02b
suffers from a heap overflow in WaveletDenoiseImage(). This problem is
easily triggerable from a perl script.

Comment 1 Thomas Deutschmann gentoo-dev Security 2016-11-15 00:39:03 UTC
Patched version is already in the Gentoo repository:

@ Maintainer(s): In case we need to stabilize the package, please let us know if it is ready for the stabilization or not (there's currently a package.mask in place, see
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-11-29 19:13:30 UTC
Lars told me today that the fix should also be in 6.9.x and he is right:

$ git tag --contains d2d9c8feb028570c592a438a5f4d4191391402bd | sort

v6.9.6-4, the first version containing the fix, landed in Gentoo repository via

@ Arches,

please test and mark stable: =media-gfx/imagemagick-
Comment 3 Markus Meier gentoo-dev 2016-11-30 19:39:31 UTC
arm stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-12-01 12:52:13 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-12-01 12:54:54 UTC
x86 stable
Comment 6 Tobias Klausmann gentoo-dev 2016-12-02 14:21:31 UTC
Stable on alpha.
Comment 7 Agostino Sarubbo gentoo-dev 2016-12-19 14:39:41 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-12-19 15:16:11 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-20 09:49:12 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-12-22 09:37:48 UTC
ppc64 stable
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-11 03:36:44 UTC
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-12 09:31:44 UTC
Stable for HPPA.
Comment 13 Thomas Deutschmann gentoo-dev Security 2017-01-21 00:47:06 UTC
New GLSA request filed.

@ Maintainer(s): Please clean up and drop =media-gfx/imagemagick-!
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-02-17 08:13:24 UTC
This issue was resolved and addressed in
 GLSA 201702-09 at
by GLSA coordinator Thomas Deutschmann (whissi).