Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 625404 (CVE-2017-11352) - <media-gfx/imagemagick-{6.9.9.0,7.0.6.1}: Improper EOF handling in coders/rle.c can trigger crash
Summary: <media-gfx/imagemagick-{6.9.9.0,7.0.6.1}: Improper EOF handling in coders/rle...
Status: RESOLVED FIXED
Alias: CVE-2017-11352
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2017/q3/172
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-6497, CVE-2017-6498, CVE-2017-6499, CVE-2017-6500, CVE-2017-6501, CVE-2017-6502
  Show dependency tree
 
Reported: 2017-07-17 13:13 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2017-09-17 20:53 UTC (History)
1 user (show)

See Also:
Package list:
media-gfx/imagemagick-6.9.9.0
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-17 13:13:45 UTC 
From $URL:

In ImageMagick before 7.0.5-10, a crafted RLE image can trigger a
crash because of incorrect EOF handling in coders/rle.c. This is
caused by an incomplete fix of CVE-2017-9144.

Upstream reference:
https://github.com/ImageMagick/ImageMagick/issues/502

Upstream fix (ImageMagick-7):
https://github.com/ImageMagick/ImageMagick/commit/86cb33143c5b21912187403860a7c26761a3cd23

Upstream fix (ImageMagick-6):

https://github.com/ImageMagick/ImageMagick/commit/7f1f01b695e869c410ee10e2176f8fd764f09373

MITRE has assigned CVE-2017-11352 for this issue.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-07-21 11:27:02 UTC 
@ Arches,

please test and mark stable: =media-gfx/imagemagick-6.9.9.0
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2017-07-21 21:03:58 UTC 
ia64 stable
Comment 3 Markus Meier gentoo-dev 2017-07-25 18:52:57 UTC 
arm stable
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-31 11:37:36 UTC 
Stable on amd64.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-18 21:04:15 UTC 
x86 stable
Comment 6 Matt Turner gentoo-dev 2017-08-31 15:21:56 UTC 
alpha stable
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2017-09-05 05:37:15 UTC 
PPC / PPC please complete stabilization on this security bug.
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-08 22:50:08 UTC 
hppa/sparc stable (tested by Dakon)
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-09 17:17:13 UTC 
stable 6.9.9.0 for ppc/ppc64

Last arches are done.
Comment 10 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-09 17:28:37 UTC 
Thank you.

@Maintainers please drop vulnerable versions.

@Security please vote.


Gentoo Security Padawan
ChrisADR
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-09-17 20:53:02 UTC 
GLSA Vote: No

Tree is clean.