Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 625404 (CVE-2017-11352) - <media-gfx/imagemagick-{6.9.9.0,7.0.6.1}: Improper EOF handling in coders/rle.c can trigger crash
Summary: <media-gfx/imagemagick-{6.9.9.0,7.0.6.1}: Improper EOF handling in coders/rle...
Status: RESOLVED FIXED
Alias: CVE-2017-11352
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2017/q3/172
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-6497, CVE-2017-6498, CVE-2017-6499, CVE-2017-6500, CVE-2017-6501, CVE-2017-6502
  Show dependency tree
 
Reported: 2017-07-17 13:13 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2017-09-17 20:53 UTC (History)
1 user (show)

See Also:
Package list:
media-gfx/imagemagick-6.9.9.0
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-17 13:13:45 UTC
From $URL:

In ImageMagick before 7.0.5-10, a crafted RLE image can trigger a
crash because of incorrect EOF handling in coders/rle.c. This is
caused by an incomplete fix of CVE-2017-9144.

Upstream reference:
https://github.com/ImageMagick/ImageMagick/issues/502

Upstream fix (ImageMagick-7):
https://github.com/ImageMagick/ImageMagick/commit/86cb33143c5b21912187403860a7c26761a3cd23

Upstream fix (ImageMagick-6):

https://github.com/ImageMagick/ImageMagick/commit/7f1f01b695e869c410ee10e2176f8fd764f09373

MITRE has assigned CVE-2017-11352 for this issue.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-07-21 11:27:02 UTC
@ Arches,

please test and mark stable: =media-gfx/imagemagick-6.9.9.0
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2017-07-21 21:03:58 UTC
ia64 stable
Comment 3 Markus Meier gentoo-dev 2017-07-25 18:52:57 UTC
arm stable
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-31 11:37:36 UTC
Stable on amd64.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-18 21:04:15 UTC
x86 stable
Comment 6 Matt Turner gentoo-dev 2017-08-31 15:21:56 UTC
alpha stable
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2017-09-05 05:37:15 UTC
PPC / PPC please complete stabilization on this security bug.
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-08 22:50:08 UTC
hppa/sparc stable (tested by Dakon)
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-09 17:17:13 UTC
stable 6.9.9.0 for ppc/ppc64

Last arches are done.
Comment 10 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-09 17:28:37 UTC
Thank you.

@Maintainers please drop vulnerable versions.

@Security please vote.


Gentoo Security Padawan
ChrisADR
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-09-17 20:53:02 UTC
GLSA Vote: No

Tree is clean.