(CVE-2017-13131):https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13131 In ImageMagick 7.0.6-8, a memory leak vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (memory consumption in NewLinkedList in MagickCore/linked-list.c) via a crafted file. (CVE-2017-13132):https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13132 In ImageMagick 7.0.6-8, the WritePDFImage function in coders/pdf.c operates on an incorrect data structure in the "dump uncompressed PseudoColor packets" step, which allows attackers to cause a denial of service (assertion failure in WriteBlobStream in MagickCore/blob.c) via a crafted file. (CVE-2017-13133):https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13133 In ImageMagick 7.0.6-8, the load_level function in coders/xcf.c lacks offset validation, which allows attackers to cause a denial of service (load_tile memory exhaustion) via a crafted file. (CVE-2017-13134):https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13134 In ImageMagick 7.0.6-6, a heap-based buffer over-read was found in the function SFWScan in coders/sfw.c, which allows attackers to cause a denial of service via a crafted file.
@maintainer(s), @security, upstream has already fixed these issues. https://github.com/ImageMagick/ImageMagick/issues?q=label%3Abug+is%3Aclosed
Patch:CVE-2017-13134( https://github.com/ImageMagick/ImageMagick/commit/1b234b4fe2ec864b2d5af898a31c06c9736da904 ) Patch:CVE-2017-13132( https://github.com/ImageMagick/ImageMagick/commit/73a2bad43d157acfe360595feee739b4cc4406cb ) Patch:CVE-2017-13131( https://github.com/ImageMagick/ImageMagick/commit/3ac6c73d39d59a7b0285b3756810272121759a31 ) Patch:CVE-2017-13133( https://github.com/ImageMagick/ImageMagick/commit/19dbe11c5060f66abb393d1945107c5f54894fa8 )
Fixed in Gentoo via https://github.com/gentoo/gentoo/commit/c1a4d3964144758b282be963b36aaddcef3a4db8#diff-c3da9b5318c1a67d6927fb8032d46fe5
This issue was resolved and addressed in GLSA 201711-07 at https://security.gentoo.org/glsa/201711-07 by GLSA coordinator Aaron Bauman (b-man).