Bug 628702 (CVE-2017-13139, CVE-2017-13140, CVE-2017-13141, CVE-2017-13142, CVE-2017-13143, CVE-2017-13144, CVE-2017-13145, CVE-2017-13146) - <media-gfx/imagemagick-{6.9.8.6,7.0.5.7}: Multiple Vulnerabilities in coders.c (CVE-2017-{13139,13140,13141,13142,13143,13144,13145,13146})
Summary: <media-gfx/imagemagick-{6.9.8.6,7.0.5.7}: Multiple Vulnerabilities in coders....
Status: RESOLVED FIXED
Alias: CVE-2017-13139, CVE-2017-13140, CVE-2017-13141, CVE-2017-13142, CVE-2017-13143, CVE-2017-13144, CVE-2017-13145, CVE-2017-13146
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Reported: 2017-08-23 10:34 UTC by D'juan McDonald (domhnall)
Modified: 2017-11-11 14:17 UTC
Description D'juan McDonald (domhnall) 2017-08-23 10:34:54 UTC
CVE-2017-13139: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13139
In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, the ReadOneMNGImage function in coders/png.c has an out-of-bounds read with the MNG CLIP chunk.

CVE-2017-13140: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13140
In ImageMagick before 6.9.9-1 and 7.x before 7.0.6-2, the ReadOnePNGImage function in coders/png.c allows remote attackers to cause a denial of service (application hang in LockSemaphoreInfo) via a PNG file with a width equal to MAGICK_WIDTH_LIMIT.

CVE-2017-13141: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13141
In ImageMagick before 6.9.9-4 and 7.x before 7.0.6-4, a crafted file could trigger a memory leak in ReadOnePNGImage in coders/png.c.

CVE-2017-13142: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13142
In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, a crafted PNG file could trigger a crash because there was an insufficient check for short files.

CVE-2017-13143: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13143
In ImageMagick before 6.9.7-6 and 7.x before 7.0.4-6, the ReadMATImage function in coders/mat.c uses uninitialized data, which might allow remote attackers to obtain sensitive information from process memory.

CVE-2017-13144: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13144
In ImageMagick before 6.9.7-10, there is a crash (rather than a "width or height exceeds limit" error report) if the image dimensions are too large, as demonstrated by use of the mpc coder.

CVE-2017-13145: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13145
In ImageMagick before 6.9.8-8 and 7.x before 7.0.5-9, the ReadJP2Image function in coders/jp2.c does not properly validate the channel geometry, leading to a crash.

CVE-2017-13146: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13146
In ImageMagick before 6.9.8-5 and 7.x before 7.0.5-6, there is a memory leak in the ReadMATImage function in coders/mat.c.
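The eight descriptions above each give a different "fixed in" release on the 6.x and 7.x branches, which makes it easy to misjudge which CVEs still apply to a given install. The script below is an added triage example, not part of the bug report and not ImageMagick or Gentoo tooling: it parses an ImageMagick version string (upstream "6.9.8-6" or Gentoo's "6.9.8.6" spelling, an assumption made for convenience) and reports which of these CVEs the upstream ranges still cover. The thresholds are taken verbatim from the NVD text quoted above; CVE-2017-13144 names no 7.x release, so the script reports it as undetermined for 7.x rather than silently treating it as fixed.

```python
"""
Added triage helper for CVE-2017-13139..13146 (example code, not from the bug
or from ImageMagick/Gentoo).  FIXED_IN is copied from the NVD descriptions
quoted in the bug; accepting both '6.9.8-6' and '6.9.8.6' is an assumption.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# cve -> (first fixed 6.x release, first fixed 7.x release or None when the
# description names no 7.x threshold at all)
FIXED_IN: Dict[str, Tuple[str, Optional[str]]] = {
    "CVE-2017-13139": ("6.9.9-0", "7.0.6-1"),
    "CVE-2017-13140": ("6.9.9-1", "7.0.6-2"),
    "CVE-2017-13141": ("6.9.9-4", "7.0.6-4"),
    "CVE-2017-13142": ("6.9.9-0", "7.0.6-1"),
    "CVE-2017-13143": ("6.9.7-6", "7.0.4-6"),
    "CVE-2017-13144": ("6.9.7-10", None),
    "CVE-2017-13145": ("6.9.8-8", "7.0.5-9"),
    "CVE-2017-13146": ("6.9.8-5", "7.0.5-6"),
}

# upstream writes the patch level after a dash, Gentoo ebuilds after a dot
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)[-.](\d+)$")


def parse_version(text: str) -> Version:
    """Turn '6.9.8-6' or '6.9.8.6' into a comparable 4-tuple.

    Anything that does not match the four-part shape is rejected instead of
    guessed at, so a typo cannot silently compare as 'fixed'.
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised ImageMagick version: {text!r}")
    major, minor, micro, patch = (int(part) for part in m.groups())
    return (major, minor, micro, patch)


def affected_cves(version: str) -> Tuple[List[str], List[str]]:
    """Return (affected, undetermined) CVE ids for an installed version.

    'affected'     : version is below the fixed-in release of its own branch.
    'undetermined' : the description gives no threshold for this branch, so
                     the reviewer must check upstream rather than assume.
    """
    installed = parse_version(version)
    major = installed[0]
    if major not in (6, 7):
        raise ValueError(f"only ImageMagick 6.x and 7.x are covered: {version!r}")
    affected: List[str] = []
    undetermined: List[str] = []
    for cve, (fix6, fix7) in sorted(FIXED_IN.items()):
        threshold = fix6 if major == 6 else fix7
        if threshold is None:
            undetermined.append(cve)
        elif installed < parse_version(threshold):
            affected.append(cve)
    return affected, undetermined


if __name__ == "__main__":
    # usage: python3 im_cve_check.py 6.9.8.6 7.0.5-7   (defaults are constructed samples)
    for arg in sys.argv[1:] or ["6.9.8-6", "7.0.5-7"]:
        hit, unknown = affected_cves(arg)
        print(f"{arg}: affected={hit or 'none'} undetermined={unknown or 'none'}")
```

The comparison is done per major branch on purpose: a plain tuple compare would rank every 7.x build above every 6.x threshold and report nothing. Note that the result reflects upstream release numbering only; a distribution package can carry backported fixes below those numbers, so on Gentoo the authoritative line is the bug's own fixed versions (media-gfx/imagemagick 6.9.8.6 and 7.0.5.7), not the upstream threshold.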
Comment 1 D'juan McDonald (domhnall) 2017-08-23 20:51:07 UTC
@maintainer(s), pulled this from the site. 

Quote from mikayla-grace, commented Aug 22, 2017 (edited):
"Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.
See #77fcc8d92 and #d3144a8be."

...please follow up with a comment.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-10-23 17:07:25 UTC
CVE-2017-13146 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13146):
  In ImageMagick before 6.9.8-5 and 7.x before 7.0.5-6, there is a memory leak
  in the ReadMATImage function in coders/mat.c.

CVE-2017-13145 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13145):
  In ImageMagick before 6.9.8-8 and 7.x before 7.0.5-9, the ReadJP2Image
  function in coders/jp2.c does not properly validate the channel geometry,
  leading to a crash.

CVE-2017-13144 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13144):
  In ImageMagick before 6.9.7-10, there is a crash (rather than a "width or
  height exceeds limit" error report) if the image dimensions are too large,
  as demonstrated by use of the mpc coder.

CVE-2017-13143 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13143):
  In ImageMagick before 6.9.7-6 and 7.x before 7.0.4-6, the ReadMATImage
  function in coders/mat.c uses uninitialized data, which might allow remote
  attackers to obtain sensitive information from process memory.

CVE-2017-13142 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13142):
  In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, a crafted PNG file
  could trigger a crash because there was an insufficient check for short
  files.

CVE-2017-13141 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13141):
  In ImageMagick before 6.9.9-4 and 7.x before 7.0.6-4, a crafted file could
  trigger a memory leak in ReadOnePNGImage in coders/png.c.

CVE-2017-13140 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13140):
  In ImageMagick before 6.9.9-1 and 7.x before 7.0.6-2, the ReadOnePNGImage
  function in coders/png.c allows remote attackers to cause a denial of
  service (application hang in LockSemaphoreInfo) via a PNG file with a width
  equal to MAGICK_WIDTH_LIMIT.

CVE-2017-13139 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13139):
  In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, the ReadOneMNGImage
  function in coders/png.c has an out-of-bounds read with the MNG CLIP chunk.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-28 15:46:23 UTC
This is an old one, in repository via https://github.com/gentoo/gentoo/commit/c5ace3d24cc6a01f7840d8f3f30cf36365d0d329
Comment 4 D'juan McDonald (domhnall) 2017-10-28 20:39:11 UTC
Added to existing GLSA request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-11-11 14:17:19 UTC
This issue was resolved and addressed in
GLSA 201711-07 at https://security.gentoo.org/glsa/201711-07
by GLSA coordinator Aaron Bauman (b-man).