Bug 635664 (CVE-2017-13768, CVE-2017-13769) - <media-gfx/imagemagick-{6.9.9.18,7.0.7.6}: Multiple vulnerabilities (CVE-2017-{13768,13768})
Summary: <media-gfx/imagemagick-{6.9.9.18,7.0.7.6}: Multiple vulnerabilities (CVE-2017...
Status: RESOLVED FIXED
Alias: CVE-2017-13768, CVE-2017-13769
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/ImageMagick/ImageM...
Whiteboard: B3 [glsa cve]
Reported: 2017-10-28 08:15 UTC by GLSAMaker/CVETool Bot
Modified: 2017-11-11 14:18 UTC

Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-28 08:15:09 UTC
CVE-2017-13769 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13769):
  The WriteTHUMBNAILImage function in coders/thumbnail.c in ImageMagick
  through 7.0.6-10 allows an attacker to cause a denial of service (buffer
  over-read) by sending a crafted JPEG file.

CVE-2017-13768 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13768):
  Null Pointer Dereference in the IdentifyImage function in
  MagickCore/identify.c in ImageMagick through 7.0.6-10 allows an attacker to
  perform denial of service by sending a crafted image file.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-28 08:16:46 UTC
@Maintainers please let us know when tree is clean.

Thank you
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-28 15:34:46 UTC
Upstream patch for IM7: https://github.com/ImageMagick/ImageMagick/commit/152e510e2b7858efe5992ed95090d8e0049417f3

In:

7.0.7-0
7.0.7-1
7.0.7-2
7.0.7-3
7.0.7-4
7.0.7-5
7.0.7-6
7.0.7-8
7.0.7.7


Upstream patch for IM6: https://github.com/ImageMagick/ImageMagick/commit/2c1b360d80e5f8f7c7108c0afedde64ab79318ff

In:

6.9.9-11
6.9.9-12
6.9.9-13
6.9.9-14
6.9.9-15
6.9.9-17
6.9.9-18
6.9.9-19
6.9.9-20

Fixed in Gentoo via https://github.com/gentoo/gentoo/commit/e55c500d5efec48f8fb7aa3da8b27b9dc0b30dbf#diff-c3da9b5318c1a67d6927fb8032d46fe5
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-11-11 14:18:29 UTC
This issue was resolved and addressed in GLSA 201711-07 at https://security.gentoo.org/glsa/201711-07 by GLSA coordinator Aaron Bauman (b-man).