636676 – (CVE-2017-16545) <media-gfx/graphicsmagick-1.3.27: Invalid colormapped index in ReadWPGImage() in coders/wpg.c

Bug 636676 (CVE-2017-16545) - <media-gfx/graphicsmagick-1.3.27: Invalid colormapped index in ReadWPGImage() in coders/wpg.c

Summary: <media-gfx/graphicsmagick-1.3.27: Invalid colormapped index in ReadWPGImage()...

Status:	RESOLVED FIXED

Alias:	CVE-2017-16545

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	http://hg.code.sf.net/p/graphicsmagic...
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2017-11-06 00:22 UTC by D'juan McDonald (domhnall)
Modified:	2018-03-26 01:46 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description D'juan McDonald (domhnall) 2017-11-06 00:22:04 UTC

CVE-2017-16545(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16545):

The ReadWPGImage function in coders/wpg.c in GraphicsMagick 1.3.26 does not properly validate colormapped images, which allows remote attackers to cause a denial of service (ImportIndexQuantumType invalid write and application crash) or possibly have unspecified other impact via a malformed WPG image.






@maintainer(s), after bump, please call stabilization when ready, thank you.

Gentoo Security Padawan
(jmbailey/mbailey_j)

Comment 1 Aaron Bauman (RETIRED) gentoo-dev

2018-03-26 01:30:43 UTC

@maintainer(s), please clean the vulnerable version from the tree.

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2018-03-26 01:46:30 UTC

cleanup will be tracked in bug #640690

GLSA Vote: No