The ReadWPGImage function in coders/wpg.c in ImageMagick 7.0.7-9 does not properly validate the colormap index in a WPG palette, which allows remote attackers to cause a denial of service (use of uninitialized data or invalid memory allocation) or possibly have unspecified other impact via a malformed WPG file.

Reproducible: Always

ImageMagick issue: https://github.com/ImageMagick/ImageMagick/issues/851

Patch referenced in CVE works: https://github.com/ImageMagick/ImageMagick/commit/e04cf3e9524f50ca336253513d977224e083b816
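The defect class named in the report is a palette record whose start index and entry count are trusted before the colormap is filled. The following is an added illustration of the validation a reader should perform; it is not ImageMagick's code and not the referenced patch, and the record layout (a hypothetical 16-bit start index, 16-bit entry count, then RGB triples) is a simplified stand-in for the real WPG format. The inputs are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical simplified palette record, NOT the real WPG on-disk layout:
   [u16 start_index LE][u16 num_entries LE][num_entries * 3 bytes RGB] */
#define MAX_COLORMAP 256

typedef struct { uint8_t r, g, b; } rgb_t;

typedef struct {
    rgb_t  colors[MAX_COLORMAP];
    size_t count;               /* number of entries that were defined */
} colormap_t;

enum { PAL_OK = 0, PAL_TRUNCATED = -1, PAL_BAD_RANGE = -2, PAL_BAD_INDEX = -3 };

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse the record into cm. Rejects ranges that would write outside the colormap
   and records shorter than they claim, so no entry is ever read uninitialized. */
int load_palette(const uint8_t *buf, size_t len, colormap_t *cm)
{
    if (len < 4) return PAL_TRUNCATED;
    uint16_t start = rd16le(buf), n = rd16le(buf + 2);
    /* validate before any allocation or write: start + n may not exceed the map */
    if (n == 0 || (size_t)start + n > MAX_COLORMAP) return PAL_BAD_RANGE;
    if (len - 4 < (size_t)n * 3) return PAL_TRUNCATED;
    memset(cm, 0, sizeof *cm);  /* entries below start are defined (black), not garbage */
    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = buf + 4 + i * 3;
        cm->colors[start + i] = (rgb_t){ e[0], e[1], e[2] };
    }
    cm->count = (size_t)start + n;
    return PAL_OK;
}

/* Resolve pixel indices through the colormap, refusing any index >= count. */
int apply_palette(const colormap_t *cm, const uint8_t *pixels, size_t n, rgb_t *out)
{
    for (size_t i = 0; i < n; i++) {
        if (pixels[i] >= cm->count) return PAL_BAD_INDEX;
        out[i] = cm->colors[pixels[i]];
    }
    return PAL_OK;
}

/* Constructed sample records */
static const uint8_t good_rec[] = { 0,0, 2,0, 255,0,0, 0,255,0 };          /* start 0, 2 entries */
static const uint8_t bad_rec[]  = { 0xF0,0x00, 0x20,0x00, 1,2,3 };          /* start 240 + 32 > 256 */

int demo_good(void)      { colormap_t cm; return load_palette(good_rec, sizeof good_rec, &cm); }
int demo_bad_range(void) { colormap_t cm; return load_palette(bad_rec, sizeof bad_rec, &cm); }
int demo_truncated(void) { colormap_t cm; return load_palette(good_rec, 8, &cm); } /* claims 2, holds 1 */
int demo_bad_index(void)
{
    colormap_t cm;
    if (load_palette(good_rec, sizeof good_rec, &cm) != PAL_OK) return 99;
    uint8_t px[] = { 0, 1, 7 };   /* index 7 is outside the 2-entry map */
    rgb_t out[3];
    return apply_palette(&cm, px, 3, out);
}
```

The two checks that matter are ordered before any write: the range test (`start + n <= MAX_COLORMAP`) prevents an out-of-bounds or oversized allocation, and the length test prevents reading past the record and leaving entries undefined; the pixel-side check catches indices that a hostile file could aim past the map even when the palette record itself is well-formed.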
@Maintainers could you confirm if SLOT 6.x.x is affected? Thank you
6.x is affected, https://github.com/ImageMagick/ImageMagick/commit/e04cf3e9524f50ca336253513d977224e083b816
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34286ccffab7bd989b57e3876707d630b339e9fb

commit 34286ccffab7bd989b57e3876707d630b339e9fb
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-11-28 23:38:01 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-11-28 23:38:19 +0000

media-gfx/imagemagick: Bump to v6.9.9.23 / 7.0.7.11

Bug: https://bugs.gentoo.org/638110
Package-Manager: Portage-2.3.16, Repoman-2.3.6

media-gfx/imagemagick/Manifest | 2 +
media-gfx/imagemagick/imagemagick-6.9.9.23.ebuild | 185 ++++++++++++++++++++++
media-gfx/imagemagick/imagemagick-7.0.7.11.ebuild | 185 ++++++++++++++++++++++
3 files changed, 372 insertions(+)
@ Arches, please test and mark stable:
=media-gfx/imagemagick-6.9.9.23: alpha amd64 arm hppa ia64 ppc ppc64 x86 sparc
=media-gfx/imagemagick-7.0.7.11: alpha amd64 arm hppa ia64 ppc ppc64 x86 sparc
x86 stable
Stable on alpha.
ia64/ppc/ppc64 stable
arm stable
obsoleted by 640692
amd64 stable https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4f7fb6982f5b6d79b81ebd232eecba3598f8e61
I think I have covered all reverse deps stable bugs now... but, please, next time remember to check for reverse deps (especially in this case, where a tracker bug existed) before CCing arches to stab. Thanks
Obsoleted by bug 640692, sparc was already handled there.
sparc stabled 7.0.7.14
Newer versions already stabilized and tree is clean of vulnerable versions WRT this bug. The stable request bugs should not be blocking this. 7.x is also stable on all stable arches. GLSA Vote: No