Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 643560 (CVE-2017-17879, CVE-2017-17914) - <media-gfx/imagemagick-{6.9.9.31,7.0.7.19}: multiple vulnerabilities
Summary: <media-gfx/imagemagick-{6.9.9.31,7.0.7.19}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-17879, CVE-2017-17914
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-01-05 15:20 UTC by GLSAMaker/CVETool Bot
Modified: 2018-04-21 19:17 UTC (History)
1 user (show)

See Also:
Package list:
media-gfx/imagemagick-6.9.9.31 media-gfx/imagemagick-7.0.7.19
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-01-05 15:20:25 UTC
CVE-2017-17879 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17879):
  In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a heap-based buffer
  over-read in ReadOneMNGImage in coders/png.c, related to length calculation
  and caused by an off-by-one error.

CVE-2017-17914 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17914):
  In ImageMagick 7.0.7-16 Q16, a vulnerability was found in the function
  ReadOnePNGImage in coders/png.c, which allows attackers to cause a denial of
  service (ReadOneMNGImage large loop) via a crafted mng image file.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-05 15:30:51 UTC
@ Arches,

please test and mark stable:

  =media-gfx/imagemagick-6.9.9.31
  =media-gfx/imagemagick-7.0.7.19
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-06 05:26:04 UTC
x86 stable
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-06 11:42:44 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 4 Agostino Sarubbo gentoo-dev 2018-01-06 17:54:18 UTC
amd64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-06 21:35:27 UTC
ppc/ppc64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-06 22:32:10 UTC
ia64 stable
Comment 7 Markus Meier gentoo-dev 2018-01-07 20:53:02 UTC
arm stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-09 07:52:06 UTC
hppa stable (thanks to Rolf Eike Beer)
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2018-01-20 18:49:08 UTC
Stable on alpha.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2018-01-20 19:41:00 UTC
All arches stable.

@maintainer(s), please clean the vulnerable versions from the tree:

GLSA Vote: No

=media-gfx/imagemagick-6.9.9.23
=media-gfx/imagemagick-6.9.9.26

=media-gfx/imagemagick-7.0.7.11
=media-gfx/imagemagick-7.0.7.14
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2018-04-21 19:17:23 UTC
Cleaned up, repository is clean, all done.