It has been reported on the oss-security mailing list, imagemagick [IM] suffers from multiple flaws that have been fixed upstream and in Debian. The followup message on the same mailing list provides the CVE numbers:

> [] coders/ipl.c: "ipl file missing malloc check"
> Debian Bug: https://bugs.debian.org/851485
> Fixed by: https://github.com/ImageMagick/ImageMagick/commit/97566cf2806c0a5a86e884c96831a0c3b1ec6c20

Use CVE-2016-10144.

> [] coders/wpg.c: off-by-one error
> Debian Bug: https://bugs.debian.org/851483
> Fixed by: https://github.com/ImageMagick/ImageMagick/commit/d23beebe7b1179fb75db1e85fbca3100e49593d9

Use CVE-2016-10145.

> [] magick/profile.c: double-free memory corruption
> Debian Bug: https://bugs.debian.org/851383
> Upstream Bug: https://github.com/ImageMagick/ImageMagick/issues/354
> Fixed by: https://github.com/ImageMagick/ImageMagick/commit/6235f1f7a9f7b0f83b197f6cd0073dbb6602d0fb

Use CVE-2017-5506.

> [] coders/mpc.c: memory leak in mpc file handling
> Debian Bug: https://bugs.debian.org/851382
> Fixed by: https://github.com/ImageMagick/ImageMagick/commit/4493d9ca1124564da17f9b628ef9d0f1a6be9738

Use CVE-2017-5507.

> [] PushQuantumPixel heap buffer-overflow
> Debian Bug: https://bugs.debian.org/851381
> Upstream report: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31161
> https://github.com/ImageMagick/ImageMagick/commit/c073a7712d82476b5fbee74856c46b88af9c3175

Use CVE-2017-5508.

> [] memory leak in caption and label handling
> Debian Bug: https://bugs.debian.org/851380
> Fixed by: https://github.com/ImageMagick/ImageMagick/commit/aeff00de228bc5a158c2a975ab47845d8a1db456

Use CVE-2016-10146.

> [] coders/psd.c: out-of-bounds write flaw in psd file handling
> Debian Bug: https://bugs.debian.org/851377
> Upstream report: https://github.com/ImageMagick/ImageMagick/issues/350

Use CVE-2017-5509.

> [] coders/psd.c: out-of-bounds write flaw in psd file handling
> (different issue from the above)
> Debian Bug: https://bugs.debian.org/851376
> Upstream report: https://github.com/ImageMagick/ImageMagick/issues/348

Use CVE-2017-5510.

> [] coders/psd.c: memory corruption heap overflow
> Debian Bug: https://bugs.debian.org/851374
> Upstream report: https://github.com/ImageMagick/ImageMagick/issues/347

Use CVE-2017-5511.

Reproducible: Always
Thanks for the report!

(In reply to behemothchess from comment #0)
> It has been reported on the oss-security mailing list, imagemagick [IM]
> suffers from multiple flaws that have been fixed upstream and in Debian.
> The followup message on the same mailing list provides the CVE numbers:
>
> > [] coders/ipl.c: "ipl file missing malloc check"
> > Debian Bug: https://bugs.debian.org/851485
> > Fixed by: https://github.com/ImageMagick/ImageMagick/commit/97566cf2806c0a5a86e884c96831a0c3b1ec6c20
>
> Use CVE-2016-10144.

$ git tag --contains 97566cf2806c0a5a86e884c96831a0c3b1ec | sort -u
6.9.7-1
6.9.7-2
6.9.7-3
6.9.7-4

> > [] coders/wpg.c: off-by-one error
> > Debian Bug: https://bugs.debian.org/851483
> > Fixed by: https://github.com/ImageMagick/ImageMagick/commit/d23beebe7b1179fb75db1e85fbca3100e49593d9
>
> Use CVE-2016-10145.

$ git tag --contains d23beebe7b1179fb75db1e85fbca3100e495 | sort -u
6.9.7-1
6.9.7-2
6.9.7-3
6.9.7-4

> > [] magick/profile.c: double-free memory corruption
> > Debian Bug: https://bugs.debian.org/851383
> > Upstream Bug: https://github.com/ImageMagick/ImageMagick/issues/354
> > Fixed by: https://github.com/ImageMagick/ImageMagick/commit/6235f1f7a9f7b0f83b197f6cd0073dbb6602d0fb
>
> Use CVE-2017-5506.

$ git tag --contains 6235f1f7a9f7b0f83b197f6cd0073dbb6602 | sort -u
6.9.7-4

> > [] coders/mpc.c: memory leak in mpc file handling
> > Debian Bug: https://bugs.debian.org/851382
> > Fixed by: https://github.com/ImageMagick/ImageMagick/commit/4493d9ca1124564da17f9b628ef9d0f1a6be9738
>
> Use CVE-2017-5507.

$ git tag --contains 4493d9ca1124564da17f9b628ef9d0f1a6be | sort -u
6.9.7-4

> > [] PushQuantumPixel heap buffer-overflow
> > Debian Bug: https://bugs.debian.org/851381
> > Upstream report: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31161
> > https://github.com/ImageMagick/ImageMagick/commit/c073a7712d82476b5fbee74856c46b88af9c3175
>
> Use CVE-2017-5508.

$ git tag --contains c073a7712d82476b5fbee74856c46b88af9c | sort -u
6.9.7-3
6.9.7-4

> > [] memory leak in caption and label handling
> > Debian Bug: https://bugs.debian.org/851380
> > Fixed by: https://github.com/ImageMagick/ImageMagick/commit/aeff00de228bc5a158c2a975ab47845d8a1db456
>
> Use CVE-2016-10146.

$ git tag --contains aeff00de228bc5a158c2a975ab47845d8a1d | sort -u
6.9.6-8
6.9.7-0
6.9.7-1
6.9.7-2
6.9.7-3
6.9.7-4

> > [] coders/psd.c: out-of-bounds write flaw in psd file handling
> > Debian Bug: https://bugs.debian.org/851377
> > Upstream report: https://github.com/ImageMagick/ImageMagick/issues/350
>
> Use CVE-2017-5509.

https://github.com/ImageMagick/ImageMagick/commit/37a1710e2dab6ed91128ea648d654a22fbe2a6af

$ git tag --contains 37a1710e2dab6ed91128ea648d654a22fbe2a6af | sort -u
6.9.7-4

> > [] coders/psd.c: out-of-bounds write flaw in psd file handling
> > (different issue from the above)
> > Debian Bug: https://bugs.debian.org/851376
> > Upstream report: https://github.com/ImageMagick/ImageMagick/issues/348
>
> Use CVE-2017-5510.

https://github.com/ImageMagick/ImageMagick/commit/e87af64b1ff1635a32d9b6162f1b0e260fb54ed9

$ git tag --contains e87af64b1ff1635a32d9b6162f1b0e260fb54ed9 | sort -u
6.9.7-4

> > [] coders/psd.c: memory corruption heap overflow
> > Debian Bug: https://bugs.debian.org/851374
> > Upstream report: https://github.com/ImageMagick/ImageMagick/issues/347
>
> Use CVE-2017-5511.

https://github.com/ImageMagick/ImageMagick/commit/7d65a814ac76bd04760072c33e452371692ee790

$ git tag --contains 7d65a814ac76bd04760072c33e452371692ee790 | sort -u
6.9.7-3
6.9.7-4

@ Maintainer(s): To catch all reported vulnerabilities please bump to >=media-gfx/imagemagick-6.9.7.4!
commit fe5350e4d1132f9428348c0a9af0f0fb384786a6
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sat Jan 21 02:52:25 2017

    media-gfx/imagemagick: Security bump to versions 6.9.7.4 and 7.0.4.4

    Gentoo bug #606654

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
@ Arches, please test and mark stable: =media-gfx/imagemagick-6.9.7.4
Stable on alpha.
amd64 stable
x86 stable
ppc stable
sparc stable
Stable for HPPA.
ia64 stable
ppc64 stable
arm stable, all arches done.
GLSA request filed
This issue was resolved and addressed in GLSA 201702-09 at https://security.gentoo.org/glsa/201702-09 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup.

@ Maintainer(s): Please clean up and drop =media-gfx/imagemagick-6.9.6.6!
Repository is now clean.