Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 606654 (CVE-2016-10144, CVE-2016-10145, CVE-2016-10146, CVE-2017-5506, CVE-2017-5507, CVE-2017-5508, CVE-2017-5509, CVE-2017-5510, CVE-2017-5511) - <media-gfx/imagemagick-6.9.7.4: multiple vulnerabilities
Summary: <media-gfx/imagemagick-6.9.7.4: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-10144, CVE-2016-10145, CVE-2016-10146, CVE-2017-5506, CVE-2017-5507, CVE-2017-5508, CVE-2017-5509, CVE-2017-5510, CVE-2017-5511
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://openwall.com/lists/oss-securit...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-21 00:06 UTC by Ian Zimmerman
Modified: 2017-03-02 18:07 UTC (History)
1 user (show)

See Also:
Package list:
=media-gfx/imagemagick-6.9.7.4
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ian Zimmerman 2017-01-21 00:06:52 UTC
It has been reported on the oss-security mailing list, imagemagick [IM] suffers from multiple flaws that have been fixed upstream and in Debian.  The followup message on the same mailing list provides the CVE numbers:

> [] coders/ipl.c: "ipl file missing malloc check"
> Debian Bug: https://bugs.debian.org/851485
> Fixed by:
https://github.com/ImageMagick/ImageMagick/commit/97566cf2806c0a5a86e884c96831a0c3b1ec
6c20

Use CVE-2016-10144.

> [] coders/wpg.c: off-by-one error
> Debian Bug: https://bugs.debian.org/851483
> Fixed by:
https://github.com/ImageMagick/ImageMagick/commit/d23beebe7b1179fb75db1e85fbca3100e495
93d9

Use CVE-2016-10145.

> [] magick/profile.c: double-free memory corruption
> Debian Bug: https://bugs.debian.org/851383
> Upstream Bug: https://github.com/ImageMagick/ImageMagick/issues/354
> Fixed by:
https://github.com/ImageMagick/ImageMagick/commit/6235f1f7a9f7b0f83b197f6cd0073dbb6602
d0fb

Use CVE-2017-5506.


> [] coders/mpc.c: memory leak in mpc file handling
> Debian Bug: https://bugs.debian.org/851382
> Fixed by:
https://github.com/ImageMagick/ImageMagick/commit/4493d9ca1124564da17f9b628ef9d0f1a6be
9738

Use CVE-2017-5507.


> [] PushQuantumPixel heap buffer-overflow
> Debian Bug: https://bugs.debian.org/851381
> Upstream report:
https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31161
>
https://github.com/ImageMagick/ImageMagick/commit/c073a7712d82476b5fbee74856c46b88af9c
3175

Use CVE-2017-5508.

> [] memory leak in caption and label handling
> Debian Bug: https://bugs.debian.org/851380
> Fixed by:
https://github.com/ImageMagick/ImageMagick/commit/aeff00de228bc5a158c2a975ab47845d8a1d
b456

Use CVE-2016-10146.


> [] coders/psd.c: out-of-bounds write flaw in psd file handling
> Debian Bug: https://bugs.debian.org/851377
> Upstream report: https://github.com/ImageMagick/ImageMagick/issues/350

Use CVE-2017-5509.


> [] coders/psd.c: out-of-bounds write flaw in psd file handling
> (different issue from the above)
> Debian Bug: https://bugs.debian.org/851376
> Upstream report: https://github.com/ImageMagick/ImageMagick/issues/348

Use CVE-2017-5510.


> [] coders/psd.c: memory corruption heap overflow
> Debian Bug: https://bugs.debian.org/851374
> Upstream report: https://github.com/ImageMagick/ImageMagick/issues/347

Use CVE-2017-5511.


Reproducible: Always
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-21 00:40:44 UTC
Thanks for the report!


(In reply to behemothchess from comment #0)
> It has been reported on the oss-security mailing list, imagemagick [IM]
> suffers from multiple flaws that have been fixed upstream and in Debian. 
> The followup message on the same mailing list provides the CVE numbers:
> 
> > [] coders/ipl.c: "ipl file missing malloc check"
> > Debian Bug: https://bugs.debian.org/851485
> > Fixed by:
> https://github.com/ImageMagick/ImageMagick/commit/
> 97566cf2806c0a5a86e884c96831a0c3b1ec
> 6c20
> 
> Use CVE-2016-10144.

$ git tag --contains 97566cf2806c0a5a86e884c96831a0c3b1ec | sort -u
6.9.7-1
6.9.7-2
6.9.7-3
6.9.7-4


> > [] coders/wpg.c: off-by-one error
> > Debian Bug: https://bugs.debian.org/851483
> > Fixed by:
> https://github.com/ImageMagick/ImageMagick/commit/
> d23beebe7b1179fb75db1e85fbca3100e495
> 93d9
> 
> Use CVE-2016-10145.

$ git tag --contains d23beebe7b1179fb75db1e85fbca3100e495 | sort -u
6.9.7-1
6.9.7-2
6.9.7-3
6.9.7-4


> > [] magick/profile.c: double-free memory corruption
> > Debian Bug: https://bugs.debian.org/851383
> > Upstream Bug: https://github.com/ImageMagick/ImageMagick/issues/354
> > Fixed by:
> https://github.com/ImageMagick/ImageMagick/commit/
> 6235f1f7a9f7b0f83b197f6cd0073dbb6602
> d0fb
> 
> Use CVE-2017-5506.

$ git tag --contains 6235f1f7a9f7b0f83b197f6cd0073dbb6602 | sort -u
6.9.7-4


> > [] coders/mpc.c: memory leak in mpc file handling
> > Debian Bug: https://bugs.debian.org/851382
> > Fixed by:
> https://github.com/ImageMagick/ImageMagick/commit/
> 4493d9ca1124564da17f9b628ef9d0f1a6be
> 9738
> 
> Use CVE-2017-5507.

$ git tag --contains 4493d9ca1124564da17f9b628ef9d0f1a6be | sort -u
6.9.7-4


> > [] PushQuantumPixel heap buffer-overflow
> > Debian Bug: https://bugs.debian.org/851381
> > Upstream report:
> https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31161
> >
> https://github.com/ImageMagick/ImageMagick/commit/
> c073a7712d82476b5fbee74856c46b88af9c
> 3175
> 
> Use CVE-2017-5508.

$ git tag --contains c073a7712d82476b5fbee74856c46b88af9c | sort -u
6.9.7-3
6.9.7-4


> > [] memory leak in caption and label handling
> > Debian Bug: https://bugs.debian.org/851380
> > Fixed by:
> https://github.com/ImageMagick/ImageMagick/commit/
> aeff00de228bc5a158c2a975ab47845d8a1d
> b456
> 
> Use CVE-2016-10146.

$ git tag --contains aeff00de228bc5a158c2a975ab47845d8a1d | sort -u
6.9.6-8
6.9.7-0
6.9.7-1
6.9.7-2
6.9.7-3
6.9.7-4


> > [] coders/psd.c: out-of-bounds write flaw in psd file handling
> > Debian Bug: https://bugs.debian.org/851377
> > Upstream report: https://github.com/ImageMagick/ImageMagick/issues/350
> 
> Use CVE-2017-5509.

https://github.com/ImageMagick/ImageMagick/commit/37a1710e2dab6ed91128ea648d654a22fbe2a6af

$ git tag --contains 37a1710e2dab6ed91128ea648d654a22fbe2a6af | sort -u
6.9.7-4


> > [] coders/psd.c: out-of-bounds write flaw in psd file handling
> > (different issue from the above)
> > Debian Bug: https://bugs.debian.org/851376
> > Upstream report: https://github.com/ImageMagick/ImageMagick/issues/348
> 
> Use CVE-2017-5510.

https://github.com/ImageMagick/ImageMagick/commit/e87af64b1ff1635a32d9b6162f1b0e260fb54ed9

$ git tag --contains e87af64b1ff1635a32d9b6162f1b0e260fb54ed9 | sort -u
6.9.7-4


> > [] coders/psd.c: memory corruption heap overflow
> > Debian Bug: https://bugs.debian.org/851374
> > Upstream report: https://github.com/ImageMagick/ImageMagick/issues/347
> 
> Use CVE-2017-5511.

https://github.com/ImageMagick/ImageMagick/commit/7d65a814ac76bd04760072c33e452371692ee790

$ git tag --contains 7d65a814ac76bd04760072c33e452371692ee790 | sort -u
6.9.7-3
6.9.7-4





@ Maintainer(s): To catch all reported vulnerabilities please bump to >=media-gfx/imagemagick-6.9.7.4!
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-01-21 01:54:14 UTC
commit fe5350e4d1132f9428348c0a9af0f0fb384786a6
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sat Jan 21 02:52:25 2017

    media-gfx/imagemagick: Security bump to versions 6.9.7.4 and 7.0.4.4

    Gentoo bug #606654

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-21 02:04:30 UTC
@ Arches,

please test and mark stable: =media-gfx/imagemagick-6.9.7.4
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-21 11:44:13 UTC
Stable on alpha.
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-21 17:18:43 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-21 17:30:09 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-01-21 20:39:07 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-22 16:33:58 UTC
sparc stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-22 16:57:59 UTC
Stable for HPPA.
Comment 10 Agostino Sarubbo gentoo-dev 2017-01-23 16:31:50 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-24 11:48:41 UTC
ppc64 stable
Comment 12 Markus Meier gentoo-dev 2017-02-05 17:05:20 UTC
arm stable, all arches done.
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2017-02-05 22:47:36 UTC
GLSA request filed
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2017-02-17 08:13:33 UTC
This issue was resolved and addressed in
 GLSA 201702-09 at https://security.gentoo.org/glsa/201702-09
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-17 08:15:20 UTC
Re-opening for cleanup.

@ Maintainer(s): Please cleanup and drop =media-gfx/imagemagick-6.9.6.6!
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-02 18:07:46 UTC
Repository is now clean.