Bug 617922 (CVE-2017-8343, CVE-2017-8344, CVE-2017-8345, CVE-2017-8346, CVE-2017-8347, CVE-2017-8348, CVE-2017-8349, CVE-2017-8351, CVE-2017-8352, CVE-2017-8353, CVE-2017-8354, CVE-2017-8355, CVE-2017-8356, CVE-2017-8357, CVE-2017-8765) - <media-gfx/imagemagick-6.9.8.6: Multiple vulnerabilities
Summary: <media-gfx/imagemagick-6.9.8.6: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-8343, CVE-2017-8344, CVE-2017-8345, CVE-2017-8346, CVE-2017-8347, CVE-2017-8348, CVE-2017-8349, CVE-2017-8351, CVE-2017-8352, CVE-2017-8353, CVE-2017-8354, CVE-2017-8355, CVE-2017-8356, CVE-2017-8357, CVE-2017-8765
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: C4 [noglsa cve]
Depends on: CVE-2017-6497, CVE-2017-6498, CVE-2017-6499, CVE-2017-6500, CVE-2017-6501, CVE-2017-6502
Blocks: CVE-2017-8350
Reported: 2017-05-09 04:44 UTC by GLSAMaker/CVETool Bot
Modified: 2017-09-20 18:16 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2017-05-09 04:44:36 UTC
CVE-2017-8765 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8765):
  The function named ReadICONImage in coders\icon.c in ImageMagick 7.0.5-5 has
  a memory leak vulnerability which can cause memory exhaustion via a crafted
  ICON file.

CVE-2017-8357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8357):
  In ImageMagick 7.0.5-5, the ReadEPTImage function in ept.c allows attackers
  to cause a denial of service (memory leak) via a crafted file.

CVE-2017-8356 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8356):
  In ImageMagick 7.0.5-5, the ReadSUNImage function in sun.c allows attackers
  to cause a denial of service (memory leak) via a crafted file.

CVE-2017-8355 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8355):
  In ImageMagick 7.0.5-5, the ReadMTVImage function in mtv.c allows attackers
  to cause a denial of service (memory leak) via a crafted file.

CVE-2017-8354 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8354):
  In ImageMagick 7.0.5-5, the ReadBMPImage function in bmp.c allows attackers
  to cause a denial of service (memory leak) via a crafted file.

CVE-2017-8353 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8353):
  In ImageMagick 7.0.5-5, the ReadPICTImage function in pict.c allows
  attackers to cause a denial of service (memory leak) via a crafted file.

CVE-2017-8352 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8352):
  In ImageMagick 7.0.5-5, the ReadXWDImage function in xwd.c allows attackers
  to cause a denial of service (memory leak) via a crafted file.

CVE-2017-8351 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8351):
  In ImageMagick 7.0.5-5, the ReadPCDImage function in pcd.c allows attackers
  to cause a denial of service (memory leak) via a crafted file.

CVE-2017-8350 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8350):
  In ImageMagick 7.0.5-5, the ReadJNGImage function in png.c allows attackers
  to cause a denial of service (memory leak) via a crafted file.

CVE-2017-8349 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8349):
  In ImageMagick 7.0.5-5, the ReadSFWImage function in sfw.c allows attackers
  to cause a denial of service (memory leak) via a crafted file.

CVE-2017-8348 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8348):
  In ImageMagick 7.0.5-5, the ReadMATImage function in mat.c allows attackers
  to cause a denial of service (memory leak) via a crafted file.

CVE-2017-8347 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8347):
  In ImageMagick 7.0.5-5, the ReadEXRImage function in exr.c allows attackers
  to cause a denial of service (memory leak) via a crafted file.

CVE-2017-8346 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8346):
  In ImageMagick 7.0.5-5, the ReadDCMImage function in dcm.c allows attackers
  to cause a denial of service (memory leak) via a crafted file.

CVE-2017-8345 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8345):
  In ImageMagick 7.0.5-5, the ReadMNGImage function in png.c allows attackers
  to cause a denial of service (memory leak) via a crafted file.

CVE-2017-8344 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8344):
  In ImageMagick 7.0.5-5, the ReadPCXImage function in pcx.c allows attackers
  to cause a denial of service (memory leak) via a crafted file.

CVE-2017-8343 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8343):
  In ImageMagick 7.0.5-5, the ReadAAIImage function in aai.c allows attackers
  to cause a denial of service (memory leak) via a crafted file.
Comment 1 Agostino Sarubbo gentoo-dev 2017-05-09 07:02:14 UTC
I know that via glsamaker we track the CVEs, but I suggested to the author that a leak is not worth a CVE unless you can demonstrate the damage:
https://github.com/ImageMagick/ImageMagick/issues/462#issuecomment-298251168
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2017-05-09 07:18:38 UTC
ago, granted. But if a CVE is issued (which is a problem on MITRE's side), we are going to try and report it here. If upstream closes it, then we can close it as won't fix.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-05-22 16:45:45 UTC
> CVE-2017-8765 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8765):
>   The function named ReadICONImage in coders\icon.c in ImageMagick 7.0.5-5 has
>   a memory leak vulnerability which can cause memory exhaustion via a crafted
>   ICON file.

Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/466

Upstream patch: 82c0f060628c5d955e6a36b3579cc81086132092


> CVE-2017-8357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8357):
>   In ImageMagick 7.0.5-5, the ReadEPTImage function in ept.c allows attackers
>   to cause a denial of service (memory leak) via a crafted file.

Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/453

Upstream patch: d340012f201619d57bc418e21b8569403f9453f1


> CVE-2017-8356 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8356):
>   In ImageMagick 7.0.5-5, the ReadSUNImage function in sun.c allows attackers
>   to cause a denial of service (memory leak) via a crafted file.

Upstream issue:

Upstream patch:


> CVE-2017-8355 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8355):
>   In ImageMagick 7.0.5-5, the ReadMTVImage function in mtv.c allows attackers
>   to cause a denial of service (memory leak) via a crafted file.

Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/449

Upstream patch: 59a1f6136fb2ee9d32cc03d00a3de6883ed206b1


> CVE-2017-8354 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8354):
>   In ImageMagick 7.0.5-5, the ReadBMPImage function in bmp.c allows attackers
>   to cause a denial of service (memory leak) via a crafted file.

Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/451

Upstream patch: cc8bafff80b7a87288e49defc50c3d3c58ff680f


> CVE-2017-8353 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8353):
>   In ImageMagick 7.0.5-5, the ReadPICTImage function in pict.c allows
>   attackers to cause a denial of service (memory leak) via a crafted file.

Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/454

Upstream patch: d41fb52eb5b30e70cdc85ab6649ccac000924511


> CVE-2017-8352 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8352):
>   In ImageMagick 7.0.5-5, the ReadXWDImage function in xwd.c allows attackers
>   to cause a denial of service (memory leak) via a crafted file.

Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/452

Upstream patch: 2917930679a3543e52070668c3adb3d8c183d1f6


> CVE-2017-8351 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8351):
>   In ImageMagick 7.0.5-5, the ReadPCDImage function in pcd.c allows attackers
>   to cause a denial of service (memory leak) via a crafted file.

Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/448

Upstream patch: 23071f835d44e661177957fde0add67db7788a69


> CVE-2017-8350 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8350):
>   In ImageMagick 7.0.5-5, the ReadJNGImage function in png.c allows attackers
>   to cause a denial of service (memory leak) via a crafted file.

Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/447

Upstream patch: 7a8d04796a94852c72fd90441a0805c27f1b3210


> CVE-2017-8349 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8349):
>   In ImageMagick 7.0.5-5, the ReadSFWImage function in sfw.c allows attackers
>   to cause a denial of service (memory leak) via a crafted file.

Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/443

Upstream patch: bfda0b62fb5de2d7d2c229c432e1650f7d2973bf


> CVE-2017-8348 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8348):
>   In ImageMagick 7.0.5-5, the ReadMATImage function in mat.c allows attackers
>   to cause a denial of service (memory leak) via a crafted file.

Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/445

Upstream patch: 0c60e6ead120fe2036ceb87662de91d52a4ec4aa


> CVE-2017-8347 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8347):
>   In ImageMagick 7.0.5-5, the ReadEXRImage function in exr.c allows attackers
>   to cause a denial of service (memory leak) via a crafted file.

Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/441

Upstream patch: babb3b6c992bef4098ba40353c16d3beba5920a4


> CVE-2017-8346 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8346):
>   In ImageMagick 7.0.5-5, the ReadDCMImage function in dcm.c allows attackers
>   to cause a denial of service (memory leak) via a crafted file.

Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/440

Upstream patch: 528b8990f86c19d9f78c90b06fb5dd76f399ce3d


> CVE-2017-8345 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8345):
>   In ImageMagick 7.0.5-5, the ReadMNGImage function in png.c allows attackers
>   to cause a denial of service (memory leak) via a crafted file.

Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/442

Upstream patch: fd6144f89f33f3065b0a8436f9af81ab9561459f


> CVE-2017-8344 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8344):
>   In ImageMagick 7.0.5-5, the ReadPCXImage function in pcx.c allows attackers
>   to cause a denial of service (memory leak) via a crafted file.

Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/446

Upstream patch: 4c6289b2f39a47a430ce27b61d3e3967201e77e8


> CVE-2017-8343 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8343):
>   In ImageMagick 7.0.5-5, the ReadAAIImage function in aai.c allows attackers
>   to cause a denial of service (memory leak) via a crafted file.

Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/444

Upstream patch: c52b177e0cb11c896b8cc9525a3184c5c0f322c3


All reported vulnerabilities are fixed in upstream version >=6.9.8-5
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-05-22 16:49:25 UTC
Correction:

> CVE-2017-8356 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8356):
>   In ImageMagick 7.0.5-5, the ReadSUNImage function in sun.c allows attackers
>   to cause a denial of service (memory leak) via a crafted file.

Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/449

Upstream patch: 59a1f6136fb2ee9d32cc03d00a3de6883ed206b1


> CVE-2017-8355 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8355):
>   In ImageMagick 7.0.5-5, the ReadMTVImage function in mtv.c allows attackers
>   to cause a denial of service (memory leak) via a crafted file.

Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/450

Upstream patch: d22fd1ff6b41dc81369e255fab81e409049a6e15
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-05-23 09:19:07 UTC
Stabilization will happen in bug 612668
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2017-09-17 20:55:59 UTC
GLSA Vote: No
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2017-09-20 18:16:48 UTC
Freeing alias CVE-2017-8350 for new tracker bug 631560.