Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 687030 (CVE-2019-11037) - <dev-php/pecl-imagick-3.4.4: out-of-bounds write to memory in ImagickKernel::fromMatrix() (CVE-2019-11037)
Summary: <dev-php/pecl-imagick-3.4.4: out-of-bounds write to memory in ImagickKernel::...
Status: RESOLVED FIXED
Alias: CVE-2019-11037
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-30 18:43 UTC by Brian Evans
Modified: 2020-03-19 15:58 UTC (History)
1 user (show)

See Also:
Package list:
dev-php/pecl-imagick-3.4.4
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Brian Evans Gentoo Infrastructure gentoo-dev 2019-05-30 18:43:11 UTC
Fixes upstream Bug 77791 - ImagickKernel::fromMatrix() out of bounds write. CVE-2019-11037
Comment 1 Larry the Git Cow gentoo-dev 2019-05-30 19:03:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bd492eb1f98937bf9cb0f2e62d7e9bb58391384

commit 2bd492eb1f98937bf9cb0f2e62d7e9bb58391384
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2019-05-30 19:02:51 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2019-05-30 19:03:17 +0000

    dev-php/pecl-imagick: Version bump to 3.4.4
    
    Bug: https://bugs.gentoo.org/687030
    Closes: https://bugs.gentoo.org/685496
    Package-Manager: Portage-2.3.67, Repoman-2.3.13
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-php/pecl-imagick/Manifest                  |  1 +
 dev-php/pecl-imagick/pecl-imagick-3.4.4.ebuild | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+)
Comment 2 Brian Evans Gentoo Infrastructure gentoo-dev 2019-05-30 19:05:08 UTC
Arches, please test and mark stable.

The following tests failed locally so they may not be working correctly..
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Test Tutorial, svgExample [tests/243_Tutorial_svgExample_basic.phpt]
Imagick::setImageAlpha [tests/274_imagick_setImageAlpha.phpt]
=====================================================================

=====================================================================
WARNED TEST SUMMARY
---------------------------------------------------------------------
Test ImagickDraw, getDensity [tests/268_ImagickDraw_getDensity_basic.phpt] (warn: XFAIL section but test passes)
ImagickPixel iterator [tests/bug_73840.phpt] (warn: XFAIL section but test passes)
=====================================================================
Comment 3 Thomas Deutschmann gentoo-dev Security 2019-06-04 15:18:00 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-06-05 06:49:46 UTC
amd64 stable.

Maintainer(s), please cleanup.
Comment 5 Larry the Git Cow gentoo-dev 2019-06-05 12:34:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0c53b02794259f83b7a1a9e57c54bc3d8f183bdd

commit 0c53b02794259f83b7a1a9e57c54bc3d8f183bdd
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2019-06-05 12:34:43 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2019-06-05 12:34:43 +0000

    dev-php/pecl-imagick: Drop vulnerable versions
    
    Bug: https://bugs.gentoo.org/687030
    Package-Manager: Portage-2.3.67, Repoman-2.3.13
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-php/pecl-imagick/Manifest                      |  2 --
 .../pecl-imagick-3.4.3-tsrm_ls-is-undeclared.patch | 18 ------------
 dev-php/pecl-imagick/pecl-imagick-3.4.3.ebuild     | 25 -----------------
 .../pecl-imagick-3.4.3_p20181129.ebuild            | 32 ----------------------
 4 files changed, 77 deletions(-)
Comment 6 Thomas Deutschmann gentoo-dev Security 2020-03-17 14:24:14 UTC
New GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-03-19 15:58:04 UTC
This issue was resolved and addressed in
 GLSA 202003-38 at https://security.gentoo.org/glsa/202003-38
by GLSA coordinator Thomas Deutschmann (whissi).