Bug 684320 (CVE-2019-11473, CVE-2019-11474) - <media-gfx/graphicsmagick-1.3.32: multiple vulnerabilities
Summary: <media-gfx/graphicsmagick-1.3.32: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2019-11473, CVE-2019-11474
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://http://www.graphicsmagick.org/...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-25 02:37 UTC by D'juan McDonald (domhnall)
Modified: 2019-10-26 23:55 UTC

See Also:
Package list:
=media-gfx/graphicsmagick-1.3.32
Runtime testing required: ---
stable-bot: sanity-check+


Description D'juan McDonald (domhnall) 2019-04-25 02:37:30 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-11473):
coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a denial of service (out-of-bounds read and application crash) by crafting an XWD image file, a different vulnerability than CVE-2019-11008 and CVE-2019-11009.

Upstream Reference: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/5402c5cbd8bd

(https://nvd.nist.gov/vuln/detail/CVE-2019-11474):
coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a denial of service (floating-point exception and application crash) by crafting an XWD image file, a different vulnerability than CVE-2019-11008 and CVE-2019-11009.

Upstream Reference: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/944dcbc457f8

GraphicsMagick 1.3.31 is vulnerable; other versions may also be affected.



Gentoo Security Padawan
(domhnall)
Comment 1 D'juan McDonald (domhnall) 2019-04-25 03:04:24 UTC
ack: wrong order... should be (https://nvd.nist.gov/vuln/detail/CVE-2019-11473):
coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a denial of service (out-of-bounds read and application crash) by crafting an XWD image file, a different vulnerability than CVE-2019-11008 and CVE-2019-11009.

Upstream Reference: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/944dcbc457f8

(https://nvd.nist.gov/vuln/detail/CVE-2019-11474):
coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a denial of service (floating-point exception and application crash) by crafting an XWD image file, a different vulnerability than CVE-2019-11008 and CVE-2019-11009.

Upstream Reference: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/5402c5cbd8bd
Comment 2 Tim Harder gentoo-dev 2019-06-16 03:55:02 UTC
Arches, feel free to stabilize =media-gfx/graphicsmagick-1.3.32 which should fix these security issues.
Comment 3 Rolf Eike Beer archtester 2019-06-18 08:11:06 UTC
sparc stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-06-18 11:11:06 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-06-18 11:43:40 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-06-18 11:49:26 UTC
ppc64 stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2019-06-18 18:25:46 UTC
x86 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-06-22 10:30:23 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-06-27 08:23:24 UTC
alpha stable
Comment 10 Rolf Eike Beer archtester 2019-07-03 18:05:45 UTC
hppa stable
Comment 11 Larry the Git Cow gentoo-dev 2019-10-26 23:54:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=37e9f5380a87559967bdc6dbacaf2c89ef89f222

commit 37e9f5380a87559967bdc6dbacaf2c89ef89f222
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-26 23:54:26 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-26 23:54:26 +0000

    media-gfx/graphicsmagick: security cleanup (#684320)
    
    Bug: https://bugs.gentoo.org/684320
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-gfx/graphicsmagick/Manifest                  |   1 -
 .../graphicsmagick/graphicsmagick-1.3.30.ebuild    | 135 ---------------------
 2 files changed, 136 deletions(-)
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 23:55:10 UTC
Repository is clean, all done!