904357 – (CVE-2023-1906) <media-gfx/imagemagick-{6.9.12.84, 7.1.1.6}: Multiple vulnerabilities

Bug 904357 (CVE-2023-1906) - <media-gfx/imagemagick-{6.9.12.84, 7.1.1.6}: Multiple vulnerabilities

Summary: <media-gfx/imagemagick-{6.9.12.84, 7.1.1.6}: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2023-1906

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [glsa+]
Keywords:

Depends on:	905295
Blocks:
	Show dependency tree

Reported:	2023-04-15 08:00 UTC by Sam James
Modified:	2024-05-04 06:16 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2023-04-15 08:00:12 UTC

* CVE-2023-1906 (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-35q2-86c7-9247)

"A heap-based buffer overflow issue was discovered in ImageMagick's ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c. An attacker could pass specially crafted file to convert, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service."

* No CVE (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j96m-mjp6-99xr)

"A specially created SVG file that loads by itself and make segmentation fault. Remote attackers can take advantage of this vulnerability to cause a denial of service of the generated SVG file."

Comment 1 Larry the Git Cow gentoo-dev

2023-04-15 08:08:12 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=de00957023df685dd3802adbb29a19265f0c0d45

commit de00957023df685dd3802adbb29a19265f0c0d45
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-04-15 08:07:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-04-15 08:07:23 +0000

    media-gfx/imagemagick: add 6.9.12.84
    
    Bug: https://bugs.gentoo.org/904357
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/imagemagick/Manifest                     |   1 +
 media-gfx/imagemagick/imagemagick-6.9.12.84.ebuild | 271 +++++++++++++++++++++
 2 files changed, 272 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b1886cc41914b916e56044289e385dab34496178

commit b1886cc41914b916e56044289e385dab34496178
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-04-15 07:57:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-04-15 08:07:23 +0000

    media-gfx/imagemagick: add 7.1.1.6
    
    Bug: https://bugs.gentoo.org/904357
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/imagemagick/Manifest                   |   1 +
 media-gfx/imagemagick/imagemagick-7.1.1.6.ebuild | 281 +++++++++++++++++++++++
 2 files changed, 282 insertions(+)

Comment 2 Andreas K. Hüttel archtester

2023-05-06 20:36:24 UTC

Cleanup done

Comment 3 Larry the Git Cow gentoo-dev

2024-05-04 06:14:14 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4a7120d937eaaec2a14046c3d00320bd902c32bf

commit 4a7120d937eaaec2a14046c3d00320bd902c32bf
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-04 06:13:29 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-04 06:14:05 +0000

    [ GLSA 202405-02 ] ImageMagick: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/835931
    Bug: https://bugs.gentoo.org/843833
    Bug: https://bugs.gentoo.org/852947
    Bug: https://bugs.gentoo.org/871954
    Bug: https://bugs.gentoo.org/893526
    Bug: https://bugs.gentoo.org/904357
    Bug: https://bugs.gentoo.org/908082
    Bug: https://bugs.gentoo.org/917594
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-02.xml | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)