Bug 214514 - security/vuxml: Multiple security vulnerabilities in ImageMagick7
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Mark Felder
URL:
Keywords: security
Depends on:
Blocks: 214511
Reported: 2016-11-14 18:45 UTC by VK
Modified: 2016-12-04 23:57 UTC

See Also:
bugzilla: maintainer-feedback? (ports-secteam)


Attachments
VuXML entry for ImageMagick7 (2.38 KB, patch)
2016-11-14 22:15 UTC, VK

Description VK freebsd_triage 2016-11-14 18:45:41 UTC
There are currently several known security vulnerabilities in ImageMagick 7, one of which is still without a fix. VuXML entry patch pending; I'm waiting for the latest CVE assignment and compiling a list of issues.

* Heap overflow (CVE pending)
  https://github.com/ImageMagick/ImageMagick/issues/296

* Incomplete fix for CVE-2016-8862 (CVE-2016-8866)
  https://blogs.gentoo.org/ago/2016/10/20/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862/

* Memory allocation failure (CVE-2016-8862)
  https://blogs.gentoo.org/ago/2016/10/17/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c/
Comment 1 VK freebsd_triage 2016-11-14 19:15:00 UTC
Okay, CVE assigned for this one:

* Heap overflow (CVE-2016-9298)
  https://github.com/ImageMagick/ImageMagick/issues/296
Comment 2 VK freebsd_triage 2016-11-14 22:15:57 UTC
Created attachment 177007
VuXML entry for ImageMagick7
Comment 3 commit-hook freebsd_committer freebsd_triage 2016-12-04 23:57:00 UTC
A commit references this bug:

Author: feld
Date: Sun Dec  4 23:55:55 UTC 2016
New revision: 427818
URL: https://svnweb.freebsd.org/changeset/ports/427818

Log:
  Document ImageMagick7 vulnerabilities

  PR:		214514
  Security:	CVE-2016-9298
  Security:	CVE-2016-8866
  Security:	CVE-2016-8862

Changes:
  head/security/vuxml/vuln.xml