[manjaro-security] [arch-security] [ASA-201607-13] imagemagick: information leakage

Remi Gacogne rgacogne at archlinux.org
Fri Jul 29 20:36:27 CEST 2016


Arch Linux Security Advisory ASA-201607-13
==========================================

Severity: Low
Date    : 2016-07-29
CVE-ID  : CVE-2016-6491
Package : imagemagick
Type    : information leakage
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package imagemagick before version 6.9.5.3-1 is vulnerable to
information leakage.

Resolution
==========

Upgrade to 6.9.5.3-1.

# pacman -Syu "imagemagick>=6.9.5.3-1"

The problem has been fixed upstream in version 6.9.5-3.

Workaround
==========

None.

Description
===========

An out-of-bounds read has been found in ImageMagick's Get8BIMProperty()
function. This issue can lead to memory leak since the data read is
written to the output image afterwards.

Impact
======

A remote attacker can access sensitive information present in memory by
submitting a crafted image file.

References
==========

http://git.imagemagick.org/repos/ImageMagick/commit/5cb6c1acd3e3b12f9260daf207db432df7f792c2
http://seclists.org/oss-sec/2016/q3/194
https://access.redhat.com/security/cve/CVE-2016-6491

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20160729/763c5f78/attachment.pgp>


More information about the manjaro-security mailing list