[arch-security] [ASA-201607-13] imagemagick: information leakage
Remi Gacogne
rgacogne at archlinux.org
Fri Jul 29 18:36:27 UTC 2016
Arch Linux Security Advisory ASA-201607-13
==========================================
Severity: Low
Date : 2016-07-29
CVE-ID : CVE-2016-6491
Package : imagemagick
Type : information leakage
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package imagemagick before version 6.9.5.3-1 is vulnerable to
information leakage.
Resolution
==========
Upgrade to 6.9.5.3-1.
# pacman -Syu "imagemagick>=6.9.5.3-1"
The problem has been fixed upstream in version 6.9.5-3.
Workaround
==========
None.
Description
===========
An out-of-bounds read has been found in ImageMagick's Get8BIMProperty()
function. This issue can lead to memory leak since the data read is
written to the output image afterwards.
Impact
======
A remote attacker can access sensitive information present in memory by
submitting a crafted image file.
References
==========
http://git.imagemagick.org/repos/ImageMagick/commit/5cb6c1acd3e3b12f9260daf207db432df7f792c2
http://seclists.org/oss-sec/2016/q3/194
https://access.redhat.com/security/cve/CVE-2016-6491
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20160729/763c5f78/attachment.asc>
More information about the arch-security
mailing list