[Secure-testing-team] Bug#845634: CVE-2016-8862: imagemagick: memory allocation failure in AcquireMagickMemory (memory.c)
Bastien ROUCARIES
roucaries.bastien at gmail.com
Fri Nov 25 12:57:00 UTC 2016
Package: src:imagemagick
version: 8:6.8.9.9-5+deb8u5
Severity: grave
Tags: patch security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
control: found -1 8:6.7.7.10-5+deb7u7
control: fixed -1 8:6.9.6.2+dfsg-2
control: forwarded -1
https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30908#p140255
https://blogs.gentoo.org/ago/2016/10/17/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c/
Fixed by: https://github.com/ImageMagick/ImageMagick/commit/aea6c6507f55632829e6432f8177a084a57c9fcc
The initial patch was initiall meant to be incomplete and resulted in
CVE-2016-8866. So when fixing
this CVE make sure to fix it completely to not open up CVE-2016-8866.
The "incomplete fix" though is not a real problem, cf.
https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30908#p140255
http://www.openwall.com/lists/oss-security/2016/10/17/4
More information about the Secure-testing-team
mailing list