Arch Linux alert ASA-201607-13 (imagemagick)
From: Remi Gacogne <rgacogne@archlinux.org>
To: arch-security@archlinux.org
Subject: [arch-security] [ASA-201607-13] imagemagick: information leakage
Date: Fri, 29 Jul 2016 20:36:27 +0200
Message-ID: <89debf65-6f83-5b79-f44c-42e5032db24a@archlinux.org>
Arch Linux Security Advisory ASA-201607-13
==========================================

Severity: Low
Date    : 2016-07-29
CVE-ID  : CVE-2016-6491
Package : imagemagick
Type    : information leakage
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package imagemagick before version 6.9.5.3-1 is vulnerable to information leakage.

Resolution
==========

Upgrade to 6.9.5.3-1.

# pacman -Syu "imagemagick>=6.9.5.3-1"

The problem has been fixed upstream in version 6.9.5-3.

Workaround
==========

None.

Description
===========

An out-of-bounds read has been found in ImageMagick's Get8BIMProperty() function. This issue can lead to disclosure of process memory, since the data read past the buffer is written into the output image afterwards.

Impact
======

A remote attacker can access sensitive information present in memory by submitting a crafted image file.

References
==========

http://git.imagemagick.org/repos/ImageMagick/commit/5cb6c...
http://seclists.org/oss-sec/2016/q3/194
https://access.redhat.com/security/cve/CVE-2016-6491
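The Description above names the bug class (a declared record length trusted past the end of the profile buffer) but not the check that prevents it. The following is an added illustration, not ImageMagick's Get8BIMProperty() and not code from this advisory: it parses a simplified 8BIM-style record layout assumed here for the example ("8BIM" signature, 2-byte big-endian id, 4-byte big-endian length, payload) and refuses any record whose declared length does not fit in the bytes that remain, so a crafted length can never drive the copy into memory outside the buffer. The sample buffers are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified 8BIM-style record layout assumed for illustration (not ImageMagick's):
 *   "8BIM" (4 bytes) | id (2 bytes, big-endian) | length (4 bytes, big-endian) | payload
 */
#define REC_HDR_LEN 10

static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint16_t read_be16(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Look up the record with id want_id inside buf[0..len). Copies at most out_cap
 * payload bytes into out and returns the record's payload length, or -1 if the
 * record is absent or the buffer is malformed (bad signature, truncated header,
 * or a declared length that overruns the buffer). */
long find_8bim_record(const unsigned char *buf, size_t len, uint16_t want_id,
                      unsigned char *out, size_t out_cap)
{
    size_t pos = 0;
    /* pos never exceeds len, so len - pos cannot underflow. */
    while (len - pos >= REC_HDR_LEN) {
        if (memcmp(buf + pos, "8BIM", 4) != 0)
            return -1;
        uint16_t id = read_be16(buf + pos + 4);
        uint32_t count = read_be32(buf + pos + 6);
        pos += REC_HDR_LEN;
        /* The bounds check: the declared payload length must fit in what is
         * left of the buffer. Without it, an attacker-chosen count makes the
         * memcpy below read past the end of buf, and whatever it reads would
         * be carried into the output. */
        if (count > len - pos)
            return -1;
        if (id == want_id) {
            size_t n = count < out_cap ? count : out_cap;
            memcpy(out, buf + pos, n);
            return (long)count;
        }
        pos += count;
    }
    return -1; /* no record with that id, or trailing bytes too short for a header */
}

/* Constructed sample: one well-formed record, id 0x0404, five-byte payload. */
const unsigned char SAMPLE_OK[] = {
    '8', 'B', 'I', 'M', 0x04, 0x04, 0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'
};
const size_t SAMPLE_OK_LEN = sizeof(SAMPLE_OK);

/* Constructed sample: the header claims 65535 payload bytes but only 2 follow. */
const unsigned char SAMPLE_BAD[] = {
    '8', 'B', 'I', 'M', 0x04, 0x04, 0x00, 0x00, 0xFF, 0xFF, 'x', 'y'
};
const size_t SAMPLE_BAD_LEN = sizeof(SAMPLE_BAD);

int main(void) {
    unsigned char out[64] = {0};
    long n = find_8bim_record(SAMPLE_OK, SAMPLE_OK_LEN, 0x0404, out, sizeof out);
    printf("well-formed record: length %ld, payload \"%.*s\"\n", n, (int)n, out);
    n = find_8bim_record(SAMPLE_BAD, SAMPLE_BAD_LEN, 0x0404, out, sizeof out);
    printf("oversized length field: result %ld (rejected)\n", n);
    return 0;
}
```

The same shape of check applies to any length-prefixed metadata block (IPTC, EXIF, ICC): compare the declared length against the remaining input before the copy, not after, and treat a mismatch as a parse failure rather than clamping silently, so a malformed file is logged and dropped instead of producing output that carries stray memory.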