Bug 1471835 (CVE-2017-11352)

Summary: CVE-2017-11352 ImageMagick: Improper EOF handling in coders/rle.c can trigger crash (Incomplete fix for CVE-2017-9144)
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abhgupta, ethan, jhorak, nmurray, pahan, tiwillia
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:16:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1471837    
Bug Blocks:    

Description Pedro Sampaio 2017-07-17 14:12:30 UTC 
In ImageMagick before 7.0.5-10, a crafted RLE image can trigger a
crash because of incorrect EOF handling in coders/rle.c. This is
caused by an incomplete fix of CVE-2017-9144.

Upstream bug:

https://github.com/ImageMagick/ImageMagick/issues/502

Upstream patch (ImageMagick-7):

https://github.com/ImageMagick/ImageMagick/commit/86cb33143c5b21912187403860a7c26761a3cd23

Upstream patch (ImageMagick-6):

https://github.com/ImageMagick/ImageMagick/commit/7f1f01b695e869c410ee10e2176f8fd764f09373

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868469
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-9144
Comment 1 Pedro Sampaio 2017-07-17 14:12:53 UTC 
Created ImageMagick tracking bugs for this issue:

Affects: fedora-all [bug 1471837]