It was discovered that the upstream fix for this issue was not complete. There is still a memory allocation failure in memory.c.
References:
http://seclists.org/oss-sec/2016/q4/197
https://blogs.gentoo.org/ago/2016/10/20/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862/
Created ImageMagick tracking bugs for this issue:
Affects: fedora-all [bug 1381145]
Upstream patch:
https://github.com/ImageMagick/ImageMagick/commit/ab2c9d6a8dd6d71b161ec9cc57a588b116b52322
Analysis:
Basically lowers map_length from 32 (fix for CVE-2016-8862) to the new value 22. Even without the previous fix, this flaw affects ImageMagick shipped with Red Hat Enterprise Linux, hence marking as affected.