Bug 1350461 (CVE-2016-5842) - CVE-2016-5842 ImageMagick: Information leak in MagickCore/property.c
Summary: CVE-2016-5842 ImageMagick: Information leak in MagickCore/property.c
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2016-5842
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1350462
Blocks: 1350463
TreeView+ depends on / blocked
 
Reported: 2016-06-27 13:59 UTC by Adam Mariš
Modified: 2021-02-17 03:39 UTC (History)
13 users (show)

Fixed In Version: ImageMagick 7.0.2-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-18 10:06:29 UTC
Embargoed:


Attachments (Terms of Use)

Description Adam Mariš 2016-06-27 13:59:48 UTC
An information leak vulnerability was found in MagickCore/property.c by partially controlling the pointer for reading arbitrary data from the memory of ImageMagick process.

Upstream patch:

https://github.com/ImageMagick/ImageMagick/commit/d8ab7f046587f2e9f734b687ba7e6e10147c294b

CVE request:

http://seclists.org/oss-sec/2016/q2/586

Comment 1 Adam Mariš 2016-06-27 14:00:55 UTC
Created ImageMagick tracking bugs for this issue:

Affects: fedora-all [bug 1350462]

Comment 2 Stefan Cornelius 2016-08-18 10:06:29 UTC
Although we do have affected code snippets, I could not find an attack vector to exploit this prior to the following commit:
https://github.com/ImageMagick/ImageMagick/commit/e9438e2a82d35b6657e908ff38ec0303f432b655

Statement:

This issue did not affect the versions of ImageMagick as shipped with Red Hat Enterprise Linux 5, 6, and 7.


Note You need to log in before you can comment on or make changes to this bug.