Bug 1017317 (CVE-2016-10058) - VUL-0: CVE-2016-10058: ImageMagick: Memory leak in psd file handling
Summary: VUL-0: CVE-2016-10058: ImageMagick: Memory leak in psd file handling
Status: RESOLVED WORKSFORME
: 1016586 (view as bug list)
Alias: CVE-2016-10058
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Minor
Target Milestone: ---
Assignee: Petr Gajdos
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:SUSE:CVE-2016-10058:4.3:(AV:N/...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-27 09:22 UTC by Johannes Segitz
Modified: 2017-01-30 15:24 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2016-12-27 09:22:31 UTC 
Debian bug: https://bugs.debian.org/845239
Reference URL: https://security-tracker.debian.org/845239
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/4ec444f4eab88cf4bec664fafcf9cab50bc5ff6a
Upstream issue: N/A
Upstream version fixed: 6.9.6-3

Use CVE-2016-10058.
Comment 1 Swamp Workflow Management 2016-12-27 23:01:59 UTC 
bugbot adjusting priority
Comment 2 Johannes Segitz 2016-12-28 10:22:56 UTC 
*** Bug 1016586 has been marked as a duplicate of this bug. ***
Comment 3 Johannes Segitz 2016-12-28 10:23:37 UTC 
From  Matthias Gerstner 

ImageMagick:

[affected] SLE-12:Update in coders/psd.c:1432
[affected] SLE-11:Update in coders/psd.c:1101
[affected] openSUSE:13.2:Update in coders/psd.c:1454

GraphicsMagick:

[unclear] SLE-11:Update in coders/psd.c:1118:
  the code in question is there but commented out. Could be another issue?
[unclear] openSUSE:13.2:Update in coders/psd.c:1122: the same
[unclear] openSUSE:Leap:42.1:Update in coders/psd.c:1149: the same
[unclear] openSUSE:Leap:42.2:Update in coders/psd.c:1149: the same
Comment 4 Petr Gajdos 2017-01-25 08:35:59 UTC 
No testcase found.
Comment 5 Petr Gajdos 2017-01-25 08:42:32 UTC 
info member of LayerInfo structure in psd.c was introduced later than 6.8.8-1 we have in sle12 was out. GraphicsMagick does not contain this member at all.