Bug 991445 (CVE-2016-6491) - VUL-0: CVE-2016-6491: ImageMagick: Out-of-bounds read in CopyMagickMemory
Summary: VUL-0: CVE-2016-6491: ImageMagick: Out-of-bounds read in CopyMagickMemory
Status: RESOLVED FIXED
Alias: CVE-2016-6491
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/171446/
Whiteboard: CVSSv2:RedHat:CVE-2016-6491:5.8:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-01 09:56 UTC by Sebastian Krahmer
Modified: 2016-08-24 16:09 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Krahmer 2016-08-01 09:56:16 UTC 
Quoting from RH BZ:

An out-of-bounds read vulnerability in CopyMagickMemory was found that can lead to memory leak because the read data are written into output image using SetImageProperty or can cause DoS by crashing the application.


rh#1361492

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1361492
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6491
http://seclists.org/oss-sec/2016/q3/194
Comment 2 Petr Gajdos 2016-08-04 18:47:04 UTC 
GraphicsMagick seems not to be affected.
Comment 3 Petr Gajdos 2016-08-04 19:03:14 UTC 
I believe all affected code streams are fixed.
Comment 4 Bernhard Wiedemann 2016-08-04 20:00:44 UTC 
This is an autogenerated message for OBS integration:
This bug (991445) was mentioned in
https://build.opensuse.org/request/show/416993 13.2 / ImageMagick
Comment 6 Sebastian Krahmer 2016-08-15 11:48:41 UTC 
released
Comment 7 Swamp Workflow Management 2016-08-15 13:10:48 UTC 
openSUSE-SU-2016:2072-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 991444,991445,991872
CVE References: CVE-2016-5010,CVE-2016-6491,CVE-2016-6520
Sources used:
openSUSE 13.2 (src):    ImageMagick-6.8.9.8-29.1
Comment 8 Swamp Workflow Management 2016-08-15 15:09:09 UTC 
SUSE-SU-2016:2075-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 991445,991872
CVE References: CVE-2016-6491,CVE-2016-6520
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.48.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.48.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.48.1
Comment 9 Swamp Workflow Management 2016-08-15 15:09:52 UTC 
SUSE-SU-2016:2076-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 991444,991445,991872
CVE References: CVE-2016-5010,CVE-2016-6491,CVE-2016-6520
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-33.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-33.1
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-33.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-33.1
Comment 10 Swamp Workflow Management 2016-08-24 16:09:39 UTC 
openSUSE-SU-2016:2148-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 991444,991445,991872
CVE References: CVE-2016-5010,CVE-2016-6491,CVE-2016-6520
Sources used:
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-18.2