Bug 1074124 - (CVE-2017-17880) VUL-0: CVE-2017-17880: ImageMagick: Memory leak in the function WriteWEBPImage could lead to a denial of service
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Normal
Assigned To: Petr Gajdos
Security Team bot
https://smash.suse.de/issue/197258/
CVSSv3:RedHat:CVE-2017-17880:4.4:(AV:...
Reported: 2017-12-27 08:43 UTC by Victor Pereira
Modified: 2018-01-09 15:38 UTC
Found By: Security Response Team

Description Victor Pereira 2017-12-27 08:43:00 UTC
CVE-2017-17880

In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a stack-based
buffer over-read in WriteWEBPImage in coders/webp.c, related to a
WEBP_DECODER_ABI_VERSION check.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17880
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17880
Comment 2 Petr Gajdos 2018-01-05 09:41:14 UTC
GraphicsMagick and ImageMagick in 11 do not have webp support; even libwebp is not there.
Comment 3 Petr Gajdos 2018-01-05 10:05:05 UTC
This is the ImageMagick counterpart of CVE-2017-17913, bug 1074299, as the testcase is the same. Again: the code is not there. Fixed in factory due to version update.