Bug 1131439 - (CVE-2019-10714) VUL-1: CVE-2019-10714: GraphicsMagick,ImageMagick: An out-of-bounds access exists in function LocaleLowercase in MagickCore/locale.c leads to SIGSEGV
VUL-1: CVE-2019-10714: GraphicsMagick,ImageMagick: An out-of-bounds access e...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P5 - None : Normal
: ---
Assigned To: Petr Gajdos
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2019-04-03 14:43 UTC by Alexandros Toptsoglou
Modified: 2019-04-03 17:29 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Alexandros Toptsoglou 2019-04-03 17:29:49 UTC
Failed to reproduce the issue in all the codestreams. 
After investigation it seems that the vulnerable function introduced when upstream tried to fix [1]. The fix of [1] introduced in 7.0.8-25 and backported to version 6.9.10-25. 
The versions that fix this CVE are and  6.9.0-36

Regarding our codestreams, none seems affected. Tested with valgrind the POC [2] and did not work. 
Regarding openSUSE LEAP codestreams are not affected while TW ships an already fixed version. 

[1] https://github.com/ImageMagick/ImageMagick/issues/1455
[2] https://github.com/Dk0n9/MyFuzzy/blob/master/oob_LocaleLowercase_crash