SUSE Security Update: Security update for GraphicsMagick ______________________________________________________________________________ Announcement ID: SUSE-SU-2017:3435-1 Rating: important References: #1050632 #1052450 #1054757 #1055214 #1056426 #1056429 #1057508 #1058485 #1058637 #1066003 #1067181 #1067184 #1067409 Cross-References: CVE-2016-7996 CVE-2017-11640 CVE-2017-12587 CVE-2017-12983 CVE-2017-13134 CVE-2017-13776 CVE-2017-13777 CVE-2017-14165 CVE-2017-14341 CVE-2017-14342 CVE-2017-15930 CVE-2017-16545 CVE-2017-16546 CVE-2017-16669 Affected Products: SUSE Studio Onsite 1.3 SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes 14 vulnerabilities is now available. Description: This update for GraphicsMagick fixes the following issues: * CVE-2017-11640: NULL pointer deref in WritePTIFImage() in coders/tiff.c could lead to denial of service [bsc#1050632] * CVE-2017-14342: Memory exhaustion in ReadWPGImage in coders/wpg.c could lead to denial of service [bsc#1058485] * CVE-2017-14341: Infinite loop in the ReadWPGImage function could lead to denial of service [bsc#1058637] * CVE-2017-16546: Issue in ReadWPGImage function in coders/wpg.c could lead to denial of service [bsc#1067181] * CVE-2017-16545: The ReadWPGImage function in coders/wpg.c in validation problems could lead to denial of service [bsc#1067184] * CVE-2017-16669: coders/wpg.c allows remote attackers to cause a denial of service via crafted file [bsc#1067409] * CVE-2017-13776: denial of service issue in ReadXBMImage() in a coders/xbm.c [bsc#1056429] * CVE-2017-13777: denial of service issue in ReadXBMImage() in a coders/xbm.c [bsc#1056426] * CVE-2017-13134: heap-based buffer over-read in the function SFWScan in coders/sfw.c could lead to denial of service via a crafted file [bsc#1055214] * CVE-2017-15930: Null Pointer dereference while transfering JPEG scanlines could lead to denial of service [bsc#1066003] * CVE-2017-12983: Heap-based buffer overflow in the ReadSFWImage function in coders/sfw.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file. [bsc#1054757] * CVE-2017-14165: The ReadSUNImage function in coders/sun.c has an issue where memory allocation is excessive because it depends only on a length field in a header. This may lead to remote denial of service in the MagickMalloc function in magick/memory.c. [bsc#1057508] * CVE-2017-12587: Large loop vulnerability in the ReadPWPImage function in coders\pwp.c. [bsc#1052450] Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Studio Onsite 1.3: zypper in -t patch slestso13-GraphicsMagick-13386=1 - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-GraphicsMagick-13386=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-GraphicsMagick-13386=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Studio Onsite 1.3 (x86_64): GraphicsMagick-1.2.5-4.78.19.1 libGraphicsMagick2-1.2.5-4.78.19.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): GraphicsMagick-1.2.5-4.78.19.1 libGraphicsMagick2-1.2.5-4.78.19.1 perl-GraphicsMagick-1.2.5-4.78.19.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): GraphicsMagick-debuginfo-1.2.5-4.78.19.1 GraphicsMagick-debugsource-1.2.5-4.78.19.1 References: https://www.suse.com/security/cve/CVE-2016-7996.html https://www.suse.com/security/cve/CVE-2017-11640.html https://www.suse.com/security/cve/CVE-2017-12587.html https://www.suse.com/security/cve/CVE-2017-12983.html https://www.suse.com/security/cve/CVE-2017-13134.html https://www.suse.com/security/cve/CVE-2017-13776.html https://www.suse.com/security/cve/CVE-2017-13777.html https://www.suse.com/security/cve/CVE-2017-14165.html https://www.suse.com/security/cve/CVE-2017-14341.html https://www.suse.com/security/cve/CVE-2017-14342.html https://www.suse.com/security/cve/CVE-2017-15930.html https://www.suse.com/security/cve/CVE-2017-16545.html https://www.suse.com/security/cve/CVE-2017-16546.html https://www.suse.com/security/cve/CVE-2017-16669.html https://bugzilla.suse.com/1050632 https://bugzilla.suse.com/1052450 https://bugzilla.suse.com/1054757 https://bugzilla.suse.com/1055214 https://bugzilla.suse.com/1056426 https://bugzilla.suse.com/1056429 https://bugzilla.suse.com/1057508 https://bugzilla.suse.com/1058485 https://bugzilla.suse.com/1058637 https://bugzilla.suse.com/1066003 https://bugzilla.suse.com/1067181 https://bugzilla.suse.com/1067184 https://bugzilla.suse.com/1067409 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org