   openSUSE Security Update: Security update for GraphicsMagick
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2018:0460-1
Rating:             moderate
References:         #1047900 #1049374 #1051411 #1058009 #1073081
                    #1074307 #1076182
Cross-References:   CVE-2017-11140 CVE-2017-11450 CVE-2017-11722
                    CVE-2017-14224 CVE-2017-17502 CVE-2017-17912
                    CVE-2017-18028
Affected Products:
                    openSUSE Leap 42.3
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

   This update for GraphicsMagick fixes the following issues:

   - The dcm coder was updated to newest code, covering all currently known
     security issues.

   Security issues fixed:

   - CVE-2017-17502: ReadCMYKImage in ImportCMYKQuantumType had a heap-based
     buffer over-read via a crafted file. [boo#1073081]
   - CVE-2017-11450: A remote denial of service in coders/jpeg.c was fixed
     [boo#1049374]
   - CVE-2017-11140: coders/jpeg.c allowed remote attackers to cause a
     denial of service (application crash). [boo#1047900]
   - CVE-2017-14224: A heap-based buffer overflow in WritePCXImage in
     coders/pcx.c could lead to denial of service or code execution.
     [boo#1058009]
   - CVE-2017-17912: A heap-based buffer over-read in ReadNewsProfile in
     coders/tiff.c was fixed. [boo#1074307]
   - CVE-2017-18028: A memory exhaustion in the function ReadTIFFImage in
     coders/tiff.c was fixed. [boo#1076182]
   - CVE-2017-11722: The WriteOnePNGImage function in coders/png.c allowed
     attackers to cause a denial of service (out-of-bounds read and
     application crash) via a crafted file, because the program's actual
     control flow was inconsistent with its indentation. This resulted in a
     logging statement executing outside of a loop, and consequently using
     an invalid array index corresponding to the loop's exit condition.
     (bsc#1051411)

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.3:

      zypper in -t patch openSUSE-2018-166=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE Leap 42.3 (i586 x86_64):

      GraphicsMagick-1.3.25-68.1
      GraphicsMagick-debuginfo-1.3.25-68.1
      GraphicsMagick-debugsource-1.3.25-68.1
      GraphicsMagick-devel-1.3.25-68.1
      libGraphicsMagick++-Q16-12-1.3.25-68.1
      libGraphicsMagick++-Q16-12-debuginfo-1.3.25-68.1
      libGraphicsMagick++-devel-1.3.25-68.1
      libGraphicsMagick-Q16-3-1.3.25-68.1
      libGraphicsMagick-Q16-3-debuginfo-1.3.25-68.1
      libGraphicsMagick3-config-1.3.25-68.1
      libGraphicsMagickWand-Q16-2-1.3.25-68.1
      libGraphicsMagickWand-Q16-2-debuginfo-1.3.25-68.1
      perl-GraphicsMagick-1.3.25-68.1
      perl-GraphicsMagick-debuginfo-1.3.25-68.1

References:

   https://www.suse.com/security/cve/CVE-2017-11140.html
   https://www.suse.com/security/cve/CVE-2017-11450.html
   https://www.suse.com/security/cve/CVE-2017-11722.html
   https://www.suse.com/security/cve/CVE-2017-14224.html
   https://www.suse.com/security/cve/CVE-2017-17502.html
   https://www.suse.com/security/cve/CVE-2017-17912.html
   https://www.suse.com/security/cve/CVE-2017-18028.html
   https://bugzilla.suse.com/1047900
   https://bugzilla.suse.com/1049374
   https://bugzilla.suse.com/1051411
   https://bugzilla.suse.com/1058009
   https://bugzilla.suse.com/1073081
   https://bugzilla.suse.com/1074307
   https://bugzilla.suse.com/1076182
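
Added example (not part of the advisory and not GraphicsMagick source code): the bug class described for CVE-2017-11722 in miniature, where a statement indented as loop body actually runs once after the loop with the index at its exit value, shown next to the braced fix. The table, the function names and the bounds-checked log_entry helper are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define NUM_ENTRIES 4  /* constructed table size, not taken from GraphicsMagick */
static const int palette[NUM_ENTRIES] = {10, 20, 30, 40};

/* Stand-in for the logging statement. It records the index it was handed and
   refuses invalid ones, so the demonstration never reads past the array. */
static int log_entry(size_t i, size_t *last_index)
{
    *last_index = i;
    if (i >= NUM_ENTRIES)
        return -1;                      /* unchecked, this is the out-of-bounds read */
    printf("entry %zu = %d\n", i, palette[i]);
    return 0;
}

/* Flawed shape: without braces only the first statement belongs to the loop.
   GCC's -Wmisleading-indentation (enabled by -Wall) reports the second one. */
int sum_buggy(long *sum, size_t *last_index)
{
    size_t i;
    int rc = 0;
    *sum = 0;
    for (i = 0; i < NUM_ENTRIES; i++)
        *sum += palette[i];
        rc = log_entry(i, last_index);  /* runs once, after the loop: i == NUM_ENTRIES */
    return rc;
}

/* Corrected shape: braces make the control flow match the indentation, so the
   log call only ever sees indices the loop condition has already validated. */
int sum_fixed(long *sum, size_t *last_index)
{
    size_t i;
    int rc = 0;
    *sum = 0;
    for (i = 0; i < NUM_ENTRIES; i++) {
        *sum += palette[i];
        if (log_entry(i, last_index) != 0)
            rc = -1;
    }
    return rc;
}
```

Both functions compute the same sum; only the index handed to the logging call differs, which is why this kind of defect passes functional tests and surfaces only as a crash or as a compiler warning.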