Mailinglist Archive: opensuse-updates (145 mails)

< Previous Next >
openSUSE-SU-2018:1205-1: moderate: Security update for ImageMagick
openSUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1205-1
Rating: moderate
References: #1047356 #1058635 #1074117 #1086773 #1086782
#1087027 #1087033 #1087037 #1087039 #1087825
#1089781
Cross-References: CVE-2017-1000476 CVE-2017-10928 CVE-2017-11450
CVE-2017-14325 CVE-2017-17887 CVE-2017-18250
CVE-2017-18251 CVE-2017-18252 CVE-2017-18254
CVE-2018-10177 CVE-2018-8960 CVE-2018-9018
CVE-2018-9135
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes 13 vulnerabilities is now available.

Description:

This update for ImageMagick fixes the following issues:

- CVE-2017-14325: In ImageMagick, a memory leak vulnerability was found in
the function PersistPixelCache in magick/cache.c, which allowed
attackers to cause a denial of service (memory consumption in
ReadMPCImage in coders/mpc.c) via a crafted file. [bsc#1058635]
- CVE-2017-17887: In ImageMagick, a memory leak vulnerability was found in
the function GetImagePixelCache in magick/cache.c, which allowed
attackers to cause a denial of service via a crafted MNG image file that
is processed by ReadOneMNGImage. [bsc#1074117]
- CVE-2017-18250: A NULL pointer dereference vulnerability was found in
the function LogOpenCLBuildFailure in MagickCore/opencl.c, which could
lead to a denial of service via a crafted file. [bsc#1087039]
- CVE-2017-18251: A memory leak vulnerability was found in the function
ReadPCDImage in coders/pcd.c, which could lead to a denial of service
via a crafted file. [bsc#1087037]
- CVE-2017-18252: The MogrifyImageList function in MagickWand/mogrify.c
could allow attackers to cause a denial of service via a crafted file.
[bsc#1087033]
- CVE-2017-18254: A memory leak vulnerability was found in the function
WriteGIFImage in coders/gif.c, which could lead to denial of service
via a crafted file. [bsc#1087027]
- CVE-2018-8960: The ReadTIFFImage function in coders/tiff.c in
ImageMagick did not properly restrict memory allocation, leading to a
heap-based buffer over-read. [bsc#1086782]
- CVE-2018-9018: divide-by-zero in the ReadMNGImage function of
coders/png.c. Attackers could leverage this vulnerability to cause a
crash and denial of service via a crafted mng file. [bsc#1086773]
- CVE-2018-9135: heap-based buffer over-read in IsWEBPImageLossless in
coders/webp.c could lead to denial of service. [bsc#1087825]
- CVE-2018-10177: In ImageMagick, there was an infinite loop in the
ReadOneMNGImage function of the coders/png.c file. Remote attackers
could leverage this vulnerability to cause a denial of service via a
crafted mng file. [bsc#1089781]
- CVE-2017-10928: a heap-based buffer over-read in the GetNextToken
function in token.c could allow attackers to obtain sensitive
information from process memory or possibly have unspecified other
impact via a crafted SVG document that is mishandled in the
GetUserSpaceCoordinateValue function in coders/svg.c. [bsc#1047356]


This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended
installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-442=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

ImageMagick-6.8.8.1-61.2
ImageMagick-debuginfo-6.8.8.1-61.2
ImageMagick-debugsource-6.8.8.1-61.2
ImageMagick-devel-6.8.8.1-61.2
ImageMagick-extra-6.8.8.1-61.2
ImageMagick-extra-debuginfo-6.8.8.1-61.2
libMagick++-6_Q16-3-6.8.8.1-61.2
libMagick++-6_Q16-3-debuginfo-6.8.8.1-61.2
libMagick++-devel-6.8.8.1-61.2
libMagickCore-6_Q16-1-6.8.8.1-61.2
libMagickCore-6_Q16-1-debuginfo-6.8.8.1-61.2
libMagickWand-6_Q16-1-6.8.8.1-61.2
libMagickWand-6_Q16-1-debuginfo-6.8.8.1-61.2
perl-PerlMagick-6.8.8.1-61.2
perl-PerlMagick-debuginfo-6.8.8.1-61.2

- openSUSE Leap 42.3 (noarch):

ImageMagick-doc-6.8.8.1-61.2

- openSUSE Leap 42.3 (x86_64):

ImageMagick-devel-32bit-6.8.8.1-61.2
libMagick++-6_Q16-3-32bit-6.8.8.1-61.2
libMagick++-6_Q16-3-debuginfo-32bit-6.8.8.1-61.2
libMagick++-devel-32bit-6.8.8.1-61.2
libMagickCore-6_Q16-1-32bit-6.8.8.1-61.2
libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-61.2
libMagickWand-6_Q16-1-32bit-6.8.8.1-61.2
libMagickWand-6_Q16-1-debuginfo-32bit-6.8.8.1-61.2


References:

https://www.suse.com/security/cve/CVE-2017-1000476.html
https://www.suse.com/security/cve/CVE-2017-10928.html
https://www.suse.com/security/cve/CVE-2017-11450.html
https://www.suse.com/security/cve/CVE-2017-14325.html
https://www.suse.com/security/cve/CVE-2017-17887.html
https://www.suse.com/security/cve/CVE-2017-18250.html
https://www.suse.com/security/cve/CVE-2017-18251.html
https://www.suse.com/security/cve/CVE-2017-18252.html
https://www.suse.com/security/cve/CVE-2017-18254.html
https://www.suse.com/security/cve/CVE-2018-10177.html
https://www.suse.com/security/cve/CVE-2018-8960.html
https://www.suse.com/security/cve/CVE-2018-9018.html
https://www.suse.com/security/cve/CVE-2018-9135.html
https://bugzilla.suse.com/1047356
https://bugzilla.suse.com/1058635
https://bugzilla.suse.com/1074117
https://bugzilla.suse.com/1086773
https://bugzilla.suse.com/1086782
https://bugzilla.suse.com/1087027
https://bugzilla.suse.com/1087033
https://bugzilla.suse.com/1087037
https://bugzilla.suse.com/1087039
https://bugzilla.suse.com/1087825
https://bugzilla.suse.com/1089781


< Previous Next >
This Thread
  • No further messages