Security update for ImageMagick SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:1860-1 Final 1 1 2018-06-30T09:43:37Z current 2018-06-30T09:43:37Z 2018-06-30T09:43:37Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ImageMagick This update for ImageMagick fixes the following issues: These security issues were fixed: - CVE-2017-13758: Prevent heap-based buffer overflow in the TracePoint() function (bsc#1056277). - CVE-2017-10928: Prevent heap-based buffer over-read in the GetNextToken function that allowed remote attackers to obtain sensitive information from process memory or possibly have unspecified other impact via a crafted SVG document (bsc#1047356). - CVE-2018-9133: Long compute times in the tiff decoder have been fixed (bsc#1087820). - CVE-2018-11251: Heap-based buffer over-read in ReadSUNImage in coders/sun.c, which allows attackers to cause denial of service (bsc#1094237). - CVE-2017-18271: Infinite loop in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (bsc#1094204). - CVE-2018-11655: Memory leak in the GetImagePixelCache in MagickCore/cache.c was fixed (bsc#1095730) - CVE-2018-10804: Memory leak in WriteTIFFImage in coders/tiff.c was fixed (bsc#1095813) - CVE-2018-10805: Fixed memory leaks in bgr.c, rgb.c, cmyk.c, gray.c, ycbcr.c (bsc#1095812) This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2018-06/msg00055.html E-Mail link for openSUSE-SU-2018:1860-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 ImageMagick-6.8.8.1-64.1 ImageMagick-devel-6.8.8.1-64.1 ImageMagick-devel-32bit-6.8.8.1-64.1 ImageMagick-doc-6.8.8.1-64.1 ImageMagick-extra-6.8.8.1-64.1 libMagick++-6_Q16-3-6.8.8.1-64.1 libMagick++-6_Q16-3-32bit-6.8.8.1-64.1 libMagick++-devel-6.8.8.1-64.1 libMagick++-devel-32bit-6.8.8.1-64.1 libMagickCore-6_Q16-1-6.8.8.1-64.1 libMagickCore-6_Q16-1-32bit-6.8.8.1-64.1 libMagickWand-6_Q16-1-6.8.8.1-64.1 libMagickWand-6_Q16-1-32bit-6.8.8.1-64.1 perl-PerlMagick-6.8.8.1-64.1 ImageMagick-6.8.8.1-64.1 as a component of openSUSE Leap 42.3 ImageMagick-devel-6.8.8.1-64.1 as a component of openSUSE Leap 42.3 ImageMagick-devel-32bit-6.8.8.1-64.1 as a component of openSUSE Leap 42.3 ImageMagick-doc-6.8.8.1-64.1 as a component of openSUSE Leap 42.3 ImageMagick-extra-6.8.8.1-64.1 as a component of openSUSE Leap 42.3 libMagick++-6_Q16-3-6.8.8.1-64.1 as a component of openSUSE Leap 42.3 libMagick++-6_Q16-3-32bit-6.8.8.1-64.1 as a component of openSUSE Leap 42.3 libMagick++-devel-6.8.8.1-64.1 as a component of openSUSE Leap 42.3 libMagick++-devel-32bit-6.8.8.1-64.1 as a component of openSUSE Leap 42.3 libMagickCore-6_Q16-1-6.8.8.1-64.1 as a component of openSUSE Leap 42.3 libMagickCore-6_Q16-1-32bit-6.8.8.1-64.1 as a component of openSUSE Leap 42.3 libMagickWand-6_Q16-1-6.8.8.1-64.1 as a component of openSUSE Leap 42.3 libMagickWand-6_Q16-1-32bit-6.8.8.1-64.1 as a component of openSUSE Leap 42.3 perl-PerlMagick-6.8.8.1-64.1 as a component of openSUSE Leap 42.3 In ImageMagick 7.0.6-0, a heap-based buffer over-read in the GetNextToken function in token.c allows remote attackers to obtain sensitive information from process memory or possibly have unspecified other impact via a crafted SVG document that is mishandled in the GetUserSpaceCoordinateValue function in coders/svg.c. CVE-2017-10928 openSUSE Leap 42.3:ImageMagick-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-devel-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-devel-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-doc-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-extra-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-devel-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-devel-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-6.8.8.1-64.1 openSUSE Leap 42.3:perl-PerlMagick-6.8.8.1-64.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-06/msg00055.html https://www.suse.com/security/cve/CVE-2017-10928.html CVE-2017-10928 https://bugzilla.suse.com/1047356 SUSE Bug 1047356 https://bugzilla.suse.com/1047359 SUSE Bug 1047359 https://bugzilla.suse.com/1056277 SUSE Bug 1056277 https://bugzilla.suse.com/1060176 SUSE Bug 1060176 https://bugzilla.suse.com/1096261 SUSE Bug 1096261 In ImageMagick 7.0.6-10, there is a heap-based buffer overflow in the TracePoint() function in MagickCore/draw.c. CVE-2017-13758 openSUSE Leap 42.3:ImageMagick-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-devel-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-devel-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-doc-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-extra-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-devel-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-devel-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-6.8.8.1-64.1 openSUSE Leap 42.3:perl-PerlMagick-6.8.8.1-64.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-06/msg00055.html https://www.suse.com/security/cve/CVE-2017-13758.html CVE-2017-13758 https://bugzilla.suse.com/1056277 SUSE Bug 1056277 https://bugzilla.suse.com/1096261 SUSE Bug 1096261 In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted MIFF image file. CVE-2017-18271 openSUSE Leap 42.3:ImageMagick-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-devel-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-devel-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-doc-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-extra-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-devel-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-devel-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-6.8.8.1-64.1 openSUSE Leap 42.3:perl-PerlMagick-6.8.8.1-64.1 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-06/msg00055.html https://www.suse.com/security/cve/CVE-2017-18271.html CVE-2017-18271 https://bugzilla.suse.com/1094204 SUSE Bug 1094204 ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage in coders/tiff.c. CVE-2018-10804 openSUSE Leap 42.3:ImageMagick-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-devel-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-devel-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-doc-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-extra-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-devel-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-devel-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-6.8.8.1-64.1 openSUSE Leap 42.3:perl-PerlMagick-6.8.8.1-64.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-06/msg00055.html https://www.suse.com/security/cve/CVE-2018-10804.html CVE-2018-10804 https://bugzilla.suse.com/1095813 SUSE Bug 1095813 ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c. CVE-2018-10805 openSUSE Leap 42.3:ImageMagick-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-devel-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-devel-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-doc-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-extra-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-devel-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-devel-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-6.8.8.1-64.1 openSUSE Leap 42.3:perl-PerlMagick-6.8.8.1-64.1 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-06/msg00055.html https://www.suse.com/security/cve/CVE-2018-10805.html CVE-2018-10805 https://bugzilla.suse.com/1095812 SUSE Bug 1095812 In ImageMagick 7.0.7-23 Q16 x86_64 2018-01-24, there is a heap-based buffer over-read in ReadSUNImage in coders/sun.c, which allows attackers to cause a denial of service (application crash in SetGrayscaleImage in MagickCore/quantize.c) via a crafted SUN image file. CVE-2018-11251 openSUSE Leap 42.3:ImageMagick-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-devel-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-devel-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-doc-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-extra-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-devel-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-devel-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-6.8.8.1-64.1 openSUSE Leap 42.3:perl-PerlMagick-6.8.8.1-64.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-06/msg00055.html https://www.suse.com/security/cve/CVE-2018-11251.html CVE-2018-11251 https://bugzilla.suse.com/1094237 SUSE Bug 1094237 In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function GetImagePixelCache in MagickCore/cache.c, which allows attackers to cause a denial of service via a crafted CALS image file. CVE-2018-11655 openSUSE Leap 42.3:ImageMagick-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-devel-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-devel-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-doc-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-extra-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-devel-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-devel-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-6.8.8.1-64.1 openSUSE Leap 42.3:perl-PerlMagick-6.8.8.1-64.1 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-06/msg00055.html https://www.suse.com/security/cve/CVE-2018-11655.html CVE-2018-11655 https://bugzilla.suse.com/1095730 SUSE Bug 1095730 ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage and EncodeLabImage functions (coders/tiff.c), which results in a hang (tens of minutes) with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tiff file. CVE-2018-9133 openSUSE Leap 42.3:ImageMagick-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-devel-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-devel-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-doc-6.8.8.1-64.1 openSUSE Leap 42.3:ImageMagick-extra-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-devel-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagick++-devel-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-32bit-6.8.8.1-64.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-6.8.8.1-64.1 openSUSE Leap 42.3:perl-PerlMagick-6.8.8.1-64.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-06/msg00055.html https://www.suse.com/security/cve/CVE-2018-9133.html CVE-2018-9133 https://bugzilla.suse.com/1087820 SUSE Bug 1087820