Security update for GraphicsMagick SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1-1 Final 1 1 2019-03-23T10:38:52Z current 2019-03-23T10:38:52Z 2019-03-23T10:38:52Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for GraphicsMagick This update for GraphicsMagick fixes the following issues: Security vulnerabilities fixed: - CVE-2018-20184: Fixed heap-based buffer overflow in the WriteTGAImage function of tga.c (bsc#1119822) - CVE-2018-20189: Fixed denial of service vulnerability in ReadDIBImage function of coders/dib.c (bsc#1119790) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XQWUXM5I4JV4BSLELC7N5TQKRBPM4YQY/#XQWUXM5I4JV4BSLELC7N5TQKRBPM4YQY E-Mail link for openSUSE-SU-2019:1-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1119790 SUSE Bug 1119790 https://bugzilla.suse.com/1119822 SUSE Bug 1119822 https://www.suse.com/security/cve/CVE-2018-20184/ SUSE CVE CVE-2018-20184 page https://www.suse.com/security/cve/CVE-2018-20189/ SUSE CVE CVE-2018-20189 page openSUSE Leap 15.0 GraphicsMagick-1.3.29-lp150.3.18.1 GraphicsMagick-devel-1.3.29-lp150.3.18.1 libGraphicsMagick++-Q16-12-1.3.29-lp150.3.18.1 libGraphicsMagick++-devel-1.3.29-lp150.3.18.1 libGraphicsMagick-Q16-3-1.3.29-lp150.3.18.1 libGraphicsMagick3-config-1.3.29-lp150.3.18.1 libGraphicsMagickWand-Q16-2-1.3.29-lp150.3.18.1 perl-GraphicsMagick-1.3.29-lp150.3.18.1 GraphicsMagick-1.3.29-lp150.3.18.1 as a component of openSUSE Leap 15.0 GraphicsMagick-devel-1.3.29-lp150.3.18.1 as a component of openSUSE Leap 15.0 libGraphicsMagick++-Q16-12-1.3.29-lp150.3.18.1 as a component of openSUSE Leap 15.0 libGraphicsMagick++-devel-1.3.29-lp150.3.18.1 as a component of openSUSE Leap 15.0 libGraphicsMagick-Q16-3-1.3.29-lp150.3.18.1 as a component of openSUSE Leap 15.0 libGraphicsMagick3-config-1.3.29-lp150.3.18.1 as a component of openSUSE Leap 15.0 libGraphicsMagickWand-Q16-2-1.3.29-lp150.3.18.1 as a component of openSUSE Leap 15.0 perl-GraphicsMagick-1.3.29-lp150.3.18.1 as a component of openSUSE Leap 15.0 In GraphicsMagick 1.4 snapshot-20181209 Q8, there is a heap-based buffer overflow in the WriteTGAImage function of tga.c, which allows attackers to cause a denial of service via a crafted image file, because the number of rows or columns can exceed the pixel-dimension restrictions of the TGA specification. CVE-2018-20184 openSUSE Leap 15.0:GraphicsMagick-1.3.29-lp150.3.18.1 openSUSE Leap 15.0:GraphicsMagick-devel-1.3.29-lp150.3.18.1 openSUSE Leap 15.0:libGraphicsMagick++-Q16-12-1.3.29-lp150.3.18.1 openSUSE Leap 15.0:libGraphicsMagick++-devel-1.3.29-lp150.3.18.1 openSUSE Leap 15.0:libGraphicsMagick-Q16-3-1.3.29-lp150.3.18.1 openSUSE Leap 15.0:libGraphicsMagick3-config-1.3.29-lp150.3.18.1 openSUSE Leap 15.0:libGraphicsMagickWand-Q16-2-1.3.29-lp150.3.18.1 openSUSE Leap 15.0:perl-GraphicsMagick-1.3.29-lp150.3.18.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XQWUXM5I4JV4BSLELC7N5TQKRBPM4YQY/#XQWUXM5I4JV4BSLELC7N5TQKRBPM4YQY https://www.suse.com/security/cve/CVE-2018-20184.html CVE-2018-20184 https://bugzilla.suse.com/1119822 SUSE Bug 1119822 In GraphicsMagick 1.3.31, the ReadDIBImage function of coders/dib.c has a vulnerability allowing a crash and denial of service via a dib file that is crafted to appear with direct pixel values and also colormapping (which is not available beyond 8-bits/sample), and therefore lacks indexes initialization. CVE-2018-20189 openSUSE Leap 15.0:GraphicsMagick-1.3.29-lp150.3.18.1 openSUSE Leap 15.0:GraphicsMagick-devel-1.3.29-lp150.3.18.1 openSUSE Leap 15.0:libGraphicsMagick++-Q16-12-1.3.29-lp150.3.18.1 openSUSE Leap 15.0:libGraphicsMagick++-devel-1.3.29-lp150.3.18.1 openSUSE Leap 15.0:libGraphicsMagick-Q16-3-1.3.29-lp150.3.18.1 openSUSE Leap 15.0:libGraphicsMagick3-config-1.3.29-lp150.3.18.1 openSUSE Leap 15.0:libGraphicsMagickWand-Q16-2-1.3.29-lp150.3.18.1 openSUSE Leap 15.0:perl-GraphicsMagick-1.3.29-lp150.3.18.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XQWUXM5I4JV4BSLELC7N5TQKRBPM4YQY/#XQWUXM5I4JV4BSLELC7N5TQKRBPM4YQY https://www.suse.com/security/cve/CVE-2018-20189.html CVE-2018-20189 https://bugzilla.suse.com/1119790 SUSE Bug 1119790