Security update for ImageMagick SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1683-1 Final 1 1 2019-07-01T11:51:00Z current 2019-07-01T11:51:00Z 2019-07-01T11:51:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ImageMagick This update for ImageMagick fixes the following issues: Security issues fixed: - CVE-2019-11597: Fixed a heap-based buffer over-read in the WriteTIFFImage() (bsc#1138464). - Fixed a file content disclosure via SVG and WMF decoding (bsc#1138425).- CVE-2019-11472: Fixed a denial of service in ReadXWDImage() (bsc#1133204). - CVE-2019-11470: Fixed a denial of service in ReadCINImage() (bsc#1133205). - CVE-2019-11506: Fixed a heap-based buffer overflow in the WriteMATLABImage() (bsc#1133498). - CVE-2019-11505: Fixed a heap-based buffer overflow in the WritePDBImage() (bsc#1133501). - CVE-2019-10131: Fixed a off-by-one read in formatIPTCfromBuffer function in coders/meta.c (bsc#1134075). - CVE-2017-12806: Fixed a denial of service through memory exhaustion in format8BIM() (bsc#1135232). - CVE-2017-12805: Fixed a denial of service through memory exhaustion in ReadTIFFImage() (bsc#1135236). - CVE-2019-11598: Fixed a heap-based buffer over-read in WritePNMImage() (bsc#1136732) We also now disable PCL in the -SUSE configuration, as it also uses ghostscript for decoding (bsc#1136183) This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00001.html E-Mail link for openSUSE-SU-2019:1683-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 ImageMagick-6.8.8.1-85.1 ImageMagick-config-6-SUSE-6.8.8.1-85.1 ImageMagick-config-6-upstream-6.8.8.1-85.1 ImageMagick-devel-6.8.8.1-85.1 ImageMagick-devel-32bit-6.8.8.1-85.1 ImageMagick-doc-6.8.8.1-85.1 ImageMagick-extra-6.8.8.1-85.1 libMagick++-6_Q16-3-6.8.8.1-85.1 libMagick++-6_Q16-3-32bit-6.8.8.1-85.1 libMagick++-devel-6.8.8.1-85.1 libMagick++-devel-32bit-6.8.8.1-85.1 libMagickCore-6_Q16-1-6.8.8.1-85.1 libMagickCore-6_Q16-1-32bit-6.8.8.1-85.1 libMagickWand-6_Q16-1-6.8.8.1-85.1 libMagickWand-6_Q16-1-32bit-6.8.8.1-85.1 perl-PerlMagick-6.8.8.1-85.1 ImageMagick-6.8.8.1-85.1 as a component of openSUSE Leap 42.3 ImageMagick-config-6-SUSE-6.8.8.1-85.1 as a component of openSUSE Leap 42.3 ImageMagick-config-6-upstream-6.8.8.1-85.1 as a component of openSUSE Leap 42.3 ImageMagick-devel-6.8.8.1-85.1 as a component of openSUSE Leap 42.3 ImageMagick-devel-32bit-6.8.8.1-85.1 as a component of openSUSE Leap 42.3 ImageMagick-doc-6.8.8.1-85.1 as a component of openSUSE Leap 42.3 ImageMagick-extra-6.8.8.1-85.1 as a component of openSUSE Leap 42.3 libMagick++-6_Q16-3-6.8.8.1-85.1 as a component of openSUSE Leap 42.3 libMagick++-6_Q16-3-32bit-6.8.8.1-85.1 as a component of openSUSE Leap 42.3 libMagick++-devel-6.8.8.1-85.1 as a component of openSUSE Leap 42.3 libMagick++-devel-32bit-6.8.8.1-85.1 as a component of openSUSE Leap 42.3 libMagickCore-6_Q16-1-6.8.8.1-85.1 as a component of openSUSE Leap 42.3 libMagickCore-6_Q16-1-32bit-6.8.8.1-85.1 as a component of openSUSE Leap 42.3 libMagickWand-6_Q16-1-6.8.8.1-85.1 as a component of openSUSE Leap 42.3 libMagickWand-6_Q16-1-32bit-6.8.8.1-85.1 as a component of openSUSE Leap 42.3 perl-PerlMagick-6.8.8.1-85.1 as a component of openSUSE Leap 42.3 In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function ReadTIFFImage, which allows attackers to cause a denial of service. CVE-2017-12805 openSUSE Leap 42.3:ImageMagick-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-config-6-SUSE-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-config-6-upstream-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-devel-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-devel-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-doc-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-extra-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-devel-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-devel-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-6.8.8.1-85.1 openSUSE Leap 42.3:perl-PerlMagick-6.8.8.1-85.1 low Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00001.html https://www.suse.com/security/cve/CVE-2017-12805.html CVE-2017-12805 https://bugzilla.suse.com/1135236 SUSE Bug 1135236 In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function format8BIM, which allows attackers to cause a denial of service. CVE-2017-12806 openSUSE Leap 42.3:ImageMagick-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-config-6-SUSE-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-config-6-upstream-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-devel-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-devel-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-doc-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-extra-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-devel-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-devel-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-6.8.8.1-85.1 openSUSE Leap 42.3:perl-PerlMagick-6.8.8.1-85.1 low Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00001.html https://www.suse.com/security/cve/CVE-2017-12806.html CVE-2017-12806 https://bugzilla.suse.com/1135232 SUSE Bug 1135232 An off-by-one read vulnerability was discovered in ImageMagick before version 7.0.7-28 in the formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to crash the program. CVE-2019-10131 openSUSE Leap 42.3:ImageMagick-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-config-6-SUSE-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-config-6-upstream-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-devel-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-devel-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-doc-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-extra-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-devel-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-devel-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-6.8.8.1-85.1 openSUSE Leap 42.3:perl-PerlMagick-6.8.8.1-85.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00001.html https://www.suse.com/security/cve/CVE-2019-10131.html CVE-2019-10131 https://bugzilla.suse.com/1134075 SUSE Bug 1134075 The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size. This occurs because ReadCINImage in coders/cin.c lacks a check for insufficient image data in a file. CVE-2019-11470 openSUSE Leap 42.3:ImageMagick-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-config-6-SUSE-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-config-6-upstream-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-devel-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-devel-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-doc-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-extra-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-devel-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-devel-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-6.8.8.1-85.1 openSUSE Leap 42.3:perl-PerlMagick-6.8.8.1-85.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00001.html https://www.suse.com/security/cve/CVE-2019-11470.html CVE-2019-11470 https://bugzilla.suse.com/1133205 SUSE Bug 1133205 ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first. CVE-2019-11472 openSUSE Leap 42.3:ImageMagick-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-config-6-SUSE-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-config-6-upstream-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-devel-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-devel-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-doc-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-extra-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-devel-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-devel-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-6.8.8.1-85.1 openSUSE Leap 42.3:perl-PerlMagick-6.8.8.1-85.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00001.html https://www.suse.com/security/cve/CVE-2019-11472.html CVE-2019-11472 https://bugzilla.suse.com/1133202 SUSE Bug 1133202 https://bugzilla.suse.com/1133203 SUSE Bug 1133203 https://bugzilla.suse.com/1133204 SUSE Bug 1133204 https://bugzilla.suse.com/1146213 SUSE Bug 1146213 In GraphicsMagick from version 1.3.8 to 1.4 snapshot-20190403 Q8, there is a heap-based buffer overflow in the function WritePDBImage of coders/pdb.c, which allows an attacker to cause a denial of service or possibly have unspecified other impact via a crafted image file. This is related to MagickBitStreamMSBWrite in magick/bit_stream.c. CVE-2019-11505 openSUSE Leap 42.3:ImageMagick-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-config-6-SUSE-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-config-6-upstream-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-devel-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-devel-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-doc-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-extra-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-devel-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-devel-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-6.8.8.1-85.1 openSUSE Leap 42.3:perl-PerlMagick-6.8.8.1-85.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00001.html https://www.suse.com/security/cve/CVE-2019-11505.html CVE-2019-11505 https://bugzilla.suse.com/1133501 SUSE Bug 1133501 In GraphicsMagick from version 1.3.30 to 1.4 snapshot-20190403 Q8, there is a heap-based buffer overflow in the function WriteMATLABImage of coders/mat.c, which allows an attacker to cause a denial of service or possibly have unspecified other impact via a crafted image file. This is related to ExportRedQuantumType in magick/export.c. CVE-2019-11506 openSUSE Leap 42.3:ImageMagick-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-config-6-SUSE-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-config-6-upstream-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-devel-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-devel-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-doc-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-extra-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-devel-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-devel-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-6.8.8.1-85.1 openSUSE Leap 42.3:perl-PerlMagick-6.8.8.1-85.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00001.html https://www.suse.com/security/cve/CVE-2019-11506.html CVE-2019-11506 https://bugzilla.suse.com/1133498 SUSE Bug 1133498 In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. CVE-2019-11597 openSUSE Leap 42.3:ImageMagick-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-config-6-SUSE-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-config-6-upstream-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-devel-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-devel-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-doc-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-extra-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-devel-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-devel-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-6.8.8.1-85.1 openSUSE Leap 42.3:perl-PerlMagick-6.8.8.1-85.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00001.html https://www.suse.com/security/cve/CVE-2019-11597.html CVE-2019-11597 https://bugzilla.suse.com/1138464 SUSE Bug 1138464 https://bugzilla.suse.com/1146211 SUSE Bug 1146211 In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c. CVE-2019-11598 openSUSE Leap 42.3:ImageMagick-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-config-6-SUSE-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-config-6-upstream-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-devel-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-devel-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-doc-6.8.8.1-85.1 openSUSE Leap 42.3:ImageMagick-extra-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-6_Q16-3-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-devel-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagick++-devel-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickCore-6_Q16-1-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-32bit-6.8.8.1-85.1 openSUSE Leap 42.3:libMagickWand-6_Q16-1-6.8.8.1-85.1 openSUSE Leap 42.3:perl-PerlMagick-6.8.8.1-85.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00001.html https://www.suse.com/security/cve/CVE-2019-11598.html CVE-2019-11598 https://bugzilla.suse.com/1136732 SUSE Bug 1136732