SUSE-SU-2018:1129-1: moderate: Security update for ImageMagick

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Wed May 2 13:08:47 MDT 2018 

   SUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:1129-1
Rating:             moderate
References:         #1047356 #1086773 #1086782 #1087027 #1087033 
                    #1087037 #1089781 
Cross-References:   CVE-2017-1000476 CVE-2017-10928 CVE-2017-18251
                    CVE-2017-18252 CVE-2017-18254 CVE-2018-10177
                    CVE-2018-8960 CVE-2018-9018
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes 8 vulnerabilities is now available.

Description:

   This update for ImageMagick fixes the following issues:


   - security update (png.c)
     * CVE-2018-9018: divide-by-zero in the ReadMNGImage function of
       coders/png.c. Attackers could leverage this vulnerability to cause a
       crash and denial of service via a crafted mng file. [bsc#1086773]
     * CVE-2018-10177: there is an infinite loop in the
       ReadOneMNGImagefunction of the coders/png.c file. Remote attackers
       could leverage thisvulnerability to cause a denial of service
       (bsc#1089781)

   - security update (wand)
     * CVE-2017-18252: The MogrifyImageList function in MagickWand/mogrify.c
       could allow attackers to cause a denial of service via a crafted file.
       [bsc#1087033]

   - security update (gif.c)
     * CVE-2017-18254: A memory leak vulnerability was found in the function
       WriteGIFImage in coders/gif.c, which could lead to  denial of service
       via a crafted file. [bsc#1087027]

   - security update (core)
     * CVE-2017-10928: a heap-based buffer over-read in the GetNextToken
       function in token.c could allow attackers to obtain sensitive
       information from process memory or possibly have unspecified other
       impact via a crafted SVG document that is mishandled in the
       GetUserSpaceCoordinateValue function in coders/svg.c. [bsc#1047356]

   - security update (pcd.c)
     * CVE-2017-18251: A memory leak vulnerability was found in the function
       ReadPCDImage in coders/pcd.c, which could lead to a denial of service
       via a crafted file. [bsc#1087037]

   - security update (gif.c)
     * CVE-2017-18254: A memory leak vulnerability was found in the function
       WriteGIFImage in coders/gif.c, which could lead to denial of service
       via a crafted file. [bsc#1087027]

   - security update (tiff.c)
     * CVE-2018-8960: The ReadTIFFImage function in coders/tiff.c in
       ImageMagick memory allocation issue could lead to denial of service
       (bsc#1086782)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-ImageMagick-13586=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-ImageMagick-13586=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-ImageMagick-13586=1



Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      ImageMagick-6.4.3.6-78.45.1
      ImageMagick-devel-6.4.3.6-78.45.1
      libMagick++-devel-6.4.3.6-78.45.1
      libMagick++1-6.4.3.6-78.45.1
      libMagickWand1-6.4.3.6-78.45.1
      perl-PerlMagick-6.4.3.6-78.45.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):

      libMagickWand1-32bit-6.4.3.6-78.45.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libMagickCore1-6.4.3.6-78.45.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      libMagickCore1-32bit-6.4.3.6-78.45.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      ImageMagick-debuginfo-6.4.3.6-78.45.1
      ImageMagick-debugsource-6.4.3.6-78.45.1


References:

   https://www.suse.com/security/cve/CVE-2017-1000476.html
   https://www.suse.com/security/cve/CVE-2017-10928.html
   https://www.suse.com/security/cve/CVE-2017-18251.html
   https://www.suse.com/security/cve/CVE-2017-18252.html
   https://www.suse.com/security/cve/CVE-2017-18254.html
   https://www.suse.com/security/cve/CVE-2018-10177.html
   https://www.suse.com/security/cve/CVE-2018-8960.html
   https://www.suse.com/security/cve/CVE-2018-9018.html
   https://bugzilla.suse.com/1047356
   https://bugzilla.suse.com/1086773
   https://bugzilla.suse.com/1086782
   https://bugzilla.suse.com/1087027
   https://bugzilla.suse.com/1087033
   https://bugzilla.suse.com/1087037
   https://bugzilla.suse.com/1089781

More information about the sle-security-updates mailing list