SUSE-SU-2018:1178-1: moderate: Security update for ImageMagick

sle-security-updates at lists.suse.com
Wed May 9 10:10:25 MDT 2018


   SUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:1178-1
Rating:             moderate
References:         #1047356 #1058635 #1074117 #1086773 #1086782 
                    #1087027 #1087033 #1087037 #1087039 #1087825 
                    #1089781 
Cross-References:   CVE-2017-1000476 CVE-2017-10928 CVE-2017-11450
                    CVE-2017-14325 CVE-2017-17887 CVE-2017-18250
                    CVE-2017-18251 CVE-2017-18252 CVE-2017-18254
                    CVE-2018-10177 CVE-2018-8960 CVE-2018-9018
                    CVE-2018-9135
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP3
                    SUSE Linux Enterprise Software Development Kit 12-SP3
                    SUSE Linux Enterprise Server 12-SP3
                    SUSE Linux Enterprise Desktop 12-SP3
______________________________________________________________________________

   An update that fixes 13 vulnerabilities is now available.

Description:

   This update for ImageMagick fixes the following issues:

   - CVE-2017-14325: In ImageMagick, a memory leak vulnerability was found in
     the function PersistPixelCache in magick/cache.c, which allowed
     attackers to cause a denial of service (memory consumption in
     ReadMPCImage in coders/mpc.c) via a crafted file.  [bsc#1058635]
   - CVE-2017-17887: In ImageMagick, a memory leak vulnerability was found in
     the function GetImagePixelCache in magick/cache.c, which allowed
     attackers to cause a denial of service via a crafted MNG image file that
     is processed by ReadOneMNGImage.  [bsc#1074117]
   - CVE-2017-18250: A NULL pointer dereference vulnerability was found in
     the function LogOpenCLBuildFailure in MagickCore/opencl.c, which could
     lead to a denial of service via a crafted file. [bsc#1087039]
   - CVE-2017-18251: A memory leak vulnerability was found in the function
     ReadPCDImage in coders/pcd.c, which could lead to a denial of service
     via a crafted file. [bsc#1087037]
   - CVE-2017-18252: The MogrifyImageList function in MagickWand/mogrify.c
     could allow attackers to cause a denial of service via a crafted file.
     [bsc#1087033]
   - CVE-2017-18254: A memory leak vulnerability was found in the function
     WriteGIFImage in coders/gif.c, which could lead to a denial of service
     via a crafted file. [bsc#1087027]
   - CVE-2018-8960: The ReadTIFFImage function in coders/tiff.c in
     ImageMagick did not properly restrict memory allocation, leading to a
     heap-based buffer over-read.  [bsc#1086782]
   - CVE-2018-9018: A divide-by-zero was found in the ReadMNGImage function
     of coders/png.c. Attackers could leverage this vulnerability to cause a
     crash and denial of service via a crafted MNG file. [bsc#1086773]
   - CVE-2018-9135: A heap-based buffer over-read in IsWEBPImageLossless in
     coders/webp.c could lead to denial of service. [bsc#1087825]
   - CVE-2018-10177: In ImageMagick, there was an infinite loop in the
     ReadOneMNGImage function of the coders/png.c file. Remote attackers
     could leverage this vulnerability to cause a denial of service via a
     crafted MNG file. [bsc#1089781]
   - CVE-2017-10928: A heap-based buffer over-read in the GetNextToken
     function in token.c could allow attackers to obtain sensitive
     information from process memory or possibly have unspecified other
     impact via a crafted SVG document that is mishandled in the
     GetUserSpaceCoordinateValue function in coders/svg.c. [bsc#1047356]


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP3:

      zypper in -t patch SUSE-SLE-WE-12-SP3-2018-818=1

   - SUSE Linux Enterprise Software Development Kit 12-SP3:

      zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-818=1

   - SUSE Linux Enterprise Server 12-SP3:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-818=1

   - SUSE Linux Enterprise Desktop 12-SP3:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-818=1



Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64):

      ImageMagick-6.8.8.1-71.54.5
      ImageMagick-debuginfo-6.8.8.1-71.54.5
      ImageMagick-debugsource-6.8.8.1-71.54.5
      libMagick++-6_Q16-3-6.8.8.1-71.54.5
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.54.5
      libMagickCore-6_Q16-1-32bit-6.8.8.1-71.54.5
      libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-71.54.5

   - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):

      ImageMagick-6.8.8.1-71.54.5
      ImageMagick-debuginfo-6.8.8.1-71.54.5
      ImageMagick-debugsource-6.8.8.1-71.54.5
      ImageMagick-devel-6.8.8.1-71.54.5
      libMagick++-6_Q16-3-6.8.8.1-71.54.5
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.54.5
      libMagick++-devel-6.8.8.1-71.54.5
      perl-PerlMagick-6.8.8.1-71.54.5
      perl-PerlMagick-debuginfo-6.8.8.1-71.54.5

   - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):

      ImageMagick-debuginfo-6.8.8.1-71.54.5
      ImageMagick-debugsource-6.8.8.1-71.54.5
      libMagickCore-6_Q16-1-6.8.8.1-71.54.5
      libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.54.5
      libMagickWand-6_Q16-1-6.8.8.1-71.54.5
      libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.54.5

   - SUSE Linux Enterprise Desktop 12-SP3 (x86_64):

      ImageMagick-6.8.8.1-71.54.5
      ImageMagick-debuginfo-6.8.8.1-71.54.5
      ImageMagick-debugsource-6.8.8.1-71.54.5
      libMagick++-6_Q16-3-6.8.8.1-71.54.5
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.54.5
      libMagickCore-6_Q16-1-32bit-6.8.8.1-71.54.5
      libMagickCore-6_Q16-1-6.8.8.1-71.54.5
      libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-71.54.5
      libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.54.5
      libMagickWand-6_Q16-1-6.8.8.1-71.54.5
      libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.54.5
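
   A post-patch check for the package list above, added here as an example
   and not part of the SUSE announcement: it reads an rpm inventory and
   reports every ImageMagick package still older than 6.8.8.1-71.54.5. The
   function names and the sample inventory are constructed, and GNU sort -V
   is assumed as a stand-in for rpm's own version comparison.

```shell
#!/bin/sh
# Fixed version-release, taken from the advisory's package list.
FIXED="6.8.8.1-71.54.5"

# Succeeds when version-release $1 sorts strictly before $2.
# Assumption: GNU `sort -V` stands in for rpm's comparison; the two agree
# for purely numeric dotted strings like the ones in this advisory.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Reads "name version-release" lines on stdin and prints each package from
# this advisory's families that is older than $FIXED.
# Returns 1 if any such package was found, 0 otherwise.
find_unpatched() {
    rc=0
    while read -r name vr; do
        case "$name" in
            ImageMagick|ImageMagick-*|libMagick*|perl-PerlMagick*) ;;
            *) continue ;;   # package not covered by this advisory
        esac
        if ver_lt "$vr" "$FIXED"; then
            printf '%s %s (needs >= %s)\n' "$name" "$vr" "$FIXED"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample inventory (not from a real host): one patched library,
# one stale library, one stale tool whose release (71.9.1) would compare
# wrongly as a plain string, and one unrelated package.
SAMPLE='libMagickCore-6_Q16-1 6.8.8.1-71.54.5
libMagickWand-6_Q16-1 6.8.8.1-71.47.1
ImageMagick 6.8.8.1-71.9.1
bash 4.3-83.5.2'

# On a live host, feed the real inventory instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | find_unpatched
printf '%s\n' "$SAMPLE" | find_unpatched || true
```

   The non-zero return status on a finding lets the check gate a
   configuration-management run or a compliance job.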


References:

   https://www.suse.com/security/cve/CVE-2017-1000476.html
   https://www.suse.com/security/cve/CVE-2017-10928.html
   https://www.suse.com/security/cve/CVE-2017-11450.html
   https://www.suse.com/security/cve/CVE-2017-14325.html
   https://www.suse.com/security/cve/CVE-2017-17887.html
   https://www.suse.com/security/cve/CVE-2017-18250.html
   https://www.suse.com/security/cve/CVE-2017-18251.html
   https://www.suse.com/security/cve/CVE-2017-18252.html
   https://www.suse.com/security/cve/CVE-2017-18254.html
   https://www.suse.com/security/cve/CVE-2018-10177.html
   https://www.suse.com/security/cve/CVE-2018-8960.html
   https://www.suse.com/security/cve/CVE-2018-9018.html
   https://www.suse.com/security/cve/CVE-2018-9135.html
   https://bugzilla.suse.com/1047356
   https://bugzilla.suse.com/1058635
   https://bugzilla.suse.com/1074117
   https://bugzilla.suse.com/1086773
   https://bugzilla.suse.com/1086782
   https://bugzilla.suse.com/1087027
   https://bugzilla.suse.com/1087033
   https://bugzilla.suse.com/1087037
   https://bugzilla.suse.com/1087039
   https://bugzilla.suse.com/1087825
   https://bugzilla.suse.com/1089781


