Security update for GraphicsMagick SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:3020-1 Final 1 1 2017-11-15T11:00:44Z current 2017-11-15T11:00:44Z 2017-11-15T11:00:44Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for GraphicsMagick This update for GraphicsMagick fixes the following security issues: - CVE-2017-13776: denial of service issue in ReadXBMImage() in a coders/xbm.c (bsc#1056429) - CVE-2017-13777: denial of service issue in ReadXBMImage() in a coders/xbm.c (bsc#1056426) - CVE-2017-13134: heap-based buffer over-read allowing DoS via crafted sfw files (bsc#1055214) - CVE-2017-15930: Specially crafted JPEG files could lead to a Null Pointer dereference and DoS (bsc#1066003) - CVE-2017-14165: Memory allocation issue may allow DoS through specially crafted files (bsc#1057508) - CVE-2017-12983: Heap-based buffer overflow could have triggered an application crash or possibly have unspecified other impact via a crafted file. (bnc#1054757) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-11/msg00048.html E-Mail link for openSUSE-SU-2017:3020-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 GraphicsMagick-1.3.25-39.1 GraphicsMagick-devel-1.3.25-39.1 libGraphicsMagick++-Q16-12-1.3.25-39.1 libGraphicsMagick++-devel-1.3.25-39.1 libGraphicsMagick-Q16-3-1.3.25-39.1 libGraphicsMagick3-config-1.3.25-39.1 libGraphicsMagickWand-Q16-2-1.3.25-39.1 perl-GraphicsMagick-1.3.25-39.1 GraphicsMagick-1.3.25-39.1 as a component of openSUSE Leap 42.2 GraphicsMagick-devel-1.3.25-39.1 as a component of openSUSE Leap 42.2 libGraphicsMagick++-Q16-12-1.3.25-39.1 as a component of openSUSE Leap 42.2 libGraphicsMagick++-devel-1.3.25-39.1 as a component of openSUSE Leap 42.2 libGraphicsMagick-Q16-3-1.3.25-39.1 as a component of openSUSE Leap 42.2 libGraphicsMagick3-config-1.3.25-39.1 as a component of openSUSE Leap 42.2 libGraphicsMagickWand-Q16-2-1.3.25-39.1 as a component of openSUSE Leap 42.2 perl-GraphicsMagick-1.3.25-39.1 as a component of openSUSE Leap 42.2 GraphicsMagick-1.3.25-39.1 as a component of openSUSE Leap 42.3 GraphicsMagick-devel-1.3.25-39.1 as a component of openSUSE Leap 42.3 libGraphicsMagick++-Q16-12-1.3.25-39.1 as a component of openSUSE Leap 42.3 libGraphicsMagick++-devel-1.3.25-39.1 as a component of openSUSE Leap 42.3 libGraphicsMagick-Q16-3-1.3.25-39.1 as a component of openSUSE Leap 42.3 libGraphicsMagick3-config-1.3.25-39.1 as a component of openSUSE Leap 42.3 libGraphicsMagickWand-Q16-2-1.3.25-39.1 as a component of openSUSE Leap 42.3 perl-GraphicsMagick-1.3.25-39.1 as a component of openSUSE Leap 42.3 Heap-based buffer overflow in the ReadSFWImage function in coders/sfw.c in ImageMagick 7.0.6-8 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file. CVE-2017-12983 openSUSE Leap 42.2:GraphicsMagick-1.3.25-39.1 openSUSE Leap 42.2:GraphicsMagick-devel-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick++-Q16-12-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick++-devel-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick-Q16-3-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick3-config-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagickWand-Q16-2-1.3.25-39.1 openSUSE Leap 42.2:perl-GraphicsMagick-1.3.25-39.1 openSUSE Leap 42.3:GraphicsMagick-1.3.25-39.1 openSUSE Leap 42.3:GraphicsMagick-devel-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick++-Q16-12-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick++-devel-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick-Q16-3-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick3-config-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagickWand-Q16-2-1.3.25-39.1 openSUSE Leap 42.3:perl-GraphicsMagick-1.3.25-39.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-11/msg00048.html https://www.suse.com/security/cve/CVE-2017-12983.html CVE-2017-12983 https://bugzilla.suse.com/1054757 SUSE Bug 1054757 In ImageMagick 7.0.6-6 and GraphicsMagick 1.3.26, a heap-based buffer over-read was found in the function SFWScan in coders/sfw.c, which allows attackers to cause a denial of service via a crafted file. CVE-2017-13134 openSUSE Leap 42.2:GraphicsMagick-1.3.25-39.1 openSUSE Leap 42.2:GraphicsMagick-devel-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick++-Q16-12-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick++-devel-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick-Q16-3-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick3-config-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagickWand-Q16-2-1.3.25-39.1 openSUSE Leap 42.2:perl-GraphicsMagick-1.3.25-39.1 openSUSE Leap 42.3:GraphicsMagick-1.3.25-39.1 openSUSE Leap 42.3:GraphicsMagick-devel-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick++-Q16-12-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick++-devel-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick-Q16-3-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick3-config-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagickWand-Q16-2-1.3.25-39.1 openSUSE Leap 42.3:perl-GraphicsMagick-1.3.25-39.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-11/msg00048.html https://www.suse.com/security/cve/CVE-2017-13134.html CVE-2017-13134 https://bugzilla.suse.com/1055214 SUSE Bug 1055214 GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage() in a coders/xbm.c "Read hex image data" version!=10 case that results in the reader not returning; it would cause large amounts of CPU and memory consumption although the crafted file itself does not request it. CVE-2017-13776 openSUSE Leap 42.2:GraphicsMagick-1.3.25-39.1 openSUSE Leap 42.2:GraphicsMagick-devel-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick++-Q16-12-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick++-devel-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick-Q16-3-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick3-config-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagickWand-Q16-2-1.3.25-39.1 openSUSE Leap 42.2:perl-GraphicsMagick-1.3.25-39.1 openSUSE Leap 42.3:GraphicsMagick-1.3.25-39.1 openSUSE Leap 42.3:GraphicsMagick-devel-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick++-Q16-12-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick++-devel-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick-Q16-3-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick3-config-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagickWand-Q16-2-1.3.25-39.1 openSUSE Leap 42.3:perl-GraphicsMagick-1.3.25-39.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-11/msg00048.html https://www.suse.com/security/cve/CVE-2017-13776.html CVE-2017-13776 https://bugzilla.suse.com/1056429 SUSE Bug 1056429 https://bugzilla.suse.com/1106855 SUSE Bug 1106855 GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage() in a coders/xbm.c "Read hex image data" version==10 case that results in the reader not returning; it would cause large amounts of CPU and memory consumption although the crafted file itself does not request it. CVE-2017-13777 openSUSE Leap 42.2:GraphicsMagick-1.3.25-39.1 openSUSE Leap 42.2:GraphicsMagick-devel-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick++-Q16-12-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick++-devel-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick-Q16-3-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick3-config-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagickWand-Q16-2-1.3.25-39.1 openSUSE Leap 42.2:perl-GraphicsMagick-1.3.25-39.1 openSUSE Leap 42.3:GraphicsMagick-1.3.25-39.1 openSUSE Leap 42.3:GraphicsMagick-devel-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick++-Q16-12-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick++-devel-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick-Q16-3-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick3-config-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagickWand-Q16-2-1.3.25-39.1 openSUSE Leap 42.3:perl-GraphicsMagick-1.3.25-39.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-11/msg00048.html https://www.suse.com/security/cve/CVE-2017-13777.html CVE-2017-13777 https://bugzilla.suse.com/1056426 SUSE Bug 1056426 https://bugzilla.suse.com/1057719 SUSE Bug 1057719 The ReadSUNImage function in coders/sun.c in GraphicsMagick 1.3.26 has an issue where memory allocation is excessive because it depends only on a length field in a header. This may lead to remote denial of service in the MagickMalloc function in magick/memory.c. CVE-2017-14165 openSUSE Leap 42.2:GraphicsMagick-1.3.25-39.1 openSUSE Leap 42.2:GraphicsMagick-devel-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick++-Q16-12-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick++-devel-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick-Q16-3-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick3-config-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagickWand-Q16-2-1.3.25-39.1 openSUSE Leap 42.2:perl-GraphicsMagick-1.3.25-39.1 openSUSE Leap 42.3:GraphicsMagick-1.3.25-39.1 openSUSE Leap 42.3:GraphicsMagick-devel-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick++-Q16-12-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick++-devel-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick-Q16-3-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick3-config-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagickWand-Q16-2-1.3.25-39.1 openSUSE Leap 42.3:perl-GraphicsMagick-1.3.25-39.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-11/msg00048.html https://www.suse.com/security/cve/CVE-2017-14165.html CVE-2017-14165 https://bugzilla.suse.com/1052553 SUSE Bug 1052553 https://bugzilla.suse.com/1057508 SUSE Bug 1057508 https://bugzilla.suse.com/1059666 SUSE Bug 1059666 In ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26, a Null Pointer Dereference occurs while transferring JPEG scanlines, related to a PixelPacket pointer. CVE-2017-15930 openSUSE Leap 42.2:GraphicsMagick-1.3.25-39.1 openSUSE Leap 42.2:GraphicsMagick-devel-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick++-Q16-12-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick++-devel-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick-Q16-3-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagick3-config-1.3.25-39.1 openSUSE Leap 42.2:libGraphicsMagickWand-Q16-2-1.3.25-39.1 openSUSE Leap 42.2:perl-GraphicsMagick-1.3.25-39.1 openSUSE Leap 42.3:GraphicsMagick-1.3.25-39.1 openSUSE Leap 42.3:GraphicsMagick-devel-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick++-Q16-12-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick++-devel-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick-Q16-3-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagick3-config-1.3.25-39.1 openSUSE Leap 42.3:libGraphicsMagickWand-Q16-2-1.3.25-39.1 openSUSE Leap 42.3:perl-GraphicsMagick-1.3.25-39.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-11/msg00048.html https://www.suse.com/security/cve/CVE-2017-15930.html CVE-2017-15930 https://bugzilla.suse.com/1066003 SUSE Bug 1066003