Security update for GraphicsMagick SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:3223-1 Final 1 1 2017-12-05T21:01:21Z current 2017-12-05T21:01:21Z 2017-12-05T21:01:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for GraphicsMagick This update for GraphicsMagick fixes the following issues: Security issues fixed: - CVE-2017-16546: Fix ReadWPGImage function in coders/wpg.c that could lead to a denial of service (bsc#1067181). - CVE-2017-14342: Fix a memory exhaustion vulnerability in ReadWPGImage in coders/wpg.c that could lead to a denial of service (bsc#1058485). - CVE-2017-16669: Fix coders/wpg.c that allows remote attackers to cause a denial of service via crafted files (bsc#1067409). - CVE-2017-16545: Fix the ReadWPGImage function in coders/wpg.c as a validation problems could lead to a denial of service (bsc#1067184). - CVE-2017-14341: Fix infinite loop in the ReadWPGImage function (bsc#1058637). - CVE-2017-13737: Fix invalid free in the MagickFree function in magick/memory.c (tiff.c) (bsc#1056162). - CVE-2017-11640: Fix NULL pointer deref in WritePTIFImage() in coders/tiff.c (bsc#1050632). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00010.html E-Mail link for openSUSE-SU-2017:3223-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 GraphicsMagick-1.3.25-44.1 GraphicsMagick-devel-1.3.25-44.1 libGraphicsMagick++-Q16-12-1.3.25-44.1 libGraphicsMagick++-devel-1.3.25-44.1 libGraphicsMagick-Q16-3-1.3.25-44.1 libGraphicsMagick3-config-1.3.25-44.1 libGraphicsMagickWand-Q16-2-1.3.25-44.1 perl-GraphicsMagick-1.3.25-44.1 GraphicsMagick-1.3.25-44.1 as a component of openSUSE Leap 42.2 GraphicsMagick-devel-1.3.25-44.1 as a component of openSUSE Leap 42.2 libGraphicsMagick++-Q16-12-1.3.25-44.1 as a component of openSUSE Leap 42.2 libGraphicsMagick++-devel-1.3.25-44.1 as a component of openSUSE Leap 42.2 libGraphicsMagick-Q16-3-1.3.25-44.1 as a component of openSUSE Leap 42.2 libGraphicsMagick3-config-1.3.25-44.1 as a component of openSUSE Leap 42.2 libGraphicsMagickWand-Q16-2-1.3.25-44.1 as a component of openSUSE Leap 42.2 perl-GraphicsMagick-1.3.25-44.1 as a component of openSUSE Leap 42.2 GraphicsMagick-1.3.25-44.1 as a component of openSUSE Leap 42.3 GraphicsMagick-devel-1.3.25-44.1 as a component of openSUSE Leap 42.3 libGraphicsMagick++-Q16-12-1.3.25-44.1 as a component of openSUSE Leap 42.3 libGraphicsMagick++-devel-1.3.25-44.1 as a component of openSUSE Leap 42.3 libGraphicsMagick-Q16-3-1.3.25-44.1 as a component of openSUSE Leap 42.3 libGraphicsMagick3-config-1.3.25-44.1 as a component of openSUSE Leap 42.3 libGraphicsMagickWand-Q16-2-1.3.25-44.1 as a component of openSUSE Leap 42.3 perl-GraphicsMagick-1.3.25-44.1 as a component of openSUSE Leap 42.3 When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to an address access exception in the WritePTIFImage() function in coders/tiff.c. CVE-2017-11640 openSUSE Leap 42.2:GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.2:GraphicsMagick-devel-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick++-Q16-12-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick++-devel-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick-Q16-3-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick3-config-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagickWand-Q16-2-1.3.25-44.1 openSUSE Leap 42.2:perl-GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.3:GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.3:GraphicsMagick-devel-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick++-Q16-12-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick++-devel-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick-Q16-3-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick3-config-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagickWand-Q16-2-1.3.25-44.1 openSUSE Leap 42.3:perl-GraphicsMagick-1.3.25-44.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00010.html https://www.suse.com/security/cve/CVE-2017-11640.html CVE-2017-11640 https://bugzilla.suse.com/1050632 SUSE Bug 1050632 There is an invalid free in the MagickFree function in magick/memory.c in GraphicsMagick 1.3.26 that will lead to a remote denial of service attack. CVE-2017-13737 openSUSE Leap 42.2:GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.2:GraphicsMagick-devel-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick++-Q16-12-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick++-devel-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick-Q16-3-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick3-config-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagickWand-Q16-2-1.3.25-44.1 openSUSE Leap 42.2:perl-GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.3:GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.3:GraphicsMagick-devel-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick++-Q16-12-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick++-devel-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick-Q16-3-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick3-config-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagickWand-Q16-2-1.3.25-44.1 openSUSE Leap 42.3:perl-GraphicsMagick-1.3.25-44.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00010.html https://www.suse.com/security/cve/CVE-2017-13737.html CVE-2017-13737 https://bugzilla.suse.com/1056162 SUSE Bug 1056162 ImageMagick 7.0.6-6 has a large loop vulnerability in ReadWPGImage in coders/wpg.c, causing CPU exhaustion via a crafted wpg image file. CVE-2017-14341 openSUSE Leap 42.2:GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.2:GraphicsMagick-devel-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick++-Q16-12-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick++-devel-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick-Q16-3-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick3-config-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagickWand-Q16-2-1.3.25-44.1 openSUSE Leap 42.2:perl-GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.3:GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.3:GraphicsMagick-devel-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick++-Q16-12-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick++-devel-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick-Q16-3-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick3-config-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagickWand-Q16-2-1.3.25-44.1 openSUSE Leap 42.3:perl-GraphicsMagick-1.3.25-44.1 low 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00010.html https://www.suse.com/security/cve/CVE-2017-14341.html CVE-2017-14341 https://bugzilla.suse.com/1058637 SUSE Bug 1058637 ImageMagick 7.0.6-6 has a memory exhaustion vulnerability in ReadWPGImage in coders/wpg.c via a crafted wpg image file. CVE-2017-14342 openSUSE Leap 42.2:GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.2:GraphicsMagick-devel-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick++-Q16-12-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick++-devel-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick-Q16-3-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick3-config-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagickWand-Q16-2-1.3.25-44.1 openSUSE Leap 42.2:perl-GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.3:GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.3:GraphicsMagick-devel-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick++-Q16-12-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick++-devel-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick-Q16-3-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick3-config-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagickWand-Q16-2-1.3.25-44.1 openSUSE Leap 42.3:perl-GraphicsMagick-1.3.25-44.1 low 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00010.html https://www.suse.com/security/cve/CVE-2017-14342.html CVE-2017-14342 https://bugzilla.suse.com/1058485 SUSE Bug 1058485 The ReadWPGImage function in coders/wpg.c in GraphicsMagick 1.3.26 does not properly validate colormapped images, which allows remote attackers to cause a denial of service (ImportIndexQuantumType invalid write and application crash) or possibly have unspecified other impact via a malformed WPG image. CVE-2017-16545 openSUSE Leap 42.2:GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.2:GraphicsMagick-devel-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick++-Q16-12-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick++-devel-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick-Q16-3-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick3-config-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagickWand-Q16-2-1.3.25-44.1 openSUSE Leap 42.2:perl-GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.3:GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.3:GraphicsMagick-devel-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick++-Q16-12-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick++-devel-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick-Q16-3-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick3-config-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagickWand-Q16-2-1.3.25-44.1 openSUSE Leap 42.3:perl-GraphicsMagick-1.3.25-44.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00010.html https://www.suse.com/security/cve/CVE-2017-16545.html CVE-2017-16545 https://bugzilla.suse.com/1067184 SUSE Bug 1067184 The ReadWPGImage function in coders/wpg.c in ImageMagick 7.0.7-9 does not properly validate the colormap index in a WPG palette, which allows remote attackers to cause a denial of service (use of uninitialized data or invalid memory allocation) or possibly have unspecified other impact via a malformed WPG file. CVE-2017-16546 openSUSE Leap 42.2:GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.2:GraphicsMagick-devel-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick++-Q16-12-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick++-devel-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick-Q16-3-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick3-config-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagickWand-Q16-2-1.3.25-44.1 openSUSE Leap 42.2:perl-GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.3:GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.3:GraphicsMagick-devel-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick++-Q16-12-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick++-devel-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick-Q16-3-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick3-config-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagickWand-Q16-2-1.3.25-44.1 openSUSE Leap 42.3:perl-GraphicsMagick-1.3.25-44.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00010.html https://www.suse.com/security/cve/CVE-2017-16546.html CVE-2017-16546 https://bugzilla.suse.com/1067181 SUSE Bug 1067181 coders/wpg.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file, related to the AcquireCacheNexus function in magick/pixel_cache.c. CVE-2017-16669 openSUSE Leap 42.2:GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.2:GraphicsMagick-devel-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick++-Q16-12-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick++-devel-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick-Q16-3-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagick3-config-1.3.25-44.1 openSUSE Leap 42.2:libGraphicsMagickWand-Q16-2-1.3.25-44.1 openSUSE Leap 42.2:perl-GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.3:GraphicsMagick-1.3.25-44.1 openSUSE Leap 42.3:GraphicsMagick-devel-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick++-Q16-12-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick++-devel-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick-Q16-3-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagick3-config-1.3.25-44.1 openSUSE Leap 42.3:libGraphicsMagickWand-Q16-2-1.3.25-44.1 openSUSE Leap 42.3:perl-GraphicsMagick-1.3.25-44.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00010.html https://www.suse.com/security/cve/CVE-2017-16669.html CVE-2017-16669 https://bugzilla.suse.com/1067409 SUSE Bug 1067409 https://bugzilla.suse.com/1072898 SUSE Bug 1072898