Security update for GraphicsMagick SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:0328-1 Final 1 1 2018-01-31T20:27:38Z current 2018-01-31T20:27:38Z 2018-01-31T20:27:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for GraphicsMagick This update for GraphicsMagick fixes several issues. These security issues were fixed: - CVE-2017-13065: Prevent NULL pointer dereference in the function SVGStartElement (bsc#1055038) - CVE-2018-5685: Prevent infinite loop and application hang in the ReadBMPImage function. Remote attackers could leverage this vulnerability to cause a denial of service via an image file with a crafted bit-field mask value (bsc#1075939) - CVE-2017-18029: Prevent memory leak in the function ReadMATImage which allowed remote attackers to cause a denial of service via a crafted file (bsc#1076021). - CVE-2017-18027: Prevent memory leak vulnerability in the function ReadMATImage which allowed remote attackers to cause a denial of service via a crafted file (bsc#1076051). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2018-02/msg00000.html E-Mail link for openSUSE-SU-2018:0328-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 GraphicsMagick-1.3.25-63.1 GraphicsMagick-devel-1.3.25-63.1 libGraphicsMagick++-Q16-12-1.3.25-63.1 libGraphicsMagick++-devel-1.3.25-63.1 libGraphicsMagick-Q16-3-1.3.25-63.1 libGraphicsMagick3-config-1.3.25-63.1 libGraphicsMagickWand-Q16-2-1.3.25-63.1 perl-GraphicsMagick-1.3.25-63.1 GraphicsMagick-1.3.25-63.1 as a component of openSUSE Leap 42.3 GraphicsMagick-devel-1.3.25-63.1 as a component of openSUSE Leap 42.3 libGraphicsMagick++-Q16-12-1.3.25-63.1 as a component of openSUSE Leap 42.3 libGraphicsMagick++-devel-1.3.25-63.1 as a component of openSUSE Leap 42.3 libGraphicsMagick-Q16-3-1.3.25-63.1 as a component of openSUSE Leap 42.3 libGraphicsMagick3-config-1.3.25-63.1 as a component of openSUSE Leap 42.3 libGraphicsMagickWand-Q16-2-1.3.25-63.1 as a component of openSUSE Leap 42.3 perl-GraphicsMagick-1.3.25-63.1 as a component of openSUSE Leap 42.3 GraphicsMagick 1.3.26 has a heap-based buffer overflow vulnerability in the function GetStyleTokens in coders/svg.c:314:12. CVE-2017-13063 openSUSE Leap 42.3:GraphicsMagick-1.3.25-63.1 openSUSE Leap 42.3:GraphicsMagick-devel-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick++-Q16-12-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick++-devel-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick-Q16-3-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick3-config-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagickWand-Q16-2-1.3.25-63.1 openSUSE Leap 42.3:perl-GraphicsMagick-1.3.25-63.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-02/msg00000.html https://www.suse.com/security/cve/CVE-2017-13063.html CVE-2017-13063 https://bugzilla.suse.com/1054598 SUSE Bug 1054598 https://bugzilla.suse.com/1054600 SUSE Bug 1054600 https://bugzilla.suse.com/1055038 SUSE Bug 1055038 https://bugzilla.suse.com/1055050 SUSE Bug 1055050 GraphicsMagick 1.3.26 has a NULL pointer dereference vulnerability in the function SVGStartElement in coders/svg.c. CVE-2017-13065 openSUSE Leap 42.3:GraphicsMagick-1.3.25-63.1 openSUSE Leap 42.3:GraphicsMagick-devel-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick++-Q16-12-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick++-devel-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick-Q16-3-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick3-config-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagickWand-Q16-2-1.3.25-63.1 openSUSE Leap 42.3:perl-GraphicsMagick-1.3.25-63.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-02/msg00000.html https://www.suse.com/security/cve/CVE-2017-13065.html CVE-2017-13065 https://bugzilla.suse.com/1054598 SUSE Bug 1054598 https://bugzilla.suse.com/1054600 SUSE Bug 1054600 https://bugzilla.suse.com/1055038 SUSE Bug 1055038 In ImageMagick 7.0.7-1 Q16, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allow remote attackers to cause a denial of service via a crafted file. CVE-2017-18027 openSUSE Leap 42.3:GraphicsMagick-1.3.25-63.1 openSUSE Leap 42.3:GraphicsMagick-devel-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick++-Q16-12-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick++-devel-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick-Q16-3-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick3-config-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagickWand-Q16-2-1.3.25-63.1 openSUSE Leap 42.3:perl-GraphicsMagick-1.3.25-63.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-02/msg00000.html https://www.suse.com/security/cve/CVE-2017-18027.html CVE-2017-18027 https://bugzilla.suse.com/1076051 SUSE Bug 1076051 In ImageMagick 7.0.6-10 Q16, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allow remote attackers to cause a denial of service via a crafted file. CVE-2017-18029 openSUSE Leap 42.3:GraphicsMagick-1.3.25-63.1 openSUSE Leap 42.3:GraphicsMagick-devel-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick++-Q16-12-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick++-devel-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick-Q16-3-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick3-config-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagickWand-Q16-2-1.3.25-63.1 openSUSE Leap 42.3:perl-GraphicsMagick-1.3.25-63.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-02/msg00000.html https://www.suse.com/security/cve/CVE-2017-18029.html CVE-2017-18029 https://bugzilla.suse.com/1076021 SUSE Bug 1076021 https://bugzilla.suse.com/1076051 SUSE Bug 1076051 In GraphicsMagick 1.3.27, there is an infinite loop and application hang in the ReadBMPImage function (coders/bmp.c). Remote attackers could leverage this vulnerability to cause a denial of service via an image file with a crafted bit-field mask value. CVE-2018-5685 openSUSE Leap 42.3:GraphicsMagick-1.3.25-63.1 openSUSE Leap 42.3:GraphicsMagick-devel-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick++-Q16-12-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick++-devel-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick-Q16-3-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagick3-config-1.3.25-63.1 openSUSE Leap 42.3:libGraphicsMagickWand-Q16-2-1.3.25-63.1 openSUSE Leap 42.3:perl-GraphicsMagick-1.3.25-63.1 important Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-02/msg00000.html https://www.suse.com/security/cve/CVE-2018-5685.html CVE-2018-5685 https://bugzilla.suse.com/1075939 SUSE Bug 1075939