Security update for ImageMagick SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:3256-1 Final 1 1 2016-12-23T11:22:13Z current 2016-12-23T11:22:13Z 2016-12-23T11:22:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ImageMagick This update for ImageMagick fixes the following issues: * CVE-2016-9556: Possible Heap-overflow found by fuzzing [bsc#1011130] * CVE-2016-9559: Possible Null pointer access found by fuzzing [bsc#1011136] * CVE-2016-8707: Possible code execution in the tiff deflate convert code [bsc#1014159] * CVE-2016-9773: Possible Heap overflow in IsPixelGray [bsc#1013376] * CVE-2016-8866: Possible memory allocation failure in AcquireMagickMemory [bsc#1009318] The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-ImageMagick-12917,slessp4-ImageMagick-12917 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20163256-1/ Link for SUSE-SU-2016:3256-1 https://lists.suse.com/pipermail/sle-security-updates/2016-December/002520.html E-Mail link for SUSE-SU-2016:3256-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1009318 SUSE Bug 1009318 https://bugzilla.suse.com/1011130 SUSE Bug 1011130 https://bugzilla.suse.com/1011136 SUSE Bug 1011136 https://bugzilla.suse.com/1013376 SUSE Bug 1013376 https://bugzilla.suse.com/1014159 SUSE Bug 1014159 https://www.suse.com/security/cve/CVE-2016-7530/ SUSE CVE CVE-2016-7530 page https://www.suse.com/security/cve/CVE-2016-8707/ SUSE CVE CVE-2016-8707 page https://www.suse.com/security/cve/CVE-2016-8866/ SUSE CVE CVE-2016-8866 page https://www.suse.com/security/cve/CVE-2016-9556/ SUSE CVE CVE-2016-9556 page https://www.suse.com/security/cve/CVE-2016-9559/ SUSE CVE CVE-2016-9559 page https://www.suse.com/security/cve/CVE-2016-9773/ SUSE CVE CVE-2016-9773 page SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server for SAP Applications 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4 ImageMagick-6.4.3.6-7.60.1 ImageMagick-devel-6.4.3.6-7.60.1 libMagick++-devel-6.4.3.6-7.60.1 libMagick++1-6.4.3.6-7.60.1 libMagickWand1-6.4.3.6-7.60.1 libMagickWand1-32bit-6.4.3.6-7.60.1 perl-PerlMagick-6.4.3.6-7.60.1 libMagickCore1-6.4.3.6-7.60.1 libMagickCore1-32bit-6.4.3.6-7.60.1 libMagickCore1-6.4.3.6-7.60.1 as a component of SUSE Linux Enterprise Server 11 SP4 libMagickCore1-32bit-6.4.3.6-7.60.1 as a component of SUSE Linux Enterprise Server 11 SP4 libMagickCore1-6.4.3.6-7.60.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libMagickCore1-32bit-6.4.3.6-7.60.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 ImageMagick-6.4.3.6-7.60.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 ImageMagick-devel-6.4.3.6-7.60.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 libMagick++-devel-6.4.3.6-7.60.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 libMagick++1-6.4.3.6-7.60.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 libMagickWand1-6.4.3.6-7.60.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 libMagickWand1-32bit-6.4.3.6-7.60.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 perl-PerlMagick-6.4.3.6-7.60.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 The quantum handling code in ImageMagick allows remote attackers to cause a denial of service (divide-by-zero error or out-of-bounds write) via a crafted file. CVE-2016-7530 SUSE Linux Enterprise Server 11 SP4:libMagickCore1-32bit-6.4.3.6-7.60.1 SUSE Linux Enterprise Server 11 SP4:libMagickCore1-6.4.3.6-7.60.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libMagickCore1-32bit-6.4.3.6-7.60.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libMagickCore1-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:ImageMagick-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:ImageMagick-devel-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagick++-devel-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagick++1-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagickWand1-32bit-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagickWand1-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:perl-PerlMagick-6.4.3.6-7.60.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163256-1/ https://www.suse.com/security/cve/CVE-2016-7530.html CVE-2016-7530 https://bugzilla.suse.com/1000399 SUSE Bug 1000399 https://bugzilla.suse.com/1000703 SUSE Bug 1000703 https://bugzilla.suse.com/1054924 SUSE Bug 1054924 An exploitable out of bounds write exists in the handling of compressed TIFF images in ImageMagicks's convert utility. A crafted TIFF document can lead to an out of bounds write which in particular circumstances could be leveraged into remote code execution. The vulnerability can be triggered through any user controlled TIFF that is handled by this functionality. CVE-2016-8707 SUSE Linux Enterprise Server 11 SP4:libMagickCore1-32bit-6.4.3.6-7.60.1 SUSE Linux Enterprise Server 11 SP4:libMagickCore1-6.4.3.6-7.60.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libMagickCore1-32bit-6.4.3.6-7.60.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libMagickCore1-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:ImageMagick-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:ImageMagick-devel-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagick++-devel-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagick++1-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagickWand1-32bit-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagickWand1-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:perl-PerlMagick-6.4.3.6-7.60.1 moderate 6 AV:N/AC:M/Au:S/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163256-1/ https://www.suse.com/security/cve/CVE-2016-8707.html CVE-2016-8707 https://bugzilla.suse.com/1014159 SUSE Bug 1014159 The AcquireMagickMemory function in MagickCore/memory.c in ImageMagick 7.0.3.3 before 7.0.3.8 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8862. CVE-2016-8866 SUSE Linux Enterprise Server 11 SP4:libMagickCore1-32bit-6.4.3.6-7.60.1 SUSE Linux Enterprise Server 11 SP4:libMagickCore1-6.4.3.6-7.60.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libMagickCore1-32bit-6.4.3.6-7.60.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libMagickCore1-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:ImageMagick-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:ImageMagick-devel-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagick++-devel-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagick++1-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagickWand1-32bit-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagickWand1-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:perl-PerlMagick-6.4.3.6-7.60.1 moderate 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163256-1/ https://www.suse.com/security/cve/CVE-2016-8866.html CVE-2016-8866 https://bugzilla.suse.com/1007245 SUSE Bug 1007245 https://bugzilla.suse.com/1009318 SUSE Bug 1009318 https://bugzilla.suse.com/1031267 SUSE Bug 1031267 The IsPixelGray function in MagickCore/pixel-accessor.h in ImageMagick 7.0.3-8 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted image file. CVE-2016-9556 SUSE Linux Enterprise Server 11 SP4:libMagickCore1-32bit-6.4.3.6-7.60.1 SUSE Linux Enterprise Server 11 SP4:libMagickCore1-6.4.3.6-7.60.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libMagickCore1-32bit-6.4.3.6-7.60.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libMagickCore1-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:ImageMagick-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:ImageMagick-devel-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagick++-devel-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagick++1-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagickWand1-32bit-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagickWand1-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:perl-PerlMagick-6.4.3.6-7.60.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163256-1/ https://www.suse.com/security/cve/CVE-2016-9556.html CVE-2016-9556 https://bugzilla.suse.com/1011130 SUSE Bug 1011130 https://bugzilla.suse.com/1013376 SUSE Bug 1013376 coders/tiff.c in ImageMagick before 7.0.3.7 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted image. CVE-2016-9559 SUSE Linux Enterprise Server 11 SP4:libMagickCore1-32bit-6.4.3.6-7.60.1 SUSE Linux Enterprise Server 11 SP4:libMagickCore1-6.4.3.6-7.60.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libMagickCore1-32bit-6.4.3.6-7.60.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libMagickCore1-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:ImageMagick-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:ImageMagick-devel-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagick++-devel-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagick++1-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagickWand1-32bit-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagickWand1-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:perl-PerlMagick-6.4.3.6-7.60.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163256-1/ https://www.suse.com/security/cve/CVE-2016-9559.html CVE-2016-9559 https://bugzilla.suse.com/1011136 SUSE Bug 1011136 Heap-based buffer overflow in the IsPixelGray function in MagickCore/pixel-accessor.h in ImageMagick 7.0.3.8 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted image file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9556. CVE-2016-9773 SUSE Linux Enterprise Server 11 SP4:libMagickCore1-32bit-6.4.3.6-7.60.1 SUSE Linux Enterprise Server 11 SP4:libMagickCore1-6.4.3.6-7.60.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libMagickCore1-32bit-6.4.3.6-7.60.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libMagickCore1-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:ImageMagick-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:ImageMagick-devel-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagick++-devel-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagick++1-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagickWand1-32bit-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagickWand1-6.4.3.6-7.60.1 SUSE Linux Enterprise Software Development Kit 11 SP4:perl-PerlMagick-6.4.3.6-7.60.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163256-1/ https://www.suse.com/security/cve/CVE-2016-9773.html CVE-2016-9773 https://bugzilla.suse.com/1011130 SUSE Bug 1011130 https://bugzilla.suse.com/1013376 SUSE Bug 1013376 https://bugzilla.suse.com/1017421 SUSE Bug 1017421