Security update for ImageMagick SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:1276-1 Final 1 1 2021-04-20T12:32:54Z current 2021-04-20T12:32:54Z 2021-04-20T12:32:54Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ImageMagick This update for ImageMagick fixes the following issues: - CVE-2021-20309: Division by zero in WaveImage() of MagickCore/visual-effects. (bsc#1184624) - CVE-2021-20311: Division by zero in sRGBTransformImage() in MagickCore/colorspace.c (bsc#1184626) - CVE-2021-20312: Integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c (bsc#1184627) - CVE-2021-20313: Cipher leak when the calculating signatures in TransformSignatureof MagickCore/signature.c (bsc#1184628) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-1276,SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1276,SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-1276,SUSE-SLE-Module-Development-Tools-15-SP2-2021-1276,SUSE-SLE-Module-Development-Tools-15-SP3-2021-1276 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20211276-1/ Link for SUSE-SU-2021:1276-1 https://lists.suse.com/pipermail/sle-security-updates/2021-April/008667.html E-Mail link for SUSE-SU-2021:1276-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1184624 SUSE Bug 1184624 https://bugzilla.suse.com/1184626 SUSE Bug 1184626 https://bugzilla.suse.com/1184627 SUSE Bug 1184627 https://bugzilla.suse.com/1184628 SUSE Bug 1184628 https://www.suse.com/security/cve/CVE-2021-20309/ SUSE CVE CVE-2021-20309 page https://www.suse.com/security/cve/CVE-2021-20311/ SUSE CVE CVE-2021-20311 page https://www.suse.com/security/cve/CVE-2021-20312/ SUSE CVE CVE-2021-20312 page https://www.suse.com/security/cve/CVE-2021-20313/ SUSE CVE CVE-2021-20313 page SUSE Linux Enterprise Module for Desktop Applications 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP2 ImageMagick-7.0.7.34-10.15.1 ImageMagick-config-7-SUSE-7.0.7.34-10.15.1 ImageMagick-config-7-upstream-7.0.7.34-10.15.1 ImageMagick-devel-7.0.7.34-10.15.1 ImageMagick-devel-32bit-7.0.7.34-10.15.1 ImageMagick-devel-64bit-7.0.7.34-10.15.1 ImageMagick-doc-7.0.7.34-10.15.1 ImageMagick-extra-7.0.7.34-10.15.1 libMagick++-7_Q16HDRI4-7.0.7.34-10.15.1 libMagick++-7_Q16HDRI4-32bit-7.0.7.34-10.15.1 libMagick++-7_Q16HDRI4-64bit-7.0.7.34-10.15.1 libMagick++-devel-7.0.7.34-10.15.1 libMagick++-devel-32bit-7.0.7.34-10.15.1 libMagick++-devel-64bit-7.0.7.34-10.15.1 libMagickCore-7_Q16HDRI6-7.0.7.34-10.15.1 libMagickCore-7_Q16HDRI6-32bit-7.0.7.34-10.15.1 libMagickCore-7_Q16HDRI6-64bit-7.0.7.34-10.15.1 libMagickWand-7_Q16HDRI6-7.0.7.34-10.15.1 libMagickWand-7_Q16HDRI6-32bit-7.0.7.34-10.15.1 libMagickWand-7_Q16HDRI6-64bit-7.0.7.34-10.15.1 perl-PerlMagick-7.0.7.34-10.15.1 ImageMagick-7.0.7.34-10.15.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2 ImageMagick-config-7-SUSE-7.0.7.34-10.15.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2 ImageMagick-config-7-upstream-7.0.7.34-10.15.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2 ImageMagick-devel-7.0.7.34-10.15.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2 libMagick++-7_Q16HDRI4-7.0.7.34-10.15.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2 libMagick++-devel-7.0.7.34-10.15.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2 libMagickCore-7_Q16HDRI6-7.0.7.34-10.15.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2 libMagickWand-7_Q16HDRI6-7.0.7.34-10.15.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2 perl-PerlMagick-7.0.7.34-10.15.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to system availability. CVE-2021-20309 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:ImageMagick-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:ImageMagick-config-7-SUSE-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:ImageMagick-config-7-upstream-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:ImageMagick-devel-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libMagick++-7_Q16HDRI4-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libMagick++-devel-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libMagickCore-7_Q16HDRI6-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libMagickWand-7_Q16HDRI6-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:perl-PerlMagick-7.0.7.34-10.15.1 moderate 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211276-1/ https://www.suse.com/security/cve/CVE-2021-20309.html CVE-2021-20309 https://bugzilla.suse.com/1184624 SUSE Bug 1184624 A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in sRGBTransformImage() in the MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker processed by an application using ImageMagick. The highest threat from this vulnerability is to system availability. CVE-2021-20311 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:ImageMagick-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:ImageMagick-config-7-SUSE-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:ImageMagick-config-7-upstream-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:ImageMagick-devel-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libMagick++-7_Q16HDRI4-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libMagick++-devel-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libMagickCore-7_Q16HDRI6-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libMagickWand-7_Q16HDRI6-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:perl-PerlMagick-7.0.7.34-10.15.1 moderate 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211276-1/ https://www.suse.com/security/cve/CVE-2021-20311.html CVE-2021-20311 https://bugzilla.suse.com/1184626 SUSE Bug 1184626 A flaw was found in ImageMagick in versions 7.0.11, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this vulnerability is to system availability. CVE-2021-20312 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:ImageMagick-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:ImageMagick-config-7-SUSE-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:ImageMagick-config-7-upstream-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:ImageMagick-devel-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libMagick++-7_Q16HDRI4-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libMagick++-devel-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libMagickCore-7_Q16HDRI6-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libMagickWand-7_Q16HDRI6-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:perl-PerlMagick-7.0.7.34-10.15.1 moderate 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211276-1/ https://www.suse.com/security/cve/CVE-2021-20312.html CVE-2021-20312 https://bugzilla.suse.com/1184627 SUSE Bug 1184627 A flaw was found in ImageMagick in versions before 7.0.11. A potential cipher leak when the calculate signatures in TransformSignature is possible. The highest threat from this vulnerability is to data confidentiality. CVE-2021-20313 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:ImageMagick-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:ImageMagick-config-7-SUSE-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:ImageMagick-config-7-upstream-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:ImageMagick-devel-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libMagick++-7_Q16HDRI4-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libMagick++-devel-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libMagickCore-7_Q16HDRI6-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libMagickWand-7_Q16HDRI6-7.0.7.34-10.15.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:perl-PerlMagick-7.0.7.34-10.15.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211276-1/ https://www.suse.com/security/cve/CVE-2021-20313.html CVE-2021-20313 https://bugzilla.suse.com/1184628 SUSE Bug 1184628