Security update for ImageMagick

SUSE Security Update: Security update for ImageMagick
Announcement ID: SUSE-SU-2018:1129-1
Rating: moderate
References: #1047356 #1086773 #1086782 #1087027 #1087033 #1087037 #1089781
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 11-SP4
  • SUSE Linux Enterprise Server 11-SP4
  • SUSE Linux Enterprise Debuginfo 11-SP4

  • An update that fixes 8 vulnerabilities is now available.

    Description:

    This update for ImageMagick fixes the following issues:


    - security update (png.c)
    * CVE-2018-9018: divide-by-zero in the ReadMNGImage function of
    coders/png.c. Attackers could leverage this vulnerability to cause a
    crash and denial of service via a crafted mng file. [bsc#1086773]
    * CVE-2018-10177: there is an infinite loop in the
    ReadOneMNGImagefunction of the coders/png.c file. Remote attackers
    could leverage thisvulnerability to cause a denial of service
    (bsc#1089781)

    - security update (wand)
    * CVE-2017-18252: The MogrifyImageList function in MagickWand/mogrify.c
    could allow attackers to cause a denial of service via a crafted file.
    [bsc#1087033]

    - security update (gif.c)
    * CVE-2017-18254: A memory leak vulnerability was found in the function
    WriteGIFImage in coders/gif.c, which could lead to denial of service
    via a crafted file. [bsc#1087027]

    - security update (core)
    * CVE-2017-10928: a heap-based buffer over-read in the GetNextToken
    function in token.c could allow attackers to obtain sensitive
    information from process memory or possibly have unspecified other
    impact via a crafted SVG document that is mishandled in the
    GetUserSpaceCoordinateValue function in coders/svg.c. [bsc#1047356]

    - security update (pcd.c)
    * CVE-2017-18251: A memory leak vulnerability was found in the function
    ReadPCDImage in coders/pcd.c, which could lead to a denial of service
    via a crafted file. [bsc#1087037]

    - security update (gif.c)
    * CVE-2017-18254: A memory leak vulnerability was found in the function
    WriteGIFImage in coders/gif.c, which could lead to denial of service
    via a crafted file. [bsc#1087027]

    - security update (tiff.c)
    * CVE-2018-8960: The ReadTIFFImage function in coders/tiff.c in
    ImageMagick memory allocation issue could lead to denial of service
    (bsc#1086782)

    Patch Instructions:

    To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Software Development Kit 11-SP4:
      zypper in -t patch sdksp4-ImageMagick-13586=1
    • SUSE Linux Enterprise Server 11-SP4:
      zypper in -t patch slessp4-ImageMagick-13586=1
    • SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-ImageMagick-13586=1

    Package List:

    • SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      • ImageMagick-6.4.3.6-78.45.1
      • ImageMagick-devel-6.4.3.6-78.45.1
      • libMagick++-devel-6.4.3.6-78.45.1
      • libMagick++1-6.4.3.6-78.45.1
      • libMagickWand1-6.4.3.6-78.45.1
      • perl-PerlMagick-6.4.3.6-78.45.1
    • SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):
      • libMagickWand1-32bit-6.4.3.6-78.45.1
    • SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      • libMagickCore1-6.4.3.6-78.45.1
    • SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):
      • libMagickCore1-32bit-6.4.3.6-78.45.1
    • SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      • ImageMagick-debuginfo-6.4.3.6-78.45.1
      • ImageMagick-debugsource-6.4.3.6-78.45.1

    References: