openSUSE-SU-2017:0391

openSUSE-SU-2017:0399

[oss-security] 20161226 Re: CVE requests for various ImageMagick issues

95185

https://bugzilla.redhat.com/show_bug.cgi?id=1410454

https://github.com/ImageMagick/ImageMagick/commit/139d4323c40d7363bfdd2382c3821a6f76d69430

https://github.com/ImageMagick/ImageMagick/commit/73fb0aac5b958521e1511e179ecc0ad49f70ebaf

This update for ImageMagick fixes the following issues: This security issue was fixed :

  - CVE-2017-7941: The ReadSGIImage function in sgi.c     allowed remote attackers to consume an amount of     available memory via a crafted file (bsc#1034876).

  - CVE-2017-8351: ImageMagick, GraphicsMagick: denial of     service (memory leak) via a crafted file (ReadPCDImage     func in pcd.c) (bsc#1036986).

  - CVE-2017-8352: denial of service (memory leak) via a     crafted file (ReadXWDImage func in xwd.c) (bsc#1036987)

  - CVE-2017-8349: denial of service (memory leak) via a     crafted file (ReadSFWImage func in sfw.c) (bsc#1036984)

  - CVE-2017-8350: denial of service (memory leak) via a     crafted file (ReadJNGImage function in png.c)     (bsc#1036985)

  - CVE-2017-8345: denial of service (memory leak) via a     crafted file (ReadMNGImage func in png.c) (bsc#1036980)

  - CVE-2017-8346: denial of service (memory leak) via a     crafted file (ReadDCMImage func in dcm.c) (bsc#1036981)

  - CVE-2017-8353: denial of service (memory leak) via a     crafted file (ReadPICTImage func in pict.c)     (bsc#1036988)

  - CVE-2017-8830: denial of service (memory leak) via a     crafted file (ReadBMPImage func in bmp.c:1379)     (bsc#1038000)

  - CVE-2017-7606: denial of service (application crash) or     possibly have unspecified other impact via a crafted     image (bsc#1033091)

  - CVE-2017-8765: memory leak vulnerability via a crafted     ICON file (ReadICONImage in coders\icon.c) (bsc#1037527)

  - CVE-2017-8355: denial of service (memory leak) via a     crafted file (ReadMTVImage func in mtv.c) (bsc#1036990)

  - CVE-2017-8344: denial of service (memory leak) via a     crafted file (ReadPCXImage func in pcx.c) (bsc#1036978)

  - CVE-2017-9098: uninitialized memory usage in the     ReadRLEImage RLE decoder function coders/rle.c     (bsc#1040025)

  - CVE-2017-9141: Missing checks in the ReadDDSImage     function in coders/dds.c could lead to a denial of     service (assertion) (bsc#1040303)

  - CVE-2017-9142: Missing checks in theReadOneJNGImage     function in coders/png.c could lead to denial of service     (assertion) (bsc#1040304)

  - CVE-2017-9143: A possible denial of service attack via     crafted .art file in ReadARTImage function in     coders/art.c (bsc#1040306)

  - CVE-2017-9144: A crafted RLE image can trigger a crash     in coders/rle.c could lead to a denial of service     (crash) (bsc#1040332)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ImageMagick fixes the following issues :

  - CVE-2016-10046: Prevent buffer overflow in draw.c caused     by an incorrect length calculation (bsc#1017308)

  - CVE-2016-10048: Arbitrary module could have been load     because relative path were not escaped (bsc#1017310)

  - CVE-2016-10049: Corrupt RLE files could have overflowed     a buffer due to a incorrect length calculation     (bsc#1017311)

  - CVE-2016-10050: Corrupt RLE files could have overflowed     a heap buffer due to a missing offset check     (bsc#1017312)

  - CVE-2016-10051: Fixed use after free when reading PWP     files (bsc#1017313)

  - CVE-2016-10052: Added bound check to exif parsing of     JPEG files (bsc#1017314)

  - CVE-2016-10059: Unchecked calculation when reading TIFF     files could have lead to a buffer overflow (bsc#1017318)

  - CVE-2016-10060: Improved error handling when writing     files to not mask errors (bsc#1017319)

  - CVE-2016-10061: Improved error handling when writing     files to not mask errors (bsc#1017319).

  - CVE-2016-10062: Improved error handling when writing     files to not mask errors (bsc#1017319).

  - CVE-2016-10063: Check validity of extend during TIFF     file reading (bsc#1017320)

  - CVE-2016-10064: Improved checks for buffer overflow when     reading TIFF files (bsc#1017321)

  - CVE-2016-10065: Unchecked calculations when reading VIFF     files could have lead to out of bound reads     (bsc#1017322)

  - CVE-2016-10068: Prevent NULL pointer access when using     the MSL interpreter (bsc#1017324)

  - CVE-2016-10069: Add check for invalid mat file     (bsc#1017325).

  - CVE-2016-10070: Prevent allocating the wrong amount of     memory when reading mat files (bsc#1017326)

  - CVE-2016-10071: Prevent allocating the wrong amount of     memory when reading mat files (bsc#1017326)

  - CVE-2016-10144: Added a check after allocating memory     when parsing IPL files (bsc#1020433)

  - CVE-2016-10145: Fixed of-by-one in string copy operation     when parsing WPG files (bsc#1020435)

  - CVE-2016-10146: Captions and labels were handled     incorrectly, causing a memory leak that could have lead     to DoS (bsc#1020443)

  - CVE-2017-5506: Missing offset check leading to a     double-free (bsc#1020436)

  - CVE-2017-5507: Fixed a memory leak when reading MPC     files allowing for DoS (bsc#1020439)

  - CVE-2017-5508: Increase the amount of memory allocated     for TIFF pixels to prevent a heap buffer-overflow     (bsc#1020441)

  - CVE-2017-5510: Prevent out-of-bounds write when reading     PSD files (bsc#1020446).

  - CVE-2017-5511: A missing cast when reading PSD files     could have caused memory corruption by a heap overflow     (bsc#1020448)

This update removes the fix for CVE-2016-9773. ImageMagick-6 was not affected by CVE-2016-9773 and it caused a regression (at least in GraphicsMagick) (bsc#1017421).

This update was imported from the SUSE:SLE-12:Update update project.

This update for ImageMagick fixes the following issues :

  - CVE-2016-10046: Prevent buffer overflow in draw.c caused     by an incorrect length calculation (bsc#1017308)

  - CVE-2016-10048: Arbitrary module could have been load     because relative path were not escaped (bsc#1017310)

  - CVE-2016-10049: Corrupt RLE files could have overflowed     a buffer due to a incorrect length calculation     (bsc#1017311)

  - CVE-2016-10050: Corrupt RLE files could have overflowed     a heap buffer due to a missing offset check     (bsc#1017312)

  - CVE-2016-10051: Fixed use after free when reading PWP     files (bsc#1017313)

  - CVE-2016-10052: Added bound check to exif parsing of     JPEG files (bsc#1017314).

  - CVE-2016-10059: Unchecked calculation when reading TIFF     files could have lead to a buffer overflow (bsc#1017318)

  - CVE-2016-10060: Improved error handling when writing     files to not mask errors (bsc#1017319).

  - CVE-2016-10063: Check validity of extend during TIFF     file reading (bsc#1017320).

  - CVE-2016-10064: Improved checks for buffer overflow when     reading TIFF files (bsc#1017321)

  - CVE-2016-10065: Unchecked calculations when reading VIFF     files could have lead to out of bound reads     (bsc#1017322)

  - CVE-2016-10068: Prevent NULL pointer access when using     the MSL interpreter (bsc#1017324)

  - CVE-2016-10070: Prevent allocating the wrong amount of     memory when reading mat files (bsc#1017326)

  - CVE-2016-10071: Prevent allocating the wrong amount of     memory when reading mat files (bsc#1017326).

  - CVE-2016-10144: Added a check after allocating memory     when parsing IPL files (bsc#1020433).

  - CVE-2016-10145: Fixed of-by-one in string copy operation     when parsing WPG files (bsc#1020435).

  - CVE-2016-10146: Captions and labels were handled     incorrectly, causing a memory leak that could have lead     to DoS (bsc#1020443)

  - CVE-2017-5506: Missing offset check leading to a     double-free (bsc#1020436).

  - CVE-2017-5507: Fixed a memory leak when reading MPC     files allowing for DoS (bsc#1020439).

  - CVE-2017-5508: Increase the amount of memory allocated     for TIFF pixels to prevent a heap buffer-overflow     (bsc#1020441).

  - CVE-2017-5511: A missing cast when reading PSD files     could have caused memory corruption by a heap overflow     (bsc#1020448) This update removes the fix for     CVE-2016-9773. ImageMagick-6 was not affected by     CVE-2016-9773 and it caused a regression (at least in     GraphicsMagick) (bsc#1017421).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ImageMagick fixes the following issues :

  - CVE-2016-10046: Prevent buffer overflow in draw.c caused     by an incorrect length calculation (bsc#1017308)

  - CVE-2016-10048: Arbitrary module could have been load     because relative path were not escaped (bsc#1017310)

  - CVE-2016-10049: Corrupt RLE files could have overflowed     a buffer due to a incorrect length calculation     (bsc#1017311)

  - CVE-2016-10050: Corrupt RLE files could have overflowed     a heap buffer due to a missing offset check     (bsc#1017312)

  - CVE-2016-10051: Fixed use after free when reading PWP     files (bsc#1017313)

  - CVE-2016-10052: Added bound check to exif parsing of     JPEG files (bsc#1017314)

  - CVE-2016-10059: Unchecked calculation when reading TIFF     files could have lead to a buffer overflow (bsc#1017318)

  - CVE-2016-10060: Improved error handling when writing     files to not mask errors (bsc#1017319)

  - CVE-2016-10061: Improved error handling when writing     files to not mask errors (bsc#1017319).

  - CVE-2016-10062: Improved error handling when writing     files to not mask errors (bsc#1017319).

  - CVE-2016-10063: Check validity of extend during TIFF     file reading (bsc#1017320)

  - CVE-2016-10064: Improved checks for buffer overflow when     reading TIFF files (bsc#1017321)

  - CVE-2016-10065: Unchecked calculations when reading VIFF     files could have lead to out of bound reads     (bsc#1017322)

  - CVE-2016-10068: Prevent NULL pointer access when using     the MSL interpreter (bsc#1017324)

  - CVE-2016-10069: Add check for invalid mat file     (bsc#1017325).

  - CVE-2016-10070: Prevent allocating the wrong amount of     memory when reading mat files (bsc#1017326)

  - CVE-2016-10071: Prevent allocating the wrong amount of     memory when reading mat files (bsc#1017326)

  - CVE-2016-10144: Added a check after allocating memory     when parsing IPL files (bsc#1020433)

  - CVE-2016-10145: Fixed of-by-one in string copy operation     when parsing WPG files (bsc#1020435)

  - CVE-2016-10146: Captions and labels were handled     incorrectly, causing a memory leak that could have lead     to DoS (bsc#1020443)

  - CVE-2017-5506: Missing offset check leading to a     double-free (bsc#1020436)

  - CVE-2017-5507: Fixed a memory leak when reading MPC     files allowing for DoS (bsc#1020439)

  - CVE-2017-5508: Increase the amount of memory allocated     for TIFF pixels to prevent a heap buffer-overflow     (bsc#1020441)

  - CVE-2017-5510: Prevent out-of-bounds write when reading     PSD files (bsc#1020446).

  - CVE-2017-5511: A missing cast when reading PSD files     could have caused memory corruption by a heap overflow     (bsc#1020448) This update removes the fix for     CVE-2016-9773. ImageMagick-6 was not affected by     CVE-2016-9773 and it caused a regression (at least in     GraphicsMagick) (bsc#1017421).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for GraphicsMagick fixes several issues.

These security issues were fixed :

  - CVE-2016-10048: Arbitrary module could have been load     because relative path were not escaped (bsc#1017310)

  - CVE-2016-10050: Corrupt RLE files could have overflowed     a heap buffer due to a missing offset check     (bsc#1017312)

  - CVE-2016-10051: Fixed use after free when reading PWP     files (bsc#1017313)

  - CVE-2016-10052: Added bound check to exif parsing of     JPEG files (bsc#1017314)

  - CVE-2016-10059: Unchecked calculation when reading TIFF     files could have lead to a buffer overflow (bsc#1017318)

  - CVE-2016-10064: Improved checks for buffer overflow when     reading TIFF files (bsc#1017321)

  - CVE-2016-10065: Unchecked calculations when reading VIFF     files could have lead to out of bound reads     (bsc#1017322)

  - CVE-2016-10068: Prevent NULL pointer access when using     the MSL interpreter (bsc#1017324)

  - CVE-2016-10069: Add check for invalid mat file     (bsc#1017325).

  - CVE-2016-10070: Prevent allocating the wrong amount of     memory when reading mat files (bsc#1017326)

  - CVE-2016-10146: Captions and labels were handled     incorrectly, causing a memory leak that could have lead     to DoS (bsc#1020443)

  - CVE-2017-5511: A missing cast when reading PSD files     could have caused memory corruption by a heap overflow     (bsc#1020448)

This update for GraphicsMagick fixes several issues.

These security issues were fixed :

  - CVE-2016-10048: Arbitrary module could have been load     because relative path were not escaped (bsc#1017310)

  - CVE-2016-10050: Corrupt RLE files could have overflowed     a heap buffer due to a missing offset check     (bsc#1017312)

  - CVE-2016-10051: Fixed use after free when reading PWP     files (bsc#1017313)

  - CVE-2016-10052: Added bound check to exif parsing of     JPEG files (bsc#1017314)

  - CVE-2016-10068: Prevent NULL pointer access when using     the MSL interpreter (bsc#1017324)

  - CVE-2016-10070: Prevent allocating the wrong amount of     memory when reading mat files (bsc#1017326)

  - CVE-2016-10146: Captions and labels were handled     incorrectly, causing a memory leak that could have lead     to DoS (bsc#1020443)

  - CVE-2017-5511: A missing cast when reading PSD files     could have caused memory corruption by a heap overflow     (bsc#1020448)

The remote Windows host has a version of ImageMagick installed that is 7.x prior to 7.0.1-10. It is, therefore, affected by the following vulnerabilities :

  - An overflow condition exists in the ReadRLEImage()     function in rle.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this, by convincing a user to open a     specially crafted RLE image, to cause a heap-based     buffer overflow, resulting in a denial of service     condition or the execution of arbitrary code.
    (CVE-2016-10050)

  - An unspecified flaw exists in the ConcatenateImages()     function in magick-cli.c that is triggered when handling     return values. An unauthenticated, remote attacker can     exploit this to have an unspecified impact.
    (CVE-2016-10060)

  - An unspecified flaw exists in the ReadGROUP4Image()     function in tiff.c that is triggered when handling     return values. An unauthenticated, remote attacker can     exploit this to have an unspecified impact.
    (CVE-2016-10061)     
  - An unspecified flaw exists in the ReadGROUP4Image()     function in tiff.c that is triggered when handling     fwrite errors. An unauthenticated, remote attacker can     exploit this to have an unspecified impact.
    (CVE-2016-10062)

  - A flaw exists in pes.c due to improper handling of PES     blocks. An unauthenticated, remote attacker can exploit     this to cause a process linked against the library to     crash, resulting in a denial of service condition.

ID	Name	Product	Family	Severity
100908	SUSE SLES11 Security Update : ImageMagick (SUSE-SU-2017:1599-1)	Nessus	SuSE Local Security Checks	critical
97562	openSUSE Security Update : ImageMagick (openSUSE-2017-303)	Nessus	SuSE Local Security Checks	critical
97495	SUSE SLES11 Security Update : ImageMagick (SUSE-SU-2017:0586-1)	Nessus	SuSE Local Security Checks	critical
97317	SUSE SLED12 / SLES12 Security Update : ImageMagick (SUSE-SU-2017:0529-1)	Nessus	SuSE Local Security Checks	critical
97075	openSUSE Security Update : GraphicsMagick (openSUSE-2017-214)	Nessus	SuSE Local Security Checks	critical
97073	openSUSE Security Update : GraphicsMagick (openSUSE-2017-212)	Nessus	SuSE Local Security Checks	critical
91763	ImageMagick 7.x < 7.0.1-10 Multiple Vulnerabilities	Nessus	Windows	high

CVE-2016-10050

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

critical

critical

critical

critical

critical

high