[oss-security] 20161201 imagemagick: heap-based buffer overflow in IsPixelGray (pixel-accessor.h) (Incomplete fix for CVE-2016-9556)

[oss-security] 20161202 Re: imagemagick: heap-based buffer overflow in IsPixelGray (pixel-accessor.h) (Incomplete fix for CVE-2016-9556)

[oss-security] 20161202 Re: Re: imagemagick: heap-based buffer overflow in IsPixelGray (pixel-accessor.h) (Incomplete fix for CVE-2016-9556)

https://blogs.gentoo.org/ago/2016/12/01/imagemagick-heap-based-buffer-overflow-in-ispixelgray-pixel-accessor-h-incomplete-fix-for-cve-2016-9556/

This update for ImageMagick fixes the following issues :

  - CVE-2016-10046: Prevent buffer overflow in draw.c caused     by an incorrect length calculation (bsc#1017308)

  - CVE-2016-10048: Arbitrary module could have been load     because relative path were not escaped (bsc#1017310)

  - CVE-2016-10049: Corrupt RLE files could have overflowed     a buffer due to a incorrect length calculation     (bsc#1017311)

  - CVE-2016-10050: Corrupt RLE files could have overflowed     a heap buffer due to a missing offset check     (bsc#1017312)

  - CVE-2016-10051: Fixed use after free when reading PWP     files (bsc#1017313)

  - CVE-2016-10052: Added bound check to exif parsing of     JPEG files (bsc#1017314)

  - CVE-2016-10059: Unchecked calculation when reading TIFF     files could have lead to a buffer overflow (bsc#1017318)

  - CVE-2016-10060: Improved error handling when writing     files to not mask errors (bsc#1017319)

  - CVE-2016-10061: Improved error handling when writing     files to not mask errors (bsc#1017319).

  - CVE-2016-10062: Improved error handling when writing     files to not mask errors (bsc#1017319).

  - CVE-2016-10063: Check validity of extend during TIFF     file reading (bsc#1017320)

  - CVE-2016-10064: Improved checks for buffer overflow when     reading TIFF files (bsc#1017321)

  - CVE-2016-10065: Unchecked calculations when reading VIFF     files could have lead to out of bound reads     (bsc#1017322)

  - CVE-2016-10068: Prevent NULL pointer access when using     the MSL interpreter (bsc#1017324)

  - CVE-2016-10069: Add check for invalid mat file     (bsc#1017325).

  - CVE-2016-10070: Prevent allocating the wrong amount of     memory when reading mat files (bsc#1017326)

  - CVE-2016-10071: Prevent allocating the wrong amount of     memory when reading mat files (bsc#1017326)

  - CVE-2016-10144: Added a check after allocating memory     when parsing IPL files (bsc#1020433)

  - CVE-2016-10145: Fixed of-by-one in string copy operation     when parsing WPG files (bsc#1020435)

  - CVE-2016-10146: Captions and labels were handled     incorrectly, causing a memory leak that could have lead     to DoS (bsc#1020443)

  - CVE-2017-5506: Missing offset check leading to a     double-free (bsc#1020436)

  - CVE-2017-5507: Fixed a memory leak when reading MPC     files allowing for DoS (bsc#1020439)

  - CVE-2017-5508: Increase the amount of memory allocated     for TIFF pixels to prevent a heap buffer-overflow     (bsc#1020441)

  - CVE-2017-5510: Prevent out-of-bounds write when reading     PSD files (bsc#1020446).

  - CVE-2017-5511: A missing cast when reading PSD files     could have caused memory corruption by a heap overflow     (bsc#1020448)

This update removes the fix for CVE-2016-9773. ImageMagick-6 was not affected by CVE-2016-9773 and it caused a regression (at least in GraphicsMagick) (bsc#1017421).

This update was imported from the SUSE:SLE-12:Update update project.

This update for ImageMagick fixes the following issues :

  - CVE-2016-10046: Prevent buffer overflow in draw.c caused     by an incorrect length calculation (bsc#1017308)

  - CVE-2016-10048: Arbitrary module could have been load     because relative path were not escaped (bsc#1017310)

  - CVE-2016-10049: Corrupt RLE files could have overflowed     a buffer due to a incorrect length calculation     (bsc#1017311)

  - CVE-2016-10050: Corrupt RLE files could have overflowed     a heap buffer due to a missing offset check     (bsc#1017312)

  - CVE-2016-10051: Fixed use after free when reading PWP     files (bsc#1017313)

  - CVE-2016-10052: Added bound check to exif parsing of     JPEG files (bsc#1017314).

  - CVE-2016-10059: Unchecked calculation when reading TIFF     files could have lead to a buffer overflow (bsc#1017318)

  - CVE-2016-10060: Improved error handling when writing     files to not mask errors (bsc#1017319).

  - CVE-2016-10063: Check validity of extend during TIFF     file reading (bsc#1017320).

  - CVE-2016-10064: Improved checks for buffer overflow when     reading TIFF files (bsc#1017321)

  - CVE-2016-10065: Unchecked calculations when reading VIFF     files could have lead to out of bound reads     (bsc#1017322)

  - CVE-2016-10068: Prevent NULL pointer access when using     the MSL interpreter (bsc#1017324)

  - CVE-2016-10070: Prevent allocating the wrong amount of     memory when reading mat files (bsc#1017326)

  - CVE-2016-10071: Prevent allocating the wrong amount of     memory when reading mat files (bsc#1017326).

  - CVE-2016-10144: Added a check after allocating memory     when parsing IPL files (bsc#1020433).

  - CVE-2016-10145: Fixed of-by-one in string copy operation     when parsing WPG files (bsc#1020435).

  - CVE-2016-10146: Captions and labels were handled     incorrectly, causing a memory leak that could have lead     to DoS (bsc#1020443)

  - CVE-2017-5506: Missing offset check leading to a     double-free (bsc#1020436).

  - CVE-2017-5507: Fixed a memory leak when reading MPC     files allowing for DoS (bsc#1020439).

  - CVE-2017-5508: Increase the amount of memory allocated     for TIFF pixels to prevent a heap buffer-overflow     (bsc#1020441).

  - CVE-2017-5511: A missing cast when reading PSD files     could have caused memory corruption by a heap overflow     (bsc#1020448) This update removes the fix for     CVE-2016-9773. ImageMagick-6 was not affected by     CVE-2016-9773 and it caused a regression (at least in     GraphicsMagick) (bsc#1017421).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ImageMagick fixes the following issues :

  - CVE-2016-10046: Prevent buffer overflow in draw.c caused     by an incorrect length calculation (bsc#1017308)

  - CVE-2016-10048: Arbitrary module could have been load     because relative path were not escaped (bsc#1017310)

  - CVE-2016-10049: Corrupt RLE files could have overflowed     a buffer due to a incorrect length calculation     (bsc#1017311)

  - CVE-2016-10050: Corrupt RLE files could have overflowed     a heap buffer due to a missing offset check     (bsc#1017312)

  - CVE-2016-10051: Fixed use after free when reading PWP     files (bsc#1017313)

  - CVE-2016-10052: Added bound check to exif parsing of     JPEG files (bsc#1017314)

  - CVE-2016-10059: Unchecked calculation when reading TIFF     files could have lead to a buffer overflow (bsc#1017318)

  - CVE-2016-10060: Improved error handling when writing     files to not mask errors (bsc#1017319)

  - CVE-2016-10061: Improved error handling when writing     files to not mask errors (bsc#1017319).

  - CVE-2016-10062: Improved error handling when writing     files to not mask errors (bsc#1017319).

  - CVE-2016-10063: Check validity of extend during TIFF     file reading (bsc#1017320)

  - CVE-2016-10064: Improved checks for buffer overflow when     reading TIFF files (bsc#1017321)

  - CVE-2016-10065: Unchecked calculations when reading VIFF     files could have lead to out of bound reads     (bsc#1017322)

  - CVE-2016-10068: Prevent NULL pointer access when using     the MSL interpreter (bsc#1017324)

  - CVE-2016-10069: Add check for invalid mat file     (bsc#1017325).

  - CVE-2016-10070: Prevent allocating the wrong amount of     memory when reading mat files (bsc#1017326)

  - CVE-2016-10071: Prevent allocating the wrong amount of     memory when reading mat files (bsc#1017326)

  - CVE-2016-10144: Added a check after allocating memory     when parsing IPL files (bsc#1020433)

  - CVE-2016-10145: Fixed of-by-one in string copy operation     when parsing WPG files (bsc#1020435)

  - CVE-2016-10146: Captions and labels were handled     incorrectly, causing a memory leak that could have lead     to DoS (bsc#1020443)

  - CVE-2017-5506: Missing offset check leading to a     double-free (bsc#1020436)

  - CVE-2017-5507: Fixed a memory leak when reading MPC     files allowing for DoS (bsc#1020439)

  - CVE-2017-5508: Increase the amount of memory allocated     for TIFF pixels to prevent a heap buffer-overflow     (bsc#1020441)

  - CVE-2017-5510: Prevent out-of-bounds write when reading     PSD files (bsc#1020446).

  - CVE-2017-5511: A missing cast when reading PSD files     could have caused memory corruption by a heap overflow     (bsc#1020448) This update removes the fix for     CVE-2016-9773. ImageMagick-6 was not affected by     CVE-2016-9773 and it caused a regression (at least in     GraphicsMagick) (bsc#1017421).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ImageMagick fixes the following issues :

  - CVE-2016-9556 Possible Heap-overflow found by fuzzing     [bsc#1011130]

  - CVE-2016-9559 Possible NULL pointer access found by     fuzzing [bsc#1011136]

  - CVE-2016-8707 Possible code execution in Tiff conver     utility [bsc#1014159]

  - CVE-2016-8866 Memory allocation failure in     AcquireMagickMemory could lead to Heap overflow     [bsc#1009318]

  - CVE-2016-9559 Possible NULL pointer access found by     fuzzing [bsc#1011136]

This update was imported from the SUSE:SLE-12:Update update project.

This update for ImageMagick fixes the following issues :

  - CVE-2016-9556 Possible Heap-overflow found by fuzzing     [bsc#1011130]

  - CVE-2016-9559 Possible NULL pointer access found by     fuzzing [bsc#1011136]

  - CVE-2016-8707 Possible code execution in Tiff conver     utility [bsc#1014159]

  - CVE-2016-8866 Memory allocation failure in     AcquireMagickMemory could lead to Heap overflow     [bsc#1009318]

  - CVE-2016-9559 Possible NULL pointer access found by     fuzzing [bsc#1011136]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ImageMagick fixes the following issues :

  - CVE-2016-9556: Possible Heap-overflow found by fuzzing     [bsc#1011130]

  - CVE-2016-9559: Possible NULL pointer access found by     fuzzing [bsc#1011136]

  - CVE-2016-8707: Possible code execution in the tiff     deflate convert code [bsc#1014159]

  - CVE-2016-9773: Possible Heap overflow in IsPixelGray     [bsc#1013376]

  - CVE-2016-8866: Possible memory allocation failure in     AcquireMagickMemory [bsc#1009318]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This security update for ImageMagick fixes the following issues :

  - a maliciously crafted compressed TIFF image could cause     code remote code execution in the convert utility in     particular circumstances (CVE-2016-8707, boo#1014159)

  - a memory allocation failure was fixed (CVE-2016-8866,     boo#1009318, follow up on CVE-2016-8862)

  - the identify utility could crash on maliciously crafted     images (CVE-2016-9773, boo#1013376, follow up on     CVE-2016-9556)

The version of ImageMagick installed on the remote Windows host is 7.x prior to 7.0.3-9. It is, therefore, affected by a denial of service vulnerability due to an out-of-bounds read error in the ReadSGIImage() function within file coders/sgi.c when handling iris info dimensions.
An unauthenticated, remote attacker can exploit this to crash a process linked against the library or possibly disclose memory contents.

Note that CVE-2016-9773 exists due to an incomplete fix for CVE-2016-9556.

ID	Name	Product	Family	Severity
97562	openSUSE Security Update : ImageMagick (openSUSE-2017-303)	Nessus	SuSE Local Security Checks	critical
97495	SUSE SLES11 Security Update : ImageMagick (SUSE-SU-2017:0586-1)	Nessus	SuSE Local Security Checks	critical
97317	SUSE SLED12 / SLES12 Security Update : ImageMagick (SUSE-SU-2017:0529-1)	Nessus	SuSE Local Security Checks	critical
96296	openSUSE Security Update : ImageMagick (openSUSE-2017-14)	Nessus	SuSE Local Security Checks	high
96139	SUSE SLED12 / SLES12 Security Update : ImageMagick (SUSE-SU-2016:3258-1)	Nessus	SuSE Local Security Checks	high
96138	SUSE SLES11 Security Update : ImageMagick (SUSE-SU-2016:3256-1)	Nessus	SuSE Local Security Checks	high
96133	openSUSE Security Update : ImageMagick (openSUSE-2016-1512)	Nessus	SuSE Local Security Checks	high
95722	ImageMagick 7.x < 7.0.3-9 ReadSGIImage() SGI File Handling DoS	Nessus	Windows	medium

CVE-2016-9773

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

critical

high

high

high

high

medium