openSUSE Security Update : ImageMagick (openSUSE-2017-686)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update for ImageMagick fixes the following issues :

Security issues fixed :

- CVE-2017-6502: Possible file-descriptor leak in
libmagickcore that could be triggered via a specially
crafted webp file (bsc#1028075).

- CVE-2017-7943: The ReadSVGImage function in svg.c
allowed remote attackers to consume an amount of
available memory via a crafted file (bsc#1034870). Note
that this only impacts the built-in SVG implementation.
As we use the librsgv implementation, we are not
affected.

- CVE-2017-7942: The ReadAVSImage function in avs.c
allowed remote attackers to consume an amount of
available memory via a crafted file (bsc#1034872).

- CVE-2017-7941: The ReadSGIImage function in sgi.c
allowed remote attackers to consume an amount of
available memory via a crafted file (bsc#1034876).

- CVE-2017-8351: ImageMagick, GraphicsMagick: denial of
service (memory leak) via a crafted file (ReadPCDImage
func in pcd.c) (bsc#1036986).

- CVE-2017-8352: denial of service (memory leak) via a
crafted file (ReadXWDImage func in xwd.c) (bsc#1036987)

- CVE-2017-8349: denial of service (memory leak) via a
crafted file (ReadSFWImage func in sfw.c) (bsc#1036984)

- CVE-2017-8350: denial of service (memory leak) via a
crafted file (ReadJNGImage function in png.c)
(bsc#1036985)

- CVE-2017-8347: denial of service (memory leak) via a
crafted file (ReadEXRImage func in exr.c) (bsc#1036982)

- CVE-2017-8348: denial of service (memory leak) via a
crafted file (ReadMATImage func in mat.c) (bsc#1036983)

- CVE-2017-8345: denial of service (memory leak) via a
crafted file (ReadMNGImage func in png.c) (bsc#1036980)

- CVE-2017-8346: denial of service (memory leak) via a
crafted file (ReadDCMImage func in dcm.c) (bsc#1036981)

- CVE-2017-8353: denial of service (memory leak) via a
crafted file (ReadPICTImage func in pict.c)
(bsc#1036988)

- CVE-2017-8354: denial of service (memory leak) via a
crafted file (ReadBMPImage func in bmp.c) (bsc#1036989)

- CVE-2017-8830: denial of service (memory leak) via a
crafted file (ReadBMPImage func in bmp.c:1379)
(bsc#1038000)

- CVE-2017-7606: denial of service (application crash) or
possibly have unspecified other impact via a crafted
image (bsc#1033091)

- CVE-2017-8765: memory leak vulnerability via a crafted
ICON file (ReadICONImage in coders\icon.c) (bsc#1037527)

- CVE-2017-8356: denial of service (memory leak) via a
crafted file (ReadSUNImage function in sun.c)
(bsc#1036991)

- CVE-2017-8355: denial of service (memory leak) via a
crafted file (ReadMTVImage func in mtv.c) (bsc#1036990)

- CVE-2017-8344: denial of service (memory leak) via a
crafted file (ReadPCXImage func in pcx.c) (bsc#1036978)

- CVE-2017-8343: denial of service (memory leak) via a
crafted file (ReadAAIImage func in aai.c) (bsc#1036977)

- CVE-2017-8357: denial of service (memory leak) via a
crafted file (ReadEPTImage func in ept.c) (bsc#1036976)

- CVE-2017-9098: uninitialized memory usage in the
ReadRLEImage RLE decoder function coders/rle.c
(bsc#1040025)

- CVE-2017-9141: Missing checks in the ReadDDSImage
function in coders/dds.c could lead to a denial of
service (assertion) (bsc#1040303)

- CVE-2017-9142: Missing checks in theReadOneJNGImage
function in coders/png.c could lead to denial of service
(assertion) (bsc#1040304)

- CVE-2017-9143: A possible denial of service attack via
crafted .art file in ReadARTImage function in
coders/art.c (bsc#1040306)

- CVE-2017-9144: A crafted RLE image can trigger a crash
in coders/rle.c could lead to a denial of service
(crash) (bsc#1040332)

This update was imported from the SUSE:SLE-12:Update update project.

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=1028075
https://bugzilla.opensuse.org/show_bug.cgi?id=1033091
https://bugzilla.opensuse.org/show_bug.cgi?id=1034870
https://bugzilla.opensuse.org/show_bug.cgi?id=1034872
https://bugzilla.opensuse.org/show_bug.cgi?id=1034876
https://bugzilla.opensuse.org/show_bug.cgi?id=1036976
https://bugzilla.opensuse.org/show_bug.cgi?id=1036977
https://bugzilla.opensuse.org/show_bug.cgi?id=1036978
https://bugzilla.opensuse.org/show_bug.cgi?id=1036980
https://bugzilla.opensuse.org/show_bug.cgi?id=1036981
https://bugzilla.opensuse.org/show_bug.cgi?id=1036982
https://bugzilla.opensuse.org/show_bug.cgi?id=1036983
https://bugzilla.opensuse.org/show_bug.cgi?id=1036984
https://bugzilla.opensuse.org/show_bug.cgi?id=1036985
https://bugzilla.opensuse.org/show_bug.cgi?id=1036986
https://bugzilla.opensuse.org/show_bug.cgi?id=1036987
https://bugzilla.opensuse.org/show_bug.cgi?id=1036988
https://bugzilla.opensuse.org/show_bug.cgi?id=1036989
https://bugzilla.opensuse.org/show_bug.cgi?id=1036990
https://bugzilla.opensuse.org/show_bug.cgi?id=1036991
https://bugzilla.opensuse.org/show_bug.cgi?id=1037527
https://bugzilla.opensuse.org/show_bug.cgi?id=1038000
https://bugzilla.opensuse.org/show_bug.cgi?id=1040025
https://bugzilla.opensuse.org/show_bug.cgi?id=1040303
https://bugzilla.opensuse.org/show_bug.cgi?id=1040304
https://bugzilla.opensuse.org/show_bug.cgi?id=1040306
https://bugzilla.opensuse.org/show_bug.cgi?id=1040332

Solution :

Update the affected ImageMagick packages.

Risk factor :

High / CVSS Base Score : 7.1
(CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C)