openSUSE Security Update : php7-imagick (openSUSE-2020-14)

critical Nessus Plugin ID 132905

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for php7-imagick fixes the following issues:

Upgrade to version 3.4.4:

Added:

- function Imagick::optimizeImageTransparency()

- METRIC_STRUCTURAL_SIMILARITY_ERROR

- METRIC_STRUCTURAL_DISSIMILARITY_ERROR

- COMPRESSION_ZSTD - https://github.com/facebook/zstd

- COMPRESSION_WEBP

- CHANNEL_COMPOSITE_MASK

- FILTER_CUBIC_SPLINE - 'Define the lobes with the -define filter:lobes=(2,3,4) (reference https://imagemagick.org/discourse-server/viewtopic.php?f=2&t=32506).'

- Imagick now explicitly conflicts with the Gmagick extension.

Fixes:

- Correct version check to make RemoveAlphaChannel and FlattenAlphaChannel be available when using Imagick with ImageMagick version 6.7.8-x

- Bug 77128 - Imagick::setImageInterpolateMethod() not available on Windows

- Prevent memory leak when ImagickPixel::__construct called after object instantiation.

- Prevent segfault when ImagickPixel internal constructor not called.

- Imagick::setResourceLimit support for values larger than 2GB (2^31) on 32bit platforms.

- Corrected memory overwrite in Imagick::colorDecisionListImage()

- Bug 77791 - ImagickKernel::fromMatrix() out of bounds write. Fixes CVE-2019-11037, boo#1135418

The following functions have been deprecated:

- ImagickDraw, matte

- Imagick::averageimages

- Imagick::colorfloodfillimage

- Imagick::filter

- Imagick::flattenimages

- Imagick::getimageattribute

- Imagick::getimagechannelextrema

- Imagick::getimageclipmask

- Imagick::getimageextrema

- Imagick::getimageindex

- Imagick::getimagematte

- Imagick::getimagemattecolor

- Imagick::getimagesize

- Imagick::mapimage

- Imagick::mattefloodfillimage

- Imagick::medianfilterimage

- Imagick::mosaicimages

- Imagick::orderedposterizeimage

- Imagick::paintfloodfillimage

- Imagick::paintopaqueimage

- Imagick::painttransparentimage

- Imagick::radialblurimage

- Imagick::recolorimage

- Imagick::reducenoiseimage

- Imagick::roundcornersimage

- Imagick::roundcorners

- Imagick::setimageattribute

- Imagick::setimagebias

- Imagick::setimageclipmask

- Imagick::setimageindex

- Imagick::setimagemattecolor

- Imagick::setimagebiasquantum

- Imagick::setimageopacity

- Imagick::transformimage

Solution

Update the affected php7-imagick packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1135418

https://github.com/facebook/zstd

https://imagemagick.org/discourse-server/viewtopic.php?f=2&t=32506

Plugin Details

Severity: Critical

ID: 132905

File Name: openSUSE-2020-14.nasl

Version: 1.2

Type: local

Agent: unix

Published: 1/15/2020

Updated: 1/17/2020

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:php7-imagick, p-cpe:/a:novell:opensuse:php7-imagick-debuginfo, p-cpe:/a:novell:opensuse:php7-imagick-debugsource, cpe:/o:novell:opensuse:15.1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 1/13/2020

Vulnerability Publication Date: 5/3/2019

Reference Information

CVE: CVE-2019-11037