openSUSE Security Update : GraphicsMagick (openSUSE-2017-214)

critical Nessus Plugin ID 97075
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for GraphicsMagick fixes several issues.

These security issues were fixed :

- CVE-2016-10048: Arbitrary module could have been load because relative path were not escaped (bsc#1017310)

- CVE-2016-10050: Corrupt RLE files could have overflowed a heap buffer due to a missing offset check (bsc#1017312)

- CVE-2016-10051: Fixed use after free when reading PWP files (bsc#1017313)

- CVE-2016-10052: Added bound check to exif parsing of JPEG files (bsc#1017314)

- CVE-2016-10059: Unchecked calculation when reading TIFF files could have lead to a buffer overflow (bsc#1017318)

- CVE-2016-10064: Improved checks for buffer overflow when reading TIFF files (bsc#1017321)

- CVE-2016-10065: Unchecked calculations when reading VIFF files could have lead to out of bound reads (bsc#1017322)

- CVE-2016-10068: Prevent NULL pointer access when using the MSL interpreter (bsc#1017324)

- CVE-2016-10069: Add check for invalid mat file (bsc#1017325).

- CVE-2016-10070: Prevent allocating the wrong amount of memory when reading mat files (bsc#1017326)

- CVE-2016-10146: Captions and labels were handled incorrectly, causing a memory leak that could have lead to DoS (bsc#1020443)

- CVE-2017-5511: A missing cast when reading PSD files could have caused memory corruption by a heap overflow (bsc#1020448)

Solution

Update the affected GraphicsMagick packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1017310

https://bugzilla.opensuse.org/show_bug.cgi?id=1017312

https://bugzilla.opensuse.org/show_bug.cgi?id=1017313

https://bugzilla.opensuse.org/show_bug.cgi?id=1017314

https://bugzilla.opensuse.org/show_bug.cgi?id=1017318

https://bugzilla.opensuse.org/show_bug.cgi?id=1017321

https://bugzilla.opensuse.org/show_bug.cgi?id=1017322

https://bugzilla.opensuse.org/show_bug.cgi?id=1017324

https://bugzilla.opensuse.org/show_bug.cgi?id=1017325

https://bugzilla.opensuse.org/show_bug.cgi?id=1017326

https://bugzilla.opensuse.org/show_bug.cgi?id=1020443

https://bugzilla.opensuse.org/show_bug.cgi?id=1020448

Plugin Details

Severity: Critical

ID: 97075

File Name: openSUSE-2017-214.nasl

Version: 3.6

Type: local

Agent: unix

Published: 2/9/2017

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:GraphicsMagick, p-cpe:/a:novell:opensuse:GraphicsMagick-debuginfo, p-cpe:/a:novell:opensuse:GraphicsMagick-debugsource, p-cpe:/a:novell:opensuse:GraphicsMagick-devel, p-cpe:/a:novell:opensuse:libGraphicsMagick++-Q16-11, p-cpe:/a:novell:opensuse:libGraphicsMagick++-Q16-11-debuginfo, p-cpe:/a:novell:opensuse:libGraphicsMagick++-devel, p-cpe:/a:novell:opensuse:libGraphicsMagick-Q16-3, p-cpe:/a:novell:opensuse:libGraphicsMagick-Q16-3-debuginfo, p-cpe:/a:novell:opensuse:libGraphicsMagick3-config, p-cpe:/a:novell:opensuse:libGraphicsMagickWand-Q16-2, p-cpe:/a:novell:opensuse:libGraphicsMagickWand-Q16-2-debuginfo, p-cpe:/a:novell:opensuse:perl-GraphicsMagick, p-cpe:/a:novell:opensuse:perl-GraphicsMagick-debuginfo, cpe:/o:novell:opensuse:42.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2/6/2017

Reference Information

CVE: CVE-2016-10048, CVE-2016-10050, CVE-2016-10051, CVE-2016-10052, CVE-2016-10059, CVE-2016-10064, CVE-2016-10065, CVE-2016-10068, CVE-2016-10069, CVE-2016-10070, CVE-2016-10146, CVE-2017-5511