Security update for ImageMagick SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:2176-1 Final 1 1 2017-08-16T10:28:11Z current 2017-08-16T10:28:11Z 2017-08-16T10:28:11Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ImageMagick This update for ImageMagick fixes the following issues: Security issues fixed: - CVE-2017-9439: A memory leak was found in the function ReadPDBImage incoders/pdb.c (bsc#1042826) - CVE-2017-9501: An assertion failure could cause a denial of service via a crafted file (bsc#1043289) - CVE-2017-11403: ReadMNGImage function in coders/png.c has an out-of-order CloseBlob call, resulting in a use-after-free via acrafted file (bsc#1049072) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-ImageMagick-13232,slessp4-ImageMagick-13232 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20172176-1/ Link for SUSE-SU-2017:2176-1 https://lists.opensuse.org/opensuse-security-announce/2017-08/msg00049.html E-Mail link for SUSE-SU-2017:2176-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1042826 SUSE Bug 1042826 https://bugzilla.suse.com/1043289 SUSE Bug 1043289 https://bugzilla.suse.com/1049072 SUSE Bug 1049072 https://www.suse.com/security/cve/CVE-2017-11403/ SUSE CVE CVE-2017-11403 page https://www.suse.com/security/cve/CVE-2017-9439/ SUSE CVE CVE-2017-9439 page https://www.suse.com/security/cve/CVE-2017-9501/ SUSE CVE CVE-2017-9501 page SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server for SAP Applications 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4 ImageMagick-6.4.3.6-7.78.5.2 ImageMagick-devel-6.4.3.6-7.78.5.2 libMagick++-devel-6.4.3.6-7.78.5.2 libMagick++1-6.4.3.6-7.78.5.2 libMagickWand1-6.4.3.6-7.78.5.2 libMagickWand1-32bit-6.4.3.6-7.78.5.2 perl-PerlMagick-6.4.3.6-7.78.5.2 libMagickCore1-6.4.3.6-7.78.5.2 libMagickCore1-32bit-6.4.3.6-7.78.5.2 libMagickCore1-6.4.3.6-7.78.5.2 as a component of SUSE Linux Enterprise Server 11 SP4 libMagickCore1-32bit-6.4.3.6-7.78.5.2 as a component of SUSE Linux Enterprise Server 11 SP4 libMagickCore1-6.4.3.6-7.78.5.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libMagickCore1-32bit-6.4.3.6-7.78.5.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 ImageMagick-6.4.3.6-7.78.5.2 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 ImageMagick-devel-6.4.3.6-7.78.5.2 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 libMagick++-devel-6.4.3.6-7.78.5.2 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 libMagick++1-6.4.3.6-7.78.5.2 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 libMagickWand1-6.4.3.6-7.78.5.2 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 libMagickWand1-32bit-6.4.3.6-7.78.5.2 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 perl-PerlMagick-6.4.3.6-7.78.5.2 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 has an out-of-order CloseBlob call, resulting in a use-after-free via a crafted file. CVE-2017-11403 SUSE Linux Enterprise Server 11 SP4:libMagickCore1-32bit-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Server 11 SP4:libMagickCore1-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libMagickCore1-32bit-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libMagickCore1-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:ImageMagick-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:ImageMagick-devel-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagick++-devel-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagick++1-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagickWand1-32bit-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagickWand1-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:perl-PerlMagick-6.4.3.6-7.78.5.2 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172176-1/ https://www.suse.com/security/cve/CVE-2017-11403.html CVE-2017-11403 https://bugzilla.suse.com/1049072 SUSE Bug 1049072 https://bugzilla.suse.com/1053809 SUSE Bug 1053809 https://bugzilla.suse.com/1053919 SUSE Bug 1053919 https://bugzilla.suse.com/1054600 SUSE Bug 1054600 https://bugzilla.suse.com/1057000 SUSE Bug 1057000 https://bugzilla.suse.com/1084062 SUSE Bug 1084062 In ImageMagick 7.0.5-5, a memory leak was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to cause a denial of service via a crafted file. CVE-2017-9439 SUSE Linux Enterprise Server 11 SP4:libMagickCore1-32bit-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Server 11 SP4:libMagickCore1-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libMagickCore1-32bit-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libMagickCore1-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:ImageMagick-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:ImageMagick-devel-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagick++-devel-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagick++1-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagickWand1-32bit-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagickWand1-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:perl-PerlMagick-6.4.3.6-7.78.5.2 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172176-1/ https://www.suse.com/security/cve/CVE-2017-9439.html CVE-2017-9439 https://bugzilla.suse.com/1042826 SUSE Bug 1042826 https://bugzilla.suse.com/1053919 SUSE Bug 1053919 In ImageMagick 7.0.5-7 Q16, an assertion failure was found in the function LockSemaphoreInfo, which allows attackers to cause a denial of service via a crafted file. CVE-2017-9501 SUSE Linux Enterprise Server 11 SP4:libMagickCore1-32bit-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Server 11 SP4:libMagickCore1-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libMagickCore1-32bit-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libMagickCore1-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:ImageMagick-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:ImageMagick-devel-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagick++-devel-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagick++1-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagickWand1-32bit-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:libMagickWand1-6.4.3.6-7.78.5.2 SUSE Linux Enterprise Software Development Kit 11 SP4:perl-PerlMagick-6.4.3.6-7.78.5.2 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172176-1/ https://www.suse.com/security/cve/CVE-2017-9501.html CVE-2017-9501 https://bugzilla.suse.com/1043289 SUSE Bug 1043289 https://bugzilla.suse.com/1053919 SUSE Bug 1053919