Security update for ImageMagick (moderate)

2019-05-0300:00:00

lists.opensuse.org

232

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.015 Low

EPSS

Percentile

85.6%

JSON

An update that solves 13 vulnerabilities and has one errata
is now available.

Description:

This update for ImageMagick fixes the following issues:

Security issues fixed:

CVE-2019-9956: Fixed a stack-based buffer overflow in PopHexPixel()
(bsc#1130330).
CVE-2019-10650: Fixed a heap-based buffer over-read in WriteTIFFImage()
(bsc#1131317).
CVE-2019-7175: Fixed multiple memory leaks in DecodeImage function
(bsc#1128649).
CVE-2018-20467: Fixed infinite loop in coders/bmp.c (bsc#1120381).
CVE-2019-7398: Fixed a memory leak in the function WriteDIBImage
(bsc#1124365).
CVE-2019-7397: Fixed a memory leak in the function WritePDFImage
(bsc#1124366).
CVE-2019-7395: Fixed a memory leak in the function WritePSDChannel
(bsc#1124368).
CVE-2018-16413: Fixed a heap-based buffer over-read in PushShortPixel()
(bsc#1106989).
CVE-2018-16412: Fixed a heap-based buffer over-read in
ParseImageResourceBlocks() (bsc#1106996).
CVE-2018-16644: Fixed a regression in dcm coder (bsc#1107609).
CVE-2019-11007: Fixed a heap-based buffer overflow in ReadMNGImage()
(bsc#1132060).
CVE-2019-11008: Fixed a heap-based buffer overflow in WriteXWDImage()
(bsc#1132054).
CVE-2019-11009: Fixed a heap-based buffer over-read in ReadXWDImage()
(bsc#1132053).
Added extra -config- packages with Postscript/EPS/PDF readers still
enabled.

Removing the PS decoders is used to harden ImageMagick against security
issues within ghostscript. Enabling them might impact security.
(bsc#1122033)

These are two packages that can be selected:
- ImageMagick-config-6-SUSE: This has the PS decoders disabled.
- ImageMagick-config-6-upstream: This has the PS decoders enabled.
Depending on your local needs install either one of them. The default is
the -SUSE configuration.

This update was imported from the SUSE:SLE-12:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1320=1

OSVersionArchitecturePackageVersionFilename
openSUSE Leap42.3i586< - openSUSE Leap 42.3 (i586 x86_64):- openSUSE Leap 42.3 (i586 x86_64):.i586.rpm
openSUSE Leap42.3x86_64< - openSUSE Leap 42.3 (i586 x86_64):- openSUSE Leap 42.3 (i586 x86_64):.x86_64.rpm
openSUSE Leap42.3noarch< - openSUSE Leap 42.3 (noarch):- openSUSE Leap 42.3 (noarch):.noarch.rpm
openSUSE Leap42.3x86_64< - openSUSE Leap 42.3 (x86_64):- openSUSE Leap 42.3 (x86_64):.x86_64.rpm

OS	Version	Architecture	Version	Filename
openSUSE Leap	42.3	i586	< - openSUSE Leap 42.3 (i586 x86_64):	- openSUSE Leap 42.3 (i586 x86_64):.i586.rpm
openSUSE Leap	42.3	x86_64	< - openSUSE Leap 42.3 (i586 x86_64):	- openSUSE Leap 42.3 (i586 x86_64):.x86_64.rpm
openSUSE Leap	42.3	noarch	< - openSUSE Leap 42.3 (noarch):	- openSUSE Leap 42.3 (noarch):.noarch.rpm
openSUSE Leap	42.3	x86_64	< - openSUSE Leap 42.3 (x86_64):	- openSUSE Leap 42.3 (x86_64):.x86_64.rpm