Lucene search

K
suseSuseOPENSUSE-SU-2019:1320-1
HistoryMay 03, 2019 - 12:00 a.m.

Security update for ImageMagick (moderate)

2019-05-0300:00:00
lists.opensuse.org
237

EPSS

0.021

Percentile

89.5%

An update that solves 13 vulnerabilities and has one errata
is now available.

Description:

This update for ImageMagick fixes the following issues:

Security issues fixed:

  • CVE-2019-9956: Fixed a stack-based buffer overflow in PopHexPixel()
    (bsc#1130330).

  • CVE-2019-10650: Fixed a heap-based buffer over-read in WriteTIFFImage()
    (bsc#1131317).

  • CVE-2019-7175: Fixed multiple memory leaks in DecodeImage function
    (bsc#1128649).

  • CVE-2018-20467: Fixed infinite loop in coders/bmp.c (bsc#1120381).

  • CVE-2019-7398: Fixed a memory leak in the function WriteDIBImage
    (bsc#1124365).

  • CVE-2019-7397: Fixed a memory leak in the function WritePDFImage
    (bsc#1124366).

  • CVE-2019-7395: Fixed a memory leak in the function WritePSDChannel
    (bsc#1124368).

  • CVE-2018-16413: Fixed a heap-based buffer over-read in PushShortPixel()
    (bsc#1106989).

  • CVE-2018-16412: Fixed a heap-based buffer over-read in
    ParseImageResourceBlocks() (bsc#1106996).

  • CVE-2018-16644: Fixed a regression in dcm coder (bsc#1107609).

  • CVE-2019-11007: Fixed a heap-based buffer overflow in ReadMNGImage()
    (bsc#1132060).

  • CVE-2019-11008: Fixed a heap-based buffer overflow in WriteXWDImage()
    (bsc#1132054).

  • CVE-2019-11009: Fixed a heap-based buffer over-read in ReadXWDImage()
    (bsc#1132053).

  • Added extra -config- packages with Postscript/EPS/PDF readers still
    enabled.

    Removing the PS decoders is used to harden ImageMagick against security
    issues within ghostscript. Enabling them might impact security.
    (bsc#1122033)

    These are two packages that can be selected:

    • ImageMagick-config-6-SUSE: This has the PS decoders disabled.
    • ImageMagick-config-6-upstream: This has the PS decoders enabled.

    Depending on your local needs install either one of them. The default is
    the -SUSE configuration.

This update was imported from the SUSE:SLE-12:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 42.3:

    zypper in -t patch openSUSE-2019-1320=1

OSVersionArchitecturePackageVersionFilename
openSUSE Leap42.3i586< - openSUSE Leap 42.3 (i586 x86_64):- openSUSE Leap 42.3 (i586 x86_64):.i586.rpm
openSUSE Leap42.3x86_64< - openSUSE Leap 42.3 (i586 x86_64):- openSUSE Leap 42.3 (i586 x86_64):.x86_64.rpm
openSUSE Leap42.3noarch< - openSUSE Leap 42.3 (noarch):- openSUSE Leap 42.3 (noarch):.noarch.rpm
openSUSE Leap42.3x86_64< - openSUSE Leap 42.3 (x86_64):- openSUSE Leap 42.3 (x86_64):.x86_64.rpm