ESB-2018.2845 - [SUSE] ImageMagick: Multiple vulnerabilities 2018-09-24


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2845
           SUSE Security Update: Security update for ImageMagick
                             24 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ImageMagick
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Denial of Service        -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-16329 CVE-2018-16323 CVE-2018-14437
                   CVE-2018-14436 CVE-2018-14435 CVE-2018-14434

Reference:         ESB-2018.2490
                   ESB-2018.2505

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2018/suse-su-20182778-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2778-1
Rating:             moderate
References:         #1102003 #1102004 #1102005 #1102007 #1105592
                    #1106855 #1106858
Cross-References:   CVE-2018-14434 CVE-2018-14435 CVE-2018-14436
                    CVE-2018-14437 CVE-2018-16323 CVE-2018-16329

Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP3
                    SUSE Linux Enterprise Software Development Kit 12-SP3
                    SUSE Linux Enterprise Server 12-SP3
                    SUSE Linux Enterprise Desktop 12-SP3
______________________________________________________________________________

   An update that solves 6 vulnerabilities and has one errata
   is now available.

Description:

   This update for ImageMagick fixes the following issues:

   The following security vulnerabilities were fixed:

   - CVE-2018-16329: Prevent NULL pointer dereference in the
     GetMagickProperty function leading to DoS (bsc#1106858)
   - CVE-2018-16323: ReadXBMImage left data uninitialized when processing an
     XBM file that has a negative pixel value. If the affected code was used
     as a library loaded into a process that includes sensitive information,
     that information sometimes can be leaked via the image data (bsc#1106855)
   - CVE-2018-14434: Fixed a memory leak for a colormap in WriteMPCImage
     (bsc#1102003)
   - CVE-2018-14435: Fixed a memory leak in DecodeImage in coders/pcd.c
     (bsc#1102007)
   - CVE-2018-14436: Fixed a memory leak in ReadMIFFImage in coders/miff.c
     (bsc#1102005)
   - CVE-2018-14437: Fixed a memory leak in parse8BIM in coders/meta.c
     (bsc#1102004)
   - Disable PS, PS2, PS3, XPS and PDF coders in default policy.xml
     (bsc#1105592)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP3:

      zypper in -t patch SUSE-SLE-WE-12-SP3-2018-1943=1

   - SUSE Linux Enterprise Software Development Kit 12-SP3:

      zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1943=1

   - SUSE Linux Enterprise Server 12-SP3:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1943=1

   - SUSE Linux Enterprise Desktop 12-SP3:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1943=1



Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64):

      ImageMagick-6.8.8.1-71.74.1
      ImageMagick-debuginfo-6.8.8.1-71.74.1
      ImageMagick-debugsource-6.8.8.1-71.74.1
      libMagick++-6_Q16-3-6.8.8.1-71.74.1
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.74.1
      libMagickCore-6_Q16-1-32bit-6.8.8.1-71.74.1
      libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-71.74.1

   - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):

      ImageMagick-6.8.8.1-71.74.1
      ImageMagick-debuginfo-6.8.8.1-71.74.1
      ImageMagick-debugsource-6.8.8.1-71.74.1
      ImageMagick-devel-6.8.8.1-71.74.1
      libMagick++-6_Q16-3-6.8.8.1-71.74.1
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.74.1
      libMagick++-devel-6.8.8.1-71.74.1
      perl-PerlMagick-6.8.8.1-71.74.1
      perl-PerlMagick-debuginfo-6.8.8.1-71.74.1

   - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):

      ImageMagick-debuginfo-6.8.8.1-71.74.1
      ImageMagick-debugsource-6.8.8.1-71.74.1
      libMagickCore-6_Q16-1-6.8.8.1-71.74.1
      libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.74.1
      libMagickWand-6_Q16-1-6.8.8.1-71.74.1
      libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.74.1

   - SUSE Linux Enterprise Desktop 12-SP3 (x86_64):

      ImageMagick-6.8.8.1-71.74.1
      ImageMagick-debuginfo-6.8.8.1-71.74.1
      ImageMagick-debugsource-6.8.8.1-71.74.1
      libMagick++-6_Q16-3-6.8.8.1-71.74.1
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.74.1
      libMagickCore-6_Q16-1-32bit-6.8.8.1-71.74.1
      libMagickCore-6_Q16-1-6.8.8.1-71.74.1
      libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-71.74.1
      libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.74.1
      libMagickWand-6_Q16-1-6.8.8.1-71.74.1
      libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.74.1
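Two checks a defender would script after this bulletin, as an added example that is not SUSE's or ImageMagick's own code: compare an rpm version-release string against the fixed build 6.8.8.1-71.74.1 from the package list, and parse policy.xml to confirm the PS, PS2, PS3, XPS and PDF coders are actually set to rights="none" as the update's default policy does (bsc#1105592). The older release string and the sample policy.xml are constructed for the demonstration.

```python
"""Post-update checks for SUSE-SU-2018:2778-1 (ImageMagick); constructed example,
not SUSE's or ImageMagick's own code.  Checks (1) the installed ImageMagick
version-release is at least the fixed 6.8.8.1-71.74.1 from the package list and
(2) policy.xml really disables the PS, PS2, PS3, XPS and PDF coders (bsc#1105592)."""
import re
import xml.etree.ElementTree as ET

FIXED_VR = "6.8.8.1-71.74.1"                    # version-release from the bulletin
GS_CODERS = {"PS", "PS2", "PS3", "XPS", "PDF"}  # coders the update disables by default

def _segments(text):
    # rpmvercmp-style split: numeric runs compare as integers and rank above
    # alphabetic runs; a longer list with an equal prefix is the newer one.
    return [(1, int(s)) if s.isdigit() else (0, s) for s in re.findall(r"\d+|[A-Za-z]+", text)]

def version_ok(installed_vr, fixed_vr=FIXED_VR):
    """True if an rpm VERSION-RELEASE string is at or beyond the fixed build."""
    iv, ir = installed_vr.rsplit("-", 1)
    fv, fr = fixed_vr.rsplit("-", 1)
    return (_segments(iv), _segments(ir)) >= (_segments(fv), _segments(fr))

def _expand(pattern):
    # policy.xml may name several coders in one pattern, e.g. {PS,PS2,EPS}
    m = re.fullmatch(r"\{([^}]*)\}", pattern)
    return set(m.group(1).split(",")) if m else {pattern}

def unprotected_coders(policy_xml, coders=GS_CODERS):
    """Coders from `coders` that no <policy domain="coder" rights="none"> covers."""
    disabled = set()
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") == "coder" and pol.get("rights") == "none":
            disabled |= _expand(pol.get("pattern", ""))
    return sorted(set(coders) - disabled)

# Constructed policy.xml: a local override kept only the PS and PDF entries.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>"""

if __name__ == "__main__":
    # Real input: rpm -q --qf '%{VERSION}-%{RELEASE}\n' libMagickCore-6_Q16-1
    for vr in ("6.8.8.1-71.66.1", FIXED_VR):   # the first value is constructed
        print(vr, "patched" if version_ok(vr) else "still vulnerable")
    print("coders still enabled:", unprotected_coders(SAMPLE_POLICY))
```

On a real host, feed the rpm query output to version_ok() and the contents of /etc/ImageMagick-6/policy.xml (or wherever the distribution places it) to unprotected_coders(); an empty list means every listed coder is disabled.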


References:

   https://www.suse.com/security/cve/CVE-2018-14434.html
   https://www.suse.com/security/cve/CVE-2018-14435.html
   https://www.suse.com/security/cve/CVE-2018-14436.html
   https://www.suse.com/security/cve/CVE-2018-14437.html
   https://www.suse.com/security/cve/CVE-2018-16323.html
   https://www.suse.com/security/cve/CVE-2018-16329.html
   https://bugzilla.suse.com/1102003
   https://bugzilla.suse.com/1102004
   https://bugzilla.suse.com/1102005
   https://bugzilla.suse.com/1102007
   https://bugzilla.suse.com/1105592
   https://bugzilla.suse.com/1106855
   https://bugzilla.suse.com/1106858

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
