Jump to content
Compatible Support Forums
Sign in to follow this  
news

[security-announce] openSUSE-SU-2016:3060-1: important: Security update for GraphicsMagick

Recommended Posts

openSUSE Security Update: Security update for GraphicsMagick

______________________________________________________________________________

 

Announcement ID: openSUSE-SU-2016:3060-1

Rating: important

References: #1000399 #1000434 #1000689 #1000698 #1000704

#1000707 #1000711 #1001066 #1001221 #1002206

#1002209 #1002422 #1003629 #1005123 #1005125

#1005127 #1007245 #1011130 #982178 #983521

#983752 #983794 #983799 #984145 #984150 #984166

#984372 #984375 #984394 #984400 #984436

Cross-References: CVE-2014-9805 CVE-2014-9807 CVE-2014-9809

CVE-2014-9815 CVE-2014-9817 CVE-2014-9820

CVE-2014-9831 CVE-2014-9834 CVE-2014-9835

CVE-2014-9837 CVE-2014-9845 CVE-2014-9846

CVE-2014-9853 CVE-2016-5118 CVE-2016-6823

CVE-2016-7101 CVE-2016-7515 CVE-2016-7522

CVE-2016-7528 CVE-2016-7529 CVE-2016-7531

CVE-2016-7533 CVE-2016-7537 CVE-2016-7800

CVE-2016-7996 CVE-2016-7997 CVE-2016-8682

CVE-2016-8683 CVE-2016-8684 CVE-2016-8862

CVE-2016-9556

Affected Products:

openSUSE Leap 42.2

______________________________________________________________________________

 

An update that fixes 31 vulnerabilities is now available.

 

Description:

 

 

This update for GraphicsMagick fixes the following issues:

 

- a possible shell execution attack was fixed. if the first character of

an input filename for 'convert' was a '|' then the remainder of the

filename was passed to the shell (CVE-2016-5118, boo#982178)

- Maliciously crafted pnm files could crash GraphicsMagick (CVE-2014-9805,

[boo#983752])

- Prevent overflow in rle files (CVE-2014-9846, boo#983521)

- Fix a double free in pdb coder (CVE-2014-9807, boo#983794)

- Fix a possible crash due to corrupted xwd images (CVE-2014-9809,

boo#983799)

- Fix a possible crash due to corrupted wpg images (CVE-2014-9815,

boo#984372)

- Fix a heap buffer overflow in pdb file handling (CVE-2014-9817,

boo#984400)

- Fix a heap overflow in xpm files (CVE-2014-9820, boo#984150)

- Fix a heap overflow in pict files (CVE-2014-9834, boo#984436)

- Fix a heap overflow in wpf files (CVE-2014-9835, CVE-2014-9831,

boo#984145, boo#984375)

- Additional PNM sanity checks (CVE-2014-9837, boo#984166)

- Fix a possible crash due to corrupted dib file (CVE-2014-9845,

boo#984394)

- Fix out of bound in quantum handling (CVE-2016-7529, boo#1000399)

- Fix out of bound access in xcf file coder (CVE-2016-7528, boo#1000434)

- Fix handling of corrupted lle files (CVE-2016-7515, boo#1000689)

- Fix out of bound access for malformed psd file (CVE-2016-7522,

boo#1000698)

- Fix out of bound access for pbd files (CVE-2016-7531, boo#1000704)

- Fix out of bound access in corrupted wpg files (CVE-2016-7533,

boo#1000707)

- Fix out of bound access in corrupted pdb files (CVE-2016-7537,

boo#1000711)

- BMP Coder Out-Of-Bounds Write Vulnerability (CVE-2016-6823, boo#1001066)

- SGI Coder Out-Of-Bounds Read Vulnerability (CVE-2016-7101, boo#1001221)

- Divide by zero in WriteTIFFImage (do not divide by zero in

WriteTIFFImage, boo#1002206)

- Buffer overflows in SIXEL, PDB, MAP, and TIFF coders (fix buffer

overflow, boo#1002209)

- 8BIM/8BIMW unsigned underflow leads to heap overflow (CVE-2016-7800,

boo#1002422)

- wpg reader issues (CVE-2016-7996, CVE-2016-7997, boo#1003629)

- Mismatch between real filesize and header values (CVE-2016-8684,

boo#1005123)

- Stack-buffer read overflow while reading SCT header (CVE-2016-8682,

boo#1005125)

- Check that filesize is reasonable compared to the header value

(CVE-2016-8683, boo#1005127)

- Memory allocation failure in AcquireMagickMemory (CVE-2016-8862,

boo#1007245)

- heap-based buffer overflow in IsPixelGray (CVE-2016-9556, boo#1011130)

 

 

Patch Instructions:

 

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- openSUSE Leap 42.2:

 

zypper in -t patch openSUSE-2016-1430=1

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- openSUSE Leap 42.2 (i586 x86_64):

 

GraphicsMagick-1.3.25-3.1

GraphicsMagick-debuginfo-1.3.25-3.1

GraphicsMagick-debugsource-1.3.25-3.1

GraphicsMagick-devel-1.3.25-3.1

libGraphicsMagick++-Q16-12-1.3.25-3.1

libGraphicsMagick++-Q16-12-debuginfo-1.3.25-3.1

libGraphicsMagick++-devel-1.3.25-3.1

libGraphicsMagick-Q16-3-1.3.25-3.1

libGraphicsMagick-Q16-3-debuginfo-1.3.25-3.1

libGraphicsMagick3-config-1.3.25-3.1

libGraphicsMagickWand-Q16-2-1.3.25-3.1

libGraphicsMagickWand-Q16-2-debuginfo-1.3.25-3.1

perl-GraphicsMagick-1.3.25-3.1

perl-GraphicsMagick-debuginfo-1.3.25-3.1

 

 

References:

 

https://www.suse.com/security/cve/CVE-2014-9805.html

https://www.suse.com/security/cve/CVE-2014-9807.html

https://www.suse.com/security/cve/CVE-2014-9809.html

https://www.suse.com/security/cve/CVE-2014-9815.html

https://www.suse.com/security/cve/CVE-2014-9817.html

https://www.suse.com/security/cve/CVE-2014-9820.html

https://www.suse.com/security/cve/CVE-2014-9831.html

https://www.suse.com/security/cve/CVE-2014-9834.html

https://www.suse.com/security/cve/CVE-2014-9835.html

https://www.suse.com/security/cve/CVE-2014-9837.html

https://www.suse.com/security/cve/CVE-2014-9845.html

https://www.suse.com/security/cve/CVE-2014-9846.html

https://www.suse.com/security/cve/CVE-2014-9853.html

https://www.suse.com/security/cve/CVE-2016-5118.html

https://www.suse.com/security/cve/CVE-2016-6823.html

https://www.suse.com/security/cve/CVE-2016-7101.html

https://www.suse.com/security/cve/CVE-2016-7515.html

https://www.suse.com/security/cve/CVE-2016-7522.html

https://www.suse.com/security/cve/CVE-2016-7528.html

https://www.suse.com/security/cve/CVE-2016-7529.html

https://www.suse.com/security/cve/CVE-2016-7531.html

https://www.suse.com/security/cve/CVE-2016-7533.html

https://www.suse.com/security/cve/CVE-2016-7537.html

https://www.suse.com/security/cve/CVE-2016-7800.html

https://www.suse.com/security/cve/CVE-2016-7996.html

https://www.suse.com/security/cve/CVE-2016-7997.html

https://www.suse.com/security/cve/CVE-2016-8682.html

https://www.suse.com/security/cve/CVE-2016-8683.html

https://www.suse.com/security/cve/CVE-2016-8684.html

https://www.suse.com/security/cve/CVE-2016-8862.html

https://www.suse.com/security/cve/CVE-2016-9556.html

https://bugzilla.suse.com/1000399

https://bugzilla.suse.com/1000434

https://bugzilla.suse.com/1000689

https://bugzilla.suse.com/1000698

https://bugzilla.suse.com/1000704

https://bugzilla.suse.com/1000707

https://bugzilla.suse.com/1000711

https://bugzilla.suse.com/1001066

https://bugzilla.suse.com/1001221

https://bugzilla.suse.com/1002206

https://bugzilla.suse.com/1002209

https://bugzilla.suse.com/1002422

https://bugzilla.suse.com/1003629

https://bugzilla.suse.com/1005123

https://bugzilla.suse.com/1005125

https://bugzilla.suse.com/1005127

https://bugzilla.suse.com/1007245

https://bugzilla.suse.com/1011130

https://bugzilla.suse.com/982178

https://bugzilla.suse.com/983521

https://bugzilla.suse.com/983752

https://bugzilla.suse.com/983794

https://bugzilla.suse.com/983799

https://bugzilla.suse.com/984145

https://bugzilla.suse.com/984150

https://bugzilla.suse.com/984166

https://bugzilla.suse.com/984372

https://bugzilla.suse.com/984375

https://bugzilla.suse.com/984394

https://bugzilla.suse.com/984400

https://bugzilla.suse.com/984436

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org

 

 

 

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×