Security update for GraphicsMagick

Announcement ID:	SUSE-SU-2017:3435-1
Rating:	important
References:	bsc#1050632 bsc#1052450 bsc#1054757 bsc#1055214 bsc#1056426 bsc#1056429 bsc#1057508 bsc#1058485 bsc#1058637 bsc#1066003 bsc#1067181 bsc#1067184 bsc#1067409
Cross-References:	CVE-2016-7996 CVE-2017-11640 CVE-2017-12587 CVE-2017-12983 CVE-2017-13134 CVE-2017-13776 CVE-2017-13777 CVE-2017-14165 CVE-2017-14341 CVE-2017-14342 CVE-2017-15930 CVE-2017-16545 CVE-2017-16546 CVE-2017-16669
CVSS scores:	CVE-2016-7996 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-11640 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-11640 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-12587 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-12587 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-12983 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-12983 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-13134 ( SUSE ): 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2017-13134 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-13776 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-13776 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-13777 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-13777 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-14165 ( SUSE ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-14165 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-14341 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-14341 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-14341 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-14342 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-14342 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-15930 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-15930 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-16545 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-16546 ( SUSE ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-16546 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-16546 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-16669 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE Studio Onsite 1.3

An update that solves 14 vulnerabilities can now be installed.

Description:

This update for GraphicsMagick fixes the following issues:

CVE-2017-11640: NULL pointer deref in WritePTIFImage() in coders/tiff.c could lead to denial of service [bsc#1050632]
CVE-2017-14342: Memory exhaustion in ReadWPGImage in coders/wpg.c could lead to denial of service [bsc#1058485]
CVE-2017-14341: Infinite loop in the ReadWPGImage function could lead to denial of service [bsc#1058637]
CVE-2017-16546: Issue in ReadWPGImage function in coders/wpg.c could lead to denial of service [bsc#1067181]
CVE-2017-16545: The ReadWPGImage function in coders/wpg.c in validation problems could lead to denial of service [bsc#1067184]
CVE-2017-16669: coders/wpg.c allows remote attackers to cause a denial of service via crafted file [bsc#1067409]
CVE-2017-13776: denial of service issue in ReadXBMImage() in a coders/xbm.c [bsc#1056429]
CVE-2017-13777: denial of service issue in ReadXBMImage() in a coders/xbm.c [bsc#1056426]
CVE-2017-13134: heap-based buffer over-read in the function SFWScan in coders/sfw.c could lead to denial of service via a crafted file [bsc#1055214]
CVE-2017-15930: Null Pointer dereference while transfering JPEG scanlines could lead to denial of service [bsc#1066003]
CVE-2017-12983: Heap-based buffer overflow in the ReadSFWImage function in coders/sfw.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file. [bsc#1054757]
CVE-2017-14165: The ReadSUNImage function in coders/sun.c has an issue where memory allocation is excessive because it depends only on a length field in a header. This may lead to remote denial of service in the MagickMalloc function in magick/memory.c. [bsc#1057508]
CVE-2017-12587: Large loop vulnerability in the ReadPWPImage function in coders\pwp.c. [bsc#1052450]

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

SUSE Linux Enterprise Software Development Kit 11 SP4
zypper in -t patch sdksp4-GraphicsMagick-13386=1
SUSE Studio Onsite 1.3
zypper in -t patch slestso13-GraphicsMagick-13386=1

Package List:

SUSE Linux Enterprise Software Development Kit 11 SP4 (s390x x86_64 i586 ppc64 ia64)
- GraphicsMagick-1.2.5-4.78.19.1
- perl-GraphicsMagick-1.2.5-4.78.19.1
- libGraphicsMagick2-1.2.5-4.78.19.1
SUSE Studio Onsite 1.3 (x86_64)
- GraphicsMagick-1.2.5-4.78.19.1
- libGraphicsMagick2-1.2.5-4.78.19.1

Security update for GraphicsMagick

Description:

Patch Instructions:

Package List:

References: