Security update for ImageMagick

Announcement ID:	SUSE-SU-2018:0130-1
Rating:	moderate
References:	bsc#1047044 bsc#1047898 bsc#1050120 bsc#1050606 bsc#1051446 bsc#1052468 bsc#1052550 bsc#1052710 bsc#1052720 bsc#1052731 bsc#1052732 bsc#1055065 bsc#1055323 bsc#1055434 bsc#1055855 bsc#1058640 bsc#1059751 bsc#1074123 bsc#1074969 bsc#1074973 bsc#1074975
Cross-References:	CVE-2017-10800 CVE-2017-11141 CVE-2017-11529 CVE-2017-11644 CVE-2017-11724 CVE-2017-12434 CVE-2017-12564 CVE-2017-12667 CVE-2017-12670 CVE-2017-12672 CVE-2017-12675 CVE-2017-13060 CVE-2017-13146 CVE-2017-13648 CVE-2017-13658 CVE-2017-14326 CVE-2017-14533 CVE-2017-17881 CVE-2017-18022 CVE-2018-5246 CVE-2018-5247
CVSS scores:	CVE-2017-10800 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-10800 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-11141 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-11141 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-11529 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-11529 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-11644 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2017-11644 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-11724 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-11724 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-12434 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-12434 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-12564 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-12564 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-12667 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-12667 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-12670 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-12670 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-12672 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-12672 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-12675 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-12675 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-13060 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-13060 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-13146 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-13146 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-13648 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-13648 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-13658 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-13658 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-14326 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-14326 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-14533 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-14533 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-17881 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-18022 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-18022 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-5246 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-5247 ( SUSE ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L CVE-2018-5247 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 SUSE Linux Enterprise Software Development Kit 12 12-SP2 SUSE Linux Enterprise Software Development Kit 12 SP3 SUSE Linux Enterprise Workstation Extension 12 12-SP3 SUSE Linux Enterprise Workstation Extension 12 SP2

An update that solves 21 vulnerabilities can now be installed.

Description:

This update for ImageMagick fixes several issues.

These security issues were fixed:

• CVE-2018-5246: Fixed memory leak vulnerability in ReadPATTERNImage in coders/pattern.c (bsc#1074973)
• CVE-2017-18022: Fixed memory leak vulnerability in MontageImageCommand in MagickWand/montage.c (bsc#1074975)
• CVE-2018-5247: Fixed memory leak vulnerability in ReadRLAImage in coders/rla.c (bsc#1074969)
• CVE-2017-12672: Fixed a memory leak vulnerability in the function ReadMATImage in coders/mat.c, which allowed attackers to cause a denial of service (bsc#1052720)
• CVE-2017-13060: Fixed a memory leak vulnerability in the function ReadMATImage in coders/mat.c, which allowed attackers to cause a denial of service via a crafted file (bsc#1055065)
• CVE-2017-11724: Fixed a memory leak vulnerability in the function ReadMATImage in coders/mat.c involving the quantum_info and clone_info data structures (bsc#1051446)
• CVE-2017-12670: Added validation in coders/mat.c to prevent an assertion failure in the function DestroyImage in MagickCore/image.c, which allowed attackers to cause a denial of service (bsc#1052731)
• CVE-2017-12667: Fixed a memory leak vulnerability in the function ReadMATImage in coders/mat.c (bsc#1052732)
• CVE-2017-13146: Fixed a memory leak vulnerability in the function ReadMATImage in coders/mat.c (bsc#1055323)
• CVE-2017-10800: Processing MATLAB images in coders/mat.c could have lead to a denial of service (OOM) in ReadMATImage() if the size specified for a MAT Object was larger than the actual amount of data (bsc#1047044)
• CVE-2017-13648: Fixed a memory leak vulnerability in the function ReadMATImage in coders/mat.c (bsc#1055434)
• CVE-2017-11141: Fixed a memory leak vulnerability in the function ReadMATImage in coders\mat.c that could have caused memory exhaustion via a crafted MAT file, related to incorrect ordering of a SetImageExtent call (bsc#1047898)
• CVE-2017-11529: The ReadMATImage function in coders/mat.c allowed remote attackers to cause a denial of service (memory leak) via a crafted file (bsc#1050120)
• CVE-2017-12564: Fixed a memory leak vulnerability in the function ReadMATImage in coders/mat.c, which allowed attackers to cause a denial of service (bsc#1052468)
• CVE-2017-12434: Added a missing NULL check in the function ReadMATImage in coders/mat.c, which allowed attackers to cause a denial of service (assertion failure) in DestroyImageInfo in image.c (bsc#1052550)
• CVE-2017-12675: Added a missing check for multidimensional data coders/mat.c, that could have lead to a memory leak in the function ReadImage in MagickCore/constitute.c, which allowed attackers to cause a denial of service (bsc#1052710)
• CVE-2017-14326: Fixed a memory leak vulnerability in the function ReadMATImage in coders/mat.c, which allowed attackers to cause a denial of service via a crafted file (bsc#1058640)
• CVE-2017-11644: Processesing a crafted file in convert could have lead to a memory leak in the ReadMATImage() function in coders/mat.c (bsc#1050606)
• CVE-2017-13658: Added a missing NULL check in the ReadMATImage function in coders/mat.c, which could have lead to a denial of service (assertion failure and application exit) in the DestroyImageInfo function in MagickCore/image.c (bsc#1055855)
• CVE-2017-14533: Fixed a memory leak vulnerability in the function ReadMATImage in coders/mat.c (bsc#1059751)
• CVE-2017-17881: Fixed a memory leak vulnerability in the function ReadMATImage in coders/mat.c, which allowed attackers to cause a denial of service via a crafted MAT image file (bsc#1074123)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12 SP2
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-97=1
• SUSE Linux Enterprise Desktop 12 SP3
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-97=1
• SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2
  zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-97=1
• SUSE Linux Enterprise Software Development Kit 12 12-SP2
  zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-97=1
• SUSE Linux Enterprise Software Development Kit 12 SP3
  zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-97=1
• SUSE Linux Enterprise High Performance Computing 12 SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-97=1
• SUSE Linux Enterprise Server 12 SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-97=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-97=1
• SUSE Linux Enterprise Server 12 SP3
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-97=1
• SUSE Linux Enterprise High Performance Computing 12 SP3
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-97=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP3
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-97=1
• SUSE Linux Enterprise Workstation Extension 12 SP2
  zypper in -t patch SUSE-SLE-WE-12-SP2-2018-97=1
• SUSE Linux Enterprise Workstation Extension 12 12-SP3
  zypper in -t patch SUSE-SLE-WE-12-SP3-2018-97=1

Package List:

• SUSE Linux Enterprise Desktop 12 SP2 (x86_64)
  • ImageMagick-debugsource-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-6.8.8.1-71.26.1
  • ImageMagick-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-32bit-6.8.8.1-71.26.1
  • libMagickWand-6_Q16-1-6.8.8.1-71.26.1
  • libMagick++-6_Q16-3-6.8.8.1-71.26.1
  • libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.26.1
  • libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.26.1
  • ImageMagick-debuginfo-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-71.26.1
• SUSE Linux Enterprise Desktop 12 SP3 (x86_64)
  • ImageMagick-debugsource-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-6.8.8.1-71.26.1
  • ImageMagick-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-32bit-6.8.8.1-71.26.1
  • libMagickWand-6_Q16-1-6.8.8.1-71.26.1
  • libMagick++-6_Q16-3-6.8.8.1-71.26.1
  • libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.26.1
  • libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.26.1
  • ImageMagick-debuginfo-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-71.26.1
• SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 (aarch64)
  • ImageMagick-debugsource-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.26.1
  • libMagickWand-6_Q16-1-6.8.8.1-71.26.1
  • libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.26.1
  • ImageMagick-debuginfo-6.8.8.1-71.26.1
• SUSE Linux Enterprise Software Development Kit 12 12-SP2 (aarch64 ppc64le s390x x86_64)
  • ImageMagick-debugsource-6.8.8.1-71.26.1
  • ImageMagick-devel-6.8.8.1-71.26.1
  • libMagick++-devel-6.8.8.1-71.26.1
  • perl-PerlMagick-debuginfo-6.8.8.1-71.26.1
  • ImageMagick-6.8.8.1-71.26.1
  • perl-PerlMagick-6.8.8.1-71.26.1
  • libMagick++-6_Q16-3-6.8.8.1-71.26.1
  • libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.26.1
  • ImageMagick-debuginfo-6.8.8.1-71.26.1
• SUSE Linux Enterprise Software Development Kit 12 SP3 (aarch64 ppc64le s390x x86_64)
  • ImageMagick-debugsource-6.8.8.1-71.26.1
  • ImageMagick-devel-6.8.8.1-71.26.1
  • libMagick++-devel-6.8.8.1-71.26.1
  • perl-PerlMagick-debuginfo-6.8.8.1-71.26.1
  • ImageMagick-6.8.8.1-71.26.1
  • perl-PerlMagick-6.8.8.1-71.26.1
  • libMagick++-6_Q16-3-6.8.8.1-71.26.1
  • libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.26.1
  • ImageMagick-debuginfo-6.8.8.1-71.26.1
• SUSE Linux Enterprise High Performance Computing 12 SP2 (aarch64 x86_64)
  • ImageMagick-debugsource-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.26.1
  • libMagickWand-6_Q16-1-6.8.8.1-71.26.1
  • libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.26.1
  • ImageMagick-debuginfo-6.8.8.1-71.26.1
• SUSE Linux Enterprise Server 12 SP2 (aarch64 ppc64le s390x x86_64)
  • ImageMagick-debugsource-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.26.1
  • libMagickWand-6_Q16-1-6.8.8.1-71.26.1
  • libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.26.1
  • ImageMagick-debuginfo-6.8.8.1-71.26.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2 (ppc64le x86_64)
  • ImageMagick-debugsource-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.26.1
  • libMagickWand-6_Q16-1-6.8.8.1-71.26.1
  • libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.26.1
  • ImageMagick-debuginfo-6.8.8.1-71.26.1
• SUSE Linux Enterprise Server 12 SP3 (aarch64 ppc64le s390x x86_64)
  • ImageMagick-debugsource-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.26.1
  • libMagickWand-6_Q16-1-6.8.8.1-71.26.1
  • libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.26.1
  • ImageMagick-debuginfo-6.8.8.1-71.26.1
• SUSE Linux Enterprise High Performance Computing 12 SP3 (aarch64 x86_64)
  • ImageMagick-debugsource-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.26.1
  • libMagickWand-6_Q16-1-6.8.8.1-71.26.1
  • libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.26.1
  • ImageMagick-debuginfo-6.8.8.1-71.26.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP3 (ppc64le x86_64)
  • ImageMagick-debugsource-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.26.1
  • libMagickWand-6_Q16-1-6.8.8.1-71.26.1
  • libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.26.1
  • ImageMagick-debuginfo-6.8.8.1-71.26.1
• SUSE Linux Enterprise Workstation Extension 12 SP2 (x86_64)
  • ImageMagick-debugsource-6.8.8.1-71.26.1
  • ImageMagick-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-32bit-6.8.8.1-71.26.1
  • libMagick++-6_Q16-3-6.8.8.1-71.26.1
  • libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.26.1
  • ImageMagick-debuginfo-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-71.26.1
• SUSE Linux Enterprise Workstation Extension 12 12-SP3 (x86_64)
  • ImageMagick-debugsource-6.8.8.1-71.26.1
  • ImageMagick-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-32bit-6.8.8.1-71.26.1
  • libMagick++-6_Q16-3-6.8.8.1-71.26.1
  • libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.26.1
  • ImageMagick-debuginfo-6.8.8.1-71.26.1
  • libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-71.26.1

References:

• https://www.suse.com/security/cve/CVE-2017-10800.html
• https://www.suse.com/security/cve/CVE-2017-11141.html
• https://www.suse.com/security/cve/CVE-2017-11529.html
• https://www.suse.com/security/cve/CVE-2017-11644.html
• https://www.suse.com/security/cve/CVE-2017-11724.html
• https://www.suse.com/security/cve/CVE-2017-12434.html
• https://www.suse.com/security/cve/CVE-2017-12564.html
• https://www.suse.com/security/cve/CVE-2017-12667.html
• https://www.suse.com/security/cve/CVE-2017-12670.html
• https://www.suse.com/security/cve/CVE-2017-12672.html
• https://www.suse.com/security/cve/CVE-2017-12675.html
• https://www.suse.com/security/cve/CVE-2017-13060.html
• https://www.suse.com/security/cve/CVE-2017-13146.html
• https://www.suse.com/security/cve/CVE-2017-13648.html
• https://www.suse.com/security/cve/CVE-2017-13658.html
• https://www.suse.com/security/cve/CVE-2017-14326.html
• https://www.suse.com/security/cve/CVE-2017-14533.html
• https://www.suse.com/security/cve/CVE-2017-17881.html
• https://www.suse.com/security/cve/CVE-2017-18022.html
• https://www.suse.com/security/cve/CVE-2018-5246.html
• http