Security update for ImageMagick

Document type: SUSE Patch
Publisher: SUSE Security Team (security@suse.de)
ID: openSUSE-SU-2016:3233-1
Status: Final
Version: 1
Revision 1: 2016-12-22T10:02:22Z, current
Initial release date: 2016-12-22T10:02:22Z
Current release date: 2016-12-22T10:02:22Z
Generator: cve-database/bin/generate-cvrf.pl (2017-02-24T01:00:00Z)

Topic: Security update for ImageMagick

Details:

This security update for ImageMagick fixes the following issues:

- a maliciously crafted compressed TIFF image could cause remote code execution in the convert utility in particular circumstances (CVE-2016-8707, boo#1014159)
- a memory allocation failure was fixed (CVE-2016-8866, boo#1009318, follow up on CVE-2016-8862)
- the identify utility could crash on maliciously crafted images (CVE-2016-9773, boo#1013376, follow up on CVE-2016-9556)

Terms of use: The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution for Non-Commercial usage (CC-BY-NC-4.0).

Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution for Non-Commercial usage (CC-BY-NC-4.0)

References:

- http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00085.html (E-Mail link for openSUSE-SU-2016:3233-1)
- https://www.suse.com/support/security/rating/ (SUSE Security Ratings)

Products: openSUSE 13.2

Each of the following packages is listed as a component of openSUSE 13.2:

- ImageMagick-6.8.9.8-45.1
- ImageMagick-debuginfo-6.8.9.8-45.1
- ImageMagick-debugsource-6.8.9.8-45.1
- ImageMagick-devel-6.8.9.8-45.1
- ImageMagick-devel-32bit-6.8.9.8-45.1
- ImageMagick-doc-6.8.9.8-45.1
- ImageMagick-extra-6.8.9.8-45.1
- ImageMagick-extra-debuginfo-6.8.9.8-45.1
- libMagick++-6_Q16-5-6.8.9.8-45.1
- libMagick++-6_Q16-5-32bit-6.8.9.8-45.1
- libMagick++-6_Q16-5-debuginfo-6.8.9.8-45.1
- libMagick++-6_Q16-5-debuginfo-32bit-6.8.9.8-45.1
- libMagick++-devel-6.8.9.8-45.1
- libMagick++-devel-32bit-6.8.9.8-45.1
- libMagickCore-6_Q16-2-6.8.9.8-45.1
- libMagickCore-6_Q16-2-32bit-6.8.9.8-45.1
- libMagickCore-6_Q16-2-debuginfo-6.8.9.8-45.1
- libMagickCore-6_Q16-2-debuginfo-32bit-6.8.9.8-45.1
- libMagickWand-6_Q16-2-6.8.9.8-45.1
- libMagickWand-6_Q16-2-32bit-6.8.9.8-45.1
- libMagickWand-6_Q16-2-debuginfo-6.8.9.8-45.1
- libMagickWand-6_Q16-2-debuginfo-32bit-6.8.9.8-45.1
- perl-PerlMagick-6.8.9.8-45.1
- perl-PerlMagick-debuginfo-6.8.9.8-45.1

CVE-2016-8707

An exploitable out of bounds write exists in the handling of compressed TIFF images in ImageMagick's convert utility. A crafted TIFF document can lead to an out of bounds write which in particular circumstances could be leveraged into remote code execution. The vulnerability can be triggered through any user controlled TIFF that is handled by this functionality.

Affected products: all 24 openSUSE 13.2 packages listed above
Rating: important
CVSS: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Remediation: Please install the update. http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00085.html
References:

- https://www.suse.com/security/cve/CVE-2016-8707.html (CVE-2016-8707)
- https://bugzilla.suse.com/1014159 (SUSE Bug 1014159)

CVE-2016-8862

The AcquireMagickMemory function in MagickCore/memory.c in ImageMagick before 7.0.3.3 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure.

Affected products: all 24 openSUSE 13.2 packages listed above
Rating: moderate
CVSS: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Remediation: Please install the update. http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00085.html
References:

- https://www.suse.com/security/cve/CVE-2016-8862.html (CVE-2016-8862)
- https://bugzilla.suse.com/1007245 (SUSE Bug 1007245)
- https://bugzilla.suse.com/1009318 (SUSE Bug 1009318)
- https://bugzilla.suse.com/1031267 (SUSE Bug 1031267)

CVE-2016-8866

The AcquireMagickMemory function in MagickCore/memory.c in ImageMagick 7.0.3.3 before 7.0.3.8 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8862.

Affected products: all 24 openSUSE 13.2 packages listed above
Rating: important
CVSS: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Remediation: Please install the update. http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00085.html
References:

- https://www.suse.com/security/cve/CVE-2016-8866.html (CVE-2016-8866)
- https://bugzilla.suse.com/1007245 (SUSE Bug 1007245)
- https://bugzilla.suse.com/1009318 (SUSE Bug 1009318)
- https://bugzilla.suse.com/1031267 (SUSE Bug 1031267)

CVE-2016-9556

The IsPixelGray function in MagickCore/pixel-accessor.h in ImageMagick 7.0.3-8 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted image file.

Affected products: all 24 openSUSE 13.2 packages listed above
Rating: important
CVSS: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Remediation: Please install the update. http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00085.html
References:

- https://www.suse.com/security/cve/CVE-2016-9556.html (CVE-2016-9556)
- https://bugzilla.suse.com/1011130 (SUSE Bug 1011130)
- https://bugzilla.suse.com/1013376 (SUSE Bug 1013376)

CVE-2016-9773

Heap-based buffer overflow in the IsPixelGray function in MagickCore/pixel-accessor.h in ImageMagick 7.0.3.8 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted image file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9556.

Affected products: all 24 openSUSE 13.2 packages listed above
Rating: important
CVSS: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Remediation: Please install the update. http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00085.html
References:

- https://www.suse.com/security/cve/CVE-2016-9773.html (CVE-2016-9773)
- https://bugzilla.suse.com/1011130 (SUSE Bug 1011130)
- https://bugzilla.suse.com/1013376 (SUSE Bug 1013376)
- https://bugzilla.suse.com/1017421 (SUSE Bug 1017421)