Bugzilla – Bug 1000711
VUL-0: CVE-2016-7537: ImageMagick: Out of bound access for corrupted pdb file
Last modified: 2017-08-30 09:50:33 UTC
AddressSanitizer: heap-buffer-overflow READ of size 128 References: https://bugs.debian.org/832791 https://bugs.launchpad.net/bugs/1553366 https://github.com/ImageMagick/ImageMagick/issues/143 https://github.com/ImageMagick/ImageMagick/commit/424d40ebfcde48bb872eba75179d3d73704fdf1f
bugbot adjusting priority
With the testcase from the Ubuntu, I get no crash nor valgrind errors anywhere.
I have found similar code everywhere, considering affected.
I believe all fixed.
openSUSE-SU-2016:2641-1: An update that fixes 28 vulnerabilities is now available. Category: security (moderate) Bug References: 1000399,1000434,1000436,1000689,1000690,1000691,1000692,1000693,1000695,1000698,1000700,1000702,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,985442,999673 CVE References: CVE-2015-8957,CVE-2015-8958,CVE-2016-5688,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684 Sources used: openSUSE 13.2 (src): GraphicsMagick-1.3.20-12.1
openSUSE-SU-2016:2644-1: An update that fixes 23 vulnerabilities is now available. Category: security (moderate) Bug References: 1000399,1000434,1000689,1000693,1000695,1000698,1000700,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,999673 CVE References: CVE-2016-5688,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684 Sources used: openSUSE Leap 42.1 (src): GraphicsMagick-1.3.21-14.1
SUSE-SU-2016:2667-1: An update that solves 41 vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000702,1000703,1000704,1000706,1000707,1000708,1000709,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328 CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP1 (src): ImageMagick-6.8.8.1-40.1 SUSE Linux Enterprise Software Development Kit 12-SP1 (src): ImageMagick-6.8.8.1-40.1 SUSE Linux Enterprise Server 12-SP1 (src): ImageMagick-6.8.8.1-40.1 SUSE Linux Enterprise Desktop 12-SP1 (src): ImageMagick-6.8.8.1-40.1
openSUSE-SU-2016:2671-1: An update that solves 41 vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000703,1000704,1000706,1000707,1000708,1000709,1000710,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328 CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7536,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684 Sources used: openSUSE 13.2 (src): ImageMagick-6.8.9.8-34.1
SUSE-SU-2016:2724-1: An update that fixes 26 vulnerabilities is now available. Category: security (moderate) Bug References: 1000399,1000434,1000436,1000689,1000690,1000691,1000692,1000693,1000695,1000698,1000700,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,999673 CVE References: CVE-2015-8957,CVE-2015-8958,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684 Sources used: SUSE Studio Onsite 1.3 (src): GraphicsMagick-1.2.5-4.46.1 SUSE Linux Enterprise Software Development Kit 11-SP4 (src): GraphicsMagick-1.2.5-4.46.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): GraphicsMagick-1.2.5-4.46.1
openSUSE-SU-2016:2770-1: An update that solves 41 vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000702,1000703,1000704,1000706,1000707,1000708,1000709,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328 CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684 Sources used: openSUSE Leap 42.1 (src): ImageMagick-6.8.8.1-21.1
SUSE-SU-2016:2964-1: An update that fixes 34 vulnerabilities is now available. Category: security (important) Bug References: 1000399,1000434,1000436,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000698,1000699,1000700,1000701,1000703,1000704,1000707,1000709,1000711,1000713,1000714,1001066,1001221,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1007245 CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-5687,CVE-2016-6823,CVE-2016-7101,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7533,CVE-2016-7535,CVE-2016-7537,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684,CVE-2016-8862 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ImageMagick-6.4.3.6-7.54.1 SUSE Linux Enterprise Server 11-SP4 (src): ImageMagick-6.4.3.6-7.54.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): ImageMagick-6.4.3.6-7.54.1
openSUSE-SU-2016:3060-1: An update that fixes 31 vulnerabilities is now available. Category: security (important) Bug References: 1000399,1000434,1000689,1000698,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,1007245,1011130,982178,983521,983752,983794,983799,984145,984150,984166,984372,984375,984394,984400,984436 CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9809,CVE-2014-9815,CVE-2014-9817,CVE-2014-9820,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9845,CVE-2014-9846,CVE-2014-9853,CVE-2016-5118,CVE-2016-6823,CVE-2016-7101,CVE-2016-7515,CVE-2016-7522,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684,CVE-2016-8862,CVE-2016-9556 Sources used: openSUSE Leap 42.2 (src): GraphicsMagick-1.3.25-3.1
released
GraphicsMagick allocates less memory, I have asked upstream to consider this.
Upstream does not think current code is affected.