Bugzilla – Bug 1106989
VUL-1: CVE-2018-16413: GraphicsMagick,ImageMagick: heap-based buffer over-read in the MagickCore/quantum-private.h PushShortPixel function
Last modified: 2021-10-05 10:41:16 UTC
CVE-2018-16413 ImageMagick 7.0.8-11 Q16 has a heap-based buffer over-read in the MagickCore/quantum-private.h PushShortPixel function when called from the coders/psd.c ParseImageResourceBlocks function. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16413 http://www.cvedetails.com/cve/CVE-2018-16413/ https://github.com/ImageMagick/ImageMagick/issues/1251 https://github.com/ImageMagick/ImageMagick/issues/1249
According to my analysis (based on the available patch [1]), makes me thing that the following codestreams are affected: - SUSE:SLE-15:Update - openSUSE:Factory - openSUSE:Leap:15.0 Not affected: - SUSE:SLE-11:Update - SUSE:SLE-12:Update - openSUSE:Leap:42.3 [1]: https://github.com/ImageMagick/ImageMagick/commit/17a1a6f97fd088a71931bdc422f4e96bb6ffc549
See similar bug 1106996.
*/GraphicsMagick: the code similar to ParseImageResourceBlocks() not found. If I missed something, please let me know where the code lies.
No single valgrind error running the testcase for 15,12,11/ImageMagick 32-bit.
Related to bug 984160.
Packages submitted into 11,12,15/ImageMagick.
I believe all fixed.
SUSE-SU-2018:2977-1: An update that fixes 10 vulnerabilities is now available. Category: security (low) Bug References: 1106855,1106857,1106858,1106989,1107604,1107609,1107612,1107616,1107618,1107619 CVE References: CVE-2018-16323,CVE-2018-16328,CVE-2018-16329,CVE-2018-16413,CVE-2018-16640,CVE-2018-16641,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645 Sources used: SUSE Linux Enterprise Module for Development Tools 15 (src): ImageMagick-7.0.7.34-3.24.1 SUSE Linux Enterprise Module for Desktop Applications 15 (src): ImageMagick-7.0.7.34-3.24.1
openSUSE-SU-2018:3014-1: An update that fixes 10 vulnerabilities is now available. Category: security (low) Bug References: 1106855,1106857,1106858,1106989,1107604,1107609,1107612,1107616,1107618,1107619 CVE References: CVE-2018-16323,CVE-2018-16328,CVE-2018-16329,CVE-2018-16413,CVE-2018-16640,CVE-2018-16641,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645 Sources used: openSUSE Leap 15.0 (src): ImageMagick-7.0.7.34-lp150.2.15.1
SUSE-SU-2018:3095-1: An update that solves 9 vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1050129,1105592,1106989,1107604,1107609,1107612,1107616,1107619,1108282,1108283 CVE References: CVE-2017-11532,CVE-2018-16413,CVE-2018-16640,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP3 (src): ImageMagick-6.8.8.1-71.79.1 SUSE Linux Enterprise Software Development Kit 12-SP3 (src): ImageMagick-6.8.8.1-71.79.1 SUSE Linux Enterprise Server 12-SP3 (src): ImageMagick-6.8.8.1-71.79.1 SUSE Linux Enterprise Desktop 12-SP3 (src): ImageMagick-6.8.8.1-71.79.1
openSUSE-SU-2018:3203-1: An update that solves 9 vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1050129,1105592,1106989,1107604,1107609,1107612,1107616,1107619,1108282,1108283 CVE References: CVE-2017-11532,CVE-2018-16413,CVE-2018-16640,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750 Sources used: openSUSE Leap 42.3 (src): ImageMagick-6.8.8.1-70.2
SUSE-SU-2018:3348-1: An update that fixes 13 vulnerabilities is now available. Category: security (moderate) Bug References: 1074170,1106855,1106989,1107604,1107609,1107612,1107616,1108282,1108283,1110746,1110747,1111069,1111072 CVE References: CVE-2017-17934,CVE-2018-16323,CVE-2018-16413,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750,CVE-2018-17965,CVE-2018-17966,CVE-2018-18016,CVE-2018-18024 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ImageMagick-6.4.3.6-78.74.1 SUSE Linux Enterprise Server 11-SP4 (src): ImageMagick-6.4.3.6-78.74.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): ImageMagick-6.4.3.6-78.74.1
SUSE-SU-2019:13993-1: An update that fixes 7 vulnerabilities is now available. Category: security (moderate) Bug References: 1106989,1106996,1113064,1120381,1124365,1124366,1128649 CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-18544,CVE-2018-20467,CVE-2019-7175,CVE-2019-7397,CVE-2019-7398 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ImageMagick-6.4.3.6-78.92.1 SUSE Linux Enterprise Server 11-SP4 (src): ImageMagick-6.4.3.6-78.92.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): ImageMagick-6.4.3.6-78.92.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): ImageMagick-6.4.3.6-78.92.1 *** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1033-1: An update that solves 13 vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060 CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956 Sources used: SUSE OpenStack Cloud 7 (src): ImageMagick-6.8.8.1-71.108.1 SUSE Linux Enterprise Workstation Extension 12-SP4 (src): ImageMagick-6.8.8.1-71.108.1 SUSE Linux Enterprise Workstation Extension 12-SP3 (src): ImageMagick-6.8.8.1-71.108.1 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): ImageMagick-6.8.8.1-71.108.1 SUSE Linux Enterprise Software Development Kit 12-SP3 (src): ImageMagick-6.8.8.1-71.108.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): ImageMagick-6.8.8.1-71.108.1 SUSE Linux Enterprise Server 12-SP4 (src): ImageMagick-6.8.8.1-71.108.1 SUSE Linux Enterprise Server 12-SP3 (src): ImageMagick-6.8.8.1-71.108.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): ImageMagick-6.8.8.1-71.108.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): ImageMagick-6.8.8.1-71.108.1 SUSE Linux Enterprise Server 12-SP1-LTSS (src): ImageMagick-6.8.8.1-71.108.1 SUSE Linux Enterprise Server 12-LTSS (src): ImageMagick-6.8.8.1-71.108.1 SUSE Linux Enterprise Desktop 12-SP4 (src): ImageMagick-6.8.8.1-71.108.1 SUSE Linux Enterprise Desktop 12-SP3 (src): ImageMagick-6.8.8.1-71.108.1 SUSE Enterprise Storage 4 (src): ImageMagick-6.8.8.1-71.108.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1033-2: An update that solves 13 vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060 CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956 Sources used: SUSE Linux Enterprise Server for SAP 12-SP1 (src): ImageMagick-6.8.8.1-71.108.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1320-1: An update that solves 13 vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060 CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956 Sources used: openSUSE Leap 42.3 (src): ImageMagick-6.8.8.1-82.1
released
This is an autogenerated message for OBS integration: This bug (1106989) was mentioned in https://build.opensuse.org/request/show/923064 Factory / ImageMagick
This is an autogenerated message for OBS integration: This bug (1106989) was mentioned in https://build.opensuse.org/request/show/923178 Factory / ImageMagick