Bug 1107604 - (CVE-2018-16645) VUL-1: CVE-2018-16645: GraphicsMagick,ImageMagick: excessive memory allocation issue in the functions ReadBMPImage ofcoders/bmp.c and ReadDIBImage of coders/dib.c
(CVE-2018-16645)
VUL-1: CVE-2018-16645: GraphicsMagick,ImageMagick: excessive memory allocatio...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/213901/
CVSSv3:SUSE:CVE-2018-16645:3.3:(AV:L/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-09-07 07:04 UTC by Karol Babioch
Modified: 2021-10-04 16:41 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Karol Babioch 2018-09-07 07:04:10 UTC
CVE-2018-16645

There is an excessive memory allocation issue in the functions ReadBMPImage of
coders/bmp.c and ReadDIBImage of coders/dib.c in ImageMagick 7.0.8-11, which
allows remote attackers to cause a denial of service via a crafted image file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16645
http://www.cvedetails.com/cve/CVE-2018-16645/
https://github.com/ImageMagick/ImageMagick/issues/1268
https://github.com/ImageMagick/ImageMagick/commit/ecb31dbad39ccdc65868d5d2a37f0f0521250832
Comment 1 Karol Babioch 2018-09-07 07:11:27 UTC
Seems like all supported codestreams are affected:

- SUSE:SLE-11:Update/GraphicsMagick
- SUSE:SLE-11:Update/ImageMagick
- SUSE:SLE-12:Update/ImageMagick
- SUSE:SLE-15:Update/ImageMagick
Comment 2 Petr Gajdos 2018-09-10 08:17:45 UTC
No testcase found.
Comment 3 Petr Gajdos 2018-09-10 08:39:43 UTC
Will submit for 15,12,11/ImageMagick and 11,42.3,15.0/GraphicsMagick.

GraphicsMagick upstream bug reported:
https://sourceforge.net/p/graphicsmagick/bugs/572/
Comment 4 Petr Gajdos 2018-09-11 12:37:01 UTC
I believe all fixed.
Comment 6 Swamp Workflow Management 2018-09-11 13:10:05 UTC
This is an autogenerated message for OBS integration:
This bug (1107604) was mentioned in
https://build.opensuse.org/request/show/634960 42.3 / GraphicsMagick
https://build.opensuse.org/request/show/634961 15.0 / GraphicsMagick
Comment 7 Swamp Workflow Management 2018-09-15 11:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1107604) was mentioned in
https://build.opensuse.org/request/show/635859 42.3 / GraphicsMagick
Comment 9 Swamp Workflow Management 2018-09-17 13:08:17 UTC
openSUSE-SU-2018:2742-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 1107604,1107609
CVE References: CVE-2018-16644,CVE-2018-16645
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-105.1
openSUSE Leap 15.0 (src):    GraphicsMagick-1.3.29-lp150.3.12.1
Comment 12 Swamp Workflow Management 2018-09-22 07:27:20 UTC
openSUSE-SU-2018:2742-2: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 1107604,1107609
CVE References: CVE-2018-16644,CVE-2018-16645
Sources used:
openSUSE Backports SLE-15 (src):    GraphicsMagick-1.3.29-bp150.2.6.1
Comment 13 Swamp Workflow Management 2018-10-02 19:14:39 UTC
SUSE-SU-2018:2977-1: An update that fixes 10 vulnerabilities is now available.

Category: security (low)
Bug References: 1106855,1106857,1106858,1106989,1107604,1107609,1107612,1107616,1107618,1107619
CVE References: CVE-2018-16323,CVE-2018-16328,CVE-2018-16329,CVE-2018-16413,CVE-2018-16640,CVE-2018-16641,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.24.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.24.1
Comment 15 Swamp Workflow Management 2018-10-05 10:10:12 UTC
openSUSE-SU-2018:3014-1: An update that fixes 10 vulnerabilities is now available.

Category: security (low)
Bug References: 1106855,1106857,1106858,1106989,1107604,1107609,1107612,1107616,1107618,1107619
CVE References: CVE-2018-16323,CVE-2018-16328,CVE-2018-16329,CVE-2018-16413,CVE-2018-16640,CVE-2018-16641,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645
Sources used:
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.15.1
Comment 16 Swamp Workflow Management 2018-10-11 07:09:14 UTC
SUSE-SU-2018:3095-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1050129,1105592,1106989,1107604,1107609,1107612,1107616,1107619,1108282,1108283
CVE References: CVE-2017-11532,CVE-2018-16413,CVE-2018-16640,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
Comment 19 Swamp Workflow Management 2018-10-17 19:23:49 UTC
openSUSE-SU-2018:3203-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1050129,1105592,1106989,1107604,1107609,1107612,1107616,1107619,1108282,1108283
CVE References: CVE-2017-11532,CVE-2018-16413,CVE-2018-16640,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-70.2
Comment 20 Swamp Workflow Management 2018-10-22 13:12:43 UTC
SUSE-SU-2018:3269-1: An update that fixes 12 vulnerabilities is now available.

Category: security (low)
Bug References: 1106855,1107604,1107609,1107612,1107616,1107619,1108282,1108283,1110746,1110747,1111069,1111072
CVE References: CVE-2018-16323,CVE-2018-16640,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750,CVE-2018-17965,CVE-2018-17966,CVE-2018-18016,CVE-2018-18024
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-78.72.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-78.72.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-78.72.1
Comment 23 Swamp Workflow Management 2018-10-23 19:18:36 UTC
SUSE-SU-2018:3348-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1074170,1106855,1106989,1107604,1107609,1107612,1107616,1108282,1108283,1110746,1110747,1111069,1111072
CVE References: CVE-2017-17934,CVE-2018-16323,CVE-2018-16413,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750,CVE-2018-17965,CVE-2018-17966,CVE-2018-18016,CVE-2018-18024
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-78.74.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-78.74.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.74.1
Comment 24 Marcus Meissner 2018-10-26 06:40:02 UTC
released
Comment 25 Swamp Workflow Management 2019-05-28 13:30:29 UTC
This is an autogenerated message for OBS integration:
This bug (1107604) was mentioned in
https://build.opensuse.org/request/show/705902 15.1 / GraphicsMagick
Comment 26 OBSbugzilla Bot 2021-10-04 16:41:29 UTC
This is an autogenerated message for OBS integration:
This bug (1107604) was mentioned in
https://build.opensuse.org/request/show/923064 Factory / ImageMagick