First Last Prev Next    This bug is not in your last search results.
Bug 1107619 - (CVE-2018-16640) VUL-1: CVE-2018-16640: GraphicsMagick,ImageMagick: memory leak vulnerability in the functionReadOneJNGImage in coders/png.c
(CVE-2018-16640)
VUL-1: CVE-2018-16640: GraphicsMagick,ImageMagick: memory leak vulnerability ...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/213896/
CVSSv3:SUSE:CVE-2018-16640:3.3:(AV:L/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-09-07 07:51 UTC by Karol Babioch
Modified: 2021-10-04 16:41 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Karol Babioch 2018-09-07 07:51:40 UTC 
CVE-2018-16640

ImageMagick 7.0.8-5 has a memory leak vulnerability in the function
ReadOneJNGImage in coders/png.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16640
https://github.com/ImageMagick/ImageMagick/issues/1201
https://github.com/ImageMagick/ImageMagick/commit/76efa969342568841ecf320b5a041685a6d24e0b
Comment 1 Karol Babioch 2018-09-07 09:35:59 UTC 
It seems that all codestreams are affected (i.e. no cleanup), but only the most recent one (SUSE:SLE-15:Update/ImageMagick) has the cleanup functionality (DestroyJNG) available.

- SUSE:SLE-11:Update/GraphicsMagick
- SUSE:SLE-11:Update/ImageMagick
- SUSE:SLE-12:Update/ImageMagick
- SUSE:SLE-15:Update/ImageMagick
Comment 2 Petr Gajdos 2018-09-11 07:55:59 UTC 
No testcase found.
Comment 3 Petr Gajdos 2018-09-11 07:59:40 UTC 
There is also similar code in ReadOneMNGImage(), nevertheless it is not affected.
Comment 4 Petr Gajdos 2018-09-11 08:24:56 UTC 
15,12/ImageMagick: will fix
11/ImageMagick: already fixed by ImageMagick-png.c-other-fixes.patch
11/ImageMagick: already fixed by GraphicsMagick-CVE-2017-11102.patch
>=42.3/GraphicsMagick: already fixed by upstream
Comment 5 Petr Gajdos 2018-09-11 08:33:57 UTC 
Will submit fix for 15,12/ImageMagick.
Will submit rpm changelog names and renamed patches to 11/ImageMagick,GraphicsMagick.
Comment 6 Petr Gajdos 2018-09-11 08:34:20 UTC 
s/names/changes/
Comment 7 Petr Gajdos 2018-09-11 12:36:47 UTC 
I believe all fixed.
Comment 12 Swamp Workflow Management 2018-10-02 19:15:26 UTC 
SUSE-SU-2018:2977-1: An update that fixes 10 vulnerabilities is now available.

Category: security (low)
Bug References: 1106855,1106857,1106858,1106989,1107604,1107609,1107612,1107616,1107618,1107619
CVE References: CVE-2018-16323,CVE-2018-16328,CVE-2018-16329,CVE-2018-16413,CVE-2018-16640,CVE-2018-16641,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.24.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.24.1
Comment 14 Swamp Workflow Management 2018-10-05 10:10:56 UTC 
openSUSE-SU-2018:3014-1: An update that fixes 10 vulnerabilities is now available.

Category: security (low)
Bug References: 1106855,1106857,1106858,1106989,1107604,1107609,1107612,1107616,1107618,1107619
CVE References: CVE-2018-16323,CVE-2018-16328,CVE-2018-16329,CVE-2018-16413,CVE-2018-16640,CVE-2018-16641,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645
Sources used:
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.15.1
Comment 15 Swamp Workflow Management 2018-10-11 07:09:51 UTC 
SUSE-SU-2018:3095-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1050129,1105592,1106989,1107604,1107609,1107612,1107616,1107619,1108282,1108283
CVE References: CVE-2017-11532,CVE-2018-16413,CVE-2018-16640,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
Comment 18 Swamp Workflow Management 2018-10-17 19:24:20 UTC 
openSUSE-SU-2018:3203-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1050129,1105592,1106989,1107604,1107609,1107612,1107616,1107619,1108282,1108283
CVE References: CVE-2017-11532,CVE-2018-16413,CVE-2018-16640,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-70.2
Comment 19 Swamp Workflow Management 2018-10-22 13:13:16 UTC 
SUSE-SU-2018:3269-1: An update that fixes 12 vulnerabilities is now available.

Category: security (low)
Bug References: 1106855,1107604,1107609,1107612,1107616,1107619,1108282,1108283,1110746,1110747,1111069,1111072
CVE References: CVE-2018-16323,CVE-2018-16640,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750,CVE-2018-17965,CVE-2018-17966,CVE-2018-18016,CVE-2018-18024
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-78.72.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-78.72.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-78.72.1
Comment 22 Marcus Meissner 2019-07-09 07:00:50 UTC 
released
Comment 23 OBSbugzilla Bot 2021-10-04 16:41:52 UTC 
This is an autogenerated message for OBS integration:
This bug (1107619) was mentioned in
https://build.opensuse.org/request/show/923064 Factory / ImageMagick
First Last Prev Next    This bug is not in your last search results.