Bug 1017319 - (CVE-2016-10060) VUL-0: CVE-2016-10060, CVE-2016-10061, CVE-2016-10062: ImageMagick: Check return of write function
(CVE-2016-10060)
VUL-0: CVE-2016-10060, CVE-2016-10061, CVE-2016-10062: ImageMagick: Check ret...
Status: RESOLVED FIXED
: 1016588 (view as bug list)
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Minor
: ---
Assigned To: Security Team bot
Security Team bot
CVSSv2:SUSE:CVE-2016-10062:4.3:(AV:N/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-12-27 09:22 UTC by Johannes Segitz
Modified: 2017-05-19 06:37 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2016-12-27 09:22:48 UTC
Debian bug: https://bugs.debian.org/845196
Reference URL: https://security-tracker.debian.org/845196
Upstream commit:
  - https://github.com/ImageMagick/ImageMagick/commit/933e96f01a8c889c7bf5ffd30020e86a02a046e7
  - https://github.com/ImageMagick/ImageMagick/commit/4e914bbe371433f0590cefdf3bd5f3a5710069f9
Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/196
Upstream version fixed: 7.0.1-10

The above fixes may be incomplete, according to the upstream issue. In
addition, the -6 branch seems to have an incomplete fix as well.

Use CVE-2016-10060 for the issue fixed in 933e96f01a8c889c7bf5ffd30020e86a02a046e7.
Use CVE-2016-10061 for the issue fixed in 4e914bbe371433f0590cefdf3bd5f3a5710069f9.
Use CVE-2016-10062 for the fwrite issue in ReadGROUP4Image. This was
specifically noted at the beginning of issues/196, but not fixed in
either of these commits. It is not the same as the fputc issue in
ReadGROUP4Image.

Seems like we have already parts of the fixes in our codestreams, but not all of them.
Comment 1 Swamp Workflow Management 2016-12-27 23:02:21 UTC
bugbot adjusting priority
Comment 2 Johannes Segitz 2016-12-28 10:16:41 UTC
*** Bug 1016588 has been marked as a duplicate of this bug. ***
Comment 3 Johannes Segitz 2016-12-28 10:17:41 UTC
Comments by Mathias Gerstner in the other bug:
This is not strictly a security bug. A conversion operation that failed due to
a failed target file write may go unnoticed.

ImageMagick:

[affected] SLE-12:Update in coders/tiff.c:375
[affected] openSUSE:13.2:Update in coders/tiff.c:375
[n/a] SLE-11:Update in coders/tiff.c:2021
  code looks completely different here. Not direct fputc to be found, only via
  wrappers. Some return values are checked like in tiff.c:2659.

GraphicsMagick:

GM uses completely different I/O routines that rely on POSIX open/read/write
and error handling seems to be in place for example in magick/blob.c:550 of
13.2:Update.

[fixed] SLE-11:Update in corders/tiff.c:4338
  older code, return codes are checked though
[fixed] openSUSE:13.2:Update in coders/tiff.c:3086
[fixed] openSUSE:Leap:42.1:Update in coders/tiff.c:3443
[fixed] openSUSE:Leap:42.2:Update in coders/tiff.c:3443
Comment 6 Petr Gajdos 2017-01-25 10:00:30 UTC
Affected:

CVE-2016-10060: 11/ImageMagick, 12/ImageMagick
CVE-2016-10061: 12/ImageMagick
CVE-2016-10062: 12/ImageMagick
Comment 7 Petr Gajdos 2017-01-27 11:05:00 UTC
Packages submitted, I believe all fixed.
Comment 8 Swamp Workflow Management 2017-02-21 14:09:20 UTC
SUSE-SU-2017:0529-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017308,1017310,1017311,1017312,1017313,1017314,1017318,1017319,1017320,1017321,1017322,1017324,1017325,1017326,1017421,1020433,1020435,1020436,1020439,1020441,1020443,1020446,1020448
CVE References: CVE-2016-10046,CVE-2016-10048,CVE-2016-10049,CVE-2016-10050,CVE-2016-10051,CVE-2016-10052,CVE-2016-10059,CVE-2016-10060,CVE-2016-10061,CVE-2016-10062,CVE-2016-10063,CVE-2016-10064,CVE-2016-10065,CVE-2016-10068,CVE-2016-10069,CVE-2016-10070,CVE-2016-10071,CVE-2016-10144,CVE-2016-10145,CVE-2016-10146,CVE-2017-5506,CVE-2017-5507,CVE-2017-5508,CVE-2017-5510,CVE-2017-5511
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-59.1
Comment 9 Swamp Workflow Management 2017-03-01 20:10:37 UTC
SUSE-SU-2017:0586-1: An update that fixes 21 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017308,1017310,1017311,1017312,1017313,1017314,1017318,1017319,1017320,1017321,1017322,1017324,1017326,1017421,1020433,1020435,1020436,1020439,1020441,1020443,1020448
CVE References: CVE-2016-10046,CVE-2016-10048,CVE-2016-10049,CVE-2016-10050,CVE-2016-10051,CVE-2016-10052,CVE-2016-10059,CVE-2016-10060,CVE-2016-10063,CVE-2016-10064,CVE-2016-10065,CVE-2016-10068,CVE-2016-10070,CVE-2016-10071,CVE-2016-10144,CVE-2016-10145,CVE-2016-10146,CVE-2017-5506,CVE-2017-5507,CVE-2017-5508,CVE-2017-5511
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.65.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.65.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.65.1
Comment 10 Swamp Workflow Management 2017-03-02 14:09:23 UTC
openSUSE-SU-2017:0587-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017308,1017310,1017311,1017312,1017313,1017314,1017318,1017319,1017320,1017321,1017322,1017324,1017325,1017326,1017421,1020433,1020435,1020436,1020439,1020441,1020443,1020446,1020448
CVE References: CVE-2016-10046,CVE-2016-10048,CVE-2016-10049,CVE-2016-10050,CVE-2016-10051,CVE-2016-10052,CVE-2016-10059,CVE-2016-10060,CVE-2016-10061,CVE-2016-10062,CVE-2016-10063,CVE-2016-10064,CVE-2016-10065,CVE-2016-10068,CVE-2016-10069,CVE-2016-10070,CVE-2016-10071,CVE-2016-10144,CVE-2016-10145,CVE-2016-10146,CVE-2017-5506,CVE-2017-5507,CVE-2017-5508,CVE-2017-5510,CVE-2017-5511
Sources used:
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-28.1
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-30.1
Comment 11 Matthias Gerstner 2017-03-06 09:51:07 UTC
GM not affected. IM all codestreams released. openSUSE comes from SLE.
Closing.