Bug 1020443 - (CVE-2016-10146) VUL-0: CVE-2016-10146: Imagemagick: memory leak in caption and label handling
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2016-10146:4.3:(AV:N/...
Reported: 2017-01-17 17:16 UTC by Mikhail Kasimov
Modified: 2017-09-01 10:07 UTC
Description Mikhail Kasimov 2017-01-17 17:16:44 UTC
Ref: http://seclists.org/oss-sec/2017/q1/110
=============================================
memory leak in caption and label handling

Debian Bug: https://bugs.debian.org/851380

Fixed by: https://github.com/ImageMagick/ImageMagick/commit/aeff00de228bc5a158c2a975ab47845d8a1db456
=============================================
Comment 1 Swamp Workflow Management 2017-01-17 23:01:57 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2017-01-23 08:27:29 UTC
No testcase found.
Comment 3 Petr Gajdos 2017-01-23 08:29:10 UTC
Affected: ImageMagick, GraphicsMagick
Comment 4 Petr Gajdos 2017-01-27 11:04:54 UTC
Packages submitted, I believe all fixed.
Comment 6 Bernhard Wiedemann 2017-01-27 13:04:54 UTC
This is an autogenerated message for OBS integration:
This bug (1020443) was mentioned in
https://build.opensuse.org/request/show/452917 42.2 / GraphicsMagick
https://build.opensuse.org/request/show/452918 42.1 / GraphicsMagick
Comment 7 Swamp Workflow Management 2017-02-06 14:09:46 UTC
openSUSE-SU-2017:0391-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017310,1017312,1017313,1017314,1017318,1017321,1017322,1017324,1017325,1017326,1020443,1020448
CVE References: CVE-2016-10048,CVE-2016-10050,CVE-2016-10051,CVE-2016-10052,CVE-2016-10059,CVE-2016-10064,CVE-2016-10065,CVE-2016-10068,CVE-2016-10069,CVE-2016-10070,CVE-2016-10146,CVE-2017-5511
Sources used:
openSUSE Leap 42.1 (src):    GraphicsMagick-1.3.21-26.1
Comment 8 Swamp Workflow Management 2017-02-06 14:14:27 UTC
openSUSE-SU-2017:0399-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017310,1017312,1017313,1017314,1017324,1017326,1020443,1020448
CVE References: CVE-2016-10048,CVE-2016-10050,CVE-2016-10051,CVE-2016-10052,CVE-2016-10068,CVE-2016-10070,CVE-2016-10146,CVE-2017-5511
Sources used:
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-9.1
Comment 9 Swamp Workflow Management 2017-02-20 14:12:37 UTC
SUSE-SU-2017:0518-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017310,1017311,1017312,1017313,1017318,1017321,1017322,1017324,1017326,1020443,1020448
CVE References: CVE-2016-10048,CVE-2016-10049,CVE-2016-10050,CVE-2016-10051,CVE-2016-10059,CVE-2016-10064,CVE-2016-10065,CVE-2016-10068,CVE-2016-10070,CVE-2016-10146,CVE-2017-5511
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.62.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.62.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.62.1
Comment 10 Swamp Workflow Management 2017-02-21 14:11:27 UTC
SUSE-SU-2017:0529-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017308,1017310,1017311,1017312,1017313,1017314,1017318,1017319,1017320,1017321,1017322,1017324,1017325,1017326,1017421,1020433,1020435,1020436,1020439,1020441,1020443,1020446,1020448
CVE References: CVE-2016-10046,CVE-2016-10048,CVE-2016-10049,CVE-2016-10050,CVE-2016-10051,CVE-2016-10052,CVE-2016-10059,CVE-2016-10060,CVE-2016-10061,CVE-2016-10062,CVE-2016-10063,CVE-2016-10064,CVE-2016-10065,CVE-2016-10068,CVE-2016-10069,CVE-2016-10070,CVE-2016-10071,CVE-2016-10144,CVE-2016-10145,CVE-2016-10146,CVE-2017-5506,CVE-2017-5507,CVE-2017-5508,CVE-2017-5510,CVE-2017-5511
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-59.1
Comment 11 Swamp Workflow Management 2017-03-01 20:12:25 UTC
SUSE-SU-2017:0586-1: An update that fixes 21 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017308,1017310,1017311,1017312,1017313,1017314,1017318,1017319,1017320,1017321,1017322,1017324,1017326,1017421,1020433,1020435,1020436,1020439,1020441,1020443,1020448
CVE References: CVE-2016-10046,CVE-2016-10048,CVE-2016-10049,CVE-2016-10050,CVE-2016-10051,CVE-2016-10052,CVE-2016-10059,CVE-2016-10060,CVE-2016-10063,CVE-2016-10064,CVE-2016-10065,CVE-2016-10068,CVE-2016-10070,CVE-2016-10071,CVE-2016-10144,CVE-2016-10145,CVE-2016-10146,CVE-2017-5506,CVE-2017-5507,CVE-2017-5508,CVE-2017-5511
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.65.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.65.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.65.1
Comment 12 Swamp Workflow Management 2017-03-02 14:11:37 UTC
openSUSE-SU-2017:0587-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017308,1017310,1017311,1017312,1017313,1017314,1017318,1017319,1017320,1017321,1017322,1017324,1017325,1017326,1017421,1020433,1020435,1020436,1020439,1020441,1020443,1020446,1020448
CVE References: CVE-2016-10046,CVE-2016-10048,CVE-2016-10049,CVE-2016-10050,CVE-2016-10051,CVE-2016-10052,CVE-2016-10059,CVE-2016-10060,CVE-2016-10061,CVE-2016-10062,CVE-2016-10063,CVE-2016-10064,CVE-2016-10065,CVE-2016-10068,CVE-2016-10069,CVE-2016-10070,CVE-2016-10071,CVE-2016-10144,CVE-2016-10145,CVE-2016-10146,CVE-2017-5506,CVE-2017-5507,CVE-2017-5508,CVE-2017-5510,CVE-2017-5511
Sources used:
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-28.1
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-30.1
Comment 13 Matthias Gerstner 2017-03-06 09:44:59 UTC
All codestreams released. openSUSE comes from SLE. Closing.
Comment 14 Petr Gajdos 2017-09-01 10:07:18 UTC
I think GraphicsMagick Mercurial is not affected; a testcase would be needed to prove it.