Bug 1086782 - (CVE-2018-8960) VUL-1: CVE-2018-8960: ImageMagick: The ReadTIFFImage function in coders/tiff.c in ImageMagick memory allocation issue could lead to denial of service
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Importance: P4 - Low, Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/202580/
CVSSv3:SUSE:CVE-2018-8960:4.0:(AV:L/A...
Reported: 2018-03-26 06:23 UTC by Victor Pereira
Modified: 2018-05-10 22:39 UTC
Found By: Security Response Team
Description Victor Pereira 2018-03-26 06:23:43 UTC
CVE-2018-8960

The ReadTIFFImage function in coders/tiff.c in ImageMagick 7.0.7-26 Q16 does not
properly restrict memory allocation, leading to a heap-based buffer over-read.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8960
http://www.cvedetails.com/cve/CVE-2018-8960/
https://github.com/ImageMagick/ImageMagick/issues/1020
Comment 1 Petr Gajdos 2018-04-18 09:44:28 UTC
BEFORE

12/ImageMagick

$ valgrind -q convert tif_heap-buffer-overflow /dev/null
==22746== Conditional jump or move depends on uninitialised value(s)
==22746==    at 0x4FA8503: PerceptibleReciprocal (pixel-private.h:87)
==22746==    by 0x4FA8503: ImportQuantumPixels (quantum-import.c:3562)
==22746==    by 0x84202CB: ReadTIFFImage (tiff.c:1555)
==22746==    by 0x4EC0955: ReadImage (constitute.c:601)
==22746==    by 0x4EC0ECA: ReadImages (constitute.c:907)
==22746==    by 0x5319B8E: ConvertImageCommand (convert.c:617)
==22746==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==22746==    by 0x400836: ConvertMain (convert.c:81)
==22746==    by 0x400836: main (convert.c:92)
==22746== 
==22746== Conditional jump or move depends on uninitialised value(s)
==22746==    at 0x4FA8432: ClampToQuantum (quantum.h:92)
==22746==    by 0x4FA8432: ImportQuantumPixels (quantum-import.c:3563)
==22746==    by 0x84202CB: ReadTIFFImage (tiff.c:1555)
==22746==    by 0x4EC0955: ReadImage (constitute.c:601)
==22746==    by 0x4EC0ECA: ReadImages (constitute.c:907)
==22746==    by 0x5319B8E: ConvertImageCommand (convert.c:617)
==22746==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==22746==    by 0x400836: ConvertMain (convert.c:81)
==22746==    by 0x400836: main (convert.c:92)
==22746== 
==22746== Conditional jump or move depends on uninitialised value(s)
==22746==    at 0x4FA8440: ClampToQuantum (quantum.h:94)
==22746==    by 0x4FA8440: ImportQuantumPixels (quantum-import.c:3563)
==22746==    by 0x84202CB: ReadTIFFImage (tiff.c:1555)
==22746==    by 0x4EC0955: ReadImage (constitute.c:601)
==22746==    by 0x4EC0ECA: ReadImages (constitute.c:907)
==22746==    by 0x5319B8E: ConvertImageCommand (convert.c:617)
==22746==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==22746==    by 0x400836: ConvertMain (convert.c:81)
==22746==    by 0x400836: main (convert.c:92)
==22746== 
==22746== Conditional jump or move depends on uninitialised value(s)
==22746==    at 0x4FA8460: ClampToQuantum (quantum.h:92)
==22746==    by 0x4FA8460: ImportQuantumPixels (quantum-import.c:3565)
==22746==    by 0x84202CB: ReadTIFFImage (tiff.c:1555)
==22746==    by 0x4EC0955: ReadImage (constitute.c:601)
==22746==    by 0x4EC0ECA: ReadImages (constitute.c:907)
==22746==    by 0x5319B8E: ConvertImageCommand (convert.c:617)
==22746==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==22746==    by 0x400836: ConvertMain (convert.c:81)
==22746==    by 0x400836: main (convert.c:92)
==22746== 
==22746== Conditional jump or move depends on uninitialised value(s)
==22746==    at 0x4FA848D: ClampToQuantum (quantum.h:92)
==22746==    by 0x4FA848D: ImportQuantumPixels (quantum-import.c:3567)
==22746==    by 0x84202CB: ReadTIFFImage (tiff.c:1555)
==22746==    by 0x4EC0955: ReadImage (constitute.c:601)
==22746==    by 0x4EC0ECA: ReadImages (constitute.c:907)
==22746==    by 0x5319B8E: ConvertImageCommand (convert.c:617)
==22746==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==22746==    by 0x400836: ConvertMain (convert.c:81)
==22746==    by 0x400836: main (convert.c:92)
==22746== 
==22746== Syscall param write(buf) points to uninitialised byte(s)
==22746==    at 0x58E9CB0: __write_nocancel (in /lib64/libc-2.19.so)
==22746==    by 0x5884992: _IO_file_write@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==22746==    by 0x5884052: new_do_write (in /lib64/libc-2.19.so)
==22746==    by 0x5884FA5: _IO_file_xsputn@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==22746==    by 0x587B02C: fwrite (in /lib64/libc-2.19.so)
==22746==    by 0x866B7CB: ??? (in /usr/lib64/libtiff.so.5.3.0)
==22746==    by 0x866CA60: TIFFFlushData1 (in /usr/lib64/libtiff.so.5.3.0)
==22746==    by 0x866C034: TIFFWriteScanline (in /usr/lib64/libtiff.so.5.3.0)
==22746==    by 0x841D0C3: WriteTIFFImage (tiff.c:3489)
==22746==    by 0x4EC177B: WriteImage (constitute.c:1237)
==22746==    by 0x4EC1C91: WriteImages (constitute.c:1394)
==22746==    by 0x531B923: ConvertImageCommand (convert.c:3154)
==22746==  Address 0x9308180 is 0 bytes inside a block of size 8,192 alloc'd
==22746==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==22746==    by 0x866BF08: TIFFWriteBufferSetup (in /usr/lib64/libtiff.so.5.3.0)
==22746==    by 0x866C1E8: TIFFWriteScanline (in /usr/lib64/libtiff.so.5.3.0)
==22746==    by 0x841D0C3: WriteTIFFImage (tiff.c:3489)
==22746==    by 0x4EC177B: WriteImage (constitute.c:1237)
==22746==    by 0x4EC1C91: WriteImages (constitute.c:1394)
==22746==    by 0x531B923: ConvertImageCommand (convert.c:3154)
==22746==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==22746==    by 0x400836: ConvertMain (convert.c:81)
==22746==    by 0x400836: main (convert.c:92)
==22746== 
==22746== Syscall param write(buf) points to uninitialised byte(s)
==22746==    at 0x58E9CB0: __write_nocancel (in /lib64/libc-2.19.so)
==22746==    by 0x5884992: _IO_file_write@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==22746==    by 0x5884052: new_do_write (in /lib64/libc-2.19.so)
==22746==    by 0x58857C4: _IO_do_write@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==22746==    by 0x588641E: _IO_switch_to_get_mode (in /lib64/libc-2.19.so)
==22746==    by 0x588416D: _IO_file_seekoff@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==22746==    by 0x5882DA6: fseeko (in /lib64/libc-2.19.so)
==22746==    by 0x4E8D7E6: SeekBlob (blob.c:3604)
==22746==    by 0x866B70F: ??? (in /usr/lib64/libtiff.so.5.3.0)
==22746==    by 0x866CA60: TIFFFlushData1 (in /usr/lib64/libtiff.so.5.3.0)
==22746==    by 0x866C034: TIFFWriteScanline (in /usr/lib64/libtiff.so.5.3.0)
==22746==    by 0x841D0C3: WriteTIFFImage (tiff.c:3489)
==22746==  Address 0x4029000 is not stack'd, malloc'd or (recently) free'd
==22746== 
TIFFWriteDirectoryTagData: IO error writing tag data.
convert: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/883.
convert: Incorrect count for "StripOffsets"; tag ignored. `TIFFFetchStripThing' @ warning/tiff.c/TIFFWarnings/883.
convert: Incorrect count for "StripByteCounts"; tag ignored. `TIFFFetchStripThing' @ warning/tiff.c/TIFFWarnings/883.
convert: Incorrect count for "ColorMap"; tag ignored. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/883.
convert: Not enough data for scanline 152, expected a request for at most 0 bytes, got a request for 1 bytes. `DumpModeDecode' @ error/tiff.c/TIFFErrors/584.
convert: Invalid strip byte count 0, strip 59. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/584.
convert: Invalid strip byte count 0, strip 118. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/584.
convert: Invalid strip byte count 0, strip 177. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/584.
$

11/ImageMagick

$ valgrind -q convert tif_heap-buffer-overflow /dev/null
convert: tif_heap-buffer-overflow: invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectory'.
convert: incorrect count for field "StripOffsets" (1, expecting 236); tag ignored. `tif_heap-buffer-overflow'.
convert: incorrect count for field "StripByteCounts" (1, expecting 236); tag ignored. `tif_heap-buffer-overflow'.
convert: incorrect count for field "ColorMap" (12, expecting 768); tag ignored. `tif_heap-buffer-overflow'.
convert: 0: Invalid strip byte count, strip 59. `tif_heap-buffer-overflow'.
convert: DumpModeDecode: Not enough data for scanline 152. `tif_heap-buffer-overflow'.
convert: DumpModeDecode: Not enough data for scanline 153. `tif_heap-buffer-overflow'.
[...]
convert: 0: Invalid strip byte count, strip 57. `tif_heap-buffer-overflow'.
convert: 0: Invalid strip byte count, strip 58. `tif_heap-buffer-overflow'.
$

11/GraphicsMagick

$ valgrind -q gm convert tif_heap-buffer-overflow /dev/null
gm convert: DumpModeDecode: Not enough data for scanline 0. (tif_heap-buffer-overflow).
$

42.3/GraphicsMagick

$ valgrind -q gm convert tif_heap-buffer-overflow /dev/null
gm convert: Read error at scanline 4294967295; got 400 bytes, expected 1024. (TIFFReadEncodedStrip).
$

HG/GraphicsMagick

$ valgrind -q gm convert tif_heap-buffer-overflow /dev/null
gm convert: Improper image header (tif_heap-buffer-overflow).
$


PATCH

https://github.com/ImageMagick/ImageMagick6/commit/7c0b29f621ebcce1a35c0e6c1992c9043b3bb1bd

This is a follow-up of bug 1020441, CVE-2017-5508. As there, I consider 12/ImageMagick and 11/ImageMagick affected.

AFTER

12/ImageMagick

$ valgrind -q convert tif_heap-buffer-overflow /dev/null
==25796== Conditional jump or move depends on uninitialised value(s)
==25796==    at 0x4FA8503: PerceptibleReciprocal (pixel-private.h:87)
==25796==    by 0x4FA8503: ImportQuantumPixels (quantum-import.c:3562)
==25796==    by 0x84202DB: ReadTIFFImage (tiff.c:1556)
==25796==    by 0x4EC0955: ReadImage (constitute.c:601)
==25796==    by 0x4EC0ECA: ReadImages (constitute.c:907)
==25796==    by 0x5319B8E: ConvertImageCommand (convert.c:617)
==25796==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==25796==    by 0x400836: ConvertMain (convert.c:81)
==25796==    by 0x400836: main (convert.c:92)
==25796== 
==25796== Conditional jump or move depends on uninitialised value(s)
==25796==    at 0x4FA8432: ClampToQuantum (quantum.h:92)
==25796==    by 0x4FA8432: ImportQuantumPixels (quantum-import.c:3563)
==25796==    by 0x84202DB: ReadTIFFImage (tiff.c:1556)
==25796==    by 0x4EC0955: ReadImage (constitute.c:601)
==25796==    by 0x4EC0ECA: ReadImages (constitute.c:907)
==25796==    by 0x5319B8E: ConvertImageCommand (convert.c:617)
==25796==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==25796==    by 0x400836: ConvertMain (convert.c:81)
==25796==    by 0x400836: main (convert.c:92)
==25796== 
==25796== Conditional jump or move depends on uninitialised value(s)
==25796==    at 0x4FA8440: ClampToQuantum (quantum.h:94)
==25796==    by 0x4FA8440: ImportQuantumPixels (quantum-import.c:3563)
==25796==    by 0x84202DB: ReadTIFFImage (tiff.c:1556)
==25796==    by 0x4EC0955: ReadImage (constitute.c:601)
==25796==    by 0x4EC0ECA: ReadImages (constitute.c:907)
==25796==    by 0x5319B8E: ConvertImageCommand (convert.c:617)
==25796==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==25796==    by 0x400836: ConvertMain (convert.c:81)
==25796==    by 0x400836: main (convert.c:92)
==25796== 
==25796== Conditional jump or move depends on uninitialised value(s)
==25796==    at 0x4FA8460: ClampToQuantum (quantum.h:92)
==25796==    by 0x4FA8460: ImportQuantumPixels (quantum-import.c:3565)
==25796==    by 0x84202DB: ReadTIFFImage (tiff.c:1556)
==25796==    by 0x4EC0955: ReadImage (constitute.c:601)
==25796==    by 0x4EC0ECA: ReadImages (constitute.c:907)
==25796==    by 0x5319B8E: ConvertImageCommand (convert.c:617)
==25796==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==25796==    by 0x400836: ConvertMain (convert.c:81)
==25796==    by 0x400836: main (convert.c:92)
==25796== 
==25796== Conditional jump or move depends on uninitialised value(s)
==25796==    at 0x4FA848D: ClampToQuantum (quantum.h:92)
==25796==    by 0x4FA848D: ImportQuantumPixels (quantum-import.c:3567)
==25796==    by 0x84202DB: ReadTIFFImage (tiff.c:1556)
==25796==    by 0x4EC0955: ReadImage (constitute.c:601)
==25796==    by 0x4EC0ECA: ReadImages (constitute.c:907)
==25796==    by 0x5319B8E: ConvertImageCommand (convert.c:617)
==25796==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==25796==    by 0x400836: ConvertMain (convert.c:81)
==25796==    by 0x400836: main (convert.c:92)
==25796== 
==25796== Syscall param write(buf) points to uninitialised byte(s)
==25796==    at 0x58E9CB0: __write_nocancel (in /lib64/libc-2.19.so)
==25796==    by 0x5884992: _IO_file_write@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==25796==    by 0x5884052: new_do_write (in /lib64/libc-2.19.so)
==25796==    by 0x5884FA5: _IO_file_xsputn@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==25796==    by 0x587B02C: fwrite (in /lib64/libc-2.19.so)
==25796==    by 0x866B7CB: ??? (in /usr/lib64/libtiff.so.5.3.0)
==25796==    by 0x866CA60: TIFFFlushData1 (in /usr/lib64/libtiff.so.5.3.0)
==25796==    by 0x866C034: TIFFWriteScanline (in /usr/lib64/libtiff.so.5.3.0)
==25796==    by 0x841D0C3: WriteTIFFImage (tiff.c:3490)
==25796==    by 0x4EC177B: WriteImage (constitute.c:1237)
==25796==    by 0x4EC1C91: WriteImages (constitute.c:1394)
==25796==    by 0x531B923: ConvertImageCommand (convert.c:3154)
==25796==  Address 0x93085a0 is 0 bytes inside a block of size 8,192 alloc'd
==25796==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==25796==    by 0x866BF08: TIFFWriteBufferSetup (in /usr/lib64/libtiff.so.5.3.0)
==25796==    by 0x866C1E8: TIFFWriteScanline (in /usr/lib64/libtiff.so.5.3.0)
==25796==    by 0x841D0C3: WriteTIFFImage (tiff.c:3490)
==25796==    by 0x4EC177B: WriteImage (constitute.c:1237)
==25796==    by 0x4EC1C91: WriteImages (constitute.c:1394)
==25796==    by 0x531B923: ConvertImageCommand (convert.c:3154)
==25796==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==25796==    by 0x400836: ConvertMain (convert.c:81)
==25796==    by 0x400836: main (convert.c:92)
==25796== 
==25796== Syscall param write(buf) points to uninitialised byte(s)
==25796==    at 0x58E9CB0: __write_nocancel (in /lib64/libc-2.19.so)
==25796==    by 0x5884992: _IO_file_write@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==25796==    by 0x5884052: new_do_write (in /lib64/libc-2.19.so)
==25796==    by 0x58857C4: _IO_do_write@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==25796==    by 0x588641E: _IO_switch_to_get_mode (in /lib64/libc-2.19.so)
==25796==    by 0x588416D: _IO_file_seekoff@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==25796==    by 0x5882DA6: fseeko (in /lib64/libc-2.19.so)
==25796==    by 0x4E8D7E6: SeekBlob (blob.c:3604)
==25796==    by 0x866B70F: ??? (in /usr/lib64/libtiff.so.5.3.0)
==25796==    by 0x866CA60: TIFFFlushData1 (in /usr/lib64/libtiff.so.5.3.0)
==25796==    by 0x866C034: TIFFWriteScanline (in /usr/lib64/libtiff.so.5.3.0)
==25796==    by 0x841D0C3: WriteTIFFImage (tiff.c:3490)
==25796==  Address 0x4029000 is not stack'd, malloc'd or (recently) free'd
==25796== 
TIFFWriteDirectoryTagData: IO error writing tag data.
convert: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/883.
convert: Incorrect count for "StripOffsets"; tag ignored. `TIFFFetchStripThing' @ warning/tiff.c/TIFFWarnings/883.
convert: Incorrect count for "StripByteCounts"; tag ignored. `TIFFFetchStripThing' @ warning/tiff.c/TIFFWarnings/883.
convert: Incorrect count for "ColorMap"; tag ignored. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/883.
convert: Not enough data for scanline 152, expected a request for at most 0 bytes, got a request for 1 bytes. `DumpModeDecode' @ error/tiff.c/TIFFErrors/584.
convert: Invalid strip byte count 0, strip 59. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/584.
convert: Invalid strip byte count 0, strip 118. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/584.
convert: Invalid strip byte count 0, strip 177. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/584.
$
[no change, as far as I can see]

11/ImageMagick

$ valgrind -q convert tif_heap-buffer-overflow /dev/null
convert: tif_heap-buffer-overflow: invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectory'.
convert: incorrect count for field "StripOffsets" (1, expecting 236); tag ignored. `tif_heap-buffer-overflow'.
convert: incorrect count for field "StripByteCounts" (1, expecting 236); tag ignored. `tif_heap-buffer-overflow'.
convert: incorrect count for field "ColorMap" (12, expecting 768); tag ignored. `tif_heap-buffer-overflow'.
convert: 0: Invalid strip byte count, strip 59. `tif_heap-buffer-overflow'.
convert: DumpModeDecode: Not enough data for scanline 152. `tif_heap-buffer-overflow'.
convert: DumpModeDecode: Not enough data for scanline 153. `tif_heap-buffer-overflow'.
[...]
convert: 0: Invalid strip byte count, strip 57. `tif_heap-buffer-overflow'.
convert: 0: Invalid strip byte count, strip 58. `tif_heap-buffer-overflow'.
$
[no change as far as I can see]
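
The before/after comparison in Comment 1 can be scripted. The following is an added example, not part of the original comment or of any SUSE tooling: it reduces valgrind -q output to one line per finding, ignoring the PID prefix, addresses and source line numbers, and compares two logs. The function names are assumptions of this example, and the sample input is a shortened excerpt of the 12/ImageMagick traces above.

```shell
#!/bin/sh
# Added example: compare two valgrind -q logs while ignoring the PID,
# addresses and source line numbers, which change between builds and runs.

# Strip run-specific noise from valgrind lines read on stdin.
vg_normalize() {
    sed -E -e 's/^==[0-9]+== ?//' \
           -e 's/0x[0-9A-Fa-f]+/ADDR/g' \
           -e 's/\(([^():]+):[0-9]+\)/(\1)/g'
}

# One line per valgrind error record: "message < frame < frame ...".
# Lines without the ==PID== prefix (the program's own stderr) are dropped.
vg_findings() {
    grep -E '^==[0-9]+==' | vg_normalize | awk '
        /^ *$/              { if (rec != "") print rec; rec = ""; next }
        /^ +(at|by) ADDR: / { rec = rec " < " $3; next }
        { sub(/^ +/, ""); rec = (rec == "") ? $0 : rec " | " $0 }
        END                 { if (rec != "") print rec }'
}

# Exit status 0 when both log files contain the same set of findings.
vg_same_findings() {
    a=$(vg_findings < "$1" | sort -u)
    b=$(vg_findings < "$2" | sort -u)
    [ "$a" = "$b" ]
}

# Sample input: shortened excerpts of the 12/ImageMagick traces above.
sample_before() { cat <<'EOF'
==22746== Conditional jump or move depends on uninitialised value(s)
==22746==    at 0x4FA8503: PerceptibleReciprocal (pixel-private.h:87)
==22746==    by 0x84202CB: ReadTIFFImage (tiff.c:1555)
==22746==
==22746== Syscall param write(buf) points to uninitialised byte(s)
==22746==    at 0x58E9CB0: __write_nocancel (in /lib64/libc-2.19.so)
==22746==    by 0x841D0C3: WriteTIFFImage (tiff.c:3489)
==22746==  Address 0x9308180 is 0 bytes inside a block of size 8,192 alloc'd
convert: Invalid strip byte count 0, strip 59. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/584.
EOF
}
sample_after() { cat <<'EOF'
==25796== Conditional jump or move depends on uninitialised value(s)
==25796==    at 0x4FA8503: PerceptibleReciprocal (pixel-private.h:87)
==25796==    by 0x84202DB: ReadTIFFImage (tiff.c:1556)
==25796==
==25796== Syscall param write(buf) points to uninitialised byte(s)
==25796==    at 0x58E9CB0: __write_nocancel (in /lib64/libc-2.19.so)
==25796==    by 0x841D0C3: WriteTIFFImage (tiff.c:3490)
==25796==  Address 0x93085a0 is 0 bytes inside a block of size 8,192 alloc'd
convert: Invalid strip byte count 0, strip 59. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/584.
EOF
}

tmp=$(mktemp -d)
sample_before > "$tmp/before.log"; sample_after > "$tmp/after.log"
vg_same_findings "$tmp/before.log" "$tmp/after.log" && echo "same findings" || echo "findings differ"
rm -rf "$tmp"
```

With real runs, valgrind writes its report to stderr, so each log is captured by redirecting stderr of the valgrind command to a file before calling vg_same_findings on the two files.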
Comment 2 Petr Gajdos 2018-04-18 09:46:40 UTC
Will submit for 12/ImageMagick and 11/ImageMagick.
Comment 3 Petr Gajdos 2018-04-20 11:59:37 UTC
I believe all fixed.
Comment 7 Swamp Workflow Management 2018-05-02 19:09:21 UTC
SUSE-SU-2018:1129-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047356,1086773,1086782,1087027,1087033,1087037,1089781
CVE References: CVE-2017-1000476,CVE-2017-10928,CVE-2017-18251,CVE-2017-18252,CVE-2017-18254,CVE-2018-10177,CVE-2018-8960,CVE-2018-9018
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-78.45.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-78.45.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.45.1
Comment 8 Swamp Workflow Management 2018-05-09 16:11:29 UTC
SUSE-SU-2018:1178-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047356,1058635,1074117,1086773,1086782,1087027,1087033,1087037,1087039,1087825,1089781
CVE References: CVE-2017-1000476,CVE-2017-10928,CVE-2017-11450,CVE-2017-14325,CVE-2017-17887,CVE-2017-18250,CVE-2017-18251,CVE-2017-18252,CVE-2017-18254,CVE-2018-10177,CVE-2018-8960,CVE-2018-9018,CVE-2018-9135
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.54.5
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.54.5
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.54.5
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.54.5
Comment 9 Andreas Stieger 2018-05-10 17:54:42 UTC
releasing for Leap 42.3, done
Comment 10 Swamp Workflow Management 2018-05-10 22:08:21 UTC
openSUSE-SU-2018:1205-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047356,1058635,1074117,1086773,1086782,1087027,1087033,1087037,1087039,1087825,1089781
CVE References: CVE-2017-1000476,CVE-2017-10928,CVE-2017-11450,CVE-2017-14325,CVE-2017-17887,CVE-2017-18250,CVE-2017-18251,CVE-2017-18252,CVE-2017-18254,CVE-2018-10177,CVE-2018-8960,CVE-2018-9018,CVE-2018-9135
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-61.2