Bug 1156520 - (CVE-2019-18853) VUL-1: CVE-2019-18853: ImageMagick: allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P5 - None, Severity: Normal
Assigned To: Petr Gajdos
Security Team bot
https://smash.suse.de/issue/246870/
CVSSv3:SUSE:CVE-2019-18853:5.3:(AV:N...
Reported: 2019-11-12 10:06 UTC by Wolfgang Frisch
Modified: 2019-11-12 11:24 UTC

Found By: Security Response Team
Attachments
ImageMagick-CVE-2019-18853.patch (1.48 KB, patch)
2019-11-12 10:18 UTC, Wolfgang Frisch

Description Wolfgang Frisch 2019-11-12 10:06:41 UTC
CVE-2019-18853

ImageMagick before 7.0.9-0 allows remote attackers to cause a denial of service
because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to
SVG and libxml2.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18853
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18853.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18853
https://github.com/ImageMagick/ImageMagick/commit/ec9c8944af2bfc65c697ca44f93a727a99b405f1
https://fortiguard.com/zeroday/FG-VD-19-136
Comment 1 Wolfgang Frisch 2019-11-12 10:18:16 UTC
Created attachment 823915
ImageMagick-CVE-2019-18853.patch

upstream patch
https://github.com/ImageMagick/ImageMagick/commit/ec9c8944af2bfc65c697ca44f93a727a99b405f1
Comment 2 Petr Gajdos 2019-11-12 10:58:00 UTC
Fixed in Tumbleweed, code not found in older distros.
Comment 3 Petr Gajdos 2019-11-12 11:02:08 UTC
GraphicsMagick: code not found