Bug 1203212 - (CVE-2021-3574) VUL-1: CVE-2021-3574: ImageMagick: memory leaks with convert command
(CVE-2021-3574)
VUL-1: CVE-2021-3574: ImageMagick: memory leaks with convert command
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/340942/
CVSSv3.1:SUSE:CVE-2021-3574:3.3:(AV:L...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-09-07 12:31 UTC by Carlos López
Modified: 2022-10-07 22:20 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Carlos López 2022-09-07 12:33:17 UTC
This is barely a security issue by the looks of it. Anyhow, the patch could be backported to:
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP2:Update

Unsure about SUSE:SLE-11:Update and SUSE:SLE-12:Update, since there is no longer an available reproducer.

Already fixed in SUSE:SLE-15-SP4:Update and Factory.
Comment 2 Petr Gajdos 2022-09-08 10:21:07 UTC
In my opinion, we are not affected by this CVE at all. The check leading to interrupt of the function on the wrong place is not there at all. Yeah, we can add the check, but I agree with adding it only in 15 (ImageMagick 7).
Comment 3 Carlos López 2022-09-08 10:43:29 UTC
(In reply to Petr Gajdos from comment #2)
> In my opinion, we are not affected by this CVE at all. The check leading to
> interrupt of the function on the wrong place is not there at all. Yeah, we
> can add the check, but I agree with adding it only in 15 (ImageMagick 7).

Makes sense
Comment 4 Petr Gajdos 2022-09-08 10:50:58 UTC
Packages submitted for 15sp2,15/ImageMagick.

I believe all fixed.
Comment 6 Swamp Workflow Management 2022-10-07 22:20:17 UTC
SUSE-SU-2022:3552-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1203212
CVE References: CVE-2021-3574
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    ImageMagick-7.0.7.34-150200.10.39.1
openSUSE Leap 15.3 (src):    ImageMagick-7.0.7.34-150200.10.39.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    ImageMagick-7.0.7.34-150200.10.39.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    ImageMagick-7.0.7.34-150200.10.39.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.