GraphicsMagick-1.3.25-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10505 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z GraphicsMagick-1.3.25-1.1 on GA media These are all security issues fixed in the GraphicsMagick-1.3.25-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10505 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10505 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2009-1882/ SUSE CVE CVE-2009-1882 page https://www.suse.com/security/cve/CVE-2009-3736/ SUSE CVE CVE-2009-3736 page https://www.suse.com/security/cve/CVE-2012-3438/ SUSE CVE CVE-2012-3438 page https://www.suse.com/security/cve/CVE-2016-2317/ SUSE CVE CVE-2016-2317 page https://www.suse.com/security/cve/CVE-2016-3714/ SUSE CVE CVE-2016-3714 page https://www.suse.com/security/cve/CVE-2016-3715/ SUSE CVE CVE-2016-3715 page https://www.suse.com/security/cve/CVE-2016-3717/ SUSE CVE CVE-2016-3717 page https://www.suse.com/security/cve/CVE-2016-3718/ SUSE CVE CVE-2016-3718 page https://www.suse.com/security/cve/CVE-2016-5118/ SUSE CVE CVE-2016-5118 page openSUSE Tumbleweed GraphicsMagick-1.3.25-1.1 GraphicsMagick-devel-1.3.25-1.1 libGraphicsMagick++-Q16-12-1.3.25-1.1 libGraphicsMagick++-devel-1.3.25-1.1 libGraphicsMagick-Q16-3-1.3.25-1.1 libGraphicsMagick3-config-1.3.25-1.1 libGraphicsMagickWand-Q16-2-1.3.25-1.1 perl-GraphicsMagick-1.3.25-1.1 GraphicsMagick-1.3.25-1.1 as a component of openSUSE Tumbleweed GraphicsMagick-devel-1.3.25-1.1 as a component of openSUSE Tumbleweed libGraphicsMagick++-Q16-12-1.3.25-1.1 as a component of openSUSE Tumbleweed libGraphicsMagick++-devel-1.3.25-1.1 as a component of openSUSE Tumbleweed libGraphicsMagick-Q16-3-1.3.25-1.1 as a component of openSUSE Tumbleweed libGraphicsMagick3-config-1.3.25-1.1 as a component of openSUSE Tumbleweed libGraphicsMagickWand-Q16-2-1.3.25-1.1 as a component of openSUSE Tumbleweed perl-GraphicsMagick-1.3.25-1.1 as a component of openSUSE Tumbleweed Integer overflow in the XMakeImage function in magick/xwindow.c in ImageMagick 6.5.2-8, and GraphicsMagick, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF file, which triggers a buffer overflow. NOTE: some of these details are obtained from third party information. CVE-2009-1882 openSUSE Tumbleweed:GraphicsMagick-1.3.25-1.1 openSUSE Tumbleweed:GraphicsMagick-devel-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick++-Q16-12-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick++-devel-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick-Q16-3-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick3-config-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagickWand-Q16-2-1.3.25-1.1 openSUSE Tumbleweed:perl-GraphicsMagick-1.3.25-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-1882.html CVE-2009-1882 https://bugzilla.suse.com/507728 SUSE Bug 507728 ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries, Q, and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file. CVE-2009-3736 openSUSE Tumbleweed:GraphicsMagick-1.3.25-1.1 openSUSE Tumbleweed:GraphicsMagick-devel-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick++-Q16-12-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick++-devel-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick-Q16-3-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick3-config-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagickWand-Q16-2-1.3.25-1.1 openSUSE Tumbleweed:perl-GraphicsMagick-1.3.25-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-3736.html CVE-2009-3736 https://bugzilla.suse.com/556122 SUSE Bug 556122 The Magick_png_malloc function in coders/png.c in GraphicsMagick 6.7.8-6 does not use the proper variable type for the allocation size, which might allow remote attackers to cause a denial of service (crash) via a crafted PNG file that triggers incorrect memory allocation. CVE-2012-3438 openSUSE Tumbleweed:GraphicsMagick-1.3.25-1.1 openSUSE Tumbleweed:GraphicsMagick-devel-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick++-Q16-12-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick++-devel-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick-Q16-3-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick3-config-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagickWand-Q16-2-1.3.25-1.1 openSUSE Tumbleweed:perl-GraphicsMagick-1.3.25-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-3438.html CVE-2012-3438 https://bugzilla.suse.com/773612 SUSE Bug 773612 https://bugzilla.suse.com/785093 SUSE Bug 785093 Multiple buffer overflows in GraphicsMagick 1.3.23 allow remote attackers to cause a denial of service (crash) via a crafted SVG file, related to the (1) TracePoint function in magick/render.c, (2) GetToken function in magick/utility.c, and (3) GetTransformTokens function in coders/svg.c. CVE-2016-2317 openSUSE Tumbleweed:GraphicsMagick-1.3.25-1.1 openSUSE Tumbleweed:GraphicsMagick-devel-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick++-Q16-12-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick++-devel-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick-Q16-3-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick3-config-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagickWand-Q16-2-1.3.25-1.1 openSUSE Tumbleweed:perl-GraphicsMagick-1.3.25-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2317.html CVE-2016-2317 https://bugzilla.suse.com/965853 SUSE Bug 965853 https://bugzilla.suse.com/999673 SUSE Bug 999673 The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick." CVE-2016-3714 openSUSE Tumbleweed:GraphicsMagick-1.3.25-1.1 openSUSE Tumbleweed:GraphicsMagick-devel-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick++-Q16-12-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick++-devel-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick-Q16-3-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick3-config-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagickWand-Q16-2-1.3.25-1.1 openSUSE Tumbleweed:perl-GraphicsMagick-1.3.25-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3714.html CVE-2016-3714 https://bugzilla.suse.com/1000484 SUSE Bug 1000484 https://bugzilla.suse.com/1057163 SUSE Bug 1057163 https://bugzilla.suse.com/1105592 SUSE Bug 1105592 https://bugzilla.suse.com/978061 SUSE Bug 978061 https://bugzilla.suse.com/980401 SUSE Bug 980401 https://bugzilla.suse.com/982178 SUSE Bug 982178 The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image. CVE-2016-3715 openSUSE Tumbleweed:GraphicsMagick-1.3.25-1.1 openSUSE Tumbleweed:GraphicsMagick-devel-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick++-Q16-12-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick++-devel-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick-Q16-3-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick3-config-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagickWand-Q16-2-1.3.25-1.1 openSUSE Tumbleweed:perl-GraphicsMagick-1.3.25-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3715.html CVE-2016-3715 https://bugzilla.suse.com/1000484 SUSE Bug 1000484 https://bugzilla.suse.com/1057163 SUSE Bug 1057163 https://bugzilla.suse.com/1105592 SUSE Bug 1105592 https://bugzilla.suse.com/978061 SUSE Bug 978061 The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image. CVE-2016-3717 openSUSE Tumbleweed:GraphicsMagick-1.3.25-1.1 openSUSE Tumbleweed:GraphicsMagick-devel-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick++-Q16-12-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick++-devel-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick-Q16-3-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick3-config-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagickWand-Q16-2-1.3.25-1.1 openSUSE Tumbleweed:perl-GraphicsMagick-1.3.25-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3717.html CVE-2016-3717 https://bugzilla.suse.com/1000484 SUSE Bug 1000484 https://bugzilla.suse.com/1057163 SUSE Bug 1057163 https://bugzilla.suse.com/1105592 SUSE Bug 1105592 https://bugzilla.suse.com/978061 SUSE Bug 978061 The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image. CVE-2016-3718 openSUSE Tumbleweed:GraphicsMagick-1.3.25-1.1 openSUSE Tumbleweed:GraphicsMagick-devel-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick++-Q16-12-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick++-devel-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick-Q16-3-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick3-config-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagickWand-Q16-2-1.3.25-1.1 openSUSE Tumbleweed:perl-GraphicsMagick-1.3.25-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3718.html CVE-2016-3718 https://bugzilla.suse.com/1000484 SUSE Bug 1000484 https://bugzilla.suse.com/1057163 SUSE Bug 1057163 https://bugzilla.suse.com/1105592 SUSE Bug 1105592 https://bugzilla.suse.com/978061 SUSE Bug 978061 The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbitrary code via a | (pipe) character at the start of a filename. CVE-2016-5118 openSUSE Tumbleweed:GraphicsMagick-1.3.25-1.1 openSUSE Tumbleweed:GraphicsMagick-devel-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick++-Q16-12-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick++-devel-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick-Q16-3-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagick3-config-1.3.25-1.1 openSUSE Tumbleweed:libGraphicsMagickWand-Q16-2-1.3.25-1.1 openSUSE Tumbleweed:perl-GraphicsMagick-1.3.25-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5118.html CVE-2016-5118 https://bugzilla.suse.com/1000484 SUSE Bug 1000484 https://bugzilla.suse.com/982178 SUSE Bug 982178