openSUSE update for ImageMagick
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 32 |
| CVE-ID | CVE-2017-11188 CVE-2017-11478 CVE-2017-11523 CVE-2017-11527 CVE-2017-11535 CVE-2017-11640 CVE-2017-11752 CVE-2017-12140 CVE-2017-12435 CVE-2017-12587 CVE-2017-12644 CVE-2017-12662 CVE-2017-12669 CVE-2017-12983 CVE-2017-13134 CVE-2017-13769 CVE-2017-14138 CVE-2017-14172 CVE-2017-14173 CVE-2017-14175 CVE-2017-14341 CVE-2017-14342 CVE-2017-14531 CVE-2017-14607 CVE-2017-14682 CVE-2017-14733 CVE-2017-14989 CVE-2017-15217 CVE-2017-15930 CVE-2017-16545 CVE-2017-16546 CVE-2017-16669 |
| CWE-ID | CWE-400 CWE-835 CWE-119 CWE-126 CWE-20 CWE-401 CWE-122 CWE-190 CWE-125 CWE-416 CWE-476 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Opensuse Operating systems & Components / Operating system |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 32 vulnerabilities.
1) Resource exhaustion
EUVDB-ID: #VU9783
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-11188
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to a large loop in the ReadDPXImage function in coders\dpx.c. A remote attacker can trick the victim into opening a specially crafted DPX file, trigger CPU exhaustion, related to lack of an EOF check and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Infinite loop
EUVDB-ID: #VU9784
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-11478
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to infinite loop in the ReadOneDJVUImage function in coders/djvu.c. A remote attacker can trick the victim into opening a specially crafted DJVU image, trigger infinite loop and CPU consumption and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Infinite loop
EUVDB-ID: #VU9785
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-11523
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to infinite loop in the ReadTXTImage function in coders/txt.c. A remote attacker can trick the victim into opening a specially crafted file, trigger the end-of-file condition and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Memory corruption
EUVDB-ID: #VU9786
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-11527
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to a boundary error in the ReadDPXImage function in coders/dpx.c. A remote attacker can trick the victim into opening a specially crafted file, trigger memory corruption and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Heap-based buffer overread
EUVDB-ID: #VU9787
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-11535
CWE-ID:
CWE-126 - Buffer over-read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to heap-based buffer over-read in the WritePSImage() function in coders/ps.c. A remote attacker can trick the victim into opening a specially crafted file, trigger memory corruption and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Denial of service
EUVDB-ID: #VU9788
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-11640
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to an address access exception in the WritePTIFImage() function in coders/tiff.c. A remote attacker can trick the victim into converting a specially crafted file and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Memory leak
EUVDB-ID: #VU9789
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-11752
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to a memory leak in the ReadMAGICKImage function in coders/magick.c. A remote attacker can trick the victim into opening a specially crafted file and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Resource exhaustion
EUVDB-ID: #VU9790
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-12140
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to an integer signedness error in the ReadDCMImage function in coders\dcm.c. A remote attacker can trick the victim into opening a specially crafted DCM file, trigger excessive memory consumption and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Resource exhaustion
EUVDB-ID: #VU9791
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-12435
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to an error in the ReadSUNImage function in coders/sun.c. A remote attacker can trick the victim into opening a specially crafted file, trigger excessive memory consumption and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Infinite loop
EUVDB-ID: #VU9792
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-12587
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to an error in the ReadPWPImage function in coderspwp.c. A remote attacker can trick the victim into opening a specially crafted file, trigger an infinite loop and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Memory leak
EUVDB-ID: #VU9793
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-12644
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to a memory leak in ReadDCMImage in codersdcm.c. A remote attacker can trick the victim into opening a specially crafted file and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Memory leak
EUVDB-ID: #VU9794
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-12662
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to a memory leak in WritePDFImage in coders/pdf.c. A remote attacker can trick the victim into opening a specially crafted file and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Memory leak
EUVDB-ID: #VU9795
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-12669
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to a memory leak in WriteCALSImage in coders/cals.c. A remote attacker can trick the victim into opening a specially crafted file and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Heap-based buffer overflow
EUVDB-ID: #VU9796
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-12983
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to heap-based buffer overflow in the ReadSFWImage function in coders/sfw.c. A remote attacker can trick the victim into opening a specially crafted file, trigger memory corruption and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Heap-based buffer overread
EUVDB-ID: #VU9797
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-13134
CWE-ID:
CWE-126 - Buffer over-read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to heap-based buffer over-read in the function SFWScan in coders/sfw.c. A remote attacker can trick the victim into opening a specially crafted file, trigger memory corruption and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Buffer over-read
EUVDB-ID: #VU9798
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-13769
CWE-ID:
CWE-126 - Buffer over-read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to buffer over-read in the WriteTHUMBNAILImage function in coders/thumbnail.c. A remote attacker can trick the victim into opening a specially crafted JPEG file, trigger memory corruption and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Memory leak
EUVDB-ID: #VU9799
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-14138
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to a memory leak in ReadWEBPImage in coders/webp.c because memory is not freed in certain error cases. A remote attacker can trick the victim into opening a specially crafted file and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Resource exhaustion
EUVDB-ID: #VU9800
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-14172
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in coders/ps.c in ReadPSImage() due to lack of an EOF (End of File) check. A remote attacker can provide a specially crafted PSD file, which claims a large "extent" field in the header but does not contain sufficient backing data, trigger the loop over "length", consume huge CPU resources and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Integer overflow
EUVDB-ID: #VU9801
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-14173
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to integer overflow in the function ReadTXTImage() in coders/txt.c that may occur for the addition operation "GetQuantumRange(depth)+1" when "depth" is large, producing a smaller value than expected. A remote attacker can provide a specially crafted TXT file that claims a very large "max_value" value, trigger infinite loop and cause the system to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Resource exhaustion
EUVDB-ID: #VU9802
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-14175
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in coders/xbm.c in ReadXBMImage() due to lack of an EOF (End of File) check. A remote attacker can provide a specially crafted XBM file, which claims large rows and columns fields in the header but does not contain sufficient backing data, trigger the loop over the rows, consume huge CPU resources and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Resource exhaustion
EUVDB-ID: #VU9803
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-14341
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to a large loop vulnerability in ReadWPGImage in coders/wpg.c. A remote attacker can provide a specially crafted wpg image file, trigger CPU exhaustion and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Resource exhaustion
EUVDB-ID: #VU9804
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-14342
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to an error in ReadWPGImage in coders/wpg.c. A remote attacker can provide a specially crafted wpg image file, trigger memory exhaustion and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Resource exhaustion
EUVDB-ID: #VU9805
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-14531
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to an error in ReadSUNImage in coders/sun.c.. A remote attacker can provide a specially crafted image file, trigger memory exhaustion and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Out-of-bounds read
EUVDB-ID: #VU9806
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-14607
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information or cause DoS condition on the target system.
The weakness exists due to out of bounds read flaw related to ReadTIFFImage function in coders/tiff.c. A remote attacker can provide a specially crafted image file and read arbitrary data or cause the application to crash.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Heap-based buffer overflow
EUVDB-ID: #VU9807
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-14682
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to heap-based buffer overflow in GetNextToken in MagickCore/token.c. A remote attacker can provide a specially crafted SVG document, trigger memory corruption and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
26) Heap-based buffer overread
EUVDB-ID: #VU9808
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-14733
CWE-ID:
CWE-126 - Buffer over-read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to ReadRLEImage in coders/rle.c mishandles RLE headers that specify too few colors. A remote attacker can provide a specially crafted RLE document, trigger heap-based buffer over-read and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
27) Use-after-free error
EUVDB-ID: #VU9809
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-14989
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to use-after-free in RenderFreetype in MagickCore/annotate.c. A remote attacker can provide a specially crafted font file, call the FT_Done_Glyph function (from FreeType 2) at an incorrect place in the ImageMagick code, trigger memory corruption and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
28) Memory leak
EUVDB-ID: #VU9810
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-15217
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information or cause DoS condition on the target system.
The weakness exists due to an error in ReadSGIImage in coders/sgi.c. A remote attacker can provide a specially SGI image file, trigger memory leak and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
29) Null pointer dereference
EUVDB-ID: #VU9811
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-15930
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to an error n ReadOneJNGImage in coders/png.c. A remote attacker can transfer specially crafted JPEG scanlines, trigger null pointer dereference, related to a PixelPacket pointer and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
30) Improper input validation
EUVDB-ID: #VU9812
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-16545
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to the ReadWPGImage function in coders/wpg.c does not properly validate colormapped images. A remote attacker can transfer specially crafted WPG image, trigger ImportIndexQuantumType invalid write and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
31) Improper input validation
EUVDB-ID: #VU9813
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-16546
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information or cause DoS condition on the target system.
The weakness exists due to the ReadWPGImage function in coders/wpg.c does not properly validate the colormap index in a WPG palette. A remote attacker can provide a specially WPG file, trigger use of uninitialized data or invalid memory allocation and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
32) Heap-based buffer overflow
EUVDB-ID: #VU9814
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-16669
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to heap-based buffer overflow in coders/wpg.c. A remote attacker can provide a specially crafted file, related to the AcquireCacheNexus function in magick/pixel_cache.c, trigger memory corruption and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2 - 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-12/msg00087.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
