OpenSUSE Linux update for ImageMagick

1) Input validation error

EUVDB-ID: #VU33729

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-14434

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c.

Mitigation

Update the affected packages.

Vulnerable software versions

Opensuse: 15.0

External links

http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00075.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Memory leak

EUVDB-ID: #VU14465

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-14435

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to memory leak in DecodeImage in coders/pcd.c. A remote attacker can trick the victim into opening a specially crafted input, trigger memory corruption and cause the service to crash.

Mitigation

Update the affected packages.

Vulnerable software versions

Opensuse: 15.0

External links

http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00075.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Memory leak

EUVDB-ID: #VU33480

Risk: Medium

CVSSv3.1: 6 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2018-14436

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within ReadMIFFImage in coders/miff.c. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages.

Vulnerable software versions

Opensuse: 15.0

External links

http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00075.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Memory leak

EUVDB-ID: #VU33481

Risk: Medium

CVSSv3.1: 6 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2018-14437

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within parse8BIM in coders/meta.c. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages.

Vulnerable software versions

Opensuse: 15.0

External links

http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00075.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.