OpenSUSE Linux update for ImageMagick
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2018-14434 CVE-2018-14435 CVE-2018-14436 CVE-2018-14437 |
| CWE-ID | CWE-20 CWE-401 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #2 is available. |
| Vulnerable software |
Opensuse Operating systems & Components / Operating system |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU33729
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-14434
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c.
MitigationUpdate the affected packages.
Opensuse: 15.0
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2018-08/msg00075.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Memory leak
EUVDB-ID: #VU14465
Risk: Low
CVSSv4.0: 1.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2018-14435
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to memory leak in DecodeImage in coders/pcd.c. A remote attacker can trick the victim into opening a specially crafted input, trigger memory corruption and cause the service to crash.
MitigationUpdate the affected packages.
Opensuse: 15.0
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2018-08/msg00075.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Memory leak
EUVDB-ID: #VU33480
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-14436
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within ReadMIFFImage in coders/miff.c. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages.
Opensuse: 15.0
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2018-08/msg00075.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Memory leak
EUVDB-ID: #VU33481
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-14437
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within parse8BIM in coders/meta.c. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages.
Opensuse: 15.0
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2018-08/msg00075.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
