SUSE 5149 Published by

The following updates has been released for openSUSE:

openSUSE-SU-2017:3419-1: important: Security update for enigmail
openSUSE-SU-2017:3420-1: important: Security update for ImageMagick
openSUSE-SU-2017:3427-1: important: Security update for enigmail



openSUSE-SU-2017:3419-1: important: Security update for enigmail

openSUSE Security Update: Security update for enigmail
______________________________________________________________________________

Announcement ID: openSUSE-SU-2017:3419-1
Rating: important
References: #1073858
Affected Products:
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for enigmail to version 1.9.9 fixes the following issues
(boo#1073858):

* Enigmail could be coerced to use a malicious PGP public key with a
corresponding secret key controlled by an attacker
* Enigmail could have replayed encrypted content in partially encrypted
e-mails, allowing a plaintext leak
* Enigmail could be tricked into displaying incorrect signature
verification results
* Specially crafted content may cause denial of service


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2017-1403=1

To bring your system up-to-date, use "zypper patch".


Package List:

- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 ppc64le s390x x86_64):

enigmail-1.9.9-6.1


References:

https://bugzilla.suse.com/1073858

openSUSE-SU-2017:3420-1: important: Security update for ImageMagick

openSUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID: openSUSE-SU-2017:3420-1
Rating: important
References: #1048457 #1049796 #1050083 #1050116 #1050139
#1050632 #1051441 #1051847 #1052450 #1052553
#1052689 #1052744 #1052758 #1052764 #1054757
#1055214 #1056432 #1057157 #1057719 #1057729
#1057730 #1058485 #1058637 #1059666 #1059778
#1060176 #1060577 #1061254 #1062750 #1066003
#1067181 #1067184 #1067409
Cross-References: CVE-2017-11188 CVE-2017-11478 CVE-2017-11523
CVE-2017-11527 CVE-2017-11535 CVE-2017-11640
CVE-2017-11752 CVE-2017-12140 CVE-2017-12435
CVE-2017-12587 CVE-2017-12644 CVE-2017-12662
CVE-2017-12669 CVE-2017-12983 CVE-2017-13134
CVE-2017-13769 CVE-2017-14138 CVE-2017-14172
CVE-2017-14173 CVE-2017-14175 CVE-2017-14341
CVE-2017-14342 CVE-2017-14531 CVE-2017-14607
CVE-2017-14682 CVE-2017-14733 CVE-2017-14989
CVE-2017-15217 CVE-2017-15930 CVE-2017-16545
CVE-2017-16546 CVE-2017-16669
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 42.2
______________________________________________________________________________

An update that solves 32 vulnerabilities and has one errata
is now available.

Description:

This update for ImageMagick fixes the following issues:

* CVE-2017-14989: use-after-free in RenderFreetype in
MagickCore/annotate.c could lead to denial of service [bsc#1061254]
* CVE-2017-14682: GetNextToken in MagickCore/token.c heap buffer
overflow could lead to denial of service [bsc#1060176]
* Memory leak in WriteINLINEImage in coders/inline.c could lead to
denial of service [bsc#1052744]
* CVE-2017-14607: out of bounds read flaw related to ReadTIFFImagehas
could possibly disclose potentially sensitive memory [bsc#1059778]
* CVE-2017-11640: NULL pointer deref in WritePTIFImage() in
coders/tiff.c [bsc#1050632]
* CVE-2017-14342: a memory exhaustion vulnerability in ReadWPGImage in
coders/wpg.c could lead to denial of service [bsc#1058485]
* CVE-2017-14341: Infinite loop in the ReadWPGImage function
[bsc#1058637]
* CVE-2017-16546: problem in the function ReadWPGImage in coders/wpg.c
could lead to denial of service [bsc#1067181]
* CVE-2017-16545: The ReadWPGImage function in coders/wpg.c in
validation problems could lead to denial of service [bsc#1067184]
* CVE-2017-16669: problem in coders/wpg.c could allow remote attackers
to cause a denial of service via crafted file [bsc#1067409]
* CVE-2017-14175: Lack of End of File check could lead to denial of
service [bsc#1057719]
* CVE-2017-14138: memory leak vulnerability in ReadWEBPImage in
coders/webp.c could lead to denial of service [bsc#1057157]
* CVE-2017-13769: denial of service issue in function
WriteTHUMBNAILImage in coders/thumbnail.c [bsc#1056432]
* CVE-2017-13134: a heap-based buffer over-read was found in thefunction
SFWScan in coders/sfw.c, which allows attackers to cause adenial of
service via a crafted file. [bsc#1055214]
* CVE-2017-15217: memory leak in ReadSGIImage in coders/sgi.c
[bsc#1062750]
* CVE-2017-11478: ReadOneDJVUImage in coders/djvu.c in ImageMagick
allows remote attackers to cause a DoS [bsc#1049796]
* CVE-2017-15930: Null Pointer dereference while transfering JPEG
scanlines could lead to denial of service [bsc#1066003]
* CVE-2017-12983: Heap-based buffer overflow in the ReadSFWImage
function in coders/sfw.c inImageMagick 7.0.6-8 allows remote attackers
to cause a denial of service [bsc#1054757]
* CVE-2017-14531: memory exhaustion issue in ReadSUNImage
incoders/sun.c. [bsc#1059666]
* CVE-2017-12435: Memory exhaustion in ReadSUNImage in coders/sun.c,
which allows attackers to cause denial of service [bsc#1052553]
* CVE-2017-12587: User controlable large loop in the ReadPWPImage in
coders\pwp.c could lead to denial of service [bsc#1052450]
* CVE-2017-11523: ReadTXTImage in coders/txt.c allows remote attackers
to cause a denial of service [bsc#1050083]
* CVE-2017-14173: unction ReadTXTImage is vulnerable to a integer
overflow that could lead to denial of service [bsc#1057729]
* CVE-2017-11188: ImageMagick: The ReadDPXImage function in codersdpx.c
in ImageMagick 7.0.6-0 has a largeloop vulnerability that can cause
CPU exhaustion via a crafted DPX file, relatedto lack of an EOF check.
[bnc#1048457]
* CVE-2017-11527: ImageMagick: ReadDPXImage in coders/dpx.c allows
remote attackers to cause DoS [bnc#1050116]
* CVE-2017-11535: GraphicsMagick, ImageMagick: Heap-based buffer
over-read in WritePSImage() in coders/ps.c [bnc#1050139]
* CVE-2017-11752: ImageMagick: ReadMAGICKImage in coders/magick.c allows
to cause DoS [bnc#1051441]
* CVE-2017-12140: ImageMagick: ReadDCMImage in codersdcm.c has a
ninteger signedness error leading to excessive memory consumption
[bnc#1051847]
* CVE-2017-12669: ImageMagick: Memory leak in WriteCALSImage in
coders/cals.c [bnc#1052689]
* CVE-2017-12662: GraphicsMagick, ImageMagick: Memory leak in
WritePDFImage in coders/pdf.c [bnc#1052758]
* CVE-2017-12644: ImageMagick: Memory leak in ReadDCMImage in
codersdcm.c [bnc#1052764]
* CVE-2017-14172: ImageMagick: Lack of end of file check in
ReadPSImage() could lead to a denial of service [bnc#1057730]
* CVE-2017-14733: GraphicsMagick: Heap overflow on ReadRLEImage in
coders/rle.c could lead to denial of service [bnc#1060577]

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2017-1413=1

- openSUSE Leap 42.2:

zypper in -t patch openSUSE-2017-1413=1

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE Leap 42.3 (i586 x86_64):

ImageMagick-6.8.8.1-40.1
ImageMagick-debuginfo-6.8.8.1-40.1
ImageMagick-debugsource-6.8.8.1-40.1
ImageMagick-devel-6.8.8.1-40.1
ImageMagick-extra-6.8.8.1-40.1
ImageMagick-extra-debuginfo-6.8.8.1-40.1
libMagick++-6_Q16-3-6.8.8.1-40.1
libMagick++-6_Q16-3-debuginfo-6.8.8.1-40.1
libMagick++-devel-6.8.8.1-40.1
libMagickCore-6_Q16-1-6.8.8.1-40.1
libMagickCore-6_Q16-1-debuginfo-6.8.8.1-40.1
libMagickWand-6_Q16-1-6.8.8.1-40.1
libMagickWand-6_Q16-1-debuginfo-6.8.8.1-40.1
perl-PerlMagick-6.8.8.1-40.1
perl-PerlMagick-debuginfo-6.8.8.1-40.1

- openSUSE Leap 42.3 (noarch):

ImageMagick-doc-6.8.8.1-40.1

- openSUSE Leap 42.3 (x86_64):

ImageMagick-devel-32bit-6.8.8.1-40.1
libMagick++-6_Q16-3-32bit-6.8.8.1-40.1
libMagick++-6_Q16-3-debuginfo-32bit-6.8.8.1-40.1
libMagick++-devel-32bit-6.8.8.1-40.1
libMagickCore-6_Q16-1-32bit-6.8.8.1-40.1
libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-40.1
libMagickWand-6_Q16-1-32bit-6.8.8.1-40.1
libMagickWand-6_Q16-1-debuginfo-32bit-6.8.8.1-40.1

- openSUSE Leap 42.2 (i586 x86_64):

ImageMagick-6.8.8.1-30.12.1
ImageMagick-debuginfo-6.8.8.1-30.12.1
ImageMagick-debugsource-6.8.8.1-30.12.1
ImageMagick-devel-6.8.8.1-30.12.1
ImageMagick-extra-6.8.8.1-30.12.1
ImageMagick-extra-debuginfo-6.8.8.1-30.12.1
libMagick++-6_Q16-3-6.8.8.1-30.12.1
libMagick++-6_Q16-3-debuginfo-6.8.8.1-30.12.1
libMagick++-devel-6.8.8.1-30.12.1
libMagickCore-6_Q16-1-6.8.8.1-30.12.1
libMagickCore-6_Q16-1-debuginfo-6.8.8.1-30.12.1
libMagickWand-6_Q16-1-6.8.8.1-30.12.1
libMagickWand-6_Q16-1-debuginfo-6.8.8.1-30.12.1
perl-PerlMagick-6.8.8.1-30.12.1
perl-PerlMagick-debuginfo-6.8.8.1-30.12.1

- openSUSE Leap 42.2 (x86_64):

ImageMagick-devel-32bit-6.8.8.1-30.12.1
libMagick++-6_Q16-3-32bit-6.8.8.1-30.12.1
libMagick++-6_Q16-3-debuginfo-32bit-6.8.8.1-30.12.1
libMagick++-devel-32bit-6.8.8.1-30.12.1
libMagickCore-6_Q16-1-32bit-6.8.8.1-30.12.1
libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-30.12.1
libMagickWand-6_Q16-1-32bit-6.8.8.1-30.12.1
libMagickWand-6_Q16-1-debuginfo-32bit-6.8.8.1-30.12.1

- openSUSE Leap 42.2 (noarch):

ImageMagick-doc-6.8.8.1-30.12.1


References:

https://www.suse.com/security/cve/CVE-2017-11188.html
https://www.suse.com/security/cve/CVE-2017-11478.html
https://www.suse.com/security/cve/CVE-2017-11523.html
https://www.suse.com/security/cve/CVE-2017-11527.html
https://www.suse.com/security/cve/CVE-2017-11535.html
https://www.suse.com/security/cve/CVE-2017-11640.html
https://www.suse.com/security/cve/CVE-2017-11752.html
https://www.suse.com/security/cve/CVE-2017-12140.html
https://www.suse.com/security/cve/CVE-2017-12435.html
https://www.suse.com/security/cve/CVE-2017-12587.html
https://www.suse.com/security/cve/CVE-2017-12644.html
https://www.suse.com/security/cve/CVE-2017-12662.html
https://www.suse.com/security/cve/CVE-2017-12669.html
https://www.suse.com/security/cve/CVE-2017-12983.html
https://www.suse.com/security/cve/CVE-2017-13134.html
https://www.suse.com/security/cve/CVE-2017-13769.html
https://www.suse.com/security/cve/CVE-2017-14138.html
https://www.suse.com/security/cve/CVE-2017-14172.html
https://www.suse.com/security/cve/CVE-2017-14173.html
https://www.suse.com/security/cve/CVE-2017-14175.html
https://www.suse.com/security/cve/CVE-2017-14341.html
https://www.suse.com/security/cve/CVE-2017-14342.html
https://www.suse.com/security/cve/CVE-2017-14531.html
https://www.suse.com/security/cve/CVE-2017-14607.html
https://www.suse.com/security/cve/CVE-2017-14682.html
https://www.suse.com/security/cve/CVE-2017-14733.html
https://www.suse.com/security/cve/CVE-2017-14989.html
https://www.suse.com/security/cve/CVE-2017-15217.html
https://www.suse.com/security/cve/CVE-2017-15930.html
https://www.suse.com/security/cve/CVE-2017-16545.html
https://www.suse.com/security/cve/CVE-2017-16546.html
https://www.suse.com/security/cve/CVE-2017-16669.html
https://bugzilla.suse.com/1048457
https://bugzilla.suse.com/1049796
https://bugzilla.suse.com/1050083
https://bugzilla.suse.com/1050116
https://bugzilla.suse.com/1050139
https://bugzilla.suse.com/1050632
https://bugzilla.suse.com/1051441
https://bugzilla.suse.com/1051847
https://bugzilla.suse.com/1052450
https://bugzilla.suse.com/1052553
https://bugzilla.suse.com/1052689
https://bugzilla.suse.com/1052744
https://bugzilla.suse.com/1052758
https://bugzilla.suse.com/1052764
https://bugzilla.suse.com/1054757
https://bugzilla.suse.com/1055214
https://bugzilla.suse.com/1056432
https://bugzilla.suse.com/1057157
https://bugzilla.suse.com/1057719
https://bugzilla.suse.com/1057729
https://bugzilla.suse.com/1057730
https://bugzilla.suse.com/1058485
https://bugzilla.suse.com/1058637
https://bugzilla.suse.com/1059666
https://bugzilla.suse.com/1059778
https://bugzilla.suse.com/1060176
https://bugzilla.suse.com/1060577
https://bugzilla.suse.com/1061254
https://bugzilla.suse.com/1062750
https://bugzilla.suse.com/1066003
https://bugzilla.suse.com/1067181
https://bugzilla.suse.com/1067184
https://bugzilla.suse.com/1067409

openSUSE-SU-2017:3427-1: important: Security update for enigmail

openSUSE Security Update: Security update for enigmail
______________________________________________________________________________

Announcement ID: openSUSE-SU-2017:3427-1
Rating: important
References: #1073858
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 42.2
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for enigmail to version 1.9.9 fixes the following issues
(boo#1073858):

* Enigmail could be coerced to use a malicious PGP public key with a
corresponding secret key controlled by an attacker
* Enigmail could have replayed encrypted content in partially encrypted
e-mails, allowing a plaintext leak
* Enigmail could be tricked into displaying incorrect signature
verification results
* Specially crafted content may cause denial of service


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2017-1403=1

- openSUSE Leap 42.2:

zypper in -t patch openSUSE-2017-1403=1

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE Leap 42.3 (i586 x86_64):

enigmail-1.9.9-9.1

- openSUSE Leap 42.2 (i586 x86_64):

enigmail-1.9.9-2.13.1


References:

https://bugzilla.suse.com/1073858