984172 – (CVE-2014-9841) VUL-0: CVE-2014-9841: GraphicsMagick,ImageMagick: throwing of exceptions in psd handling

Bug 984172 (CVE-2014-9841) - VUL-0: CVE-2014-9841: GraphicsMagick,ImageMagick: throwing of exceptions in psd handling

Summary: VUL-0: CVE-2014-9841: GraphicsMagick,ImageMagick: throwing of exceptions in p...

Status:	RESOLVED FIXED

Alias:	CVE-2014-9841

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Petr Gajdos
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/169739/
Whiteboard:	CVSSv2:SUSE:CVE-2014-9841:4.3:(AV:N/A...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-06-10 13:45 UTC by Marcus Meissner
Modified:	2020-06-29 06:25 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2016-06-10 13:45:22 UTC

Fixed throwing of exceptions in psd handling.

https://anonscm.debian.org/cgit/collab-maint/imagemagick.git/commit/?h=debian-patches/6.8.9.9-4-for-upstream&id=f9ef11671c41da4cf973d0d880af1cdfbd127860

Comment 1 Marcus Meissner 2016-06-10 13:49:09 UTC

sle11 im and sle12 im seem affected.

sle11 GM code is differently structured, I think it is not affected.

Comment 2 Swamp Workflow Management 2016-06-10 22:02:55 UTC

bugbot adjusting priority

Comment 3 Petr Gajdos 2016-06-15 12:55:59 UTC

Memory leak fixed everywhere, throwing exceptions just in 13.2/ImageMagick and 12/ImageMagick, others seems not to be affected (use another exepctions).

Comment 4 Petr Gajdos 2016-06-16 08:55:29 UTC

Correction, I am not going to apply the patch for GraphicsMagick at all. It fails the testsuite there and it examines the changed code therefore. Running the testsuite with valgrind (make memcheck) does not reveal the leak, though.

More over, the current devel mercurial repository of GraphicsMagick does not contain similar code.

Situation could change of course when a reproducer would be available.

Comment 5 Petr Gajdos 2016-06-20 10:55:52 UTC

Splitting the patch, memory leak is handled in bug 984374.

Comment 6 Petr Gajdos 2016-06-20 11:04:58 UTC

=> Just 13.2/ImageMagick and 12/ImageMagick affected.

Comment 7 Petr Gajdos 2016-06-23 13:06:58 UTC

I believe all fixed.

Comment 8 Swamp Workflow Management 2016-07-06 19:09:58 UTC

openSUSE-SU-2016:1748-1: An update that fixes 68 vulnerabilities is now available.

Category: security (important)
Bug References: 983232,983234,983253,983259,983292,983305,983308,983521,983523,983527,983533,983739,983746,983752,983774,983794,983796,983799,983803,984014,984018,984023,984028,984032,984035,984135,984137,984142,984144,984145,984149,984150,984160,984166,984172,984179,984181,984183,984184,984185,984186,984187,984191,984193,984370,984372,984373,984374,984375,984379,984394,984398,984400,984401,984404,984406,984408,984409,984427,984433,984436,985442,985448,985451,985456,985460,986608,986609
CVE References: CVE-2014-9805,CVE-2014-9806,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9812,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9821,CVE-2014-9822,CVE-2014-9823,CVE-2014-9824,CVE-2014-9825,CVE-2014-9826,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9832,CVE-2014-9833,CVE-2014-9834,CVE-2014-9835,CVE-2014-9836,CVE-2014-9837,CVE-2014-9838,CVE-2014-9839,CVE-2014-9840,CVE-2014-9841,CVE-2014-9842,CVE-2014-9843,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9848,CVE-2014-9849,CVE-2014-9850,CVE-2014-9851,CVE-2014-9852,CVE-2014-9853,CVE-2014-9854,CVE-2015-8894,CVE-2015-8895,CVE-2015-8896,CVE-2015-8897,CVE-2015-8898,CVE-2015-8900,CVE-2015-8901,CVE-2015-8902,CVE-2015-8903,CVE-2016-4562,CVE-2016-4563,CVE-2016-4564,CVE-2016-5687,CVE-2016-5688,CVE-2016-5689,CVE-2016-5690,CVE-2016-5691,CVE-2016-5841,CVE-2016-5842
Sources used:
openSUSE 13.2 (src):    ImageMagick-6.8.9.8-26.1

Comment 9 Swamp Workflow Management 2016-07-11 14:33:05 UTC

SUSE-SU-2016:1784-1: An update that fixes 68 vulnerabilities is now available.

Category: security (important)
Bug References: 983232,983234,983253,983259,983292,983305,983308,983521,983523,983527,983533,983739,983746,983752,983774,983794,983796,983799,983803,984014,984018,984023,984028,984032,984035,984135,984137,984142,984144,984145,984149,984150,984160,984166,984172,984179,984181,984183,984184,984185,984186,984187,984191,984193,984370,984372,984373,984374,984375,984379,984394,984398,984400,984401,984404,984406,984408,984409,984427,984433,984436,985442,985448,985451,985456,985460,986608,986609
CVE References: CVE-2014-9805,CVE-2014-9806,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9812,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9821,CVE-2014-9822,CVE-2014-9823,CVE-2014-9824,CVE-2014-9825,CVE-2014-9826,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9832,CVE-2014-9833,CVE-2014-9834,CVE-2014-9835,CVE-2014-9836,CVE-2014-9837,CVE-2014-9838,CVE-2014-9839,CVE-2014-9840,CVE-2014-9841,CVE-2014-9842,CVE-2014-9843,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9848,CVE-2014-9849,CVE-2014-9850,CVE-2014-9851,CVE-2014-9852,CVE-2014-9853,CVE-2014-9854,CVE-2015-8894,CVE-2015-8895,CVE-2015-8896,CVE-2015-8897,CVE-2015-8898,CVE-2015-8900,CVE-2015-8901,CVE-2015-8902,CVE-2015-8903,CVE-2016-4562,CVE-2016-4563,CVE-2016-4564,CVE-2016-5687,CVE-2016-5688,CVE-2016-5689,CVE-2016-5690,CVE-2016-5691,CVE-2016-5841,CVE-2016-5842
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-30.2

Comment 10 Swamp Workflow Management 2016-07-20 10:15:13 UTC

openSUSE-SU-2016:1833-1: An update that fixes 68 vulnerabilities is now available.

Category: security (important)
Bug References: 983232,983234,983253,983259,983292,983305,983308,983521,983523,983527,983533,983739,983746,983752,983774,983794,983796,983799,983803,984014,984018,984023,984028,984032,984035,984135,984137,984142,984144,984145,984149,984150,984160,984166,984172,984179,984181,984183,984184,984185,984186,984187,984191,984193,984370,984372,984373,984374,984375,984379,984394,984398,984400,984401,984404,984406,984408,984409,984427,984433,984436,985442,985448,985451,985456,985460,986608,986609
CVE References: CVE-2014-9805,CVE-2014-9806,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9812,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9821,CVE-2014-9822,CVE-2014-9823,CVE-2014-9824,CVE-2014-9825,CVE-2014-9826,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9832,CVE-2014-9833,CVE-2014-9834,CVE-2014-9835,CVE-2014-9836,CVE-2014-9837,CVE-2014-9838,CVE-2014-9839,CVE-2014-9840,CVE-2014-9841,CVE-2014-9842,CVE-2014-9843,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9848,CVE-2014-9849,CVE-2014-9850,CVE-2014-9851,CVE-2014-9852,CVE-2014-9853,CVE-2014-9854,CVE-2015-8894,CVE-2015-8895,CVE-2015-8896,CVE-2015-8897,CVE-2015-8898,CVE-2015-8900,CVE-2015-8901,CVE-2015-8902,CVE-2015-8903,CVE-2016-4562,CVE-2016-4563,CVE-2016-4564,CVE-2016-5687,CVE-2016-5688,CVE-2016-5689,CVE-2016-5690,CVE-2016-5691,CVE-2016-5841,CVE-2016-5842
Sources used:
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-15.1