Bug 1075819 - (CVE-2018-5358) VUL-0: CVE-2018-5358: ImageMagick: memory leak in the EncodeImageAttributes functionin coders/json.c could lead to crash
(CVE-2018-5358)
VUL-0: CVE-2018-5358: ImageMagick: memory leak in the EncodeImageAttributes ...
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Other
Current
Other Other
: P3 - Medium : Normal (vote)
: ---
Assigned To: Petr Gajdos
E-mail List
https://smash.suse.de/issue/198117/
CVSSv3:RedHat:CVE-2018-5358:3.3:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-01-12 15:23 UTC by Victor Pereira
Modified: 2018-01-24 15:14 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
json.psd (63.13 KB, application/octet-stream)
2018-01-18 16:13 UTC, Marcus Meissner
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2018-01-12 15:23:10 UTC
CVE-2018-5358

ImageMagick 7.0.7-22 Q16 has memory leaks in the EncodeImageAttributes function
in coders/json.c, as demonstrated by the ReadPSDLayersInternal function in
coders/psd.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5358
https://github.com/ImageMagick/ImageMagick/issues/939
Comment 2 Marcus Meissner 2018-01-18 16:13:45 UTC
Created attachment 756672 [details]
json.psd

QA REPRODUCER:

ImageMagick:

valgrind --leak-check=full montage json.psd 1.json
Comment 3 Marcus Meissner 2018-01-18 16:15:40 UTC
SLE11 GM and IM have no JSON coder.
Neither seems to be in SLE12.
Comment 4 Petr Gajdos 2018-01-24 15:14:18 UTC
Indeed, neither it is part of HG/GraphicsMagick.

Commit is already part of just-commited devel/ImageMagick.

Fixed.