ALAS-2016-752


Amazon Linux 1 Security Advisory: ALAS-2016-752
Advisory Release Date: 2016-10-12 17:00 Pacific
Advisory Updated Date: 2016-10-12 17:00 Pacific
Severity: Medium

Issue Overview:

A possible heap overflow was discovered in the EscapeParenthesis() function (CVE-2016-7447).

Various issues were found in the processing of SVG files in GraphicsMagick (CVE-2016-7446).

The TIFF reader had a bug pertaining to use of TIFFGetField() when a 'count' value is returned. The bug caused a heap read overflow (due to using strlcpy() to copy a possibly unterminated string) which could allow an untrusted file to crash the software (CVE-2016-7449).

The Utah RLE reader did not validate that header information was reasonable given the file size and so it could cause huge memory allocations and/or consume huge amounts of CPU, causing a denial of service (CVE-2016-7448)


Affected Packages:

GraphicsMagick


Issue Correction:
Run yum update GraphicsMagick to update your system.

New Packages:
i686:
    GraphicsMagick-c++-devel-1.3.25-1.9.amzn1.i686
    GraphicsMagick-devel-1.3.25-1.9.amzn1.i686
    GraphicsMagick-1.3.25-1.9.amzn1.i686
    GraphicsMagick-c++-1.3.25-1.9.amzn1.i686
    GraphicsMagick-perl-1.3.25-1.9.amzn1.i686
    GraphicsMagick-debuginfo-1.3.25-1.9.amzn1.i686

noarch:
    GraphicsMagick-doc-1.3.25-1.9.amzn1.noarch

src:
    GraphicsMagick-1.3.25-1.9.amzn1.src

x86_64:
    GraphicsMagick-c++-1.3.25-1.9.amzn1.x86_64
    GraphicsMagick-1.3.25-1.9.amzn1.x86_64
    GraphicsMagick-perl-1.3.25-1.9.amzn1.x86_64
    GraphicsMagick-c++-devel-1.3.25-1.9.amzn1.x86_64
    GraphicsMagick-devel-1.3.25-1.9.amzn1.x86_64
    GraphicsMagick-debuginfo-1.3.25-1.9.amzn1.x86_64