Bugzilla – Full Text Bug Listing

| Summary: | VUL-1: CVE-2018-11624: GraphicsMagick,ImageMagick: use after free in ReadMATImage function in coders/mat.c | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Karol Babioch <karol> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Minor | | |
| Priority: | P4 - Low | CC: | smash_bz |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/206845/ | | |
| Whiteboard: | CVSSv2:NVD:CVE-2018-11624:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv3:RedHat:CVE-2018-11624:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv3:SUSE:CVE-2018-11624:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Karol Babioch
2018-06-06 09:30:18 UTC
BEFORE

```
15/ImageMagick $ valgrind -q identify poc
==26185== Invalid read of size 8
==26185==    at 0x4E8BAF4: CloseBlob (blob.c:605)
==26185==    by 0x920EA3F: ReadMATImage (mat.c:1238)
==26185==    by 0x4EB6EA9: ReadImage (constitute.c:558)
==26185==    by 0x4FD69EB: ReadStream (stream.c:1043)
==26185==    by 0x4EB6962: PingImage (constitute.c:226)
==26185==    by 0x4EB6BDA: PingImages (constitute.c:327)
==26185==    by 0x535FF03: IdentifyImageCommand (identify.c:319)
==26185==    by 0x538DAF4: MagickCommandGenesis (mogrify.c:183)
==26185==    by 0x10937F: MagickMain (magick.c:149)
==26185==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
==26185==  Address 0x8e6e030 is 13,392 bytes inside a block of size 13,504 free'd
==26185==    at 0x4C2F2BB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26185==    by 0x4F4F37E: RelinquishMagickMemory (memory.c:1058)
==26185==    by 0x9210933: ReadMATImage (mat.c:1084)
==26185==    by 0x4EB6EA9: ReadImage (constitute.c:558)
==26185==    by 0x4FD69EB: ReadStream (stream.c:1043)
==26185==    by 0x4EB6962: PingImage (constitute.c:226)
==26185==    by 0x4EB6BDA: PingImages (constitute.c:327)
==26185==    by 0x535FF03: IdentifyImageCommand (identify.c:319)
==26185==    by 0x538DAF4: MagickCommandGenesis (mogrify.c:183)
==26185==    by 0x10937F: MagickMain (magick.c:149)
==26185==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
==26185==  Block was alloc'd at
==26185==    at 0x4C2E08F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26185==    by 0x4F3CDDF: AcquireCriticalMemory (memory-private.h:64)
==26185==    by 0x4F3CDDF: AcquireImage (image.c:171)
==26185==    by 0x920E508: ReadMATImage (mat.c:895)
==26185==    by 0x4EB6EA9: ReadImage (constitute.c:558)
==26185==    by 0x4FD69EB: ReadStream (stream.c:1043)
==26185==    by 0x4EB6962: PingImage (constitute.c:226)
==26185==    by 0x4EB6BDA: PingImages (constitute.c:327)
==26185==    by 0x535FF03: IdentifyImageCommand (identify.c:319)
==26185==    by 0x538DAF4: MagickCommandGenesis (mogrify.c:183)
==26185==    by 0x10937F: MagickMain (magick.c:149)
==26185==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
==26185==
identify: MagickCore/blob.c:605: CloseBlob: Assertion `image->signature == MagickCoreSignature' failed.
/root/bin/vgq: line 3: 26185 Aborted (core dumped) valgrind -q $@
$
```

```
12/ImageMagick $ valgrind -q identify poc
identify: UnsupportedCellTypeInTheMatrix `poc' @ error/mat.c/ReadMATImage/1078.
$
```

```
11/ImageMagick $ valgrind -q identify mat:poc
identify: UnsupportedCellTypeInTheMatrix `poc'.
$
```

[note the mat: prefix, otherwise command quits sooner via 'no decode delegate']

```
11/GraphicsMagick $ valgrind -q gm identify mat:poc
gm identify: Unsupported cell type in the matrix (poc).
$
```

```
42.3,15.0/GraphicsMagick $ valgrind -q gm identify poc
gm identify: Unsupported cell type in the matrix (poc).
gm identify: Request did not return an image.
$
```

PATCH

https://github.com/ImageMagick/ImageMagick6/commit/172d82afe89d3499ef0cab06dc58d380cc1ab946

15/ImageMagick: the fix is needed
11,12/ImageMagick: already solved via ImageMagick-mat.c-update.patch
11/GraphicsMagick: no image2 code
42.3/GraphicsMagick: already solved in ThrowImg2MATReaderException() via GraphicsMagick-mat.c-update.patch
15.0/GraphicsMagick: already solved

AFTER

```
15/ImageMagick $ valgrind -q identify poc
identify: UnsupportedCellTypeInTheMatrix `poc' @ error/mat.c/ReadMATImage/1088.
$
```

Given the date of the upstream bug and the date of ImageMagick-mat.c-update.patch, I will consider 11,12/ImageMagick unaffected, as the bug was probably introduced between these dates. Also, the bug seems to have never existed in 42.3/GraphicsMagick, as ThrowImg2MATReaderException() was introduced with ImageMagick-mat.c-update.patch with the correct shape. I consider 15/ImageMagick the only affected codestream.

I believe all fixed.

SUSE-SU-2018:2043-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1094742,1094745,1095812,1096200,1096203,1098545,1098546
CVE References: CVE-2018-10805,CVE-2018-11624,CVE-2018-11625,CVE-2018-12599,CVE-2018-12600
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src): ImageMagick-7.0.7.34-3.9.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src): ImageMagick-7.0.7.34-3.9.1

openSUSE-SU-2018:2123-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1094742,1094745,1095812,1096200,1096203,1098545,1098546
CVE References: CVE-2018-10805,CVE-2018-11624,CVE-2018-11625,CVE-2018-12599,CVE-2018-12600
Sources used:
openSUSE Leap 15.0 (src): ImageMagick-7.0.7.34-lp150.2.6.1

released

This is an autogenerated message for OBS integration:
This bug (1096203) was mentioned in
https://build.opensuse.org/request/show/923064 Factory / ImageMagick

This is an autogenerated message for OBS integration:
This bug (1096203) was mentioned in
https://build.opensuse.org/request/show/923178 Factory / ImageMagick
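The failure pattern behind the valgrind trace in the first comment (image block freed from mat.c:1084, then dereferenced by CloseBlob called from mat.c:1238), as an added C model that is neither ImageMagick's code nor part of this bug report: the struct layout, the cell-type value and all function bodies are assumptions, and it puts the vulnerable clean-up shape next to the ordering an error exit needs.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed model of the clean-up ordering behind CVE-2018-11624, not ImageMagick's
 * code: names follow the valgrind trace above; struct layout and cell-type value are assumed. */
#define MAGICK_SIGNATURE    0xabacadabUL
#define CELL_TYPE_SUPPORTED 6            /* assumed value, not from mat.c */
typedef struct { unsigned long signature; } Image;
static int live_closes;                  /* close_blob() calls that passed the liveness check */
static Image *acquire_image(void) {      /* AcquireImage in the trace */
    Image *image = calloc(1, sizeof *image);
    if (image == NULL) abort();
    image->signature = MAGICK_SIGNATURE;
    return image;
}
static void close_blob(Image *image) {   /* same check as the assertion at blob.c:605 */
    if (image->signature != MAGICK_SIGNATURE) { fputs("CloseBlob on dead image\n", stderr); abort(); }
    live_closes++;
}
static void destroy_image(Image *image) { /* DestroyImage: poison the signature, then free */
    image->signature = ~MAGICK_SIGNATURE;
    free(image);
}
/* Vulnerable shape: the error branch frees the image (mat.c:1084 in the trace) and then
 * falls through to the shared exit that closes the blob (mat.c:1238). Not called by main;
 * running it under valgrind reproduces the "Invalid read" in the report. */
Image *read_mat_image_vulnerable(int cell_type) {
    Image *image = acquire_image();
    if (cell_type != CELL_TYPE_SUPPORTED)
        destroy_image(image);            /* image is gone ... */
    close_blob(image);                   /* ... but the shared exit still dereferences it */
    return cell_type == CELL_TYPE_SUPPORTED ? image : NULL;
}
/* Fixed shape: an error exit closes the blob while the image is alive, destroys it and
 * returns at once, so no later line in the function can touch the stale pointer. */
Image *read_mat_image_fixed(int cell_type) {
    Image *image = acquire_image();
    if (cell_type != CELL_TYPE_SUPPORTED) {
        close_blob(image);
        destroy_image(image);
        return NULL;
    }
    close_blob(image);
    return image;
}
int main(void) {
    Image *image = read_mat_image_fixed(CELL_TYPE_SUPPORTED + 1);   /* unsupported cell type */
    printf("fixed reader returned %s, live closes: %d\n", image ? "image" : "NULL", live_closes);
    return 0;
}
```

The `live_closes` counter only goes up when the signature check passes, so it records that every exit of the fixed reader closed the blob on a still-valid image.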