Bug 1098546 (CVE-2018-12599)

Summary: VUL-0: CVE-2018-12599: GraphicsMagick,ImageMagick: out of bounds write in ReadBMPImage and WriteBMPImage in coders/bmp.c
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, pgajdos, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/208552/
Whiteboard: CVSSv3:SUSE:CVE-2018-12599:6.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) CVSSv3:RedHat:CVE-2018-12599:5.4:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L) CVSSv2:NVD:CVE-2018-12599:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv3:RedHat:CVE-2018-12599:5.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Alexander Bergmann 2018-06-21 07:31:13 UTC
Reproducer is not working under SLE.

https://github.com/ImageMagick/ImageMagick/files/2115374/poc.zip

#> valgrind --leak-check=full --show-leak-kinds=all convert ./poc output.bmp
ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Comment 2 Petr Gajdos 2018-06-25 16:48:32 UTC
BEFORE

15/ImageMagick

$ valgrind -q convert poc output.bmp
==8108== Invalid write of size 1
==8108==    at 0x982042A: WriteBMPImage (bmp.c:2061)
==8108==    by 0x4ECDEC7: WriteImage (constitute.c:1124)
==8108==    by 0x4ECE70B: WriteImages (constitute.c:1338)
==8108==    by 0x542F15D: ConvertImageCommand (convert.c:3280)
==8108==    by 0x54B389E: MagickCommandGenesis (mogrify.c:183)
==8108==    by 0x109434: MagickMain (magick.c:149)
==8108==    by 0x109571: main (magick.c:180)
==8108==  Address 0x1237aa800 is not stack'd, malloc'd or (recently) free'd
==8108== 
/root/bin/vgq: line 3:  8108 Aborted                 (core dumped) valgrind -q $@
$

12/ImageMagick

$ valgrind -q convert poc output.bmp
convert: Corrupt JPEG data: 68 extraneous bytes before marker 0xdb `poc' @ warning/jpeg.c/JPEGWarningHandler/349.
convert: Corrupt JPEG data: 783 extraneous bytes before marker 0xda `poc' @ warning/jpeg.c/JPEGWarningHandler/349.
convert: Quantization table 0x00 was not defined `poc' @ error/jpeg.c/JPEGErrorHandler/319.
convert: no images defined `output.bmp' @ error/convert.c/ConvertImageCommand/3149.
$

11/ImageMagick

$ valgrind -q convert poc output.bmp
convert: Quantization table 0x00 was not defined `poc'.
convert: missing an image filename `output.bmp'.
$

11/GraphicsMagick

$ valgrind -q gm convert poc output.bmp
gm convert: Quantization table 0x00 was not defined (poc).
$

42.3/GraphicsMagick

$ valgrind -q gm convert poc output.bmp
gm convert: Quantization table 0x00 was not defined (poc).
$

15.0/GraphicsMagick

$ valgrind -q gm convert poc output.bmp
gm convert: Quantization table 0x00 was not defined (poc).
$


PATCH

see comment 0
12/ImageMagick: bmp_info.image_size is unsigned int, affected
11/ImageMagick: bmp_info.image_size is unsigned long, considering partially affected (MagickMax)
11/GraphicsMagick: bmp_info.image_size is unsigned long, considering not affected
42.3,15.0,HG/GraphicsMagick: bmp_info.image_size is unsigned long, according to upstream unaffected


AFTER

15/ImageMagick

$ valgrind -q convert poc output.bmp
[run long, 100% cpu]

However, this can be overcome by a relevant setting in /etc/ImageMagick*/policy.xml, e.g. by:

  <policy domain="resource" name="width" value="10KP"/>
  <policy domain="resource" name="height" value="10KP"/>

to limit the vertical and horizontal size of the image. Then:

$ valgrind -q convert poc output.bmp
convert: Corrupt JPEG data: 68 extraneous bytes before marker 0xdb `poc' @ warning/jpeg.c/JPEGWarningHandler/365.
convert: Corrupt JPEG data: 783 extraneous bytes before marker 0xda `poc' @ warning/jpeg.c/JPEGWarningHandler/365.
convert: width or height exceeds limit `poc' @ error/cache.c/OpenPixelCache/3688.
convert: no images defined `output.bmp' @ error/convert.c/ConvertImageCommand/3275.
$
[crash fixed]

12/ImageMagick

$ valgrind -q convert poc output.bmp
convert: Corrupt JPEG data: 68 extraneous bytes before marker 0xdb `poc' @ warning/jpeg.c/JPEGWarningHandler/349.
convert: Corrupt JPEG data: 783 extraneous bytes before marker 0xda `poc' @ warning/jpeg.c/JPEGWarningHandler/349.
convert: Quantization table 0x00 was not defined `poc' @ error/jpeg.c/JPEGErrorHandler/319.
convert: no images defined `output.bmp' @ error/convert.c/ConvertImageCommand/3149.
$
[no change]

11/ImageMagick

$ valgrind -q convert poc output.bmp
convert: Quantization table 0x00 was not defined `poc'.
convert: missing an image filename `output.bmp'.
$
[no change]
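The mitigation shown in the comment above relies on `policy.xml` carrying `width` and `height` resource limits, which stock installations often leave out. The following is an added example, not code from SUSE, ImageMagick or this bug report: it parses a `policy.xml` document, converts the limit values (including the `10KP` form used above) into plain integers, and reports which required resource limits are absent or set to `unlimited`. The two policy documents embedded in it are constructed samples, one without the limits and one with them; the suffix handling (K/M/G/T with an optional `i` for the 1024-based form, trailing `P` for pixels or `B` for bytes) is a simplification of ImageMagick's own and is an assumption of this example.

```python
"""Audit an ImageMagick policy.xml for the pixel-dimension resource limits.

Added example; not part of the bug report or of ImageMagick.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Simplified scale table (assumption): decimal prefixes, and the "i" variants
# as powers of 1024, mirroring the 10KP / 256MiB spellings used in policy.xml.
_DECIMAL = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
_BINARY = {"K": 1024, "M": 1024**2, "G": 1024**3, "T": 1024**4}
_LIMIT_RE = re.compile(r"^\s*(\d+)\s*([KMGT]?)(i?)([PB]?)\s*$", re.IGNORECASE)


def parse_limit(value):
    """Return a resource limit as an integer, or None for 'unlimited'."""
    if value.strip().lower() == "unlimited":
        return None
    match = _LIMIT_RE.match(value)
    if not match:
        raise ValueError(f"unrecognised resource limit: {value!r}")
    number, prefix, binary, _unit = match.groups()
    prefix = prefix.upper()
    scale = 1
    if prefix:
        scale = (_BINARY if binary else _DECIMAL)[prefix]
    return int(number) * scale


def effective_limits(policy_xml):
    """Map every <policy domain="resource"> name to its parsed limit."""
    root = ET.fromstring(policy_xml)  # ElementTree does not fetch external entities
    limits = {}
    for policy in root.iter("policy"):
        if policy.get("domain") != "resource":
            continue
        name, value = policy.get("name"), policy.get("value")
        if name and value is not None:
            limits[name] = parse_limit(value)
    return limits


def missing_resource_limits(policy_xml, required=("width", "height")):
    """Names from `required` that are absent or explicitly unlimited."""
    limits = effective_limits(policy_xml)
    return [name for name in required if limits.get(name) is None]


# Constructed sample policies: the weak one has no dimension limits at all.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="width" value="unlimited"/>
</policymap>"""

# The hardened one adds the two limits from the comment above.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="width" value="10KP"/>
  <policy domain="resource" name="height" value="10KP"/>
</policymap>"""


if __name__ == "__main__":
    # Pass a real policy.xml path to audit it; otherwise check the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            documents = {sys.argv[1]: fh.read()}
    else:
        documents = {"weak sample": WEAK_POLICY, "hardened sample": HARDENED_POLICY}
    for label, xml in documents.items():
        missing = missing_resource_limits(xml)
        status = "missing " + ", ".join(missing) if missing else "ok"
        print(f"{label}: {status}")
```

Run it with the path of the installed `policy.xml` (the glob `/etc/ImageMagick*/policy.xml` from the comment resolves to the actual file) to see whether the width and height caps are in force; the `unlimited` check matters because a policy can name the resource and still impose no bound.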
Comment 3 Petr Gajdos 2018-06-25 16:49:38 UTC
Will submit for: 15/ImageMagick, 12/ImageMagick and 11/ImageMagick.
Comment 4 Petr Gajdos 2018-06-25 17:27:47 UTC
I believe all fixed.
Comment 7 Swamp Workflow Management 2018-07-23 19:09:06 UTC
SUSE-SU-2018:2043-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1094742,1094745,1095812,1096200,1096203,1098545,1098546
CVE References: CVE-2018-10805,CVE-2018-11624,CVE-2018-11625,CVE-2018-12599,CVE-2018-12600
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.9.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.9.1
Comment 8 Swamp Workflow Management 2018-07-28 14:01:58 UTC
openSUSE-SU-2018:2123-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1094742,1094745,1095812,1096200,1096203,1098545,1098546
CVE References: CVE-2018-10805,CVE-2018-11624,CVE-2018-11625,CVE-2018-12599,CVE-2018-12600
Sources used:
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.6.1
Comment 10 Swamp Workflow Management 2018-08-21 10:13:17 UTC
SUSE-SU-2018:2465-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1056277,1094204,1094237,1095812,1098545,1098546,1102003,1102004,1102005,1102007
CVE References: CVE-2017-13758,CVE-2017-18271,CVE-2018-10805,CVE-2018-11251,CVE-2018-12599,CVE-2018-12600,CVE-2018-14434,CVE-2018-14435,CVE-2018-14436,CVE-2018-14437
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-78.56.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-78.56.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.56.1
Comment 11 Marcus Meissner 2018-10-05 06:21:15 UTC
all released
Comment 14 Swamp Workflow Management 2018-10-17 10:11:45 UTC
SUSE-SU-2018:3191-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1098545,1098546,1110746,1110747,1111069,1111072
CVE References: CVE-2017-13058,CVE-2018-12599,CVE-2018-12600,CVE-2018-17965,CVE-2018-17966,CVE-2018-18016,CVE-2018-18024
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.82.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.82.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.82.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.82.1
Comment 15 Swamp Workflow Management 2018-10-18 17:26:59 UTC
openSUSE-SU-2018:3225-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1098545,1098546,1110746,1110747,1111069,1111072
CVE References: CVE-2017-13058,CVE-2018-12599,CVE-2018-12600,CVE-2018-17965,CVE-2018-17966,CVE-2018-18016,CVE-2018-18024
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-73.1
Comment 16 OBSbugzilla Bot 2021-10-04 16:40:38 UTC
This is an autogenerated message for OBS integration:
This bug (1098546) was mentioned in
https://build.opensuse.org/request/show/923064 Factory / ImageMagick
Comment 17 OBSbugzilla Bot 2021-10-05 10:40:37 UTC
This is an autogenerated message for OBS integration:
This bug (1098546) was mentioned in
https://build.opensuse.org/request/show/923178 Factory / ImageMagick