Bug 1117463 (CVE-2018-19492)

Summary: VUL-1: CVE-2018-19492: gnuplot: an attacker can conduct a buffer overflow with an arbitrary amount of data in the cairotrm_options function
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: meissner, pgajdos, security-team, smash_bz, werner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/219617/
Whiteboard: CVSSv3:SUSE:CVE-2018-19492:4.4:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: /etc/ImageMagick-6/policy.xml modified

Description Robert Frohl 2018-11-27 12:27:24 UTC
CVE-2018-19492

An issue was discovered in cairo.trm in Gnuplot 5.2.5. This issue allows an
attacker to conduct a buffer overflow with an arbitrary amount of data in the
cairotrm_options function. This flaw is caused by a missing size check of an
argument passed to the "set font" function. This issue occurs when the Gnuplot
pngcairo terminal is used as a backend.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19492
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19492.html
http://www.cvedetails.com/cve/CVE-2018-19492/
https://sourceforge.net/p/gnuplot/bugs/2089/
Comment 1 Robert Frohl 2018-11-27 12:38:09 UTC
The changes are merged into one big patch for gnuplot 5.2 [0], for this case the changes to cairo.trm, metapost.trm and tgif.trm should be considered for this specific vulnerability.

The patch contains additional fixes for bsc#1117465, bsc#1117464 and additional issues that did not get a CVE assigned. It would be okay to apply the whole patch if that makes things easier.

Please note that there is a second commit for gnuplot 5.3, which is missing the changes for cairo.trm (should be d5020716834582b20a5e12cdd49f39ee4f9dd949)
 
[0] https://sourceforge.net/p/gnuplot/gnuplot-main/ci/e3cc539c23ceb1640395236248f0ab5a26397557/
Comment 2 Robert Frohl 2018-11-27 12:51:21 UTC
My investigation suggests that these codestreams are affected:
- SUSE:SLE-15:Update/gnuplot
- SUSE:SLE-12:Update/gnuplot

These are not affected:
- SUSE:SLE-11:Update/gnuplot
- SUSE:SLE-10-SP3:Update
Comment 3 Dr. Werner Fink 2018-11-28 09:51:38 UTC
(In reply to Robert Frohl from comment #1)
> The changes are merged into one big patch for gnuplot 5.2 [0], for this case
> the changes to cairo.trm, metapost.trm and tgif.trm should be considered for
> this specific vulnerability.
> 
> The patch contains additional fixes for bsc#1117465, bsc#1117464 and
> additional issues that did not get a CVE assigned. It would be okay to apply
> the whole patch if that makes things easier.
> 
> Please note that there is a second commit for gnuplot 5.3, which is missing
> the changes for cairo.trm (should be
> d5020716834582b20a5e12cdd49f39ee4f9dd949)
>  
> [0]
> https://sourceforge.net/p/gnuplot/gnuplot-main/ci/
> e3cc539c23ceb1640395236248f0ab5a26397557/

The commits e3cc539c23ceb1640395236248f0ab5a26397557 and d5020716834582b20a5e12cdd49f39ee4f9dd949 are almost identical; only the first one also includes the change for cairo.trm:

--- /dev/fd/63  2018-11-28 10:50:30.866710947 +0100
+++ /dev/fd/62  2018-11-28 10:50:30.866710947 +0100
@@ -1,4 +1,4 @@
-commit d5020716834582b20a5e12cdd49f39ee4f9dd949
+commit e3cc539c23ceb1640395236248f0ab5a26397557
 Author: Ethan A Merritt <merritt@u.washington.edu>
 Date:   Mon Nov 19 11:35:25 2018 -0800
 
@@ -11,7 +11,7 @@ Date:   Mon Nov 19 11:35:25 2018 -0800
         Nils Bars
     
     Bug 2088: term.c(strlen_tex)
-    Bug 2089: metapost.trm tgif.trm (arbitrarily long font name)
+    Bug 2089: cairo.trm metapost.trm tgif.trm (arbitrarily long font name)
     Bug 2092: cgm.trm overwrites trailing '\0' in default font name
               also context.trm emf.trm
     Bug 2094: also post.trm
[...]
+diff --git term/cairo.trm term/cairo.trm
+index c3f98c695..39a206681 100644
+--- term/cairo.trm
++++ term/cairo.trm
+@@ -295,7 +295,7 @@ TERM_PUBLIC void cairotrm_options()
+                               cairo_params->fontsize = 0;
+                       } else {
+                               sep = strcspn(s,",");
+-                              if (sep > 0) {
++                              if (0 < sep && sep < MAX_ID_LEN) {
+                                       strncpy(cairo_params->fontname, s, sep);
+                                       cairo_params->fontname[sep] = '\0';
+                               }
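Review bot: the new condition `if (0 < sep && sep < MAX_ID_LEN)` bounds the copy, so `strncpy(cairo_params->fontname, s, sep)` and the terminator write `cairo_params->fontname[sep] = '\0'` stay inside a fontname buffer of MAX_ID_LEN bytes (the buffer size itself is not visible in this hunk; the chosen bound only makes sense if that is its size). The old `sep > 0` accepted any length, which is the overflow described in the summary. One point to raise: a font name of MAX_ID_LEN or more characters now falls through the if without any diagnostic, so an overlong `set font` argument is silently ignored and the previous font name stays in effect; a warning on that branch would make the rejection visible to the user.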
Comment 4 Dr. Werner Fink 2018-11-28 12:14:14 UTC
(In reply to Robert Frohl from comment #2)
> My investigation suggests that these codestreams are affected:
> - SUSE:SLE-15:Update/gnuplot
> - SUSE:SLE-12:Update/gnuplot
> 
> these are not affected:
> - SUSE:SLE-11:Update/gnuplot
> - SUSE:SLE-10-SP3:Update

There is a problem with SLES-12 and ImageMagick

* Mon Oct 22 2018 pgajdos@suse.com
- security update (pict.c):
  * CVE-2017-14997 [bsc#1112399]
    + ImageMagick-CVE-2017-14997.patch

* Mon Oct 22 2018 pgajdos@suse.com
- fix regression in pict coder [bsc#1107609#c24]
  % ImageMagick-CVE-2018-16644.patch

* Mon Oct 22 2018 pgajdos@suse.com
- add a possibility to build with ASAN

* Fri Oct 12 2018 pgajdos@suse.com
- security update (bmp.c)
  * CVE-2018-18024 [bsc#1111069]
  * ImageMagick-CVE-2018-18024.patch

* Thu Oct 11 2018 pgajdos@suse.com
- security update (pcx.c)
  * CVE-2018-18016 [bsc#1111072]
    % ImageMagick-CVE-2017-13058.patch renamed to
    ImageMagick-CVE-2017-13058,CVE-2018-18016.patch

* Thu Oct 11 2018 pgajdos@suse.com
- security update (sgi.c)
  * CVE-2018-17965 [bsc#1110747]
    + ImageMagick-CVE-2018-17965.patch

* Thu Oct 11 2018 pgajdos@suse.com
- security update (dib.c and bmp.c)
  * CVE-2018-12600 [bsc#1098545]
    + ImageMagick-CVE-2018-12600.patch
  * CVE-2018-12599 [bsc#1098546]
    + ImageMagick-CVE-2018-12599.patch

* Wed Oct 10 2018 pgajdos@suse.com
- security update (pdb.c):
  * CVE-2018-17966 [bsc#1110746]
    + ImageMagick-CVE-2018-17966.patch

... this breaks build of gnuplot:

[  202s] convert: not authorized `zzgnuplot.ps' @ error/constitute.c/ReadImage/464.
[  202s] convert: no images defined `gnuplot11x.png' @ error/convert.c/ConvertImageCommand/3149.
[  202s] ----------------------------
[  202s] t4ht.c (2012-07-25-19:28 kpathsea)
[  202s] t4ht -f/gnuplot 
[  202s] (/usr/share/texmf/tex4ht/base/unix/tex4ht.env)
[  202s] Entering gnuplot.lg
[  202s] System call: dvips -E -Ppdf -mode ibmvga -D 110 -f gnuplot.idv -pp 2  > zzgnuplot.ps
[  202s] System return: 0
[  202s] System call: convert -trim +repage -density 110x110 -transparent '#FFFFFF' zzgnuplot.ps gnuplot0x.png
[  202s] --- Warning --- System return: 256
[  202s] System call: dvips -E -Ppdf -mode ibmvga -D 110 -f gnuplot.idv -pp 4  > zzgnuplot.ps
[  202s] System return: 0
Comment 5 Dr. Werner Fink 2018-11-28 13:49:27 UTC
It seems not to be possible to overwrite /etc/ImageMagick-6/policy.xml with a $HOME/.magic/policy.xml ... this breaks build here.  IMHO this is a nogo
Comment 6 Petr Gajdos 2018-11-28 14:25:29 UTC
Werner, you seem to be a little bit impatient. The relevant pointer for this issue is:

-------------------------------------------------------------------
Wed Aug 22 10:04:54 UTC 2018 - pgajdos@suse.com

- disable PS, PS2, PS3, XPS and PDF coders in default policy.xml
  [bsc#1105592]

(In reply to Dr. Werner Fink from comment #5)
> It seems not to be possible to overwrite /etc/ImageMagick-6/policy.xml with
> a $HOME/.magic/policy.xml ... this breaks build here.  IMHO this is a nogo

Yes, I still have not found a solution for SLE12. It is possible in newer ImageMagick versions, as can be seen from the following example:

https://build.opensuse.org/request/show/639367

But for ImageMagick-6.8.8-1 even the following does not work as I would expect:

  <policy domain="coder" rights="write" pattern="PS" />
  <policy domain="coder" rights="read" pattern="PS" />

(in one file) will actually disable reading and writing. Whether this is a nogo or enabling PS coders is a nogo, you should rather ask the security team ;).
Comment 7 Dr. Werner Fink 2018-11-28 14:48:48 UTC
(In reply to Petr Gajdos from comment #6)
> Werner, you seem to be little bit impatient. The relevant pointer for this
> issue is:
> 
> -------------------------------------------------------------------
> Wed Aug 22 10:04:54 UTC 2018 - pgajdos@suse.com
> 
> - disable PS, PS2, PS3, XPS and PDF coders in default policy.xml
>   [bsc#1105592]
> 
> (In reply to Dr. Werner Fink from comment #5)
> > It seems not to be possible to overwrite /etc/ImageMagick-6/policy.xml with
> > a $HOME/.magic/policy.xml ... this breaks build here.  IMHO this is a nogo
> 
> Yes, I still have not found a solution for SLE12. It is possible in newer
> ImageMagick versions as can be seen from following example:
> 
> https://rudin.suse.de:8894/request/show/639367

This seems to work if I use ~/.magick/policy.xml instead of ~/.config/ImageMagick/policy.xml
Comment 8 Dr. Werner Fink 2018-11-28 14:53:21 UTC
Yep, perfect, thanks!
Comment 9 Dr. Werner Fink 2018-11-28 15:02:09 UTC
(In reply to Dr. Werner Fink from comment #8)
> Yep, perfect, thanks!

Hmmm ... it had worked with my changed /etc/ImageMagick-6/policy.xml plus the new ~/.magick/policy.xml, but with the default /etc/ImageMagick-6/policy.xml it still does not work ... trying again
Comment 10 Dr. Werner Fink 2018-11-28 15:14:46 UTC
Created attachment 791173 [details]
/etc/ImageMagick-6/policy.xml modified

This is the policy I'm using with osc build --no-init in combination with the policy below ~/.magick/
Comment 11 Dr. Werner Fink 2018-11-28 15:34:52 UTC
OK, found the problem ... the /etc/ImageMagick-6/policy.xml wins over ~/.magick/policy.xml; that is, if you are using the modified system policy in combination with the ~/.magick/policy.xml it works ... also simply copying the ~/.magick/policy.xml to the system-wide policy works. But only the modified system policy does not.
Comment 12 Dr. Werner Fink 2018-11-28 15:36:15 UTC
convert -verbose -trim +repage -density 110x110 -transparent '#FFFFFF'  zzgnuplot.ps gnuplot0x.png 
"gs" -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=pngalpha" -dTextAlphaBits=4 -dGraphicsAlphaBits=4 "-r110x110" -g11x12  "-sOutputFile=/tmp/magick-224662xC-k0xfGA7f%d" "-f/tmp/magick-224665uRIUBN1cgYr" "-f/tmp/magick-22466RzTM38342bPD"

... there has to be the authorization for /tmp/ as well I guess
Comment 13 Dr. Werner Fink 2018-11-28 15:47:45 UTC
For me this looks as if the ~/.magick/policy.xml can extend the system-wide policy but not overwrite it
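The behaviour reported in comment 6 (two single-right entries in one file disable both reading and writing) and in comment 13 (a user policy can narrow but not widen the system policy) both follow from one evaluation rule: a right is granted only if every matching policy entry includes it. The script below is an added model of that rule, not ImageMagick's own code; the policy fragments are constructed samples, and glob matching of `pattern` via `fnmatch` is an assumption.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample: system policy after bsc#1105592 disabled the PS coder.
SYSTEM_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PDF" />
</policymap>"""

# Constructed sample: a ~/.magick/policy.xml that tries to re-enable PS.
USER_POLICY = """<policymap>
  <policy domain="coder" rights="read|write" pattern="PS" />
</policymap>"""

# The two-line example from comment 6, placed in a single file.
SPLIT_POLICY = """<policymap>
  <policy domain="coder" rights="write" pattern="PS" />
  <policy domain="coder" rights="read" pattern="PS" />
</policymap>"""


def parse_policies(xml_text):
    """Return (domain, pattern, granted_rights) for every <policy> element."""
    root = ET.fromstring(xml_text)
    entries = []
    for p in root.iter("policy"):
        rights = p.get("rights", "none")
        granted = set() if rights == "none" else set(rights.split("|"))
        entries.append((p.get("domain"), p.get("pattern"), granted))
    return entries


def authorized(policies, domain, name, right):
    """Assumed rule: the right must be present in EVERY matching entry.
    One restrictive entry therefore wins, regardless of file order,
    which is why a later user file cannot widen the system policy."""
    for d, pattern, granted in policies:
        if d == domain and fnmatch.fnmatchcase(name, pattern):
            if right not in granted:
                return False
    return True  # no matching policy: default is to allow


def effective_rights(*policy_files, domain="coder", name="PS"):
    """Merge several policy.xml texts (system first, user last) and
    report whether read and write are authorized for one coder."""
    policies = [e for f in policy_files for e in parse_policies(f)]
    return {r: authorized(policies, domain, name, r) for r in ("read", "write")}
```

`effective_rights(SYSTEM_POLICY, USER_POLICY)` stays fully denied even though the user file is read last, reproducing what comments 11 and 13 observed on SLE12.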
Comment 14 Petr Gajdos 2018-11-30 07:39:38 UTC
(In reply to Dr. Werner Fink from comment #13)
> For me this looks as the ~/.magick/policy.xml can extend the system wide
> policy but not overwrite

Yep, to me it looks like that as well; I plan to look at it today.
Comment 15 Petr Gajdos 2018-11-30 08:34:30 UTC
With 6.9.9-14, the system policy can be overridden by .magick/policy.xml.
Comment 16 Petr Gajdos 2018-11-30 09:02:59 UTC
MAGICK_CONFIGURE_PATH does not help either, even if the custom policy.xml is read first:

$ MAGICK_CONFIGURE_PATH=/home/abuild strace convert out.ps out.png 2>&1 | grep 'not authorized\|policy.xml'
open("/home/abuild/policy.xml", O_RDONLY) = 3
open("/usr/share/ImageMagick-6/policy.xml", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/ImageMagick-6.8.8//config-Q16/policy.xml", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ImageMagick-6/policy.xml", O_RDONLY) = 3
open("/usr/share/doc/packages/ImageMagick/policy.xml", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/home/abuild/.magick/policy.xml", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "abuild: not authorized `out.ps' "..., 66abuild: not authorized `out.ps' @ error/constitute.c/ReadImage/464) = 66
$
Comment 17 Petr Gajdos 2018-11-30 11:01:44 UTC
(In reply to Petr Gajdos from comment #15)
> With 6.9.9-14, the system policy can be overridden by .magick/policy.xml.

This appears to be a consequence of
https://github.com/ImageMagick/ImageMagick6/commit/af8ab904f1da20ed9f4738cdc737c0cdeed4ba80

After extracting the relevant part of the patch the policy overriding appears to work well. I also tried to enable something with system policy and disable it again in user policy.

Anyway, second pair of eyes would be appreciated.
Comment 18 Petr Gajdos 2018-11-30 12:14:41 UTC
Do we want to change the policy behavior described in comment 17 also for SLE12?

Another solution could perhaps be to create two conflicting packages providing the same file /etc/ImageMagick-6/policy.xml and the same symbol, e.g. ImageMagick-config and ImageMagick-config-insecure. The main package would then require the symbol. The BuildRequires of gnuplot (and others) could be ImageMagick-config-insecure. Either ImageMagick-config-insecure would not be shipped at all, or ImageMagick-config would be recommended by the main package. Untested, and not sure I see all difficulties.
Comment 19 Petr Gajdos 2018-11-30 12:26:13 UTC
I have now submitted the solution described in comment 17. security-team@, let me know if you want to try something else.
Comment 21 Marcus Meissner 2018-12-03 13:48:24 UTC
The ImageMagick policy patch looks OK to me as far as I understand it.
Comment 22 Marcus Meissner 2018-12-03 13:48:41 UTC
good for us -> needinfo provided
Comment 23 Dr. Werner Fink 2018-12-03 13:59:28 UTC
(In reply to Marcus Meissner from comment #22)
> good for us -> needinfo provided

Hmmm ... where will the new version of ImageMagick be active in SUSE_SLE-12_Update?
Comment 24 Marcus Meissner 2018-12-04 07:21:39 UTC
we will push an adjusted imagemagick to qa that can override policies via $HOME/.magick/policy.xml
Comment 27 Swamp Workflow Management 2018-12-07 17:28:54 UTC
SUSE-SU-2018:4023-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1057246,1113064,1117463
CVE References: CVE-2018-18544
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    ImageMagick-6.8.8.1-71.93.2
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.93.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ImageMagick-6.8.8.1-71.93.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.93.2
SUSE Linux Enterprise Server 12-SP4 (src):    ImageMagick-6.8.8.1-71.93.2
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.93.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    ImageMagick-6.8.8.1-71.93.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.93.2
Comment 28 Swamp Workflow Management 2018-12-08 14:14:00 UTC
openSUSE-SU-2018:4054-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1057246,1113064,1117463
CVE References: CVE-2018-18544
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-79.1
Comment 29 Swamp Workflow Management 2019-04-08 19:09:53 UTC
SUSE-SU-2019:0904-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1117463,1117464,1117465
CVE References: CVE-2018-19490,CVE-2018-19491,CVE-2018-19492
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    gnuplot-5.2.2-3.3.29

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 30 Swamp Workflow Management 2019-04-16 19:09:39 UTC
openSUSE-SU-2019:1216-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1117463,1117464,1117465
CVE References: CVE-2018-19490,CVE-2018-19491,CVE-2018-19492
Sources used:
openSUSE Leap 15.0 (src):    gnuplot-5.2.2-lp150.3.3.1
Comment 31 Marcus Meissner 2019-10-28 07:01:06 UTC
released
Comment 32 Swamp Workflow Management 2020-06-08 13:15:22 UTC
SUSE-SU-2020:14388-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1044638,1117463,1117464,1117465,375175
CVE References: CVE-2017-9670,CVE-2018-19490,CVE-2018-19491,CVE-2018-19492
Sources used:
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    gnuplot-4.2.3-7.3.22

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 33 Swamp Workflow Management 2020-06-18 13:13:51 UTC
SUSE-SU-2020:1660-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1044638,1117463,1117464,1117465
CVE References: CVE-2017-9670,CVE-2018-19490,CVE-2018-19491,CVE-2018-19492
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    gnuplot-4.6.5-3.3.74
SUSE Linux Enterprise Server 12-SP4 (src):    gnuplot-4.6.5-3.3.74

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.