Bug 1132060 (CVE-2019-11007)

Summary: VUL-1: CVE-2019-11007: GraphicsMagick,ImageMagick: a heap-based buffer over-read in the ReadMNGImage function of coders/png.c allows attackers to cause a denial of service or information disclosure
Product: [openSUSE] openSUSE Distribution
Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P4 - Low
CC: pgajdos, smash_bz
Version: Leap 42.3
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/229219/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexandros Toptsoglou 2019-04-10 08:55:34 UTC
CVE-2019-11007

In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buffer
over-read in the ReadMNGImage function of coders/png.c, which allows attackers
to cause a denial of service or information disclosure via an image colormap.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11007
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11007.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11007
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/40fc71472b98
https://sourceforge.net/p/graphicsmagick/bugs/596/
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/86a9295e7c83
Comment 1 Alexandros Toptsoglou 2019-04-11 11:23:47 UTC
A fix is available in [1] and a POC at [2].
To run the POC, simply:
valgrind gm convert $POC /dev/null

Affects GraphicsMagick in: TW, Leap 15.0, expect also 42.3 (did not test)
Does not affect ImageMagick

[1] http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/86a9295e7c83
[2] https://sourceforge.net/p/graphicsmagick/bugs/596/attachment/heap_buffer_overflow_in_ReadMNGImage
Comment 2 Petr Gajdos 2019-04-15 14:48:44 UTC
Thanks for the analysis. Yes, the testcase does exhibit the issue only in GraphicsMagick:

BEFORE

42.3,15.0/GraphicsMagick

$ valgrind  -q gm convert heap_buffer_overflow_in_ReadMNGImage /dev/null
--9728-- WARNING: Serious error when reading debug info
--9728-- When reading debug info from /usr/lib64/GraphicsMagick-1.3.29/modules-Q16/coders/png.so:
--9728-- get_Form_contents: DW_FORM_GNU_strp_alt used, but no alternate .debug_str
==9728== Invalid read of size 8
==9728==    at 0x4C34CF0: memmove (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9728==    by 0x4EF32B8: UnknownInlinedFun (string_fortified.h:34)
==9728==    by 0x4EF32B8: CloneImage (image.c:1162)
==9728==    by 0x4EC11C2: CompositeImage (composite.c:3221)
==9728==    by 0x4F40942: CoalesceImages (transform.c:408)
==9728==    by 0x7A815AC: ReadMNGImage (png.c:6078)
==9728==    by 0x4EC5A4A: ReadImage (constitute.c:1607)
==9728==    by 0x4EA5D84: ConvertImageCommand (command.c:4348)
==9728==    by 0x4E967BB: MagickCommand (command.c:8872)
==9728==    by 0x4E978C5: GMCommandSingle (command.c:17393)
==9728==    by 0x4EB84CD: GMCommand (command.c:17446)
==9728==    by 0x5450F49: (below main) (in /lib64/libc-2.26.so)
==9728==  Address 0x7684358 is 0 bytes after a block of size 8 alloc'd
==9728==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9728==    by 0x4E8C7B7: AllocateImageColormap (colormap.c:76)
==9728==    by 0x7A7D93A: ReadOnePNGImage (png.c:2161)
==9728==    by 0x7A7F3A0: ReadMNGImage (png.c:5391)
==9728==    by 0x4EC5A4A: ReadImage (constitute.c:1607)
==9728==    by 0x4EA5D84: ConvertImageCommand (command.c:4348)
==9728==    by 0x4E967BB: MagickCommand (command.c:8872)
==9728==    by 0x4E978C5: GMCommandSingle (command.c:17393)
==9728==    by 0x4EB84CD: GMCommand (command.c:17446)
==9728==    by 0x5450F49: (below main) (in /lib64/libc-2.26.so)
==9728== 
$

15,12/ImageMagick
$ valgrind  -q convert mng:heap_buffer_overflow_in_ReadMNGImage out
$

PATCH

GraphicsMagick:
comment 0
ImageMagick: however, a patch that looks similar was added upstream recently; I propose to backport it:
https://github.com/ImageMagick/ImageMagick/commit/74d260c405b92de374513719340317e1ce27a023


AFTER

15.0,42.3/GraphicsMagick

$ valgrind  -q gm convert heap_buffer_overflow_in_ReadMNGImage /dev/null
$

15,12/ImageMagick
$ valgrind  -q convert heap_buffer_overflow_in_ReadMNGImage /dev/null
$
[no change in output]
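Added example, not part of the bug report or of either project's code: a small Python triage helper that parses Valgrind memcheck output like the pre-patch run quoted in Comment 2 and reports what was accessed, which heap block it overran, and the first frame of each stack that lies inside the coder under suspicion. Run on the log above (embedded inline, with the command.c frames trimmed), it shows an 8-byte read starting 0 bytes past an 8-byte block allocated by AllocateImageColormap and reached from ReadMNGImage through CoalesceImages, which is what ties the trace to the "via an image colormap" wording of the CVE text. The function and field names are the example's own; the log format is Valgrind's standard memcheck output.

```python
"""Triage helper for Valgrind memcheck output (example code, not GraphicsMagick's)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Memcheck output copied from Comment 2 above (pre-patch GraphicsMagick run);
# the four command.c frames of each stack were trimmed to keep the sample short.
SAMPLE_LOG = """\
--9728-- WARNING: Serious error when reading debug info
--9728-- get_Form_contents: DW_FORM_GNU_strp_alt used, but no alternate .debug_str
==9728== Invalid read of size 8
==9728==    at 0x4C34CF0: memmove (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9728==    by 0x4EF32B8: UnknownInlinedFun (string_fortified.h:34)
==9728==    by 0x4EF32B8: CloneImage (image.c:1162)
==9728==    by 0x4EC11C2: CompositeImage (composite.c:3221)
==9728==    by 0x4F40942: CoalesceImages (transform.c:408)
==9728==    by 0x7A815AC: ReadMNGImage (png.c:6078)
==9728==    by 0x4EC5A4A: ReadImage (constitute.c:1607)
==9728==    by 0x5450F49: (below main) (in /lib64/libc-2.26.so)
==9728==  Address 0x7684358 is 0 bytes after a block of size 8 alloc'd
==9728==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9728==    by 0x4E8C7B7: AllocateImageColormap (colormap.c:76)
==9728==    by 0x7A7D93A: ReadOnePNGImage (png.c:2161)
==9728==    by 0x7A7F3A0: ReadMNGImage (png.c:5391)
==9728==    by 0x4EC5A4A: ReadImage (constitute.c:1607)
==9728==    by 0x5450F49: (below main) (in /lib64/libc-2.26.so)
==9728== 
"""

PID_RE = re.compile(r"^==\d+==\s?(.*)$")                       # memcheck lines carry ==pid==
ERROR_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^\s*(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \((.*)\)$")
ADDR_RE = re.compile(r"^\s*Address 0x[0-9A-Fa-f]+ is (\d+) bytes (after|before|inside) "
                     r"a block of size (\d+) (alloc'd|free'd)$")


@dataclass
class MemcheckError:
    kind: str                                    # "read" or "write"
    size: int                                    # bytes accessed
    access_frames: list = field(default_factory=list)   # (function, location) pairs
    offset: Optional[int] = None                 # distance from the block boundary
    relation: Optional[str] = None               # "after", "before" or "inside"
    block_size: Optional[int] = None
    block_state: Optional[str] = None            # "alloc'd" or "free'd"
    alloc_frames: list = field(default_factory=list)


def parse_memcheck(log: str) -> list:
    """Return one MemcheckError per 'Invalid read/write' record in the log."""
    errors, current, in_alloc = [], None, False
    for raw in log.splitlines():
        m = PID_RE.match(raw)
        if not m:                       # "--pid--" warnings, shell prompts, other noise
            continue
        text = m.group(1)
        if not text.strip():            # a blank "==pid==" line closes the record
            current, in_alloc = None, False
            continue
        em = ERROR_RE.match(text)
        if em:
            current = MemcheckError(kind=em.group(1), size=int(em.group(2)))
            errors.append(current)
            in_alloc = False
            continue
        if current is None:
            continue
        am = ADDR_RE.match(text)
        if am:                          # frames after this line describe the allocation
            current.offset, current.relation = int(am.group(1)), am.group(2)
            current.block_size, current.block_state = int(am.group(3)), am.group(4)
            in_alloc = True
            continue
        fm = FRAME_RE.match(text)
        if fm:
            (current.alloc_frames if in_alloc else current.access_frames).append(
                (fm.group(1), fm.group(2)))
    return errors


def first_source_frame(frames):
    """First frame with a file:line location, skipping shared-object and inlined pseudo-frames."""
    for func, loc in frames:
        if not loc.startswith("in ") and func != "UnknownInlinedFun":
            return (func, loc)
    return None


def frame_in_file(frames, filename):
    """First frame whose source file is `filename` (e.g. the coder being reviewed)."""
    for func, loc in frames:
        if loc.rsplit(":", 1)[0] == filename:
            return (func, loc)
    return None


def bytes_past_end(err: MemcheckError) -> int:
    """How far an access landing 'after' a block reaches beyond its end."""
    if err.relation != "after" or err.offset is None:
        return 0
    return err.offset + err.size


def triage(log: str, coder_file: str = "png.c") -> dict:
    """Summarise the first error: the access, the block it hit, and both stacks' key frames."""
    errs = parse_memcheck(log)
    if not errs:
        return {"errors": 0}            # e.g. the post-patch runs, which print nothing
    e = errs[0]
    return {"errors": len(errs), "kind": e.kind, "size": e.size, "relation": e.relation,
            "block_size": e.block_size, "block_state": e.block_state,
            "overrun_bytes": bytes_past_end(e),
            "fault_site": first_source_frame(e.access_frames),
            "fault_in_coder": frame_in_file(e.access_frames, coder_file),
            "alloc_site": first_source_frame(e.alloc_frames),
            "alloc_in_coder": frame_in_file(e.alloc_frames, coder_file)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feeding the post-patch output (just the prompt lines, no `==pid==` records) yields `{"errors": 0}`, which is the check to script into a regression run of the testcase: the reproduction from Comment 1 under `valgrind -q` should stay silent on a fixed build.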
Comment 3 Petr Gajdos 2019-04-15 14:49:14 UTC
Will submit for: 15.0,42.3/GraphicsMagick and 11,12/ImageMagick.
Comment 4 Petr Gajdos 2019-04-16 15:32:42 UTC
Packages submitted.

I believe all fixed.
Comment 6 Swamp Workflow Management 2019-04-16 16:10:24 UTC
This is an autogenerated message for OBS integration:
This bug (1132060) was mentioned in
https://build.opensuse.org/request/show/694830 15.0 / GraphicsMagick
https://build.opensuse.org/request/show/694831 42.3 / GraphicsMagick
Comment 7 Swamp Workflow Management 2019-04-24 15:52:28 UTC
SUSE-SU-2019:1019-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1122033,1130330,1131317,1132054,1132060
CVE References: CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-9956
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ImageMagick-7.0.7.34-3.54.3
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.54.3
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.54.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2019-04-25 16:18:00 UTC
SUSE-SU-2019:1033-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956
Sources used:
SUSE OpenStack Cloud 7 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-LTSS (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Enterprise Storage 4 (src):    ImageMagick-6.8.8.1-71.108.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2019-04-25 19:11:00 UTC
openSUSE-SU-2019:1272-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1132053,1132054,1132055,1132058,1132060,1132061
CVE References: CVE-2019-11005,CVE-2019-11006,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-11010
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-132.1
openSUSE Leap 15.0 (src):    GraphicsMagick-1.3.29-lp150.3.25.1
Comment 10 Swamp Workflow Management 2019-04-27 01:13:38 UTC
SUSE-SU-2019:1033-2: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ImageMagick-6.8.8.1-71.108.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2019-04-29 22:15:20 UTC
openSUSE-SU-2019:1295-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1132053,1132054,1132055,1132058,1132060,1132061
CVE References: CVE-2019-11005,CVE-2019-11006,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-11010
Sources used:
openSUSE Backports SLE-15 (src):    GraphicsMagick-1.3.29-bp150.2.18.1
Comment 12 Petr Gajdos 2019-04-30 11:54:04 UTC
(In reply to Petr Gajdos from comment #3)
> Will submit for: 15.0,42.3/GraphicsMagick and 11,12/ImageMagick.

That should have been: 15,12/ImageMagick
Comment 15 Swamp Workflow Management 2019-05-03 19:15:34 UTC
openSUSE-SU-2019:1320-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-82.1
Comment 16 Swamp Workflow Management 2019-05-04 13:11:25 UTC
openSUSE-SU-2019:1331-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1122033,1130330,1131317,1132054,1132060
CVE References: CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-9956
Sources used:
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.29.1
Comment 17 Swamp Workflow Management 2019-05-10 19:18:43 UTC
SUSE-SU-2019:14043-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1130330,1131317,1132053,1132060,1133204,1133205,1133498,1133501
CVE References: CVE-2019-10650,CVE-2019-11007,CVE-2019-11009,CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-9956
Sources used:
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.97.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2019-05-28 13:31:11 UTC
This is an autogenerated message for OBS integration:
This bug (1132060) was mentioned in
https://build.opensuse.org/request/show/705902 15.1 / GraphicsMagick
Comment 19 Marcus Meissner 2019-07-10 05:33:10 UTC
released