Bug 1133205 (CVE-2019-11470)

Summary: VUL-1: CVE-2019-11470: ImageMagick: The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size.
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: apappas, meissner, pgajdos, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/230156/
Whiteboard: CVSSv3:SUSE:CVE-2019-11470:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: c.cin

Description Marcus Meissner 2019-04-24 06:27:14 UTC
CVE-2019-11470

The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to
cause a denial-of-service (uncontrolled resource consumption) by crafting a
Cineon image with an incorrect claimed image size. This occurs because
ReadCINImage in coders/cin.c lacks a check for insufficient image data in a
file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11470
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11470.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11470
https://github.com/ImageMagick/ImageMagick/issues/1472
https://github.com/ImageMagick/ImageMagick/commit/e3cdce6fe12193f235b8c0ae5efe6880a25eb957
Comment 1 Marcus Meissner 2019-04-24 06:29:18 UTC
Created attachment 803465
c.cin

QA REPRODUCER:

convert c.cin /tmp/test.jpg

should not create a HUGE /tmp/test.jpg file and not take very long to run
Comment 2 Marcus Meissner 2019-04-24 06:29:51 UTC
GM has checks against the ridiculous sizes -> not affected
Comment 3 Petr Gajdos 2019-04-30 08:41:04 UTC
AFTER

15,12/ImageMagick

$ convert c.cin /tmp/test.jpg
convert: insufficient image data in file `c.cin' @ error/cin.c/ReadCINImage/730.
convert: no images defined `/tmp/test.jpg' @ error/convert.c/ConvertImageCommand/3275.
$
[exits immediately]
Comment 6 Petr Gajdos 2019-05-02 09:20:30 UTC
I believe all fixed.
Comment 8 Swamp Workflow Management 2019-05-10 19:18:59 UTC
SUSE-SU-2019:14043-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1130330,1131317,1132053,1132060,1133204,1133205,1133498,1133501
CVE References: CVE-2019-10650,CVE-2019-11007,CVE-2019-11009,CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-9956
Sources used:
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.97.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Antonios Konstantinos Pappas 2019-06-17 09:21:33 UTC
After waiting some time on a disposable VM:

apappasserver:~ # convert c.cin /tmp/test.jpg
convert: unexpected end-of-file `c.cin': No such file or directory @ error/cin.c/ReadCINImage/749.                 
convert: unable to write pixel cache `/tmp/magick-2002s9WYB4B4G8Xj': No space left on device @ error/cache.c/WritePixelCachePixels/5429.
Comment 15 Marcus Meissner 2019-06-17 09:57:25 UTC
The if in the patches is apparently not sufficient, the height*width also overflows the 32bit integer...
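
The point made in the description and in comment 15, as an added example that is not part of this bug report and is neither the upstream nor the SUSE patch: a data-size check whose width*height product is computed in 32 bits can wrap and accept an oversized claim, while a widened check rejects it. The function names, the `bytes_per_pixel` parameter and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Naive check (hypothetical): the product is computed in 32 bits, so it
   wraps modulo 2^32 and a huge claimed size can look smaller than the file. */
bool naive_has_enough_data(uint32_t columns, uint32_t rows,
                           uint32_t bytes_per_pixel, uint64_t file_size)
{
    uint32_t needed = columns * rows * bytes_per_pixel; /* may wrap */
    return needed <= file_size;
}

/* Hardened check (hypothetical): widen before multiplying and reject any
   claim that cannot be backed by the bytes actually present in the file. */
bool checked_has_enough_data(uint32_t columns, uint32_t rows,
                             uint32_t bytes_per_pixel, uint64_t file_size)
{
    if (columns == 0 || rows == 0 || bytes_per_pixel == 0)
        return false;
    /* (2^32-1)^2 fits in 64 bits, so this product cannot overflow. */
    uint64_t pixels = (uint64_t)columns * rows;
    /* Guard the second multiplication explicitly. */
    if (pixels > UINT64_MAX / bytes_per_pixel)
        return false;
    return pixels * bytes_per_pixel <= file_size;
}

int main(void)
{
    /* Constructed sample: a 2048-byte file whose header claims 65536x65536. */
    const uint64_t file_size = 2048;
    printf("naive   65536x65536: %d\n",
           naive_has_enough_data(65536, 65536, 4, file_size));
    printf("checked 65536x65536: %d\n",
           checked_has_enough_data(65536, 65536, 4, file_size));
    printf("checked 16x16:       %d\n",
           checked_has_enough_data(16, 16, 4, file_size));
    return 0;
}
```

The check has to run before any pixel cache is allocated, otherwise the disk or memory is already consumed by the time it fails.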
Comment 16 Swamp Workflow Management 2019-06-17 19:16:19 UTC
SUSE-SU-2019:1523-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1133204,1133205,1133498,1133501,1136183,1136732
CVE References: CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-11598
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.61.3

Comment 17 Petr Gajdos 2019-06-18 11:07:24 UTC
(In reply to Antonios Konstantinos Pappas from comment #14)
> After waiting some time on a disposable VM:
> 
> apappasserver:~ # convert c.cin /tmp/test.jpg
> convert: unexpected end-of-file `c.cin': No such file or directory @
> error/cin.c/ReadCINImage/749.                 
> convert: unable to write pixel cache `/tmp/magick-2002s9WYB4B4G8Xj': No
> space left on device @ error/cache.c/WritePixelCachePixels/5429.

Yes. The hunk was applied wrongly, not sure how my tests could pass. Resubmitted: sr#195201.
Comment 18 Petr Gajdos 2019-06-18 11:08:56 UTC
(In reply to Marcus Meissner from comment #15)
> The if in the patches is apparently not sufficient, the height*width also
> overflows the 32bit integer...

Would you mind reporting a (different) bug upstream?
Comment 21 Swamp Workflow Management 2019-06-24 13:27:36 UTC
openSUSE-SU-2019:1603-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1133204,1133205,1133498,1133501,1136183,1136732
CVE References: CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-11598
Sources used:
openSUSE Leap 15.1 (src):    ImageMagick-7.0.7.34-lp151.7.3.1
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.32.1
Comment 22 Swamp Workflow Management 2019-06-25 19:12:11 UTC
SUSE-SU-2019:1712-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1133204,1133205,1133498,1133501,1134075,1135232,1135236,1136183,1136732,1138425,1138464
CVE References: CVE-2017-12805,CVE-2017-12806,CVE-2019-10131,CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-11597,CVE-2019-11598
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Server 12-SP4 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.123.2

Comment 23 Swamp Workflow Management 2019-07-01 16:14:16 UTC
openSUSE-SU-2019:1683-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1133204,1133205,1133498,1133501,1134075,1135232,1135236,1136183,1136732,1138425,1138464
CVE References: CVE-2017-12805,CVE-2017-12806,CVE-2019-10131,CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-11597,CVE-2019-11598
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-85.1
Comment 24 Marcus Meissner 2019-07-10 05:35:48 UTC
released