Bug 1140538 (CVE-2019-13307)

Summary: VUL-0: CVE-2019-13307: ImageMagick: heap-based buffer overflow at MagickCore/statistic.c
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/236487/
Whiteboard: CVSSv3:SUSE:CVE-2019-13307:5.1:(AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) CVSSv2:NVD:CVE-2019-13307:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv3:NVD:CVE-2019-13307:8.8:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2019-13307:8.8:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 1 Alexandros Toptsoglou 2019-07-05 15:07:06 UTC
Reproduced it only in SLE15 but looking at the code it seems that SLE12 can receive the patch.  Tracked SLE15 and SLE12 as affected. 

to reproduce the issue simply run: valgrind magick -seed 0 -monitor -bias 63 "(" magick:rose -colorize 172,35,77 ")" "(" magick:logo +repage ")" -crop 507x10'!'+20-54 -evaluate-sequence Median tmp

OUTPUT: 

==21809== Invalid read of size 8
==21809==    at 0x4FCC0F4: ClampToQuantum (quantum.h:87)
==21809==    by 0x4FCC0F4: EvaluateImages (statistic.c:590)
==21809==    by 0x53D2205: CLIListOperatorImages (operation.c:4045)
==21809==    by 0x53D4CF7: CLIOption (operation.c:5238)
==21809==    by 0x5371534: ProcessCommandOptions (magick-cli.c:477)
==21809==    by 0x5371DFA: MagickImageCommand (magick-cli.c:796)
==21809==    by 0x538DB54: MagickCommandGenesis (mogrify.c:183)
==21809==    by 0x10937F: MagickMain (magick.c:149)
==21809==    by 0x584CF89: (below main) (in /lib64/libc-2.26.so)
==21809==  Address 0x8ff7f60 is 0 bytes after a block of size 256 alloc'd
==21809==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==21809==    by 0x4FCB697: AcquirePixelThreadSet (statistic.c:175)
==21809==    by 0x4FCB85C: EvaluateImages (statistic.c:493)
==21809==    by 0x53D2205: CLIListOperatorImages (operation.c:4045)
==21809==    by 0x53D4CF7: CLIOption (operation.c:5238)
==21809==    by 0x5371534: ProcessCommandOptions (magick-cli.c:477)
==21809==    by 0x5371DFA: MagickImageCommand (magick-cli.c:796)
==21809==    by 0x538DB54: MagickCommandGenesis (mogrify.c:183)
==21809==    by 0x10937F: MagickMain (magick.c:149)
==21809==    by 0x584CF89: (below main) (in /lib64/libc-2.26.so)


and then fails with core dumped 

Fix for ImageMagick7 at [1]
Fix for ImageMagick6 at [2]

[1]https://github.com/ImageMagick/ImageMagick/commit/025e77fcb2f45b21689931ba3bf74eac153afa48
[2]https://github.com/ImageMagick/ImageMagick6/commit/91e58d967a92250439ede038ccfb0913a81e59fe
Comment 2 Petr Gajdos 2019-07-19 11:13:17 UTC
BEFORE

15/ImageMagick

$ magick -seed 0 -monitor -bias 63 "(" magick:rose -colorize 172,35,77 ")" "(" magick:logo +repage ")" -crop 507x10'!'+20-54 -evaluate-sequence Median temp
load image[rose]: 45 of 46, 100% complete
colorize image[rose]: 45 of 46, 100% complete
magick: geometry does not contain image `rose' @ warning/transform.c/CropImage/590.
magick: geometry does not contain image `logo' @ warning/transform.c/CropImage/590.
magick: malloc.c:4025: _int_malloc: Assertion `(unsigned long) (size) >= (unsigned long) (nb)' failed.
Aborted (core dumped)
$

12/ImageMagick

$ convert -seed 0 -monitor -bias 63 "(" magick:rose -colorize 172,35,77 ")" "(" magick:logo +repage ")" -crop 507x10'!'+20-54 -evaluate-sequence Median temp
load image[rose]: 45 of 46, 100% complete
colorize image[rose]: 45 of 46, 100% complete
mogrify image[logo]: 1 of 2, 100% complete
mogrify image[logo]: 1 of 2, 100% complete
*** Error in `convert': free(): invalid pointer: 0x0000000001cb0a40 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x74c99)[0x7fcd2546cc99]
/lib64/libc.so.6(+0x7a566)[0x7fcd25472566]
/usr/lib64/libMagickCore-6.Q16.so.1(RelinquishMagickMemory+0xf)[0x7fcd25e0566f]
/usr/lib64/libMagickCore-6.Q16.so.1(+0x192c57)[0x7fcd25e70c57]
/usr/lib64/libMagickCore-6.Q16.so.1(EvaluateImages+0x21f)[0x7fcd25e73dff]
/usr/lib64/libMagickWand-6.Q16.so.1(MogrifyImageList+0x7fa)[0x7fcd25a78f9a]
/usr/lib64/libMagickWand-6.Q16.so.1(MogrifyImages+0x134)[0x7fcd25a7a424]
/usr/lib64/libMagickWand-6.Q16.so.1(ConvertImageCommand+0xc2f)[0x7fcd25a03e2f]
/usr/lib64/libMagickWand-6.Q16.so.1(MagickCommandGenesis+0x6d3)[0x7fcd25a6fc73]
convert[0x400847]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7fcd25419cb5]
convert[0x40089b]
======= Memory map: ========
Aborted (core dumped)
$

11/ImageMagick

$ convert -seed 0 -monitor -bias 63 "(" magick:rose -colorize 172,35,77 ")" "(" magick:logo +repage ")" -crop 507x10'!'+20-54 -evaluate-sequence Median temp
Load image: 100%
Colorize image: 100%
Mogrify image: 100%
convert: geometry does not contain image `rose'.
convert: unrecognized option `-evaluate-sequence'.
$
[testcase not applicable]


PATCH

ImageMagick7
https://github.com/ImageMagick/ImageMagick/commit/025e77fcb2f45b21689931ba3bf74eac153afa48
https://github.com/ImageMagick/ImageMagick/commit/0726f905bb464d653f48b6e59f1022951d6e88cd
https://github.com/ImageMagick/ImageMagick/commit/cc33f038d26fef62904becc3ba004d7525fb6418

ImageMagick6
https://github.com/ImageMagick/ImageMagick6/commit/91e58d967a92250439ede038ccfb0913a81e59fe
https://github.com/ImageMagick/ImageMagick6/commit/e6d26d4e2f07375ddbf46a857d309d51eeff7ee1
https://github.com/ImageMagick/ImageMagick6/commit/643921ca69a20b203faebd0b287d8b7012dc749d

11/ImageMagick: no AcquirePixelThreadSet()/DestroyPixelThreadSet() code found


AFTER

15/ImageMagick

$ magick -seed 0 -monitor -bias 63 "(" magick:rose -colorize 172,35,77 ")" "(" magick:logo +repage ")" -crop 507x10'!'+20-54 -evaluate-sequence Median temp
load image[rose]: 45 of 46, 100% complete
colorize image[rose]: 45 of 46, 100% complete
magick: geometry does not contain image `rose' @ warning/transform.c/CropImage/590.
magick: geometry does not contain image `logo' @ warning/transform.c/CropImage/590.
$

12/ImageMagick

$ convert -seed 0 -monitor -bias 63 "(" magick:rose -colorize 172,35,77 ")" "(" magick:logo +repage ")" -crop 507x10'!'+20-54 -evaluate-sequence Median temp
load image[rose]: 45 of 46, 100% complete
colorize image[rose]: 45 of 46, 100% complete
mogrify image[logo]: 1 of 2, 100% complete
mogrify image[logo]: 1 of 2, 100% complete
Magick: geometry does not contain image `rose' @ warning/transform.c/CropImage/674.
Magick: geometry does not contain image `logo' @ warning/transform.c/CropImage/674.
$
Comment 3 Petr Gajdos 2019-07-19 11:14:07 UTC
Will submit for 15,12/ImageMagick.
Comment 4 Petr Gajdos 2019-07-19 13:58:48 UTC
I believe all fixed.
Comment 7 Swamp Workflow Management 2019-07-29 16:24:15 UTC
SUSE-SU-2019:2010-1: An update that fixes 18 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1139885,1139886,1140100,1140102,1140103,1140106,1140110,1140111,1140501,1140513,1140534,1140538,1140554,1140664,1140666,1140669,1140673,1141171
CVE References: CVE-2019-12974,CVE-2019-12975,CVE-2019-12976,CVE-2019-12978,CVE-2019-12979,CVE-2019-13133,CVE-2019-13134,CVE-2019-13135,CVE-2019-13295,CVE-2019-13297,CVE-2019-13300,CVE-2019-13301,CVE-2019-13307,CVE-2019-13308,CVE-2019-13310,CVE-2019-13311,CVE-2019-13391,CVE-2019-13454
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    ImageMagick-6.8.8.1-71.126.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ImageMagick-6.8.8.1-71.126.1
SUSE Linux Enterprise Server 12-SP4 (src):    ImageMagick-6.8.8.1-71.126.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ImageMagick-6.8.8.1-71.126.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2019-08-09 19:12:15 UTC
SUSE-SU-2019:2106-1: An update that fixes 30 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1139884,1139885,1139886,1140100,1140102,1140103,1140104,1140105,1140106,1140110,1140111,1140501,1140513,1140520,1140534,1140538,1140543,1140545,1140547,1140549,1140552,1140554,1140664,1140665,1140666,1140667,1140668,1140669,1140673,1141171
CVE References: CVE-2019-12974,CVE-2019-12975,CVE-2019-12976,CVE-2019-12977,CVE-2019-12978,CVE-2019-12979,CVE-2019-13133,CVE-2019-13134,CVE-2019-13135,CVE-2019-13136,CVE-2019-13137,CVE-2019-13295,CVE-2019-13296,CVE-2019-13297,CVE-2019-13298,CVE-2019-13299,CVE-2019-13300,CVE-2019-13301,CVE-2019-13302,CVE-2019-13303,CVE-2019-13304,CVE-2019-13305,CVE-2019-13306,CVE-2019-13307,CVE-2019-13308,CVE-2019-13309,CVE-2019-13310,CVE-2019-13311,CVE-2019-13391,CVE-2019-13454
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.67.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2019-08-21 13:14:07 UTC
openSUSE-SU-2019:1983-1: An update that fixes 30 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1139884,1139885,1139886,1140100,1140102,1140103,1140104,1140105,1140106,1140110,1140111,1140501,1140513,1140520,1140534,1140538,1140543,1140545,1140547,1140549,1140552,1140554,1140664,1140665,1140666,1140667,1140668,1140669,1140673,1141171
CVE References: CVE-2019-12974,CVE-2019-12975,CVE-2019-12976,CVE-2019-12977,CVE-2019-12978,CVE-2019-12979,CVE-2019-13133,CVE-2019-13134,CVE-2019-13135,CVE-2019-13136,CVE-2019-13137,CVE-2019-13295,CVE-2019-13296,CVE-2019-13297,CVE-2019-13298,CVE-2019-13299,CVE-2019-13300,CVE-2019-13301,CVE-2019-13302,CVE-2019-13303,CVE-2019-13304,CVE-2019-13305,CVE-2019-13306,CVE-2019-13307,CVE-2019-13308,CVE-2019-13309,CVE-2019-13310,CVE-2019-13311,CVE-2019-13391,CVE-2019-13454
Sources used:
openSUSE Leap 15.1 (src):    ImageMagick-7.0.7.34-lp151.7.9.1
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.38.1
Comment 10 Marcus Meissner 2019-08-28 14:54:25 UTC
released