Bug 1140543 (CVE-2019-13306)

Summary: VUL-0: CVE-2019-13306: ImageMagick: stack-based buffer overflow at coders/pnm.c in WritePNMImage
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/236486/
Whiteboard: CVSSv3:SUSE:CVE-2019-13306:5.1:(AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) CVSSv2:NVD:CVE-2019-13306:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv3:NVD:CVE-2019-13306:8.8:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2019-13306:8.8:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 1 Alexandros Toptsoglou 2019-07-05 15:27:52 UTC 
SLE15 is affected SLE12 seems not. Tracked as affected SLE15. Reproduced as following: 

valgrind magick -seed 0 -dispose Previous -compress None "(" magick:rose +repage ")" "(" magick:logo -level 64,0%,0.874 ")" -loop 5 tmp

OUTPUT:

valgrind magick -seed 0 -dispose Previous -compress None "(" magick:rose +repage ")" "(" magick:logo -level 64,0%,0.874 ")" -loop 5 tmp
==22304== Memcheck, a memory error detector
==22304== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==22304== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==22304== Command: magick -seed 0 -dispose Previous -compress None ( magick:rose +repage ) ( magick:logo -level 64,0%,0.874 ) -loop 5 tmp
==22304== 
==22304== Source and destination overlap in strncpy(0x1ffeff7892, 0x1ffeff789a, 10)
==22304==    at 0x4C318E8: __strncpy_sse2_unaligned (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==22304==    by 0x942F7A3: strncpy (string_fortified.h:106)
==22304==    by 0x942F7A3: WritePNMImage (pnm.c:1892)
==22304==    by 0x4EB81D4: WriteImage (constitute.c:1188)
==22304==    by 0x4EB8863: WriteImages (constitute.c:1338)
==22304==    by 0x53D4009: CLINoImageOperator (operation.c:4757)
==22304==    by 0x53D4D60: CLIOption (operation.c:5217)
==22304==    by 0x53716C7: ProcessCommandOptions (magick-cli.c:529)
==22304==    by 0x5371DFA: MagickImageCommand (magick-cli.c:796)
==22304==    by 0x538DB54: MagickCommandGenesis (mogrify.c:183)
==22304==    by 0x10937F: MagickMain (magick.c:149)
==22304==    by 0x584CF89: (below main) (in /lib64/libc-2.26.so)
==22304== 
==22304== 
==22304== HEAP SUMMARY:
==22304==     in use at exit: 19,148 bytes in 18 blocks
==22304==   total heap usage: 2,453 allocs, 2,435 frees, 6,268,659 bytes allocated
Comment 2 Petr Gajdos 2019-07-18 10:51:35 UTC 
BEFORE

15/ImageMagick

$ magick -seed 0 -dispose Previous -compress None "(" magick:rose +repage ")" "(" magick:logo -level 64,0%,0.874 ")" -loop 5 temp
=================================================================
==7200==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe5f9d9a90 at pc 0x7f630093c53b bp 0x7ffe5f9d8180 sp 0x7ffe5f9d7930
WRITE of size 10 at 0x7ffe5f9d9a90 thread T0
    #0 0x7f630093c53a in __interceptor_strncpy (/usr/lib64/libasan.so.4+0x9353a)
    #1 0x7f62f8db32ac  (/usr/lib64/ImageMagick-7.0.7/modules-7_Q16HDRI6/coders/pnm.so+0x52ac)
    #2 0x7f6300141a42 in WriteImage (/usr/lib64/libMagickCore-7.Q16HDRI.so.6+0x1a6a42)
    #3 0x7f6300142531 in WriteImages (/usr/lib64/libMagickCore-7.Q16HDRI.so.6+0x1a7531)
    #4 0x7f62ffca5965  (/usr/lib64/libMagickWand-7.Q16HDRI.so.6+0x251965)
    #5 0x7f62ffca7899 in CLIOption (/usr/lib64/libMagickWand-7.Q16HDRI.so.6+0x253899)
    #6 0x7f62ffbe7d39 in ProcessCommandOptions (/usr/lib64/libMagickWand-7.Q16HDRI.so.6+0x193d39)
    #7 0x7f62ffbe8ba3 in MagickImageCommand (/usr/lib64/libMagickWand-7.Q16HDRI.so.6+0x194ba3)
    #8 0x7f62ffc16011 in MagickCommandGenesis (/usr/lib64/libMagickWand-7.Q16HDRI.so.6+0x1c2011)
    #9 0x55fbc95ecd9d  (/usr/bin/magick+0x1d9d)
    #10 0x7f62ff49cf49 in __libc_start_main (/lib64/libc.so.6+0x20f49)
    #11 0x55fbc95ec989  (/usr/bin/magick+0x1989)

Address 0x7ffe5f9d9a90 is located in stack of thread T0 at offset 6240 in frame
    #0 0x7f62f8db1b0f  (/usr/lib64/ImageMagick-7.0.7/modules-7_Q16HDRI6/coders/pnm.so+0x3b0f)

  This frame has 15 object(s):
    [32, 2080) 'pixels'
    [2112, 4160) 'pixels'
    [4192, 6240) 'pixels' <== Memory access at offset 6240 overflows this variable
    [6272, 10368) 'buffer'
    [10400, 14496) 'magick'
    [14528, 18624) 'type'
    [18656, 22752) 'message'
    [22784, 26880) 'message'
    [26912, 31008) 'message'
    [31040, 35136) 'message'
    [35168, 39264) 'message'
    [39296, 43392) 'message'
    [43424, 47520) 'message'
    [47552, 51648) 'message'
    [51680, 55776) 'message'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib64/libasan.so.4+0x9353a) in __interceptor_strncpy
Shadow bytes around the buggy address:
  0x10004bf33300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004bf33310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004bf33320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004bf33330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004bf33340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004bf33350: 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 00 00 00
  0x10004bf33360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004bf33370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004bf33380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004bf33390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004bf333a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7200==ABORTING
$
[asan report replicated]

12/ImageMagick

$ convert -seed 0 -dispose Previous -compress None "(" magick:rose +repage ")" "(" magick:logo -level 64,0%,0.874 ")" -loop 5 temp
$
[no asan error]

11/ImageMagick

$ valgrind -q convert -seed 0 -dispose Previous -compress None "(" magick:rose +repage ")" "(" magick:logo -level 64,0%,0.874 ")" -loop 5 ppm:temp
$
[no valgrind error]

15.1,15.0/GraphicsMagick

$ gm convert -seed 0 -dispose Previous -compress None "(" magick:rose +repage ")" "(" magick:logo -level 64,0%,0.874 ")" -loop 5 ppm:temp
gm convert: Unrecognized option (-seed).
$
[testcase not applicable]


PATCH

referenced in comment 0
12,11/ImageMagick: code is different, writes 80 bytes only, considering unaffected

AFTER

15/ImageMagick

$ magick -seed 0 -dispose Previous -compress None "(" magick:rose +repage ")" "(" magick:logo -level 64,0%,0.874 ")" -loop 5 temp
$
Comment 3 Petr Gajdos 2019-07-18 12:07:28 UTC 
Will submit for: 15/ImageMagick
Comment 4 Petr Gajdos 2019-07-19 13:58:48 UTC 
I believe all fixed.
Comment 7 Swamp Workflow Management 2019-08-09 19:12:22 UTC 
SUSE-SU-2019:2106-1: An update that fixes 30 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1139884,1139885,1139886,1140100,1140102,1140103,1140104,1140105,1140106,1140110,1140111,1140501,1140513,1140520,1140534,1140538,1140543,1140545,1140547,1140549,1140552,1140554,1140664,1140665,1140666,1140667,1140668,1140669,1140673,1141171
CVE References: CVE-2019-12974,CVE-2019-12975,CVE-2019-12976,CVE-2019-12977,CVE-2019-12978,CVE-2019-12979,CVE-2019-13133,CVE-2019-13134,CVE-2019-13135,CVE-2019-13136,CVE-2019-13137,CVE-2019-13295,CVE-2019-13296,CVE-2019-13297,CVE-2019-13298,CVE-2019-13299,CVE-2019-13300,CVE-2019-13301,CVE-2019-13302,CVE-2019-13303,CVE-2019-13304,CVE-2019-13305,CVE-2019-13306,CVE-2019-13307,CVE-2019-13308,CVE-2019-13309,CVE-2019-13310,CVE-2019-13311,CVE-2019-13391,CVE-2019-13454
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.67.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2019-08-21 13:14:14 UTC 
openSUSE-SU-2019:1983-1: An update that fixes 30 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1139884,1139885,1139886,1140100,1140102,1140103,1140104,1140105,1140106,1140110,1140111,1140501,1140513,1140520,1140534,1140538,1140543,1140545,1140547,1140549,1140552,1140554,1140664,1140665,1140666,1140667,1140668,1140669,1140673,1141171
CVE References: CVE-2019-12974,CVE-2019-12975,CVE-2019-12976,CVE-2019-12977,CVE-2019-12978,CVE-2019-12979,CVE-2019-13133,CVE-2019-13134,CVE-2019-13135,CVE-2019-13136,CVE-2019-13137,CVE-2019-13295,CVE-2019-13296,CVE-2019-13297,CVE-2019-13298,CVE-2019-13299,CVE-2019-13300,CVE-2019-13301,CVE-2019-13302,CVE-2019-13303,CVE-2019-13304,CVE-2019-13305,CVE-2019-13306,CVE-2019-13307,CVE-2019-13308,CVE-2019-13309,CVE-2019-13310,CVE-2019-13311,CVE-2019-13391,CVE-2019-13454
Sources used:
openSUSE Leap 15.1 (src):    ImageMagick-7.0.7.34-lp151.7.9.1
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.38.1
Comment 9 Marcus Meissner 2019-08-28 14:54:58 UTC 
released