Bugzilla – Full Text Bug Listing |
Summary: | VUL-1: CVE-2019-13296: ImageMagick: direct memory leaks in AcquireMagickMemory because of an error in CLIListOperatorImages in MagickWand/operation.c | ||
---|---|---|---|
Product: | [Novell Products] SUSE Security Incidents | Reporter: | Alexander Bergmann <abergmann> |
Component: | Incidents | Assignee: | Security Team bot <security-team> |
Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
Severity: | Normal | ||
Priority: | P4 - Low | CC: | smash_bz |
Version: | unspecified | ||
Target Milestone: | --- | ||
Hardware: | Other | ||
OS: | Other | ||
URL: | https://smash.suse.de/issue/236476/ | ||
Whiteboard: | CVSSv3:SUSE:CVE-2019-13296:4.0:(AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVSSv2:NVD:CVE-2019-13296:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:NVD:CVE-2019-13296:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2019-13296:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) | ||
Found By: | Security Response Team | Services Priority: | |
Business Priority: | Blocker: | --- | |
Marketing QA Status: | --- | IT Deployment: | --- |
Description
Alexander Bergmann
2019-07-08 09:41:35 UTC
BEFORE

15/ImageMagick

```
$ valgrind -q --leak-check=full magick -seed 0 "(" magick:netscape +repage ")" "(" magick:granite +repage ")" -append -fft -compare temp
$
```

12/ImageMagick

```
$ valgrind -q --leak-check=full convert -seed 0 "(" magick:netscape +repage ")" "(" magick:granite +repage ")" -append -fft -compare temp
convert: delegate library support not built-in `netscape' (FFTW) @ warning/fourier.c/ForwardFourierTransformImage/996.
convert: no images defined `temp' @ error/convert.c/ConvertImageCommand/3149.
==9038== 576 bytes in 1 blocks are possibly lost in loss record 31 of 37
==9038==    at 0x4C2B200: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9038==    by 0x4011771: allocate_dtv (in /lib64/ld-2.19.so)
==9038==    by 0x4011E7D: _dl_allocate_tls (in /lib64/ld-2.19.so)
==9038==    by 0x55FCC0D: pthread_create@@GLIBC_2.2.5 (in /lib64/libpthread-2.19.so)
==9038==    by 0x716C16D: ??? (in /usr/lib64/libgomp.so.1.0.0)
==9038==    by 0x4EA8FFB: TransformRGBImage (colorspace.c:2286)
==9038==    by 0x4F4AADA: AppendImages (image.c:523)
==9038==    by 0x538F839: MogrifyImageList (mogrify.c:7534)
==9038==    by 0x5390423: MogrifyImages (mogrify.c:8638)
==9038==    by 0x5319E2E: ConvertImageCommand (convert.c:3141)
==9038==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==9038==    by 0x400846: ConvertMain (convert.c:81)
==9038==    by 0x400846: main (convert.c:92)
==9038==
==9038== 496,128 (13,232 direct, 482,896 indirect) bytes in 1 blocks are definitely lost in loss record 37 of 37
==9038==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9038==    by 0x4F48298: CloneImage (image.c:809)
==9038==    by 0x4F4A8B5: AppendImages (image.c:493)
==9038==    by 0x538F839: MogrifyImageList (mogrify.c:7534)
==9038==    by 0x5390423: MogrifyImages (mogrify.c:8638)
==9038==    by 0x5319E2E: ConvertImageCommand (convert.c:3141)
==9038==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==9038==    by 0x400846: ConvertMain (convert.c:81)
==9038==    by 0x400846: main (convert.c:92)
==9038==
$
```

11/ImageMagick

```
$ valgrind -q --leak-check=full convert -seed 0 "(" magick:netscape +repage ")" "(" magick:granite +repage ")" -append -fft -compare temp
==9074==
==9074== 2,128 bytes in 7 blocks are possibly lost in loss record 3 of 3
==9074==    at 0x4C23484: calloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==9074==    by 0x4010AEE: _dl_allocate_tls (in /lib64/ld-2.9.so)
==9074==    by 0x6D7974A: pthread_create@@GLIBC_2.2.5 (in /lib64/libpthread-2.9.so)
==9074==    by 0x6B6EF35: (within /usr/lib64/libgomp.so.1.0.0)
==9074==    by 0x4F0E8C1: SetImageBackgroundColor (image.c:662)
==9074==    by 0x4F0F69C: AppendImages (image.c:531)
==9074==    by 0x5300A03: MogrifyImageList (mogrify.c:6492)
==9074==    by 0x5306D10: MogrifyImages (mogrify.c:7336)
==9074==    by 0x52936EA: ConvertImageCommand (convert.c:2700)
==9074==    by 0x400F73: main (convert.c:122)
$
```

With ASAN:

15/ImageMagick:

```
$ magick -seed 0 "(" magick:netscape +repage ")" "(" magick:granite +repage ")" -append -fft -compare temp
$
[no issues observed]
```

12/ImageMagick:

```
$ convert -seed 0 "(" magick:netscape +repage ")" "(" magick:granite +repage ")" -append -fft -compare temp
convert: delegate library support not built-in `netscape' (FFTW) @ warning/fourier.c/ForwardFourierTransformImage/996.
convert: no images defined `temp' @ error/convert.c/ConvertImageCommand/3149.
$
```

*/GraphicsMagick

```
$ gm convert -seed 0 "(" magick:netscape +repage ")" "(" magick:granite +repage ")" -append -fft -compare temp
gm convert: Unrecognized option (-seed).
$
```

I am not able to get the same backtrace as in the upstream bug, above backtraces are unrelated I think.

PATCH

referenced in comment 0

15/ImageMagick: clearly affected

there's no such code in IM6 (there is similar in mogrify.c, but it is in IM7, too)

Will submit for: 15/ImageMagick

Packages submitted. I believe all fixed.

SUSE-SU-2019:2106-1: An update that fixes 30 vulnerabilities is now available.

Category: security (moderate)

Bug References: 1139884,1139885,1139886,1140100,1140102,1140103,1140104,1140105,1140106,1140110,1140111,1140501,1140513,1140520,1140534,1140538,1140543,1140545,1140547,1140549,1140552,1140554,1140664,1140665,1140666,1140667,1140668,1140669,1140673,1141171

CVE References: CVE-2019-12974,CVE-2019-12975,CVE-2019-12976,CVE-2019-12977,CVE-2019-12978,CVE-2019-12979,CVE-2019-13133,CVE-2019-13134,CVE-2019-13135,CVE-2019-13136,CVE-2019-13137,CVE-2019-13295,CVE-2019-13296,CVE-2019-13297,CVE-2019-13298,CVE-2019-13299,CVE-2019-13300,CVE-2019-13301,CVE-2019-13302,CVE-2019-13303,CVE-2019-13304,CVE-2019-13305,CVE-2019-13306,CVE-2019-13307,CVE-2019-13308,CVE-2019-13309,CVE-2019-13310,CVE-2019-13311,CVE-2019-13391,CVE-2019-13454

Sources used:

SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): ImageMagick-7.0.7.34-3.67.1

SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): ImageMagick-7.0.7.34-3.67.1

SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): ImageMagick-7.0.7.34-3.67.1

SUSE Linux Enterprise Module for Development Tools 15 (src): ImageMagick-7.0.7.34-3.67.1

SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): ImageMagick-7.0.7.34-3.67.1

SUSE Linux Enterprise Module for Desktop Applications 15 (src): ImageMagick-7.0.7.34-3.67.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:1983-1: An update that fixes 30 vulnerabilities is now available.

Category: security (moderate)

Bug References: 1139884,1139885,1139886,1140100,1140102,1140103,1140104,1140105,1140106,1140110,1140111,1140501,1140513,1140520,1140534,1140538,1140543,1140545,1140547,1140549,1140552,1140554,1140664,1140665,1140666,1140667,1140668,1140669,1140673,1141171

CVE References: CVE-2019-12974,CVE-2019-12975,CVE-2019-12976,CVE-2019-12977,CVE-2019-12978,CVE-2019-12979,CVE-2019-13133,CVE-2019-13134,CVE-2019-13135,CVE-2019-13136,CVE-2019-13137,CVE-2019-13295,CVE-2019-13296,CVE-2019-13297,CVE-2019-13298,CVE-2019-13299,CVE-2019-13300,CVE-2019-13301,CVE-2019-13302,CVE-2019-13303,CVE-2019-13304,CVE-2019-13305,CVE-2019-13306,CVE-2019-13307,CVE-2019-13308,CVE-2019-13309,CVE-2019-13310,CVE-2019-13311,CVE-2019-13391,CVE-2019-13454

Sources used:

openSUSE Leap 15.1 (src): ImageMagick-7.0.7.34-lp151.7.9.1

openSUSE Leap 15.0 (src): ImageMagick-7.0.7.34-lp150.2.38.1

released