Bugzilla – Bug 1096203
VUL-1: CVE-2018-11624: GraphicsMagick,ImageMagick: use after free in ReadMATImage function in coders/mat.c
Last modified: 2021-10-05 10:40:29 UTC
In ImageMagick 7.0.7-36 Q16, the ReadMATImage function in coders/mat.c allows attackers to cause a use after free via a crafted file.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1584898
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11624
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11624.html
https://github.com/ImageMagick/ImageMagick/issues/1149
BEFORE

15/ImageMagick $ valgrind -q identify poc
==26185== Invalid read of size 8
==26185==    at 0x4E8BAF4: CloseBlob (blob.c:605)
==26185==    by 0x920EA3F: ReadMATImage (mat.c:1238)
==26185==    by 0x4EB6EA9: ReadImage (constitute.c:558)
==26185==    by 0x4FD69EB: ReadStream (stream.c:1043)
==26185==    by 0x4EB6962: PingImage (constitute.c:226)
==26185==    by 0x4EB6BDA: PingImages (constitute.c:327)
==26185==    by 0x535FF03: IdentifyImageCommand (identify.c:319)
==26185==    by 0x538DAF4: MagickCommandGenesis (mogrify.c:183)
==26185==    by 0x10937F: MagickMain (magick.c:149)
==26185==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
==26185==  Address 0x8e6e030 is 13,392 bytes inside a block of size 13,504 free'd
==26185==    at 0x4C2F2BB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26185==    by 0x4F4F37E: RelinquishMagickMemory (memory.c:1058)
==26185==    by 0x9210933: ReadMATImage (mat.c:1084)
==26185==    by 0x4EB6EA9: ReadImage (constitute.c:558)
==26185==    by 0x4FD69EB: ReadStream (stream.c:1043)
==26185==    by 0x4EB6962: PingImage (constitute.c:226)
==26185==    by 0x4EB6BDA: PingImages (constitute.c:327)
==26185==    by 0x535FF03: IdentifyImageCommand (identify.c:319)
==26185==    by 0x538DAF4: MagickCommandGenesis (mogrify.c:183)
==26185==    by 0x10937F: MagickMain (magick.c:149)
==26185==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
==26185==  Block was alloc'd at
==26185==    at 0x4C2E08F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26185==    by 0x4F3CDDF: AcquireCriticalMemory (memory-private.h:64)
==26185==    by 0x4F3CDDF: AcquireImage (image.c:171)
==26185==    by 0x920E508: ReadMATImage (mat.c:895)
==26185==    by 0x4EB6EA9: ReadImage (constitute.c:558)
==26185==    by 0x4FD69EB: ReadStream (stream.c:1043)
==26185==    by 0x4EB6962: PingImage (constitute.c:226)
==26185==    by 0x4EB6BDA: PingImages (constitute.c:327)
==26185==    by 0x535FF03: IdentifyImageCommand (identify.c:319)
==26185==    by 0x538DAF4: MagickCommandGenesis (mogrify.c:183)
==26185==    by 0x10937F: MagickMain (magick.c:149)
==26185==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
==26185==
identify: MagickCore/blob.c:605: CloseBlob: Assertion `image->signature == MagickCoreSignature' failed.
/root/bin/vgq: line 3: 26185 Aborted (core dumped) valgrind -q $@
$

12/ImageMagick $ valgrind -q identify poc
identify: UnsupportedCellTypeInTheMatrix `poc' @ error/mat.c/ReadMATImage/1078.
$

11/ImageMagick $ valgrind -q identify mat:poc
identify: UnsupportedCellTypeInTheMatrix `poc'.
$
[note the mat: prefix, otherwise command quits sooner via 'no decode delegate']

11/GraphicsMagick $ valgrind -q gm identify mat:poc
gm identify: Unsupported cell type in the matrix (poc).
$

42.3,15.0/GraphicsMagick $ valgrind -q gm identify poc
gm identify: Unsupported cell type in the matrix (poc).
gm identify: Request did not return an image.
$

PATCH

https://github.com/ImageMagick/ImageMagick6/commit/172d82afe89d3499ef0cab06dc58d380cc1ab946

15/ImageMagick: the fix is needed
11,12/ImageMagick: already solved via ImageMagick-mat.c-update.patch
11/GraphicsMagick: no image2 code
42.3/GraphicsMagick: already solved in ThrowImg2MATReaderException() via GraphicsMagick-mat.c-update.patch
15.0/GraphicsMagick: already solved

AFTER

15/ImageMagick $ valgrind -q identify poc
identify: UnsupportedCellTypeInTheMatrix `poc' @ error/mat.c/ReadMATImage/1088.
$
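The memcheck report above already contains the three facts triage needs: the invalid read happens in CloseBlob called from ReadMATImage (mat.c:1238), the block was freed by RelinquishMagickMemory called from ReadMATImage (mat.c:1084), and it was allocated by AcquireImage from ReadMATImage (mat.c:895). As an added example that is not part of this bug report or of ImageMagick, the following Python splits such a memcheck error into its use, free and alloc stacks and picks out the first frame in a chosen source file (here the coder, mat.c); SAMPLE is a constructed, abridged copy of the report above.

```python
import re

# Constructed sample: abridged copy of the memcheck report quoted in this bug (same sites).
SAMPLE = """\
==26185== Invalid read of size 8
==26185==    at 0x4E8BAF4: CloseBlob (blob.c:605)
==26185==    by 0x920EA3F: ReadMATImage (mat.c:1238)
==26185==    by 0x4EB6EA9: ReadImage (constitute.c:558)
==26185==  Address 0x8e6e030 is 13,392 bytes inside a block of size 13,504 free'd
==26185==    at 0x4C2F2BB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26185==    by 0x4F4F37E: RelinquishMagickMemory (memory.c:1058)
==26185==    by 0x9210933: ReadMATImage (mat.c:1084)
==26185==  Block was alloc'd at
==26185==    at 0x4C2E08F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26185==    by 0x4F3CDDF: AcquireImage (image.c:171)
==26185==    by 0x920E508: ReadMATImage (mat.c:895)
"""
HEADER = re.compile(r"^==\d+==\s+Invalid (read|write) of size (\d+)")
FRAME = re.compile(r"^==\d+==\s+(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(\S+)\s+\((.*)\)$")
ADDR = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is ([\d,]+) bytes inside "
                  r"a block of size ([\d,]+) (free'd|alloc'd)")
ALLOC = re.compile(r"^==\d+==\s+Block was alloc'd at")


def parse_memcheck(report):
    """Split one memcheck error into its use, free and alloc stacks."""
    r = {"kind": None, "access": None, "size": None, "offset": None,
         "block_size": None, "use": [], "free": [], "alloc": []}
    stack = None  # which of the three stacks the following frames belong to
    for line in report.splitlines():
        if m := HEADER.match(line):
            r["access"], r["size"], stack = m.group(1), int(m.group(2)), "use"
        elif m := ADDR.match(line):
            r["offset"] = int(m.group(1).replace(",", ""))
            r["block_size"] = int(m.group(2).replace(",", ""))
            # an access inside a block memcheck reports as free'd is a use-after-free
            r["kind"] = "use-after-free" if m.group(3) == "free'd" else "other"
            stack = "free" if m.group(3) == "free'd" else "alloc"
        elif ALLOC.match(line):
            stack = "alloc"
        elif stack and (m := FRAME.match(line)):
            r[stack].append((m.group(1), m.group(2)))  # (function, "file:line")
    return r


def blame_site(stack, source_file):
    """First frame of a stack inside the given source file, e.g. the coder's own frame."""
    for func, loc in stack:
        if loc.startswith(source_file + ":"):
            return f"{func} ({loc})"
    return None
```

Running blame_site over the three stacks with "mat.c" yields exactly the two coder lines (1084 freed, 1238 used) that the fixed-versions comparison above is based on.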
Given the date of the upstream bug and the date of ImageMagick-mat.c-update.patch, I will consider 11,12/ImageMagick unaffected, as the bug was probably introduced between these dates. Also, the bug seems to have never existed in 42.3/GraphicsMagick, as ThrowImg2MATReaderException() was introduced with ImageMagick-mat.c-update.patch with the correct shape. I consider 15/ImageMagick the only affected codestream.
I believe all fixed.
SUSE-SU-2018:2043-1: An update that solves 5 vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 1094742,1094745,1095812,1096200,1096203,1098545,1098546
CVE References: CVE-2018-10805,CVE-2018-11624,CVE-2018-11625,CVE-2018-12599,CVE-2018-12600
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src): ImageMagick-7.0.7.34-3.9.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src): ImageMagick-7.0.7.34-3.9.1
openSUSE-SU-2018:2123-1: An update that solves 5 vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 1094742,1094745,1095812,1096200,1096203,1098545,1098546
CVE References: CVE-2018-10805,CVE-2018-11624,CVE-2018-11625,CVE-2018-12599,CVE-2018-12600
Sources used:
openSUSE Leap 15.0 (src): ImageMagick-7.0.7.34-lp150.2.6.1
released
This is an autogenerated message for OBS integration: This bug (1096203) was mentioned in https://build.opensuse.org/request/show/923064 Factory / ImageMagick
This is an autogenerated message for OBS integration: This bug (1096203) was mentioned in https://build.opensuse.org/request/show/923178 Factory / ImageMagick