Bugzilla – Bug 1098545
VUL-0: CVE-2018-12600: GraphicsMagick,ImageMagick: out of bounds write in ReadDIBImage and WriteDIBImage in coders/dib.c
Last modified: 2021-10-05 10:40:33 UTC
CVE-2018-12600 In ImageMagick 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/dib.c allow attackers to cause an out of bounds write via a crafted file.

Upstream fix:
https://github.com/ImageMagick/ImageMagick/commit/921f208c2ea3cc45847f380257f270ff424adfff
https://github.com/ImageMagick/ImageMagick6/commit/ae71c12bbaa34d942e036824ff389c22b7dacade

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12600
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12600.html
https://github.com/ImageMagick/ImageMagick/issues/1178
Reproducer is not working under SLE.
https://github.com/ImageMagick/ImageMagick/files/2115374/poc.zip

#> valgrind --leak-check=full --show-leak-kinds=all convert ./poc output.dib
ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
BEFORE

15/ImageMagick
$ valgrind -q convert poc output.dib
==32233== Invalid write of size 1
==32233==    at 0x96829EB: WriteDIBImage (dib.c:1304)
==32233==    by 0x4EB84A4: WriteImage (constitute.c:1188)
==32233==    by 0x4EB8B8E: WriteImages (constitute.c:1338)
==32233==    by 0x53290BA: ConvertImageCommand (convert.c:3280)
==32233==    by 0x538DAF4: MagickCommandGenesis (mogrify.c:183)
==32233==    by 0x10937F: MagickMain (magick.c:149)
==32233==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
==32233==  Address 0x12360c840 is not stack'd, malloc'd or (recently) free'd
==32233==
/root/bin/vgq: line 3: 32233 Aborted (core dumped) valgrind -q $@
$

12/ImageMagick
$ valgrind -q convert poc output.dib
convert: Corrupt JPEG data: 68 extraneous bytes before marker 0xdb `poc' @ warning/jpeg.c/JPEGWarningHandler/349.
convert: Corrupt JPEG data: 783 extraneous bytes before marker 0xda `poc' @ warning/jpeg.c/JPEGWarningHandler/349.
convert: Quantization table 0x00 was not defined `poc' @ error/jpeg.c/JPEGErrorHandler/319.
convert: no images defined `output.dib' @ error/convert.c/ConvertImageCommand/3149.
$

11/ImageMagick
$ valgrind -q convert poc output.dib
convert: Quantization table 0x00 was not defined `poc'.
convert: missing an image filename `output.dib'.
$

11,42.3,15.0/GraphicsMagick
$ valgrind -q gm convert poc output.dib
gm convert: Quantization table 0x00 was not defined (poc).
$

PATCH

see comment 0

12/ImageMagick: dib_info.image_size is size_t, considering partially affected (MagickMax)
11/ImageMagick: dib_info.image_size is unsigned long, considering partially affected (MagickMax)
11/GraphicsMagick: dib_info.image_size is unsigned long, considering not affected
42.3,15.0,HG/GraphicsMagick: dib_info.image_size is magick_uint32_t, but according to upstream unaffected

AFTER

15/ImageMagick
$ valgrind -q convert poc output.dib
[run long, 100% cpu]

However, this can be overcome by relevant setting in /etc/ImageMagick*/policy.xml, e. g. by:
<policy domain="resource" name="width" value="10KP"/>
<policy domain="resource" name="height" value="10KP"/>
to limit vertical and horizontal size of the image. Then:

$ valgrind -q convert poc output.dib
convert: Corrupt JPEG data: 68 extraneous bytes before marker 0xdb `poc' @ warning/jpeg.c/JPEGWarningHandler/365.
convert: Corrupt JPEG data: 783 extraneous bytes before marker 0xda `poc' @ warning/jpeg.c/JPEGWarningHandler/365.
convert: width or height exceeds limit `poc' @ error/cache.c/OpenPixelCache/3688.
convert: no images defined `output.dib' @ error/convert.c/ConvertImageCommand/3275.
$
[crash is fixed]

12/ImageMagick
$ valgrind -q convert poc output.dib
convert: Corrupt JPEG data: 68 extraneous bytes before marker 0xdb `poc' @ warning/jpeg.c/JPEGWarningHandler/349.
convert: Corrupt JPEG data: 783 extraneous bytes before marker 0xda `poc' @ warning/jpeg.c/JPEGWarningHandler/349.
convert: Quantization table 0x00 was not defined `poc' @ error/jpeg.c/JPEGErrorHandler/319.
convert: no images defined `output.dib' @ error/convert.c/ConvertImageCommand/3149.
$
[no change]

11/ImageMagick
$ valgrind -q convert poc output.dib
convert: Quantization table 0x00 was not defined `poc'.
convert: missing an image filename `output.dib'.
$
[no change]
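Added example (not part of the bug report and not ImageMagick's own code): a small Python checker that parses an ImageMagick policy.xml and reports whether the width/height resource limits relied on in the comment above are present and within a chosen pixel bound, so the mitigation can be verified across a fleet before the fixed package lands. The sample policy files are constructed for the example, and the unit-suffix interpretation (K/M/G scale by 1000, Ki/Mi/Gi by 1024, a trailing P or B is only a unit letter) is an assumption about ImageMagick's value syntax.

```python
"""Check an ImageMagick policy.xml for width/height resource limits."""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: carries the two limits quoted in the bug comment
# plus two unrelated policy lines of the kind a real file contains.
SAMPLE_POLICY_XML = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="width" value="10KP"/>
  <policy domain="resource" name="height" value="10KP"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
</policymap>
"""

# Constructed sample: a policy file that never caps image dimensions.
SAMPLE_POLICY_XML_UNLIMITED = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
</policymap>
"""

# Assumption about the value syntax: SI prefixes scale by 1000, IEC forms
# by 1024; a trailing P (pixels) or B (bytes) is a unit letter, not a scale.
_SCALE = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9,
          "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}
_VALUE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([KMG]i?)?[PB]?\s*$", re.IGNORECASE)


def parse_limit(text: str) -> int:
    """Turn a policy value such as '10KP' or '256MiB' into a plain integer."""
    m = _VALUE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised resource value: {text!r}")
    number, prefix = m.group(1), (m.group(2) or "")
    # Normalise case so '10kp' and '10KP' parse alike.
    prefix = prefix[:1].upper() + prefix[1:].lower()
    return int(float(number) * _SCALE[prefix])


def resource_limits(policy_xml: str) -> dict:
    """Return {name: raw value} for every <policy domain="resource"> entry."""
    root = ET.fromstring(policy_xml)
    limits = {}
    for pol in root.iter("policy"):
        if pol.get("domain") == "resource" and pol.get("name"):
            limits[pol.get("name")] = pol.get("value", "")
    return limits


def check_dimension_limits(policy_xml: str, max_pixels: int = 10_000) -> list:
    """List findings for width/height; an empty list means both are capped
    at or below max_pixels. Missing or unparsable limits are findings too,
    since an absent limit is what lets a crafted header drive huge allocations."""
    limits = resource_limits(policy_xml)
    findings = []
    for name in ("width", "height"):
        if name not in limits:
            findings.append(f"{name}: no resource limit set")
            continue
        try:
            value = parse_limit(limits[name])
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
            continue
        if value > max_pixels:
            findings.append(f"{name}: limit {limits[name]} ({value} px) exceeds {max_pixels}")
    return findings


if __name__ == "__main__":
    # Usage: python check_policy.py /etc/ImageMagick-7/policy.xml
    # Without an argument the constructed sample is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_POLICY_XML
    for finding in check_dimension_limits(xml_text) or ["width/height limits OK"]:
        print(finding)
```

Point the script at each policy.xml under /etc/ImageMagick*/ on the hosts in question; a non-empty result means the mitigation from the comment above is not in force there.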
Will submit for: 15/ImageMagick, 12/ImageMagick and 11/ImageMagick.
I believe all fixed.
SUSE-SU-2018:2043-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1094742,1094745,1095812,1096200,1096203,1098545,1098546
CVE References: CVE-2018-10805,CVE-2018-11624,CVE-2018-11625,CVE-2018-12599,CVE-2018-12600
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src): ImageMagick-7.0.7.34-3.9.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src): ImageMagick-7.0.7.34-3.9.1
openSUSE-SU-2018:2123-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1094742,1094745,1095812,1096200,1096203,1098545,1098546
CVE References: CVE-2018-10805,CVE-2018-11624,CVE-2018-11625,CVE-2018-12599,CVE-2018-12600
Sources used:
openSUSE Leap 15.0 (src): ImageMagick-7.0.7.34-lp150.2.6.1
SUSE-SU-2018:2465-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1056277,1094204,1094237,1095812,1098545,1098546,1102003,1102004,1102005,1102007
CVE References: CVE-2017-13758,CVE-2017-18271,CVE-2018-10805,CVE-2018-11251,CVE-2018-12599,CVE-2018-12600,CVE-2018-14434,CVE-2018-14435,CVE-2018-14436,CVE-2018-14437
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ImageMagick-6.4.3.6-78.56.1
SUSE Linux Enterprise Server 11-SP4 (src): ImageMagick-6.4.3.6-78.56.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): ImageMagick-6.4.3.6-78.56.1
released
Packages submitted. I believe all fixed.
SUSE-SU-2018:3191-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1098545,1098546,1110746,1110747,1111069,1111072
CVE References: CVE-2017-13058,CVE-2018-12599,CVE-2018-12600,CVE-2018-17965,CVE-2018-17966,CVE-2018-18016,CVE-2018-18024
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): ImageMagick-6.8.8.1-71.82.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): ImageMagick-6.8.8.1-71.82.1
SUSE Linux Enterprise Server 12-SP3 (src): ImageMagick-6.8.8.1-71.82.1
SUSE Linux Enterprise Desktop 12-SP3 (src): ImageMagick-6.8.8.1-71.82.1
openSUSE-SU-2018:3225-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1098545,1098546,1110746,1110747,1111069,1111072
CVE References: CVE-2017-13058,CVE-2018-12599,CVE-2018-12600,CVE-2018-17965,CVE-2018-17966,CVE-2018-18016,CVE-2018-18024
Sources used:
openSUSE Leap 42.3 (src): ImageMagick-6.8.8.1-73.1
done
This is an autogenerated message for OBS integration: This bug (1098545) was mentioned in https://build.opensuse.org/request/show/923064 Factory / ImageMagick
This is an autogenerated message for OBS integration: This bug (1098545) was mentioned in https://build.opensuse.org/request/show/923178 Factory / ImageMagick