Bugzilla – Bug 1098546
VUL-0: CVE-2018-12599: GraphicsMagick,ImageMagick: out of bounds write in ReadBMPImage and WriteBMPImage in coders/bmp.c
Last modified: 2021-10-05 10:40:37 UTC
CVE-2018-12599: In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/bmp.c allow attackers to cause an out of bounds write via a crafted file.

Upstream fix:
https://github.com/ImageMagick/ImageMagick/commit/ae04fa4be910255e5d363edebd77adeee99a525d
https://github.com/ImageMagick/ImageMagick6/commit/081f518eb9cb38e683b8b9ccb9e4ab5c52f82c2f

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12599
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12599.html
https://github.com/ImageMagick/ImageMagick/issues/1177
Reproducer is not working under SLE.
https://github.com/ImageMagick/ImageMagick/files/2115374/poc.zip

#> valgrind --leak-check=full --show-leak-kinds=all convert ./poc output.bmp
ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
BEFORE

15/ImageMagick
$ valgrind -q convert poc output.bmp
==8108== Invalid write of size 1
==8108==    at 0x982042A: WriteBMPImage (bmp.c:2061)
==8108==    by 0x4ECDEC7: WriteImage (constitute.c:1124)
==8108==    by 0x4ECE70B: WriteImages (constitute.c:1338)
==8108==    by 0x542F15D: ConvertImageCommand (convert.c:3280)
==8108==    by 0x54B389E: MagickCommandGenesis (mogrify.c:183)
==8108==    by 0x109434: MagickMain (magick.c:149)
==8108==    by 0x109571: main (magick.c:180)
==8108==  Address 0x1237aa800 is not stack'd, malloc'd or (recently) free'd
==8108==
/root/bin/vgq: line 3:  8108 Aborted                 (core dumped) valgrind -q $@
$

12/ImageMagick
$ valgrind -q convert poc output.bmp
convert: Corrupt JPEG data: 68 extraneous bytes before marker 0xdb `poc' @ warning/jpeg.c/JPEGWarningHandler/349.
convert: Corrupt JPEG data: 783 extraneous bytes before marker 0xda `poc' @ warning/jpeg.c/JPEGWarningHandler/349.
convert: Quantization table 0x00 was not defined `poc' @ error/jpeg.c/JPEGErrorHandler/319.
convert: no images defined `output.bmp' @ error/convert.c/ConvertImageCommand/3149.
$

11/ImageMagick
$ valgrind -q convert poc output.bmp
convert: Quantization table 0x00 was not defined `poc'.
convert: missing an image filename `output.bmp'.
$

11/GraphicsMagick
$ valgrind -q gm convert poc output.bmp
gm convert: Quantization table 0x00 was not defined (poc).
$

42.3/GraphicsMagick
$ valgrind -q gm convert poc output.bmp
gm convert: Quantization table 0x00 was not defined (poc).
$

15.0/GraphicsMagick
$ valgrind -q gm convert poc output.bmp
gm convert: Quantization table 0x00 was not defined (poc).
$

PATCH

see comment 0

12/ImageMagick: bmp_info.image_size is unsigned int, affected
11/ImageMagick: bmp_info.image_size is unsigned long, considering partially affected (MagickMax)
11/GraphicsMagick: bmp_info.image_size is unsigned long, considering not affected
42.3,15.0,HG/GraphicsMagick: bmp_info.image_size is unsigned long, according to upstream unaffected

AFTER

15/ImageMagick
$ valgrind -q convert poc output.bmp
[runs long, 100% cpu]

However, this can be overcome by a relevant setting in /etc/ImageMagick*/policy.xml, e.g. by:

<policy domain="resource" name="width" value="10KP"/>
<policy domain="resource" name="height" value="10KP"/>

to limit the vertical and horizontal size of the image. Then:

$ valgrind -q convert poc output.bmp
convert: Corrupt JPEG data: 68 extraneous bytes before marker 0xdb `poc' @ warning/jpeg.c/JPEGWarningHandler/365.
convert: Corrupt JPEG data: 783 extraneous bytes before marker 0xda `poc' @ warning/jpeg.c/JPEGWarningHandler/365.
convert: width or height exceeds limit `poc' @ error/cache.c/OpenPixelCache/3688.
convert: no images defined `output.bmp' @ error/convert.c/ConvertImageCommand/3275.
$
[crash fixed]

12/ImageMagick
$ valgrind -q convert poc output.bmp
convert: Corrupt JPEG data: 68 extraneous bytes before marker 0xdb `poc' @ warning/jpeg.c/JPEGWarningHandler/349.
convert: Corrupt JPEG data: 783 extraneous bytes before marker 0xda `poc' @ warning/jpeg.c/JPEGWarningHandler/349.
convert: Quantization table 0x00 was not defined `poc' @ error/jpeg.c/JPEGErrorHandler/319.
convert: no images defined `output.bmp' @ error/convert.c/ConvertImageCommand/3149.
$
[no change]

11/ImageMagick
$ valgrind -q convert poc output.bmp
convert: Quantization table 0x00 was not defined `poc'.
convert: missing an image filename `output.bmp'.
$
[no change]
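The comment above notes that the 15/ImageMagick crash is also prevented by width/height resource limits in policy.xml. The following added check (not part of this bug report or of ImageMagick) parses a policy.xml and reports whether the width and height limits are missing or looser than a threshold; it assumes ImageMagick's SI-prefix convention for limit values (K = 1000, Ki = 1024, trailing P = pixels, B = bytes) and uses constructed sample policies.

```python
import xml.etree.ElementTree as ET

# Decimal exponents for SI prefixes in policy values (assumption: K = 1000, Ki = 1024).
_EXP = {"K": 1, "M": 2, "G": 3, "T": 4}


def parse_limit(value: str) -> int:
    """Convert a policy value such as '10KP' or '256MiB' into a plain integer."""
    v = value.strip().upper()
    if v.endswith(("P", "B")):        # unit marker: pixels or bytes
        v = v[:-1]
    base = 1000
    if v.endswith("I"):               # 'i' selects binary prefixes (KiB, MiB, ...)
        base = 1024
        v = v[:-1]
    if v and v[-1] in _EXP:
        return int(float(v[:-1]) * base ** _EXP[v[-1]])
    return int(float(v))


def resource_limits(policy_xml: str) -> dict:
    """Return {name: limit} for every <policy domain="resource"> entry in the policymap."""
    root = ET.fromstring(policy_xml)
    limits = {}
    for pol in root.iter("policy"):
        if pol.get("domain") == "resource" and pol.get("name") and pol.get("value"):
            limits[pol.get("name")] = parse_limit(pol.get("value"))
    return limits


def missing_dimension_limits(policy_xml: str, max_pixels: int = 10_000) -> list:
    """Names among width/height that are unset or looser than max_pixels (10KP by default)."""
    limits = resource_limits(policy_xml)
    return [n for n in ("width", "height") if limits.get(n, float("inf")) > max_pixels]


# Constructed sample policies: one without dimension limits, one with the limits from the comment.
UNRESTRICTED = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

RESTRICTED = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="width" value="10KP"/>
  <policy domain="resource" name="height" value="10KP"/>
</policymap>"""

if __name__ == "__main__":
    print("unrestricted:", missing_dimension_limits(UNRESTRICTED))   # ['width', 'height']
    print("restricted:", missing_dimension_limits(RESTRICTED))       # []
```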
Will submit for: 15/ImageMagick, 12/ImageMagick and 11/ImageMagick.
I believe all fixed.
SUSE-SU-2018:2043-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1094742,1094745,1095812,1096200,1096203,1098545,1098546
CVE References: CVE-2018-10805,CVE-2018-11624,CVE-2018-11625,CVE-2018-12599,CVE-2018-12600
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src): ImageMagick-7.0.7.34-3.9.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src): ImageMagick-7.0.7.34-3.9.1
openSUSE-SU-2018:2123-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1094742,1094745,1095812,1096200,1096203,1098545,1098546
CVE References: CVE-2018-10805,CVE-2018-11624,CVE-2018-11625,CVE-2018-12599,CVE-2018-12600
Sources used:
openSUSE Leap 15.0 (src): ImageMagick-7.0.7.34-lp150.2.6.1
SUSE-SU-2018:2465-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1056277,1094204,1094237,1095812,1098545,1098546,1102003,1102004,1102005,1102007
CVE References: CVE-2017-13758,CVE-2017-18271,CVE-2018-10805,CVE-2018-11251,CVE-2018-12599,CVE-2018-12600,CVE-2018-14434,CVE-2018-14435,CVE-2018-14436,CVE-2018-14437
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ImageMagick-6.4.3.6-78.56.1
SUSE Linux Enterprise Server 11-SP4 (src): ImageMagick-6.4.3.6-78.56.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): ImageMagick-6.4.3.6-78.56.1
all released
SUSE-SU-2018:3191-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1098545,1098546,1110746,1110747,1111069,1111072
CVE References: CVE-2017-13058,CVE-2018-12599,CVE-2018-12600,CVE-2018-17965,CVE-2018-17966,CVE-2018-18016,CVE-2018-18024
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): ImageMagick-6.8.8.1-71.82.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): ImageMagick-6.8.8.1-71.82.1
SUSE Linux Enterprise Server 12-SP3 (src): ImageMagick-6.8.8.1-71.82.1
SUSE Linux Enterprise Desktop 12-SP3 (src): ImageMagick-6.8.8.1-71.82.1
openSUSE-SU-2018:3225-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1098545,1098546,1110746,1110747,1111069,1111072
CVE References: CVE-2017-13058,CVE-2018-12599,CVE-2018-12600,CVE-2018-17965,CVE-2018-17966,CVE-2018-18016,CVE-2018-18024
Sources used:
openSUSE Leap 42.3 (src): ImageMagick-6.8.8.1-73.1
This is an autogenerated message for OBS integration:
This bug (1098546) was mentioned in
https://build.opensuse.org/request/show/923064 Factory / ImageMagick
This is an autogenerated message for OBS integration:
This bug (1098546) was mentioned in
https://build.opensuse.org/request/show/923178 Factory / ImageMagick