Bug 1106996 - (CVE-2018-16412) VUL-1: CVE-2018-16412: GraphicsMagick,ImageMagick: heap-based buffer over-read in the coders/psd.c ParseImageResourceBlocks function
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Importance: P4 - Low, Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/213690/
CVSSv3:SUSE:CVE-2018-16412:3.3:(AV:L/...
Reported: 2018-09-04 07:38 UTC by Karol Babioch
Modified: 2021-10-05 10:41 UTC
Found By: Security Response Team
Description Karol Babioch 2018-09-04 07:38:43 UTC
CVE-2018-16412

ImageMagick 7.0.8-11 Q16 has a heap-based buffer over-read in the coders/psd.c
ParseImageResourceBlocks function.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16412
http://www.cvedetails.com/cve/CVE-2018-16412/
https://github.com/ImageMagick/ImageMagick/issues/1250
Comment 1 Petr Gajdos 2018-09-05 08:07:01 UTC
From the upstream bug (backtrace, later comments) it seems like a dup of CVE-2018-16413 (bug 1106989). I will try to examine it through the test case.
Comment 2 Petr Gajdos 2018-09-05 10:12:23 UTC
I tried the testcases for bugs 1249, 1250 and 1251 and I get the following with 7.0.8-11 on a 32-bit system. This is already _with_
https://github.com/ImageMagick/ImageMagick/commit/17a1a6f97fd088a71931bdc422f4e96bb6ffc549
even if the reporter in the upstream bugs claims he has 7.0.8-11 installed, which is a contradiction. Perhaps he tests some beta version.

Anyway, the program control always bails out from the main loop of ParseImageResourceBlocks() in the patched if condition:

(gdb) run test-1249 /dev/null
Breakpoint 1, ParseImageResourceBlocks (image=0x56573e90, blocks=0x56573990 "8BIM", <incomplete sequence \355>, length=16, 
    has_merged_image=0xffff402c, exception=0x5655e910) at coders/psd.c:797
797	    if (((p+offset) < blocks) || ((p+offset) > (blocks+length)))
(gdb) p ((p+offset) < blocks)
$1 = 1
(gdb) p ((p+offset) > (blocks+length))
$2 = 0
(gdb)

(gdb) run test-1250 /dev/null
Breakpoint 1, ParseImageResourceBlocks (image=0x56573e90, blocks=0x56571950 "8BIM\004!\016", length=28, has_merged_image=0xffff402c, 
    exception=0x5655e910) at coders/psd.c:797
797	    if (((p+offset) < blocks) || ((p+offset) > (blocks+length)))
(gdb) p ((p+offset) < blocks)
$3 = 0
(gdb) p ((p+offset) > (blocks+length))
$4 = 1
(gdb)

(gdb) run test-1251 /dev/null
Breakpoint 1, ParseImageResourceBlocks (image=0x56573e90, blocks=0x56573990 "8bIM", <incomplete sequence \355>, length=21, 
    has_merged_image=0xffff402c, exception=0x5655e910) at coders/psd.c:797
797	    if (((p+offset) < blocks) || ((p+offset) > (blocks+length)))
(gdb) p ((p+offset) < blocks)
$5 = 1
(gdb) p  ((p+offset) > (blocks+length))
$6 = 0
(gdb)

But you see that test-1249 and test-1251 bail out for a different reason than test-1250. That means two things. First, CVE-2018-16412, related to upstream issue 1250, indeed looks like a slightly different issue. Second, I cannot reproduce CVE-2018-16412, as the program control bails out before it actually reaches the problematic code inside the switch (id).

I would like to know if we can assume that we are not affected, or rather try to wait for what upstream does in the bug.
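The condition the gdb sessions above stop at is a bounds check on the resource block's declared extent. As an added illustration (not code from this bug, from ImageMagick, or from the SUSE patch), the hypothetical C walker below parses PSD image resource blocks and rejects any block whose declared size would run past the buffer before a single data byte is read. The function and array names (parse_resource_blocks, good_blocks, oversized_blocks, truncated_blocks) are assumptions; the block layout follows the Adobe PSD format (signature, id, Pascal-string name, size, data, each field padded to even length). Unlike the pointer comparison in the quoted line, the check here is done on remaining byte counts, a design choice of this example rather than ImageMagick's form.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical walker over a PSD "image resources" section (not ImageMagick's
 * ParseImageResourceBlocks). Each block is laid out as:
 *   "8BIM" signature (4) | resource id (2, big-endian) |
 *   Pascal-string name (1 length byte + chars, padded to even length) |
 *   data size (4, big-endian) | data (padded to even length)
 * Returns the number of blocks walked, or -1 as soon as a block would
 * extend past the end of the buffer or is otherwise malformed. */

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t rd32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

int parse_resource_blocks(const unsigned char *blocks, size_t length)
{
    const unsigned char *p = blocks;
    size_t remaining = length;
    int count = 0;

    while (remaining > 0) {
        /* Smallest possible block header: sig(4) + id(2) + empty name(2) + size(4). */
        if (remaining < 12)
            return -1;
        if (memcmp(p, "8BIM", 4) != 0)
            return -1;

        uint16_t id = rd16(p + 4);
        size_t name_len = p[6];
        /* Length byte plus characters, rounded up to an even number of bytes. */
        size_t name_field = (name_len + 2) & ~(size_t)1;
        size_t header = 4 + 2 + name_field + 4;
        if (header > remaining)
            return -1;

        uint32_t size = rd32(p + 6 + name_field);
        /* Data is padded to even length; widen first so a 0xFFFFFFFF size
         * cannot wrap on a 32-bit size_t. */
        uint64_t data_field = (uint64_t)size + (size & 1u);

        /* The bounds check, expressed in sizes: the block must end inside the
         * buffer. Arithmetic on remaining bytes never forms a pointer beyond
         * the allocation, so the comparison itself is well defined. */
        if (data_field > (uint64_t)(remaining - header))
            return -1;

        printf("resource id 0x%04X, %u data bytes\n", (unsigned)id, (unsigned)size);
        p += header + (size_t)data_field;
        remaining -= header + (size_t)data_field;
        count++;
    }
    return count;
}

/* Constructed sample input: two well-formed blocks. The ids 0x03ED
 * (ResolutionInfo) and 0x0404 (IPTC) are real PSD resource ids; the
 * data bytes are arbitrary. */
static const unsigned char good_blocks[] = {
    '8','B','I','M', 0x03,0xED, 0x00,0x00, 0x00,0x00,0x00,0x02, 0xAA,0xBB,
    '8','B','I','M', 0x04,0x04, 0x00,0x00, 0x00,0x00,0x00,0x03, 0x01,0x02,0x03,0x00,
};

/* Constructed malformed input: the size field claims 65535 bytes of data
 * but only two follow, so a reader trusting the field would over-read. */
static const unsigned char oversized_blocks[] = {
    '8','B','I','M', 0x03,0xED, 0x00,0x00, 0x00,0x00,0xFF,0xFF, 0xAA,0xBB,
};

/* Constructed malformed input: header truncated after the resource id. */
static const unsigned char truncated_blocks[] = {
    '8','B','I','M', 0x03,0xED,
};

int demo_good(void)      { return parse_resource_blocks(good_blocks, sizeof good_blocks); }
int demo_oversized(void) { return parse_resource_blocks(oversized_blocks, sizeof oversized_blocks); }
int demo_truncated(void) { return parse_resource_blocks(truncated_blocks, sizeof truncated_blocks); }

int main(void)
{
    printf("good: %d blocks\n", demo_good());       /* 2 */
    printf("oversized: %d\n", demo_oversized());    /* -1 */
    printf("truncated: %d\n", demo_truncated());    /* -1 */
    return 0;
}
```

The two malformed inputs exercise the two ways a block can fail the check: a size field larger than the bytes left, and a header that itself does not fit. Rejecting at that point, before the per-id switch runs, is what keeps the data reads inside the buffer.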
Comment 3 Petr Gajdos 2018-09-05 10:35:17 UTC
*/GraphicsMagick: code similar to ParseImageResourceBlocks() was not found. If I missed something, please let me know where the code lies.
Comment 4 Petr Gajdos 2018-09-05 11:32:19 UTC
Not a single valgrind error running the testcase for 15,12,11/ImageMagick 32-bit.
Comment 5 Petr Gajdos 2018-09-05 11:44:02 UTC
Related to bug 984160.
Comment 6 Petr Gajdos 2018-09-05 12:00:25 UTC
Note that upstream cannot reproduce 1250. Perhaps it was a temporary state in development versions (see the beginning of comment 2)?
Comment 7 Petr Gajdos 2018-09-05 12:01:19 UTC
(I am not a friend of assigning CVEs to bugs which upstream does not confirm.)
Comment 8 Karol Babioch 2018-09-05 15:10:47 UTC
> I would like to know if we can assume that we are not affected, or rather try
> to wait for what upstream does in the bug.

First of all, thank you very much for your detailed analysis. It is very much appreciated. Given your findings and the upstream status, I tend to close this as WONTFIX, since I don't expect anything usable to come out here, but we can certainly wait for a couple more days and follow the upstream status.
Comment 9 Petr Gajdos 2018-09-05 15:24:45 UTC
Okay, let's keep it open for now.
Comment 10 Karol Babioch 2018-12-20 14:24:56 UTC
There has been some activity in the upstream bug after our last comment here, but it seems that it also depends on the architecture.

The commits fixing the problem have also been identified:

> I was also able to confirm that 7.0.8-10 exhibits the behavior while 7.0.8-11
> does not. This was done on Debian unstable. I was able to confirm that the 
> specific commit which fixes the problem is 17a1a6f (for IM6 it is 
> ImageMagick/ImageMagick6@4745eb1).

Petr, could you check whether or not we have those commits/patches already applied?
Comment 11 Petr Gajdos 2018-12-21 08:28:03 UTC
Yes, in ImageMagick-CVE-2018-16413.patch. Adding the check indeed catches the issue with the test case (comment 2). While I have no proof that it also resolves CVE-2018-16412 completely, let's consider it a fix for CVE-2018-16412, too. Will adjust the rpm changelogs.
Comment 12 Petr Gajdos 2018-12-21 09:00:37 UTC
I will submit the rpm changelog adjustment for: 15,12,11/ImageMagick
Comment 13 Petr Gajdos 2018-12-21 11:04:31 UTC
I believe all fixed.
Comment 23 Swamp Workflow Management 2019-03-26 17:15:53 UTC
SUSE-SU-2019:0739-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106415,1106996,1113064,1120381,1124365,1124366,1124367,1124368,1128649
CVE References: CVE-2018-16412,CVE-2018-18544,CVE-2018-20467,CVE-2019-7175,CVE-2019-7395,CVE-2019-7396,CVE-2019-7397,CVE-2019-7398
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ImageMagick-7.0.7.34-3.49.4
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.49.4
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.49.4

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 24 Swamp Workflow Management 2019-03-28 02:13:23 UTC
SUSE-SU-2019:13993-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1113064,1120381,1124365,1124366,1128649
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-18544,CVE-2018-20467,CVE-2019-7175,CVE-2019-7397,CVE-2019-7398
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-78.92.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-78.92.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    ImageMagick-6.4.3.6-78.92.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.92.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 26 Swamp Workflow Management 2019-04-04 22:28:07 UTC
openSUSE-SU-2019:1141-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106415,1106996,1113064,1120381,1124365,1124366,1124367,1124368,1128649
CVE References: CVE-2018-16412,CVE-2018-18544,CVE-2018-20467,CVE-2019-7175,CVE-2019-7395,CVE-2019-7396,CVE-2019-7397,CVE-2019-7398
Sources used:
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.26.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 28 Swamp Workflow Management 2019-04-25 16:16:07 UTC
SUSE-SU-2019:1033-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956
Sources used:
SUSE OpenStack Cloud 7 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-LTSS (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Enterprise Storage 4 (src):    ImageMagick-6.8.8.1-71.108.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Swamp Workflow Management 2019-04-27 01:11:58 UTC
SUSE-SU-2019:1033-2: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ImageMagick-6.8.8.1-71.108.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Swamp Workflow Management 2019-05-03 19:13:31 UTC
openSUSE-SU-2019:1320-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-82.1
Comment 31 Marcus Meissner 2019-07-09 07:00:16 UTC
released
Comment 32 OBSbugzilla Bot 2021-10-04 16:41:25 UTC
This is an autogenerated message for OBS integration:
This bug (1106996) was mentioned in
https://build.opensuse.org/request/show/923064 Factory / ImageMagick
Comment 33 OBSbugzilla Bot 2021-10-05 10:41:20 UTC
This is an autogenerated message for OBS integration:
This bug (1106996) was mentioned in
https://build.opensuse.org/request/show/923178 Factory / ImageMagick