Bug 1107609 - (CVE-2018-16644) VUL-1: CVE-2018-16644: GraphicsMagick,ImageMagick: missing check for length in the functions ReadDCMImage of coders/dcm.c and ReadPICTImage of coders/pict
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low
Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/213900/
CVSSv3:SUSE:CVE-2018-16644:3.3:(AV:L/...
Reported: 2018-09-07 07:20 UTC by Karol Babioch
Modified: 2021-10-04 16:41 UTC (History)
Found By: Security Response Team
Description Karol Babioch 2018-09-07 07:20:21 UTC
CVE-2018-16644

There is a missing check for length in the functions ReadDCMImage of
coders/dcm.c and ReadPICTImage of coders/pict.c in ImageMagick 7.0.8-11, which
allows remote attackers to cause a denial of service via a crafted image.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16644
http://www.cvedetails.com/cve/CVE-2018-16644/
https://github.com/ImageMagick/ImageMagick/issues/1269
https://github.com/ImageMagick/ImageMagick/commit/afa878a689870c28b6994ecf3bb8dbfb2b76d135
https://github.com/ImageMagick/ImageMagick/commit/16916c8979c32765c542e216b31cee2671b7afe7
Comment 1 Karol Babioch 2018-09-07 07:24:17 UTC
Based on the fixing commits, all of our codestreams are affected:

SUSE:SLE-11:Update/GraphicsMagick
SUSE:SLE-11:Update/ImageMagick
SUSE:SLE-12:Update/ImageMagick
SUSE:SLE-15:Update/ImageMagick
Comment 2 Petr Gajdos 2018-09-10 08:52:43 UTC
No testcase found.
Comment 3 Petr Gajdos 2018-09-10 09:27:14 UTC
pict.c: I think the check is actually needed in only one place:

            type=ReadBlobMSBShort(image);
            length=ReadBlobMSBShort(image);
            if (length == 0)
              break;
            (void) ReadBlobMSBLong(image);
            length-=MagickMin(length,4);
            if (length == 0)
              break;
            info=(unsigned char *) AcquireQuantumMemory(length,sizeof(*info));

Here the unchecked value of the length variable, just read from the image file, can lead to excessive memory allocation. Everywhere else it looks like:

        length=ReadBlobMSBShort(image);
        for (i=0; i < (ssize_t) length; i++)
          if (ReadBlobByte(image) == EOF)
            break;
        continue;

This will bail out after reaching file end safely.

dcm.c: similar to second snippet above (just reading bytes until end of the file). Could you please verify? I do not think this is a security issue, except the first code snippet listed in this comment. Or is there something I do not see?
Comment 4 Karol Babioch 2018-09-10 10:50:26 UTC
You are probably right, but I still think there might be problems here.

For instance: (in theory) the other places could also trigger an out-of-bounds read.

For instance in this case:

            length=ReadBlobMSBShort(image);
            if (length != 0x000a)
              {
                for (i=0; i < (ssize_t) (length-2); i++)
                   if (ReadBlobByte(image) == EOF)
                     break;
                 break;
               }

length is user provided (i.e. specified in the image file itself). It is only checked for 0x000a here. So in case of any other value than 0x000a, it will trigger ReadBlobByte(image) for each byte. Depending on whether ReadBlobStream() will prevent this (I'm not quite sure), this might lead to an out-of-bounds read. To be on the safe side, we should check the length early on.
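The allocation pattern from comment 3 and the EOF-bounded read from comment 4, as an added example that is neither part of this bug report nor ImageMagick's own code: a constructed in-memory blob (hypothetical Blob type and blob_* helpers) stands in for the image stream, and read_record() shows the unchecked, file-sized allocation beside the bound on remaining input that a reader should apply before trusting the length.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed in-memory blob standing in for ImageMagick's image blob
   (an assumption of this example, not one of ImageMagick's own types). */
typedef struct { const unsigned char *data; size_t size; size_t offset; } Blob;

/* Counterpart of ReadBlobByte(): returns EOF once the blob is exhausted, which is
   what makes the byte-skipping loops quoted above stop on a truncated file. */
static int blob_read_byte(Blob *b) {
    return b->offset < b->size ? b->data[b->offset++] : EOF;
}
/* Counterpart of ReadBlobMSBShort(): big-endian 16-bit value, 0 on a short read. */
static unsigned short blob_read_msb_short(Blob *b) {
    int hi = blob_read_byte(b), lo = blob_read_byte(b);
    return (hi == EOF || lo == EOF) ? 0 : (unsigned short)((hi << 8) | lo);
}

/* One length-prefixed record as in the first snippet of comment 3: a 16-bit length,
   a 4-byte field counted against it, then `length` payload bytes into a buffer sized
   only by the file-supplied value. With `checked` set the length is first bounded by
   the bytes that remain, so an inflated record is rejected (-1) rather than honoured.
   Returns payload bytes actually read; *allocated reports the requested buffer size. */
int read_record(Blob *b, int checked, size_t *allocated) {
    unsigned short length = blob_read_msb_short(b);
    *allocated = 0;
    if (length == 0) return 0;
    for (int i = 0; i < 4; i++) (void) blob_read_byte(b);    /* ReadBlobMSBLong() */
    length -= (length < 4) ? length : 4;                       /* MagickMin(length,4) */
    if (length == 0) return 0;
    if (checked && length > b->size - b->offset) return -1;    /* the missing bound */
    unsigned char *info = malloc(length);
    if (info == NULL) return -1;
    *allocated = length;
    int n = 0, c;
    while (n < (int) length && (c = blob_read_byte(b)) != EOF) info[n++] = (unsigned char) c;
    free(info);
    return n;
}

/* Constructed sample: a record claiming 0xFFFF bytes but carrying only three. */
static const unsigned char CRAFTED[] = { 0xFF, 0xFF, 0, 0, 0, 0, 'a', 'b', 'c' };
Blob crafted_blob(void) { Blob b = { CRAFTED, sizeof CRAFTED, 0 }; return b; }

int main(void) {
    size_t alloc; Blob b = crafted_blob();
    int got = read_record(&b, 0, &alloc);
    printf("unchecked: read %d of %zu requested bytes\n", got, alloc);
    b = crafted_blob(); printf("checked: %d\n", read_record(&b, 1, &alloc));
    return 0;
}
```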
Comment 5 Petr Gajdos 2018-09-10 11:35:05 UTC
Of course I assume ReadBlobByte() returns EOF at the end of the file, and I think we would probably have a bigger problem if not. And it seems that it does in any case at first sight, but I may be wrong.

I feel from your reply that you want to apply the patch as it is. I am not going to spend more energy to dispute it. However, I am not going to push that into 42.3/GraphicsMagick, 15.0/GraphicsMagick and GraphicsMagick upstream without any other proof there is an issue.
Comment 6 Petr Gajdos 2018-09-10 12:58:44 UTC
dcm.c patched code is only present in 12,15/ImageMagick.
Comment 7 Petr Gajdos 2018-09-10 13:21:53 UTC
Will submit for: 11,12,15/ImageMagick and 11,42.3,15.0/GraphicsMagick.

42.3,15.0/GraphicsMagick will only contain the potential excessive memory allocation fix (comment 3). This I also added to the upstream bug:
https://sourceforge.net/p/graphicsmagick/bugs/572/
Comment 8 Petr Gajdos 2018-09-11 12:36:58 UTC
I believe all fixed.
Comment 10 Swamp Workflow Management 2018-09-11 13:10:09 UTC
This is an autogenerated message for OBS integration:
This bug (1107609) was mentioned in
https://build.opensuse.org/request/show/634960 42.3 / GraphicsMagick
https://build.opensuse.org/request/show/634961 15.0 / GraphicsMagick
Comment 11 Swamp Workflow Management 2018-09-15 11:50:10 UTC
This is an autogenerated message for OBS integration:
This bug (1107609) was mentioned in
https://build.opensuse.org/request/show/635859 42.3 / GraphicsMagick
Comment 13 Swamp Workflow Management 2018-09-17 13:08:24 UTC
openSUSE-SU-2018:2742-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 1107604,1107609
CVE References: CVE-2018-16644,CVE-2018-16645
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-105.1
openSUSE Leap 15.0 (src):    GraphicsMagick-1.3.29-lp150.3.12.1
Comment 16 Swamp Workflow Management 2018-09-22 07:27:30 UTC
openSUSE-SU-2018:2742-2: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 1107604,1107609
CVE References: CVE-2018-16644,CVE-2018-16645
Sources used:
openSUSE Backports SLE-15 (src):    GraphicsMagick-1.3.29-bp150.2.6.1
Comment 17 Swamp Workflow Management 2018-10-02 19:14:48 UTC
SUSE-SU-2018:2977-1: An update that fixes 10 vulnerabilities is now available.

Category: security (low)
Bug References: 1106855,1106857,1106858,1106989,1107604,1107609,1107612,1107616,1107618,1107619
CVE References: CVE-2018-16323,CVE-2018-16328,CVE-2018-16329,CVE-2018-16413,CVE-2018-16640,CVE-2018-16641,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.24.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.24.1
Comment 19 Swamp Workflow Management 2018-10-05 10:10:21 UTC
openSUSE-SU-2018:3014-1: An update that fixes 10 vulnerabilities is now available.

Category: security (low)
Bug References: 1106855,1106857,1106858,1106989,1107604,1107609,1107612,1107616,1107618,1107619
CVE References: CVE-2018-16323,CVE-2018-16328,CVE-2018-16329,CVE-2018-16413,CVE-2018-16640,CVE-2018-16641,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645
Sources used:
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.15.1
Comment 20 Swamp Workflow Management 2018-10-11 07:09:23 UTC
SUSE-SU-2018:3095-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1050129,1105592,1106989,1107604,1107609,1107612,1107616,1107619,1108282,1108283
CVE References: CVE-2017-11532,CVE-2018-16413,CVE-2018-16640,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
Comment 23 Swamp Workflow Management 2018-10-17 19:23:56 UTC
openSUSE-SU-2018:3203-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1050129,1105592,1106989,1107604,1107609,1107612,1107616,1107619,1108282,1108283
CVE References: CVE-2017-11532,CVE-2018-16413,CVE-2018-16640,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-70.2
Comment 24 Petr Gajdos 2018-10-22 11:21:00 UTC
I found a regression in ImageMagick-CVE-2018-16644.patch, I will resubmit against 12/ImageMagick and 11/ImageMagick.
Comment 25 Swamp Workflow Management 2018-10-22 13:12:52 UTC
SUSE-SU-2018:3269-1: An update that fixes 12 vulnerabilities is now available.

Category: security (low)
Bug References: 1106855,1107604,1107609,1107612,1107616,1107619,1108282,1108283,1110746,1110747,1111069,1111072
CVE References: CVE-2018-16323,CVE-2018-16640,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750,CVE-2018-17965,CVE-2018-17966,CVE-2018-18016,CVE-2018-18024
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-78.72.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-78.72.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-78.72.1
Comment 26 Petr Gajdos 2018-10-23 08:26:27 UTC
Packages submitted into 11,12/ImageMagick.
Comment 30 Swamp Workflow Management 2018-10-23 19:18:47 UTC
SUSE-SU-2018:3348-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1074170,1106855,1106989,1107604,1107609,1107612,1107616,1108282,1108283,1110746,1110747,1111069,1111072
CVE References: CVE-2017-17934,CVE-2018-16323,CVE-2018-16413,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750,CVE-2018-17965,CVE-2018-17966,CVE-2018-18016,CVE-2018-18024
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-78.74.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-78.74.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.74.1
Comment 32 Swamp Workflow Management 2018-10-25 19:17:55 UTC
SUSE-SU-2018:3465-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1107609,1112399
CVE References: CVE-2017-14997,CVE-2018-16644
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.85.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.85.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.85.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.85.1
Comment 33 Swamp Workflow Management 2018-10-26 22:27:58 UTC
openSUSE-SU-2018:3524-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1107609,1112399
CVE References: CVE-2017-14997,CVE-2018-16644
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-76.1
Comment 35 Swamp Workflow Management 2018-11-19 14:11:56 UTC
SUSE-SU-2018:3808-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1050129,1050635,1107609,1112399
CVE References: CVE-2017-11532,CVE-2017-11639,CVE-2017-14997,CVE-2018-16644
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-78.79.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-78.79.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.79.1
Comment 36 Petr Gajdos 2019-02-14 14:43:02 UTC
I found a regression in dcm.c decoder introduced by the fix. Will resubmit for 12/ImageMagick.
Comment 42 Swamp Workflow Management 2019-04-25 16:16:16 UTC
SUSE-SU-2019:1033-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956
Sources used:
SUSE OpenStack Cloud 7 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-LTSS (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Enterprise Storage 4 (src):    ImageMagick-6.8.8.1-71.108.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 43 Swamp Workflow Management 2019-04-27 01:12:06 UTC
SUSE-SU-2019:1033-2: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ImageMagick-6.8.8.1-71.108.1
Comment 44 Swamp Workflow Management 2019-05-03 19:13:40 UTC
openSUSE-SU-2019:1320-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-82.1
Comment 45 Marcus Meissner 2019-05-04 05:44:20 UTC
released
Comment 46 Swamp Workflow Management 2019-05-28 13:30:33 UTC
This is an autogenerated message for OBS integration:
This bug (1107609) was mentioned in
https://build.opensuse.org/request/show/705902 15.1 / GraphicsMagick
Comment 47 OBSbugzilla Bot 2021-10-04 16:41:34 UTC
This is an autogenerated message for OBS integration:
This bug (1107609) was mentioned in
https://build.opensuse.org/request/show/923064 Factory / ImageMagick