Bug 1107612 - (CVE-2018-16643) VUL-1: CVE-2018-16643: GraphicsMagick,ImageMagick: ReadDCMImage in coders/dcm.c, ReadPWPImage in coders/pwp.c, ReadCALSImage in coders/cals.c, and ReadPICTImage in coders/pict.c in do not check the return value
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
https://smash.suse.de/issue/213899/
CVSSv3:SUSE:CVE-2018-16643:3.3:(AV:L/...
Reported: 2018-09-07 07:26 UTC by Karol Babioch
Modified: 2021-10-04 16:41 UTC (History)
Found By: Security Response Team
Description Karol Babioch 2018-09-07 07:26:27 UTC
CVE-2018-16643

The functions ReadDCMImage in coders/dcm.c, ReadPWPImage in coders/pwp.c,
ReadCALSImage in coders/cals.c, and ReadPICTImage in coders/pict.c in
ImageMagick 7.0.8-4 do not check the return value of the fputc function, which
allows remote attackers to cause a denial of service via a crafted image file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16643
https://github.com/ImageMagick/ImageMagick/issues/1199
https://github.com/ImageMagick/ImageMagick/commit/6b6bff054d569a77973f2140c0e86366e6168a6c
Comment 1 Karol Babioch 2018-09-07 07:32:50 UTC
All codestreams seem to be affected by this (based on a quick glance at the source code):

SUSE:SLE-11:Update/GraphicsMagick
SUSE:SLE-11:Update/ImageMagick
SUSE:SLE-12:Update/ImageMagick
SUSE:SLE-15:Update/ImageMagick

The SLE-11 packages are a little bit different, though, and the upstream patch is probably not applicable without some (minor) modifications, since some coders are not available, and the code has changed/moved a little bit.
Comment 2 Petr Gajdos 2018-09-10 10:42:20 UTC
   while ((c=ReadBlobByte(image)) != EOF)
    (void) fputc(c,file);

I am not sure I see a security bug there, could you please advise? I understand:

   while ((c=ReadBlobByte(image)) != EOF)
-    (void) fputc(c,file);
+    if (fputc(c,file) != c)
+      break;
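Review bot: the break on a failed fputc() ends the copy, but the lines shown do not record that the output is incomplete, so a caller could still hand a truncated temporary file to whatever consumes it; consider also testing ferror(file) or the return value of fclose(file) after the loop and returning a failure from the reader in that case. Comparing against c rather than EOF is sound here, because the loop condition has already excluded EOF, leaving c as the byte value that fputc() echoes back on success.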

will save some cycles in case of failing fputc, but why does it have the security flag? At least, there has to be an image file of that size already on the system.
Comment 3 Karol Babioch 2018-09-10 12:27:05 UTC
I guess this comes down to the same issue as discussed in bug 1107609. Without this check fputc() and ReadBlobByte() might be invoked multiple times (up to / beyond EOF). I'm not sure if this is an issue in this particular case, but it has been an issue in the past. According to the GitHub issue, this is similar to issue #196 [1] for instance.

Unfortunately there is no reproducer available, so it is difficult to trigger this issue without investing some serious amount of time.

To be on the safe side, I would advise to apply the upstream patch, if at all possible.

https://github.com/ImageMagick/ImageMagick/issues/196
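To make the difference between the two loops discussed in comments 2 and 3 concrete, an added C example (not ImageMagick's or GraphicsMagick's own code): the byte-sink abstraction, the failing sink and the eight-byte input are constructed for the demonstration, and put_file shows that fputc() itself fits the same contract, so the checked loop is what the upstream patch does, with the failure additionally reported to the caller.

```c
#include <stdio.h>
#include <stddef.h>
/* Byte sink for this example: returns the byte written or EOF on failure, as fputc() does. */
typedef int (*put_fn)(int c, void *ctx);
int put_file(int c, void *ctx) { return fputc(c, (FILE *)ctx); }   /* real sink: fputc() */

/* Constructed failing sink: takes ok_bytes bytes, then fails like a full disk would. */
struct limited_sink { size_t ok_bytes, written, calls; };
int put_limited(int c, void *ctx) {
    struct limited_sink *s = ctx;
    s->calls++;
    if (s->written >= s->ok_bytes) return EOF;
    s->written++;
    return c;
}

/* The bug's pattern: the sink is called for every remaining byte even after a failure. */
void copy_unchecked(const unsigned char *in, size_t n, put_fn put, void *ctx) {
    for (size_t i = 0; i < n; i++) (void) put(in[i], ctx);
}

/* The upstream fix plus reporting: stop at the first failed write and return -1 to the caller. */
long copy_checked(const unsigned char *in, size_t n, put_fn put, void *ctx) {
    for (size_t i = 0; i < n; i++)
        if (put(in[i], ctx) != in[i]) return -1;   /* fputc: byte written, or EOF */
    return (long) n;
}

/* Constructed 8-byte input, pushed into a sink that fails after 3 bytes. */
static const unsigned char sample[8] = { 'A','B','C','D','E','F','G','H' };
size_t calls_unchecked(void) {                 /* 8: every byte is still attempted */
    struct limited_sink s = { 3, 0, 0 };
    copy_unchecked(sample, sizeof sample, put_limited, &s);
    return s.calls;
}
size_t calls_checked(void) {                   /* 4: three written, then the failed one */
    struct limited_sink s = { 3, 0, 0 };
    (void) copy_checked(sample, sizeof sample, put_limited, &s);
    return s.calls;
}
long result_checked(void) {                    /* -1: the truncated copy is reported */
    struct limited_sink s = { 3, 0, 0 };
    return copy_checked(sample, sizeof sample, put_limited, &s);
}
int main(void) {                               /* stand-alone run */
    printf("unchecked: %zu calls; checked: %zu calls, result %ld\n",
           calls_unchecked(), calls_checked(), result_checked());
    /* The fixed loop on a real stream; fflush() is checked since buffered bytes commit there. */
    return copy_checked(sample, sizeof sample, put_file, stdout) < 0 || fflush(stdout) != 0;
}
```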
Comment 4 Petr Gajdos 2018-09-10 14:09:16 UTC
(In reply to Karol Babioch from comment #3)
> I guess this comes down to the same issue as discussed in bug 1107609.
> Without this check fputc() and ReadBlobByte() might be invoked multiple
> times (up to / beyond EOF). I'm not sure if this is an issue in this

Hmm, this seems to be another issue than bug 1107609. The check there talks about reading the input file to the extent depending on the user input. The check in this bug does not depend on user input at all and relates to writing a file.

Not convinced, but let us fix this bug, again not for 42.3,15.0,HG/GraphicsMagick until an explanation is found.
Comment 5 Petr Gajdos 2018-09-10 14:10:05 UTC
No testcase found.
Comment 6 Petr Gajdos 2018-09-11 12:32:09 UTC
Will submit for 15,12,11/ImageMagick and 11/GraphicsMagick.
Comment 7 Petr Gajdos 2018-09-11 12:36:55 UTC
I believe all fixed.
Comment 12 Swamp Workflow Management 2018-10-02 19:14:56 UTC
SUSE-SU-2018:2977-1: An update that fixes 10 vulnerabilities is now available.

Category: security (low)
Bug References: 1106855,1106857,1106858,1106989,1107604,1107609,1107612,1107616,1107618,1107619
CVE References: CVE-2018-16323,CVE-2018-16328,CVE-2018-16329,CVE-2018-16413,CVE-2018-16640,CVE-2018-16641,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.24.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.24.1
Comment 14 Swamp Workflow Management 2018-10-05 10:10:30 UTC
openSUSE-SU-2018:3014-1: An update that fixes 10 vulnerabilities is now available.

Category: security (low)
Bug References: 1106855,1106857,1106858,1106989,1107604,1107609,1107612,1107616,1107618,1107619
CVE References: CVE-2018-16323,CVE-2018-16328,CVE-2018-16329,CVE-2018-16413,CVE-2018-16640,CVE-2018-16641,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645
Sources used:
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.15.1
Comment 15 Swamp Workflow Management 2018-10-11 07:09:33 UTC
SUSE-SU-2018:3095-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1050129,1105592,1106989,1107604,1107609,1107612,1107616,1107619,1108282,1108283
CVE References: CVE-2017-11532,CVE-2018-16413,CVE-2018-16640,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
Comment 18 Swamp Workflow Management 2018-10-17 19:24:04 UTC
openSUSE-SU-2018:3203-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1050129,1105592,1106989,1107604,1107609,1107612,1107616,1107619,1108282,1108283
CVE References: CVE-2017-11532,CVE-2018-16413,CVE-2018-16640,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-70.2
Comment 19 Swamp Workflow Management 2018-10-22 13:13:00 UTC
SUSE-SU-2018:3269-1: An update that fixes 12 vulnerabilities is now available.

Category: security (low)
Bug References: 1106855,1107604,1107609,1107612,1107616,1107619,1108282,1108283,1110746,1110747,1111069,1111072
CVE References: CVE-2018-16323,CVE-2018-16640,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750,CVE-2018-17965,CVE-2018-17966,CVE-2018-18016,CVE-2018-18024
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-78.72.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-78.72.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-78.72.1
Comment 22 Swamp Workflow Management 2018-10-23 19:18:55 UTC
SUSE-SU-2018:3348-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1074170,1106855,1106989,1107604,1107609,1107612,1107616,1108282,1108283,1110746,1110747,1111069,1111072
CVE References: CVE-2017-17934,CVE-2018-16323,CVE-2018-16413,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750,CVE-2018-17965,CVE-2018-17966,CVE-2018-18016,CVE-2018-18024
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-78.74.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-78.74.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.74.1
Comment 23 Marcus Meissner 2018-10-26 06:48:32 UTC
released
Comment 24 OBSbugzilla Bot 2021-10-04 16:41:39 UTC
This is an autogenerated message for OBS integration:
This bug (1107612) was mentioned in
https://build.opensuse.org/request/show/923064 Factory / ImageMagick