Bug 1119822 - (CVE-2018-20184) VUL-0: CVE-2018-20184: GraphicsMagick,ImageMagick: heap-based buffer overflow in the WriteTGAImage function of tga.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/221281/
CVSSv2:NVD:CVE-2018-20184:4.3:(AV:N/A...
Reported: 2018-12-18 12:21 UTC by Alexander Bergmann
Modified: 2019-07-10 05:19 UTC
Found By: Security Response Team
Description Alexander Bergmann 2018-12-18 12:21:26 UTC
CVE-2018-20184

In GraphicsMagick 1.4 snapshot-20181209 Q8, there is a heap-based buffer
overflow in the WriteTGAImage function of tga.c, which allows attackers to
cause a denial of service via a crafted image file, because the number of
rows or columns can exceed the pixel-dimension restrictions of the TGA
specification.

Upstream fix:
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/15d1b5fd003b

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20184
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20184.html
http://www.cvedetails.com/cve/CVE-2018-20184/
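
The dimension restriction named in the description, as an added example that is not part of the bug report and is not the upstream patch: the 18-byte TGA header stores width and height in 16-bit little-endian fields, so a writer has to reject larger geometry before it sizes any buffer from those values. The function names and status codes are hypothetical, and the sample geometry is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TGA_HEADER_LEN 18
#define TGA_MAX_DIM 65535UL /* width and height are 16-bit header fields */
enum tga_status { TGA_OK = 0, TGA_ERR_DIMENSION = -1, TGA_ERR_BUFFER = -2 };

/* What an unchecked writer stores: the dimension silently cut to 16 bits. */
uint16_t tga_truncated_dim(unsigned long dim)
{
    return (uint16_t)(dim & 0xFFFFUL);
}

/* Reject geometry the header cannot represent, before any buffer is sized. */
enum tga_status tga_check_geometry(unsigned long columns, unsigned long rows)
{
    if (columns > TGA_MAX_DIM || rows > TGA_MAX_DIM)
        return TGA_ERR_DIMENSION;
    return TGA_OK;
}

/* Fill the 18-byte header for an uncompressed true-colour image (type 2). */
enum tga_status tga_write_header(uint8_t *out, size_t out_len, unsigned long columns,
                                 unsigned long rows, uint8_t bits_per_pixel)
{
    if (tga_check_geometry(columns, rows) != TGA_OK)
        return TGA_ERR_DIMENSION;
    if (out == NULL || out_len < TGA_HEADER_LEN)
        return TGA_ERR_BUFFER;
    memset(out, 0, TGA_HEADER_LEN);
    out[2] = 2;                          /* image type */
    out[12] = (uint8_t)(columns & 0xFF); /* width, little-endian */
    out[13] = (uint8_t)(columns >> 8);
    out[14] = (uint8_t)(rows & 0xFF);    /* height, little-endian */
    out[15] = (uint8_t)(rows >> 8);
    out[16] = bits_per_pixel;
    return TGA_OK;
}

int main(void)
{
    uint8_t hdr[TGA_HEADER_LEN];
    /* Constructed sample geometry: 70000 columns does not fit the field. */
    printf("truncated width: %u\n", (unsigned)tga_truncated_dim(70000UL));
    printf("status: %d\n", tga_write_header(hdr, sizeof hdr, 70000UL, 10UL, 24));
    return 0;
}
```

Without the check, a header written for 70000 columns would declare a width of 4464 while the rest of the writer still works with the full value.
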
Comment 2 Petr Gajdos 2018-12-19 16:10:56 UTC
HG/GraphicsMagick (15872:07d174cdf983, after fix) 

$ gm convert buffer-overflow-WriteTGAImage test.tga
gm convert: Image column or row size is not supported (test.tga)
$
[it still took several seconds to finish]

devel/GraphicsMagick (1.3.31, before fix)

$ gm convert buffer-overflow-WriteTGAImage test.tga
gm convert: abort due to signal 11 (SIGSEGV) "Segmentation Fault"...
Aborted (core dumped)
$
[it took several seconds to finish]
Comment 3 Petr Gajdos 2018-12-21 10:57:14 UTC
BEFORE

15.0/GraphicsMagick

$ gm convert buffer-overflow-WriteTGAImage test.tga
gm convert: abort due to signal 11 (SIGSEGV) "Segmentation Fault"...
Aborted (core dumped)
$

11,42.3/GraphicsMagick

$ gm convert buffer-overflow-WriteTGAImage test.tga
gm convert: Improper image header (buffer-overflow-WriteTGAImage).
$

11,12/ImageMagick

$ convert buffer-overflow-WriteTGAImage test.tga   
convert: Improper image header `buffer-overflow-WriteTGAImage'.
convert: missing an image filename `test.tga'.
$

15/ImageMagick

$ convert tga:buffer-overflow-WriteTGAImage test.tga
convert: improper image header `buffer-overflow-WriteTGAImage' @ error/tga.c/ReadTGAImage/223.
convert: no images defined `test.tga' @ error/convert.c/ConvertImageCommand/3275.
$

PATCH

referenced in comment 0
11,42.3/GraphicsMagick: does not have the limit
*/ImageMagick: already limits the size of written TGA image appropriately

AFTER

15.0/GraphicsMagick

$ gm convert buffer-overflow-WriteTGAImage test.tga
gm convert: Image column or row size is not supported (test.tga).
$

42.3,11/GraphicsMagick

$ gm convert buffer-overflow-WriteTGAImage test.tga
gm convert: Improper image header (buffer-overflow-WriteTGAImage).
$
Comment 4 Petr Gajdos 2018-12-21 10:57:38 UTC
Will submit for: 15.0,42.3,11/GraphicsMagick
Comment 5 Petr Gajdos 2018-12-21 11:05:30 UTC
I believe all fixed.
Comment 7 Swamp Workflow Management 2018-12-21 11:40:10 UTC
This is an autogenerated message for OBS integration:
This bug (1119822) was mentioned in
https://build.opensuse.org/request/show/660497 42.3 / GraphicsMagick
https://build.opensuse.org/request/show/660498 15.0 / GraphicsMagick
Comment 9 Swamp Workflow Management 2018-12-29 20:08:50 UTC
openSUSE-SU-2018:4313-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1119790,1119822
CVE References: CVE-2018-20184,CVE-2018-20189
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-120.1
Comment 10 Swamp Workflow Management 2019-01-01 14:08:55 UTC
openSUSE-SU-2019:1-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1119790,1119822
CVE References: CVE-2018-20184,CVE-2018-20189
Sources used:
openSUSE Leap 15.0 (src):    GraphicsMagick-1.3.29-lp150.3.18.1
Comment 11 Swamp Workflow Management 2019-01-01 20:08:59 UTC
openSUSE-SU-2019:0003-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1119790,1119822
CVE References: CVE-2018-20184,CVE-2018-20189
Sources used:
openSUSE Backports SLE-15 (src):    GraphicsMagick-1.3.29-bp150.2.12.1
Comment 13 Swamp Workflow Management 2019-01-03 20:09:51 UTC
SUSE-SU-2019:13923-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042911,1052754,1078433,1112392,1112399,1113064,1119822,1119823
CVE References: CVE-2017-10794,CVE-2017-12663,CVE-2017-14997,CVE-2017-9405,CVE-2018-18544,CVE-2018-20184,CVE-2018-20185,CVE-2018-6405
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-78.78.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-78.78.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-78.78.1
Comment 14 Swamp Workflow Management 2019-05-28 13:30:48 UTC
This is an autogenerated message for OBS integration:
This bug (1119822) was mentioned in
https://build.opensuse.org/request/show/705902 15.1 / GraphicsMagick
Comment 15 Marcus Meissner 2019-07-10 05:19:57 UTC
released