Bug 1132053 – VUL-0: CVE-2019-11009: GraphicsMagick,ImageMagick: a heap-based buffer over-read in the function ReadXWDImage of coders/xwd.c, allows attackers to cause DOS or information disclosure

Bug 1132053 - (CVE-2019-11009) VUL-0: CVE-2019-11009: GraphicsMagick,ImageMagick: a heap-based buffer over-read in the function ReadXWDImage of coders/xwd.c, allows attackers to cause DOS or information disclosure

(CVE-2019-11009)
Summary:	VUL-0: CVE-2019-11009: GraphicsMagick,ImageMagick: a heap-based buffer over-r...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/229221/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-04-10 07:59 UTC by Alexandros Toptsoglou
Modified:	2019-07-10 06:37 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexandros Toptsoglou 2019-04-10 07:59:32 UTC

CVE-2019-11009

In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buffer
over-read in the function ReadXWDImage of coders/xwd.c, which allows attackers
to cause a denial of service or information disclosure via a crafted image file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11009
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11009.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11009
https://sourceforge.net/p/graphicsmagick/bugs/597/
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/7cff2b1792de

Comment 1 Alexandros Toptsoglou 2019-04-10 16:33:34 UTC

A fix is available in [1] and a POC in [2]. To reproduce the issue simply run:

For GraphicsMagick: 

valgrind --leak-check=full gm convert heap_buffer_overflow_ReadXWDImag /dev/null
Reproduce the issue in TW, Leap 15.0 and SLE11. In SLE11 valgrind's output was slightly different but it seems that is triggered by the same issue. I did not test Leap 42.3 

For ImageMagick:

valgrind --leak-check=full convert heap_buffer_overflow_ReadXWDImag /dev/null
or 
valgrind --leak-check=full magick convert heap_buffer_overflow_ReadXWDImag /dev/null

Reproduced the issue in SLE11, SLE12 and failed in SLE15,TW 

[1] http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/7cff2b1792de
[2] https://sourceforge.net/p/graphicsmagick/bugs/597/attachment/heap_buffer_overflow_ReadXWDImag

Comment 3 Petr Gajdos 2019-04-15 12:04:16 UTC

Indeed:

BEFORE

15.0,42.3/GraphicsMagick

$ valgrind -q gm convert heap_buffer_overflow_ReadXWDImag /dev/null
--22754-- WARNING: Serious error when reading debug info
--22754-- When reading debug info from /usr/lib64/GraphicsMagick-1.3.29/modules-Q16/coders/xwd.so:
--22754-- get_Form_contents: DW_FORM_GNU_strp_alt used, but no alternate .debug_str
==22754== Invalid read of size 2
==22754==    at 0x7A6F44A: ReadXWDImage (xwd.c:528)
==22754==    by 0x4EC5A4A: ReadImage (constitute.c:1607)
==22754==    by 0x4EA5D84: ConvertImageCommand (command.c:4348)
==22754==    by 0x4E967BB: MagickCommand (command.c:8872)
==22754==    by 0x4E978C5: GMCommandSingle (command.c:17393)
==22754==    by 0x4EB84CD: GMCommand (command.c:17446)
==22754==    by 0x5450F49: (below main) (in /lib64/libc-2.26.so)
==22754==  Address 0x7683c1c is 28 bytes inside a block of size 64 free'd
==22754==    at 0x4C2F24B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==22754==    by 0x4F13710: DestroyThreadViewSet (pixel_cache.c:441)
==22754==    by 0x4EF2FA2: DestroyImage (image.c:1457)
==22754==    by 0x4EF6200: SetImageInfo (image.c:3237)
==22754==    by 0x4EC58E9: ReadImage (constitute.c:1484)
==22754==    by 0x4EA5D84: ConvertImageCommand (command.c:4348)
==22754==    by 0x4E967BB: MagickCommand (command.c:8872)
==22754==    by 0x4E978C5: GMCommandSingle (command.c:17393)
==22754==    by 0x4EB84CD: GMCommand (command.c:17446)
==22754==    by 0x5450F49: (below main) (in /lib64/libc-2.26.so)
==22754==  Block was alloc'd at
==22754==    at 0x4C30386: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==22754==    by 0x4C304A1: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==22754==    by 0x4F07DC7: MagickMallocAligned (memory.c:236)
==22754==    by 0x4F1469D: OpenCacheView (pixel_cache.c:3524)
==22754==    by 0x4F14841: AllocateThreadViewSet (pixel_cache.c:481)
==22754==    by 0x4EF49CE: AllocateImage (image.c:408)
==22754==    by 0x4EF60DA: SetImageInfo (image.c:3200)
==22754==    by 0x4EC58E9: ReadImage (constitute.c:1484)
==22754==    by 0x4EA5D84: ConvertImageCommand (command.c:4348)
==22754==    by 0x4E967BB: MagickCommand (command.c:8872)
==22754==    by 0x4E978C5: GMCommandSingle (command.c:17393)
==22754==    by 0x4EB84CD: GMCommand (command.c:17446)
==22754== 
==22754== Invalid read of size 2
==22754==    at 0x7A6F437: ReadXWDImage (xwd.c:525)
==22754==    by 0x4EC5A4A: ReadImage (constitute.c:1607)
==22754==    by 0x4EA5D84: ConvertImageCommand (command.c:4348)
==22754==    by 0x4E967BB: MagickCommand (command.c:8872)
==22754==    by 0x4E978C5: GMCommandSingle (command.c:17393)
==22754==    by 0x4EB84CD: GMCommand (command.c:17446)
==22754==    by 0x5450F49: (below main) (in /lib64/libc-2.26.so)
==22754==  Address 0x7683c9a is 10 bytes inside an unallocated block of size 48 in arena "client"
==22754== 
==22754== Invalid read of size 2
==22754==    at 0x7A6F410: ReadXWDImage (xwd.c:522)
==22754==    by 0x4EC5A4A: ReadImage (constitute.c:1607)
==22754==    by 0x4EA5D84: ConvertImageCommand (command.c:4348)
==22754==    by 0x4E967BB: MagickCommand (command.c:8872)
==22754==    by 0x4E978C5: GMCommandSingle (command.c:17393)
==22754==    by 0x4EB84CD: GMCommand (command.c:17446)
==22754==    by 0x5450F49: (below main) (in /lib64/libc-2.26.so)
==22754==  Address 0x7683d08 is 8 bytes inside a block of size 128 free'd
==22754==    at 0x4C2F24B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==22754==    by 0x4F13682: DestroyCacheNexus (pixel_cache.c:1983)
==22754==    by 0x4F13682: CloseCacheView (pixel_cache.c:1984)
==22754==    by 0x4F13710: DestroyThreadViewSet (pixel_cache.c:441)
==22754==    by 0x4EF2FA2: DestroyImage (image.c:1457)
==22754==    by 0x4EF6200: SetImageInfo (image.c:3237)
==22754==    by 0x4EC58E9: ReadImage (constitute.c:1484)
==22754==    by 0x4EA5D84: ConvertImageCommand (command.c:4348)
==22754==    by 0x4E967BB: MagickCommand (command.c:8872)
==22754==    by 0x4E978C5: GMCommandSingle (command.c:17393)
==22754==    by 0x4EB84CD: GMCommand (command.c:17446)
==22754==    by 0x5450F49: (below main) (in /lib64/libc-2.26.so)
==22754==  Block was alloc'd at
==22754==    at 0x4C30386: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==22754==    by 0x4C304A1: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==22754==    by 0x4F07DC7: MagickMallocAligned (memory.c:236)
==22754==    by 0x4F113A2: AllocateCacheNexus (pixel_cache.c:2690)
==22754==    by 0x4F146B9: OpenCacheView (pixel_cache.c:3530)
==22754==    by 0x4F14841: AllocateThreadViewSet (pixel_cache.c:481)
==22754==    by 0x4EF49CE: AllocateImage (image.c:408)
==22754==    by 0x4EF60DA: SetImageInfo (image.c:3200)
==22754==    by 0x4EC58E9: ReadImage (constitute.c:1484)
==22754==    by 0x4EA5D84: ConvertImageCommand (command.c:4348)
==22754==    by 0x4E967BB: MagickCommand (command.c:8872)
==22754==    by 0x4E978C5: GMCommandSingle (command.c:17393)
==22754== 
$

12/ImageMagick

$ valgrind  -q convert heap_buffer_overflow_ReadXWDImag /dev/null
==19871== Invalid read of size 2
==19871==    at 0x841BA67: ReadXWDImage (xwd.c:479)
==19871==    by 0x4EBFDCA: ReadImage (constitute.c:601)
==19871==    by 0x4EC0E8A: ReadImages (constitute.c:907)
==19871==    by 0x5319B9E: ConvertImageCommand (convert.c:617)
==19871==    by 0x5385C62: MagickCommandGenesis (mogrify.c:166)
==19871==    by 0x400836: ConvertMain (convert.c:81)
==19871==    by 0x400836: main (convert.c:92)
==19871==  Address 0x806a3ac is 44 bytes inside a block of size 64 free'd
==19871==    at 0x4C2A37C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19871==    by 0x4FBBA18: RelinquishSemaphoreMemory (semaphore.c:180)
==19871==    by 0x4FBBA18: DestroySemaphoreInfo (semaphore.c:311)
==19871==    by 0x4F3EDD1: DestroyLinkedList (hashmap.c:419)
==19871==    by 0x4F238B1: DestroyExceptionInfo (exception.c:388)
==19871==    by 0x4F576F2: IsEventLogging (log.c:579)
==19871==    by 0x4F5788F: LogMagickEventList (log.c:1144)
==19871==    by 0x4F584E7: LogMagickEvent (log.c:1257)
==19871==    by 0x4F5E6BA: TagToModuleName (module.c:1554)
==19871==    by 0x4F5FB5E: OpenModule (module.c:1300)
==19871==    by 0x4F5B312: GetMagickInfo (magick.c:455)
==19871==    by 0x4F4DAC3: SetImageInfo (image.c:2782)
==19871==    by 0x4EBFCC0: ReadImage (constitute.c:456)
==19871== 
==19871== Invalid read of size 2
==19871==    at 0x841BA56: ReadXWDImage (xwd.c:476)
==19871==    by 0x4EBFDCA: ReadImage (constitute.c:601)
==19871==    by 0x4EC0E8A: ReadImages (constitute.c:907)
==19871==    by 0x5319B9E: ConvertImageCommand (convert.c:617)
==19871==    by 0x5385C62: MagickCommandGenesis (mogrify.c:166)
==19871==    by 0x400836: ConvertMain (convert.c:81)
==19871==    by 0x400836: main (convert.c:92)
==19871==  Address 0x806a42a is 10 bytes inside an unallocated block of size 32 in arena "client"
==19871== 
==19871== Invalid read of size 2
==19871==    at 0x841BA30: ReadXWDImage (xwd.c:473)
==19871==    by 0x4EBFDCA: ReadImage (constitute.c:601)
==19871==    by 0x4EC0E8A: ReadImages (constitute.c:907)
==19871==    by 0x5319B9E: ConvertImageCommand (convert.c:617)
==19871==    by 0x5385C62: MagickCommandGenesis (mogrify.c:166)
==19871==    by 0x400836: ConvertMain (convert.c:81)
==19871==    by 0x400836: main (convert.c:92)
==19871==  Address 0x806a498 is 24 bytes inside a block of size 64 free'd
==19871==    at 0x4C2A37C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19871==    by 0x4FBBA18: RelinquishSemaphoreMemory (semaphore.c:180)
==19871==    by 0x4FBBA18: DestroySemaphoreInfo (semaphore.c:311)
==19871==    by 0x4F238DB: DestroyExceptionInfo (exception.c:394)
==19871==    by 0x4F576F2: IsEventLogging (log.c:579)
==19871==    by 0x4F5788F: LogMagickEventList (log.c:1144)
==19871==    by 0x4F584E7: LogMagickEvent (log.c:1257)
==19871==    by 0x4F5E6BA: TagToModuleName (module.c:1554)
==19871==    by 0x4F5FB5E: OpenModule (module.c:1300)
==19871==    by 0x4F5B312: GetMagickInfo (magick.c:455)
==19871==    by 0x4F4DAC3: SetImageInfo (image.c:2782)
==19871==    by 0x4EBFCC0: ReadImage (constitute.c:456)
==19871==    by 0x4EC0E8A: ReadImages (constitute.c:907)
==19871== 
$

PATCH

GraphicsMagick: comment 0
ImageMagick:
Probably https://github.com/ImageMagick/ImageMagick/commit/dcb1bc9bb8a2ea584a56b907b895c1c3b04c14b5
Will do update of xwd.c to newest version.

AFTER

15.0,42.3/GraphicsMagick:

$ valgrind  -q gm convert heap_buffer_overflow_ReadXWDImag /dev/null
gm convert: Invalid colormap index (index 8 >= 2 colors, heap_buffer_overflow_ReadXWDImag).
$

12/ImageMagick

$ valgrind  -q convert heap_buffer_overflow_WRITE_in_WriteXWDImage out.xwd
convert: improper image header `heap_buffer_overflow_WRITE_in_WriteXWDImage' @ error/xwd.c/ReadXWDImage/245.
convert: no images defined `out.xwd' @ error/convert.c/ConvertImageCommand/3149.
$

Comment 4 Petr Gajdos 2019-04-15 12:51:17 UTC

Will submit for: 15.0/GraphicsMagick, 42.3/GraphicsMagick and 12/ImageMagick

Comment 5 Petr Gajdos 2019-04-16 15:32:40 UTC

Packages submitted.

I believe all fixed.

Comment 7 Swamp Workflow Management 2019-04-16 16:10:08 UTC

This is an autogenerated message for OBS integration:
This bug (1132053) was mentioned in
https://build.opensuse.org/request/show/694830 15.0 / GraphicsMagick
https://build.opensuse.org/request/show/694831 42.3 / GraphicsMagick

Comment 8 Swamp Workflow Management 2019-04-25 16:17:42 UTC

SUSE-SU-2019:1033-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956
Sources used:
SUSE OpenStack Cloud 7 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-LTSS (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Enterprise Storage 4 (src):    ImageMagick-6.8.8.1-71.108.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Swamp Workflow Management 2019-04-25 19:10:28 UTC

openSUSE-SU-2019:1272-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1132053,1132054,1132055,1132058,1132060,1132061
CVE References: CVE-2019-11005,CVE-2019-11006,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-11010
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-132.1
openSUSE Leap 15.0 (src):    GraphicsMagick-1.3.29-lp150.3.25.1

Comment 10 Swamp Workflow Management 2019-04-27 01:13:23 UTC

SUSE-SU-2019:1033-2: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ImageMagick-6.8.8.1-71.108.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Swamp Workflow Management 2019-04-29 22:14:43 UTC

openSUSE-SU-2019:1295-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1132053,1132054,1132055,1132058,1132060,1132061
CVE References: CVE-2019-11005,CVE-2019-11006,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-11010
Sources used:
openSUSE Backports SLE-15 (src):    GraphicsMagick-1.3.29-bp150.2.18.1

Comment 12 Swamp Workflow Management 2019-04-30 11:50:06 UTC

This is an autogenerated message for OBS integration:
This bug (1132053) was mentioned in
https://build.opensuse.org/request/show/699628 15.0 / GraphicsMagick
https://build.opensuse.org/request/show/699629 42.3 / GraphicsMagick

Comment 17 Swamp Workflow Management 2019-05-03 19:15:14 UTC

openSUSE-SU-2019:1320-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-82.1

Comment 18 Swamp Workflow Management 2019-05-09 13:09:22 UTC

openSUSE-SU-2019:1354-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1132053,1132054,1133202,1133203,1133498,1133501
CVE References: CVE-2019-11008,CVE-2019-11009,CVE-2019-11473,CVE-2019-11474,CVE-2019-11505,CVE-2019-11506
Sources used:
openSUSE Leap 15.0 (src):    GraphicsMagick-1.3.29-lp150.3.28.1

Comment 19 Swamp Workflow Management 2019-05-09 13:10:31 UTC

openSUSE-SU-2019:1355-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1132053,1132054,1133202,1133203,1133498,1133501
CVE References: CVE-2019-11008,CVE-2019-11009,CVE-2019-11473,CVE-2019-11474,CVE-2019-11505,CVE-2019-11506
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-135.1

Comment 20 Swamp Workflow Management 2019-05-10 19:18:34 UTC

SUSE-SU-2019:14043-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1130330,1131317,1132053,1132060,1133204,1133205,1133498,1133501
CVE References: CVE-2019-10650,CVE-2019-11007,CVE-2019-11009,CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-9956
Sources used:
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.97.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 23 Swamp Workflow Management 2019-05-22 22:09:13 UTC

openSUSE-SU-2019:1437-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1132053,1132054,1133202,1133203,1133498,1133501
CVE References: CVE-2019-11008,CVE-2019-11009,CVE-2019-11473,CVE-2019-11474,CVE-2019-11505,CVE-2019-11506
Sources used:
openSUSE Backports SLE-15 (src):    GraphicsMagick-1.3.29-bp150.2.21.1

Comment 25 Swamp Workflow Management 2019-05-28 13:30:56 UTC

This is an autogenerated message for OBS integration:
This bug (1132053) was mentioned in
https://build.opensuse.org/request/show/705902 15.1 / GraphicsMagick

Comment 29 Marcus Meissner 2019-07-10 05:29:31 UTC

done