Bug 1132055 - (CVE-2019-11010) VUL-1: CVE-2019-11010: GraphicsMagick,ImageMagick: there is a memory leak in ReadMPCImage of coders/mpc.c, which allows attackers to cause DOS via a crafted image file
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 42.3
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: E-mail List
URL: https://smash.suse.de/issue/229222/
Depends on:
Blocks:
Reported: 2019-04-10 08:11 UTC by Alexandros Toptsoglou
Modified: 2019-07-10 05:30 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexandros Toptsoglou 2019-04-10 08:11:03 UTC
CVE-2019-11010

In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a memory leak in the
function ReadMPCImage of coders/mpc.c, which allows attackers to cause a denial
of service via a crafted image file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11010
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11010.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11010
https://sourceforge.net/p/graphicsmagick/bugs/601/
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/a348d9661019
Comment 1 Alexandros Toptsoglou 2019-04-11 14:34:29 UTC
A fix can be found at [1] and a PoC at [2].
Reproduced the bug in GraphicsMagick in TW.


[1] http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/a348d9661019
[2] https://sourceforge.net/p/graphicsmagick/bugs/601/attachment/memory_leak_ReadMPCImage
Comment 2 Petr Gajdos 2019-04-16 07:28:29 UTC
BEFORE

I get with TW,15.0/GraphicsMagick:

$ gm convert memory_leak_ReadMPCImage /dev/null 
gm convert: Unexpected end-of-file (memory_leak_ReadMPCImage).

=================================================================
==30856==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 768 byte(s) in 3 object(s) allocated from:
    #0 0x7f99ca6dd590 in malloc (/usr/lib64/libasan.so.4+0xdc590)
    #1 0x7f99ca1a9e64 in AllocateString (/usr/lib64/libGraphicsMagick-Q16.so.3+0x2d2e64)
    #2 0x3932332e302c3731  (<unknown module>)

Direct leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x7f99ca6dd590 in malloc (/usr/lib64/libasan.so.4+0xdc590)
    #1 0x7f99ca1a9e64 in AllocateString (/usr/lib64/libGraphicsMagick-Q16.so.3+0x2d2e64)
    #2 0x302d656c69666f31  (<unknown module>)

Direct leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x7f99ca6dd590 in malloc (/usr/lib64/libasan.so.4+0xdc590)
    #1 0x7f99ca1a9e64 in AllocateString (/usr/lib64/libGraphicsMagick-Q16.so.3+0x2d2e64)
    #2 0x3266636573543630  (<unknown module>)

Direct leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x7f99ca6dd590 in malloc (/usr/lib64/libasan.so.4+0xdc590)
    #1 0x7f99ca1a9e64 in AllocateString (/usr/lib64/libGraphicsMagick-Q16.so.3+0x2d2e64)
    #2 0x73700ad776703a38  (<unknown module>)

Direct leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x7f99ca6dd590 in malloc (/usr/lib64/libasan.so.4+0xdc590)
    #1 0x7f99ca1a9e64 in AllocateString (/usr/lib64/libGraphicsMagick-Q16.so.3+0x2d2e64)
    #2 0x3731  (<unknown module>)

Direct leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x7f99ca6dd590 in malloc (/usr/lib64/libasan.so.4+0xdc590)
    #1 0x7f99ca1a9e64 in AllocateString (/usr/lib64/libGraphicsMagick-Q16.so.3+0x2d2e64)
    #2 0x3435346175727009  (<unknown module>)

Direct leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x7f99ca6dd590 in malloc (/usr/lib64/libasan.so.4+0xdc590)
    #1 0x7f99ca1a9e64 in AllocateString (/usr/lib64/libGraphicsMagick-Q16.so.3+0x2d2e64)
    #2 0x200002e302c3731  (<unknown module>)

SUMMARY: AddressSanitizer: 2304 byte(s) leaked in 9 allocation(s).
$

I guess 42.3 does not have LeakSanitizer. ImageMagick 15 and TW have no leak detected. I have not seen any valgrind error.

PATCH

GraphicsMagick: mpc.c part of that referenced in comment 1
                applicable even in 42.3
ImageMagick: no code found

AFTER

15.0,42.3/GraphicsMagick

$ gm convert memory_leak_ReadMPCImage /dev/null
gm convert: Improper image header (memory_leak_ReadMPCImage).
$
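Added illustration, not part of this bug report and not GraphicsMagick's mpc.c or the changeset referenced in comment 1: the BEFORE/AFTER runs in comment 2 show the symptom, AllocateString allocations still live when gm gives up with "Unexpected end-of-file", but not the code shape that produces it. The constructed C reader below parses an MPC-like "keyword=value" header, allocating one string per field, and contrasts an error path that returns without freeing them (the leaky 'before') with one that always falls through a single cleanup (the 'after'); a counting allocator makes the leak measurable without LeakSanitizer. The header keywords, the ':' terminator line, the 64-byte field and 8-pair limits and both sample headers are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counting allocator so the leak is observable without LeakSanitizer. */
static size_t live_allocations = 0;

static char *allocate_string(const char *s) {
    char *copy = malloc(strlen(s) + 1);
    if (copy != NULL) { memcpy(copy, s, strlen(s) + 1); live_allocations++; }
    return copy;
}
static void destroy_string(char *s) {
    if (s != NULL) { free(s); live_allocations--; }
}

/* Reads one "keyword=value\n" line at blob[*pos]. Returns 1 with two newly
 * allocated strings, or 0 (allocating nothing) when the line is malformed or
 * the input ends before the newline, i.e. the header is truncated. */
static int read_pair(const char *blob, size_t len, size_t *pos,
                     char **keyword, char **value) {
    const char *start = blob + *pos;
    const char *eq = memchr(start, '=', len - *pos);
    if (eq == NULL) return 0;
    const char *nl = memchr(eq, '\n', len - (size_t)(eq - blob));
    if (nl == NULL) return 0;                    /* cut off mid-value */
    char kbuf[64], vbuf[64];                     /* assumed field limit */
    size_t klen = (size_t)(eq - start), vlen = (size_t)(nl - eq - 1);
    if (klen == 0 || klen >= sizeof kbuf || vlen >= sizeof vbuf) return 0;
    memcpy(kbuf, start, klen);  kbuf[klen] = '\0';
    memcpy(vbuf, eq + 1, vlen); vbuf[vlen] = '\0';
    *keyword = allocate_string(kbuf);
    *value = allocate_string(vbuf);
    if (*keyword == NULL || *value == NULL) {    /* OOM: do not half-leak */
        destroy_string(*keyword); destroy_string(*value);
        return 0;
    }
    *pos = (size_t)(nl - blob) + 1;
    return 1;
}

enum { MAX_PAIRS = 8 };                          /* assumed header limit */

static void free_pairs(char **keyword, char **value, int count) {
    for (int i = 0; i < count; i++) { destroy_string(keyword[i]); destroy_string(value[i]); }
}

/* 'Before': the error return abandons every string allocated so far; only
 * the success path frees them, so a truncated file leaks on every read. */
int read_header_leaky(const char *blob, size_t len) {
    char *keyword[MAX_PAIRS], *value[MAX_PAIRS];
    int count = 0;
    size_t pos = 0;
    while (count < MAX_PAIRS && pos < len && blob[pos] != ':') {
        if (!read_pair(blob, len, &pos, &keyword[count], &value[count]))
            return -1;                  /* "Unexpected end-of-file": leak */
        count++;
    }
    if (pos >= len || blob[pos] != ':')
        return -1;                      /* terminator ':' missing: leak */
    free_pairs(keyword, value, count);
    return count;
}

/* 'After': decide the status first, then run one cleanup path for every
 * outcome, so no error return can skip the frees. */
int read_header_fixed(const char *blob, size_t len) {
    char *keyword[MAX_PAIRS], *value[MAX_PAIRS];
    int count = 0, status = -1;
    size_t pos = 0;
    while (count < MAX_PAIRS && pos < len && blob[pos] != ':') {
        if (!read_pair(blob, len, &pos, &keyword[count], &value[count]))
            goto cleanup;
        count++;
    }
    if (pos < len && blob[pos] == ':')
        status = count;                 /* terminator seen: valid header */
cleanup:
    free_pairs(keyword, value, count);
    return status;
}

/* Constructed sample headers (keywords and ':' terminator are assumptions):
 * one complete, one cut off mid-field like a truncated PoC file. */
static const char complete_header[] =
    "id=MagickCache\nclass=DirectClass\ncolumns=17\nrows=17\n:\n";
static const char truncated_header[] =
    "id=MagickCache\nclass=DirectClass\ncolumns=17\nrows=";

/* Allocations a reader leaves live after one parse of blob. */
size_t leaked_after(int (*reader)(const char *, size_t), const char *blob) {
    size_t before = live_allocations;
    (void)reader(blob, strlen(blob));
    return live_allocations - before;
}

int main(void) {
    printf("leaky reader, truncated header: %zu strings leaked\n",
           leaked_after(read_header_leaky, truncated_header));
    printf("fixed reader, truncated header: %zu strings leaked\n",
           leaked_after(read_header_fixed, truncated_header));
    return 0;
}
```

Built with -fsanitize=address, the leaky call in main() ends the process with a LeakSanitizer report attributing the live allocations to allocate_string, the same shape as the report in comment 2; the fixed reader produces none. The leak is only a denial of service where the reader is fed attacker-controlled files repeatedly (a conversion service, a thumbnailer), because each truncated input costs the process a few hundred bytes it never gets back.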
Comment 3 Petr Gajdos 2019-04-16 07:43:59 UTC
Will submit for: 15.0,42.3/GraphicsMagick
Comment 4 Petr Gajdos 2019-04-16 15:32:45 UTC
Packages submitted.

I believe all fixed.
Comment 5 Swamp Workflow Management 2019-04-16 16:10:16 UTC
This is an autogenerated message for OBS integration:
This bug (1132055) was mentioned in
https://build.opensuse.org/request/show/694830 15.0 / GraphicsMagick
https://build.opensuse.org/request/show/694831 42.3 / GraphicsMagick
Comment 6 Swamp Workflow Management 2019-04-25 19:10:44 UTC
openSUSE-SU-2019:1272-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1132053,1132054,1132055,1132058,1132060,1132061
CVE References: CVE-2019-11005,CVE-2019-11006,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-11010
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-132.1
openSUSE Leap 15.0 (src):    GraphicsMagick-1.3.29-lp150.3.25.1
Comment 7 Swamp Workflow Management 2019-04-29 22:15:00 UTC
openSUSE-SU-2019:1295-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1132053,1132054,1132055,1132058,1132060,1132061
CVE References: CVE-2019-11005,CVE-2019-11006,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-11010
Sources used:
openSUSE Backports SLE-15 (src):    GraphicsMagick-1.3.29-bp150.2.18.1
Comment 8 Swamp Workflow Management 2019-05-28 13:40:11 UTC
This is an autogenerated message for OBS integration:
This bug (1132055) was mentioned in
https://build.opensuse.org/request/show/705902 15.1 / GraphicsMagick
Comment 9 Marcus Meissner 2019-07-10 05:30:47 UTC
was released