Bug 1132058 - (CVE-2019-11005) VUL-1: CVE-2019-11005: GraphicsMagick,ImageMagick: a stack-based buffer overflow in SVGStartElement of coders/svg.c allows attackers to cause DOS or an unspecified impact
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other  OS: Other
Priority: P4 - Low  Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/229217/
Reported: 2019-04-10 08:41 UTC by Alexandros Toptsoglou
Modified: 2019-07-10 06:37 UTC
Found By: Security Response Team
Description Alexandros Toptsoglou 2019-04-10 08:41:58 UTC
CVE-2019-11005

In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a stack-based buffer
overflow in the function SVGStartElement of coders/svg.c, which allows remote
attackers to cause a denial of service (application crash) or possibly have
unspecified other impact via a quoted font family value.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11005
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11005.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11005
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/b6fb77d7d54d
https://sourceforge.net/p/graphicsmagick/bugs/600/
Comment 1 Alexandros Toptsoglou 2019-04-11 13:50:26 UTC
There is a fix in [1] and a POC at [2].

Reproduced the issue only in ImageMagick in SLE11. When I tried to reproduce it in SLE12 I received some different memory leaks which, however, may be triggered by the same issue. SLE15 seems not affected.
Regarding openSUSE TW, it seems affected in both ImageMagick and GraphicsMagick.

To reproduce, simply run

valgrind convert $POC /dev/null
or
valgrind magick convert $POC /dev/null

valgrind gm convert $POC /dev/null    (GraphicsMagick)


[1] http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/b6fb77d7d54d
[2] https://sourceforge.net/p/graphicsmagick/bugs/600/attachment/stack_buffer_overflow_WRITE_in_SVGStartElement
Comment 2 Petr Gajdos 2019-04-16 11:06:39 UTC
BEFORE

42.3,15.0,TW/GraphicsMagick

$ gm convert stack_buffer_overflow_WRITE_in_SVGStartElement out.svg
=================================================================
==28782==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd06978c6f at pc 0x7f0e541ecf9e bp 0x7ffd06976f60 sp 0x7ffd06976f58
WRITE of size 1 at 0x7ffd06978c6f thread T0
    #0 0x7f0e541ecf9d  (/usr/lib64/GraphicsMagick-1.3.29/modules-Q16/coders/svg.so+0x14f9d)
    #1 0x7f0e53eba44f in xmlParseStartTag (/usr/lib64/libxml2.so.2+0x4a44f)
    #2 0x7f0e53ec1b27  (/usr/lib64/libxml2.so.2+0x51b27)
    #3 0x7f0e53ec26cd in xmlParseChunk (/usr/lib64/libxml2.so.2+0x526cd)
    #4 0x7f0e541f1da4  (/usr/lib64/GraphicsMagick-1.3.29/modules-Q16/coders/svg.so+0x19da4)
    #5 0x7f0e59a53bb0 in ReadImage (/usr/lib64/libGraphicsMagick-Q16.so.3+0x195bb0)
    #6 0x7f0e59a122ae in ConvertImageCommand (/usr/lib64/libGraphicsMagick-Q16.so.3+0x1542ae)
    #7 0x7f0e599eec17 in MagickCommand (/usr/lib64/libGraphicsMagick-Q16.so.3+0x130c17)
    #8 0x7f0e599f0d14  (/usr/lib64/libGraphicsMagick-Q16.so.3+0x132d14)
    #9 0x7f0e59a2f751 in GMCommand (/usr/lib64/libGraphicsMagick-Q16.so.3+0x171751)
    #10 0x7f0e59306f49 in __libc_start_main (/lib64/libc.so.6+0x20f49)
    #11 0x56237abd57b9  (/usr/bin/gm+0x7b9)

Address 0x7ffd06978c6f is located in stack of thread T0 at offset 7199 in frame
    #0 0x7f0e541e509f  (/usr/lib64/GraphicsMagick-1.3.29/modules-Q16/coders/svg.so+0xd09f)

  This frame has 16 object(s):
    [32, 40) 'color'
    [96, 104) 'p'
    [160, 168) 'units'
    [224, 232) 'number_tokens'
    [288, 296) 'pClassNames'
    [352, 360) 'pUnit'
    [416, 424) 'pUnit'
    [480, 488) 'stroke_miterlimit'
    [544, 552) 'stroke_miterlimit'
    [608, 640) 'page'
    [672, 720) 'affine'
    [768, 816) 'transform'
    [864, 2917) 'id'
    [2976, 5029) 'token'
    [5088, 7141) 'svg_element_background_color'
    [7200, 9253) 'nvalue' <== Memory access at offset 7199 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib64/GraphicsMagick-1.3.29/modules-Q16/coders/svg.so+0x14f9d) 
Shadow bytes around the buggy address:
  0x100020d27130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020d27140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020d27150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020d27160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020d27170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100020d27180: 00 00 00 00 00 00 05 f2 f2 f2 f2 f2 f2[f2]00 00
  0x100020d27190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020d271a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020d271b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020d271c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020d271d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28782==ABORTING
$

ImageMagick: no stack overflow detected


PATCH

GraphicsMagick: in comment 1
ImageMagick: code different

AFTER

$ gm convert stack_buffer_overflow_WRITE_in_SVGStartElement out.svg
gm convert: Couldn't find end of Start Tag pattern
.
$
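The ASan frame listing above puts the one-byte write at offset 7199, the byte just below 'nvalue' [7200, 9253), i.e. nvalue[-1]: the shape of an unchecked buf[strlen(buf)-1] = '\0' applied to a buffer that has become empty while stripping quotes from the font-family value named in the description. The following is an added example, not GraphicsMagick's or ImageMagick's code, and the helper names and the exact quote-stripping logic are assumptions; it computes where the unchecked pattern would land and shows a bounded copy into a MaxTextExtent-sized stack buffer that rejects a lone or unbalanced quote instead of indexing below the buffer.

```c
#include <string.h>

/* GraphicsMagick's fixed text buffer size: the 2053-byte 'nvalue' object
   in the ASan frame listing ([7200, 9253)). */
#define MaxTextExtent 2053

/* Index the unchecked pattern "drop the leading quote, then
   buf[strlen(buf)-1] = '\0'" would write to, relative to the buffer start.
   Computed, never dereferenced: a lone quote yields -1, the byte ASan
   reports one below nvalue. (Illustration of the bug class, not svg.c.) */
static long unchecked_trim_index(const char *value)
{
    const char *inner = value;
    if (*inner == '\'' || *inner == '"')
        inner++;                        /* leading quote removed */
    return (long)strlen(inner) - 1;     /* -1 when nothing is left */
}

/* Hypothetical hardened helper: bounded copy into a MaxTextExtent-sized
   buffer, then strip one pair of matching quotes. 0 = ok, -1 = rejected. */
static int strip_font_family_quotes(const char *value, char *nvalue, size_t size)
{
    size_t len;
    if (value == NULL || size == 0)
        return -1;
    len = strlen(value);
    if (len >= size)                    /* truncate, always NUL-terminate */
        len = size - 1;
    memcpy(nvalue, value, len);
    nvalue[len] = '\0';
    if (len == 0 || (nvalue[0] != '\'' && nvalue[0] != '"'))
        return 0;                       /* unquoted: nothing to strip */
    /* A lone quote or an unbalanced pair is rejected, never trimmed blindly:
       trimming the empty remainder is what would index below the buffer. */
    if (len < 2 || nvalue[len - 1] != nvalue[0])
        return -1;
    memmove(nvalue, nvalue + 1, len - 2);
    nvalue[len - 2] = '\0';
    return 0;
}

/* Drive the helper on a stack buffer like the coder would: 1 = accepted and
   equal to expected, 0 = accepted but different, -1 = rejected. */
static int check_strip(const char *value, const char *expected)
{
    char nvalue[MaxTextExtent];
    if (strip_font_family_quotes(value, nvalue, sizeof nvalue) != 0)
        return -1;
    return strcmp(nvalue, expected) == 0;
}
```

A value longer than the buffer is truncated before any quote handling, so a closing quote lost to truncation also leads to rejection rather than a trim past the end.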
Comment 3 Petr Gajdos 2019-04-16 11:07:14 UTC
Will submit for 15.0,42.3/GraphicsMagick
Comment 4 Petr Gajdos 2019-04-16 15:32:39 UTC
Packages submitted.

I believe all fixed.
Comment 5 Swamp Workflow Management 2019-04-16 16:10:20 UTC
This is an autogenerated message for OBS integration:
This bug (1132058) was mentioned in
https://build.opensuse.org/request/show/694830 15.0 / GraphicsMagick
https://build.opensuse.org/request/show/694831 42.3 / GraphicsMagick
Comment 6 Swamp Workflow Management 2019-04-25 19:10:52 UTC
openSUSE-SU-2019:1272-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1132053,1132054,1132055,1132058,1132060,1132061
CVE References: CVE-2019-11005,CVE-2019-11006,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-11010
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-132.1
openSUSE Leap 15.0 (src):    GraphicsMagick-1.3.29-lp150.3.25.1
Comment 7 Swamp Workflow Management 2019-04-29 22:15:10 UTC
openSUSE-SU-2019:1295-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1132053,1132054,1132055,1132058,1132060,1132061
CVE References: CVE-2019-11005,CVE-2019-11006,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-11010
Sources used:
openSUSE Backports SLE-15 (src):    GraphicsMagick-1.3.29-bp150.2.18.1
Comment 8 Swamp Workflow Management 2019-05-28 13:31:07 UTC
This is an autogenerated message for OBS integration:
This bug (1132058) was mentioned in
https://build.opensuse.org/request/show/705902 15.1 / GraphicsMagick
Comment 9 Marcus Meissner 2019-07-10 05:31:25 UTC
done