Bug 1133203 - (CVE-2019-11473) VUL-1: CVE-2019-11473: GraphicsMagick: coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a denial of service (out-of-bounds read and application crash) by crafting an XWD image file, a different vulnerability than and .
(CVE-2019-11473)
VUL-1: CVE-2019-11473: GraphicsMagick: coders/xwd.c in GraphicsMagick 1.3.31 ...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/230159/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-04-24 06:17 UTC by Marcus Meissner
Modified: 2019-07-10 05:34 UTC (History)
0 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2019-04-24 06:17:58 UTC
CVE-2019-11473

coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a denial of
service (out-of-bounds read and application crash) by crafting an XWD image
file, a different vulnerability than CVE-2019-11008 and CVE-2019-11009.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11473
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11473.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11473
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/944dcbc457f8
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/5402c5cbd8bd
http://www.graphicsmagick.org/Changelog.html
Comment 1 Marcus Meissner 2019-04-24 06:21:14 UTC
not clear which part of the commit is referenced for this CVE.

perhaps this one:

-                for (i=0; i < (long) image->colors; i++)
+                const unsigned int min_colors = Min(image->colors,header.ncolors);
+                for (i=0; i < min_colors; i++)
                   {

This _might_ affect ImageMagick too.
Comment 2 Petr Gajdos 2019-04-30 10:48:38 UTC
See bug 1133204 comment 4.
Comment 3 Petr Gajdos 2019-04-30 10:50:48 UTC
Will submit for: 15.0/GraphicsMagick and 42.3/GraphicsMagick.
Comment 4 Swamp Workflow Management 2019-04-30 11:50:21 UTC
This is an autogenerated message for OBS integration:
This bug (1133203) was mentioned in
https://build.opensuse.org/request/show/699628 15.0 / GraphicsMagick
https://build.opensuse.org/request/show/699629 42.3 / GraphicsMagick
Comment 5 Petr Gajdos 2019-05-02 09:20:31 UTC
I believe all fixed.
Comment 6 Swamp Workflow Management 2019-05-09 13:09:48 UTC
openSUSE-SU-2019:1354-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1132053,1132054,1133202,1133203,1133498,1133501
CVE References: CVE-2019-11008,CVE-2019-11009,CVE-2019-11473,CVE-2019-11474,CVE-2019-11505,CVE-2019-11506
Sources used:
openSUSE Leap 15.0 (src):    GraphicsMagick-1.3.29-lp150.3.28.1
Comment 7 Swamp Workflow Management 2019-05-09 13:10:57 UTC
openSUSE-SU-2019:1355-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1132053,1132054,1133202,1133203,1133498,1133501
CVE References: CVE-2019-11008,CVE-2019-11009,CVE-2019-11473,CVE-2019-11474,CVE-2019-11505,CVE-2019-11506
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-135.1
Comment 8 Swamp Workflow Management 2019-05-22 22:09:38 UTC
openSUSE-SU-2019:1437-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1132053,1132054,1133202,1133203,1133498,1133501
CVE References: CVE-2019-11008,CVE-2019-11009,CVE-2019-11473,CVE-2019-11474,CVE-2019-11505,CVE-2019-11506
Sources used:
openSUSE Backports SLE-15 (src):    GraphicsMagick-1.3.29-bp150.2.21.1
Comment 9 Swamp Workflow Management 2019-05-28 13:31:23 UTC
This is an autogenerated message for OBS integration:
This bug (1133203) was mentioned in
https://build.opensuse.org/request/show/705902 15.1 / GraphicsMagick
Comment 10 Marcus Meissner 2019-07-10 05:34:32 UTC
released