Bug 1133204 – VUL-1: CVE-2019-11472: ImageMagick,GraphicsMagick: ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the

Bug 1133204 - (CVE-2019-11472) VUL-1: CVE-2019-11472: ImageMagick,GraphicsMagick: ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the

(CVE-2019-11472)
Summary:	VUL-1: CVE-2019-11472: ImageMagick,GraphicsMagick: ReadXWDImage in coders/xwd...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/230158/
Whiteboard:	CVSSv2:NVD:CVE-2019-11472:4.3:(AV:N/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-04-24 06:23 UTC by Marcus Meissner
Modified:	2019-11-05 23:46 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
fpe_xwd.c:490_1.xwd (1.64 KB, image/x-xwindowdump) 2019-04-24 06:24 UTC, Marcus Meissner	Details
fpe_xwd.c:520_1.xwd (2.00 KB, image/x-xwindowdump) 2019-04-24 06:25 UTC, Marcus Meissner	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2019-04-24 06:23:16 UTC

CVE-2019-11472

ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick
7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero
error) by crafting an XWD image file in which the header indicates neither LSB
first nor MSB first.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11472
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11472.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11472
https://github.com/ImageMagick/ImageMagick6/commit/f663dfb8431c97d95682a2b533cca1c8233d21b4
https://github.com/ImageMagick/ImageMagick/issues/1546

Comment 1 Marcus Meissner 2019-04-24 06:24:40 UTC

Created attachment 803461 [details]
fpe_xwd.c:490_1.xwd

QA REPRODUCER:

identify -verbose fpe_xwd.c\:490_1.xwd 


should not crash

Comment 2 Marcus Meissner 2019-04-24 06:25:30 UTC

Created attachment 803462 [details]
fpe_xwd.c:520_1.xwd

QA REPRODUCER:

identify -verbose fpe_xwd.c\:520_1.xwd

should not crash

Comment 3 Marcus Meissner 2019-04-24 06:25:42 UTC

affects both IM and GM

Comment 4 Petr Gajdos 2019-04-30 10:47:19 UTC

Let this be a common comment for this bug, bug 1133202 and bug 1133203. What I think that happened: Hongxu Chen reported bugs to github/ImageMagick as 

https://github.com/ImageMagick/ImageMagick/issues/1546
https://github.com/ImageMagick/ImageMagick/issues/1553 (this has not CVE yet)

and was such excellent reporter that tried also with GraphicsMagick and reported to them. 

BEFORE

15,12/ImageMagick

$ identify -verbose fpe_xwd.c_490_1.xwd 
Aborted (core dumped)
$ identify -verbose fpe_xwd.c_520_1.xwd 
Aborted (core dumped)
$ valgrind  -q identify -verbose read_xwd.c_573_1.xwd
==9071== Invalid read of size 1
==9071==    at 0x6EEB5AA: ??? (in /usr/lib64/libX11.so.6.3.0)
==9071==    by 0x91FB232: ReadXWDImage (xwd.c:520)
==9071==    by 0x4EB6BD9: ReadImage (constitute.c:558)
==9071==    by 0x4EB7B4E: ReadImages (constitute.c:870)
==9071==    by 0x535FD0C: IdentifyImageCommand (identify.c:321)
==9071==    by 0x538DB54: MagickCommandGenesis (mogrify.c:183)
==9071==    by 0x10937F: MagickMain (magick.c:149)
==9071==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
==9071==  Address 0xeea5a36 is not stack'd, malloc'd or (recently) free'd
==9071== 
/root/bin/vgq: line 18:  9071 Aborted                 (core dumped) valgrind -q $@
$ valgrind  -q identify -verbose read_xwd.c_573_2.xwd
==9081== Invalid read of size 1
==9081==    at 0x6EEB5AA: ??? (in /usr/lib64/libX11.so.6.3.0)
==9081==    by 0x91FB232: ReadXWDImage (xwd.c:520)
==9081==    by 0x4EB6BD9: ReadImage (constitute.c:558)
==9081==    by 0x4EB7B4E: ReadImages (constitute.c:870)
==9081==    by 0x535FD0C: IdentifyImageCommand (identify.c:321)
==9081==    by 0x538DB54: MagickCommandGenesis (mogrify.c:183)
==9081==    by 0x10937F: MagickMain (magick.c:149)
==9081==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
==9081==  Address 0x9a55430 is not stack'd, malloc'd or (recently) free'd
==9081== 
/root/bin/vgq: line 18:  9081 Aborted                 (core dumped) valgrind -q $@
$

15.0,42.3/GraphicsMagick

$ gm identify -verbose fpe_xwd.c_490_1.xwd 
gm identify: abort due to signal 8 (SIGFPE) "Arithmetic Exception"...
Aborted (core dumped)
$ gm identify -verbose fpe_xwd.c_520_1.xwd 
gm identify: abort due to signal 8 (SIGFPE) "Arithmetic Exception"...
Aborted (core dumped)
$ gm identify -verbose read_xwd.c_573_1.xwd 
gm identify: abort due to signal 11 (SIGSEGV) "Segmentation Fault"...
Aborted (core dumped)
$ gm identify -verbose read_xwd.c_573_2.xwd 
gm identify: Improper image header (read_xwd.c_573_2.xwd).
gm identify: Request did not return an image.
$

PATCH

will update xwd.c to newest version

AFTER

15,12/ImageMagick

$ identify -verbose fpe_xwd.c_490_1.xwd 
identify: improper image header `fpe_xwd.c_490_1.xwd' @ error/xwd.c/ReadXWDImage/242.
$ identify -verbose fpe_xwd.c_520_1.xwd 
identify: improper image header `fpe_xwd.c_520_1.xwd' @ error/xwd.c/ReadXWDImage/242.
$ valgrind  -q identify -verbose read_xwd.c_573_1.xwd
identify: improper image header `read_xwd.c_573_1.xwd' @ error/xwd.c/ReadXWDImage/242.
$ valgrind  -q identify -verbose read_xwd.c_573_2.xwd
identify: improper image header `read_xwd.c_573_2.xwd' @ error/xwd.c/ReadXWDImage/242.
$

42.3,15.0/GraphicsMagick

$ gm identify -verbose fpe_xwd.c_490_1.xwd 
gm identify: Improper image header (fpe_xwd.c_490_1.xwd).
gm identify: Request did not return an image.
$ gm identify -verbose fpe_xwd.c_520_1.xwd 
gm identify: Improper image header (fpe_xwd.c_520_1.xwd).
gm identify: Request did not return an image.
$ gm identify -verbose read_xwd.c_573_1.xwd 
gm identify: Improper image header (read_xwd.c_573_1.xwd).
gm identify: Request did not return an image.
$ gm identify -verbose read_xwd.c_573_2.xwd 
gm identify: Improper image header (read_xwd.c_573_2.xwd).
gm identify: Request did not return an image.
$

Comment 5 Petr Gajdos 2019-04-30 10:48:13 UTC

Will submit for: 15/ImageMagick and 12/ImageMagick.

Comment 8 Petr Gajdos 2019-05-02 09:20:29 UTC

I believe all fixed.

Comment 10 Swamp Workflow Management 2019-05-10 19:18:51 UTC

SUSE-SU-2019:14043-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1130330,1131317,1132053,1132060,1133204,1133205,1133498,1133501
CVE References: CVE-2019-10650,CVE-2019-11007,CVE-2019-11009,CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-9956
Sources used:
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.97.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 15 Swamp Workflow Management 2019-06-17 19:16:12 UTC

SUSE-SU-2019:1523-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1133204,1133205,1133498,1133501,1136183,1136732
CVE References: CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-11598
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.61.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 18 Swamp Workflow Management 2019-06-24 13:27:28 UTC

openSUSE-SU-2019:1603-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1133204,1133205,1133498,1133501,1136183,1136732
CVE References: CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-11598
Sources used:
openSUSE Leap 15.1 (src):    ImageMagick-7.0.7.34-lp151.7.3.1
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.32.1

Comment 19 Swamp Workflow Management 2019-06-25 19:12:02 UTC

SUSE-SU-2019:1712-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1133204,1133205,1133498,1133501,1134075,1135232,1135236,1136183,1136732,1138425,1138464
CVE References: CVE-2017-12805,CVE-2017-12806,CVE-2019-10131,CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-11597,CVE-2019-11598
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Server 12-SP4 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.123.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 20 Swamp Workflow Management 2019-07-01 16:14:09 UTC

openSUSE-SU-2019:1683-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1133204,1133205,1133498,1133501,1134075,1135232,1135236,1136183,1136732,1138425,1138464
CVE References: CVE-2017-12805,CVE-2017-12806,CVE-2019-10131,CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-11597,CVE-2019-11598
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-85.1

Comment 21 Marcus Meissner 2019-07-10 05:34:59 UTC

released