Bug 1133204 - (CVE-2019-11472) VUL-1: CVE-2019-11472: ImageMagick,GraphicsMagick: ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the
(CVE-2019-11472)
VUL-1: CVE-2019-11472: ImageMagick,GraphicsMagick: ReadXWDImage in coders/xwd...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/230158/
CVSSv2:NVD:CVE-2019-11472:4.3:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-04-24 06:23 UTC by Marcus Meissner
Modified: 2019-11-05 23:46 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
fpe_xwd.c:490_1.xwd (1.64 KB, image/x-xwindowdump)
2019-04-24 06:24 UTC, Marcus Meissner
Details
fpe_xwd.c:520_1.xwd (2.00 KB, image/x-xwindowdump)
2019-04-24 06:25 UTC, Marcus Meissner
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2019-04-24 06:23:16 UTC
CVE-2019-11472

ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick
7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero
error) by crafting an XWD image file in which the header indicates neither LSB
first nor MSB first.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11472
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11472.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11472
https://github.com/ImageMagick/ImageMagick6/commit/f663dfb8431c97d95682a2b533cca1c8233d21b4
https://github.com/ImageMagick/ImageMagick/issues/1546
Comment 1 Marcus Meissner 2019-04-24 06:24:40 UTC
Created attachment 803461 [details]
fpe_xwd.c:490_1.xwd

QA REPRODUCER:

identify -verbose fpe_xwd.c\:490_1.xwd 


should not crash
Comment 2 Marcus Meissner 2019-04-24 06:25:30 UTC
Created attachment 803462 [details]
fpe_xwd.c:520_1.xwd

QA REPRODUCER:

identify -verbose fpe_xwd.c\:520_1.xwd

should not crash
Comment 3 Marcus Meissner 2019-04-24 06:25:42 UTC
affects both IM and GM
Comment 4 Petr Gajdos 2019-04-30 10:47:19 UTC
Let this be a common comment for this bug, bug 1133202 and bug 1133203. What I think that happened: Hongxu Chen reported bugs to github/ImageMagick as 

https://github.com/ImageMagick/ImageMagick/issues/1546
https://github.com/ImageMagick/ImageMagick/issues/1553 (this has not CVE yet)

and was such excellent reporter that tried also with GraphicsMagick and reported to them. 

BEFORE

15,12/ImageMagick

$ identify -verbose fpe_xwd.c_490_1.xwd 
Aborted (core dumped)
$ identify -verbose fpe_xwd.c_520_1.xwd 
Aborted (core dumped)
$ valgrind  -q identify -verbose read_xwd.c_573_1.xwd
==9071== Invalid read of size 1
==9071==    at 0x6EEB5AA: ??? (in /usr/lib64/libX11.so.6.3.0)
==9071==    by 0x91FB232: ReadXWDImage (xwd.c:520)
==9071==    by 0x4EB6BD9: ReadImage (constitute.c:558)
==9071==    by 0x4EB7B4E: ReadImages (constitute.c:870)
==9071==    by 0x535FD0C: IdentifyImageCommand (identify.c:321)
==9071==    by 0x538DB54: MagickCommandGenesis (mogrify.c:183)
==9071==    by 0x10937F: MagickMain (magick.c:149)
==9071==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
==9071==  Address 0xeea5a36 is not stack'd, malloc'd or (recently) free'd
==9071== 
/root/bin/vgq: line 18:  9071 Aborted                 (core dumped) valgrind -q $@
$ valgrind  -q identify -verbose read_xwd.c_573_2.xwd
==9081== Invalid read of size 1
==9081==    at 0x6EEB5AA: ??? (in /usr/lib64/libX11.so.6.3.0)
==9081==    by 0x91FB232: ReadXWDImage (xwd.c:520)
==9081==    by 0x4EB6BD9: ReadImage (constitute.c:558)
==9081==    by 0x4EB7B4E: ReadImages (constitute.c:870)
==9081==    by 0x535FD0C: IdentifyImageCommand (identify.c:321)
==9081==    by 0x538DB54: MagickCommandGenesis (mogrify.c:183)
==9081==    by 0x10937F: MagickMain (magick.c:149)
==9081==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
==9081==  Address 0x9a55430 is not stack'd, malloc'd or (recently) free'd
==9081== 
/root/bin/vgq: line 18:  9081 Aborted                 (core dumped) valgrind -q $@
$

15.0,42.3/GraphicsMagick

$ gm identify -verbose fpe_xwd.c_490_1.xwd 
gm identify: abort due to signal 8 (SIGFPE) "Arithmetic Exception"...
Aborted (core dumped)
$ gm identify -verbose fpe_xwd.c_520_1.xwd 
gm identify: abort due to signal 8 (SIGFPE) "Arithmetic Exception"...
Aborted (core dumped)
$ gm identify -verbose read_xwd.c_573_1.xwd 
gm identify: abort due to signal 11 (SIGSEGV) "Segmentation Fault"...
Aborted (core dumped)
$ gm identify -verbose read_xwd.c_573_2.xwd 
gm identify: Improper image header (read_xwd.c_573_2.xwd).
gm identify: Request did not return an image.
$

PATCH

will update xwd.c to newest version

AFTER

15,12/ImageMagick

$ identify -verbose fpe_xwd.c_490_1.xwd 
identify: improper image header `fpe_xwd.c_490_1.xwd' @ error/xwd.c/ReadXWDImage/242.
$ identify -verbose fpe_xwd.c_520_1.xwd 
identify: improper image header `fpe_xwd.c_520_1.xwd' @ error/xwd.c/ReadXWDImage/242.
$ valgrind  -q identify -verbose read_xwd.c_573_1.xwd
identify: improper image header `read_xwd.c_573_1.xwd' @ error/xwd.c/ReadXWDImage/242.
$ valgrind  -q identify -verbose read_xwd.c_573_2.xwd
identify: improper image header `read_xwd.c_573_2.xwd' @ error/xwd.c/ReadXWDImage/242.
$

42.3,15.0/GraphicsMagick

$ gm identify -verbose fpe_xwd.c_490_1.xwd 
gm identify: Improper image header (fpe_xwd.c_490_1.xwd).
gm identify: Request did not return an image.
$ gm identify -verbose fpe_xwd.c_520_1.xwd 
gm identify: Improper image header (fpe_xwd.c_520_1.xwd).
gm identify: Request did not return an image.
$ gm identify -verbose read_xwd.c_573_1.xwd 
gm identify: Improper image header (read_xwd.c_573_1.xwd).
gm identify: Request did not return an image.
$ gm identify -verbose read_xwd.c_573_2.xwd 
gm identify: Improper image header (read_xwd.c_573_2.xwd).
gm identify: Request did not return an image.
$
Comment 5 Petr Gajdos 2019-04-30 10:48:13 UTC
Will submit for: 15/ImageMagick and 12/ImageMagick.
Comment 8 Petr Gajdos 2019-05-02 09:20:29 UTC
I believe all fixed.
Comment 10 Swamp Workflow Management 2019-05-10 19:18:51 UTC
SUSE-SU-2019:14043-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1130330,1131317,1132053,1132060,1133204,1133205,1133498,1133501
CVE References: CVE-2019-10650,CVE-2019-11007,CVE-2019-11009,CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-9956
Sources used:
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.97.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2019-06-17 19:16:12 UTC
SUSE-SU-2019:1523-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1133204,1133205,1133498,1133501,1136183,1136732
CVE References: CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-11598
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.61.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2019-06-24 13:27:28 UTC
openSUSE-SU-2019:1603-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1133204,1133205,1133498,1133501,1136183,1136732
CVE References: CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-11598
Sources used:
openSUSE Leap 15.1 (src):    ImageMagick-7.0.7.34-lp151.7.3.1
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.32.1
Comment 19 Swamp Workflow Management 2019-06-25 19:12:02 UTC
SUSE-SU-2019:1712-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1133204,1133205,1133498,1133501,1134075,1135232,1135236,1136183,1136732,1138425,1138464
CVE References: CVE-2017-12805,CVE-2017-12806,CVE-2019-10131,CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-11597,CVE-2019-11598
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Server 12-SP4 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.123.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2019-07-01 16:14:09 UTC
openSUSE-SU-2019:1683-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1133204,1133205,1133498,1133501,1134075,1135232,1135236,1136183,1136732,1138425,1138464
CVE References: CVE-2017-12805,CVE-2017-12806,CVE-2019-10131,CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-11597,CVE-2019-11598
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-85.1
Comment 21 Marcus Meissner 2019-07-10 05:34:59 UTC
released