Bugzilla – Bug 1136732
VUL-0: CVE-2019-11598: ImageMagick: heap-based buffer over-read in the function WritePNMImage of coders/pnm.c leading to DoS or information disclosure
Last modified: 2019-07-10 05:39:35 UTC
rh#1705414

In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file.

Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/1540

References:
http://www.securityfocus.com/bid/108102
https://github.com/ImageMagick/ImageMagick/issues/1540
https://lists.debian.org/debian-lts-announce/2019/05/msg00015.html
Created attachment 806356: heap-buffer-overflow-WritePNMImage

QA REPRODUCER:

valgrind magick convert heap-buffer-overflow-WritePNMImage out.pnm

should not show invalid reads of memory
BEFORE

15/ImageMagick
$ valgrind -q convert heap-buffer-overflow-WritePNMImage out.pnm
==14504== Invalid read of size 8
==14504==    at 0x4F88488: SetGrayscaleImage (quantize.c:3444)
==14504==    by 0x4F88488: QuantizeImage (quantize.c:2668)
==14504==    by 0x4E886C1: SetImageType (attribute.c:1260)
==14504==    by 0x980027D: WritePNMImage (pnm.c:1928)
==14504==    by 0x4EB81D4: WriteImage (constitute.c:1188)
==14504==    by 0x4EB8863: WriteImages (constitute.c:1338)
==14504==    by 0x532911A: ConvertImageCommand (convert.c:3280)
==14504==    by 0x538DB54: MagickCommandGenesis (mogrify.c:183)
==14504==    by 0x10937F: MagickMain (magick.c:149)
==14504==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
==14504==  Address 0x94e5270 is 16 bytes before a block of size 64 free'd
==14504==    at 0x4C2F24B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14504==    by 0x4FC2306: RelinquishSemaphoreMemory (semaphore.c:183)
==14504==    by 0x4FC2306: RelinquishSemaphoreInfo (semaphore.c:377)
==14504==    by 0x4F43D31: DestroyLinkedList (linked-list.c:241)
==14504==    by 0x4F0F962: DestroyExceptionInfo (exception.c:426)
==14504==    by 0x4EB7F8A: WriteImage (constitute.c:1033)
==14504==    by 0x4EB8863: WriteImages (constitute.c:1338)
==14504==    by 0x532911A: ConvertImageCommand (convert.c:3280)
==14504==    by 0x538DB54: MagickCommandGenesis (mogrify.c:183)
==14504==    by 0x10937F: MagickMain (magick.c:149)
==14504==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
==14504==  Block was alloc'd at
==14504==    at 0x4C30386: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14504==    by 0x4C304A1: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14504==    by 0x4FC1F6B: AcquireSemaphoreMemory (semaphore.c:154)
==14504==    by 0x4FC1F6B: AcquireSemaphoreInfo (semaphore.c:200)
==14504==    by 0x4F44508: NewLinkedList (linked-list.c:725)
==14504==    by 0x4F0FF8C: InitializeExceptionInfo (exception.c:681)
==14504==    by 0x4F1024A: AcquireExceptionInfo (exception.c:114)
==14504==    by 0x4EB7EEC: WriteImage (constitute.c:1019)
==14504==    by 0x4EB8863: WriteImages (constitute.c:1338)
==14504==    by 0x532911A: ConvertImageCommand (convert.c:3280)
==14504==    by 0x538DB54: MagickCommandGenesis (mogrify.c:183)
==14504==    by 0x10937F: MagickMain (magick.c:149)
==14504==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
==14504==
convert: invalid colormap index `heap-buffer-overflow-WritePNMImage' @ error/colormap-private.h/ValidateColormapValue/48.
convert: InvalidColormapIndex `heap-buffer-overflow-WritePNMImage' @ warning/image.c/SyncImage/3869.
convert: InvalidColormapIndex `heap-buffer-overflow-WritePNMImage' @ warning/image.c/SyncImage/3869.
convert: InvalidColormapIndex `heap-buffer-overflow-WritePNMImage' @ warning/image.c/SyncImage/3869.
convert: InvalidColormapIndex `heap-buffer-overflow-WritePNMImage' @ warning/image.c/SyncImage/3869.
convert: InvalidColormapIndex `heap-buffer-overflow-WritePNMImage' @ warning/image.c/SyncImage/3869.
$
[invalid read went away]

12,11/ImageMagick
$ valgrind -q convert heap-buffer-overflow-WritePNMImage out.pnm
==11777== Syscall param write(buf) points to uninitialised byte(s)
==11777==    at 0x58ED4ED: ??? (in /lib64/libc-2.19.so)
==11777==    by 0x5886F02: _IO_file_write@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==11777==    by 0x58865C2: new_do_write (in /lib64/libc-2.19.so)
==11777==    by 0x5887D64: _IO_do_write@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==11777==    by 0x5887430: _IO_file_xsputn@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==11777==    by 0x587D51C: fwrite (in /lib64/libc-2.19.so)
==11777==    by 0xFA29699: WritePNMImage (pnm.c:2187)
==11777==    by 0x4EC137C: WriteImage (constitute.c:1237)
==11777==    by 0x4EC1BFE: WriteImages (constitute.c:1394)
==11777==    by 0x531B943: ConvertImageCommand (convert.c:3154)
==11777==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==11777==    by 0x400846: ConvertMain (convert.c:81)
==11777==    by 0x400846: main (convert.c:92)
==11777==  Address 0x402ae64 is not stack'd, malloc'd or (recently) free'd
==11777==
convert: invalid colormap index `heap-buffer-overflow-WritePNMImage' @ error/colormap-private.h/ConstrainColormapIndex/34.
convert: invalid colormap index `heap-buffer-overflow-WritePNMImage' @ error/image.c/SyncImage/3477.
$

PATCH

ImageMagick 7
https://github.com/ImageMagick/ImageMagick/commit/7dbf5b259e39e76197035e1e58d8392d4712d1b1

ImageMagick 6
https://github.com/ImageMagick/ImageMagick6/commit/dd8efbac0b7fa9dd2da527ea3f629f39bf1c02cb

AFTER

15/ImageMagick
$ valgrind -q convert heap-buffer-overflow-WritePNMImage out.pnm
convert: invalid colormap index `heap-buffer-overflow-WritePNMImage' @ error/colormap-private.h/ValidateColormapValue/48.
convert: InvalidColormapIndex `heap-buffer-overflow-WritePNMImage' @ warning/image.c/SyncImage/3869.
convert: InvalidColormapIndex `heap-buffer-overflow-WritePNMImage' @ warning/image.c/SyncImage/3869.
convert: InvalidColormapIndex `heap-buffer-overflow-WritePNMImage' @ warning/image.c/SyncImage/3869.
convert: InvalidColormapIndex `heap-buffer-overflow-WritePNMImage' @ warning/image.c/SyncImage/3869.
convert: InvalidColormapIndex `heap-buffer-overflow-WritePNMImage' @ warning/image.c/SyncImage/3869.
$

11,12/ImageMagick
$ valgrind -q convert heap-buffer-overflow-WritePNMImage out.pnm
==9518== Syscall param write(buf) points to uninitialised byte(s)
==9518==    at 0x58ED4ED: ??? (in /lib64/libc-2.19.so)
==9518==    by 0x5886F02: _IO_file_write@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==9518==    by 0x58865C2: new_do_write (in /lib64/libc-2.19.so)
==9518==    by 0x5887D64: _IO_do_write@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==9518==    by 0x5887430: _IO_file_xsputn@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==9518==    by 0x587D51C: fwrite (in /lib64/libc-2.19.so)
==9518==    by 0xFA29699: WritePNMImage (pnm.c:2187)
==9518==    by 0x4EC137C: WriteImage (constitute.c:1237)
==9518==    by 0x4EC1BFE: WriteImages (constitute.c:1394)
==9518==    by 0x531B943: ConvertImageCommand (convert.c:3154)
==9518==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==9518==    by 0x400846: ConvertMain (convert.c:81)
==9518==    by 0x400846: main (convert.c:92)
==9518==  Address 0x402ae64 is not stack'd, malloc'd or (recently) free'd
==9518==
convert: invalid colormap index `heap-buffer-overflow-WritePNMImage' @ error/colormap-private.h/ConstrainColormapIndex/34.
convert: invalid colormap index `heap-buffer-overflow-WritePNMImage' @ error/image.c/SyncImage/3477.
$
[no change]
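An added QA helper, not part of this bug report or of ImageMagick, that applies the reproducer's pass criterion ("should not show invalid reads") to a saved valgrind log: only memcheck "Invalid read"/"Invalid write" reports count as the over-read, while the "uninitialised byte(s)" warning that persists on the 12/11 builds is counted separately so it is not mistaken for the CVE. The sample logs are constructed, abridged copies of the shapes in the traces above; the live valgrind invocation is shown in a comment.

```shell
#!/bin/sh
# Added QA helper, not from the bug report: apply the reproducer's pass criterion
# ("should not show invalid reads") to a saved valgrind log.  Only memcheck
# "Invalid read/write" reports count as the over-read; the "uninitialised byte(s)"
# warning seen on the 12/11 builds is a different finding and is only reported.

# Count invalid-access reports in a valgrind log (prints 0 when none; never fails).
count_invalid_access() {
    grep -c -E '^==[0-9]+== Invalid (read|write) of size' "$1" || true
}

# Count uninitialised-value reports (informational for this CVE).
count_uninitialised() {
    grep -c -E '^==[0-9]+== .*uninitialised' "$1" || true
}

# Pass (exit 0) when the log has no invalid accesses, i.e. the over-read is gone.
check_valgrind_log() {
    invalid=$(count_invalid_access "$1")
    uninit=$(count_uninitialised "$1")
    echo "$1: invalid accesses=$invalid uninitialised warnings=$uninit"
    [ "$invalid" -eq 0 ]
}

# Live use (needs valgrind and ImageMagick installed):
#   valgrind -q --log-file=run.log convert heap-buffer-overflow-WritePNMImage out.pnm
#   check_valgrind_log run.log

# Constructed sample logs shaped like the BEFORE 15 and AFTER 12/11 reports (abridged).
make_sample_logs() {
    cat > "$1" <<'EOF'
==14504== Invalid read of size 8
==14504==    at 0x4F88488: SetGrayscaleImage (quantize.c:3444)
==14504==  Address 0x94e5270 is 16 bytes before a block of size 64 free'd
EOF
    cat > "$2" <<'EOF'
==9518== Syscall param write(buf) points to uninitialised byte(s)
==9518==    at 0x58ED4ED: ??? (in /lib64/libc-2.19.so)
EOF
}

# Demo on the constructed logs.
tmp=$(mktemp -d)
make_sample_logs "$tmp/before.log" "$tmp/after.log"
check_valgrind_log "$tmp/before.log" || echo "before: over-read present"
check_valgrind_log "$tmp/after.log" && echo "after: no invalid access"
```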
Submitted for 15,12,11/ImageMagick.
SUSE-SU-2019:1523-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1133204,1133205,1133498,1133501,1136183,1136732
CVE References: CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-11598
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Development Tools 15 (src): ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): ImageMagick-7.0.7.34-3.61.3
SUSE Linux Enterprise Module for Desktop Applications 15 (src): ImageMagick-7.0.7.34-3.61.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1603-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1133204,1133205,1133498,1133501,1136183,1136732
CVE References: CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-11598
Sources used:
openSUSE Leap 15.1 (src): ImageMagick-7.0.7.34-lp151.7.3.1
openSUSE Leap 15.0 (src): ImageMagick-7.0.7.34-lp150.2.32.1
SUSE-SU-2019:1712-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1133204,1133205,1133498,1133501,1134075,1135232,1135236,1136183,1136732,1138425,1138464
CVE References: CVE-2017-12805,CVE-2017-12806,CVE-2019-10131,CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-11597,CVE-2019-11598
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src): ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Server 12-SP4 (src): ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Server 12-SP3 (src): ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Desktop 12-SP4 (src): ImageMagick-6.8.8.1-71.123.2
SUSE Linux Enterprise Desktop 12-SP3 (src): ImageMagick-6.8.8.1-71.123.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1683-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1133204,1133205,1133498,1133501,1134075,1135232,1135236,1136183,1136732,1138425,1138464
CVE References: CVE-2017-12805,CVE-2017-12806,CVE-2019-10131,CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-11597,CVE-2019-11598
Sources used:
openSUSE Leap 42.3 (src): ImageMagick-6.8.8.1-85.1
released