Bug 1156520 – VUL-1: CVE-2019-18853: ImageMagick: allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2

Bug 1156520 - (CVE-2019-18853) VUL-1: CVE-2019-18853: ImageMagick: allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2

(CVE-2019-18853)
Summary:	VUL-1: CVE-2019-18853: ImageMagick: allows remote attackers to cause a denial...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P5 - None Severity: Normal
Target Milestone:	---
Assigned To:	Petr Gajdos
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/246870/
Whiteboard:	CVSSv3:SUSE:CVE-2019-18853:5.3:(AV:N...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-11-12 10:06 UTC by Wolfgang Frisch
Modified:	2019-11-12 11:24 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
ImageMagick-CVE-2019-18853.patch (1.48 KB, patch) 2019-11-12 10:18 UTC, Wolfgang Frisch	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Wolfgang Frisch 2019-11-12 10:06:41 UTC

CVE-2019-18853

ImageMagick before 7.0.9-0 allows remote attackers to cause a denial of service
because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to
SVG and libxml2.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18853
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18853.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18853
https://github.com/ImageMagick/ImageMagick/commit/ec9c8944af2bfc65c697ca44f93a727a99b405f1
https://fortiguard.com/zeroday/FG-VD-19-136

Comment 1 Wolfgang Frisch 2019-11-12 10:18:16 UTC

Created attachment 823915 [details]
ImageMagick-CVE-2019-18853.patch

upstream patch
https://github.com/ImageMagick/ImageMagick/commit/ec9c8944af2bfc65c697ca44f93a727a99b405f1

Comment 2 Petr Gajdos 2019-11-12 10:58:00 UTC

Fixed in Tumbleweed, code not found in older distros.

Comment 3 Petr Gajdos 2019-11-12 11:02:08 UTC

GraphicsMagick: code not found