Bug 1195563 - (CVE-2022-0284) VUL-0: CVE-2022-0284: ImageMagick: Heap buffer overread in GetPixelAlpha() in MagickCore/pixel-accessor.h
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/322517/
CVSSv3.1:SUSE:CVE-2022-0284:6.1:(AV:L...
Reported: 2022-02-04 15:07 UTC by Carlos López
Modified: 2022-09-08 11:20 UTC (History)
Found By: Security Response Team
Description Carlos López 2022-02-04 15:07:38 UTC
rh#2045943

There's a heap buffer overread that was discovered in ImageMagick version 7.1.0-20 in GetPixelAlpha() declared in MagickCore/pixel-accessor.h. A specially crafted file could trigger this and potentially cause a denial of service or information leak.

Reference: https://github.com/ImageMagick/ImageMagick/issues/4729
Upstream patch commit: https://github.com/ImageMagick/ImageMagick/commit/e50f19fd73c792ebe912df8ab83aa51a243a3da7

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2045943
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0284
Comment 1 Carlos López 2022-02-04 15:13:57 UTC
Affected:
 - SUSE:SLE-15:Update
 - SUSE:SLE-15-SP2:Update
 - SUSE:SLE-15-SP4:Update
 - openSUSE:Factory
Comment 2 Petr Gajdos 2022-02-08 14:42:40 UTC
BEFORE

15sp4/ImageMagick

$ valgrind  -q convert poc.tiff output.picon
==18321== Invalid read of size 4
==18321==    at 0x9C080DD: WritePICONImage (xpm.c:811)
==18321==    by 0x4EBA86E: WriteImage (constitute.c:1286)
==18321==    by 0x4EBB17A: WriteImages (constitute.c:1438)
==18321==    by 0x534A3A5: ConvertImageCommand (convert.c:3327)
==18321==    by 0x53B5AAF: MagickCommandGenesis (mogrify.c:188)
==18321==    by 0x10941F: MagickMain (magick.c:150)
==18321==    by 0x589D29C: (below main) (in /lib64/libc-2.31.so)
==18321==  Address 0xa121440 is 0 bytes after a block of size 21,312 alloc'd
==18321==    at 0x4C39926: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18321==    by 0x4C39A69: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18321==    by 0x4F54AEF: AcquireAlignedMemory_POSIX (memory.c:299)
==18321==    by 0x4F54AEF: AcquireAlignedMemory (memory.c:377)
==18321==    by 0x4E94D8E: OpenPixelCache (cache.c:3746)
==18321==    by 0x4E71628: GetImagePixelCache (cache.c:1775)
==18321==    by 0x4E9774A: SyncImagePixelCache (cache.c:5516)
==18321==    by 0x4F91D2A: SetGrayscaleImage (quantize.c:3773)
==18321==    by 0x4F91D2A: QuantizeImage (quantize.c:3119)
==18321==    by 0x4F92538: CompressImageColormap (quantize.c:1205)
==18321==    by 0x9C08977: WritePICONImage (xpm.c:759)
==18321==    by 0x4EBA86E: WriteImage (constitute.c:1286)
==18321==    by 0x4EBB17A: WriteImages (constitute.c:1438)
==18321==    by 0x534A3A5: ConvertImageCommand (convert.c:3327)
==18321== 
convert: Unknown field with tag 342 (0x156) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Unknown field with tag 32932 (0x80a4) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Unknown field with tag 33919 (0x847f) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Unknown field with tag 33922 (0x8482) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Unknown field with tag 50784 (0xc660) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Incorrect count for "TransferFunction"; tag ignored. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: incorrect count for field "DNGBackwardVersion", expected 4, got 7. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/964.
convert: Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples.. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Decoding error at scanline 0, incorrect header check. `ZIPDecode' @ error/tiff.c/TIFFErrors/600.
$

[issue reproduced]

15sp2,15/ImageMagick

$ valgrind  -q convert poc.tiff output.picon
convert: Unknown field with tag 342 (0x156) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/1006.
convert: Unknown field with tag 32932 (0x80a4) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/1006.
convert: Unknown field with tag 33919 (0x847f) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/1006.
convert: Unknown field with tag 33922 (0x8482) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/1006.
convert: Unknown field with tag 50784 (0xc660) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/1006.
convert: Incorrect count for "TransferFunction"; tag ignored. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/1006.
convert: incorrect count for field "DNGBackwardVersion", expected 4, got 7. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/1006.
convert: Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples.. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/1006.
convert: Decoding error at scanline 0, incorrect header check. `ZIPDecode' @ error/tiff.c/TIFFErrors/658.
convert: improper image header `/tmp/magick-183904Od2dPAO2mmO' @ error/xpm.c/ReadXPMImage/344.
$

[issue not reproduced]


PATCH

see comment 0


AFTER

15sp4,15sp2,15/ImageMagick

$ valgrind  -q convert poc.tiff output.picon
convert: Unknown field with tag 342 (0x156) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Unknown field with tag 32932 (0x80a4) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Unknown field with tag 33919 (0x847f) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Unknown field with tag 33922 (0x8482) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Unknown field with tag 50784 (0xc660) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Incorrect count for "TransferFunction"; tag ignored. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: incorrect count for field "DNGBackwardVersion", expected 4, got 7. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/964.
convert: Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples.. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Decoding error at scanline 0, incorrect header check. `ZIPDecode' @ error/tiff.c/TIFFErrors/600.
$
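Added here as an example, not code from the bug report or from ImageMagick: a small checker for the memcheck output used in the runs above. It tells the "[issue reproduced]" run from the "[issue not reproduced]" one by pulling out the invalid read, its innermost frame and how far past the pixel-cache block the access landed, which is the check a packager wants when validating the backport on each codestream. The sample logs are constructed, trimmed copies of the traces in this comment.

```python
import re
from dataclasses import dataclass

# Constructed sample: trimmed copies of the memcheck report from the 15sp4
# "BEFORE" run (issue reproduced) and of the 15sp2/15 run (not reproduced).
REPRODUCED_LOG = """\
==18321== Invalid read of size 4
==18321==    at 0x9C080DD: WritePICONImage (xpm.c:811)
==18321==  Address 0xa121440 is 0 bytes after a block of size 21,312 alloc'd
==18321==    at 0x4C39926: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18321==    by 0x4E94D8E: OpenPixelCache (cache.c:3746)
==18321== 
"""
NOT_REPRODUCED_LOG = "convert: improper image header `/tmp/magick-183904Od2dPAO2mmO' @ error/xpm.c/ReadXPMImage/344.\n"

HEADER = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+)$")
ADDR = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is ([\d,]+) bytes (after|before|inside) a block of size ([\d,]+)")

@dataclass
class HeapAccessError:
    kind: str         # "read" or "write"
    size: int         # bytes touched by the faulting instruction
    fault_site: str   # innermost frame of the bad access, e.g. "WritePICONImage (xpm.c:811)"
    offset: int       # distance from the block boundary, in bytes (0 == first byte past it)
    where: str        # "after", "before" or "inside" the heap block
    block_size: int   # size of that block (the pixel cache here)
    alloc_site: str = ""  # first non-valgrind frame of the allocation stack

def parse_memcheck(log: str) -> list[HeapAccessError]:
    errors: list[HeapAccessError] = []
    cur = None
    for line in log.splitlines():
        if m := HEADER.match(line):
            errors.append(cur := HeapAccessError(m.group(1), int(m.group(2)), "", -1, "", -1))
        elif cur and (m := ADDR.match(line)):
            cur.offset, cur.block_size = (int(m.group(i).replace(",", "")) for i in (1, 3))
            cur.where = m.group(2)  # frames from here on describe the allocation
        elif cur and (m := FRAME.match(line)):
            frame = m.group(1)
            if not cur.where and not cur.fault_site:
                cur.fault_site = frame
            elif cur.where and not cur.alloc_site and "vgpreload" not in frame:
                cur.alloc_site = frame  # skip valgrind's malloc/memalign replacements
        else:
            cur = None  # the "==PID== " separator (or any other text, e.g. convert's own stderr) ends the report
    return errors

def reproduced(log: str) -> bool:
    # True when the run shows the out-of-bounds heap read this bug is about.
    return any(e.kind == "read" and e.where == "after" for e in parse_memcheck(log))
```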
Comment 3 Petr Gajdos 2022-02-08 14:43:42 UTC
Submitted into 15sp4,15sp2,15.

Tumbleweed's version has this fix already in.
Comment 4 Petr Gajdos 2022-02-08 14:44:15 UTC
I believe all fixed.
Comment 6 Swamp Workflow Management 2022-02-21 17:17:47 UTC
openSUSE-SU-2022:0540-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1195563
CVE References: CVE-2022-0284
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    ImageMagick-7.0.7.34-10.21.1
openSUSE Leap 15.3 (src):    ImageMagick-7.0.7.34-10.21.1
Comment 7 Swamp Workflow Management 2022-02-21 17:26:47 UTC
SUSE-SU-2022:0540-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1195563
CVE References: CVE-2022-0284
JIRA References: 
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    ImageMagick-7.0.7.34-10.21.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    ImageMagick-7.0.7.34-10.21.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    ImageMagick-7.0.7.34-10.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.