Bugzilla – Bug 1195563
VUL-0: CVE-2022-0284: ImageMagick: Heap buffer overread in GetPixelAlpha() in MagickCore/pixel-accessor.h
Last modified: 2022-09-08 11:20:33 UTC
rh#2045943

There's a heap buffer overread that was discovered in ImageMagick version 7.1.0-20 in GetPixelAlpha() declared in MagickCore/pixel-accessor.h. A specially crafted file could trigger this and potentially cause a denial of service or information leak.

Reference:
https://github.com/ImageMagick/ImageMagick/issues/4729

Upstream patch commit:
https://github.com/ImageMagick/ImageMagick/commit/e50f19fd73c792ebe912df8ab83aa51a243a3da7

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2045943
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0284

Affected:
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP2:Update
- SUSE:SLE-15-SP4:Update
- openSUSE:Factory
BEFORE

15sp4/ImageMagick
$ valgrind -q convert poc.tiff output.picon
==18321== Invalid read of size 4
==18321==    at 0x9C080DD: WritePICONImage (xpm.c:811)
==18321==    by 0x4EBA86E: WriteImage (constitute.c:1286)
==18321==    by 0x4EBB17A: WriteImages (constitute.c:1438)
==18321==    by 0x534A3A5: ConvertImageCommand (convert.c:3327)
==18321==    by 0x53B5AAF: MagickCommandGenesis (mogrify.c:188)
==18321==    by 0x10941F: MagickMain (magick.c:150)
==18321==    by 0x589D29C: (below main) (in /lib64/libc-2.31.so)
==18321==  Address 0xa121440 is 0 bytes after a block of size 21,312 alloc'd
==18321==    at 0x4C39926: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18321==    by 0x4C39A69: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18321==    by 0x4F54AEF: AcquireAlignedMemory_POSIX (memory.c:299)
==18321==    by 0x4F54AEF: AcquireAlignedMemory (memory.c:377)
==18321==    by 0x4E94D8E: OpenPixelCache (cache.c:3746)
==18321==    by 0x4E71628: GetImagePixelCache (cache.c:1775)
==18321==    by 0x4E9774A: SyncImagePixelCache (cache.c:5516)
==18321==    by 0x4F91D2A: SetGrayscaleImage (quantize.c:3773)
==18321==    by 0x4F91D2A: QuantizeImage (quantize.c:3119)
==18321==    by 0x4F92538: CompressImageColormap (quantize.c:1205)
==18321==    by 0x9C08977: WritePICONImage (xpm.c:759)
==18321==    by 0x4EBA86E: WriteImage (constitute.c:1286)
==18321==    by 0x4EBB17A: WriteImages (constitute.c:1438)
==18321==    by 0x534A3A5: ConvertImageCommand (convert.c:3327)
==18321==
convert: Unknown field with tag 342 (0x156) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Unknown field with tag 32932 (0x80a4) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Unknown field with tag 33919 (0x847f) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Unknown field with tag 33922 (0x8482) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Unknown field with tag 50784 (0xc660) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Incorrect count for "TransferFunction"; tag ignored. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: incorrect count for field "DNGBackwardVersion", expected 4, got 7. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/964.
convert: Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples.. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Decoding error at scanline 0, incorrect header check. `ZIPDecode' @ error/tiff.c/TIFFErrors/600.
$
[issue reproduced]

15sp2,15/ImageMagick
$ valgrind -q convert poc.tiff output.picon
convert: Unknown field with tag 342 (0x156) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/1006.
convert: Unknown field with tag 32932 (0x80a4) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/1006.
convert: Unknown field with tag 33919 (0x847f) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/1006.
convert: Unknown field with tag 33922 (0x8482) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/1006.
convert: Unknown field with tag 50784 (0xc660) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/1006.
convert: Incorrect count for "TransferFunction"; tag ignored. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/1006.
convert: incorrect count for field "DNGBackwardVersion", expected 4, got 7. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/1006.
convert: Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples.. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/1006.
convert: Decoding error at scanline 0, incorrect header check. `ZIPDecode' @ error/tiff.c/TIFFErrors/658.
convert: improper image header `/tmp/magick-183904Od2dPAO2mmO' @ error/xpm.c/ReadXPMImage/344.
$
[issue not reproduced]

PATCH

see comment 0

AFTER

15sp4,15sp2,15/ImageMagick
$ valgrind -q convert poc.tiff output.picon
convert: Unknown field with tag 342 (0x156) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Unknown field with tag 32932 (0x80a4) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Unknown field with tag 33919 (0x847f) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Unknown field with tag 33922 (0x8482) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Unknown field with tag 50784 (0xc660) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Incorrect count for "TransferFunction"; tag ignored. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: incorrect count for field "DNGBackwardVersion", expected 4, got 7. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/964.
convert: Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples.. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Decoding error at scanline 0, incorrect header check. `ZIPDecode' @ error/tiff.c/TIFFErrors/600.
$
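
The BEFORE/AFTER check in the comment above can be scripted per codestream; the following is an added example, not part of the original bug report. The function name `memcheck_verdict` and the two sample logs (excerpts constructed from the output quoted above) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the bug report): decide "reproduced" / "not reproduced"
# from a `valgrind -q` log by looking for a Memcheck invalid access whose
# innermost frame is the function named in $1.
memcheck_verdict() {
  awk -v want="$1" '
    /^==[0-9]+== / {                      # Memcheck lines carry an ==PID== prefix
      line = $0; sub(/^==[0-9]+== /, "", line)
      if (line ~ /^Invalid (read|write) of size [0-9]+/) { err = line; top = 1; next }
      if (top && line ~ /^ *at 0x/) {     # innermost frame of that error
        top = 0
        hit = (index(line, ": " want " ") > 0)
        frame = line; sub(/^ *at 0x[0-9A-Fa-f]+: /, "", frame)
        next
      }
      if (hit && line ~ /^ *Address 0x/) { # position relative to the heap block
        sub(/^ *Address 0x[0-9A-Fa-f]+ is /, "", line)
        printf "reproduced: %s at %s, %s\n", err, frame, line
        found = 1; hit = 0
      }
    }
    END { if (!found) print "not reproduced" }
  '
}

# Constructed sample input: excerpts of the two outcomes quoted in the comment.
before_log() { cat <<'EOF'
==18321== Invalid read of size 4
==18321==    at 0x9C080DD: WritePICONImage (xpm.c:811)
==18321==    by 0x4EBA86E: WriteImage (constitute.c:1286)
==18321==  Address 0xa121440 is 0 bytes after a block of size 21,312 alloc'd
==18321==    at 0x4C39926: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
convert: Decoding error at scanline 0, incorrect header check. `ZIPDecode' @ error/tiff.c/TIFFErrors/600.
EOF
}
after_log() { cat <<'EOF'
convert: Unknown field with tag 342 (0x156) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
convert: Decoding error at scanline 0, incorrect header check. `ZIPDecode' @ error/tiff.c/TIFFErrors/600.
EOF
}

before_log | memcheck_verdict WritePICONImage
after_log  | memcheck_verdict WritePICONImage
# Live use: valgrind -q convert poc.tiff output.picon 2>&1 | memcheck_verdict WritePICONImage
```

The libtiff warnings and the `ZIPDecode` error appear in every run, patched or not, so only the Memcheck lines distinguish an affected build.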
Submitted into 15sp4,15sp2,15. Tumbleweed's version has this fix already in.
I believe all fixed.
openSUSE-SU-2022:0540-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1195563
CVE References: CVE-2022-0284
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): ImageMagick-7.0.7.34-10.21.1
openSUSE Leap 15.3 (src): ImageMagick-7.0.7.34-10.21.1

SUSE-SU-2022:0540-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1195563
CVE References: CVE-2022-0284
JIRA References:
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src): ImageMagick-7.0.7.34-10.21.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): ImageMagick-7.0.7.34-10.21.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): ImageMagick-7.0.7.34-10.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.