Bug 1198701 - (CVE-2022-1115) VUL-0: CVE-2022-1115: ImageMagick: heap-buffer-overflow in PushShortPixel of quantum-private.h
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other / Other
Importance: P3 - Medium, Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/327381/
CVSSv3.1:SUSE:CVE-2022-1115:5.5:(AV:L...
Reported: 2022-04-20 13:32 UTC by Alexander Bergmann
Modified: 2022-08-19 13:32 UTC (History)
Found By: Security Response Team
Description Alexander Bergmann 2022-04-20 13:32:11 UTC
rh#2067022

A heap-buffer-overflow flaw was found in the PushShortPixel function of quantum-private.h.

References:
https://github.com/ImageMagick/ImageMagick/issues/4974
https://bugzilla.redhat.com/show_bug.cgi?id=2067022
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1115
Comment 1 Petr Gajdos 2022-04-22 08:41:36 UTC
BEFORE

15sp4/ImageMagick

$ valgrind  -q convert poc /dev/null
==11920== Invalid read of size 2
==11920==    at 0x4FB6057: PushShortPixel (quantum-private.h:271)
==11920==    by 0x4FB6057: ImportRGBAQuantum (quantum-import.c:4233)
==11920==    by 0x4FBD422: ImportQuantumPixels (quantum-import.c:4781)
==11920==    by 0x94D17E0: ReadTIFFImage (tiff.c:2058)
==11920==    by 0x4EB9137: ReadImage (constitute.c:624)
==11920==    by 0x4EBA2AE: ReadImages (constitute.c:955)
==11920==    by 0x534A803: ConvertImageCommand (convert.c:611)
==11920==    by 0x53B5AAF: MagickCommandGenesis (mogrify.c:188)
==11920==    by 0x10941F: MagickMain (magick.c:150)
==11920==    by 0x589D2BC: (below main) (in /lib64/libc-2.31.so)
==11920==  Address 0x919530a is 0 bytes after a block of size 330 alloc'd
==11920==    at 0x4C346A4: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11920==    by 0x94D169D: ReadTIFFImage (tiff.c:2004)
==11920==    by 0x4EB9137: ReadImage (constitute.c:624)
==11920==    by 0x4EBA2AE: ReadImages (constitute.c:955)
==11920==    by 0x534A803: ConvertImageCommand (convert.c:611)
==11920==    by 0x53B5AAF: MagickCommandGenesis (mogrify.c:188)
==11920==    by 0x10941F: MagickMain (magick.c:150)
==11920==    by 0x589D2BC: (below main) (in /lib64/libc-2.31.so)
==11920== 
==11920== Invalid read of size 2
==11920==    at 0x4FB6071: ImportRGBAQuantum (quantum-import.c:4238)
==11920==    by 0x4FBD422: ImportQuantumPixels (quantum-import.c:4781)
==11920==    by 0x94D17E0: ReadTIFFImage (tiff.c:2058)
==11920==    by 0x4EB9137: ReadImage (constitute.c:624)
==11920==    by 0x4EBA2AE: ReadImages (constitute.c:955)
==11920==    by 0x534A803: ConvertImageCommand (convert.c:611)
==11920==    by 0x53B5AAF: MagickCommandGenesis (mogrify.c:188)
==11920==    by 0x10941F: MagickMain (magick.c:150)
==11920==    by 0x589D2BC: (below main) (in /lib64/libc-2.31.so)
==11920==  Address 0x919530c is 2 bytes after a block of size 330 alloc'd
==11920==    at 0x4C346A4: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11920==    by 0x94D169D: ReadTIFFImage (tiff.c:2004)
==11920==    by 0x4EB9137: ReadImage (constitute.c:624)
==11920==    by 0x4EBA2AE: ReadImages (constitute.c:955)
==11920==    by 0x534A803: ConvertImageCommand (convert.c:611)
==11920==    by 0x53B5AAF: MagickCommandGenesis (mogrify.c:188)
==11920==    by 0x10941F: MagickMain (magick.c:150)
==11920==    by 0x589D2BC: (below main) (in /lib64/libc-2.31.so)
==11920== 
==11920== Invalid read of size 2
==11920==    at 0x4FB608D: ImportRGBAQuantum (quantum-import.c:4241)
==11920==    by 0x4FBD422: ImportQuantumPixels (quantum-import.c:4781)
==11920==    by 0x94D17E0: ReadTIFFImage (tiff.c:2058)
==11920==    by 0x4EB9137: ReadImage (constitute.c:624)
==11920==    by 0x4EBA2AE: ReadImages (constitute.c:955)
==11920==    by 0x534A803: ConvertImageCommand (convert.c:611)
==11920==    by 0x53B5AAF: MagickCommandGenesis (mogrify.c:188)
==11920==    by 0x10941F: MagickMain (magick.c:150)
==11920==    by 0x589D2BC: (below main) (in /lib64/libc-2.31.so)
==11920==  Address 0x919530e is 4 bytes after a block of size 330 alloc'd
==11920==    at 0x4C346A4: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11920==    by 0x94D169D: ReadTIFFImage (tiff.c:2004)
==11920==    by 0x4EB9137: ReadImage (constitute.c:624)
==11920==    by 0x4EBA2AE: ReadImages (constitute.c:955)
==11920==    by 0x534A803: ConvertImageCommand (convert.c:611)
==11920==    by 0x53B5AAF: MagickCommandGenesis (mogrify.c:188)
==11920==    by 0x10941F: MagickMain (magick.c:150)
==11920==    by 0x589D2BC: (below main) (in /lib64/libc-2.31.so)
==11920== 
==11920== Invalid read of size 2
==11920==    at 0x4FB60A5: SetPixelBlue (pixel-accessor.h:684)
==11920==    by 0x4FB60A5: ImportRGBAQuantum (quantum-import.c:4240)
==11920==    by 0x4FBD422: ImportQuantumPixels (quantum-import.c:4781)
==11920==    by 0x94D17E0: ReadTIFFImage (tiff.c:2058)
==11920==    by 0x4EB9137: ReadImage (constitute.c:624)
==11920==    by 0x4EBA2AE: ReadImages (constitute.c:955)
==11920==    by 0x534A803: ConvertImageCommand (convert.c:611)
==11920==    by 0x53B5AAF: MagickCommandGenesis (mogrify.c:188)
==11920==    by 0x10941F: MagickMain (magick.c:150)
==11920==    by 0x589D2BC: (below main) (in /lib64/libc-2.31.so)
==11920==  Address 0x9195310 is 6 bytes after a block of size 330 alloc'd
==11920==    at 0x4C346A4: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11920==    by 0x94D169D: ReadTIFFImage (tiff.c:2004)
==11920==    by 0x4EB9137: ReadImage (constitute.c:624)
==11920==    by 0x4EBA2AE: ReadImages (constitute.c:955)
==11920==    by 0x534A803: ConvertImageCommand (convert.c:611)
==11920==    by 0x53B5AAF: MagickCommandGenesis (mogrify.c:188)
==11920==    by 0x10941F: MagickMain (magick.c:150)
==11920==    by 0x589D2BC: (below main) (in /lib64/libc-2.31.so)
[..]
$

15,12,11/ImageMagick:

$ valgrind  -q convert poc /dev/null
convert: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/1006.
convert: Nonstandard tile length 2, convert file. `poc' @ warning/tiff.c/TIFFWarnings/1006.
convert: Incorrect count for "YResolution"; tag ignored. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/1006.
convert: Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples.. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/1006.
convert: Sorry, can not handle images with IEEE floating-point samples. `poc' @ error/tiff.c/TIFFErrors/658.
$

[could not reproduce]


PATCH

IM7:
https://github.com/ImageMagick/ImageMagick/commit/c8718305f120293d8bf13724f12eed885d830b09
IM6:
https://github.com/ImageMagick/ImageMagick6/commit/1f860f52bd8d58737ad883072203391096b30b51

There is no such code in codestreams older than 15sp4/ImageMagick.


AFTER

$ valgrind  -q convert poc /dev/null
convert: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/964.
convert: Nonstandard tile length 2, convert file. `poc' @ warning/tiff.c/TIFFWarnings/964.
convert: Incorrect count for "YResolution"; tag ignored. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/964.
convert: Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples.. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/964.
$
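The valgrind trace above shows four 2-byte reads at 0, 2, 4 and 6 bytes past a 330-byte heap block, i.e. one whole RGBA pixel with 16-bit samples lying entirely beyond the allocation. The following is a constructed model of that bug class, added here and not ImageMagick's code: a PushShortPixel-style big-endian 16-bit reader driven by a column count that is never compared against the strip buffer length, beside a checked import that refuses to run when the buffer is too short. The buffer length and pixel values in the test are constructed, not taken from the poc.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model (not ImageMagick's code): a strip buffer is imported as
 * RGBA pixels with 16-bit samples, 8 bytes per pixel. If the column count is
 * not checked against the buffer length, the last pixel is read past the end
 * of the allocation, exactly the pattern valgrind reports for this bug. */

#define RGBA16_BYTES_PER_PIXEL 8  /* 4 samples x 16 bits */

/* Big-endian 16-bit read, the role PushShortPixel plays in quantum-private.h. */
static uint16_t push_short_pixel(const unsigned char **p)
{
    uint16_t v = (uint16_t)(((*p)[0] << 8) | (*p)[1]);
    *p += 2;
    return v;
}

/* Number of bytes an unchecked import of 'columns' pixels would read beyond
 * 'len' (0 means the import fits). SIZE_MAX signals arithmetic overflow. */
size_t rgba16_overread_bytes(size_t len, size_t columns)
{
    if (columns > SIZE_MAX / RGBA16_BYTES_PER_PIXEL)
        return SIZE_MAX;
    size_t needed = columns * RGBA16_BYTES_PER_PIXEL;
    return needed > len ? needed - len : 0;
}

/* Hardened import: every sample must lie inside the buffer before any read.
 * Returns 0 on success, -1 when 'len' cannot hold 'columns' pixels. */
int import_rgba16_checked(const unsigned char *buf, size_t len,
                          size_t columns, uint16_t *out /* 4*columns */)
{
    if (rgba16_overread_bytes(len, columns) != 0)
        return -1;                      /* reject instead of over-reading */
    const unsigned char *p = buf;
    for (size_t x = 0; x < columns; x++) {
        out[4*x + 0] = push_short_pixel(&p);   /* red   */
        out[4*x + 1] = push_short_pixel(&p);   /* green */
        out[4*x + 2] = push_short_pixel(&p);   /* blue  */
        out[4*x + 3] = push_short_pixel(&p);   /* alpha */
    }
    return 0;
}
```

Reproducing the valgrind run after a patch, as comment 1 does, remains the check that matters; this model only shows why the four reads land where they do.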
Comment 2 Petr Gajdos 2022-04-22 08:42:20 UTC
Will submit for 15sp4/ImageMagick.
Comment 4 Petr Gajdos 2022-04-22 09:03:38 UTC
https://build.suse.de/request/show/270537

I believe all fixed.
Comment 5 Deshun Wang 2022-06-02 02:36:39 UTC
(In reply to Petr Gajdos from comment #1)
> There is no such code in codestreams older than 15sp4/ImageMagick.

Does this mean that SPs (SLES 12/15) prior to 15SP4 are not affected by this CVE?
Comment 6 Hu 2022-08-19 13:32:54 UTC
Yes, they are not affected; thanks for your submission, Petr! Closing.