Bug 1095812 - (CVE-2018-10805) VUL-1: CVE-2018-10805: ImageMagick: Memory leak in ReadYCBCRImage
(CVE-2018-10805)
VUL-1: CVE-2018-10805: ImageMagick: Memory leak in ReadYCBCRImage
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/205367/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-06-04 12:38 UTC by Alexander Bergmann
Modified: 2021-10-05 10:40 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Petr Gajdos 2018-06-20 07:14:55 UTC
No test case found.
Comment 2 Petr Gajdos 2018-06-20 14:54:16 UTC
ImageMagick 7 commit:
https://github.com/ImageMagick/ImageMagick/commit/53060aa22a3767a46a9ddb4ef32e7fa061a1da34

ImageMagick 6 commit:
https://github.com/ImageMagick/ImageMagick6/commit/53060aa22a3767a46a9ddb4ef32e7fa061a1da34

The commit fixes following upstream bugs:

Memory leak in ReadBGRImage #1043
Memory leak in ReadCMYKImage #1044
Memory leak in ReadGRAYImage #1046
Memory leak in ReadRGBImage #1051
Memory leak in ReadYCBCRImage #1054

Only ReadYCBCRImage fix is bound to this CVE.

15/ImageMagick:
has this fix already in, nevertheless I will add another leak fix

12/ImageMagick:
ReadBGRImage    fixed
ReadCMYKImage   fixed
ReadGRAYImage   fixed
ReadRGBImage    fixed
ReadYCBCRImage  fixed

11/ImageMagick:
ReadBGRImage    does not have bgr
ReadCMYKImage   fixed
ReadGRAYImage   fixed
ReadRGBImage    fixed
ReadYCBCRImage  fixed

11/GraphicsMagick:
ReadBGRImage    does not have bgr
ReadCMYKImage   unrelated small leak (scanline variable)
ReadGRAYImage   unrelated small leak (scanline variable)
ReadRGBImage    unrelated small leak (scanline variable)
ReadYCBCRImage  does not have ycbcr

42.3/GraphicsMagick:
ReadBGRImage    does not have bgr
ReadCMYKImage   unrelated small leak (scanline variable)
ReadGRAYImage   unrelated small leak (scanline variable)
ReadRGBImage    unrelated small leak (scanline variable)
ReadYCBCRImage  does not have ycbcr

15.0/GraphicsMagick:
ReadBGRImage    does not have bgr
ReadCMYKImage   unrelated small leak (scanline variable)
ReadGRAYImage   unrelated small leak (scanline variable)
ReadRGBImage    unrelated small leak (scanline variable)
ReadYCBCRImage  does not have ycbcr

Reported 
https://sourceforge.net/p/graphicsmagick/bugs/567/
https://github.com/ImageMagick/ImageMagick/issues/1179
Comment 3 Petr Gajdos 2018-06-20 14:56:43 UTC
Will submit for 15/ImageMagick, 12/ImageMagick, 11/ImageMagick, 11/GraphicsMagick, 42.3/GraphicsMagick and 15.0/GraphicsMagick.
Comment 4 Petr Gajdos 2018-06-20 14:57:15 UTC
I believe all fixed.
Comment 6 Swamp Workflow Management 2018-06-20 16:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (1095812) was mentioned in
https://build.opensuse.org/request/show/618094 15.0 / GraphicsMagick
https://build.opensuse.org/request/show/618095 42.3 / GraphicsMagick
Comment 8 Swamp Workflow Management 2018-06-29 19:09:24 UTC
SUSE-SU-2018:1851-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047356,1056277,1087820,1094204,1094237,1095730,1095812,1095813
CVE References: CVE-2017-10928,CVE-2017-13758,CVE-2017-18271,CVE-2018-10804,CVE-2018-10805,CVE-2018-11251,CVE-2018-11655,CVE-2018-9133
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.65.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.65.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.65.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.65.1
Comment 9 Swamp Workflow Management 2018-06-30 13:09:53 UTC
openSUSE-SU-2018:1860-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047356,1056277,1087820,1094204,1094237,1095730,1095812,1095813
CVE References: CVE-2017-10928,CVE-2017-13758,CVE-2017-18271,CVE-2018-10804,CVE-2018-10805,CVE-2018-11251,CVE-2018-11655,CVE-2018-9133
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-64.1
Comment 10 Swamp Workflow Management 2018-06-30 13:10:57 UTC
openSUSE-SU-2018:1862-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 1075821,1095812
CVE References: CVE-2018-10805
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-93.1
openSUSE Leap 15.0 (src):    GraphicsMagick-1.3.29-lp150.3.6.1
Comment 12 Swamp Workflow Management 2018-07-23 19:08:31 UTC
SUSE-SU-2018:2043-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1094742,1094745,1095812,1096200,1096203,1098545,1098546
CVE References: CVE-2018-10805,CVE-2018-11624,CVE-2018-11625,CVE-2018-12599,CVE-2018-12600
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.9.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.9.1
Comment 13 Swamp Workflow Management 2018-07-28 14:01:30 UTC
openSUSE-SU-2018:2123-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1094742,1094745,1095812,1096200,1096203,1098545,1098546
CVE References: CVE-2018-10805,CVE-2018-11624,CVE-2018-11625,CVE-2018-12599,CVE-2018-12600
Sources used:
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.6.1
Comment 16 Swamp Workflow Management 2018-08-16 19:15:49 UTC
SUSE-SU-2018:2390-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1056277,1094204,1095812,1102007
CVE References: CVE-2017-13758,CVE-2017-18271,CVE-2018-10805,CVE-2018-14435
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-78.61.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-78.61.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-78.61.1
Comment 17 Swamp Workflow Management 2018-08-21 10:12:59 UTC
SUSE-SU-2018:2465-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1056277,1094204,1094237,1095812,1098545,1098546,1102003,1102004,1102005,1102007
CVE References: CVE-2017-13758,CVE-2017-18271,CVE-2018-10805,CVE-2018-11251,CVE-2018-12599,CVE-2018-12600,CVE-2018-14434,CVE-2018-14435,CVE-2018-14436,CVE-2018-14437
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-78.56.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-78.56.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.56.1
Comment 18 Marcus Meissner 2018-10-05 06:24:27 UTC
released
Comment 19 Swamp Workflow Management 2019-05-28 13:30:15 UTC
This is an autogenerated message for OBS integration:
This bug (1095812) was mentioned in
https://build.opensuse.org/request/show/705902 15.1 / GraphicsMagick
Comment 20 OBSbugzilla Bot 2021-10-04 16:40:20 UTC
This is an autogenerated message for OBS integration:
This bug (1095812) was mentioned in
https://build.opensuse.org/request/show/923064 Factory / ImageMagick
Comment 21 OBSbugzilla Bot 2021-10-05 10:40:20 UTC
This is an autogenerated message for OBS integration:
This bug (1095812) was mentioned in
https://build.opensuse.org/request/show/923178 Factory / ImageMagick