Bug 1096203 - (CVE-2018-11624) VUL-1: CVE-2018-11624: GraphicsMagick,ImageMagick: use after free in ReadMATImage function in coders/mat.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low
Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/206845/
CVSSv2:NVD:CVE-2018-11624:6.8:(AV:N/A...
Reported: 2018-06-06 09:30 UTC by Karol Babioch
Modified: 2021-10-05 10:40 UTC (History)
Found By: Security Response Team
Description Karol Babioch 2018-06-06 09:30:18 UTC
In ImageMagick 7.0.7-36 Q16, the ReadMATImage function in coders/mat.c allows
attackers to cause a use after free via a crafted file.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1584898
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11624
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11624.html
https://github.com/ImageMagick/ImageMagick/issues/1149
Comment 1 Petr Gajdos 2018-06-14 11:11:18 UTC
BEFORE

15/ImageMagick

$ valgrind -q identify poc
==26185== Invalid read of size 8
==26185==    at 0x4E8BAF4: CloseBlob (blob.c:605)
==26185==    by 0x920EA3F: ReadMATImage (mat.c:1238)
==26185==    by 0x4EB6EA9: ReadImage (constitute.c:558)
==26185==    by 0x4FD69EB: ReadStream (stream.c:1043)
==26185==    by 0x4EB6962: PingImage (constitute.c:226)
==26185==    by 0x4EB6BDA: PingImages (constitute.c:327)
==26185==    by 0x535FF03: IdentifyImageCommand (identify.c:319)
==26185==    by 0x538DAF4: MagickCommandGenesis (mogrify.c:183)
==26185==    by 0x10937F: MagickMain (magick.c:149)
==26185==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
==26185==  Address 0x8e6e030 is 13,392 bytes inside a block of size 13,504 free'd
==26185==    at 0x4C2F2BB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26185==    by 0x4F4F37E: RelinquishMagickMemory (memory.c:1058)
==26185==    by 0x9210933: ReadMATImage (mat.c:1084)
==26185==    by 0x4EB6EA9: ReadImage (constitute.c:558)
==26185==    by 0x4FD69EB: ReadStream (stream.c:1043)
==26185==    by 0x4EB6962: PingImage (constitute.c:226)
==26185==    by 0x4EB6BDA: PingImages (constitute.c:327)
==26185==    by 0x535FF03: IdentifyImageCommand (identify.c:319)
==26185==    by 0x538DAF4: MagickCommandGenesis (mogrify.c:183)
==26185==    by 0x10937F: MagickMain (magick.c:149)
==26185==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
==26185==  Block was alloc'd at
==26185==    at 0x4C2E08F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26185==    by 0x4F3CDDF: AcquireCriticalMemory (memory-private.h:64)
==26185==    by 0x4F3CDDF: AcquireImage (image.c:171)
==26185==    by 0x920E508: ReadMATImage (mat.c:895)
==26185==    by 0x4EB6EA9: ReadImage (constitute.c:558)
==26185==    by 0x4FD69EB: ReadStream (stream.c:1043)
==26185==    by 0x4EB6962: PingImage (constitute.c:226)
==26185==    by 0x4EB6BDA: PingImages (constitute.c:327)
==26185==    by 0x535FF03: IdentifyImageCommand (identify.c:319)
==26185==    by 0x538DAF4: MagickCommandGenesis (mogrify.c:183)
==26185==    by 0x10937F: MagickMain (magick.c:149)
==26185==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
==26185== 
identify: MagickCore/blob.c:605: CloseBlob: Assertion `image->signature == MagickCoreSignature' failed.
/root/bin/vgq: line 3: 26185 Aborted                 (core dumped) valgrind -q $@
$

12/ImageMagick

$ valgrind -q identify poc
identify: UnsupportedCellTypeInTheMatrix `poc' @ error/mat.c/ReadMATImage/1078.
$

11/ImageMagick

$ valgrind -q identify mat:poc
identify: UnsupportedCellTypeInTheMatrix `poc'.
$
[note the mat: prefix; otherwise the command quits sooner via 'no decode delegate']

11/GraphicsMagick

$ valgrind -q gm identify mat:poc
gm identify: Unsupported cell type in the matrix (poc).
$

42.3,15.0/GraphicsMagick

$ valgrind -q gm identify poc
gm identify: Unsupported cell type in the matrix (poc).
gm identify: Request did not return an image.
$


PATCH

https://github.com/ImageMagick/ImageMagick6/commit/172d82afe89d3499ef0cab06dc58d380cc1ab946

15/ImageMagick:      the fix is needed
11,12/ImageMagick:      already solved via ImageMagick-mat.c-update.patch
11/GraphicsMagick:   no image2 code
42.3/GraphicsMagick: already solved in ThrowImg2MATReaderException() via 
                     GraphicsMagick-mat.c-update.patch
15.0/GraphicsMagick: already solved


AFTER

15/ImageMagick

$ valgrind -q identify poc
identify: UnsupportedCellTypeInTheMatrix `poc' @ error/mat.c/ReadMATImage/1088.
$
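To triage a memcheck report like the one above per codestream, here is an added Python helper (not part of this bug, ImageMagick or GraphicsMagick) that splits the report into its use / free / alloc stacks, records the block geometry, and picks the first frame inside a given source file; REPORT is an excerpt of the Comment 1 output with the frames below ReadMATImage dropped.

```python
import re
# Excerpt of the memcheck report quoted in Comment 1 (first frames of each stack).
REPORT = """\
==26185== Invalid read of size 8
==26185==    at 0x4E8BAF4: CloseBlob (blob.c:605)
==26185==    by 0x920EA3F: ReadMATImage (mat.c:1238)
==26185==  Address 0x8e6e030 is 13,392 bytes inside a block of size 13,504 free'd
==26185==    at 0x4C2F2BB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26185==    by 0x4F4F37E: RelinquishMagickMemory (memory.c:1058)
==26185==    by 0x9210933: ReadMATImage (mat.c:1084)
==26185==  Block was alloc'd at
==26185==    at 0x4C2E08F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26185==    by 0x4F3CDDF: AcquireImage (image.c:171)
==26185==    by 0x920E508: ReadMATImage (mat.c:895)
"""

PREFIX_RE = re.compile(r"^==\d+==\s*")                                 # "==pid== " prefix
FRAME_RE = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")  # function (file:line)
ADDR_RE = re.compile(r"^Address 0x[0-9a-f]+ is ([\d,]+) bytes \w+ a block of size ([\d,]+) (free'd|alloc'd)")

def parse_memcheck(text):
    """Split one memcheck error into its use / free / alloc stacks plus block geometry."""
    stacks = {"use": [], "free": [], "alloc": []}
    geom, current = {}, None
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw)
        if line.startswith(("Invalid read", "Invalid write")):
            current = "use"                      # the faulting access and its call chain
        elif (m := ADDR_RE.match(line)):
            geom = {"offset": int(m[1].replace(",", "")), "block_size": int(m[2].replace(",", ""))}
            current = "free" if m[3] == "free'd" else "alloc"
        elif line.startswith("Block was alloc'd"):
            current = "alloc"
        elif current and (m := FRAME_RE.match(line)):
            stacks[current].append((m[1], m[2]))  # (function, "file:line" or "in <module>")
    return geom, stacks

def first_frame_in(frames, source_file):  # first frame inside source_file, e.g. the decoder
    return next((f for f in frames if f[1].startswith(source_file + ":")), None)

def triage(text, source_file):
    """Classify the report and pick the frames worth citing in a bug comment."""
    geom, stacks = parse_memcheck(text)
    return {"class": "use-after-free" if stacks["free"] else "invalid heap access",
            "faulting_call": stacks["use"][0] if stacks["use"] else None,
            "use": first_frame_in(stacks["use"], source_file),
            "free": first_frame_in(stacks["free"], source_file),
            "alloc": first_frame_in(stacks["alloc"], source_file),
            **geom}
```

For the report above, `triage(REPORT, "mat.c")` points at mat.c:1238 (use), mat.c:1084 (free) and mat.c:895 (alloc), which are the three lines a reviewer compares against the upstream patch.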
Comment 2 Petr Gajdos 2018-06-14 11:22:21 UTC
Given the date of the upstream bug and the date of ImageMagick-mat.c-update.patch, I will consider 11,12/ImageMagick unaffected, as the bug was probably introduced between these dates.

Also, the bug seems to never have existed in 42.3/GraphicsMagick, as ThrowImg2MATReaderException() was introduced with ImageMagick-mat.c-update.patch with the correct shape.

I consider 15/ImageMagick the only affected codestream.
Comment 3 Petr Gajdos 2018-06-15 12:59:02 UTC
I believe all fixed.
Comment 8 Swamp Workflow Management 2018-07-23 19:08:49 UTC
SUSE-SU-2018:2043-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1094742,1094745,1095812,1096200,1096203,1098545,1098546
CVE References: CVE-2018-10805,CVE-2018-11624,CVE-2018-11625,CVE-2018-12599,CVE-2018-12600
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.9.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.9.1
Comment 9 Swamp Workflow Management 2018-07-28 14:01:44 UTC
openSUSE-SU-2018:2123-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1094742,1094745,1095812,1096200,1096203,1098545,1098546
CVE References: CVE-2018-10805,CVE-2018-11624,CVE-2018-11625,CVE-2018-12599,CVE-2018-12600
Sources used:
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.6.1
Comment 10 Marcus Meissner 2018-10-05 06:26:20 UTC
released
Comment 11 OBSbugzilla Bot 2021-10-04 16:40:29 UTC
This is an autogenerated message for OBS integration:
This bug (1096203) was mentioned in
https://build.opensuse.org/request/show/923064 Factory / ImageMagick
Comment 12 OBSbugzilla Bot 2021-10-05 10:40:29 UTC
This is an autogenerated message for OBS integration:
This bug (1096203) was mentioned in
https://build.opensuse.org/request/show/923178 Factory / ImageMagick