Bug 1096200 - (CVE-2018-11625) VUL-1: CVE-2018-11625: GraphicsMagick,ImageMagick: heap-based buffer over-read in SetGrayscaleImage in the quantize.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other  OS: Other
Importance: P4 - Low : Minor
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/206846/
Whiteboard: CVSSv3:RedHat:CVE-2018-11625:3.3:(AV:...
Depends on:
Blocks:
Reported: 2018-06-06 09:28 UTC by Karol Babioch
Modified: 2021-10-05 10:40 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Karol Babioch 2018-06-06 09:28:32 UTC
In ImageMagick 7.0.7-37 Q16, SetGrayscaleImage in the quantize.c file allows
attackers to cause a heap-based buffer over-read via a crafted file.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1584904
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11625
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11625.html
https://github.com/ImageMagick/ImageMagick/issues/1156
Comment 1 Petr Gajdos 2018-06-15 12:50:45 UTC
BEFORE

15/ImageMagick

$ valgrind -q convert poc output.gif
convert: InvalidColormapIndex `poc' @ warning/image.c/SyncImage/3869.
$

12/ImageMagick

$ valgrind -q convert poc output.gif
convert: invalid colormap index `poc' @ error/image.c/SyncImage/3477.
$

11/ImageMagick

$ valgrind -q convert poc output.gif
convert: Invalid colormap index `poc'.
$

11,42.3/GraphicsMagick

$ valgrind -q gm convert poc output.gif
[many "conditional jump depends on uninitialized value" and "use of uninitialized value" errors, but no over-read observed]
$

15.0/GraphicsMagick

$ valgrind -q gm convert poc output.gif
$
Comment 3 Petr Gajdos 2018-06-15 14:19:45 UTC
With 7.0.8-0, the '+1' is needed:

Breakpoint 3, SetGrayscaleImage (image=0x5555557760a0, exception=0x55555575ee90) at MagickCore/quantize.c:3321
3321	  if (image->storage_class == PseudoClass)
(gdb) n
3322	    colormap_index=(ssize_t *) AcquireQuantumMemory(image->colors+1,
(gdb) p image->colors
$4 = 65535
(gdb) c
Continuing.

Breakpoint 2, SetGrayscaleImage (image=0x5555557760a0, exception=0x55555575ee90) at MagickCore/quantize.c:3442
3442	    for (x=0; x < (ssize_t) image->columns; x++)
(gdb) n
3444	      SetPixelIndex(image,(Quantum) colormap_index[ScaleQuantumToMap(
(gdb) l
3439	        status=MagickFalse;
3440	        continue;
3441	      }
3442	    for (x=0; x < (ssize_t) image->columns; x++)
3443	    {
3444	      SetPixelIndex(image,(Quantum) colormap_index[ScaleQuantumToMap(
3445	        GetPixelIndex(image,q))],q);
3446	      q+=GetPixelChannels(image);
3447	    }
3448	    if (SyncCacheViewAuthenticPixels(image_view,exception) == MagickFalse)
(gdb) call ScaleQuantumToMap(GetPixelIndex(image,q))
$5 = 65535
(gdb)
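A model of the off-by-one that Comment 3 pins down, added here as an example; it is not code from this bug report and not ImageMagick's own code. It assumes a Q16 build in which ScaleQuantumToMap() leaves a 16-bit index value unchanged (consistent with the gdb output above, where index 65535 maps to 65535), an identity ordering of the colormap_index table, and a constructed five-pixel row that stands in for the reporter's poc. The table lookup is bounds-checked instead of executed, so the program only reports where the real loop at quantize.c:3444 would read one element past a table of image->colors entries, and shows that image->colors+1 entries cover that input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stddef.h>

/* Assumption: Q16 build, where a Quantum is 16 bits and MaxMap equals
   QuantumRange (65535), so ScaleQuantumToMap() does not change an index
   value. The gdb session above is consistent with this. */
typedef uint16_t Quantum;

static size_t ScaleQuantumToMap(Quantum quantum)
{
  return (size_t) quantum;
}

/* Outcome of remapping one row of PseudoClass pixel indices through
   colormap_index[] the way the loop at quantize.c:3442-3447 does. */
typedef struct {
  size_t remapped;    /* lookups that fell inside the table */
  size_t overreads;   /* lookups that would read past the table */
  size_t first_bad_x; /* column of the first out-of-bounds lookup */
  size_t bad_index;   /* table index of that lookup */
} RemapResult;

/*
 * Model of SetGrayscaleImage()'s PseudoClass path. table_entries is the
 * element count handed to AcquireQuantumMemory(): image->colors in the
 * code that triggered the report, image->colors + 1 after the fix. The
 * lookup is bounds-checked instead of performed, so this program never
 * reads out of bounds itself; it reports where the real loop would have.
 */
static RemapResult remap_row(size_t colors, size_t table_entries,
  const Quantum *row, size_t columns, Quantum *out)
{
  RemapResult r = {0, 0, 0, 0};
  long *colormap_index;
  size_t i, x;

  colormap_index = calloc(table_entries, sizeof(*colormap_index));
  if (colormap_index == NULL)
    abort();
  /* The real code fills the table from the sorted colormap with some
     permutation of 0..colors-1; the identity is enough for this model. */
  for (i = 0; i < colors && i < table_entries; i++)
    colormap_index[i] = (long) i;

  for (x = 0; x < columns; x++)
    {
      size_t idx = ScaleQuantumToMap(row[x]);

      if (idx >= table_entries)
        {
          /* colormap_index[idx] at this point is the heap over-read. */
          if (r.overreads == 0)
            {
              r.first_bad_x = x;
              r.bad_index = idx;
            }
          r.overreads++;
          out[x] = 0;
          continue;
        }
      out[x] = (Quantum) colormap_index[idx];
      r.remapped++;
    }
  free(colormap_index);
  return r;
}

/* Constructed input, not the reporter's poc: a 65535-color PseudoClass
   image whose row contains the index value 65535 seen in the gdb session. */
#define PocColors 65535u
static const Quantum PocRow[] = {0, 1, 32768, 65534, 65535};
#define PocColumns (sizeof(PocRow) / sizeof(PocRow[0]))

static RemapResult poc_result(size_t table_entries)
{
  Quantum out[PocColumns];

  return remap_row(PocColors, table_entries, PocRow, PocColumns, out);
}

int main(void)
{
  RemapResult before = poc_result(PocColors);     /* image->colors */
  RemapResult after = poc_result(PocColors + 1);  /* image->colors + 1 */

  printf("table of %u entries: %zu over-read(s), first at x=%zu, index %zu\n",
    PocColors, before.overreads, before.first_bad_x, before.bad_index);
  printf("table of %u entries: %zu over-read(s), %zu pixels remapped\n",
    PocColors + 1, after.overreads, after.remapped);
  return 0;
}
```

With a table of image->colors entries the valid indices are 0..colors-1, so the crafted index value 65535 (equal to image->colors) lands one element past the allocation; with image->colors+1 entries every index value a 16-bit Quantum can hold is inside the table. Running the model under valgrind or ASan is pointless by design, since it never performs the bad read; the point is to make the boundary condition explicit.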
Comment 4 Petr Gajdos 2018-06-15 14:20:49 UTC
Next week I will look at other code streams.
Comment 5 Petr Gajdos 2018-06-19 15:42:16 UTC
15/ImageMagick: '+1' needed
12/ImageMagick: code is different and for the test case I get:
$ call ScaleQuantumToMap(*(indexes+x))
$1 = 0
$
considering not affected by this CVE
11/ImageMagick: code is different and code control does not reach SetGrayscaleImage() at all, considering unaffected by this CVE
*/GraphicsMagick: code is different and code control does not reach GrayscalePseudoClassImage() at all, considering unaffected by this CVE
Comment 6 Petr Gajdos 2018-06-19 15:45:16 UTC
Already submitted for 15/ImageMagick.
Comment 10 Swamp Workflow Management 2018-07-23 19:08:40 UTC
SUSE-SU-2018:2043-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1094742,1094745,1095812,1096200,1096203,1098545,1098546
CVE References: CVE-2018-10805,CVE-2018-11624,CVE-2018-11625,CVE-2018-12599,CVE-2018-12600
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.9.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.9.1
Comment 11 Swamp Workflow Management 2018-07-28 14:01:37 UTC
openSUSE-SU-2018:2123-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1094742,1094745,1095812,1096200,1096203,1098545,1098546
CVE References: CVE-2018-10805,CVE-2018-11624,CVE-2018-11625,CVE-2018-12599,CVE-2018-12600
Sources used:
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.6.1
Comment 12 Marcus Meissner 2018-10-05 06:24:46 UTC
released
Comment 13 OBSbugzilla Bot 2021-10-04 16:40:24 UTC
This is an autogenerated message for OBS integration:
This bug (1096200) was mentioned in
https://build.opensuse.org/request/show/923064 Factory / ImageMagick
Comment 14 OBSbugzilla Bot 2021-10-05 10:40:24 UTC
This is an autogenerated message for OBS integration:
This bug (1096200) was mentioned in
https://build.opensuse.org/request/show/923178 Factory / ImageMagick