Bug 1131439 - (CVE-2019-10714) VUL-1: CVE-2019-10714: GraphicsMagick,ImageMagick: An out-of-bounds access exists in function LocaleLowercase in MagickCore/locale.c leads to SIGSEGV
(CVE-2019-10714)
VUL-1: CVE-2019-10714: GraphicsMagick,ImageMagick: An out-of-bounds access e...
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P5 - None : Normal
: ---
Assigned To: Petr Gajdos
Security Team bot
https://smash.suse.de/issue/228694/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-04-03 14:43 UTC by Alexandros Toptsoglou
Modified: 2019-04-03 17:29 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Alexandros Toptsoglou 2019-04-03 17:29:49 UTC
Failed to reproduce the issue in all the codestreams. 
After investigation it seems that the vulnerable function introduced when upstream tried to fix [1]. The fix of [1] introduced in 7.0.8-25 and backported to version 6.9.10-25. 
The versions that fix this CVE are 7.0.8.34 and  6.9.0-36

Regarding our codestreams, none seems affected. Tested with valgrind the POC [2] and did not work. 
Regarding openSUSE LEAP codestreams are not affected while TW ships an already fixed version. 


[1] https://github.com/ImageMagick/ImageMagick/issues/1455
[2] https://github.com/Dk0n9/MyFuzzy/blob/master/oob_LocaleLowercase_crash