Bug 1140665 - (CVE-2019-13296) VUL-1: CVE-2019-13296: ImageMagick: direct memory leaks in AcquireMagickMemory because of an error in CLIListOperatorImages in MagickWand/operation.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low  Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/236476/
CVSSv3:SUSE:CVE-2019-13296:4.0:(AV:L/...
Reported: 2019-07-08 09:41 UTC by Alexander Bergmann
Modified: 2019-08-28 15:02 UTC (History)

Found By: Security Response Team


Description Alexander Bergmann 2019-07-08 09:41:35 UTC
CVE-2019-13296

ImageMagick 7.0.8-50 Q16 has direct memory leaks in AcquireMagickMemory because
of an error in CLIListOperatorImages in MagickWand/operation.c for a NULL value.

Upstream issue:
https://github.com/ImageMagick/ImageMagick/issues/1604

Upstream fix:
https://github.com/ImageMagick/ImageMagick/commit/ce08a3691a8ac29125e29fc41967b3737fa3f425

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13296
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13296.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13296
Comment 1 Petr Gajdos 2019-07-23 09:41:02 UTC
BEFORE

15/ImageMagick

$ valgrind -q --leak-check=full magick -seed 0 "(" magick:netscape +repage ")" "(" magick:granite +repage ")" -append -fft -compare temp
$

12/ImageMagick

$ valgrind -q --leak-check=full convert -seed 0 "(" magick:netscape +repage ")" "(" magick:granite +repage ")" -append -fft -compare temp 
convert: delegate library support not built-in `netscape' (FFTW) @ warning/fourier.c/ForwardFourierTransformImage/996.
convert: no images defined `temp' @ error/convert.c/ConvertImageCommand/3149.
==9038== 576 bytes in 1 blocks are possibly lost in loss record 31 of 37
==9038==    at 0x4C2B200: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9038==    by 0x4011771: allocate_dtv (in /lib64/ld-2.19.so)
==9038==    by 0x4011E7D: _dl_allocate_tls (in /lib64/ld-2.19.so)
==9038==    by 0x55FCC0D: pthread_create@@GLIBC_2.2.5 (in /lib64/libpthread-2.19.so)
==9038==    by 0x716C16D: ??? (in /usr/lib64/libgomp.so.1.0.0)
==9038==    by 0x4EA8FFB: TransformRGBImage (colorspace.c:2286)
==9038==    by 0x4F4AADA: AppendImages (image.c:523)
==9038==    by 0x538F839: MogrifyImageList (mogrify.c:7534)
==9038==    by 0x5390423: MogrifyImages (mogrify.c:8638)
==9038==    by 0x5319E2E: ConvertImageCommand (convert.c:3141)
==9038==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==9038==    by 0x400846: ConvertMain (convert.c:81)
==9038==    by 0x400846: main (convert.c:92)
==9038== 
==9038== 496,128 (13,232 direct, 482,896 indirect) bytes in 1 blocks are definitely lost in loss record 37 of 37
==9038==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9038==    by 0x4F48298: CloneImage (image.c:809)
==9038==    by 0x4F4A8B5: AppendImages (image.c:493)
==9038==    by 0x538F839: MogrifyImageList (mogrify.c:7534)
==9038==    by 0x5390423: MogrifyImages (mogrify.c:8638)
==9038==    by 0x5319E2E: ConvertImageCommand (convert.c:3141)
==9038==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==9038==    by 0x400846: ConvertMain (convert.c:81)
==9038==    by 0x400846: main (convert.c:92)
==9038==
$

11/ImageMagick

$ valgrind -q --leak-check=full convert -seed 0 "(" magick:netscape +repage ")" "(" magick:granite +repage ")" -append -fft -compare temp
==9074== 
==9074== 2,128 bytes in 7 blocks are possibly lost in loss record 3 of 3
==9074==    at 0x4C23484: calloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==9074==    by 0x4010AEE: _dl_allocate_tls (in /lib64/ld-2.9.so)
==9074==    by 0x6D7974A: pthread_create@@GLIBC_2.2.5 (in /lib64/libpthread-2.9.so)
==9074==    by 0x6B6EF35: (within /usr/lib64/libgomp.so.1.0.0)
==9074==    by 0x4F0E8C1: SetImageBackgroundColor (image.c:662)
==9074==    by 0x4F0F69C: AppendImages (image.c:531)
==9074==    by 0x5300A03: MogrifyImageList (mogrify.c:6492)
==9074==    by 0x5306D10: MogrifyImages (mogrify.c:7336)
==9074==    by 0x52936EA: ConvertImageCommand (convert.c:2700)
==9074==    by 0x400F73: main (convert.c:122)
$

With ASAN:

15/ImageMagick:

$ magick -seed 0 "(" magick:netscape +repage ")" "(" magick:granite +repage ")" -append -fft -compare temp
$
[no issues observed]

12/ImageMagick:

$ convert -seed 0 "(" magick:netscape +repage ")" "(" magick:granite +repage ")" -append -fft -compare temp
convert: delegate library support not built-in `netscape' (FFTW) @ warning/fourier.c/ForwardFourierTransformImage/996.
convert: no images defined `temp' @ error/convert.c/ConvertImageCommand/3149.
$

*/GraphicsMagick

$ gm convert -seed 0 "(" magick:netscape +repage ")" "(" magick:granite +repage ")" -append -fft -compare temp
gm convert: Unrecognized option (-seed).
$

I am not able to get the same backtrace as in the upstream bug; the above backtraces are unrelated, I think.


PATCH

referenced in comment 0
15/ImageMagick: clearly affected
there's no such code in IM6 (there is similar code in mogrify.c, but it is in IM7, too)
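Separating the one loss record that matters from the OpenMP/TLS noise in output like the above is easier with a small parser. The following is an added helper, not part of this bug report, of ImageMagick or of SUSE tooling: it splits `valgrind --leak-check=full` output into loss records, keeps the "definitely lost" ones and names the first frame that carries a source location. The sample log is two records from comment 1, trimmed to a few frames.

```python
import re
from dataclasses import dataclass, field
# Sample input: the two loss records from the 12/ImageMagick run in comment 1, trimmed to a few frames.
SAMPLE_LOG = """\
==9038== 576 bytes in 1 blocks are possibly lost in loss record 31 of 37
==9038==    at 0x4C2B200: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9038==    by 0x716C16D: ??? (in /usr/lib64/libgomp.so.1.0.0)
==9038==    by 0x4EA8FFB: TransformRGBImage (colorspace.c:2286)
==9038== 
==9038== 496,128 (13,232 direct, 482,896 indirect) bytes in 1 blocks are definitely lost in loss record 37 of 37
==9038==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9038==    by 0x4F48298: CloneImage (image.c:809)
"""

# Loss-record header; the "(N direct, M indirect)" part only appears when indirect bytes exist.
HEADER = re.compile(r"^==\d+== (?P<total>[\d,]+)(?: \((?P<direct>[\d,]+) direct, [\d,]+ indirect\))?"
                    r" bytes in [\d,]+ blocks are (?P<kind>definitely|possibly|indirectly) lost")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (?P<func>\S+) \((?P<where>[^)]*)\)")

@dataclass
class LossRecord:
    kind: str      # "definitely", "possibly" or "indirectly"
    total: int     # direct plus indirect bytes
    direct: int    # directly lost bytes, the figure the CVE text calls a "direct memory leak"
    frames: list = field(default_factory=list)  # (function, location), allocator first

    def first_source_frame(self):
        # First frame with a file:line, i.e. the application code that allocated; "(in <lib>)" frames are skipped.
        for func, where in self.frames:
            if not where.startswith("in "):
                return f"{func} ({where})"
        return None

def parse_valgrind_leaks(text):
    num = lambda s: int(s.replace(",", ""))
    records, current = [], None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            total = num(m["total"])
            current = LossRecord(m["kind"], total, num(m["direct"]) if m["direct"] else total)
            records.append(current)
        elif current is not None and (f := FRAME.match(line)):
            current.frames.append((f["func"], f["where"]))
        else:
            current = None   # bare "==PID==" separator or unrelated line ends the record
    return records

def definitely_lost(records):
    return [r for r in records if r.kind == "definitely"]  # "possibly lost" libgomp TLS blocks are noise
```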
Comment 2 Petr Gajdos 2019-07-23 10:08:05 UTC
Will submit for: 15/ImageMagick
Comment 3 Petr Gajdos 2019-07-23 15:00:27 UTC
Packages submitted.

I believe all fixed.
Comment 5 Swamp Workflow Management 2019-08-09 19:13:12 UTC
SUSE-SU-2019:2106-1: An update that fixes 30 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1139884,1139885,1139886,1140100,1140102,1140103,1140104,1140105,1140106,1140110,1140111,1140501,1140513,1140520,1140534,1140538,1140543,1140545,1140547,1140549,1140552,1140554,1140664,1140665,1140666,1140667,1140668,1140669,1140673,1141171
CVE References: CVE-2019-12974,CVE-2019-12975,CVE-2019-12976,CVE-2019-12977,CVE-2019-12978,CVE-2019-12979,CVE-2019-13133,CVE-2019-13134,CVE-2019-13135,CVE-2019-13136,CVE-2019-13137,CVE-2019-13295,CVE-2019-13296,CVE-2019-13297,CVE-2019-13298,CVE-2019-13299,CVE-2019-13300,CVE-2019-13301,CVE-2019-13302,CVE-2019-13303,CVE-2019-13304,CVE-2019-13305,CVE-2019-13306,CVE-2019-13307,CVE-2019-13308,CVE-2019-13309,CVE-2019-13310,CVE-2019-13311,CVE-2019-13391,CVE-2019-13454
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.67.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2019-08-21 13:15:05 UTC
openSUSE-SU-2019:1983-1: An update that fixes 30 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1139884,1139885,1139886,1140100,1140102,1140103,1140104,1140105,1140106,1140110,1140111,1140501,1140513,1140520,1140534,1140538,1140543,1140545,1140547,1140549,1140552,1140554,1140664,1140665,1140666,1140667,1140668,1140669,1140673,1141171
CVE References: CVE-2019-12974,CVE-2019-12975,CVE-2019-12976,CVE-2019-12977,CVE-2019-12978,CVE-2019-12979,CVE-2019-13133,CVE-2019-13134,CVE-2019-13135,CVE-2019-13136,CVE-2019-13137,CVE-2019-13295,CVE-2019-13296,CVE-2019-13297,CVE-2019-13298,CVE-2019-13299,CVE-2019-13300,CVE-2019-13301,CVE-2019-13302,CVE-2019-13303,CVE-2019-13304,CVE-2019-13305,CVE-2019-13306,CVE-2019-13307,CVE-2019-13308,CVE-2019-13309,CVE-2019-13310,CVE-2019-13311,CVE-2019-13391,CVE-2019-13454
Sources used:
openSUSE Leap 15.1 (src):    ImageMagick-7.0.7.34-lp151.7.9.1
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.38.1
Comment 7 Marcus Meissner 2019-08-28 15:02:33 UTC
released