Bug 1140666 – VUL-1: CVE-2019-13297: ImageMagick: heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage

Bug 1140666 - (CVE-2019-13297) VUL-1: CVE-2019-13297: ImageMagick: heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage

(CVE-2019-13297)
Summary:	VUL-1: CVE-2019-13297: ImageMagick: heap-based buffer over-read at MagickCore...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/236477/
Whiteboard:	CVSSv3:SUSE:CVE-2019-13297:5.1:(AV:L/...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-07-08 09:41 UTC by Alexander Bergmann
Modified:	2019-08-28 15:03 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2019-07-08 09:41:38 UTC

CVE-2019-13297

ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at
MagickCore/threshold.c in AdaptiveThresholdImage because a height of zero is
mishandled.

Upstream issue:
https://github.com/ImageMagick/ImageMagick/issues/1609

Upstream fix:
https://github.com/ImageMagick/ImageMagick6/commit/35c7032723d85eee7318ff6c82f031fa2666b773
https://github.com/ImageMagick/ImageMagick/commit/604588fc35c7585abb7a9e71f69bb82e4389fefc

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13297
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13297.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13297

Comment 1 Petr Gajdos 2019-07-22 12:41:24 UTC

BEFORE

15/ImageMagick

$ valgrind -q convert -seed 0 -dispose Background "(" magick:netscape -lat 514x0-41 ")" "(" magick:granite -charcoal 3 -level 0%,125,0.328 ")" -combine -print "" temp
$ 
[no issue observed]

12/ImageMagick

$ valgrind -q convert -seed 0 -dispose Background "(" magick:netscape -lat 514x0-41 ")" "(" magick:granite -charcoal 3 -level 0%,125,0.328 ")" -combine -print "" temp
convert: memory allocation failed `netscape[0]' @ error/cache.c/AcquireCacheNexusPixels/4650.
convert: images are not the same size `netscape' @ error/channel.c/CombineImages/128.
$
[no issue observed]

11/ImageMagick

$ valgrind -q convert -seed 0 -dispose Background "(" magick:netscape -lat 514x0-41 ")" "(" magick:granite -charcoal 3 -level 0%,125,0.328 ")" -combine -print "" temp
==22018== Conditional jump or move depends on uninitialised value(s)
==22018==    at 0x4C25B2C: index (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==22018==    by 0x4F24EC6: ParseMagickOption (option.c:1941)
==22018==    by 0x4F7E40C: ExpandFilenames (utility.c:713)
==22018==    by 0x5292792: ConvertImageCommand (convert.c:523)
==22018==    by 0x400F73: main (convert.c:122)
==22018== 
==22018== Conditional jump or move depends on uninitialised value(s)
==22018==    at 0x4C25B40: index (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==22018==    by 0x4F24EC6: ParseMagickOption (option.c:1941)
==22018==    by 0x4F7E40C: ExpandFilenames (utility.c:713)
==22018==    by 0x5292792: ConvertImageCommand (convert.c:523)
==22018==    by 0x400F73: main (convert.c:122)
==22018== 
==22018== Conditional jump or move depends on uninitialised value(s)
==22018==    at 0x4C25B39: index (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==22018==    by 0x4F24EC6: ParseMagickOption (option.c:1941)
==22018==    by 0x4F7E40C: ExpandFilenames (utility.c:713)
==22018==    by 0x5292792: ConvertImageCommand (convert.c:523)
==22018==    by 0x400F73: main (convert.c:122)
==22018== 
==22018== Conditional jump or move depends on uninitialised value(s)
==22018==    at 0x4C25B2C: index (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==22018==    by 0x4F24FD2: ParseMagickOption (option.c:1941)
==22018==    by 0x4F7E40C: ExpandFilenames (utility.c:713)
==22018==    by 0x5292792: ConvertImageCommand (convert.c:523)
==22018==    by 0x400F73: main (convert.c:122)
==22018== 
==22018== Conditional jump or move depends on uninitialised value(s)
==22018==    at 0x4C25B40: index (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==22018==    by 0x4F24FD2: ParseMagickOption (option.c:1941)
==22018==    by 0x4F7E40C: ExpandFilenames (utility.c:713)
==22018==    by 0x5292792: ConvertImageCommand (convert.c:523)
==22018==    by 0x400F73: main (convert.c:122)
==22018== 
==22018== Conditional jump or move depends on uninitialised value(s)
==22018==    at 0x4C25B39: index (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==22018==    by 0x4F24FD2: ParseMagickOption (option.c:1941)
==22018==    by 0x4F7E40C: ExpandFilenames (utility.c:713)
==22018==    by 0x5292792: ConvertImageCommand (convert.c:523)
==22018==    by 0x400F73: main (convert.c:122)
convert: image smaller than radius `netscape'.
convert: images are not the same size `netscape'.
convert: no encode delegate for this image format `temp'.
$
[unrelated conditional jumps, otherwise nothing]

*/GraphicsMagick

$ gm convert -seed 0 -dispose Background "(" magick:netscape -lat 514x0-41 ")" "(" magick:granite -charcoal 3 -level 0%,125,0.328 ")" -combine -print "" temp
gm convert: Unrecognized option (-seed).
$
[test case not applicable]

PATCH

referenced in comment 0

AFTER

15/ImageMagick

$ valgrind -q convert -seed 0 -dispose Background "(" magick:netscape -lat 514x0-41 ")" "(" magick:granite -charcoal 3 -level 0%,125,0.328 ")" -combine -print "" temp
==4001== Conditional jump or move depends on uninitialised value(s)
==4001==    at 0x4E8749B: AbsolutePixelValue (pixel-accessor.h:457)
==4001==    by 0x4E8749B: IsPixelGray (pixel-accessor.h:525)
==4001==    by 0x4E8749B: IdentifyImageGray (attribute.c:664)
==4001==    by 0x4EA4AEA: SetImageGray (colorspace.c:1234)
==4001==    by 0x4F87CCA: QuantizeImage (quantize.c:2665)
==4001==    by 0x4E88671: SetImageType (attribute.c:1260)
==4001==    by 0x94300CC: WriteGIFImage (gif.c:1612)
==4001==    by 0x4EB8184: WriteImage (constitute.c:1188)
==4001==    by 0x4EB886E: WriteImages (constitute.c:1338)
==4001==    by 0x532911A: ConvertImageCommand (convert.c:3280)
==4001==    by 0x538DB54: MagickCommandGenesis (mogrify.c:183)
==4001==    by 0x10937F: MagickMain (magick.c:149)
==4001==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
[..]
$
[there is lot of conditional jumps depending on uninitialized values in WriteGIFImage() call, unrelated to this CVE I think; not a regression I would say, see also bsc#1140664]

12/ImageMagick

$ valgrind -q convert -seed 0 -dispose Background "(" magick:netscape -lat 514x0-41 ")" "(" magick:granite -charcoal 3 -level 0%,125,0.328 ")" -combine -print "" temp
convert: images are not the same size `netscape' @ error/channel.c/CombineImages/128.
$

11/ImageMagick

$ valgrind -q convert -seed 0 -dispose Background "(" magick:netscape -lat 514x0-41 ")" "(" magick:granite -charcoal 3 -level 0%,125,0.328 ")" -combine -print "" gif:temp
==4112== Conditional jump or move depends on uninitialised value(s)
==4112==    at 0x4C25B2C: index (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==4112==    by 0x4F24EC6: ParseMagickOption (option.c:1941)
==4112==    by 0x4F7E41C: ExpandFilenames (utility.c:713)
==4112==    by 0x5292792: ConvertImageCommand (convert.c:523)
==4112==    by 0x400F73: main (convert.c:122)
==4112== 
==4112== Conditional jump or move depends on uninitialised value(s)
==4112==    at 0x4C25B40: index (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==4112==    by 0x4F24EC6: ParseMagickOption (option.c:1941)
==4112==    by 0x4F7E41C: ExpandFilenames (utility.c:713)
==4112==    by 0x5292792: ConvertImageCommand (convert.c:523)
==4112==    by 0x400F73: main (convert.c:122)
==4112== 
==4112== Conditional jump or move depends on uninitialised value(s)
==4112==    at 0x4C25B39: index (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==4112==    by 0x4F24EC6: ParseMagickOption (option.c:1941)
==4112==    by 0x4F7E41C: ExpandFilenames (utility.c:713)
==4112==    by 0x5292792: ConvertImageCommand (convert.c:523)
==4112==    by 0x400F73: main (convert.c:122)
==4112== 
==4112== Conditional jump or move depends on uninitialised value(s)
==4112==    at 0x4C25B2C: index (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==4112==    by 0x4F24FD2: ParseMagickOption (option.c:1941)
==4112==    by 0x4F7E41C: ExpandFilenames (utility.c:713)
==4112==    by 0x5292792: ConvertImageCommand (convert.c:523)
==4112==    by 0x400F73: main (convert.c:122)
==4112== 
==4112== Conditional jump or move depends on uninitialised value(s)
==4112==    at 0x4C25B40: index (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==4112==    by 0x4F24FD2: ParseMagickOption (option.c:1941)
==4112==    by 0x4F7E41C: ExpandFilenames (utility.c:713)
==4112==    by 0x5292792: ConvertImageCommand (convert.c:523)
==4112==    by 0x400F73: main (convert.c:122)
==4112== 
==4112== Conditional jump or move depends on uninitialised value(s)
==4112==    at 0x4C25B39: index (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==4112==    by 0x4F24FD2: ParseMagickOption (option.c:1941)
==4112==    by 0x4F7E41C: ExpandFilenames (utility.c:713)
==4112==    by 0x5292792: ConvertImageCommand (convert.c:523)
==4112==    by 0x400F73: main (convert.c:122)
convert: image smaller than radius `netscape'.
convert: images are not the same size `netscape'.
$
[no change]

Comment 2 Petr Gajdos 2019-07-22 12:41:59 UTC

Will submit for 15,12,11/ImageMagick.

Comment 3 Petr Gajdos 2019-07-23 15:00:27 UTC

Packages submitted.

I believe all fixed.

Comment 5 Swamp Workflow Management 2019-07-29 16:24:35 UTC

SUSE-SU-2019:2010-1: An update that fixes 18 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1139885,1139886,1140100,1140102,1140103,1140106,1140110,1140111,1140501,1140513,1140534,1140538,1140554,1140664,1140666,1140669,1140673,1141171
CVE References: CVE-2019-12974,CVE-2019-12975,CVE-2019-12976,CVE-2019-12978,CVE-2019-12979,CVE-2019-13133,CVE-2019-13134,CVE-2019-13135,CVE-2019-13295,CVE-2019-13297,CVE-2019-13300,CVE-2019-13301,CVE-2019-13307,CVE-2019-13308,CVE-2019-13310,CVE-2019-13311,CVE-2019-13391,CVE-2019-13454
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    ImageMagick-6.8.8.1-71.126.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ImageMagick-6.8.8.1-71.126.1
SUSE Linux Enterprise Server 12-SP4 (src):    ImageMagick-6.8.8.1-71.126.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ImageMagick-6.8.8.1-71.126.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 6 Swamp Workflow Management 2019-08-09 19:13:19 UTC

SUSE-SU-2019:2106-1: An update that fixes 30 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1139884,1139885,1139886,1140100,1140102,1140103,1140104,1140105,1140106,1140110,1140111,1140501,1140513,1140520,1140534,1140538,1140543,1140545,1140547,1140549,1140552,1140554,1140664,1140665,1140666,1140667,1140668,1140669,1140673,1141171
CVE References: CVE-2019-12974,CVE-2019-12975,CVE-2019-12976,CVE-2019-12977,CVE-2019-12978,CVE-2019-12979,CVE-2019-13133,CVE-2019-13134,CVE-2019-13135,CVE-2019-13136,CVE-2019-13137,CVE-2019-13295,CVE-2019-13296,CVE-2019-13297,CVE-2019-13298,CVE-2019-13299,CVE-2019-13300,CVE-2019-13301,CVE-2019-13302,CVE-2019-13303,CVE-2019-13304,CVE-2019-13305,CVE-2019-13306,CVE-2019-13307,CVE-2019-13308,CVE-2019-13309,CVE-2019-13310,CVE-2019-13311,CVE-2019-13391,CVE-2019-13454
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.67.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Swamp Workflow Management 2019-08-21 13:15:12 UTC

openSUSE-SU-2019:1983-1: An update that fixes 30 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1139884,1139885,1139886,1140100,1140102,1140103,1140104,1140105,1140106,1140110,1140111,1140501,1140513,1140520,1140534,1140538,1140543,1140545,1140547,1140549,1140552,1140554,1140664,1140665,1140666,1140667,1140668,1140669,1140673,1141171
CVE References: CVE-2019-12974,CVE-2019-12975,CVE-2019-12976,CVE-2019-12977,CVE-2019-12978,CVE-2019-12979,CVE-2019-13133,CVE-2019-13134,CVE-2019-13135,CVE-2019-13136,CVE-2019-13137,CVE-2019-13295,CVE-2019-13296,CVE-2019-13297,CVE-2019-13298,CVE-2019-13299,CVE-2019-13300,CVE-2019-13301,CVE-2019-13302,CVE-2019-13303,CVE-2019-13304,CVE-2019-13305,CVE-2019-13306,CVE-2019-13307,CVE-2019-13308,CVE-2019-13309,CVE-2019-13310,CVE-2019-13311,CVE-2019-13391,CVE-2019-13454
Sources used:
openSUSE Leap 15.1 (src):    ImageMagick-7.0.7.34-lp151.7.9.1
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.38.1

Comment 8 Marcus Meissner 2019-08-28 15:03:01 UTC

released