Bug 1140668 - (CVE-2019-13299) VUL-1: CVE-2019-13299: ImageMagick: heap-based buffer over-read at MagickCore/pixel-accessor.h in GetPixelChannel
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/236479/
CVSSv3:SUSE:CVE-2019-13299:5.1:(AV:L/...
Reported: 2019-07-08 09:41 UTC by Alexander Bergmann
Modified: 2019-08-28 15:05 UTC
Found By: Security Response Team
Comment 1 Petr Gajdos 2019-07-22 14:48:57 UTC
BEFORE

15/ImageMagick

$ valgrind -q convert -seed 0 "(" magick:netscape -monochrome ")" "(" magick:netscape +repage ")" -geometry 433%-80-57 -adjoin -evaluate-sequence Median temp
==7464== Invalid read of size 4
==7464==    at 0x4FCC19A: EvaluateImages (statistic.c:592)
==7464==    by 0x5395980: MogrifyImageList (mogrify.c:8491)
==7464==    by 0x5396EE8: MogrifyImages (mogrify.c:8920)
==7464==    by 0x5329004: ConvertImageCommand (convert.c:3267)
==7464==    by 0x538DB54: MagickCommandGenesis (mogrify.c:183)
==7464==    by 0x10937F: MagickMain (magick.c:149)
==7464==    by 0x584CF49: (below main) (in /lib64/libc-2.26.so)
==7464==  Address 0x91d7c00 is 0 bytes after a block of size 248,832 alloc'd
==7464==    at 0x4C30386: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==7464==    by 0x4C304A1: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==7464==    by 0x4F4F424: AcquireAlignedMemory (memory.c:266)
==7464==    by 0x4E9591D: OpenPixelCache (cache.c:3744)
==7464==    by 0x4E75BFD: GetImagePixelCache (cache.c:1761)
==7464==    by 0x4E97E3A: SyncImagePixelCache (cache.c:5505)
==7464==    by 0x4F85D12: AssignImageColors (quantize.c:512)
==7464==    by 0x4F87CA2: QuantizeImage (quantize.c:2714)
==7464==    by 0x4E88671: SetImageType (attribute.c:1260)
==7464==    by 0x5393D25: MogrifyImage (mogrify.c:2207)
==7464==    by 0x5396EA0: MogrifyImages (mogrify.c:8901)
==7464==    by 0x53278B6: ConvertImageCommand (convert.c:620)
==7464==
$

12/ImageMagick

$ valgrind -q convert -seed 0 "(" magick:netscape -monochrome ")" "(" magick:netscape +repage ")" -geometry 433%-80-57 -adjoin -evaluate-sequence Median temp
$
[no issues observed]

11/ImageMagick

$ convert -seed 0 "(" magick:netscape -monochrome ")" "(" magick:netscape +repage ")" -geometry 433%-80-57 -adjoin -evaluate-sequence Median temp
convert: unrecognized option `-evaluate-sequence'.
$
[testcase not applicable]


PATCH

https://github.com/ImageMagick/ImageMagick/commit/8187d2d8fd010d2d6b1a3a8edd935beec404dddc
https://github.com/ImageMagick/ImageMagick/commit/933bf025119f0de25ee589b706c09c8bb46d5a48
https://github.com/ImageMagick/ImageMagick/commit/d4fc44b58a14f76b1ac997517d742ee12c9dc5d3

d4fc44b fixes the unrelated issue #1611 but, incidentally, also reverts 8187d2d, so I consider 933bf02 to be the proper fix for this CVE.

IM7-only


AFTER

15/ImageMagick

$ valgrind -q convert -seed 0 "(" magick:netscape -monochrome ")" "(" magick:netscape +repage ")" -geometry 433%-80-57 -adjoin -evaluate-sequence Median temp
$
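
A triage helper for memcheck reports like the BEFORE run in Comment 1, added here as an example (it is not part of the bug report or of ImageMagick). The function names are hypothetical, and the sample log is an abridged copy of the report above.

```python
import re

# Constructed sample: abridged copy of the memcheck report in Comment 1.
SAMPLE = """\
==7464== Invalid read of size 4
==7464==    at 0x4FCC19A: EvaluateImages (statistic.c:592)
==7464==  Address 0x91d7c00 is 0 bytes after a block of size 248,832 alloc'd
==7464==    at 0x4C30386: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==7464==    by 0x4F4F424: AcquireAlignedMemory (memory.c:266)
==7464==    by 0x4E9591D: OpenPixelCache (cache.c:3744)
==7464==
"""

HEAD = re.compile(r"Invalid (read|write) of size (\d+)")
ADDR = re.compile(r"Address 0x[0-9A-Fa-f]+ is ([\d,]+) bytes (after|before|inside) "
                  r"a block of size ([\d,]+) (alloc'd|free'd)")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((?:in )?([^)]*)\)")

def parse_memcheck(text):
    """Return one dict per 'Invalid read/write' record in valgrind output."""
    findings, cur, section = [], None, None
    for raw in text.splitlines():
        line = re.sub(r"^==\d+==\s?", "", raw).strip()  # drop the ==PID== prefix
        if m := HEAD.search(line):
            cur = {"op": m[1], "size": int(m[2]), "access": [], "block": []}
            findings.append(cur)
            section = "access"        # frames that follow: the faulting access
        elif cur and (m := ADDR.search(line)):
            cur.update(offset=int(m[1].replace(",", "")), where=m[2],
                       block_size=int(m[3].replace(",", "")), state=m[4])
            section = "block"         # frames that follow: where the block came from
        elif cur and (m := FRAME.search(line)):
            cur[section].append((m[1], m[2]))
        elif not line:                # a bare ==PID== line ends the record
            cur = None
    return findings

def classify(f):
    """Name the bug class from the block state and the access position."""
    if f.get("state") == "free'd":
        return "use-after-free"
    kind = {"after": "over", "before": "under"}.get(f.get("where"))
    return f"heap {kind}-{f['op']}" if kind else f"invalid {f['op']}"

def first_app_frame(frames):
    for func, loc in frames:          # skip valgrind's allocator shims
        if "vgpreload" not in loc:
            return func, loc
    return None
```

The empty `valgrind -q` output of the AFTER run parses to an empty list, which makes the before/after comparison scriptable in a package regression test.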

Comment 2 Petr Gajdos 2019-07-22 14:50:47 UTC
Will submit for: 15/ImageMagick

Comment 3 Petr Gajdos 2019-07-23 15:00:26 UTC
Packages submitted.

I believe all fixed.

Comment 5 Swamp Workflow Management 2019-08-09 19:13:33 UTC
SUSE-SU-2019:2106-1: An update that fixes 30 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1139884,1139885,1139886,1140100,1140102,1140103,1140104,1140105,1140106,1140110,1140111,1140501,1140513,1140520,1140534,1140538,1140543,1140545,1140547,1140549,1140552,1140554,1140664,1140665,1140666,1140667,1140668,1140669,1140673,1141171
CVE References: CVE-2019-12974,CVE-2019-12975,CVE-2019-12976,CVE-2019-12977,CVE-2019-12978,CVE-2019-12979,CVE-2019-13133,CVE-2019-13134,CVE-2019-13135,CVE-2019-13136,CVE-2019-13137,CVE-2019-13295,CVE-2019-13296,CVE-2019-13297,CVE-2019-13298,CVE-2019-13299,CVE-2019-13300,CVE-2019-13301,CVE-2019-13302,CVE-2019-13303,CVE-2019-13304,CVE-2019-13305,CVE-2019-13306,CVE-2019-13307,CVE-2019-13308,CVE-2019-13309,CVE-2019-13310,CVE-2019-13311,CVE-2019-13391,CVE-2019-13454
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.67.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 6 Swamp Workflow Management 2019-08-21 13:15:28 UTC
openSUSE-SU-2019:1983-1: An update that fixes 30 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1139884,1139885,1139886,1140100,1140102,1140103,1140104,1140105,1140106,1140110,1140111,1140501,1140513,1140520,1140534,1140538,1140543,1140545,1140547,1140549,1140552,1140554,1140664,1140665,1140666,1140667,1140668,1140669,1140673,1141171
CVE References: CVE-2019-12974,CVE-2019-12975,CVE-2019-12976,CVE-2019-12977,CVE-2019-12978,CVE-2019-12979,CVE-2019-13133,CVE-2019-13134,CVE-2019-13135,CVE-2019-13136,CVE-2019-13137,CVE-2019-13295,CVE-2019-13296,CVE-2019-13297,CVE-2019-13298,CVE-2019-13299,CVE-2019-13300,CVE-2019-13301,CVE-2019-13302,CVE-2019-13303,CVE-2019-13304,CVE-2019-13305,CVE-2019-13306,CVE-2019-13307,CVE-2019-13308,CVE-2019-13309,CVE-2019-13310,CVE-2019-13311,CVE-2019-13391,CVE-2019-13454
Sources used:
openSUSE Leap 15.1 (src):    ImageMagick-7.0.7.34-lp151.7.9.1
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.38.1

Comment 7 Marcus Meissner 2019-08-28 15:05:22 UTC
released