Bug 1140513 – VUL-1: CVE-2019-13311: ImageMagick: memory leaks at AcquireMagickMemory because of a wand/mogrify.c error

Bug 1140513 - (CVE-2019-13311) VUL-1: CVE-2019-13311: ImageMagick: memory leaks at AcquireMagickMemory because of a wand/mogrify.c error

(CVE-2019-13311)
Summary:	VUL-1: CVE-2019-13311: ImageMagick: memory leaks at AcquireMagickMemory becau...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/236491/
Whiteboard:	CVSSv3:SUSE:CVE-2019-13311:3.3:(AV:L/...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-07-05 12:17 UTC by Alexandros Toptsoglou
Modified:	2019-08-28 14:53 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexandros Toptsoglou 2019-07-05 12:17:27 UTC

CVE-2019-13311

ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of a
wand/mogrify.c error.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13311
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13311
https://github.com/ImageMagick/ImageMagick/issues/1623
https://github.com/ImageMagick/ImageMagick/commit/4a334bbf5584de37c6f5a47c380a531c8c4b140a
https://github.com/ImageMagick/ImageMagick6/commit/bb812022d0bc12107db215c981cab0b1ccd73d91

Comment 1 Alexandros Toptsoglou 2019-07-05 12:33:02 UTC

Managed to reproduce it in SLE15 not in SLE12 and SLE11. However, from code review it seems that in partially the commit for imagemagick6 could potentially be applied in SLE 11 and SLE12. What do you think Petr?

Tracked for now SLE15, SLE12 and SLE11 as affected.

To reproduce in SLE15 simply run: valgrind --leak-check=full magick -seed 0 -label "%r%W&%tZRD%r%A" -units PixelsPerCentimeter -caption "%s%m%w" "(" magick:logo +repage ")" "(" magick:granite -shade 13x85 ")" -compress RLE -combine -ift -complex magnitude-phase tmp

OUTPUT:

valgrind --leak-check=full magick -seed 0 -label "%r%W&%tZRD%r%A" -units PixelsPerCentimeter -caption "%s%m%w" "(" magick:logo +repage ")" "(" magick:granite -shade 13x85 ")" -compress RLE -combine -ift -complex magnitude-phase tmp
==10476== Memcheck, a memory error detector
==10476== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==10476== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==10476== Command: magick -seed 0 -label %r%W&%tZRD%r%A -units PixelsPerCentimeter -caption %s%m%w ( magick:logo +repage ) ( magick:granite -shade 13x85 ) -compress RLE -combine -ift -complex magnitude-phase tmp
==10476== 
magick: no images found for operation `-complex' at CLI arg 22 @ error/operation.c/CLIOption/5225.
==10476== 
==10476== HEAP SUMMARY:
==10476==     in use at exit: 3,765,936 bytes in 61 blocks
==10476==   total heap usage: 9,254 allocs, 9,193 frees, 15,659,617 bytes allocated
==10476== 
==10476== 3,746,788 (13,504 direct, 3,733,284 indirect) bytes in 1 blocks are definitely lost in loss record 43 of 43
==10476==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10476==    by 0x4F39C10: CloneImage (in /usr/lib64/libMagickCore-7.Q16HDRI.so.6.0.0)
==10476==    by 0x4E99F5B: CombineImages (in /usr/lib64/libMagickCore-7.Q16HDRI.so.6.0.0)
==10476==    by 0x53D3329: ??? (in /usr/lib64/libMagickWand-7.Q16HDRI.so.6.0.0)
==10476==    by 0x53D4CF7: CLIOption (in /usr/lib64/libMagickWand-7.Q16HDRI.so.6.0.0)
==10476==    by 0x5371534: ProcessCommandOptions (in /usr/lib64/libMagickWand-7.Q16HDRI.so.6.0.0)
==10476==    by 0x5371DFA: MagickImageCommand (in /usr/lib64/libMagickWand-7.Q16HDRI.so.6.0.0)
==10476==    by 0x538DB54: MagickCommandGenesis (in /usr/lib64/libMagickWand-7.Q16HDRI.so.6.0.0)
==10476==    by 0x10937F: MagickMain (magick.c:149)
==10476==    by 0x584CF89: (below main) (in /lib64/libc-2.26.so)
==10476== 
==10476== LEAK SUMMARY:
==10476==    definitely lost: 13,504 bytes in 1 blocks
==10476==    indirectly lost: 3,733,284 bytes in 42 blocks
==10476==      possibly lost: 0 bytes in 0 blocks
==10476==    still reachable: 19,148 bytes in 18 blocks
==10476==         suppressed: 0 bytes in 0 blocks
==10476== Reachable blocks (those to which a pointer was found) are not shown.
==10476== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==10476== 
==10476== For counts of detected and suppressed errors, rerun with: -v
==10476== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Comment 2 Petr Gajdos 2019-07-23 11:45:39 UTC

(In reply to Alexandros Toptsoglou from comment #1)
> Managed to reproduce it in SLE15 not in SLE12 and SLE11. However, from code
> review it seems that in partially the commit for imagemagick6 could
> potentially be applied in SLE 11 and SLE12. What do you think Petr?

Thanks Alexandros for the analysis. Yes, I think so as well.

AFTER

15/ImageMagick

$ valgrind -q --leak-check=full magick -seed 0 -label "%r%W&%tZRD%r%A" -units PixelsPerCentimeter -caption "%s%m%w" "(" magick:logo +repage ")" "(" magick:granite -shade 13x85 ")" -compress RLE -combine -ift -complex magnitude-phase temp
magick: ImageSequenceRequired `-ift' @ error/operation.c/CLIListOperatorImages/4128.
$

Comment 3 Petr Gajdos 2019-07-23 11:46:34 UTC

Will submit for: 15,12,11/ImageMagick

Comment 4 Petr Gajdos 2019-07-23 15:00:28 UTC

Packages submitted.

I believe all fixed.

Comment 6 Swamp Workflow Management 2019-07-29 16:24:02 UTC

SUSE-SU-2019:2010-1: An update that fixes 18 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1139885,1139886,1140100,1140102,1140103,1140106,1140110,1140111,1140501,1140513,1140534,1140538,1140554,1140664,1140666,1140669,1140673,1141171
CVE References: CVE-2019-12974,CVE-2019-12975,CVE-2019-12976,CVE-2019-12978,CVE-2019-12979,CVE-2019-13133,CVE-2019-13134,CVE-2019-13135,CVE-2019-13295,CVE-2019-13297,CVE-2019-13300,CVE-2019-13301,CVE-2019-13307,CVE-2019-13308,CVE-2019-13310,CVE-2019-13311,CVE-2019-13391,CVE-2019-13454
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    ImageMagick-6.8.8.1-71.126.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ImageMagick-6.8.8.1-71.126.1
SUSE Linux Enterprise Server 12-SP4 (src):    ImageMagick-6.8.8.1-71.126.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ImageMagick-6.8.8.1-71.126.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Swamp Workflow Management 2019-08-09 19:11:53 UTC

SUSE-SU-2019:2106-1: An update that fixes 30 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1139884,1139885,1139886,1140100,1140102,1140103,1140104,1140105,1140106,1140110,1140111,1140501,1140513,1140520,1140534,1140538,1140543,1140545,1140547,1140549,1140552,1140554,1140664,1140665,1140666,1140667,1140668,1140669,1140673,1141171
CVE References: CVE-2019-12974,CVE-2019-12975,CVE-2019-12976,CVE-2019-12977,CVE-2019-12978,CVE-2019-12979,CVE-2019-13133,CVE-2019-13134,CVE-2019-13135,CVE-2019-13136,CVE-2019-13137,CVE-2019-13295,CVE-2019-13296,CVE-2019-13297,CVE-2019-13298,CVE-2019-13299,CVE-2019-13300,CVE-2019-13301,CVE-2019-13302,CVE-2019-13303,CVE-2019-13304,CVE-2019-13305,CVE-2019-13306,CVE-2019-13307,CVE-2019-13308,CVE-2019-13309,CVE-2019-13310,CVE-2019-13311,CVE-2019-13391,CVE-2019-13454
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    ImageMagick-7.0.7.34-3.67.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.67.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Swamp Workflow Management 2019-08-21 13:13:45 UTC

openSUSE-SU-2019:1983-1: An update that fixes 30 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1139884,1139885,1139886,1140100,1140102,1140103,1140104,1140105,1140106,1140110,1140111,1140501,1140513,1140520,1140534,1140538,1140543,1140545,1140547,1140549,1140552,1140554,1140664,1140665,1140666,1140667,1140668,1140669,1140673,1141171
CVE References: CVE-2019-12974,CVE-2019-12975,CVE-2019-12976,CVE-2019-12977,CVE-2019-12978,CVE-2019-12979,CVE-2019-13133,CVE-2019-13134,CVE-2019-13135,CVE-2019-13136,CVE-2019-13137,CVE-2019-13295,CVE-2019-13296,CVE-2019-13297,CVE-2019-13298,CVE-2019-13299,CVE-2019-13300,CVE-2019-13301,CVE-2019-13302,CVE-2019-13303,CVE-2019-13304,CVE-2019-13305,CVE-2019-13306,CVE-2019-13307,CVE-2019-13308,CVE-2019-13309,CVE-2019-13310,CVE-2019-13311,CVE-2019-13391,CVE-2019-13454
Sources used:
openSUSE Leap 15.1 (src):    ImageMagick-7.0.7.34-lp151.7.9.1
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.38.1

Comment 9 Marcus Meissner 2019-08-28 14:53:26 UTC

released