Bug 1160426 - (CVE-2019-19952) VUL-1: CVE-2019-19952: ImageMagick: use-after-free in the function MngInfoDiscardObject of coders/png.c
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Petr Gajdos
https://smash.suse.de/issue/249758/
Reported: 2020-01-08 10:04 UTC by Alexandros Toptsoglou
Modified: 2020-01-08 12:41 UTC (History)
Found By: Security Response Team
Description Alexandros Toptsoglou 2020-01-08 10:04:43 UTC
CVE-2019-19952

In ImageMagick 7.0.9-7 Q16, there is a use-after-free in the function
MngInfoDiscardObject of coders/png.c, related to ReadOneMNGImage.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19952
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19952.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19952
https://github.com/ImageMagick/ImageMagick/issues/1791
Comment 1 Petr Gajdos 2020-01-08 11:21:59 UTC
Have you also come to the conclusion that we are not affected by this CVE? The free does not happen at all.
Comment 3 Alexandros Toptsoglou 2020-01-08 12:33:24 UTC
(In reply to Petr Gajdos from comment #2)
> https://github.com/ImageMagick/ImageMagick/commit/963e99fea57eb33944bd925d637957c8d430577b#diff-06e0c72bb0a365a2fa4145b89e0a750a
> 
> This was between 7.0.8-60 and 7.0.8-61.

I tend to agree. First, the PoC is not working, and second, the problematic commit for ImageMagick 7 is [0] while for ImageMagick 6 it is [1].

Based on these, for version 7 only 7.0.8-61 and above are affected, while for version 6 only 6.9.10-77 and on are affected.

Thus none of our codestreams are affected. TW is already in a fixed version. 

[0] https://github.com/ImageMagick/ImageMagick/commit/963e99fea57eb33944bd925d637957c8d430577b#diff-06e0c72bb0a365a2fa4145b89e0a750a
[1] https://github.com/ImageMagick/ImageMagick6/commit/524933c56b8b9723432cd5081e4c8e53ec80024a
Comment 4 Petr Gajdos 2020-01-08 12:41:48 UTC
Thanks!