Bug 1124366 - (CVE-2019-7397) VUL-1: CVE-2019-7397: GraphicsMagick,ImageMagick: Memory leak in the WritePDFImage function in coders/pdf.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/224242/
CVSSv2:NVD:CVE-2019-7397:5.0:(AV:N/AC...
Reported: 2019-02-05 16:48 UTC by Robert Frohl
Modified: 2019-07-10 05:22 UTC (History)
Found By: Security Response Team
Comment 1 Robert Frohl 2019-02-06 10:27:02 UTC
ImageMagick seems to be affected in SLE11, SLE12 and SLE15. In older versions the code has changed a bit.

GraphicsMagick I do not believe is affected. It looks like the memory is released via MagickFreeMemory(). Petr, could you confirm this assumption please?
Comment 2 Petr Gajdos 2019-02-11 15:30:19 UTC
It should be noted that the pdf coder is disabled by default and if enabled, there are significantly wider issues through using ghostscript than an ordinary memory leak.
Comment 3 Petr Gajdos 2019-02-11 15:47:59 UTC
(In reply to Petr Gajdos from comment #2)
> It should be noted that the pdf coder is disabled by default and if enabled,
> there are significantly wider issues through using ghostscript than an
> ordinary memory leak.

Actually, this is in WritePDFImage(), which is not prohibited.
Comment 4 Petr Gajdos 2019-02-11 18:29:43 UTC
I think all versions are affected, even including HG/GraphicsMagick in two places; upstream notified. If I am mistaken, let me know.

Will submit for: 15,12,11/ImageMagick and 11,42.3,15.0/GraphicsMagick.
Comment 5 Petr Gajdos 2019-02-11 18:30:48 UTC
I believe all fixed.
Comment 7 Swamp Workflow Management 2019-02-12 10:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1124366) was mentioned in
https://build.opensuse.org/request/show/673603 15.0 / GraphicsMagick
https://build.opensuse.org/request/show/673604 42.3 / GraphicsMagick
Comment 11 Swamp Workflow Management 2019-02-19 14:15:29 UTC
openSUSE-SU-2019:0214-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1124366
CVE References: CVE-2019-7397
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-126.1
Comment 12 Swamp Workflow Management 2019-02-19 14:16:19 UTC
openSUSE-SU-2019:0215-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1124366
CVE References: CVE-2019-7397
Sources used:
openSUSE Leap 15.0 (src):    GraphicsMagick-1.3.29-lp150.3.21.1
Comment 13 Swamp Workflow Management 2019-02-22 20:09:09 UTC
openSUSE-SU-2019:0235-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1124366
CVE References: CVE-2019-7397
Sources used:
openSUSE Backports SLE-15 (src):    GraphicsMagick-1.3.29-bp150.2.15.1
Comment 15 Swamp Workflow Management 2019-03-26 17:16:28 UTC
SUSE-SU-2019:0739-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106415,1106996,1113064,1120381,1124365,1124366,1124367,1124368,1128649
CVE References: CVE-2018-16412,CVE-2018-18544,CVE-2018-20467,CVE-2019-7175,CVE-2019-7395,CVE-2019-7396,CVE-2019-7397,CVE-2019-7398
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ImageMagick-7.0.7.34-3.49.4
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.49.4
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.49.4

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2019-03-28 02:14:04 UTC
SUSE-SU-2019:13993-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1113064,1120381,1124365,1124366,1128649
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-18544,CVE-2018-20467,CVE-2019-7175,CVE-2019-7397,CVE-2019-7398
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-78.92.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-78.92.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    ImageMagick-6.4.3.6-78.92.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.92.1

Comment 17 Swamp Workflow Management 2019-03-29 17:14:31 UTC
SUSE-SU-2019:13995-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1120381,1124365,1124366,1128649
CVE References: CVE-2018-20467,CVE-2019-7175,CVE-2019-7397,CVE-2019-7398
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-78.85.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-78.85.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-78.85.1

Comment 19 Swamp Workflow Management 2019-04-04 22:28:41 UTC
openSUSE-SU-2019:1141-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106415,1106996,1113064,1120381,1124365,1124366,1124367,1124368,1128649
CVE References: CVE-2018-16412,CVE-2018-18544,CVE-2018-20467,CVE-2019-7175,CVE-2019-7395,CVE-2019-7396,CVE-2019-7397,CVE-2019-7398
Sources used:
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.26.1

Comment 21 Swamp Workflow Management 2019-04-25 16:16:57 UTC
SUSE-SU-2019:1033-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956
Sources used:
SUSE OpenStack Cloud 7 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-LTSS (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.108.1
SUSE Enterprise Storage 4 (src):    ImageMagick-6.8.8.1-71.108.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2019-04-27 01:12:45 UTC
SUSE-SU-2019:1033-2: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ImageMagick-6.8.8.1-71.108.1

Comment 23 Swamp Workflow Management 2019-05-03 19:14:24 UTC
openSUSE-SU-2019:1320-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-82.1
Comment 24 Swamp Workflow Management 2019-05-28 13:30:52 UTC
This is an autogenerated message for OBS integration:
This bug (1124366) was mentioned in
https://build.opensuse.org/request/show/705902 15.1 / GraphicsMagick
Comment 25 Marcus Meissner 2019-07-10 05:22:43 UTC
released