Bugzilla – Bug 1130330
VUL-1: CVE-2019-9956: GraphicsMagick, ImageMagick: stack-based buffer overflow in the function PopHexPixel of coders/ps.c
Last modified: 2022-02-13 10:42:45 UTC
CVE-2019-9956: In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9956
https://github.com/ImageMagick/ImageMagick/issues/1523
Upstream fix: https://github.com/ImageMagick/ImageMagick/commit/34a6a5a45e83a4af852090b4e43f168a380df979
I get the issue for TW/ImageMagick, too:

=================================================================
==30269==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffff4390 at pc 0x7ffff6c3f2c1 bp 0x7fffffff3780 sp 0x7fffffff3778
WRITE of size 1 at 0x7fffffff4390 thread T0
    #0 0x7ffff6c3f2c0 in PopHexPixel coders/ps.c:1184
    #1 0x7ffff6c4418b in WritePSImage coders/ps.c:2232
    #2 0x7ffff66f89fb in WriteImage MagickCore/constitute.c:1159
    #3 0x7ffff66f9756 in WriteImages MagickCore/constitute.c:1376
    #4 0x7ffff612b1f2 in ConvertImageCommand MagickWand/convert.c:3305
    #5 0x7ffff622f732 in MagickCommandGenesis MagickWand/mogrify.c:184
    #6 0x555555556784 in MagickMain utilities/magick.c:149
    #7 0x555555556a18 in main utilities/magick.c:180
    #8 0x7ffff5d97b7a in __libc_start_main (/lib64/libc.so.6+0x26b7a)
    #9 0x555555556219 (/usr/bin/magick+0x2219)

Address 0x7fffffff4390 is located in stack of thread T0 at offset 2752 in frame
    #0 0x7ffff6c3f35a in WritePSImage coders/ps.c:1191

  This frame has 13 object(s):
    [32, 48) 'delta'
    [96, 112) 'resolution'
    [160, 176) 'scale'
    [224, 256) 'geometry'
    [288, 320) 'media_info'
    [352, 384) 'page_info'
    [416, 448) 'bounds'
    [480, 520) 'geometry_info'
    [576, 664) 'pixel'
    [704, 2752) 'pixels' <== Memory access at offset 2752 overflows this variable
    [2784, 6880) 'buffer'
    [6912, 11008) 'date'
    [11040, 15136) 'page_geometry'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow coders/ps.c:1184 in PopHexPixel
Shadow bytes around the buggy address:
  0x10007fff6820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff6830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff6840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff6850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff6860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff6870: 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 00 00 00
  0x10007fff6880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff6890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff68a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff68b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff68c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30269==ABORTING

but I cannot for TW/GraphicsMagick. The write function is not even entered in GraphicsMagick:

$ gm convert stack-buffer-overflow-in-ps out.ps
gm convert: Insufficient image data in file (stack-buffer-overflow-in-ps).
$

However, the code is very similar. I have asked GraphicsMagick upstream for help.
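As an added triage helper (not code from this bug report, from ImageMagick or from GraphicsMagick), the following Python parser pulls the facts a defender needs out of an ASan report like the one quoted above: error kind, access type and size, the backtrace, and the stack object that was overrun together with how far past its end the access landed. The embedded report excerpt is constructed from the trace in this comment.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the ASan report quoted in this bug (backtrace and
# frame layout only); it is sample input for the parser, not a new finding.
ASAN_REPORT = """\
==30269==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffff4390 at pc 0x7ffff6c3f2c1 bp 0x7fffffff3780 sp 0x7fffffff3778
WRITE of size 1 at 0x7fffffff4390 thread T0
    #0 0x7ffff6c3f2c0 in PopHexPixel coders/ps.c:1184
    #1 0x7ffff6c4418b in WritePSImage coders/ps.c:2232
    #2 0x7ffff66f89fb in WriteImage MagickCore/constitute.c:1159
Address 0x7fffffff4390 is located in stack of thread T0 at offset 2752 in frame
    #0 0x7ffff6c3f35a in WritePSImage coders/ps.c:1191
  This frame has 13 object(s):
    [704, 2752) 'pixels' <== Memory access at offset 2752 overflows this variable
    [2784, 6880) 'buffer'
SUMMARY: AddressSanitizer: stack-buffer-overflow coders/ps.c:1184 in PopHexPixel
"""

KIND_RE = re.compile(r"AddressSanitizer: ([\w-]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
FRAME_RE = re.compile(r"#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+?):(\d+)")
OFFSET_RE = re.compile(r"at offset (\d+) in frame")
VICTIM_RE = re.compile(r"\[(\d+), (\d+)\) '([^']+)' <==")

@dataclass
class Triage:
    kind: str                 # e.g. stack-buffer-overflow
    access: str               # READ or WRITE
    size: int                 # bytes accessed
    frames: List[str] = field(default_factory=list)  # "func (file:line)", innermost first
    victim: Optional[str] = None        # overrun stack object, if ASan identified one
    victim_size: Optional[int] = None   # its size in bytes
    overrun_by: Optional[int] = None    # access offset minus object end (0 = first byte past it)

def parse_asan_report(text: str) -> Triage:
    """Extract the facts a triager needs from an ASan stack-buffer-overflow report."""
    access, size = ACCESS_RE.search(text).groups()
    t = Triage(kind=KIND_RE.search(text).group(1), access=access, size=int(size))
    # The access backtrace precedes the "Address ... is located" section.
    trace = text.split("\nAddress ", 1)[0]
    t.frames = [f"{fn} ({f}:{ln})" for fn, f, ln in FRAME_RE.findall(trace)]
    off, vic = OFFSET_RE.search(text), VICTIM_RE.search(text)
    if off and vic:
        start, end, name = int(vic.group(1)), int(vic.group(2)), vic.group(3)
        t.victim, t.victim_size = name, end - start
        t.overrun_by = int(off.group(1)) - end
    return t
```

On the quoted report this yields a 1-byte WRITE in PopHexPixel (coders/ps.c:1184) landing exactly on the first byte past the 2048-byte `pixels` array of WritePSImage, which is what makes it a stack smash rather than an out-of-bounds read.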
There's no valgrind error anywhere.
Package submitted for 15,12,11/ImageMagick. Keeping the bug while waiting for GraphicsMagick upstream response.
SUSE-SU-2019:1019-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1122033,1130330,1131317,1132054,1132060
CVE References: CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-9956
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): ImageMagick-7.0.7.34-3.54.3
SUSE Linux Enterprise Module for Development Tools 15 (src): ImageMagick-7.0.7.34-3.54.3
SUSE Linux Enterprise Module for Desktop Applications 15 (src): ImageMagick-7.0.7.34-3.54.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:1033-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956
Sources used:
SUSE OpenStack Cloud 7 (src): ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Workstation Extension 12-SP4 (src): ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP4 (src): ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP3 (src): ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Server 12-LTSS (src): ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Desktop 12-SP4 (src): ImageMagick-6.8.8.1-71.108.1
SUSE Linux Enterprise Desktop 12-SP3 (src): ImageMagick-6.8.8.1-71.108.1
SUSE Enterprise Storage 4 (src): ImageMagick-6.8.8.1-71.108.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:1033-2: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src): ImageMagick-6.8.8.1-71.108.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:1320-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106989,1106996,1107609,1120381,1122033,1124365,1124366,1124368,1128649,1130330,1131317,1132053,1132054,1132060
CVE References: CVE-2018-16412,CVE-2018-16413,CVE-2018-16644,CVE-2018-20467,CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-11009,CVE-2019-7175,CVE-2019-7395,CVE-2019-7397,CVE-2019-7398,CVE-2019-9956
Sources used:
openSUSE Leap 42.3 (src): ImageMagick-6.8.8.1-82.1

openSUSE-SU-2019:1331-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1122033,1130330,1131317,1132054,1132060
CVE References: CVE-2019-10650,CVE-2019-11007,CVE-2019-11008,CVE-2019-9956
Sources used:
openSUSE Leap 15.0 (src): ImageMagick-7.0.7.34-lp150.2.29.1

SUSE-SU-2019:14043-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1130330,1131317,1132053,1132060,1133204,1133205,1133498,1133501
CVE References: CVE-2019-10650,CVE-2019-11007,CVE-2019-11009,CVE-2019-11470,CVE-2019-11472,CVE-2019-11505,CVE-2019-11506,CVE-2019-9956
Sources used:
SUSE Linux Enterprise Debuginfo 11-SP4 (src): ImageMagick-6.4.3.6-78.97.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
11/GraphicsMagick is not maintained anymore. ps.c should not be used anyway. Let's leave it on GraphicsMagick upstream to fix in any further release, if it is vulnerable at all.