Bug 1198700 - (CVE-2022-1114) VUL-0: CVE-2022-1114: ImageMagick: heap-use-after-free in RelinquishDCMInfo of dcm.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/327385/
CVSSv3.1:SUSE:CVE-2022-1114:6.1:(AV:L...
Reported: 2022-04-20 13:21 UTC by Alexander Bergmann
Modified: 2022-08-23 07:13 UTC
Found By: Security Response Team

Description Alexander Bergmann 2022-04-20 13:21:42 UTC
rh#2064538

A heap-use-after-free vulnerability was found in ImageMagick's RelinquishDCMInfo function of dcm.c.

References:
https://github.com/ImageMagick/ImageMagick/issues/4947
https://bugzilla.redhat.com/show_bug.cgi?id=2064538
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1114
Comment 1 Petr Gajdos 2022-04-22 08:41:40 UTC
BEFORE

15sp4,15,12,11/ImageMagick

$ valgrind  -q convert poc /dev/null
convert: insufficient image data in file `poc' @ error/dcm.c/ReadDCMImage/3283.
convert: no images defined `/dev/null' @ error/convert.c/ConvertImageCommand/3275.
$

[could not reproduce]


PATCH

IM7:
https://github.com/ImageMagick/ImageMagick/commit/8043433ba9ce0c550e09f2b3b6a3f5f62d802e6d
IM6:
https://github.com/ImageMagick/ImageMagick6/commit/78f03b619d08d7c2e0fcaccab407e3ac93c2ee8f
(this looks like just variable name sync)

This code is in 15sp4 only:
if (strcmp(explicit_vr,"SQ") == 0)
{
  [..]
}
Considering only this code stream affected.


15sp4/ImageMagick

$ valgrind  -q convert poc /dev/null
convert: insufficient image data in file `poc' @ error/dcm.c/ReadDCMImage/3356.
convert: no images defined `/dev/null' @ error/convert.c/ConvertImageCommand/3322.
$

[no change]
Comment 2 Petr Gajdos 2022-04-22 08:42:01 UTC
Will submit for 15sp4/ImageMagick.
Comment 4 Petr Gajdos 2022-04-22 08:51:15 UTC
(In reply to Petr Gajdos from comment #3)
> (added also https://github.com/ImageMagick/ImageMagick6/commit/85a370c79afeb45a97842b0959366af5236e9023)

Nope, wrong window.
Comment 5 Petr Gajdos 2022-04-22 09:03:14 UTC
https://build.suse.de/request/show/270537

I believe all fixed.
Comment 6 Deshun Wang 2022-06-02 02:37:35 UTC
(In reply to Petr Gajdos from comment #1)
> This code is in 15sp4 only:
> if (strcmp(explicit_vr,"SQ") == 0)
> {
>   [..]
> }
> Considering only this code stream affected.

Does this mean that SPs (SLES 12/15) prior to 15SP4 are not affected by this CVE?