Bugzilla – Bug 1198351
VUL-0: CVE-2022-1270: ImageMagick, GraphicsMagick: Heap buffer overflow when parsing MIFF
Last modified: 2022-05-31 10:17:24 UTC
rh#2073097

In GraphicsMagick, a heap buffer overflow was found when parsing MIFF.

References:
https://sourceforge.net/p/graphicsmagick/bugs/664/
https://bugzilla.redhat.com/show_bug.cgi?id=2073097
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1270
Created attachment 858071 [details]
QA Reproducer

Commands:

- for SUSE:SLE-12:Update/ImageMagick 6.8.8
  $ identify example.miff

- for openSUSE:Factory/GraphicsMagick 1.3.37
  $ gm identify example.miff
GraphicsMagick:

There is a patch for GraphicsMagick 1.4 snapshot-20220326

Patch:
hg clone http://hg.code.sf.net/p/graphicsmagick/code GM
hg log -p -r 16689:94f4bcf448ad

ImageMagick:

Reproduced with SUSE:SLE-12:Update/ImageMagick 6.8.8:

$ valgrind identify example.miff
[...]
==5600== Invalid write of size 1
==5600==    at 0x4C2EFF3: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5600==    by 0x4E8CD81: ReadBlob (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x845A55F: ??? (in /usr/lib64/ImageMagick-6.8.8/modules-Q16/coders/miff.so)
==5600==    by 0x4EC2FAA: ReadImage (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x4FDA4F8: ReadStream (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x4EC2AF0: PingImage (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x4EC2D2A: PingImages (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x536154B: IdentifyImageCommand (in /usr/lib64/libMagickWand-6.Q16.so.1.0.0)
==5600==    by 0x538ECB2: MagickCommandGenesis (in /usr/lib64/libMagickWand-6.Q16.so.1.0.0)
==5600==    by 0x400891: IdentifyMain (identify.c:80)
==5600==    by 0x400891: main (identify.c:93)
==5600==  Address 0x80e49c4 is 0 bytes after a block of size 660 alloc'd
==5600==    at 0x4C2A2AF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5600==    by 0x84593BE: ??? (in /usr/lib64/ImageMagick-6.8.8/modules-Q16/coders/miff.so)
==5600==    by 0x4EC2FAA: ReadImage (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x4FDA4F8: ReadStream (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x4EC2AF0: PingImage (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x4EC2D2A: PingImages (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x536154B: IdentifyImageCommand (in /usr/lib64/libMagickWand-6.Q16.so.1.0.0)
==5600==    by 0x538ECB2: MagickCommandGenesis (in /usr/lib64/libMagickWand-6.Q16.so.1.0.0)
==5600==    by 0x400891: IdentifyMain (identify.c:80)
==5600==    by 0x400891: main (identify.c:93)
[...]
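Memcheck reports like the one above are what a fuzzing campaign against image coders produces in bulk, and the fields a triager reads off them are always the same: access kind and size, distance from the allocated block, and the first frame that sits inside a coder module. The helper below is an added example, not part of this bug report nor of the ImageMagick or GraphicsMagick code, that parses such a report into those fields and gives a first-pass verdict. The sample input is a constructed, abbreviated copy of the trace above; the `coders/` module hint is an assumption about how the ImageMagick module path looks and would need adjusting for other projects.

```python
"""Triage helper for valgrind memcheck output (added example, not project code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abbreviated copy of the memcheck report in the bug.
SAMPLE = """\
==5600== Invalid write of size 1
==5600==    at 0x4C2EFF3: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5600==    by 0x4E8CD81: ReadBlob (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x845A55F: ??? (in /usr/lib64/ImageMagick-6.8.8/modules-Q16/coders/miff.so)
==5600==    by 0x4EC2FAA: ReadImage (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==  Address 0x80e49c4 is 0 bytes after a block of size 660 alloc'd
==5600==    at 0x4C2A2AF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5600==    by 0x84593BE: ??? (in /usr/lib64/ImageMagick-6.8.8/modules-Q16/coders/miff.so)
==5600==    by 0x4EC2FAA: ReadImage (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
"""

# Memcheck line shapes: the error header, a stack frame, and the "Address ..." line
# that separates the access stack from the allocation/free stack.
ERROR_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
ADDR_RE = re.compile(
    r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d+) bytes (after|before|inside) "
    r"a block of size (\d+) (alloc'd|free'd)$"
)


@dataclass
class Frame:
    function: str   # symbol name, or "???" when valgrind could not resolve it
    location: str   # shared object path or "file.c:line"


@dataclass
class MemcheckError:
    kind: str                     # "read" or "write"
    size: int                     # bytes accessed
    access_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)
    offset: Optional[int] = None       # distance from the block boundary
    relation: Optional[str] = None     # after / before / inside
    block_size: Optional[int] = None
    block_state: Optional[str] = None  # alloc'd or free'd

    def culprit(self, module_hint: str = "coders/") -> Optional[Frame]:
        """First frame of the faulting access that lives in a coder module (assumed path layout)."""
        for frame in self.access_stack:
            if module_hint in frame.location:
                return frame
        return None

    def verdict(self) -> str:
        """Coarse classification from the block state and where the access landed."""
        if self.block_state == "free'd":
            return f"use-after-free ({self.kind})"
        if self.block_state == "alloc'd" and self.relation in ("after", "before"):
            return f"heap-buffer-overflow ({self.kind})"
        return "unclassified"


def parse_memcheck(text: str) -> List[MemcheckError]:
    """Parse memcheck stderr into structured invalid read/write records."""
    errors: List[MemcheckError] = []
    current: Optional[MemcheckError] = None
    in_alloc_stack = False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ERROR_RE.match(line)
        if m:
            current = MemcheckError(kind=m.group(1), size=int(m.group(2)))
            errors.append(current)
            in_alloc_stack = False
            continue
        if current is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            current.offset, current.relation = int(m.group(1)), m.group(2)
            current.block_size, current.block_state = int(m.group(3)), m.group(4)
            in_alloc_stack = True   # frames that follow describe the allocation
            continue
        m = FRAME_RE.match(line)
        if m:
            loc = m.group(2)
            frame = Frame(m.group(1), loc[3:] if loc.startswith("in ") else loc)
            (current.alloc_stack if in_alloc_stack else current.access_stack).append(frame)
        # Other lines ("[...]", blank separators, summary) are ignored.
    return errors


if __name__ == "__main__":
    for err in parse_memcheck(SAMPLE):
        where = err.culprit()
        print(err.verdict(), err.size, "byte(s)", err.offset, "bytes", err.relation,
              "block of", err.block_size, "via", where.location if where else "?")
```

Running the script on the sample yields a write overflow of one byte, zero bytes past a 660-byte block, attributed to coders/miff.so, which is exactly the reading the triage above relied on. The same parser can be pointed at the stderr of a batch of `valgrind identify <file>` runs to sort crashes into overflow versus use-after-free before anyone looks at them by hand.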
Affected:
- openSUSE:Factory/GraphicsMagick 1.3.37
- SUSE:SLE-12:Update/ImageMagick 6.8.8

Unsure if affected or not:
- SUSE:SLE-11:Update/ImageMagick 6.4.3

Not Affected:
- SUSE:SLE-15:Update/ImageMagick 7.0.7
- SUSE:SLE-15-SP2:Update/ImageMagick 7.0.7
- SUSE:SLE-15-SP4:Update/ImageMagick 7.1.0
- openSUSE:Factory/ImageMagick 7.1.0
BEFORE

GraphicsMagick 1.3.37, 15sp3/GraphicsMagick
:/198351 # gm identify example.miff
gm identify: abort due to signal 11 (SIGSEGV) "Segmentation Fault"...
Aborted (core dumped)
:/198351 #

11/GraphicsMagick
$ valgrind -q gm identify 198351
gm identify: Unexpected end-of-file (/tmp/gmqkwKQ2).
$

devel,15/ImageMagick
$ valgrind -q identify example.miff
identify: unable to read image data `example.miff' @ error/miff.c/ReadMIFFImage/1469.
$
[ considering unaffected based on the testcase and code ]

12/ImageMagick
:/198351 # identify example.miff
*** Error in `identify': free(): invalid pointer: 0x00000000007550c0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x74c99)[0x7f308c6ffc99]
/lib64/libc.so.6(+0x7a566)[0x7f308c705566]
/usr/lib64/libMagickCore-6.Q16.so.1(RelinquishMagickMemory+0xf)[0x7f308d09cd4f]
/usr/lib64/ImageMagick-6.8.8/modules-Q16/coders/miff.so(+0x4fda)[0x7f308a027fda]
/usr/lib64/libMagickCore-6.Q16.so.1(ReadImage+0x1ab)[0x7f308cffcfab]
/usr/lib64/libMagickCore-6.Q16.so.1(ReadStream+0x119)[0x7f308d1144a9]
/usr/lib64/libMagickCore-6.Q16.so.1(PingImage+0x61)[0x7f308cffcaf1]
/usr/lib64/libMagickCore-6.Q16.so.1(PingImages+0x15b)[0x7f308cffcd2b]
/usr/lib64/libMagickWand-6.Q16.so.1(IdentifyImageCommand+0x67c)[0x7f308ccd554c]
/usr/lib64/libMagickWand-6.Q16.so.1(MagickCommandGenesis+0x6d3)[0x7f308cd02cb3]
identify[0x400892]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f308c6accb5]
identify[0x4008fa]
======= Memory map: ========
[...]
:/198351 #
[ considering affected based on testcase, even if a little bit different issue, probably ]

11/ImageMagick
beth:/198351 # identify example.miff
identify: Improper image header `example.miff'.
beth:/198351 #
[not affected based on testcase]

PATCH
http://hg.code.sf.net/p/graphicsmagick/code/rev/94f4bcf448ad

11/GraphicsMagick: the code is partly there
11/ImageMagick: code not found, not reproducible, considering unaffected
12/ImageMagick: the testcase crashes, however it seems to be a bit different problem

AFTER

GraphicsMagick 1.3.38, 15sp3/GraphicsMagick
:/198351 # gm identify example.miff
gm identify: Unable to uncompress image (example.miff).
gm identify: Request did not return an image.
:/198351 #

12/ImageMagick
:/198351 # identify example.miff
identify: improper image header `example.miff' @ error/miff.c/ReadMIFFImage/1425.
:/198351 #
Submitted for: TW,15sp3,11/GraphicsMagick, 12/ImageMagick.
I believe all fixed.
SUSE-SU-2022:1274-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1198351
CVE References: CVE-2022-1270
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): GraphicsMagick-1.3.35-150300.3.3.1
openSUSE Leap 15.3 (src): GraphicsMagick-1.3.35-150300.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done.
Used https://github.com/ImageMagick/ImageMagick6/commit/9d328305c72648a6d0ff690ac6c4f9150644a4cd for fixing the testcase. Resubmitted for 12/ImageMagick.
SUSE-SU-2022:1885-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1198351,1199350
CVE References: CVE-2022-1270,CVE-2022-28463
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): ImageMagick-6.8.8.1-71.172.1
SUSE OpenStack Cloud Crowbar 8 (src): ImageMagick-6.8.8.1-71.172.1
SUSE OpenStack Cloud 9 (src): ImageMagick-6.8.8.1-71.172.1
SUSE OpenStack Cloud 8 (src): ImageMagick-6.8.8.1-71.172.1
SUSE Linux Enterprise Workstation Extension 12-SP5 (src): ImageMagick-6.8.8.1-71.172.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): ImageMagick-6.8.8.1-71.172.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): ImageMagick-6.8.8.1-71.172.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): ImageMagick-6.8.8.1-71.172.1
SUSE Linux Enterprise Server 12-SP5 (src): ImageMagick-6.8.8.1-71.172.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): ImageMagick-6.8.8.1-71.172.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): ImageMagick-6.8.8.1-71.172.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): ImageMagick-6.8.8.1-71.172.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): ImageMagick-6.8.8.1-71.172.1
HPE Helion Openstack 8 (src): ImageMagick-6.8.8.1-71.172.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.