Bug 1198351 - (CVE-2022-1270) VUL-0: CVE-2022-1270: ImageMagick, GraphicsMagick: Heap buffer overflow when parsing MIFF
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium   Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/328355/
CVSSv3.1:SUSE:CVE-2022-1270:7.3:(AV:L...
Depends on:
Blocks:
Reported: 2022-04-11 15:19 UTC by Hu
Modified: 2022-05-31 10:17 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
QA Reproducer (6.89 KB, application/octet-stream)
2022-04-12 11:14 UTC, Hu

Description Hu 2022-04-11 15:19:26 UTC
rh#2073097

In GraphicsMagick, a heap buffer overflow was found when parsing MIFF. 

References:

https://sourceforge.net/p/graphicsmagick/bugs/664/
https://bugzilla.redhat.com/show_bug.cgi?id=2073097
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1270
Comment 1 Hu 2022-04-12 11:14:20 UTC
Created attachment 858071 [details]
QA Reproducer

Commands:

- for SUSE:SLE-12:Update/ImageMagick        6.8.8
$ identify example.miff

- for openSUSE:Factory/GraphicsMagick       1.3.37
$ gm identify example.miff
Comment 3 Hu 2022-04-12 11:25:56 UTC
GraphicsMagick:

There is a patch for GraphicsMagick 1.4 snapshot-20220326
Patch:
hg clone http://hg.code.sf.net/p/graphicsmagick/code GM
hg log -p -r 16689:94f4bcf448ad


ImageMagick:

Reproduced with SUSE:SLE-12:Update/ImageMagick 6.8.8:

$ valgrind identify example.miff 
[...]
==5600== Invalid write of size 1
==5600==    at 0x4C2EFF3: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5600==    by 0x4E8CD81: ReadBlob (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x845A55F: ??? (in /usr/lib64/ImageMagick-6.8.8/modules-Q16/coders/miff.so)
==5600==    by 0x4EC2FAA: ReadImage (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x4FDA4F8: ReadStream (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x4EC2AF0: PingImage (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x4EC2D2A: PingImages (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x536154B: IdentifyImageCommand (in /usr/lib64/libMagickWand-6.Q16.so.1.0.0)
==5600==    by 0x538ECB2: MagickCommandGenesis (in /usr/lib64/libMagickWand-6.Q16.so.1.0.0)
==5600==    by 0x400891: IdentifyMain (identify.c:80)
==5600==    by 0x400891: main (identify.c:93)
==5600==  Address 0x80e49c4 is 0 bytes after a block of size 660 alloc'd
==5600==    at 0x4C2A2AF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5600==    by 0x84593BE: ??? (in /usr/lib64/ImageMagick-6.8.8/modules-Q16/coders/miff.so)
==5600==    by 0x4EC2FAA: ReadImage (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x4FDA4F8: ReadStream (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x4EC2AF0: PingImage (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x4EC2D2A: PingImages (in /usr/lib64/libMagickCore-6.Q16.so.1.0.0)
==5600==    by 0x536154B: IdentifyImageCommand (in /usr/lib64/libMagickWand-6.Q16.so.1.0.0)
==5600==    by 0x538ECB2: MagickCommandGenesis (in /usr/lib64/libMagickWand-6.Q16.so.1.0.0)
==5600==    by 0x400891: IdentifyMain (identify.c:80)
==5600==    by 0x400891: main (identify.c:93)
[...]
Comment 4 Hu 2022-04-12 11:27:23 UTC
Affected:  
- openSUSE:Factory/GraphicsMagick       1.3.37
- SUSE:SLE-12:Update/ImageMagick        6.8.8

Unsure if affected or not: 
- SUSE:SLE-11:Update/ImageMagick        6.4.3

Not Affected:
- SUSE:SLE-15:Update/ImageMagick        7.0.7
- SUSE:SLE-15-SP2:Update/ImageMagick    7.0.7
- SUSE:SLE-15-SP4:Update/ImageMagick    7.1.0
- openSUSE:Factory/ImageMagick          7.1.0
Comment 6 Petr Gajdos 2022-04-12 12:40:54 UTC
BEFORE

GraphicsMagick 1.3.37, 15sp3/GraphicsMagick

:/198351 # gm identify example.miff
gm identify: abort due to signal 11 (SIGSEGV) "Segmentation Fault"...
Aborted (core dumped)
:/198351 #

11/GraphicsMagick

$ valgrind  -q gm identify 198351
gm identify: Unexpected end-of-file (/tmp/gmqkwKQ2).
$

devel,15/ImageMagick

$ valgrind  -q identify example.miff
identify: unable to read image data `example.miff' @ error/miff.c/ReadMIFFImage/1469.
$
[ considering unaffected based on the testcase and code ]

12/ImageMagick
:/198351 # identify example.miff 
*** Error in `identify': free(): invalid pointer: 0x00000000007550c0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x74c99)[0x7f308c6ffc99]
/lib64/libc.so.6(+0x7a566)[0x7f308c705566]
/usr/lib64/libMagickCore-6.Q16.so.1(RelinquishMagickMemory+0xf)[0x7f308d09cd4f]
/usr/lib64/ImageMagick-6.8.8/modules-Q16/coders/miff.so(+0x4fda)[0x7f308a027fda]
/usr/lib64/libMagickCore-6.Q16.so.1(ReadImage+0x1ab)[0x7f308cffcfab]
/usr/lib64/libMagickCore-6.Q16.so.1(ReadStream+0x119)[0x7f308d1144a9]
/usr/lib64/libMagickCore-6.Q16.so.1(PingImage+0x61)[0x7f308cffcaf1]
/usr/lib64/libMagickCore-6.Q16.so.1(PingImages+0x15b)[0x7f308cffcd2b]
/usr/lib64/libMagickWand-6.Q16.so.1(IdentifyImageCommand+0x67c)[0x7f308ccd554c]
/usr/lib64/libMagickWand-6.Q16.so.1(MagickCommandGenesis+0x6d3)[0x7f308cd02cb3]
identify[0x400892]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f308c6accb5]
identify[0x4008fa]
======= Memory map: ========
[...]
:/198351 #
[ considering affected based on the testcase, even if it is probably a slightly different issue ]

11/ImageMagick

beth:/198351 # identify example.miff     
identify: Improper image header `example.miff'.
beth:/198351 #
[not affected based on testcase]


PATCH

http://hg.code.sf.net/p/graphicsmagick/code/rev/94f4bcf448ad

11/GraphicsMagick: the code is partly there
11/ImageMagick: code not found, not reproducible, considering unaffected
12/ImageMagick: the testcase crashes, however it seems to be a bit different problem


AFTER

GraphicsMagick 1.3.38, 15sp3/GraphicsMagick

:/198351 # gm identify example.miff
gm identify: Unable to uncompress image (example.miff).
gm identify: Request did not return an image.
:/198351 #


12/ImageMagick

:/198351 # identify example.miff 
identify: improper image header `example.miff' @ error/miff.c/ReadMIFFImage/1425.
:/198351 #
Comment 7 Petr Gajdos 2022-04-12 12:42:07 UTC
Submitted for: TW,15sp3,11/GraphicsMagick, 12/ImageMagick.
Comment 8 Petr Gajdos 2022-04-12 12:42:33 UTC
I believe all fixed.
Comment 10 Swamp Workflow Management 2022-04-20 10:25:16 UTC
SUSE-SU-2022:1274-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1198351
CVE References: CVE-2022-1270
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    GraphicsMagick-1.3.35-150300.3.3.1
openSUSE Leap 15.3 (src):    GraphicsMagick-1.3.35-150300.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Gabriele Sonnu 2022-04-29 08:20:00 UTC
Done.
Comment 14 Petr Gajdos 2022-05-20 06:17:35 UTC
Used
https://github.com/ImageMagick/ImageMagick6/commit/9d328305c72648a6d0ff690ac6c4f9150644a4cd
for fixing testcase. Resubmitted for 12/ImageMagick.
Comment 16 Swamp Workflow Management 2022-05-31 10:17:24 UTC
SUSE-SU-2022:1885-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1198351,1199350
CVE References: CVE-2022-1270,CVE-2022-28463
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    ImageMagick-6.8.8.1-71.172.1
SUSE OpenStack Cloud Crowbar 8 (src):    ImageMagick-6.8.8.1-71.172.1
SUSE OpenStack Cloud 9 (src):    ImageMagick-6.8.8.1-71.172.1
SUSE OpenStack Cloud 8 (src):    ImageMagick-6.8.8.1-71.172.1
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    ImageMagick-6.8.8.1-71.172.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ImageMagick-6.8.8.1-71.172.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    ImageMagick-6.8.8.1-71.172.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    ImageMagick-6.8.8.1-71.172.1
SUSE Linux Enterprise Server 12-SP5 (src):    ImageMagick-6.8.8.1-71.172.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    ImageMagick-6.8.8.1-71.172.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    ImageMagick-6.8.8.1-71.172.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    ImageMagick-6.8.8.1-71.172.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ImageMagick-6.8.8.1-71.172.1
HPE Helion Openstack 8 (src):    ImageMagick-6.8.8.1-71.172.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
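The two advisories on this bug (SUSE-SU-2022:1274-1 and SUSE-SU-2022:1885-1) name the fixed source package versions: GraphicsMagick-1.3.35-150300.3.3.1 for openSUSE Leap 15.3/15.4 and ImageMagick-6.8.8.1-71.172.1 for the SLE 12 based products. The usual follow-up for an administrator is to check whether installed packages are at or above those versions, which requires comparing version strings the way rpm does rather than lexically. The script below is an added example, not SUSE's tooling and not part of this bug: it implements rpm's rpmvercmp segment ordering (numeric vs. alphabetic segments, leading zeros, `~` and `^`), compares epoch:version-release triples, and audits a constructed inventory of `NAME VERSION-RELEASE` lines. The inventory format, the `FIXED_VERSIONS` table and the sample installed versions are assumptions for the example; a real check must compare against the advisory entry for the same product stream (for instance, Factory's GraphicsMagick 1.3.37 is not covered by the Leap 15.3 entry).

```python
import re

# Fixed version-release strings taken from the advisories on this bug.
# Assumption: the host being audited runs the product stream each entry
# applies to (Leap 15.3/15.4 for GraphicsMagick, SLE 12 based for ImageMagick).
FIXED_VERSIONS = {
    "GraphicsMagick": "1.3.35-150300.3.3.1",   # SUSE-SU-2022:1274-1
    "ImageMagick": "6.8.8.1-71.172.1",         # SUSE-SU-2022:1885-1
}

# Constructed sample inventory, e.g. from
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# The ImageMagick line is deliberately older than the fixed release.
SAMPLE_INVENTORY = """\
ImageMagick 6.8.8.1-71.170.1
GraphicsMagick 1.3.35-150300.3.3.1
bash 4.4-150300.1.3
"""


def _take(s, k, pred):
    """Return the run of characters at s[k:] satisfying pred and the new index."""
    start = k
    while k < len(s) and pred(s[k]):
        k += 1
    return s[start:k], k


def rpmvercmp(a, b):
    """Compare two rpm version or release strings like rpm's rpmvercmp.

    Returns -1, 0 or 1. Segments are split at non-alphanumeric characters;
    numeric segments compare numerically (leading zeros ignored), alphabetic
    ones lexically, and a numeric segment is newer than an alphabetic one.
    '~' sorts before everything including end of string (1.0~rc1 < 1.0);
    '^' sorts before everything except end of string (1.0^ > 1.0, 1.0^ < 1.0.1).
    """
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators: anything that is not alphanumeric, '~' or '^'.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "" or cb == "":
            break
        isnum = ca.isdigit()
        pred = str.isdigit if isnum else str.isalpha
        sa, i2 = _take(a, i, pred)
        sb, j2 = _take(b, j, pred)
        if not sb:
            # Segment types differ: numeric is considered newer than alphabetic.
            return 1 if isnum else -1
        i, j = i2, j2
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_evr(evr):
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch, version, release = "0", evr, ""
    if ":" in version:
        epoch, version = version.split(":", 1)
    if "-" in version:
        version, release = version.rsplit("-", 1)
    return epoch, version, release


def evr_cmp(x, y):
    """Compare two epoch:version-release strings; -1, 0 or 1."""
    for p, q in zip(split_evr(x), split_evr(y)):
        rc = rpmvercmp(p, q)
        if rc:
            return rc
    return 0


def is_fixed(package, installed_evr):
    """True when the installed package is at or above the advisory's fixed version."""
    return evr_cmp(installed_evr, FIXED_VERSIONS[package]) >= 0


def audit(inventory_text):
    """Map each package named in FIXED_VERSIONS that appears in the inventory
    to whether it is patched; unrelated packages are ignored."""
    results = {}
    for line in inventory_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, evr = parts
        if name in FIXED_VERSIONS:
            results[name] = is_fixed(name, evr)
    return results


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {'patched' if ok else 'VULNERABLE (below ' + FIXED_VERSIONS[name] + ')'}")
```

Feeding the script real `rpm -qa` output is a matter of replacing `SAMPLE_INVENTORY`; packages with a non-empty epoch should be queried with `%{EPOCH}:` prefixed to the version so that `split_evr` sees it.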