| Summary: | imagemagick new security issues CVE-2014-835[45], CVE-2014-856[12], and CVE-2014-8716 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | olchal, rverschelde, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/620052/ | ||
| Whiteboard: | MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK advisory | ||
| Source RPM: | imagemagick | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-11-13 15:51:48 CET

David Walser
2014-11-13 15:51:54 CET
Whiteboard: (none) => MGA4TOO, MGA3TOO

David Walser
2014-11-13 22:12:28 CET
Summary: imagemagick new security issues CVE-2014-835[45], CVE-2014-856[12], and => imagemagick new security issues CVE-2014-835[45], CVE-2014-856[12], and CVE-2014-8716

CVE-2014-8354 fix: http://trac.imagemagick.org/changeset/16765
CVE-2014-8355 fix: http://trac.imagemagick.org/changeset/16773

For CVE-2014-8561, I'm confused. Ubuntu and an imagemagick.org forum post claim that the change in magick/profile.c in the DeleteImageProfile call's arguments from (image,name) to (image,next) was what caused the issue, but the Debian bug claims the issue was fixed in 6.8.9-9, which still has (image,next) as the arguments. The change was only made in August. So, it at least appears that Mageia 3 and Mageia 4 aren't vulnerable. Either Cauldron still is, or the upstream fix changed something elsewhere in the code. The Debian bug has a PoC, so this could be tested in Cauldron.
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8561.html
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26399%23p116146
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764872

CVE-2014-8562 fix: http://trac.imagemagick.org/changeset/16795

Other notes:

There is some PoC information for some of the CVEs here:
http://seclists.org/fulldisclosure/2014/Nov/1

GraphicsMagick is affected by CVE-2014-8355 and has a fix here:
http://sourceforge.net/p/graphicsmagick/code/ci/4426024497f9ed26cbadc5af5a5de55ac84796ff/

GraphicsMagick also had a recent security fix in coders/psd.c (CVE-2014-1947), which we had already patched, but instead of:
```
(void) sprintf(layer_name, "L%02d", layer_count++ );
```
the upstream fix has this:
```
FormatString( layer_name, "L%04d", layer_count++ );
```

CVE-2014-8716 fix: http://trac.imagemagick.org/changeset/16872

PoC information for CVE-2014-8716:
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26456

For graphicsmagick, I'll file a new bug. As for ImageMagick, patched packages uploaded for Mageia 4 and Cauldron.

For Mageia 3, for some reason it won't accept the ThrowPCXException thing that is #define'd in the patch:
http://pkgsubmit.mageia.org/uploads/failure/3/core/updates_testing/20141114004245.luigiwalser.valstar.1576/log/imagemagick-6.8.1.1-2.3.mga3/build.0.20141114004305.log

Just saving the advisory for later, below.

Advisory:
========================

Updated imagemagick packages fix security vulnerabilities:

ImageMagick is vulnerable to a denial of service due to out-of-bounds memory accesses in the resize code (CVE-2014-8354), PCX parser (CVE-2014-8355), DCM decoder (CVE-2014-8562), and JPEG decoder (CVE-2014-8716).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8354
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8716
http://lists.opensuse.org/opensuse-updates/2014-11/msg00036.html

Packages built so far:
graphicsmagick-1.3.17-2.4.mga3
libgraphicsmagick3-1.3.17-2.4.mga3
libgraphicsmagickwand2-1.3.17-2.4.mga3
libgraphicsmagick-devel-1.3.17-2.4.mga3
perl-Graphics-Magick-1.3.17-2.4.mga3
graphicsmagick-doc-1.3.17-2.4.mga3
graphicsmagick-1.3.18-3.3.mga4
libgraphicsmagick3-1.3.18-3.3.mga4
libgraphicsmagickwand2-1.3.18-3.3.mga4
libgraphicsmagick-devel-1.3.18-3.3.mga4
perl-Graphics-Magick-1.3.18-3.3.mga4
graphicsmagick-doc-1.3.18-3.3.mga4
imagemagick-6.8.7.0-2.3.mga4
imagemagick-desktop-6.8.7.0-2.3.mga4
libmagick-6Q16_1-6.8.7.0-2.3.mga4
libmagick++-6Q16_3-6.8.7.0-2.3.mga4
libmagick-devel-6.8.7.0-2.3.mga4
perl-Image-Magick-6.8.7.0-2.3.mga4
imagemagick-doc-6.8.7.0-2.3.mga4

from SRPMS:
graphicsmagick-1.3.17-2.4.mga3.src.rpm
graphicsmagick-1.3.18-3.3.mga4.src.rpm
imagemagick-6.8.7.0-2.3.mga4.src.rpm

Version: Cauldron => 4

Thanks to an extra set of eyes from Pascal, a couple of errors in the CVE-2014-8355 patch were fixed, so now Mageia 3's update is built.

imagemagick-6.8.1.1-2.3.mga3
imagemagick-desktop-6.8.1.1-2.3.mga3
libmagick7-6.8.1.1-2.3.mga3
libmagick-devel-6.8.1.1-2.3.mga3
perl-Image-Magick-6.8.1.1-2.3.mga3
imagemagick-doc-6.8.1.1-2.3.mga3

from imagemagick-6.8.1.1-2.3.mga3.src.rpm

Fortunately this made me look at the Mageia 4 patch too, which had been blank initially somehow, so I fixed that too (already in the build from the previous comment).

Assigning to QA.

Note the PoC information referenced in Comment 1 and Comment 3. It would be nice if someone could test CVE-2014-8561 on Cauldron, to see if I still need to patch that.

GraphicsMagick CVE-2014-8355 has been filed as Bug 14546.

Advisory:
========================

Updated imagemagick packages fix security vulnerabilities:

ImageMagick is vulnerable to a denial of service due to out-of-bounds memory accesses in the resize code (CVE-2014-8354), PCX parser (CVE-2014-8355), DCM decoder (CVE-2014-8562), and JPEG decoder (CVE-2014-8716).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8354
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8716
http://lists.opensuse.org/opensuse-updates/2014-11/msg00036.html
========================

Updated packages in core/updates_testing:
========================
imagemagick-6.8.1.1-2.3.mga3
imagemagick-desktop-6.8.1.1-2.3.mga3
libmagick7-6.8.1.1-2.3.mga3
libmagick-devel-6.8.1.1-2.3.mga3
perl-Image-Magick-6.8.1.1-2.3.mga3
imagemagick-doc-6.8.1.1-2.3.mga3
imagemagick-6.8.7.0-2.3.mga4
imagemagick-desktop-6.8.7.0-2.3.mga4
libmagick-6Q16_1-6.8.7.0-2.3.mga4
libmagick++-6Q16_3-6.8.7.0-2.3.mga4
libmagick-devel-6.8.7.0-2.3.mga4
perl-Image-Magick-6.8.7.0-2.3.mga4
imagemagick-doc-6.8.7.0-2.3.mga4

from SRPMS:
imagemagick-6.8.1.1-2.3.mga3.src.rpm
imagemagick-6.8.7.0-2.3.mga4.src.rpm

Assignee: bugsquad => qa-bugs

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=12742#c5

Please also see the PoC information in comment 1 and comment 3.

Advisory uploaded.

CC: (none) => remi

I couldn't reproduce crashes with any of the PoCs. The CVE-2014-8355 one gave normal identify output, as it did with GraphicsMagick, and the others gave error messages (but not a SEGV). After the update, the CVE-2014-8355 one gave an error message, as it also did with the GraphicsMagick update, and the other ones still gave the same error messages as before.

I also tested some of the commands from Claire's testcase.

Testing complete Mageia 3 i586 and Mageia 4 i586.

Whiteboard: MGA3TOO has_procedure advisory => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK advisory

Testing on Mageia3-64 real HW

Current packages:
----------------
```
$ rpm -q imagemagick
imagemagick-6.8.1.1-2.1.mga3
```

CVE-2014-8716:
```
$ convert imagetest png:/dev/null
convert: Corrupt JPEG data: premature end of data segment `imagetest' @ warning/jpeg.c/JPEGWarningHandler/348.
```

CVE-2014-8355: identify command didn't give any error, and convert could convert imagetest2.pcx to imagetest2.gif.

Following the procedure mentioned in comment 8: could convert, identify and tested some of Claire's tests in the testing procedure found in comment 8, as well as the perl script.

Update to testing packages:
--------------------------
- imagemagick-6.8.1.1-2.3.mga3.x86_64
- imagemagick-desktop-6.8.1.1-2.3.mga3.x86_64
- imagemagick-doc-6.8.1.1-2.3.mga3.noarch
- lib64magick-devel-6.8.1.1-2.3.mga3.x86_64
- lib64magick7-6.8.1.1-2.3.mga3.x86_64
- perl-Image-Magick-6.8.1.1-2.3.mga3.x86_64

```
$ convert imagetest png:/dev/null
convert: Corrupt JPEG data: premature end of data segment `imagetest' @ warning/jpeg.c/JPEGWarningHandler/348.
```

CVE-2014-8355: identify and convert commands gave error messages (identify: En-tête d'image incorrect `imagetest2.pcx' @ error/pcx.c/ReadPCXImage/393.)

Other tests ok.

I don't know, for both CVEs, if those results were expected.

CC: (none) => olchal

(In reply to olivier charles from comment #10)
> I don't know, for both CVEs, if those results were expected.

Yep, thanks. Adding the OK.

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK advisory => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK advisory

Validating, it's been well tested already.

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0482.html

Status: NEW => RESOLVED

LWN reference for CVE-2014-8716: http://lwn.net/Vulnerabilities/622954/
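The QA comments above rest on one distinction: a PoC file that makes `identify` or `convert` print an error message and exit is fine, one that ends in a SEGV is not. The script below is an added example (not part of this bug, the Mageia packages or ImageMagick) that automates that check: it runs a tool over a directory of test files under a timeout and classifies each result as ok, error, crash(sigN) or hang from the exit status, keeping the first line of stderr so a run before and after a package update can be diffed. It assumes `$TOOL` is an ImageMagick-style command that takes one file argument (default `identify`) and that coreutils `timeout` is present for the hang detection (skipped if absent); the `faketool` used for the self-check is a constructed stand-in, not a real decoder.

```shell
#!/bin/sh
# run_poc_check.sh (added example; not from the Mageia or ImageMagick packages)
# Classify the outcome of running an image tool on each file in a directory.
# Assumes $TOOL takes one file argument, like identify(1) or convert(1) with
# an output target already baked in via a wrapper. Keep it POSIX sh.

TOOL="${TOOL:-identify}"                       # assumed: an ImageMagick-style command
LIMIT="${LIMIT:-10}"                           # seconds before a run counts as a hang
ERRFILE="${ERRFILE:-/tmp/poc_check.$$.err}"    # where the last run's stderr is kept

# classify_status CODE: map an exit code to ok | error | crash(sigN) | hang.
# The shell reports a process killed by signal N as 128+N, so a SIGSEGV in a
# decoder shows up as 139 and a glibc abort (SIGABRT) as 134. coreutils timeout
# reports an expired limit as 124. Any other non-zero code is a controlled
# error, i.e. the tool noticed the corrupt input and refused it.
classify_status() {
  code="$1"
  if [ "$code" -eq 0 ]; then
    echo ok
  elif [ "$code" -eq 124 ]; then
    echo hang
  elif [ "$code" -gt 128 ]; then
    echo "crash(sig$((code - 128)))"
  else
    echo error
  fi
}

# check_file FILE: run "$TOOL FILE" with stdout discarded and stderr saved to
# $ERRFILE, then print the classification of its exit status. The "|| rc=$?"
# form keeps the function safe under "set -e".
check_file() {
  rc=0
  if command -v timeout >/dev/null 2>&1; then
    timeout "$LIMIT" "$TOOL" "$1" >/dev/null 2>"$ERRFILE" || rc=$?
  else
    "$TOOL" "$1" >/dev/null 2>"$ERRFILE" || rc=$?
  fi
  classify_status "$rc"
}

# report DIR: one line per regular file in DIR: status, path, first stderr line.
# Run it once on the installed package and once on the updates_testing package
# and diff the two outputs; any line whose status is crash or hang needs a look.
report() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    status=$(check_file "$f")
    first=$(head -n 1 "$ERRFILE" 2>/dev/null)
    printf '%-14s %s   %s\n' "$status" "$f" "$first"
  done
}

# Usage: TOOL=identify sh run_poc_check.sh /path/to/testcases
if [ $# -eq 1 ]; then
  report "$1"
fi
```

Because `convert` needs an output argument, wrap it (for example a two-line script that runs `convert "$1" png:/dev/null`, as in the comments above) and point `TOOL` at the wrapper; the classification logic does not care which tool produced the exit status.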