| Summary: | graphicsmagick new security issues CVE-2018-2018[459] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | geiger.david68210, guillomovitch, herman.viaene, lewyssmith, marja11, mhrambo3501, nicolas.salguero, qa-bugs, shlomif, smelror, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK | | |
| Source RPM: | graphicsmagick-1.3.31-1.mga6.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2018-12-31 23:40:33 CET
David Walser
2018-12-31 23:41:06 CET
Summary: graphicsmagick new security issues CVE-2018-20184 CVE-2018-20189 => graphicsmagick new security issues CVE-2018-2018[49]

Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing some more committers.

CC: (none) => geiger.david68210, guillomovitch, marja11, nicolas.salguero, shlomif

Mike, just FYI you pushed the graphicsmagick update to the wrong repo (backports instead of core).

CC: (none) => mrambo

(Yep - doing too many things at once, but it should be getting fixed)

Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated graphicsmagick package fixes security vulnerabilities:

It was discovered that graphicsmagick was subject to two vulnerabilities.

* heap-based buffer overflow in the WriteTGAImage function of tga.c (CVE-2018-20184).
* denial of service vulnerability in ReadDIBImage function of coders/dib.c (CVE-2018-20189)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20184
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20189
https://lists.opensuse.org/opensuse-updates/2018-12/msg00148.html
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-doc-1.3.31-1.2.mga6.noarch.rpm
graphicsmagick-1.3.31-1.2.mga6
lib64graphicsmagick++12-1.3.31-1.2.mga6
lib64graphicsmagick3-1.3.31-1.2.mga6
lib64graphicsmagick-devel-1.3.31-1.2.mga6
lib64graphicsmagickwand2-1.3.31-1.2.mga6
perl-Graphics-Magick-1.3.31-1.2.mga6

from graphicsmagick-1.3.31-1.2.mga6.src.rpm

Testing procedure:
https://wiki.mageia.org/en/QA_procedure:GraphicsMagick

Assignee: pkg-bugs => qa-bugs

SUSE has issued an advisory on January 3:
http://lists.suse.com/pipermail/sle-security-updates/2019-January/005014.html

CVE-2018-20185 is new and also appears to have been fixed post-1.3.31:
https://bugzilla.suse.com/show_bug.cgi?id=1119823

Assignee: qa-bugs => pkg-bugs

Mike Rambo
2019-01-04 20:20:50 CET

Assignee: pkg-bugs => mrambo

Patched package uploaded for cauldron and Mageia 6.

Revised Advisory:
========================

Updated graphicsmagick package fixes security vulnerabilities:

It was discovered that graphicsmagick was subject to vulnerabilities.

* heap-based buffer overflow in the WriteTGAImage function of tga.c (CVE-2018-20184).
* denial of service vulnerability in ReadDIBImage function of coders/dib.c (CVE-2018-20189).
* heap-based buffer over-read in the ReadBMPImage function of bmp.c (CVE-2018-20185).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20184
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20189
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20185
https://lists.opensuse.org/opensuse-updates/2018-12/msg00148.html
http://lists.suse.com/pipermail/sle-security-updates/2019-January/005014.html
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-doc-1.3.31-1.3.mga6.noarch.rpm
graphicsmagick-1.3.31-1.3.mga6
lib64graphicsmagick++12-1.3.31-1.3.mga6
lib64graphicsmagick3-1.3.31-1.3.mga6
lib64graphicsmagick-devel-1.3.31-1.3.mga6
lib64graphicsmagickwand2-1.3.31-1.3.mga6
perl-Graphics-Magick-1.3.31-1.3.mga6

from graphicsmagick-1.3.31-1.3.mga6.src.rpm

Testing procedure:
https://wiki.mageia.org/en/QA_procedure:GraphicsMagick

Assignee: mrambo => qa-bugs

CVE-2018-20184, best reference: https://sourceforge.net/p/graphicsmagick/bugs/583/ has useful info, with a POC file at:
https://sourceforge.net/p/graphicsmagick/bugs/583/attachment/buffer-overflow-WriteTGAImage
to use:
$ gm convert heap-buffer-overflow-WriteTGAImage test.tga

CVE-2018-20189 https://sourceforge.net/p/graphicsmagick/bugs/585/ has useful test information and a POC file at:
https://sourceforge.net/p/graphicsmagick/bugs/_discuss/thread/3c4cb86b59/2351/attachment/poc.zip
to be used:
$ gm convert $POC 1.mng
but with the enigmatic comment "the poc.png in the zip is a copy of the POC file with another filename and it will not trigger the crash".

CVE-2018-20185 https://sourceforge.net/p/graphicsmagick/bugs/582/ has useful information, including a test file at:
https://sourceforge.net/p/graphicsmagick/bugs/582/attachment/heap-buffer-overflow-readbmpimage
to be used:
$ gm convert ./heap-buffer-overflow-readbmpimage /dev/null
but is it worth it? "Problem (now identified as CVE-2018-20185) is claimed to still exist after my fix. See https://bugzilla.suse.com/show_bug.cgi?id=1119823#c1".

Enough for now.

CC: (none) => lewyssmith

Testing M6 x64

BEFORE update:
graphicsmagick-1.3.31-1.mga6
lib64graphicsmagick3-1.3.31-1.mga6
lib64graphicsmagickwand2-1.3.31-1.mga6
lib64graphicsmagick++12-1.3.31-1.mga6

CVE-2018-20184
$ gm convert buffer-overflow-WriteTGAImage test.tga
*** Error in `gm': free(): invalid next size (fast): 0x000000000238fd30 ***
======= Backtrace: =========
/usr/lib64/libc.so.6(+0x72435)[0x7f10876d3435]
...
======= Memory map: ========
00400000-00401000 r-xp 00000000 08:0b 835940 /usr/bin/gm
...
fffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
gm convert: abort due to signal 6 (SIGABRT) "Abort"...
Aborted (core dumped)

CVE-2018-20189
$ gm convert crash6789012345678901234567890123456.png 1.mng
gm convert: Invalid background palette index (1.mng).
$ gm convert poc.png 1.mng
gm: coders/png.c:7503: WriteOnePNGImage: Assertion `(unsigned long) index < number_colors' failed.
gm convert: abort due to signal 6 (SIGABRT) "Abort"...
Aborted (core dumped)

CVE-2018-20185
$ gm convert heap-buffer-overflow-readbmpimage /dev/null
gm convert: Insufficient image data in file (./heap-buffer-overflow-readbmpimage).

----------------------------------
AFTER update:
graphicsmagick-1.3.31-1.3.mga6
lib64graphicsmagickwand2-1.3.31-1.3.mga6
lib64graphicsmagick3-1.3.31-1.3.mga6
lib64graphicsmagick++12-1.3.31-1.3.mga6

CVE-2018-20184
$ gm convert buffer-overflow-WriteTGAImage test.tga
gm convert: Image column or row size is not supported (test.tga) [No such file or directory].
NO crash, good.

CVE-2018-20189
$ gm convert crash6789012345678901234567890123456.png 1.mng
gm convert: Improper image header (crash6789012345678901234567890123456.png).
Different, looks good.
$ gm convert poc.png 1.mng
gm convert: Improper image header (poc.png).
NO crash; good.

CVE-2018-20185
$ gm convert heap-buffer-overflow-readbmpimage /dev/null
gm convert: Insufficient image data in file (./heap-buffer-overflow-readbmpimage).
Same as before.

Ah! I forgot (c6): "In GraphicsMagick 1.4 snapshot-20181209 Q8 on *32-bit platforms*, there is a heap-based buffer over-read in the ReadBMPImage function of bmp.c, which allows attackers to cause a denial of service via a crafted bmp image file. *This only affects GraphicsMagick installations with customized BMP limits.*" Two restrictions, so not surprising no change. The 32-bit matters here.

@Herman: could you please try just this one POC *before* and *after* the update, 32-bit. Ideally it will behave differently (=OK), but if it does not, no matter. Validate it anyway afterwards.

Advisory done from comment 5.

Keywords: (none) => advisory

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
First installed 1.3.31-1 and
$ gm convert ./heap-buffer-overflow-readbmpimage /dev/null
gm convert: abort due to signal 7 (SIGBUS) "Bus Error"...
Afgebroken (geheugendump gemaakt)
i.e. Aborted (memory dump made)
Then updated to 1.3.31-1.3 and got
$ gm convert ./heap-buffer-overflow-readbmpimage /dev/null
gm convert: abort due to signal 7 (SIGBUS) "Bus Error"...
Afgebroken (geheugendump gemaakt)
I assure you, that's not a copy of the first command, the update did not make a difference here.

(In reply to Herman Viaene from comment #8)
> MGA6-32 MATE on IBM Thinkpad R50e
> I assure you, that's not a copy of the first command, the update did not
> make a difference here.

Thanks for trying, anyway. At least no reversion! All my own +ves justify validation.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0033.html

Resolution: (none) => FIXED
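The before/after checks in the QA comments above hinge on one distinction per POC file: did gm die from a signal (SIGABRT 6 on x86_64, SIGBUS 7 on the 32-bit box), or did it reject the input with a "gm convert: ..." message and exit normally. The following POSIX shell helper is an added example, not part of the bug report or of the Mageia QA procedure; it classifies a command's exit status that way and, when invoked with --run in a directory holding the three POC files from the SourceForge entries cited above (assumed to have been fetched separately, with gm installed), replays the same three gm convert commands.

```shell
#!/bin/sh
# Added helper (not from the bug report): classify how a "gm convert" run
# ended. A POSIX shell reports a child killed by signal N as exit status
# 128+N, so 134 = SIGABRT (the tga.c / dib.c crashes above) and 135 = SIGBUS
# (the 32-bit bmp.c case). Exit status 1 with a "gm convert: ..." message is
# the graceful rejection expected after the fix; 127 means gm is not installed.

# classify_status STATUS -> ok | rejected | not-found | crash(signal N)
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "ok"
    elif [ "$1" -eq 127 ]; then
        echo "not-found"
    elif [ "$1" -gt 128 ]; then
        sig=$(($1 - 128))
        echo "crash(signal $sig)"
    else
        echo "rejected"
    fi
}

# run_check CMD ARGS... -> prints "<verdict> TAB <command> TAB <first stderr line>"
# and returns non-zero only when the command died from a signal, so a sweep
# over several POC files reports every crash instead of stopping at the first.
run_check() {
    err=$(mktemp) || return 2
    status=0
    "$@" >/dev/null 2>"$err" || status=$?
    verdict=$(classify_status "$status")
    first=$(head -n 1 "$err")
    rm -f "$err"
    printf '%s\t%s\t%s\n' "$verdict" "$*" "$first"
    [ "$status" -le 128 ]
}

# Driver: the three commands from the QA comments above. Runs only when the
# script is started as "sh check.sh --run" in the directory with the POC files.
if [ "${1:-}" = "--run" ]; then
    rc=0
    run_check gm convert buffer-overflow-WriteTGAImage test.tga      || rc=1  # CVE-2018-20184
    run_check gm convert poc.png 1.mng                               || rc=1  # CVE-2018-20189
    run_check gm convert heap-buffer-overflow-readbmpimage /dev/null || rc=1  # CVE-2018-20185
    exit "$rc"
fi
```

Run it once against the pre-update packages and once after updating; a line that changes from crash(signal N) to rejected is the outcome the comments above call "NO crash, good".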