Bug 12742 - imagemagick new security issue CVE-2014-1958 and CVE-2014-2030
Summary: imagemagick new security issue CVE-2014-1958 and CVE-2014-2030
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/588051/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update
Reported: 2014-02-12 17:16 CET by David Walser
Modified: 2014-02-24 23:03 CET

Source RPM: imagemagick

Description David Walser 2014-02-12 17:16:28 CET
A CVE has been assigned for a security issue fixed recently in ImageMagick (possibly in 6.8.8-5):
http://openwall.com/lists/oss-security/2014/02/12/13

The CVE request contains a possible patch for the issue:
http://openwall.com/lists/oss-security/2014/02/12/2

Mageia 3 and possibly Mageia 4 are affected.  Cauldron has version 6.8.8-5.

David Walser 2014-02-12 17:16:40 CET

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-02-13 23:54:52 CET
OK there's been some confusion with this CVE assignment, but I think the current status is, CVE-2014-1947 refers to older (older than what we have in Mageia 3) versions of ImageMagick that have "L%02ld" as the format string.

A new CVE will be assigned (but hasn't been yet) for the issue the patch posted in the request fixed, and the origin of that patch is this:
http://trac.imagemagick.org/changeset/13736

CVE-2014-1958 refers to an even more recent commit:
http://trac.imagemagick.org/changeset/14801

Mageia 4 is missing both commits, so we'll need patches for both in Mageia 3 and Mageia 4 once the CVE assignments are sorted out.

Summary: imagemagick new security issue CVE-2014-1947 => imagemagick new security issue CVE-2014-1958 and CVE-2014-XXXX

Comment 2 David Walser 2014-02-20 01:10:23 CET
CVE-2014-2030 has finally been assigned for the first issue:
http://openwall.com/lists/oss-security/2014/02/19/13

Summary: imagemagick new security issue CVE-2014-1958 and CVE-2014-XXXX => imagemagick new security issue CVE-2014-1958 and CVE-2014-2030

Comment 3 David Walser 2014-02-20 18:40:37 CET
Patched packages uploaded for Mageia 3 and Mageia 4.

I *think* my description for CVE-2014-2030 is accurate :o)

Advisory:
========================

Updated imagemagick packages fix security vulnerabilities:

A buffer overflow flaw was found in the way ImageMagick handled PSD images
that use RLE encoding. An attacker could create a malicious PSD image file
that, when opened in ImageMagick, would cause ImageMagick to crash or,
potentially, execute arbitrary code with the privileges of the user running
ImageMagick (CVE-2014-1958).

A buffer overflow flaw was found in the way ImageMagick writes PSD images when
the input data has a large number of unlabeled layers (CVE-2014-2030).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2030
http://secunia.com/advisories/56844/
https://bugzilla.redhat.com/show_bug.cgi?id=1067276
https://bugzilla.redhat.com/show_bug.cgi?id=1064098
========================

Updated packages in core/updates_testing:
========================
imagemagick-6.8.1.1-2.1.mga3
imagemagick-desktop-6.8.1.1-2.1.mga3
libmagick7-6.8.1.1-2.1.mga3
libmagick-devel-6.8.1.1-2.1.mga3
perl-Image-Magick-6.8.1.1-2.1.mga3
imagemagick-doc-6.8.1.1-2.1.mga3
imagemagick-6.8.7.0-2.1.mga4
imagemagick-desktop-6.8.7.0-2.1.mga4
libmagick-6Q16_1-6.8.7.0-2.1.mga4
libmagick++-6Q16_3-6.8.7.0-2.1.mga4
libmagick-devel-6.8.7.0-2.1.mga4
perl-Image-Magick-6.8.7.0-2.1.mga4
imagemagick-doc-6.8.7.0-2.1.mga4

from SRPMS:
imagemagick-6.8.1.1-2.1.mga3.src.rpm
imagemagick-6.8.7.0-2.1.mga4.src.rpm

Assignee: fundawang => qa-bugs
Severity: normal => major

Comment 4 claire robinson 2014-02-21 11:22:55 CET
Testing mga3 32 & 64

The CVEs relate to opening PSD files so downloaded some example ones to test with.

Comment 5 claire robinson 2014-02-21 12:55:27 CET
Testing complete mga3 32 & 64 using the examples.pl script from here and two images model.gif and smile.gif. Created the two images using the 'convert' cli tool from any-old-picture.jpg and a-smilie-from-the-net.png.
http://www.imagemagick.org/script/examples.php


$ convert any-old-picture.jpg model.gif
$ convert a-smilie-from-the-net.png smile.gif

$ perl examples.pl
Read...
Transform image...
Adaptive Blur...
Adaptive Resize...

...etc

Vignette...
Wave...
Montage...
Write...
Display...

$ display demo.jpg

Clicked on the image and played with some options in the menu which appears.

Used some of the other imagemagick commands..
$ urpmf imagemagick | grep bin
imagemagick:/usr/bin/animate
imagemagick:/usr/bin/compare
imagemagick:/usr/bin/composite
imagemagick:/usr/bin/conjure
imagemagick:/usr/bin/convert
imagemagick:/usr/bin/display
imagemagick:/usr/bin/identify
imagemagick:/usr/bin/import
imagemagick:/usr/bin/mogrify
imagemagick:/usr/bin/montage
imagemagick:/usr/bin/stream


$ import -window root screencap.tiff
$ display screencap.tiff

$ identify screencap.tiff 
screencap.tiff TIFF 1024x768 1024x768+0+0 16-bit sRGB 4.725MB 0.000u 0:00.000

$ mogrify -gaussian-blur 20 screencap.tiff 
$ display screencap.tiff

Some stuff with psd's for the CVE..

$ mogrify -gaussian-blur 20 ../04Start.psd 
$ display ../04Start.psd 

$ convert screencap.tiff screencap.psd
$ display screencap.psd

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga3-32-ok mga3-64-ok

Comment 6 David Walser 2014-02-21 16:05:31 CET
I ran the same commands as Claire did at the end from 'import' on.  I also created an XCF file in the GIMP with over 100 layers and converted it to a PSD file with convert and displayed it.  (Note that only psd.c in the source is affected by this update).  Didn't have any issues before or after the update.  Tested on Mageia 4 i586.

Comment 7 William Kenney 2014-02-21 16:14:28 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
imagemagick

default updated install of imagemagick

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.mga4.i586 is already installed

[wilcal@localhost Pictures]$ convert desktop.png desktop.jpg
works just fine

install imagemagick from updates_testing

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.1.mga4.i586 is already installed

[wilcal@localhost Pictures]$ convert desktop.png desktop.jpg
works just fine

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

CC: (none) => wilcal.int
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK

Comment 8 William Kenney 2014-02-21 16:15:36 CET
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
imagemagick

default updated install of imagemagick

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.mga4.x86_64 is already installed

[wilcal@localhost Pictures]$ convert desktop.png desktop.jpg
works just fine

install imagemagick from updates_testing

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.1.mga4.x86_64 is already installed

[wilcal@localhost Pictures]$ convert desktop.png desktop.jpg
works just fine

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OK

Comment 9 William Kenney 2014-02-21 16:16:01 CET
For me this update works fine.
Go ahead and push it.

Comment 10 Rémi Verschelde 2014-02-21 16:34:27 CET
Validating update, advisory uploaded. Please push to 3 & 4 core/updates.

CC: (none) => remi

Rémi Verschelde 2014-02-21 16:34:38 CET

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OK advisory
CC: (none) => sysadmin-bugs

Comment 11 Thomas Backlund 2014-02-21 19:26:44 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0087.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 12 Lewis Smith 2014-02-21 22:02:16 CET
Tested MGA4 64 re

CC: (none) => lewyssmith

Comment 13 Lewis Smith 2014-02-21 22:13:56 CET
Comment 12 irrelevant.
Tested MGA4 64 real hardware OK.
Further to comments 8 & 9 (again working in parallel).

Installed current ImageMagick, tried it [display + playing] on several psd images.
Updated from Testing to
imagemagick-6.8.7.0-2.1.mga4
lib64magick++-6Q16_3-6.8.7.0-2.1.mga4
lib64magick-6Q16_1-6.8.7.0-2.1.mga4
perl-Image-Magick-6.8.7.0-2.1.mga4
Ran lots of tests directly on psd images for the clever perl script ex comment 5
 http://www.imagemagick.org/source/examples.pl
plus directly from 'display' menu possibilities. Apart from a few enigmas, all works fine. Converted different psd images to png, jpg, tiff, bmp, gif OK. Note that if the source image is multi-layer, it produces unique additional files for each layer.

Confirm MGA4-64-OK

David Walser 2014-02-24 23:03:27 CET

URL: (none) => http://lwn.net/Vulnerabilities/588051/

