Bug 23156 - imagemagick (possible) new security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-08 20:35 CEST by David Walser
Modified: 2018-06-16 20:21 CEST (History)
CC: 4 users

See Also:
Source RPM: imagemagick-6.9.9.41-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2018-06-08 20:35:49 CEST
openSUSE has issued an advisory on May 11:
https://lists.opensuse.org/opensuse-updates/2018-05/msg00026.html

I'm not sure if any of the issues are still unfixed after our last update.
Comment 1 David Walser 2018-06-08 22:10:03 CEST
Similar for the Debian advisory from May 18:
https://www.debian.org/security/2018/dsa-4204
Comment 2 David Walser 2018-06-12 22:43:53 CEST
Similar for the Ubuntu advisory from today (June 12):
https://usn.ubuntu.com/3681-1/
Comment 3 Stig-Ørjan Smelror 2018-06-13 20:45:54 CEST
Advisory
========

Imagemagick has been updated to version 6.9.10.0 to fix several bugs and possible security issues.

- Fixed numerous use of uninitialized values, integer overflow, memory exceeded, and timeouts
- Missing break when checking "compliance" element.
- Fixed errant 'not enough pixel data' (reference https://github.com/ImageMagick/ImageMagick/issues/1133)
- Fixed memory corruption for MVG paths
- A SVG rectangle with a width and height of 1, is a point
- Properly initialize SVG color style
- Heap buffer overflow fix (reference https://github.com/ImageMagick/ImageMagick/issues/1156)

References
==========
https://lists.opensuse.org/opensuse-updates/2018-05/msg00026.html
https://www.debian.org/security/2018/dsa-4204
https://usn.ubuntu.com/3681-1/
https://legacy.imagemagick.org/script/changelog.php


Files
=====

Uploaded to core/updates_testing

imagemagick-6.9.10.0-1.mga6
imagemagick-doc-6.9.10.0-1.mga6
perl-Image-Magick-6.9.10.0-1.mga6
lib64magick-devel-6.9.10.0-1.mga6
lib64magick++-6Q16_8-6.9.10.0-1.mga6
lib64magick-6Q16_6-6.9.10.0-1.mga6
imagemagick-desktop-6.9.10.0-1.mga6

from imagemagick-6.9.10.0-1.mga6.src.rpm

Assignee: smelror => qa-bugs

Comment 4 Len Lawrence 2018-06-14 17:55:35 CEST
Mageia 6, x86_64
Undertook search for reproducers before updating, following links at https://lists.opensuse.org/opensuse-updates/2018-05/msg00026.html

CVE-2017-10928
https://bugzilla.suse.com/show_bug.cgi?id=1047356
Turned out to be gzipped.  Used ark to extract it.
$ identify imagemagick-heap-buffer-overflow-4.svg.uncompressed 
imagemagick-heap-buffer-overflow-4.svg.uncompressed SVG 128x128 128x128+0+0 16-bit sRGB 16384B 0.010u 0:00.009

Does not crash so maybe already fixed.
--------------------------------------------------------------
CVE-2017-14325
https://github.com/ImageMagick/ImageMagick/issues/741
$ file *.icon
im_poc_1504841049.icon: MS Windows icon resource - 1 icon, 24x7, 2 colors
$ convert im_poc_1504841049.icon output.mpc
convert: insufficient image data in file `im_poc_1504841049.icon' @ error/icon.c/ReadICONImage/404.
convert: no images defined `output.mpc' @ error/convert.c/ConvertImageCommand/3258.
(convert output.mpc output.art)
--------------------------------------------------------------
CVE-2017-17887
https://github.com/ImageMagick/ImageMagick/issues/903
$ convert memory-leaks-wYQ0gKxwmALb50pqSNuH0mMtB2nGc6DL.mng /dev/null
Expected a message such as "cache resources exhausted" but there was nothing.
$ valgrind --leak-check=full --show-leak-kinds=all convert memory-leaks-wYQ0gKxwmALb50pqSNuH0mMtB2nGc6DL.mng /dev/null
This returned 1 error and 20 loss records.
--------------------------------------------------------------
CVE-2017-1825{0,1,2,4}
No reproducer
--------------------------------------------------------------
CVE-2018-10177
https://bugzilla.suse.com/show_bug.cgi?id=1089781
$ convert imagemagick_7-0-7_convert_infinite-loop_ReadOneMNGImage.mng foo.png
Hangs forever, as expected.  GM has the same issue but may need a different patch.
--------------------------------------------------------------
CVE-2018-8960
$ wget https://github.com/ImageMagick/ImageMagick/files/1806047/tif_heap-buffer-overflow.zip
$ unzip tif_heap-buffer-overflow.zip
$ convert tif_heap-buffer-overflow dev/null
convert: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/913.
convert: Incorrect count for "StripOffsets"; tag ignored. `TIFFFetchStripThing' @ warning/tiff.c/TIFFWarnings/913.
convert: Incorrect count for "StripByteCounts"; tag ignored. `TIFFFetchStripThing' @ warning/tiff.c/TIFFWarnings/913.
convert: Incorrect count for "ColorMap"; tag ignored. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/913.
convert: Not enough data for scanline 0, expected a request for at most 152 bytes, got a request for 1024 bytes. `DumpModeDecode' @ error/tiff.c/TIFFErrors/569.
convert: Read error at scanline 0; got 408 bytes, expected 1024. `TIFFReadEncodedStrip' @ error/tiff.c/TIFFErrors/569.
convert: Invalid strip byte count 0, strip 1. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/569.
--------------------------------------------------------------
CVE-2018-9018
https://sourceforge.net/p/graphicsmagick/bugs/554/
$ identify graphicsmagick_1-3-28_identify_divide-by-zero_ReadMNGImage.mng
graphicsmagick_1-3-28_identify_divide-by-zero_ReadMNGImage.mng MNG 160x120 160x120+0+0 16-bit sRGB 0.000u 0:00.000
This matches the "before" report at https://bugzilla.suse.com/show_bug.cgi?id=1086773 for ImageMagick version 6.9.9-40.  We have imagemagick-6.9.9.41-1.mga6 here before updating.  Other possible returns were FPE or Divide-by-zero.
--------------------------------------------------------------
CVE-2018-9135
https://bugzilla.suse.com/show_bug.cgi?id=1087825
$ identify poc.9135
poc.9135 WEBP 1610x4378 1610x4378+0+0 8-bit sRGB 1619B 0.000u 0:00.000
$ valgrind identify -verbose poc.9135
The output contains the line:
identify: corrupt image `poc.9135' @ error/webp.c/ReadWEBPImage/333.
which matches the report at the above link.
--------------------------------------------------------------

Update report later.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2018-06-14 21:48:40 CEST
Clean update of all the packages.

PoC tests:

CVE-2017-10928
No change - so it probably had already been fixed.

CVE-2017-14325
Same output.  Probably fixed already.

CVE-2017-17887
valgrind output is the same.

CVE-2018-10177
This still hangs - maybe no patch.

CVE-2018-8960
Same output.

CVE-2018-9018
identify: corrupt image `graphicsmagick_1-3-28_identify_divide-by-zero_ReadMNGImage.mng' @ error/png.c/ReadOneMNGImage/5253.
That is a definite positive result.

CVE-2018-9135
identify poc.9135
No change in the output and valgrind still identifies the image as corrupt and does not return image parameters.  identify by itself does.
One would expect identify to state that the image is corrupt if the patch works, and not return any parameter values.

Summarizing, we have not gained very much from this exercise.  Some issues may be historic.  One patch is definitely successful and some issues may still be open.

Utility tests to follow.
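The before/after PoC runs in comments 4 and 5 were done by hand: run identify or convert on each file, watch for a crash, a hang, an error message or a clean parse, then repeat after the update. The script below is an added example (not from this bug report, the QA testers or the ImageMagick project) that mechanises that comparison. It assumes `identify` from ImageMagick and the coreutils `timeout` command are on PATH, and the PoC directory, the ten-second budget and the `-limit` values are assumptions chosen for a QA box, not values taken from the page.

```shell
#!/bin/sh
# Added example: run ImageMagick over a directory of proof-of-concept files
# and classify each outcome so that a pre-update and post-update run can be
# diffed. Assumes `identify` and coreutils `timeout` are installed.

# Seconds allowed per file before the run counts as a hang (the
# CVE-2018-10177 MNG loop in comment 4 never terminates). Assumed value.
POC_TIMEOUT=${POC_TIMEOUT:-10}

# Map the exit status of `timeout ... identify` to a one-word verdict.
#   0      -> ok        (file parsed and parameters printed)
#   1      -> rejected  (ImageMagick reported an error and refused the file,
#                        e.g. "insufficient image data" or "corrupt image")
#   124    -> hang      (timeout expired)
#   128+N  -> crash     (killed by signal N: 139 = SIGSEGV, 134 = SIGABRT)
classify_exit() {
    case "$1" in
        0)   echo ok ;;
        1)   echo rejected ;;
        124) echo hang ;;
        *)   if [ "$1" -gt 128 ]; then
                 echo "crash(sig$(( $1 - 128 )))"
             else
                 echo "unknown($1)"
             fi ;;
    esac
}

# Run identify on one file under a wall-clock limit and ImageMagick's own
# resource caps, capturing stderr beside the file for later inspection.
# Prints "<verdict><TAB><file>".
check_poc() {
    file=$1
    timeout -k 2 "$POC_TIMEOUT" \
        identify -limit memory 256MiB -limit map 512MiB -limit time "$POC_TIMEOUT" \
        "$file" >/dev/null 2>"$file.stderr"
    status=$?
    printf '%s\t%s\n' "$(classify_exit "$status")" "$file"
}

# Walk a directory of PoC files. Each line of output is one verdict; the
# return value is the number of files that hung or crashed, so the script
# can gate a QA run. "rejected" counts as good: the parser refused the input.
check_dir() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        verdict=$(check_poc "$f")
        echo "$verdict"
        case "$verdict" in
            ok*|rejected*) ;;
            *) bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Usage: sh poc-check.sh /path/to/poc-files > before.txt
#        (update imagemagick)
#        sh poc-check.sh /path/to/poc-files > after.txt ; diff before.txt after.txt
if [ -n "$1" ]; then
    check_dir "$1"
fi
```

Run it once before and once after installing the update and diff the two outputs: a file that moves from `hang` or `crash(sig11)` to `rejected` is the kind of result comment 5 reports for CVE-2018-9018, while a file that stays `ok` both times (as with the CVE-2017-10928 SVG above) tells you the sample no longer exercises the bug on this build. The `-limit` options are ImageMagick's built-in resource caps and are a sensible default on any host that parses untrusted images, independent of this test.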
Comment 6 Len Lawrence 2018-06-15 00:10:28 CEST
Took the lazy way out and ran the tests outlined in bug 19078.
The examples.pl script discovered by Lewis did not work, because of some problem with Perl I think.

$ identify JessicaAlba.tif
JessicaAlba.tif TIFF 600x448 600x448+0+0 8-bit sRGB 806716B 0.000u 0:00.009

Image conversion and vignetting.
$ convert TatianaMaslany.jpg -background grey44 -vignette 0x5 Maslany.png
$ display Maslany.png

Make a squashed image of a TIFF in JPEG format, with approximately the same area.
$ identify Ikapati.tif
Ikapati.tif TIFF 1024x1024 1024x1024+0+0 8-bit Grayscale Gray 1.00118MiB 0.000u 0:00.000
$ convert -resize 120%x80% Ikapati.tif ikapati.jpg 
$ identify ikapati.jpg
ikapati.jpg JPEG 1229x819 1229x819+0+0 8-bit Gray 256c 365436B 0.000u 0:00.000

Hide a message in an image.
$ convert -gravity center -size 480x100 label:"Good morning QA" message.png
$ composite message.png SantaMaria.png -stegano +15+2 crater.png
$ display crater.png
$ convert -size 480x100+15+2 stegano:crater.png secret.png
$ display secret.png
This says "Good morning QA".  crater.png and SantaMaria.png look the same when displayed.

Modify an image in place.  Apply a series of rotations and reflections which restore the image to its original state.
$ mogrify -rotate 270 newbridge.tif
$ mogrify -flip newbridge.tif
$ mogrify -flop newbridge.tif
$ mogrify -rotate -90 newbridge.tif

Convert can be used to create images as well and it can make use of builtin objects.
Create a coloured bar which displays nearly all the colours of the optical spectrum.
$ convert -size 60x500 gradient:'#FFF-#0FF' -rotate 90 -set colorspace HSB -colorspace RGB rainbow_2.jpg

Create a panel shaded diagonally from blue to black.
$ convert -size 400x200 xc: -sparse-color barycentric '0,0 skyblue  -%w,%h skyblue  %w,%h black' diagonal_gradient.jpg

Create a montage consisting of thumbnails of the 10 referenced images.
$ montage -adjoin lakedistrict32?.gif lakes.gif

Create a rose pink rectangle.
$ convert -size 200x160 canvas:MistyRose rose.png

Create a square shaded vertically from tomato-red to blue.
$ convert -size 100x100  gradient:tomato-steelblue gradient_5.jpg

A rose in a blue frame.
$ convert rose: -fill none -stroke navy -strokewidth 11 -draw 'rectangle 0,0 69,45' borderrose.jpg

Create an image of a rose with a bevelled border.
$ convert rose: -raise 5 framed_rose.png

$ convert LochLubnaig_4.jpg GlenShiel_7.jpg -composite scotland.jpg
This overlays a picture of a glen on an image of a lake, the smaller image in the top left-hand corner.

You could go on and on with this but these operations would indicate that IM is functioning normally.
Comment 7 Len Lawrence 2018-06-15 19:37:40 CEST
Also checked the animate function of ImageMagick, running an animation of several images and also building a stacked frame image and animating that by specifying a delay interval.  That all worked as intended.

Re comment 0.  Have made no comparisons with previous bug tests regarding fixed or unfixed issues.  Would that be worth doing?
Comment 8 William Kenney 2018-06-16 00:02:21 CEST
In VirtualBox, M6, MATE, 32-bit

Package(s) under test:
imagemagick imagemagick-desktop

default install of imagemagick & imagemagick-desktop

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.9.41-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.9.41-1.mga6.i586 is already installed

I can open files (jpeg, png, bmp) with imagemagick, enhance and modify
those files then save them under a different name. Those saved files can be
opened with gimp.

install imagemagick & imagemagick-desktop from updates_testing

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.10.0-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.10.0-1.mga6.i586 is already installed

I can open different files with imagemagick, modify those files then save
them under a different name. Those saved files can be opened with gimp.
I can open the previously created image files.

CC: (none) => wilcal.int

Comment 9 William Kenney 2018-06-16 00:19:46 CEST
In VirtualBox, M6, MATE, 64-bit

Package(s) under test:
imagemagick imagemagick-desktop

default install of imagemagick & imagemagick-desktop

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.9.41-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.9.41-1.mga6.x86_64 is already installed

I can open files (jpg, png, gif) with imagemagick, enhance and modify
those files then save them under a different name. Those saved files can be
opened with gimp.

install imagemagick & imagemagick-desktop from updates_testing

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.10.0-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.10.0-1.mga6.x86_64 is already installed

I can open different files with imagemagick, modify those files then save
them under a different name. Those saved files can be opened with gimp.
I can open the previously created image files.
Comment 10 William Kenney 2018-06-16 00:20:13 CEST
Good to go Len.

Whiteboard: (none) => MGA6-32-OK MGA6-64-O

William Kenney 2018-06-16 00:20:27 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 Len Lawrence 2018-06-16 02:19:51 CEST
Right you are Bill.

Whiteboard: MGA6-32-OK MGA6-64-O => MGA6-32-OK MGA6-64-OK

Thomas Backlund 2018-06-16 10:42:02 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 12 Mageia Robot 2018-06-16 11:29:26 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0285.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 13 Len Lawrence 2018-06-16 20:21:36 CEST
Re comment 6.
examples.pl is for use with Perl::Magick.
