openSUSE has issued an advisory on December 29: https://lists.opensuse.org/opensuse-updates/2018-12/msg00148.html The issues were fixed after 1.3.31.
Summary: graphicsmagick new security issues CVE-2018-20184 CVE-2018-20189 => graphicsmagick new security issues CVE-2018-2018[49]
CC: (none) => smelror
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing some more committers.
CC: (none) => geiger.david68210, guillomovitch, marja11, nicolas.salguero, shlomif
Assignee: bugsquad => pkg-bugs
Mike, just FYI you pushed the graphicsmagick update to the wrong repo (backports instead of core).
CC: (none) => mrambo
(Yep - doing too many things at once, but it should be getting fixed)

Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated graphicsmagick package fixes security vulnerabilities:

It was discovered that graphicsmagick was subject to two vulnerabilities.

* heap-based buffer overflow in the WriteTGAImage function of tga.c (CVE-2018-20184).
* denial of service vulnerability in ReadDIBImage function of coders/dib.c (CVE-2018-20189).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20184
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20189
https://lists.opensuse.org/opensuse-updates/2018-12/msg00148.html
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-doc-1.3.31-1.2.mga6.noarch.rpm
graphicsmagick-1.3.31-1.2.mga6
lib64graphicsmagick++12-1.3.31-1.2.mga6
lib64graphicsmagick3-1.3.31-1.2.mga6
lib64graphicsmagick-devel-1.3.31-1.2.mga6
lib64graphicsmagickwand2-1.3.31-1.2.mga6
perl-Graphics-Magick-1.3.31-1.2.mga6

from graphicsmagick-1.3.31-1.2.mga6.src.rpm

Testing procedure: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
Assignee: pkg-bugs => qa-bugs
Keywords: (none) => has_procedure
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
SUSE has issued an advisory on January 3: http://lists.suse.com/pipermail/sle-security-updates/2019-January/005014.html CVE-2018-20185 is new and also appears to have been fixed post-1.3.31: https://bugzilla.suse.com/show_bug.cgi?id=1119823
Assignee: qa-bugs => pkg-bugs
Summary: graphicsmagick new security issues CVE-2018-2018[49] => graphicsmagick new security issues CVE-2018-2018[459]
CC: (none) => qa-bugs
Assignee: pkg-bugs => mrambo
Patched package uploaded for cauldron and Mageia 6.

Revised Advisory:
========================

Updated graphicsmagick package fixes security vulnerabilities:

It was discovered that graphicsmagick was subject to vulnerabilities.

* heap-based buffer overflow in the WriteTGAImage function of tga.c (CVE-2018-20184).
* denial of service vulnerability in ReadDIBImage function of coders/dib.c (CVE-2018-20189).
* heap-based buffer over-read in the ReadBMPImage function of bmp.c (CVE-2018-20185).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20184
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20189
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20185
https://lists.opensuse.org/opensuse-updates/2018-12/msg00148.html
http://lists.suse.com/pipermail/sle-security-updates/2019-January/005014.html
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-doc-1.3.31-1.3.mga6.noarch.rpm
graphicsmagick-1.3.31-1.3.mga6
lib64graphicsmagick++12-1.3.31-1.3.mga6
lib64graphicsmagick3-1.3.31-1.3.mga6
lib64graphicsmagick-devel-1.3.31-1.3.mga6
lib64graphicsmagickwand2-1.3.31-1.3.mga6
perl-Graphics-Magick-1.3.31-1.3.mga6

from graphicsmagick-1.3.31-1.3.mga6.src.rpm

Testing procedure: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
Assignee: mrambo => qa-bugs
CVE-2018-20184, best reference: https://sourceforge.net/p/graphicsmagick/bugs/583/ has useful info, with a POC file at:
https://sourceforge.net/p/graphicsmagick/bugs/583/attachment/buffer-overflow-WriteTGAImage
to use:
$ gm convert heap-buffer-overflow-WriteTGAImage test.tga

CVE-2018-20189 https://sourceforge.net/p/graphicsmagick/bugs/585/ has useful test information and a POC file at:
https://sourceforge.net/p/graphicsmagick/bugs/_discuss/thread/3c4cb86b59/2351/attachment/poc.zip
to be used:
$ gm convert $POC 1.mng
but with the enigmatic comment "the poc.png in the zip is a copy of the POC file with another filename and it will not trigger the crash".

CVE-2018-20185 https://sourceforge.net/p/graphicsmagick/bugs/582/ has useful information, including a test file at:
https://sourceforge.net/p/graphicsmagick/bugs/582/attachment/heap-buffer-overflow-readbmpimage
to be used:
$ gm convert ./heap-buffer-overflow-readbmpimage /dev/null
but is it worth it? "Problem (now identified as CVE-2018-20185) is claimed to still exist after my fix. See https://bugzilla.suse.com/show_bug.cgi?id=1119823#c1".

Enough for now.
CC: (none) => lewyssmith
Testing M6 x64

BEFORE update:
graphicsmagick-1.3.31-1.mga6
lib64graphicsmagick3-1.3.31-1.mga6
lib64graphicsmagickwand2-1.3.31-1.mga6
lib64graphicsmagick++12-1.3.31-1.mga6

CVE-2018-20184
$ gm convert buffer-overflow-WriteTGAImage test.tga
*** Error in `gm': free(): invalid next size (fast): 0x000000000238fd30 ***
======= Backtrace: =========
/usr/lib64/libc.so.6(+0x72435)[0x7f10876d3435]
...
======= Memory map: ========
00400000-00401000 r-xp 00000000 08:0b 835940 /usr/bin/gm
...
fffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
gm convert: abort due to signal 6 (SIGABRT) "Abort"...
Aborted (core dumped)

CVE-2018-20189
$ gm convert crash6789012345678901234567890123456.png 1.mng
gm convert: Invalid background palette index (1.mng).
$ gm convert poc.png 1.mng
gm: coders/png.c:7503: WriteOnePNGImage: Assertion `(unsigned long) index < number_colors' failed.
gm convert: abort due to signal 6 (SIGABRT) "Abort"...
Aborted (core dumped)

CVE-2018-20185
$ gm convert heap-buffer-overflow-readbmpimage /dev/null
gm convert: Insufficient image data in file (./heap-buffer-overflow-readbmpimage).

----------------------------------
AFTER update:
graphicsmagick-1.3.31-1.3.mga6
lib64graphicsmagickwand2-1.3.31-1.3.mga6
lib64graphicsmagick3-1.3.31-1.3.mga6
lib64graphicsmagick++12-1.3.31-1.3.mga6

CVE-2018-20184
$ gm convert buffer-overflow-WriteTGAImage test.tga
gm convert: Image column or row size is not supported (test.tga) [No such file or directory].
NO crash, good.

CVE-2018-20189
$ gm convert crash6789012345678901234567890123456.png 1.mng
gm convert: Improper image header (crash6789012345678901234567890123456.png).
Different, looks good.
$ gm convert poc.png 1.mng
gm convert: Improper image header (poc.png).
NO crash; good.

CVE-2018-20185
$ gm convert heap-buffer-overflow-readbmpimage /dev/null
gm convert: Insufficient image data in file (./heap-buffer-overflow-readbmpimage).
Same as before. Ah!
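The before/after runs above can be automated into a crash-regression check that classifies each POC run by exit status. This is an added example, not from the bug report or from GraphicsMagick; it assumes gm is on PATH and that the POC files named in the thread are in the current directory:

```shell
# Crash-regression harness for the QA procedure above (added example, not
# from the bug report or from GraphicsMagick). A process killed by a signal
# exits with 128+signal (134 = SIGABRT, 135 = SIGBUS on Linux); a clean
# rejection of a malformed file is an ordinary non-zero exit. Assumes gm is
# on PATH and the POC files are in the current directory.

# classify_exit STATUS: "ok" for 0, "error" for a normal non-zero exit,
# "crash:<signal>" when the process died from a signal.
classify_exit() {
    if [ "$1" -gt 128 ]; then
        echo "crash:$(($1 - 128))"
    elif [ "$1" -ne 0 ]; then
        echo "error"
    else
        echo "ok"
    fi
}

# run_case LABEL CMD...: run CMD with output discarded, print the
# classification, and return 1 only when CMD crashed.
run_case() {
    label=$1; shift
    "$@" >/dev/null 2>&1
    result=$(classify_exit $?)
    echo "$label: $result"
    case $result in crash:*) return 1 ;; esac
    return 0
}

# The three cases from this thread; any crash makes the whole run fail.
main() {
    fail=0
    run_case CVE-2018-20184 gm convert buffer-overflow-WriteTGAImage test.tga || fail=1
    run_case CVE-2018-20189 gm convert poc.png 1.mng || fail=1
    run_case CVE-2018-20185 gm convert heap-buffer-overflow-readbmpimage /dev/null || fail=1
    return $fail
}
```

Append a call to main to run it before and after installing the update; a non-zero exit means at least one POC still crashes gm.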
I forgot (c6): "In GraphicsMagick 1.4 snapshot-20181209 Q8 on *32-bit platforms*, there is a heap-based buffer over-read in the ReadBMPImage function of bmp.c, which allows attackers to cause a denial of service via a crafted bmp image file. *This only affects GraphicsMagick installations with customized BMP limits.*"

Two restrictions, so not surprising no change. The 32-bit matters here.

@Herman: could you please try just this one POC *before* and *after* the update, 32-bit. Ideally it will behave differently (=OK), but if it does not, no matter. Validate it anyway afterwards.

Advisory done from comment 5.
Keywords: (none) => advisory
Whiteboard: (none) => MGA6-64-OK
CC: (none) => herman.viaene
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues

First installed 1.3.31-1 and
$ gm convert ./heap-buffer-overflow-readbmpimage /dev/null
gm convert: abort due to signal 7 (SIGBUS) "Bus Error"...
Afgebroken (geheugendump gemaakt)
i.e. Aborted (memory dump made)

Then updated to 1.3.31-1.3 and got
$ gm convert ./heap-buffer-overflow-readbmpimage /dev/null
gm convert: abort due to signal 7 (SIGBUS) "Bus Error"...
Afgebroken (geheugendump gemaakt)

I assure you, that's not a copy of the first command, the update did not make a difference here.
(In reply to Herman Viaene from comment #8)
> MGA6-32 MATE on IBM Thinkpad R50e
> I assure you, that's not a copy of the first command, the update did not
> make a difference here.

Thanks for trying, anyway. At least no reversion! All my own +ves justify validation.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0033.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED