Bug 24614 - imagemagick new security issues CVE-2019-10649 and CVE-2019-10650
Summary: imagemagick new security issues CVE-2019-10649 and CVE-2019-10650
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2019-04-03 12:53 CEST by Nicolas Salguero
Modified: 2019-08-11 20:14 CEST

See Also:
Source RPM: imagemagick-
CVE: CVE-2019-10649, CVE-2019-10650
Status comment:


Description Nicolas Salguero 2019-04-03 12:53:24 CEST

imagemagick before 7.0.8-36 (and 6.9.10-36 for Mageia 6) is affected by CVE-2019-10649 and CVE-2019-10650.


Best regards,

Nicolas Salguero 2019-04-03 12:54:21 CEST

Source RPM: (none) => imagemagick-
Whiteboard: (none) => MGA6TOO
CVE: (none) => CVE-2019-10649, CVE-2019-10650

Comment 1 Nicolas Salguero 2019-04-03 12:58:12 CEST
Suggested advisory:

The updated packages fix security vulnerabilities:

In ImageMagick 7.0.8-36 Q16, there is a memory leak in the function SVGKeyValuePairs of coders/svg.c, which allows an attacker to cause a denial of service via a crafted image file. (CVE-2019-10649)

In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file. (CVE-2019-10650)


Updated packages in core/updates_testing:

from SRPMS:

Version: Cauldron => 6
Source RPM: imagemagick- => imagemagick-
Whiteboard: MGA6TOO => (none)
Assignee: bugsquad => qa-bugs

Comment 2 Len Lawrence 2019-04-04 20:18:20 CEST
mga6, x86_64

$ valgrind --leak-check=full convert view /dev/null
==14911== ERROR SUMMARY: 34 errors from 34 contexts (suppressed: 0 from 0)
view is an SVG image which displays as a small blank white square.

Leads to heap_buffer_overflow_WriteTIFFImage.tiff

$ convert heap_buffer_overflow_WriteTIFFImage.tiff /dev/null
convert: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/943.
convert: Too large strip byte count 2130706437, strip 0. Limiting to 4116. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/608.
convert: Read error at scanline 4294967295; got 1168 bytes, expected 4116. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/608.
convert: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/943.
convert: Unknown field with tag 1024 (0x400) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/943.
convert: TIFF directory is missing required "StripOffsets" field. `MissingRequired' @ error/tiff.c/TIFFErrors/608.

Updated and ran POC again.
- imagemagick-
- imagemagick-desktop-
- imagemagick-doc-
- lib64magick++-6Q16_8-
- lib64magick-6Q16_6-
- lib64magick-devel-
- perl-Image-Magick-

*After updates*

$ valgrind --leak-check=full convert view /dev/null
==32310== ERROR SUMMARY: 36 errors from 36 contexts (suppressed: 0 from 0)
Error count 2 greater.

$ convert heap_buffer_overflow_WriteTIFFImage.tiff /dev/null
This returned the same information as before so it is likely that the vulnerabilities had already been fixed.

Utility tests later.

CC: (none) => tarazed25
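
An added example, not part of the bug report or of Mageia's QA tooling: one way to compare a before-update and an after-update valgrind run, like the pair in comment 2, by the "definitely lost" figure in valgrind's LEAK SUMMARY. The log contents and file names are constructed samples.

```shell
#!/bin/sh
# Added example: compare leaked bytes between two valgrind logs.
# Every log line below is a constructed sample, not output from the bug.

# Print the "definitely lost" byte count from a valgrind log on stdin:
# 0 if valgrind says all heap blocks were freed, "unknown" if neither appears.
leak_bytes() {
    awk '
        /definitely lost:/ {
            for (i = 1; i < NF; i++)
                if ($i == "lost:") { v = $(i + 1); gsub(/,/, "", v); print v; found = 1; exit }
        }
        /All heap blocks were freed/ { print 0; found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# Classify a before/after pair of logs:
# fixed (after leaks 0 bytes), reduced, not-reduced, or inconclusive.
compare_leaks() {
    before=$(leak_bytes < "$1")
    after=$(leak_bytes < "$2")
    case "$before $after" in *unknown*) echo inconclusive; return 0 ;; esac
    if [ "$after" -eq 0 ]; then echo fixed
    elif [ "$after" -lt "$before" ]; then echo reduced
    else echo not-reduced
    fi
}

tmp=$(mktemp -d)
cat > "$tmp/before.log" <<'EOF'
==1001== LEAK SUMMARY:
==1001==    definitely lost: 4,120 bytes in 3 blocks
==1001==    indirectly lost: 0 bytes in 0 blocks
==1001== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
EOF
cat > "$tmp/after.log" <<'EOF'
==1002== All heap blocks were freed -- no leaks are possible
==1002== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
EOF
cat > "$tmp/truncated.log" <<'EOF'
==1003== Memcheck, a memory error detector
EOF

echo "before -> after: $(compare_leaks "$tmp/before.log" "$tmp/after.log")"
```

Real logs for the two runs can be captured with valgrind's `--log-file=<file>` option and passed to `compare_leaks` in place of the sample files.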

Comment 3 Len Lawrence 2019-04-05 09:53:04 CEST
Following on from comment 2:

Ran the usual battery of tests to exercise display, convert, mogrify and identify on local image collection.

$ identify GlenShiel*
GlenShiel_0.jpg JPEG 2048x1536 2048x1536+0+0 8-bit sRGB 1.08993MiB 0.000u 0:00.009
GlenShiel_9.jpg JPEG 3008x2000 3008x2000+0+0 8-bit sRGB 3.1408MiB 0.000u 0:00.000
GlenShiel_greyscale.tif TIFF 2304x1728 2304x1728+0+0 8-bit Grayscale Gray 3.80156MiB 0.000u 0:00.010

Image conversion and vignetting.
$ convert TatianaMaslany.jpg -background grey44 -vignette 0x5 Maslany.png
$ display Maslany.png

$ identify Ikapati.tif
Ikapati.tif TIFF 1024x1024 1024x1024+0+0 8-bit Grayscale Gray 1.00118MiB 0.000u 0:00.000
$ convert -resize 120%x80% Ikapati.tif ikapati.jpg 
$ identify ikapati.jpg
ikapati.jpg JPEG 1229x819 1229x819+0+0 8-bit Gray 256c 365436B 0.000u 0:00.000

$ convert -gravity center -size 480x100 label:"Hello World!" message.png
$ composite message.png SantaMaria.png -stegano +15+2 crater.png
$ display crater.png
Image showed no changes.
Extract message from image:
$ convert -size 480x100+15+2 stegano:crater.png secret.png
$ display secret.png
"Hello World!" on cue.

Modify an image in place.  Apply a series of rotations and reflections which restore the image to its original state.
$ mogrify -rotate 270 newbridge.tif
$ mogrify -flip newbridge.tif
$ mogrify -flop newbridge.tif
$ mogrify -rotate -90 newbridge.tif

Create an image.
$ convert -size 60x500 gradient:'#FFF-#0FF' -rotate 90 -set colorspace HSB -colorspace RGB rainbow_2.jpg

Create a panel shaded diagonally from blue to black.
$ convert -size 400x200 xc: -sparse-color barycentric '0,0 skyblue  -%w,%h skyblue  %w,%h black' diagonal_gradient.jpg

Create a square shaded vertically from tomato-red to blue.
$ convert -size 200x200  gradient:tomato-steelblue gradient_6.jpg

Create a montage consisting of thumbnails of the 10 referenced images.
$ montage -adjoin GlenShiel_?.jpg tenlakes.png
Displayed as thumbnails in rows of four (4,4,2).

$ convert rose: -fill none -stroke navy -strokewidth 11 -draw 'rectangle 0,0 69,45' borderrose.jpg

$ convert LochLubnaig_9.jpg TatianaMaslany.jpg -composite overlay.jpg
$ display overlay.jpg
Shows a smaller image in the top left-hand corner superimposed on a larger image.

Working as well as always.  OK for 64-bits.

Whiteboard: (none) => MGA6-64-OK

Comment 4 Thomas Andrews 2019-04-10 03:07:57 CEST
Sounds good, Len. Validating. Suggested advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2019-04-10 22:00:26 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2019-04-10 23:26:47 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Comment 6 David Walser 2019-08-11 20:14:08 CEST
This update also fixed CVE-2019-9956:

CC: (none) => luigiwalser
