Bug 24761 - imagemagick new security issues CVE-2018-16412, CVE-2019-739[56], CVE-2019-9956, CVE-2019-1100[7-9]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-05-03 20:57 CEST by David Walser
Modified: 2019-06-10 21:18 CEST

See Also:
Source RPM: imagemagick
CVE:
Status comment:


Attachments
perl script which runs the whole gamut of IM functions on two test images. (11.82 KB, application/x-perl)
2019-06-08 00:04 CEST, Len Lawrence

Comment 1 David Walser 2019-05-03 21:20:59 CEST
openSUSE advisory from today (May 3):
https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00006.html
Comment 2 David Walser 2019-05-03 21:21:12 CEST
Alternate link:
https://lists.opensuse.org/opensuse-updates/2019-05/msg00023.html
Comment 3 Marja Van Waes 2019-05-03 21:33:49 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing some committers.

CC: (none) => geiger.david68210, marja11, nicolas.salguero, shlomif, smelror
Assignee: bugsquad => pkg-bugs

Comment 4 Nicolas Salguero 2019-06-07 11:17:40 CEST
I checked all those CVEs and only CVE-2019-1100[7-9] did not seem to already be fixed in ImageMagick-6.9.10-36.

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Fixed a heap-based buffer overflow in ReadMNGImage(). (CVE-2019-11007)

Fixed a heap-based buffer overflow in WriteXWDImage(). (CVE-2019-11008 and CVE-2019-11009)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11007
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11008
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11009
https://lists.opensuse.org/opensuse-updates/2019-04/msg00067.html
http://lists.suse.com/pipermail/sle-security-updates/2019-April/005358.html
http://lists.suse.com/pipermail/sle-security-updates/2019-April/005366.html
https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00006.html
https://lists.opensuse.org/opensuse-updates/2019-05/msg00023.html
========================

Updated packages in core/updates_testing:
========================
imagemagick-6.9.10.48-1.mga6
imagemagick-desktop-6.9.10.48-1.mga6
lib(64)magick-6Q16_6-6.9.10.48-1.mga6
lib(64)magick++-6Q16_8-6.9.10.48-1.mga6
lib(64)magick-devel-6.9.10.48-1.mga6
perl-Image-Magick-6.9.10.48-1.mga6
imagemagick-doc-6.9.10.48-1.mga6

from SRPMS:
imagemagick-6.9.10.48-1.mga6.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 5 Len Lawrence 2019-06-07 23:42:00 CEST
mga6, x86_64

For the POC used the images downloaded for bug 24766.

*Before updates*

CVE-2019-11007
$ convert heap_buffer_overflow_in_ReadMNGImage out
$ file out
out: MNG video data, 1 x 1

CVE-2019-11008
$ convert heap_buffer_overflow_ReadXWDImag /dev/null
convert: no decode delegate for this image format `' @ error/constitute.c/ReadImage/560.
$ identify heap_buffer_overflow_WRITE_in_WriteXWDImage
identify: no decode delegate for this image format `' @ error/constitute.c/ReadImage/560.

CVE-2019-11009
$ identify heap_buffer_overflow_ReadXWDImag
identify: no decode delegate for this image format `' @ error/constitute.c/ReadImage/560.

Updated the seven packages.

Checked the POC; no difference in the output messages after updating, which probably means that the issues had already been taken care of.

Ran a few utility tests on images used in earlier IM tests.  All behaved as expected.

Image conversion and vignetting.
$ convert TatianaMaslany.jpg -background grey44 -vignette 0x5 Maslany.png

Make a squashed image of a TIFF in JPEG format, with approximately the same area.
$ identify Ikapati.tif
Ikapati.tif TIFF 1024x1024 1024x1024+0+0 8-bit Grayscale Gray 1.00118MiB 0.000u 0:00.012
$ convert -resize 120%x80% Ikapati.tif ikapati.jpg
$ identify ikapati.jpg
ikapati.jpg JPEG 1229x819 1229x819+0+0 8-bit Gray 256c 366559B 0.000u 0:00.000

Modify an image in place.  Apply a series of rotations and reflections which restore the image to its original state.
$ mogrify -rotate 270 newbridge.tif
$ mogrify -flip newbridge.tif
$ mogrify -flop newbridge.tif
$ mogrify -rotate -90 newbridge.tif

Create a coloured bar which displays nearly all the colours of the optical spectrum.
$ convert -size 60x500 gradient:'#FFF-#0FF' -rotate 90 -set colorspace HSB -colorspace RGB rainbow_2.jpg

Create a panel shaded diagonally from blue to black.
$ convert -size 400x200 xc: -sparse-color barycentric '0,0 skyblue  -%w,%h skyblue  %w,%h black' diagonal_gradient.jpg

Create a montage consisting of thumbnails of the 10 referenced images in a 4x3 mosaic.
$ montage -adjoin lakedistrict51?.gif lakes.gif

Create a rose pink rectangle.
$ convert -size 200x160 canvas:MistyRose rose.png

Create a square shaded vertically from tomato-red to blue.
$ convert -size 200x200 gradient:tomato-steelblue gradient_5.jpg

That should do for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
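
Added example, not part of the bug report or the tester's own scripts: a small POSIX shell harness for this kind of before/after PoC check. It records, per file, whether the tool decoded it, rejected it, never selected a decoder for it (the "no decode delegate" message seen above), or crashed. The function names and the tab-separated result format are assumptions of this example; crash detection relies on the shell's 128+signal exit convention and on the "AddressSanitizer" banner printed by an instrumented build.

```sh
#!/bin/sh
# Added example: triage how an image tool handled a PoC file.
# Usage: classify_run FILE CMD [ARGS...]    e.g. classify_run sample.mng identify
# Prints one tab-separated line: <verdict> <exit-code> <file>
classify_run() {
    cr_file=$1; shift
    cr_rc=0
    # Keep stderr (diagnostics), discard stdout (image metadata).
    cr_err=$("$@" "$cr_file" 2>&1 >/dev/null) || cr_rc=$?
    if [ "$cr_rc" -gt 128 ]; then
        cr_verdict=crashed                  # killed by a signal (128 + signal number)
    elif [ "$cr_rc" -eq 0 ]; then
        cr_verdict=decoded                  # a coder parsed the file without error
    else
        case $cr_err in
            *AddressSanitizer*)     cr_verdict=crashed ;;     # instrumented build caught a memory error
            *"no decode delegate"*) cr_verdict=not-parsed ;;  # format not recognised, no coder ran
            *)                      cr_verdict=rejected ;;    # a coder ran and refused the input
        esac
    fi
    printf '%s\t%s\t%s\n' "$cr_verdict" "$cr_rc" "$cr_file"
}

# changed_verdicts BEFORE AFTER
# BEFORE and AFTER are files of classify_run output (pre- and post-update).
# Prints every file whose verdict differs between the two runs.
changed_verdicts() {
    awk -F'\t' '
        NR == FNR { v[$3] = $1; next }
        ($3 in v) && v[$3] != $1 { print $3 ": " v[$3] " -> " $1 }
    ' "$1" "$2"
}

# Classify any files named on the command line with identify.
for cr_f in "$@"; do
    classify_run "$cr_f" identify
done
```

Save the output of one run before the update and one after, then pass both files to changed_verdicts; a file that stays "not-parsed" in both runs never reached the coder named in the CVE.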

Comment 6 Len Lawrence 2019-06-08 00:04:20 CEST
Created attachment 11073
perl script which runs the whole gamut of IM functions on two test images.

Test images are smile.gif and model.gif but these can be edited in the script.
Comment 7 Thomas Andrews 2019-06-09 14:30:02 CEST
Validating. Suggested advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-06-10 19:54:53 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 8 Mageia Robot 2019-06-10 21:18:06 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0186.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

