Bug 24766 - graphicsmagick new security issues CVE-2019-1100[5-9], CVE-2019-11010, CVE-2019-1147[34] and CVE-2019-1150[56]
Summary: graphicsmagick new security issues CVE-2019-1100[5-9], CVE-2019-11010, CVE-20...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-05-03 21:18 CEST by David Walser
Modified: 2019-06-10 21:18 CEST (History)
CC List: 9 users

See Also:
Source RPM: graphicsmagick-1.3.31-1.4.mga6.src.rpm
CVE:
Status comment:


Attachments
POC tests before and after (4.14 KB, text/plain), 2019-06-07 19:19 CEST, Len Lawrence
Example output from 'gm import' command (114.70 KB, image/png), 2019-06-07 19:51 CEST, Len Lawrence

Description David Walser 2019-05-03 21:18:55 CEST
openSUSE has issued an advisory on April 25:
https://lists.opensuse.org/opensuse-updates/2019-04/msg00188.html

Mageia 6 is also affected.
David Walser 2019-05-03 21:19:00 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-05-03 21:43:20 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing some committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11, mrambo, nicolas.salguero, smelror

Nicolas Salguero 2019-06-07 09:53:24 CEST

Summary: graphicsmagick new security issues CVE-2019-1100[5-9] and CVE-2019-11010 => graphicsmagick new security issues CVE-2019-1100[5-9], CVE-2019-11010, CVE-2019-1147[34] and CVE-2019-1150[56]

Comment 2 Nicolas Salguero 2019-06-07 10:10:24 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a stack-based buffer overflow in the function SVGStartElement of coders/svg.c, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a quoted font family value. (CVE-2019-11005)

In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buffer over-read in the function ReadMIFFImage of coders/miff.c, which allows attackers to cause a denial of service or information disclosure via an RLE packet. (CVE-2019-11006)

In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buffer over-read in the ReadMNGImage function of coders/png.c, which allows attackers to cause a denial of service or information disclosure via an image colormap. (CVE-2019-11007)

In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buffer overflow in the function WriteXWDImage of coders/xwd.c, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (CVE-2019-11008)

In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buffer over-read in the function ReadXWDImage of coders/xwd.c, which allows attackers to cause a denial of service or information disclosure via a crafted image file. (CVE-2019-11009)

In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a memory leak in the function ReadMPCImage of coders/mpc.c, which allows attackers to cause a denial of service via a crafted image file. (CVE-2019-11010)

coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a denial of service (out-of-bounds read and application crash) by crafting an XWD image file, a different vulnerability than CVE-2019-11008 and CVE-2019-11009. (CVE-2019-11473)

coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a denial of service (floating-point exception and application crash) by crafting an XWD image file, a different vulnerability than CVE-2019-11008 and CVE-2019-11009. (CVE-2019-11474)

In GraphicsMagick from version 1.3.8 to 1.4 snapshot-20190403 Q8, there is a heap-based buffer overflow in the function WritePDBImage of coders/pdb.c, which allows an attacker to cause a denial of service or possibly have unspecified other impact via a crafted image file. This is related to MagickBitStreamMSBWrite in magick/bit_stream.c. (CVE-2019-11505)

In GraphicsMagick from version 1.3.30 to 1.4 snapshot-20190403 Q8, there is a heap-based buffer overflow in the function WriteMATLABImage of coders/mat.c, which allows an attacker to cause a denial of service or possibly have unspecified other impact via a crafted image file. This is related to ExportRedQuantumType in magick/export.c. (CVE-2019-11506)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11005
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11006
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11007
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11008
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11009
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11473
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11474
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11505
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11506
https://lists.opensuse.org/opensuse-updates/2019-04/msg00188.html
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.31-1.5.mga6
lib(64)graphicsmagick3-1.3.31-1.5.mga6
lib(64)graphicsmagick++12-1.3.31-1.5.mga6
lib(64)graphicsmagickwand2-1.3.31-1.5.mga6
lib(64)graphicsmagick-devel-1.3.31-1.5.mga6
perl-Graphics-Magick-1.3.31-1.5.mga6
graphicsmagick-doc-1.3.31-1.5.mga6

from SRPMS:
graphicsmagick-1.3.31-1.5.mga6.src.rpm

Version: Cauldron => 6
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA6TOO => (none)
Source RPM: graphicsmagick-1.3.31-5.mga7.src.rpm => graphicsmagick-1.3.31-1.4.mga6.src.rpm

Comment 3 Len Lawrence 2019-06-07 19:19:19 CEST
Created attachment 11069
POC tests before and after

CC: (none) => tarazed25

Comment 4 Len Lawrence 2019-06-07 19:51:29 CEST
Created attachment 11070
Example output from 'gm import' command

Comment 5 Len Lawrence 2019-06-07 20:34:26 CEST
mga6, x86_64

Checked CVEs before and after the updates - see attachment.

A few of the POC tests indicate that the issues had already been fixed and the rest of them validate the recent patches.

$ gm version
GraphicsMagick 1.3.31 2018-11-17 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2018 GraphicsMagick Group.
<and a surfeit of other information>

$ cat gmtest.pl
#!/usr/bin/env perl
# http://www.graphicsmagick.org/perl.html#example-script
# Reads four PNG frames and writes them out as one multi-frame GIF.
use strict;
use warnings;
use Graphics::Magick;
my($image, $status);
$image = Graphics::Magick->new;
$status = $image->Read('frame1.png', 'frame2.png', 'frame3.png', 'frame4.png');
warn "$status" if "$status";   # a non-empty status string is an error message
$status = $image->Write('frames.gif');
warn "$status" if "$status";

$ ls frame?.png
frame1.png  frame3.png  frame5.png  frame7.png  frame9.png
frame2.png  frame4.png  frame6.png  frame8.png
$ gmtest.pl
$ gm identify frames.gif
frames.gif[0] GIF 3008x2000+0+0 PseudoClass 256c 8-bit 9.7Mi 0.000u 0m:0.000002s
frames.gif[1] GIF 3008x2000+0+0 PseudoClass 256c 8-bit 9.7Mi 0.080u 0m:0.076800s
frames.gif[2] GIF 1440x1080+0+0 PseudoClass 256c 8-bit 9.7Mi 0.040u 0m:0.032041s
frames.gif[3] GIF 2000x1500+0+0 PseudoClass 256c 8-bit 9.7Mi 0.020u 0m:0.019655s
$ gm display frames.gif
Using the 'next' function displayed each frame in turn.

$ gm import bugz.png
Use mouse to define a rectangle on the screen and left-click to save it to a file.

$ gm convert -rotate 180 GlenShiel_4.jpg flipped.ppm
The resultant image shows a bit of Scotland upside down.

$ gm montage loch*.png showcase.pgm
This produced a thumbnail greyscale index of 11 images in a 6x2 mosaic, including the
montage itself.  Colours were preserved by specifying a PNG output file.

There is still a problem with conversions to TIFF format.  SVG can be converted but
without colour and lacking detail.

http://www.graphicsmagick.org/perl.html#example-script
$ perl imagestack.pl
$ gm identify x.gif
x.gif[0] GIF 100x100+100+100 PseudoClass 256c 8-bit 35.6Ki 0.000u 0m:0.000004s
x.gif[1] GIF 100x100+100+100 PseudoClass 256c 8-bit 35.6Ki 0.000u 0m:0.000333s
x.gif[2] GIF 100x100+100+100 PseudoClass 256c 8-bit 35.6Ki 0.000u 0m:0.000243s
x.gif[3] GIF 100x100+100+100 PseudoClass 256c 8-bit 35.6Ki 0.000u 0m:0.000144s
$ gm animate -delay 50 x.gif
Continuous loop animation at 2 frames per second.

$ gm mogrify -resize 200% JessicaAlba.tif
$ gm display JessicaAlba.tif
Original image multiplied in area by 4.

$ cat graffiti.pl
#!/usr/bin/env perl
use strict;
use warnings;
use Graphics::Magick;
my($image, $p, $status);
# Draw a red rectangle on a fresh 100x100 white canvas and save it.
$image = Graphics::Magick->new;
$image->Set(size=>'100x100');
$status = $image->ReadImage('xc:white');
warn "$status" if "$status";
#$image->Set('pixel[49,49]'=>'red');
$image->Draw(stroke=>'red', primitive=>'rectangle', points=>'20,20 80,80');
$status = $image->Write('x.ppm');
warn "$status" if "$status";
undef $image;
# Overlay the same rectangle on an existing JPEG matching J*.jpg.
$p = Graphics::Magick->new;
$status = $p->Read('J*.jpg');
warn "$status" if "$status";
$p->Draw(stroke=>'red', primitive=>'rectangle', points=>'20,20 80,80');
$status = $p->Write('xyz.ppm');
warn "$status" if "$status";
undef $p;

$ ./graffiti.pl
This produced a new image x.ppm showing a red rectangle on a white background and a modified image with a red rectangle superimposed.

These sample tests should be enough to show that GM is in good shape.

Whiteboard: (none) => MGA6-64-OK
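
To make the before-and-after check from comment 3 repeatable, here is an added POSIX shell harness (example code written for this report; it is neither the attachment nor part of GraphicsMagick). It runs each candidate file through a decoder command under a time limit and classifies how the process ended, so the same PoC set can be run against the old and the updated build and the two verdict lists diffed; GM_CMD, TIMEOUT_SECS and the verdict names are assumptions.

```shell
#!/bin/sh
# poc_check.sh: run each candidate file through a GraphicsMagick decoder
# under a time limit and report how the process ended.  Added example for
# this bug, not the attachment from comment 3 and not GraphicsMagick code.
# Assumed: GM_CMD (default "gm identify") and TIMEOUT_SECS (default 10).

classify_status() {
    # Translate a shell exit status into a verdict.  A patched build may
    # still reject a malformed file (ERROR:n); it must not crash or hang.
    rc=$1
    if [ "$rc" -eq 0 ]; then
        echo OK
    elif [ "$rc" -eq 124 ]; then
        echo TIMEOUT                 # timeout(1) convention for expiry
    elif [ "$rc" -gt 128 ]; then
        sig=$((rc - 128))            # shells report 128+signal for signal deaths
        case $sig in
            11) echo CRASH:SIGSEGV ;;   # out-of-bounds access, e.g. the xwd/miff over-reads
            8)  echo CRASH:SIGFPE ;;    # floating-point exception, cf. CVE-2019-11474
            6)  echo CRASH:SIGABRT ;;   # abort(), typical for ASan or assertion failures
            *)  echo "CRASH:SIG$sig" ;;
        esac
    else
        echo "ERROR:$rc"
    fi
}

run_poc() {
    # $1 = input file, remaining args = decoder command.
    file=$1
    shift
    rc=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "${TIMEOUT_SECS:-10}" "$@" "$file" >/dev/null 2>&1 || rc=$?
    else
        "$@" "$file" >/dev/null 2>&1 || rc=$?
    fi
    classify_status "$rc"
}

# Usage: sh poc_check.sh poc/*.xwd poc/*.miff ...
# Run once on the old build and once on the updated one, then diff the output.
for f in "$@"; do
    # GM_CMD is deliberately unquoted so "gm identify" splits into two words.
    printf '%s\t%s\n' "$(run_poc "$f" ${GM_CMD:-gm identify})" "$f"
done
```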

Comment 6 Thomas Andrews 2019-06-09 14:32:01 CEST
Validating. Suggested advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 David Walser 2019-06-09 16:58:45 CEST
Just noting that this needs to be pushed in Mageia 7/Cauldron as well as Mageia 6.
Thomas Backlund 2019-06-10 20:03:21 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 8 Mageia Robot 2019-06-10 21:18:09 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0187.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED