Bug 25319 - libheif security issue CVE-2019-11471
Summary: libheif security issue CVE-2019-11471
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2019-08-16 22:35 CEST by Stig-Ørjan Smelror
Modified: 2019-09-20 11:05 CEST (History)
2 users (show)

See Also:
Source RPM: libheif
CVE:
Status comment: Fixed upstream in version 1.4.1 and 1.5.0


Attachments

Description Stig-Ørjan Smelror 2019-08-16 22:35:04 CEST
Upstream has published version 1.5.0 to fix this issue.

https://github.com/strukturag/libheif/releases/tag/v1.5.0


libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images.

https://nvd.nist.gov/vuln/detail/CVE-2019-11471
Comment 1 Stig-Ørjan Smelror 2019-08-31 00:39:23 CEST
Advisory
========

CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images.

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2019-11471
https://github.com/strukturag/libheif/releases/tag/v1.5.0

Files
=====

Uploaded to tainted/updates_testing

libheif-1.4.1-1.mga7.tainted
libheif-devel-1.4.1-1.mga7.tainted
libheif1-1.4.1-1.mga7.tainted

from libheif-1.4.1-1.mga7.src.rpm

Uploaded to tainted/updates_testing

imagemagick-7.0.8.62-1.mga7.tainted
imagemagick-desktop-7.0.8.62-1.mga7.tainted
libmagick-7Q16HDRI_6-7.0.8.62-1.mga7.tainted
libmagick++-7Q16HDRI_4-7.0.8.62-1.mga7.tainted
libmagick-devel-7.0.8.62-1.mga7.tainted
perl-Image-Magick-7.0.8.62-1.mga7.tainted
imagemagick-doc-7.0.8.62-1.mga7.tainted

Uploaded to core/updates_testing

imagemagick-7.0.8.62-1.mga7
imagemagick-desktop-7.0.8.62-1.mga7
libmagick-7Q16HDRI_6-7.0.8.62-1.mga7
libmagick++-7Q16HDRI_4-7.0.8.62-1.mga7
libmagick-devel-7.0.8.62-1.mga7
perl-Image-Magick-7.0.8.62-1.mga7
imagemagick-doc-7.0.8.62-1.mga7

from imagemagick-7.0.8.62-1.mga7.src.rpm

Status comment: (none) => Fixed upstream in version 1.4.1 and 1.5.0
Assignee: smelror => qa-bugs

Comment 2 Stig-Ørjan Smelror 2019-08-31 00:40:41 CEST
A possible PoC.

https://github.com/strukturag/libheif/issues/123
Comment 3 Len Lawrence 2019-08-31 10:18:29 CEST
mga7, x86_64

libheif was already installed.  Ran some checks before installing updates.
$ which heif-convert
/usr/bin/heif-convert
$ strace -o trace heif-convert JessicaAlba.jpg jessica.heif
Unknown file type in jessica.heif
$ locate heif | grep /bin
/usr/bin/heif-convert
/usr/bin/heif-enc
/usr/bin/heif-info
/usr/bin/heif-thumbnailer
$ heif-enc JessicaAlba.jpg jessica.heif
Cannot load JPEG because libjpeg support was not compiled.
Maybe better luck later.
$ heif-enc Tatiana.png
libpng warning: iCCP: known incorrect sRGB profile
This produces Tatiana.heic which does not look like the original image - the colour map has been completely changed.
This might explain it:
$ heif-enc -L Tatiana.png
libpng warning: iCCP: known incorrect sRGB profile
Warning: input image is in RGB colorspace, but encoding is currently
  always done in YCbCr colorspace. Hence, even though you specified lossless
  compression, there will be differences because of the color conversion.

Thanks Stig for the pointer.  Your cautionary "Possible" may well be correct because the tests are expected to be run in an ASAN harness.

CVE-2019-11471
https://github.com/strukturag/libheif/issues/123
The zip file contains 5 files.
$ heif-convert uaf_heif_context.h:117_5.heic test.png
File contains 1 images
Could not decode HEIF image: 0: Invalid input: Unexpected end of file: Extent in iloc box references data outside of file bounds (points to file position 583)

The results were the same for the other 4 files and might indicate that the library had already been fixed.  Without ASAN we cannot be sure.

Updated all tainted packages.

The POC tests show a different message which probably reflects the application of the patches.  All good.
$ heif-convert uaf_heif_context.h:117_4.heic test.png
Could not read HEIF file: Invalid input: Non-existing item ID referenced: Non-existing alpha image referenced


$ heif-convert -q 100 JessicaAlba.jpg jessica.heic
Unknown file type in jessica.heic
No output file.
$ heif-convert -q 100 JessicaAlba.png jessica.png
Input file is not an HEIF file
$ heif-convert -q 100 Tatiana.heic tatiana.png
File contains 1 images
libpng error: known incorrect sRGB profile
Error while encoding image
could not write image

These obviously do not work the way one expects.
Could not find any heic images online.
Could not figure out how to run the "demo" at https://strukturag.github.io/libheif/  The displayed images appear to be PNG although they come down as JPEG if "Save image" is selected.
The source code for libheif contains routines for converting colourspace from TCbCr to RGB.  Maybe ImageMagick has some utility to convert colourspaces?
There is mention of a GIMP plugin at https://github.com/strukturag/heif-gimp-plugin.
A quote from strukturag:
The program heif-convert converts all images stored in an HEIF file to JPEG or PNG. heif-enc lets you convert JPEG files to HEIF. The program heif-info is a simple, minimal decoder that dumps the file structure to the console.
$ heif-info Tatiana.heic
image: 1080x760 (id=1), primary
  color profile: prof
  alpha channel: no
  depth channel: no

That is as far as we can take this in QA.  Allotting a tentative 64bit OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Comment 4 Len Lawrence 2019-08-31 10:43:29 CEST
Rider to comment 3;

It appears that Apple is promoting the HEIC format as an alternative to JPEG so anybody with an iPhone should be able to test this update on real HEIC images.  The core updates testing version still needs to be tested.
Comment 5 Stig-Ørjan Smelror 2019-08-31 12:07:03 CEST
Imagemagick in tainted is compiled with support for HEIF/HEIC. I've used it successfully to convert images from the GF's iPhone.

% convert image.heic image.jpg
% file image.jpg
image.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=11, manufacturer=Apple, model=iPhone 8 Plus, orientation=upper-left, xresolution=166, yresolution=174, resolutionunit=2, software=12.0, datetime=2018:10:01 15:29:09, GPS-Data], baseline, precision 8, 4032x3024, components 3

% convert image.heic image.png
% file image.png
image.png: PNG image data, 4032 x 3024, 8-bit/color RGB, non-interlaced

% file image.heic
image.heic: ISO Media, HEIF Image HEVC Main or Main Still Picture Profile
Comment 6 Thomas Backlund 2019-08-31 12:26:00 CEST
Why is imagemagick-7.0.8.62 part of this update ?

Keywords: (none) => feedback
CC: (none) => tmb

Comment 7 Stig-Ørjan Smelror 2019-08-31 12:40:55 CEST
(In reply to Thomas Backlund from comment #6)
> Why is imagemagick-7.0.8.62 part of this update ?

Because it's built with the libheif library.

Cheers,
Stig
Comment 8 Len Lawrence 2019-08-31 13:19:53 CEST
In reply to Stig, comment 5.

Yes, after the update IM succeeded in converting a JPEG to HEIF format.
$ file jessica.heic
jessica.heic: ISO Media, HEIF Image HEVC Main or Main Still Picture Profile

but it does not cope with RGB.  The output file has a YCbCr colour profile which is probably all it is designed to produce.  It does not complain about the mismatch.  

Anyway, thanks for testing with native HEIF images.  Your PNG test shows that RGB output is possible starting with a real HEIF image.  And thanks also to the GF.
Comment 9 Thomas Backlund 2019-08-31 13:22:27 CEST
(In reply to Stig-Ørjan Smelror from comment #7)
> (In reply to Thomas Backlund from comment #6)
> > Why is imagemagick-7.0.8.62 part of this update ?
> 
> Because it's built with the libheif library.
> 

Yes, but i dont see any static libs, so the current imagemagick should happily load the fixed libheif unless there is an ABI break...

And the imagemagick packages would then belong to https://bugs.mageia.org/show_bug.cgi?id=25389
Rémi Verschelde 2019-09-20 11:05:40 CEST

Source RPM: (none) => libheif


Note You need to log in before you can comment on or make changes to this bug.