Upstream has published version 1.5.0 to fix this issue.
https://github.com/strukturag/libheif/releases/tag/v1.5.0

libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images.
https://nvd.nist.gov/vuln/detail/CVE-2019-11471
Advisory
========

CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images.

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2019-11471
https://github.com/strukturag/libheif/releases/tag/v1.5.0

Files
=====

Uploaded to tainted/updates_testing

libheif-1.4.1-1.mga7.tainted
libheif-devel-1.4.1-1.mga7.tainted
libheif1-1.4.1-1.mga7.tainted

from libheif-1.4.1-1.mga7.src.rpm

Uploaded to tainted/updates_testing

imagemagick-7.0.8.62-1.mga7.tainted
imagemagick-desktop-7.0.8.62-1.mga7.tainted
libmagick-7Q16HDRI_6-7.0.8.62-1.mga7.tainted
libmagick++-7Q16HDRI_4-7.0.8.62-1.mga7.tainted
libmagick-devel-7.0.8.62-1.mga7.tainted
perl-Image-Magick-7.0.8.62-1.mga7.tainted
imagemagick-doc-7.0.8.62-1.mga7.tainted

Uploaded to core/updates_testing

imagemagick-7.0.8.62-1.mga7
imagemagick-desktop-7.0.8.62-1.mga7
libmagick-7Q16HDRI_6-7.0.8.62-1.mga7
libmagick++-7Q16HDRI_4-7.0.8.62-1.mga7
libmagick-devel-7.0.8.62-1.mga7
perl-Image-Magick-7.0.8.62-1.mga7
imagemagick-doc-7.0.8.62-1.mga7

from imagemagick-7.0.8.62-1.mga7.src.rpm
Assignee: smelror => qa-bugs
Status comment: (none) => Fixed upstream in version 1.4.1 and 1.5.0
A possible PoC. https://github.com/strukturag/libheif/issues/123
mga7, x86_64

libheif was already installed. Ran some checks before installing updates.

$ which heif-convert
/usr/bin/heif-convert
$ strace -o trace heif-convert JessicaAlba.jpg jessica.heif
Unknown file type in jessica.heif
$ locate heif | grep /bin
/usr/bin/heif-convert
/usr/bin/heif-enc
/usr/bin/heif-info
/usr/bin/heif-thumbnailer
$ heif-enc JessicaAlba.jpg jessica.heif
Cannot load JPEG because libjpeg support was not compiled.
Maybe better luck later.

$ heif-enc Tatiana.png
libpng warning: iCCP: known incorrect sRGB profile

This produces Tatiana.heic which does not look like the original image - the colour map has been completely changed. This might explain it:

$ heif-enc -L Tatiana.png
libpng warning: iCCP: known incorrect sRGB profile
Warning: input image is in RGB colorspace, but encoding is currently always done in YCbCr colorspace. Hence, even though you specified lossless compression, there will be differences because of the color conversion.

Thanks Stig for the pointer. Your cautionary "Possible" may well be correct because the tests are expected to be run in an ASAN harness.

CVE-2019-11471
https://github.com/strukturag/libheif/issues/123

The zip file contains 5 files.

$ heif-convert uaf_heif_context.h:117_5.heic test.png
File contains 1 images
Could not decode HEIF image: 0: Invalid input: Unexpected end of file: Extent in iloc box references data outside of file bounds (points to file position 583)

The results were the same for the other 4 files and might indicate that the library had already been fixed. Without ASAN we cannot be sure.

Updated all tainted packages.

The POC tests show a different message which probably reflects the application of the patches. All good.

$ heif-convert uaf_heif_context.h:117_4.heic test.png
Could not read HEIF file: Invalid input: Non-existing item ID referenced: Non-existing alpha image referenced

$ heif-convert -q 100 JessicaAlba.jpg jessica.heic
Unknown file type in jessica.heic

No output file.

$ heif-convert -q 100 JessicaAlba.png jessica.png
Input file is not an HEIF file
$ heif-convert -q 100 Tatiana.heic tatiana.png
File contains 1 images
libpng error: known incorrect sRGB profile
Error while encoding image could not write image

These obviously do not work the way one expects. Could not find any heic images online. Could not figure out how to run the "demo" at https://strukturag.github.io/libheif/ The displayed images appear to be PNG although they come down as JPEG if "Save image" is selected.

The source code for libheif contains routines for converting colourspace from YCbCr to RGB. Maybe ImageMagick has some utility to convert colourspaces? There is mention of a GIMP plugin at https://github.com/strukturag/heif-gimp-plugin.

A quote from strukturag:
The program heif-convert converts all images stored in an HEIF file to JPEG or PNG. heif-enc lets you convert JPEG files to HEIF. The program heif-info is a simple, minimal decoder that dumps the file structure to the console.

$ heif-info Tatiana.heic
image: 1080x760 (id=1), primary
  color profile: prof
  alpha channel: no
  depth channel: no

That is as far as we can take this in QA. Allotting a tentative 64bit OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
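The message the patched package prints above ("Non-existing item ID referenced: Non-existing alpha image referenced") is the visible side of the fix the advisory describes: a reference to an alpha image has to name an item that actually exists before the library may use it. The following is an added illustration, not libheif's code and not from this bug report: a hypothetical C++ model of a decoder context in which every item ID a reference points at is looked up first, and a dangling alpha reference is rejected with an error instead of being linked. The names `Context`, `AuxRef`, `link_alpha` and the sample item IDs are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Hypothetical, simplified model of the failure class named in the advisory.
// Images are keyed by item ID; an auxiliary reference says "item <from>'s
// alpha channel is stored in item <to>". A malformed file can name a <to>
// that was never declared, so the reference must be validated before use.

struct Image {
    uint32_t id;
    std::shared_ptr<Image> alpha;   // linked alpha image, if any
};

struct Result {
    bool ok;
    std::string message;            // empty on success
};

struct AuxRef {
    uint32_t from;                  // image that owns the alpha channel
    uint32_t to;                    // item supposed to hold the alpha plane
};

class Context {
public:
    void add_image(uint32_t id) {
        images_[id] = std::make_shared<Image>(Image{id, nullptr});
    }

    // Hardened linking: both ends of the reference are looked up before
    // anything is dereferenced. The strings mirror the message heif-convert
    // printed with the fixed package, so a QA tester can recognise the same
    // condition; they are not taken from libheif's sources.
    Result link_alpha(const AuxRef& ref) {
        auto owner = images_.find(ref.from);
        if (owner == images_.end()) {
            return {false, "Non-existing item ID referenced"};
        }
        auto alpha = images_.find(ref.to);
        if (alpha == images_.end()) {
            return {false, "Non-existing item ID referenced: "
                           "Non-existing alpha image referenced"};
        }
        owner->second->alpha = alpha->second;   // shared ownership keeps it alive
        return {true, ""};
    }

    // Apply all references parsed from a file; stop at the first bad one.
    Result link_all(const std::vector<AuxRef>& refs) {
        for (const AuxRef& r : refs) {
            Result res = link_alpha(r);
            if (!res.ok) return res;
        }
        return {true, ""};
    }

    bool has_alpha(uint32_t id) const {
        auto it = images_.find(id);
        return it != images_.end() && it->second->alpha != nullptr;
    }

    std::size_t image_count() const { return images_.size(); }

private:
    // find() is used throughout: operator[] would silently default-insert an
    // empty entry for an unknown ID, creating a phantom item that a later
    // stage could dereference.
    std::map<uint32_t, std::shared_ptr<Image>> images_;
};

// Constructed sample "files" standing in for real HEIF input: a well-formed
// one and one whose alpha reference points at an undeclared item.
Result decode_good() {
    Context ctx;
    ctx.add_image(1);
    ctx.add_image(2);
    return ctx.link_all({{1, 2}});
}

Result decode_dangling() {
    Context ctx;
    ctx.add_image(1);
    return ctx.link_all({{1, 2}});   // item 2 was never declared
}

int main() {
    std::cout << "good: " << (decode_good().ok ? "ok" : "error") << "\n";
    std::cout << "dangling: " << decode_dangling().message << "\n";
    return 0;
}
```

The point of the design is that the lookup result, not the reference, decides whether linking proceeds, and that a rejected file leaves the context exactly as it was before the bad reference, so nothing half-linked survives for a later decode stage to touch.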
Rider to comment 3; It appears that Apple is promoting the HEIC format as an alternative to JPEG so anybody with an iPhone should be able to test this update on real HEIC images. The core updates testing version still needs to be tested.
Imagemagick in tainted is compiled with support for HEIF/HEIC. I've used it successfully to convert images from the GF's iPhone.

% convert image.heic image.jpg
% file image.jpg
image.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=11, manufacturer=Apple, model=iPhone 8 Plus, orientation=upper-left, xresolution=166, yresolution=174, resolutionunit=2, software=12.0, datetime=2018:10:01 15:29:09, GPS-Data], baseline, precision 8, 4032x3024, components 3
% convert image.heic image.png
% file image.png
image.png: PNG image data, 4032 x 3024, 8-bit/color RGB, non-interlaced
% file image.heic
image.heic: ISO Media, HEIF Image HEVC Main or Main Still Picture Profile
Why is imagemagick-7.0.8.62 part of this update ?
CC: (none) => tmb
Keywords: (none) => feedback
(In reply to Thomas Backlund from comment #6)
> Why is imagemagick-7.0.8.62 part of this update ?

Because it's built with the libheif library.

Cheers,
Stig
In reply to Stig, comment 5.

Yes, after the update IM succeeded in converting a JPEG to HEIF format.

$ file jessica.heic
jessica.heic: ISO Media, HEIF Image HEVC Main or Main Still Picture Profile

but it does not cope with RGB. The output file has a YCbCr colour profile which is probably all it is designed to produce. It does not complain about the mismatch.

Anyway, thanks for testing with native HEIF images. Your PNG test shows that RGB output is possible starting with a real HEIF image. And thanks also to the GF.
(In reply to Stig-Ørjan Smelror from comment #7)
> (In reply to Thomas Backlund from comment #6)
> > Why is imagemagick-7.0.8.62 part of this update ?
>
> Because it's built with the libheif library.
>

Yes, but I don't see any static libs, so the current imagemagick should happily load the fixed libheif unless there is an ABI break...

And the imagemagick packages would then belong to https://bugs.mageia.org/show_bug.cgi?id=25389
Source RPM: (none) => libheif
@Stig: It looks like running ImageMagick after the update would be one of the things QA could do to test the library - providing relevant images were available. So I am removing the feedback marker. Let's release it.
Keywords: feedback => (none)
(In reply to Thomas Backlund from comment #9)
> (In reply to Stig-Ørjan Smelror from comment #7)
> > (In reply to Thomas Backlund from comment #6)
> > > Why is imagemagick-7.0.8.62 part of this update ?
> >
> > Because it's built with the libheif library.
> >
>
> Yes, but I don't see any static libs, so the current imagemagick should
> happily load the fixed libheif unless there is an ABI break...
>
> And the imagemagick packages would then belong to
> https://bugs.mageia.org/show_bug.cgi?id=25389

Since Bug 25389 has already gone out with the older imagemagick packages, and since this bug was tested with the newer ones, I'm going to go ahead and validate with the new imagemagick included. If you believe the imagemagick update needs to be put into a separate bug, please let us know.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0290.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED