Bug 25319 - libheif security issue CVE-2019-11471
Summary: libheif security issue CVE-2019-11471
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-16 22:35 CEST by Stig-Ørjan Smelror
Modified: 2019-09-27 21:39 CEST
CC: 4 users

See Also:
Source RPM: libheif
CVE:
Status comment: Fixed upstream in version 1.4.1 and 1.5.0



Description Stig-Ørjan Smelror 2019-08-16 22:35:04 CEST
Upstream has published version 1.5.0 to fix this issue.

https://github.com/strukturag/libheif/releases/tag/v1.5.0


libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images.

https://nvd.nist.gov/vuln/detail/CVE-2019-11471
Comment 1 Stig-Ørjan Smelror 2019-08-31 00:39:23 CEST
Advisory
========

CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images.

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2019-11471
https://github.com/strukturag/libheif/releases/tag/v1.5.0

Files
=====

Uploaded to tainted/updates_testing

libheif-1.4.1-1.mga7.tainted
libheif-devel-1.4.1-1.mga7.tainted
libheif1-1.4.1-1.mga7.tainted

from libheif-1.4.1-1.mga7.src.rpm

Uploaded to tainted/updates_testing

imagemagick-7.0.8.62-1.mga7.tainted
imagemagick-desktop-7.0.8.62-1.mga7.tainted
libmagick-7Q16HDRI_6-7.0.8.62-1.mga7.tainted
libmagick++-7Q16HDRI_4-7.0.8.62-1.mga7.tainted
libmagick-devel-7.0.8.62-1.mga7.tainted
perl-Image-Magick-7.0.8.62-1.mga7.tainted
imagemagick-doc-7.0.8.62-1.mga7.tainted

Uploaded to core/updates_testing

imagemagick-7.0.8.62-1.mga7
imagemagick-desktop-7.0.8.62-1.mga7
libmagick-7Q16HDRI_6-7.0.8.62-1.mga7
libmagick++-7Q16HDRI_4-7.0.8.62-1.mga7
libmagick-devel-7.0.8.62-1.mga7
perl-Image-Magick-7.0.8.62-1.mga7
imagemagick-doc-7.0.8.62-1.mga7

from imagemagick-7.0.8.62-1.mga7.src.rpm

Assignee: smelror => qa-bugs
Status comment: (none) => Fixed upstream in version 1.4.1 and 1.5.0

Comment 2 Stig-Ørjan Smelror 2019-08-31 00:40:41 CEST
A possible PoC.

https://github.com/strukturag/libheif/issues/123
Comment 3 Len Lawrence 2019-08-31 10:18:29 CEST
mga7, x86_64

libheif was already installed.  Ran some checks before installing updates.
$ which heif-convert
/usr/bin/heif-convert
$ strace -o trace heif-convert JessicaAlba.jpg jessica.heif
Unknown file type in jessica.heif
$ locate heif | grep /bin
/usr/bin/heif-convert
/usr/bin/heif-enc
/usr/bin/heif-info
/usr/bin/heif-thumbnailer
$ heif-enc JessicaAlba.jpg jessica.heif
Cannot load JPEG because libjpeg support was not compiled.
Maybe better luck later.
$ heif-enc Tatiana.png
libpng warning: iCCP: known incorrect sRGB profile
This produces Tatiana.heic which does not look like the original image - the colour map has been completely changed.
This might explain it:
$ heif-enc -L Tatiana.png
libpng warning: iCCP: known incorrect sRGB profile
Warning: input image is in RGB colorspace, but encoding is currently
  always done in YCbCr colorspace. Hence, even though you specified lossless
  compression, there will be differences because of the color conversion.

Thanks Stig for the pointer.  Your cautionary "Possible" may well be correct because the tests are expected to be run in an ASAN harness.

CVE-2019-11471
https://github.com/strukturag/libheif/issues/123
The zip file contains 5 files.
$ heif-convert uaf_heif_context.h:117_5.heic test.png
File contains 1 images
Could not decode HEIF image: 0: Invalid input: Unexpected end of file: Extent in iloc box references data outside of file bounds (points to file position 583)

The results were the same for the other 4 files and might indicate that the library had already been fixed.  Without ASAN we cannot be sure.

Updated all tainted packages.

The POC tests show a different message which probably reflects the application of the patches.  All good.
$ heif-convert uaf_heif_context.h:117_4.heic test.png
Could not read HEIF file: Invalid input: Non-existing item ID referenced: Non-existing alpha image referenced


$ heif-convert -q 100 JessicaAlba.jpg jessica.heic
Unknown file type in jessica.heic
No output file.
$ heif-convert -q 100 JessicaAlba.png jessica.png
Input file is not an HEIF file
$ heif-convert -q 100 Tatiana.heic tatiana.png
File contains 1 images
libpng error: known incorrect sRGB profile
Error while encoding image
could not write image

These obviously do not work the way one expects.
Could not find any heic images online.
Could not figure out how to run the "demo" at https://strukturag.github.io/libheif/. The displayed images appear to be PNG although they come down as JPEG if "Save image" is selected.
The source code for libheif contains routines for converting colourspace from YCbCr to RGB.  Maybe ImageMagick has some utility to convert colourspaces?
There is mention of a GIMP plugin at https://github.com/strukturag/heif-gimp-plugin.
A quote from strukturag:
The program heif-convert converts all images stored in an HEIF file to JPEG or PNG. heif-enc lets you convert JPEG files to HEIF. The program heif-info is a simple, minimal decoder that dumps the file structure to the console.
$ heif-info Tatiana.heic
image: 1080x760 (id=1), primary
  color profile: prof
  alpha channel: no
  depth channel: no

That is as far as we can take this in QA.  Allotting a tentative 64bit OK.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
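
The check Len ran by hand in comment 3 (feeding each PoC .heic to heif-convert and comparing the rejection message before and after the update) as a small POSIX shell harness. This is an added example, not part of this bug report, of the Mageia packages or of libheif. It runs every .heic in a directory through heif-convert, captures output and exit status, and classifies each result using the two libheif messages quoted in comment 3, a sanitizer report if the library was built with ASAN, or a crash or hang signal. Assumptions: heif-convert is on PATH, the error strings are stable across libheif 1.4.1 / 1.5.0, and the directory path is a placeholder for wherever the PoC zip was unpacked.

```shell
#!/bin/sh
# Added QA regression harness for CVE-2019-11471 (illustrative; not part of the
# Mageia bug or of libheif). Runs every PoC .heic in a directory through
# heif-convert, as done by hand in comment 3, and classifies each outcome.
#
# Assumptions: heif-convert is on PATH; the error strings below are the ones
# quoted in comment 3 and stay stable across libheif 1.4.1 / 1.5.0.

# classify_heif_result EXIT_STATUS OUTPUT -> prints one verdict token.
# Order matters: a sanitizer report outranks the exit status, and a recognised
# libheif rejection outranks a generic non-zero exit.
classify_heif_result() {
    rc="$1"; out="$2"
    case "$out" in
        *AddressSanitizer*|*heap-use-after-free*) echo "ASAN-uaf"; return 0 ;;
        *"Non-existing alpha image referenced"*) echo "patched-reject"; return 0 ;;
        *"Extent in iloc box references data outside of file bounds"*) echo "iloc-bounds-reject"; return 0 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "decoded"            # file was accepted; inspect the output image by hand
    elif [ "$rc" -eq 124 ]; then
        echo "timeout"            # from timeout(1): decoder hung on the input
    elif [ "$rc" -ge 128 ]; then
        echo "crash-signal-$((rc - 128))"   # e.g. 139 -> crash-signal-11 (SIGSEGV)
    else
        echo "other-error"        # rejected with a message not listed above
    fi
}

# run_poc_dir DIR -> one "<verdict><tab><file>" line per PoC; returns 0 only if
# no PoC crashed, hung, or produced a sanitizer report.
run_poc_dir() {
    dir="$1"; bad=0
    command -v heif-convert >/dev/null 2>&1 || { echo "heif-convert not installed" >&2; return 2; }
    runner=""
    command -v timeout >/dev/null 2>&1 && runner="timeout 30"
    tmp="$(mktemp -d)"
    for f in "$dir"/*.heic; do
        [ -e "$f" ] || continue
        rc=0
        out="$($runner heif-convert "$f" "$tmp/out.png" 2>&1)" || rc=$?
        verdict="$(classify_heif_result "$rc" "$out")"
        printf '%s\t%s\n' "$verdict" "$f"
        case "$verdict" in ASAN-uaf|timeout|crash-*) bad=$((bad + 1)) ;; esac
        rm -f "$tmp/out.png"
    done
    rm -rf "$tmp"
    [ "$bad" -eq 0 ]
}

# Usage: sh heif_poc_check.sh /path/to/unpacked/poc/files
if [ -n "$1" ] && [ -d "$1" ]; then
    run_poc_dir "$1"
fi
```

Run it once before and once after installing the update: on the pre-update library the PoC files in comment 3 land in iloc-bounds-reject, and after the update in patched-reject, which is the observable difference the comment reports. Only ASAN-uaf, timeout and crash-* verdicts fail the run; as the comment notes, a clean rejection without an ASAN build does not prove the use-after-free is unreachable, it only shows the reference is now refused before decoding.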

Comment 4 Len Lawrence 2019-08-31 10:43:29 CEST
Rider to comment 3:

It appears that Apple is promoting the HEIC format as an alternative to JPEG so anybody with an iPhone should be able to test this update on real HEIC images.  The core updates testing version still needs to be tested.
Comment 5 Stig-Ørjan Smelror 2019-08-31 12:07:03 CEST
Imagemagick in tainted is compiled with support for HEIF/HEIC. I've used it successfully to convert images from the GF's iPhone.

% convert image.heic image.jpg
% file image.jpg
image.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=11, manufacturer=Apple, model=iPhone 8 Plus, orientation=upper-left, xresolution=166, yresolution=174, resolutionunit=2, software=12.0, datetime=2018:10:01 15:29:09, GPS-Data], baseline, precision 8, 4032x3024, components 3

% convert image.heic image.png
% file image.png
image.png: PNG image data, 4032 x 3024, 8-bit/color RGB, non-interlaced

% file image.heic
image.heic: ISO Media, HEIF Image HEVC Main or Main Still Picture Profile
Comment 6 Thomas Backlund 2019-08-31 12:26:00 CEST
Why is imagemagick-7.0.8.62 part of this update ?

CC: (none) => tmb
Keywords: (none) => feedback

Comment 7 Stig-Ørjan Smelror 2019-08-31 12:40:55 CEST
(In reply to Thomas Backlund from comment #6)
> Why is imagemagick-7.0.8.62 part of this update ?

Because it's built with the libheif library.

Cheers,
Stig
Comment 8 Len Lawrence 2019-08-31 13:19:53 CEST
In reply to Stig, comment 5.

Yes, after the update IM succeeded in converting a JPEG to HEIF format.
$ file jessica.heic
jessica.heic: ISO Media, HEIF Image HEVC Main or Main Still Picture Profile

but it does not cope with RGB.  The output file has a YCbCr colour profile which is probably all it is designed to produce.  It does not complain about the mismatch.  

Anyway, thanks for testing with native HEIF images.  Your PNG test shows that RGB output is possible starting with a real HEIF image.  And thanks also to the GF.
Comment 9 Thomas Backlund 2019-08-31 13:22:27 CEST
(In reply to Stig-Ørjan Smelror from comment #7)
> (In reply to Thomas Backlund from comment #6)
> > Why is imagemagick-7.0.8.62 part of this update ?
> 
> Because it's built with the libheif library.
> 

Yes, but I don't see any static libs, so the current imagemagick should happily load the fixed libheif unless there is an ABI break...

And the imagemagick packages would then belong to https://bugs.mageia.org/show_bug.cgi?id=25389
Rémi Verschelde 2019-09-20 11:05:40 CEST

Source RPM: (none) => libheif

Comment 10 Len Lawrence 2019-09-24 11:28:24 CEST
@Stig:

It looks like running ImageMagick after the update would be one of the things QA could do to test the library - providing relevant images were available.  So I am removing the feedback marker.  Let's release it.

Keywords: feedback => (none)

Comment 11 Thomas Andrews 2019-09-24 15:37:13 CEST
(In reply to Thomas Backlund from comment #9)
> (In reply to Stig-Ørjan Smelror from comment #7)
> > (In reply to Thomas Backlund from comment #6)
> > > Why is imagemagick-7.0.8.62 part of this update ?
> > 
> > Because it's built with the libheif library.
> > 
> 
> Yes, but i dont see any static libs, so the current imagemagick should
> happily load the fixed libheif unless there is an ABI break...
> 
> And the imagemagick packages would then belong to
> https://bugs.mageia.org/show_bug.cgi?id=25389

Since Bug 25389 has already gone out with the older imagemagick packages, and since this bug was tested with the newer ones, I'm going to go ahead and validate with the new imagemagick included. If you believe the imagemagick update needs to be put into a separate bug, please let us know.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-09-27 20:41:31 CEST

Keywords: (none) => advisory

Comment 12 Mageia Robot 2019-09-27 21:39:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0290.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

