SUSE has issued an advisory today (April 20): https://lists.suse.com/pipermail/sle-security-updates/2023-April/014519.html The issue is fixed upstream in 7.1.1.6 (already in Cauldron): https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-35q2-86c7-9247
Assigning this to Stig who now looks after imagemagick.
Assignee: bugsquad => smelror
Advisory
========

Upstream fix for CVE-2023-1906.

CVE-2023-1906: A heap-based buffer overflow issue was discovered in ImageMagick's ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c. An attacker could pass a specially crafted file to convert, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.

References
==========
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014519.html
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-35q2-86c7-9247
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-1906

Files
=====

Uploaded to core/updates_testing

imagemagick-desktop-7.1.0.62-1.1.mga8
perl-Image-Magick-7.1.0.62-1.1.mga8
lib64magick++-7Q16HDRI_5-7.1.0.62-1.1.mga8
lib64magick-devel-7.1.0.62-1.1.mga8
lib64magick-7Q16HDRI_10-7.1.0.62-1.1.mga8
imagemagick-7.1.0.62-1.1.mga8
imagemagick-doc-7.1.0.62-1.1.mga8

Uploaded to tainted/updates_testing

imagemagick-desktop-7.1.0.62-1.1.mga8.tainted
perl-Image-Magick-7.1.0.62-1.1.mga8.tainted
lib64magick++-7Q16HDRI_5-7.1.0.62-1.1.mga8.tainted
lib64magick-devel-7.1.0.62-1.1.mga8.tainted
lib64magick-7Q16HDRI_10-7.1.0.62-1.1.mga8.tainted
imagemagick-7.1.0.62-1.1.mga8.tainted
imagemagick-doc-7.1.0.62-1.1.mga8.tainted

from imagemagick-7.1.0.62-1.1.mga8.src.rpm
Assignee: smelror => qa-bugs
CC: (none) => smelror
Mageia8, x86_64

*Before update*

CVE-2023-1906 Heap based buffer overflow
https://bugzilla.suse.com/show_bug.cgi?id=1210308&_gl=1*mjwjcl*_ga*NzkxNjM3MDE1LjE2NzkzMDgyODE.*_ga_JEVBS2XFKK*MTY4MjM1MjExMi40LjAuMTY4MjM1MjExNy41NS4wLjA.

$ valgrind -q convert heapoverflow-poc /dev/null
convert: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/951.
convert: Unknown field with tag 0 (0x0) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/951.
convert: Unknown field with tag 3330 (0xd02) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/951.
convert: IO error during reading of "DocumentName"; tag ignored. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/951.
convert: IO error during reading of "Tag 0"; tag ignored. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/951.
convert: IO error during reading of "Software"; tag ignored. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/951.
convert: Bogus "StripByteCounts" field, ignoring and calculating from imagelength. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/951.
convert: IO error writing tag data. `TIFFWriteDirectoryTagData' @ error/tiff.c/TIFFErrors/598.
<As reported upstream>

This looks like a clean outcome, as if the problem has been intercepted.
IM working fine heretofore.

$ rpm -q imagemagick
imagemagick-7.1.0.62-1.mga8.tainted
So, testing tainted version.

Clean update.

*After update*

As expected, the poc test returned the same diagnostics, which probably means that the heap overflow issue is fixed.
Functionality tests went OK.

$ display fuji.*
Accessed the following images using the 'next' button in the on-demand menu.
jpg and raw formats displayed properly - not sure about jp2 but another jp2 tested later was OK.

Most standard formats of test images are handled by identify and display: PPM, JPEG, TIFF, GIF, PNG, PNM, J2K/JP2 and PostScript, including PDF.
Bitmapped formats like BMP and PGX are also supported, as are XML-based SVG images.

Tried image format conversions and manipulation through mogrify and convert.
$ convert Tatiana.jpg Maslany.png
$ convert TatianaMaslany.jpg -background grey44 -vignette 0x5 OrphanBlack.gif
$ convert logo.svg mageia.png

Modify in place: 3/4 turn
$ mogrify -rotate 270 newbridge.tif
Back to original
$ mogrify -rotate 90 newbridge.tif

Squash an image.
$ identify Ikapati.tif
Ikapati.tif TIFF 1024x1024 1024x1024+0+0 8-bit Grayscale Gray 1.00118MiB 0.000u 0:00.012
$ convert -resize 120%x80% Ikapati.tif ikapati.jpg
$ identify ikapati.jpg
ikapati.jpg JPEG 1229x819 1229x819+0+0 8-bit Grayscale Gray 256c 366604B 0.000u 0:00.000

It would take all day to cover all the possibilities so finish with this:
$ convert -gravity center -size 640x120 label:"Good morning QA!" message.png
$ composite message.png SantaMaria.png -stegano +15+2 crater.png
$ display crater.png
Matches the original.
Extract the message.
$ convert -size 640x120+15+2 stegano:crater.png secret.png
$ display secret.png
Good morning QA!

Parlour trick. Not going to sell many.

It all looks OK from here. Perhaps somebody else would like to test the untainted version?
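The QA check above compares the output of "valgrind -q convert heapoverflow-poc /dev/null" before and after the update by eye. The script below is an added example, not part of this bug report or of the Mageia QA tooling: it wraps the same valgrind run and decides mechanically whether valgrind itself reported a memory error, so the before/after comparison does not depend on reading the TIFF coder warnings. The PoC file name "heapoverflow-poc" is the one used in the comment; the two sample outputs embedded in the script are constructed (PID and addresses made up) to stand in for a real run.

```shell
#!/bin/sh
# Added example for the QA procedure in this bug; not part of the report.
# Wraps "valgrind -q convert <poc> /dev/null" and returns a verdict based on
# valgrind's own error lines rather than on ImageMagick's coder warnings.

# True (exit 0) when valgrind's own memory-error lines are present.
# The pattern is deliberately narrow: ImageMagick's "Invalid TIFF directory"
# warning must not be mistaken for valgrind's "Invalid read of size N".
valgrind_output_has_memory_errors() {
    printf '%s\n' "$1" | grep -qE \
        'Invalid (read|write) of size|Conditional jump or move depends on uninitialised|ERROR SUMMARY: [1-9][0-9]* errors'
}

# Run the PoC under valgrind exactly as in the comment and print a verdict.
# Returns 0 when no memory errors were seen, 1 when they were, 2 when the
# tools are missing. TIFF reader warnings are expected and are not a failure.
check_poc() {
    poc="$1"
    for tool in valgrind convert; do
        command -v "$tool" >/dev/null 2>&1 || { echo "SKIP: $tool not installed"; return 2; }
    done
    # convert exits non-zero on this PoC even when fixed, so ignore its status.
    out=$(valgrind -q convert "$poc" /dev/null 2>&1) || true
    if valgrind_output_has_memory_errors "$out"; then
        echo "FAIL: valgrind reported memory errors converting $poc"
        printf '%s\n' "$out" | grep -E 'Invalid (read|write)|Conditional jump|ERROR SUMMARY'
        return 1
    fi
    echo "OK: no valgrind memory errors converting $poc (rpm: $(rpm -q imagemagick 2>/dev/null || echo 'rpm not available'))"
    return 0
}

# Constructed sample: a clean run, only ImageMagick/libtiff warnings.
clean_sample() {
cat <<'EOF'
convert: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/951.
convert: Bogus "StripByteCounts" field, ignoring and calculating from imagelength. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/951.
convert: IO error writing tag data. `TIFFWriteDirectoryTagData' @ error/tiff.c/TIFFErrors/598.
EOF
}

# Constructed sample: what an unfixed build would show, valgrind lines
# interleaved with the same warnings (PID, addresses and sizes are made up).
overflow_sample() {
cat <<'EOF'
convert: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/951.
==4242== Invalid read of size 1
==4242==    at 0x4E0B1C2: ImportMultiSpectralQuantum (quantum-import.c)
==4242==  Address 0x5c0a3f0 is 0 bytes after a block of size 16 alloc'd
EOF
}

# Usage: sh check-poc.sh heapoverflow-poc
if [ $# -gt 0 ]; then
    check_poc "$1"
fi
```

Run it once on the installed package and once after applying the update; a build that still has the bug produces the "Invalid read" lines, while the fixed build produces only the coder warnings shown in the comment.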
CC: (none) => tarazed25
I fired up my very special "Mageia Untainted" VirtualBox Plasma guest, and updated Imagemagick with no issues. I played with the gui, loading up a trailcam image of a beautiful 8-point whitetail buck from our farm. I flipped it, flopped it, then put it back. "Enhanced" it with effects until it was no longer recognizable, then reversed the process with "undo." Everything seemed to work, and while the deer might have been a bit shaken up, he didn't express any discomfort. Sending this on. Advisory in comment 2.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Thanks TJ; especially for exercising the gui, something I always forget.
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0161.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED