graphicsmagick: Multiple heap-based buffer over-reads

Debian Bug report logs - #927029
Reported by: Markus Koschany <apo@debian.org>

Date: Sat, 13 Apr 2019 21:48:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions graphicsmagick/1.4~hg15916-2, graphicsmagick/1.4~hg15916-1

Fixed in version graphicsmagick/1.4~hg15968-1

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#927029; Package graphicsmagick. (Sat, 13 Apr 2019 21:48:04 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sat, 13 Apr 2019 21:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: submit@bugs.debian.org
Subject: graphicsmagick: Multiple heap-based buffer over-reads
Date: Sat, 13 Apr 2019 23:45:40 +0200
Package: graphicsmagick
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for graphicsmagick.

CVE-2019-11005[0]:
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a stack-based
| buffer overflow in the function SVGStartElement of coders/svg.c, which
| allows remote attackers to cause a denial of service (application
| crash) or possibly have unspecified other impact via a quoted font
| family value.


CVE-2019-11006[1]:
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based
| buffer over-read in the function ReadMIFFImage of coders/miff.c, which
| allows attackers to cause a denial of service or information
| disclosure via an RLE packet.


CVE-2019-11007[2]:
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based
| buffer over-read in the ReadMNGImage function of coders/png.c, which
| allows attackers to cause a denial of service or information
| disclosure via an image colormap.


CVE-2019-11008[3]:
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based
| buffer overflow in the function WriteXWDImage of coders/xwd.c, which
| allows remote attackers to cause a denial of service (application
| crash) or possibly have unspecified other impact via a crafted image
| file.


CVE-2019-11009[4]:
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based
| buffer over-read in the function ReadXWDImage of coders/xwd.c, which
| allows attackers to cause a denial of service or information
| disclosure via a crafted image file.


CVE-2019-11010[5]:
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a memory leak in
| the function ReadMPCImage of coders/mpc.c, which allows attackers to
| cause a denial of service via a crafted image file.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11005
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11005
[1] https://security-tracker.debian.org/tracker/CVE-2019-11006
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11006
[2] https://security-tracker.debian.org/tracker/CVE-2019-11007
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11007
[3] https://security-tracker.debian.org/tracker/CVE-2019-11008
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11008
[4] https://security-tracker.debian.org/tracker/CVE-2019-11009
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11009
[5] https://security-tracker.debian.org/tracker/CVE-2019-11010
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11010

Please adjust the affected versions in the BTS as needed.

Regards,

Markus


Marked as found in versions graphicsmagick/1.4~hg15916-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 14 Apr 2019 07:45:03 GMT)


Marked as found in versions graphicsmagick/1.4~hg15916-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 14 Apr 2019 07:45:05 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 14 Apr 2019 07:45:07 GMT)


Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Mon, 15 Apr 2019 20:45:07 GMT)


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Mon, 15 Apr 2019 20:45:07 GMT)


Message #16 received at 927029-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 927029-close@bugs.debian.org
Subject: Bug#927029: fixed in graphicsmagick 1.4~hg15968-1
Date: Mon, 15 Apr 2019 20:42:15 +0000
Source: graphicsmagick
Source-Version: 1.4~hg15968-1

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 927029@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 15 Apr 2019 17:40:12 +0000
Source: graphicsmagick
Architecture: source
Version: 1.4~hg15968-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 927029
Changes:
 graphicsmagick (1.4~hg15968-1) unstable; urgency=high
 .
   * Mercurial snapshot, fixing the following security issues
     (closes: #927029):
     - ReadMATImage(): Report a corrupt image exception if reader encounters
       end of file while reading scanlines (use of uninitialized value in
       IsGrayImage() ),
     - ReadTOPOLImage(): Report a corrupt image if reader encounters end of
       file while reading header rows (use of uninitialized value in
       InsertRow() ),
     - OpenCache(): Use unsigned 64-bit value to store CacheInfo offset and
       length as well as for the total pixels calculation to prevent some more
       arithmetic overflows,
     - SetNexus(): Apply resource limits to pixel nexus allocations to prevent
       arithmetic and integer overflows,
     - SetNexus(): Report error for empty region rather than crashing due to
       divide by zero exception,
     - ReadTXTImage(): Don't start new line if x_max < x_min to avoid floating
       point exception in SetNexus(),
     - ReadMATImage(): Quit if image scanlines are not fully populated due to
       exception to prevent use of uninitialized value in
       InsertComplexFloatRow(),
     - ReadMATImage(): Fix memory leak on unexpected end of file,
     - Throwing an exception is now thread-safe,
     - Fx module error handling/reporting improvements,
     - Fix various uses of allocated memory without checking if memory
       allocation has failed,
     - CVE-2019-11010: ReadMPCImage(): Deal with a profile length of zero, or
       an irrationally large profile length to prevent memory leak,
     - CVE-2019-11007: ReadMNGImage(): Fix small buffer overflow (one
       PixelPacket) of image colormap,
     - CVE-2019-11009: ReadXWDImage(): Fix heap buffer overflow while reading
       DirectClass XWD file,
     - CVE-2019-11006: ReadMIFFImage(): Detect end of file while reading RLE
       packets to prevent heap buffer overflow,
     - CVE-2019-11005: SVGStartElement(): Fix stack buffer overflow while
       parsing quoted font family value,
     - CVE-2019-11008: XWD: Perform more header validations, a file size
       validation, and fix arithmetic overflows leading to heap overwrite,
     - ReadWMFImage(): Reject WMF files with an empty bounding box to prevent
       division by zero problems,
     - WritePDBImage(): Use correct bits/sample rather than image->depth to
       prevent potential buffer overflow,
     - WriteMATLABImage(): Add completely missing error handling to prevent
       heap buffer overflow,
     - SetNexus(): Fix arithmetic overflow while testing x/y offset limits,
     - DrawPrimitive(): Check primitive point x/y values for NaN to prevent
       integer overflow,
     - DrawImage(): Fix integer overflow while validating gradient dimensions,
     - WritePDBImage(): Assure that input scanline is cleared in order to
       cover up some decoder bug to prevent use of uninitialized value,
     - ReadXWDImage(): Add more validation logic to avoid crashes due to FPE
       and invalid reads.
   * Update library symbols for this release.

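The changelog entries for CVE-2019-11006 (end of file reached while reading RLE packets) and CVE-2019-11007 (a one-PixelPacket overflow of the colormap) describe the same root cause: run-length data is consumed without checking how many bytes remain in the input or how many pixels remain in the output. The C decoder below is an added example written for this page, not GraphicsMagick code; it uses a constructed packet layout (one count byte followed by `bpp` pixel bytes, the pixel repeated count+1 times) to show the two bounds checks such a reader needs and how a truncated or over-long stream is rejected instead of read or written out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed packet layout for this example (not the real MIFF encoding):
 * one count byte, then `bpp` pixel bytes; the pixel is emitted count+1 times. */
typedef enum { RLE_OK = 0, RLE_TRUNCATED = 1, RLE_OVERFLOW = 2 } rle_status;

/* Decode RLE packets from in[0..in_len) into out, which holds out_pixels
 * pixels of bpp bytes each. Both the input read and the output write are
 * checked before they happen, so a truncated stream (the CVE-2019-11006
 * pattern) or an over-long run (the colormap pattern) returns an error
 * instead of touching memory outside either buffer. */
rle_status decode_rle(const uint8_t *in, size_t in_len, size_t bpp,
                      uint8_t *out, size_t out_pixels)
{
    size_t ip = 0;   /* bytes of input consumed so far */
    size_t op = 0;   /* pixels of output produced so far */

    while (op < out_pixels) {
        /* End-of-file check: a whole packet must still be available. */
        if (in_len - ip < 1 + bpp)
            return RLE_TRUNCATED;
        size_t run = (size_t)in[ip] + 1;
        const uint8_t *pixel = in + ip + 1;
        ip += 1 + bpp;

        /* Output check: the run must fit in the pixels still unfilled. */
        if (run > out_pixels - op)
            return RLE_OVERFLOW;
        for (size_t i = 0; i < run; i++, op++)
            memcpy(out + op * bpp, pixel, bpp);
    }
    return RLE_OK;
}

/* Constructed sample streams for a 2-byte-per-pixel, 4-pixel image. */
static const uint8_t rle_good[]      = { 2, 0xAA, 0xBB, 0, 0x01, 0x02 }; /* 3 + 1 pixels */
static const uint8_t rle_truncated[] = { 2, 0xAA };                      /* cut mid-packet */
static const uint8_t rle_too_long[]  = { 9, 0xAA, 0xBB };                /* run of 10 > 4 */

/* Runs the three samples; returns 1 only if every case is handled as intended. */
int rle_selfcheck(void)
{
    uint8_t out[8];
    if (decode_rle(rle_good, sizeof rle_good, 2, out, 4) != RLE_OK) return 0;
    if (out[0] != 0xAA || out[5] != 0xBB || out[6] != 0x01 || out[7] != 0x02) return 0;
    if (decode_rle(rle_truncated, sizeof rle_truncated, 2, out, 4) != RLE_TRUNCATED) return 0;
    if (decode_rle(rle_too_long, sizeof rle_too_long, 2, out, 4) != RLE_OVERFLOW) return 0;
    return 1;
}
```

Note that `in_len - ip` is compared against the full packet size, not just the count byte; checking only for the count byte would still read `bpp` bytes past a stream that ends between the count and its pixel.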




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 May 2019 07:26:50 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:21:05 2019; Machine Name: buxtehude
