graphicsmagick: CVE-2018-20185

Debian Bug report logs - #916719
graphicsmagick: CVE-2018-20185

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: graphicsmagick: CVE-2018-20185

Date: Mon, 17 Dec 2018 21:35:10 +0100

Source: graphicsmagick
Version: 1.3.31-1
Severity: important
Tags: patch security upstream
Forwarded: https://sourceforge.net/p/graphicsmagick/bugs/582/

Hi,

The following vulnerability was published for graphicsmagick.

CVE-2018-20185[0]:
| In GraphicsMagick 1.4 snapshot-20181209 Q8 on 32-bit platforms, there
| is a heap-based buffer over-read in the ReadBMPImage function of bmp.c,
| which allows attackers to cause a denial of service via a crafted bmp
| image file. This only affects GraphicsMagick installations with
| customized BMP limits.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20185
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20185
[1] https://sourceforge.net/p/graphicsmagick/bugs/582/
[2] http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/648e3977a293

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #10 received at 916719-close@bugs.debian.org (full text, mbox, reply):

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>

To: 916719-close@bugs.debian.org

Subject: Bug#916719: fixed in graphicsmagick 1.4~hg15873-1

Date: Fri, 21 Dec 2018 01:49:12 +0000

Source: graphicsmagick
Source-Version: 1.4~hg15873-1

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 916719@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 20 Dec 2018 19:04:33 +0000
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick-q16-3 libgraphicsmagick1-dev libgraphicsmagick++-q16-12 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source
Version: 1.4~hg15873-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++-q16-12 - format-independent image processing - C++ shared library
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick-q16-3 - format-independent image processing - C shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 916719 916721 916752
Changes:
 graphicsmagick (1.4~hg15873-1) unstable; urgency=high
 .
   * Mercurial snapshot, fixing the following security issues:
     - WriteImage(): Eliminate use of just-freed memory in clone_info->magick,
     - ReadMIFFImage(): Fix memory leak of profiles 'name' when claimed length
       is zero,
     - WriteXPMImage(): Assure that added colormap entry for transparent XPM
       is initialized,
     - ReadMNGImage(): Fix non-terminal MNG looping,
     - ReadMIFFImage(): Sanitize claimed profile size before allocating memory
       for it,
     - CVE-2018-20185: ReadBMPImage(): Fix heap overflow in 32-bit build due
       to arithmetic overflow (closes: #916719),
     - CVE-2018-20184: WriteTGAImage(): Image rows/columns must not be larger
       than 65535 (closes: #916721),
     - ReadTIFFImage(): More validations and stricter error reporting,
     - ReadMIFFImage(): Detect and reject zero-length deflate-encoded row in
       MIFF version 0,
     - CVE-2018-20189: ReadDIBImage(): DIB images claiming more than 8-bits
       per pixel are not colormapped (closes: #916752).
   * Add pkg-config to build dependency for FreeType 2.9.1+ detection.
   * Update library symbols for this release.
Checksums-Sha1:
 570a64fc1c84f10e250fe16658ec184ad5feda11 2855 graphicsmagick_1.4~hg15873-1.dsc
 b8b928725b9dc11ae384492fa9a3fff72ea5249e 8601140 graphicsmagick_1.4~hg15873.orig.tar.xz
 01104bf756373ea16b215370920e7dc82076ed18 142760 graphicsmagick_1.4~hg15873-1.debian.tar.xz
 cd484cf006c65e55aa2a4fc67d4bbdffffc147f8 11902 graphicsmagick_1.4~hg15873-1_amd64.buildinfo
Checksums-Sha256:
 9693950df9b7ada072bd3a01e63ef777f632fd2ea29e41ffc721120ad38fa9d3 2855 graphicsmagick_1.4~hg15873-1.dsc
 7fd10c6f70273af33d40671195682f1b3a8bb478523388e49eee98b0fceda930 8601140 graphicsmagick_1.4~hg15873.orig.tar.xz
 e7ee0d298f63f06906d01b95bf9adc05c0c4e06ca3f9f4108a249088d1aca57e 142760 graphicsmagick_1.4~hg15873-1.debian.tar.xz
 b418fd324f3be55c2b8827c39f063c3b5c864f3e6f9f8d752e530ba236937f57 11902 graphicsmagick_1.4~hg15873-1_amd64.buildinfo
Files:
 6d743b2f0ce9591b00615b495d1eba94 2855 graphics optional graphicsmagick_1.4~hg15873-1.dsc
 436d86adba099cf081c25fda5203d4b0 8601140 graphics optional graphicsmagick_1.4~hg15873.orig.tar.xz
 4997053a300319d4e660d0f70e595e27 142760 graphics optional graphicsmagick_1.4~hg15873-1.debian.tar.xz
 ed36e05e528f8b06a7637e17e9b13f7b 11902 graphics optional graphicsmagick_1.4~hg15873-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAlwcQq4ACgkQ3OMQ54ZM
yL8ZLg/+O7y8a5z7x0kvywOfrEfcox5siIv/0OY4U5WuVorc/SlKTptcmc/U5t8u
bGGgRvP9U1RhFTXM9KvOxsDU9jo48ZbuS6K9HjxvUDM3zxgNqCtcuQI7A7dVIrml
qKAdaY6cjKDqjVcRw0HjXmuXf9cy8b8RzPWaA3VRRZ3Hd+RDmu6YICVE8cGEvMrq
2dM0dC4Ih4LAt7DfvHt4l0Hvha1B8dxo0KSbP74F6dmtimXFDb2C9Okxl5JVi0sJ
rk/9ZvAHN0pmrBjCegJuYtmI6u6vvZtNmkSPO+hyhidhqKT/8uEMoHJA2Wbg9RwN
KGHjhXH7OWooeKvH7d3BP8DWGmunx4tbevQ43ncRTEhys4GHlq2EajiRITJiMwdb
bc6+oqv50j3tIWms7NmX3g58irnOE8/acsAOlHmsVVRYdJBtfjBlyDrBwUH2mfp/
Y/ClSNQQsaaBCqAJcnocqjfpcvgDXD+xmeWutSjk+zivNRQKIDxyo0jiUDT9s9QT
B3GZS5rx1qsQG+6RrEsT11jnTL4esLRiMLavqJO5htKkNt5x/yKyp7vsmR9qR7xE
lr+as848W7UWsZWajvFXvv17Qh4HGSWulPW+atBFkNzsPZzt/3+kCF5ZkA6ipMxT
U+EwY49ljer/dRYsxp2W5t9xCAo7PW4ezw0PAFWABa5BPPcW8Kc=
=0f0w
-----END PGP SIGNATURE-----

Message #15 received at 916719@bugs.debian.org (full text, mbox, reply):

From: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

To: 916719@bugs.debian.org

Cc: Laszlo Boszormenyi <gcs@debian.org>

Subject: Re: Bug#916719: marked as done (graphicsmagick: CVE-2018-20185)

Date: Fri, 21 Dec 2018 07:56:24 -0600 (CST)

On Fri, 21 Dec 2018, Debian Bug Tracking System wrote:

> Your message dated Fri, 21 Dec 2018 01:49:12 +0000
> with message-id <E1ga9w8-0009Rq-9l@fasolo.debian.org>
> and subject line Bug#916719: fixed in graphicsmagick 1.4~hg15873-1
> has caused the Debian Bug report #916719,
> regarding graphicsmagick: CVE-2018-20185
> to be marked as done.

It has been suggested to me by the Suse Linux maintainer that the fix 
I submitted for CVE-2018-20185 may be less than adequate.  However, I 
will be away for 1-1/2 weeks and will not have time to investigate.

Bob
-- 
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
Public Key,     http://www.simplesystems.org/users/bfriesen/public-key.txt

Message #28 received at 916719@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>, 916719@bugs.debian.org

Cc: Laszlo Boszormenyi <gcs@debian.org>, team@security.debian.org

Subject: On the fix of CVE-2018-20185

Date: Sat, 5 Jan 2019 22:38:33 +0100

Hi Bob,

On Fri, Dec 21, 2018 at 07:56:24AM -0600, Bob Friesenhahn wrote:
> On Fri, 21 Dec 2018, Debian Bug Tracking System wrote:
> 
> > Your message dated Fri, 21 Dec 2018 01:49:12 +0000
> > with message-id <E1ga9w8-0009Rq-9l@fasolo.debian.org>
> > and subject line Bug#916719: fixed in graphicsmagick 1.4~hg15873-1
> > has caused the Debian Bug report #916719,
> > regarding graphicsmagick: CVE-2018-20185
> > to be marked as done.
> 
> It has been suggested to me by the Suse Linux maintainer that the fix I
> submitted for CVE-2018-20185 may be less than adequate.  However, I will be
> away for 1-1/2 weeks and will not have time to investigate.

Did you found time for further investigation of the report from the
SuSE maintainer? Is the original fix as per
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/648e3977a293 not
(completely) solving the security issue or incomplete/inadeguate in
the sense it introduces some regresssion (e.g. functionality wise)?

What was the concern of the SuSE maintainer?

Regards,
Salvatore

Message #33 received at 916719@bugs.debian.org (full text, mbox, reply):

From: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 916719@bugs.debian.org, Laszlo Boszormenyi <gcs@debian.org>, team@security.debian.org

Subject: Re: On the fix of CVE-2018-20185

Date: Sat, 5 Jan 2019 16:40:52 -0600 (CST)

On Sat, 5 Jan 2019, Salvatore Bonaccorso wrote:

> Hi Bob,
>
> On Fri, Dec 21, 2018 at 07:56:24AM -0600, Bob Friesenhahn wrote:
>> On Fri, 21 Dec 2018, Debian Bug Tracking System wrote:
>>
>>> Your message dated Fri, 21 Dec 2018 01:49:12 +0000
>>> with message-id <E1ga9w8-0009Rq-9l@fasolo.debian.org>
>>> and subject line Bug#916719: fixed in graphicsmagick 1.4~hg15873-1
>>> has caused the Debian Bug report #916719,
>>> regarding graphicsmagick: CVE-2018-20185
>>> to be marked as done.
>>
>> It has been suggested to me by the Suse Linux maintainer that the fix I
>> submitted for CVE-2018-20185 may be less than adequate.  However, I will be
>> away for 1-1/2 weeks and will not have time to investigate.
>
> Did you found time for further investigation of the report from the
> SuSE maintainer? Is the original fix as per
> http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/648e3977a293 not
> (completely) solving the security issue or incomplete/inadeguate in
> the sense it introduces some regresssion (e.g. functionality wise)?
>
> What was the concern of the SuSE maintainer?

I am back from vacation but have not investigated the issue yet.

Petr Gajdos referred me to this Suse issue:

  https://bugzilla.suse.com/show_bug.cgi?id=1119823#c1

Bob
-- 
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
Public Key,     http://www.simplesystems.org/users/bfriesen/public-key.txt

Message #38 received at 916719@bugs.debian.org (full text, mbox, reply):

From: László Böszörményi (GCS) <gcs@debian.org>

To: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>, Debian Security Team <team@security.debian.org>

Cc: 916719@bugs.debian.org

Subject: Re: On the fix of CVE-2018-20185

Date: Sun, 6 Jan 2019 02:08:15 +0100

On Sun, Jan 6, 2019 at 12:11 AM Bob Friesenhahn
<bfriesen@simple.dallas.tx.us> wrote:
> On Sat, 5 Jan 2019, Salvatore Bonaccorso wrote:
> > On Fri, Dec 21, 2018 at 07:56:24AM -0600, Bob Friesenhahn wrote:
> >> It has been suggested to me by the Suse Linux maintainer that the fix I
> >> submitted for CVE-2018-20185 may be less than adequate.  However, I will be
> >> away for 1-1/2 weeks and will not have time to investigate.
> >
> > Did you found time for further investigation of the report from the
> > SuSE maintainer? Is the original fix as per
> > http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/648e3977a293 not
> > (completely) solving the security issue or incomplete/inadeguate in
> > the sense it introduces some regresssion (e.g. functionality wise)?
> >
> > What was the concern of the SuSE maintainer?
>
> I am back from vacation but have not investigated the issue yet.
>
> Petr Gajdos referred me to this Suse issue:
>
>    https://bugzilla.suse.com/show_bug.cgi?id=1119823#c1
 If I understand it correctly, only builds with quantum depth = 8 are
affected, right?
But please ping us when you had time to further investigate this.

Thanks,
Laszlo/GCS

Message #45 received at 916719@bugs.debian.org (full text, mbox, reply):

From: László Böszörményi (GCS) <gcs@debian.org>

To: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>, Debian Security Team <team@security.debian.org>

Cc: 916719@bugs.debian.org

Subject: Re: On the fix of CVE-2018-20185

Date: Sun, 3 Feb 2019 16:37:28 +0100

Hi Bob,

On Sun, Jan 6, 2019 at 12:11 AM Bob Friesenhahn
<bfriesen@simple.dallas.tx.us> wrote:
> On Sat, 5 Jan 2019, Salvatore Bonaccorso wrote:
> > Did you found time for further investigation of the report from the
> > SuSE maintainer? Is the original fix as per
> > http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/648e3977a293 not
> > (completely) solving the security issue or incomplete/inadeguate in
> > the sense it introduces some regresssion (e.g. functionality wise)?
> >
> > What was the concern of the SuSE maintainer?
>
> I am back from vacation but have not investigated the issue yet.
 Just a friendly reminder if you could look into this. The original
bugreport[1] doesn't contain any new information. But the SuSE
bugreport[2] which is referenced says "I believe all fixed".

Kind regards,
Laszlo/GCS
[1] https://sourceforge.net/p/graphicsmagick/bugs/582/
[2] https://bugzilla.suse.com/show_bug.cgi?id=1119823#c1

Message #50 received at 916719@bugs.debian.org (full text, mbox, reply):

From: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

To: László Böszörményi (GCS) <gcs@debian.org>

Cc: Debian Security Team <team@security.debian.org>, 916719@bugs.debian.org

Subject: Re: On the fix of CVE-2018-20185

Date: Sun, 3 Feb 2019 12:25:27 -0600 (CST)

[Message part 1 (text/plain, inline)]

On Sun, 3 Feb 2019, László Böszörményi (GCS) wrote:

> Hi Bob,
>
> On Sun, Jan 6, 2019 at 12:11 AM Bob Friesenhahn
> <bfriesen@simple.dallas.tx.us> wrote:
>> On Sat, 5 Jan 2019, Salvatore Bonaccorso wrote:
>>> Did you found time for further investigation of the report from the
>>> SuSE maintainer? Is the original fix as per
>>> http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/648e3977a293 not
>>> (completely) solving the security issue or incomplete/inadeguate in
>>> the sense it introduces some regresssion (e.g. functionality wise)?
>>>
>>> What was the concern of the SuSE maintainer?
>>
>> I am back from vacation but have not investigated the issue yet.
> Just a friendly reminder if you could look into this. The original
> bugreport[1] doesn't contain any new information. But the SuSE
> bugreport[2] which is referenced says "I believe all fixed".

I just checked and I am able to reproduce the problem using current 
source code using a "Q8" AMD64 build.  I think that a "Q16" build does 
not fail in the same way.  The difference may be due to the maximum 
allowed pixels in one row (twice as many are allowed in a Q8 build).

Bob
-- 
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
Public Key,     http://www.simplesystems.org/users/bfriesen/public-key.txt

Message #55 received at 916719@bugs.debian.org (full text, mbox, reply):

From: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

To: László Böszörményi (GCS) <gcs@debian.org>

Cc: Debian Security Team <team@security.debian.org>, 916719@bugs.debian.org

Subject: Re: On the fix of CVE-2018-20185

Date: Sun, 3 Feb 2019 14:47:10 -0600 (CST)

This issue (and some similar issues in the dib.c code) is addressed by 
Mercurial changeset 15880:c38fc0e3e465.

Bob
-- 
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
Public Key,     http://www.simplesystems.org/users/bfriesen/public-key.txt

Message #66 received at 916719-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: control@bugs.debian.org

Cc: 916719-submitter@bugs.debian.org

Subject: closing 916719

Date: Thu, 07 Feb 2019 14:38:37 +0100

close 916719 1.4~hg15880-1
thanks

Send a report that this bug log contains spam.