imagemagick is vulnerable to CVE-2020-27829

Done. Submitted by Léo Le Bouter.
Details
3 participants
  • Léo Le Bouter
  • Maxime Devos
  • Mark H Weaver
Owner
unassigned
Severity
normal
Léo Le Bouter wrote on 26 Mar 20:52 +0100
(address . bug-guix@gnu.org)
e3478c8a057c33edc40dff562106807e883cef99.camel@zaclys.net
CVE-2020-27829: A heap-based buffer overflow in coders/tiff.c may result in program crash and denial of service in ImageMagick before 7.0.10-45.
Upstream patch available at https://github.com/ImageMagick/ImageMagick/commit/6ee5059cd3ac8d82714a1ab1321399b88539abf0
Not yet backported to 6.x series but applies more or less cleanly (besides ChangeLog file).
A patch will follow, please review!
Thank you

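The report above describes a heap buffer overflow in the TIFF strip-decoding path, where a buffer is sized from image dimensions and then filled by the decoder. The following is an added example, not ImageMagick's or Guix's code: the type and function names (`strip_buffer`, `acquire_quantum_memory_checked`, `strip_extent`, `strip_buffer_write`) and the 8x16 sample strip are constructed for this illustration. It shows the two defensive properties a defender wants in such code: the size computation cannot silently wrap, and every write into the strip is checked against the capacity that was actually allocated, so an over-long strip is rejected instead of corrupting the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed for this example (not ImageMagick code): a strip buffer that
   remembers its own capacity so each write can be checked against it. */
typedef struct {
    unsigned char *data;
    size_t capacity;            /* bytes actually allocated */
} strip_buffer;

/* Overflow-checked count*quantum allocation, in the spirit of the
   AcquireQuantumMemory() call quoted in the bug: refuse the request
   instead of letting the product wrap to a small allocation. */
static void *acquire_quantum_memory_checked(size_t count, size_t quantum)
{
    if (count == 0 || quantum == 0 || count > SIZE_MAX / quantum)
        return NULL;            /* zero-size or count*quantum would overflow */
    return malloc(count * quantum);
}

/* Byte extent of one strip: rows*columns*bytes_per_sample plus one row of
   uint32 slack (the "extent+=image->columns*sizeof(uint32)" step in the
   upstream hunk). Each multiplication and the addition is checked; a return
   of 0 means "not representable" and the caller treats it as an error. */
static size_t strip_extent(size_t rows, size_t columns, size_t bytes_per_sample)
{
    size_t row_bytes, extent;

    if (rows == 0 || columns == 0 || bytes_per_sample == 0)
        return 0;
    if (bytes_per_sample > SIZE_MAX / columns)
        return 0;
    row_bytes = columns * bytes_per_sample;
    if (rows > SIZE_MAX / row_bytes)
        return 0;
    extent = rows * row_bytes;
    if (columns > (SIZE_MAX - extent) / sizeof(uint32_t))
        return 0;
    return extent + columns * sizeof(uint32_t);
}

/* Allocate the strip and zero all of it: clearing sb->capacity rather than a
   separately computed size means no uninitialised tail can exist even if the
   allocation is later padded. Returns 0 on success, -1 on failure. */
static int strip_buffer_init(strip_buffer *sb, size_t extent)
{
    sb->data = NULL;
    sb->capacity = 0;
    if (extent == 0)
        return -1;
    sb->data = acquire_quantum_memory_checked(extent, sizeof(*sb->data));
    if (sb->data == NULL)
        return -1;
    sb->capacity = extent;
    memset(sb->data, 0, sb->capacity);
    return 0;
}

/* Bounds-checked copy of decoded bytes into the strip. A write that would run
   past the allocation is rejected (-1) instead of overflowing the heap. */
static int strip_buffer_write(strip_buffer *sb, size_t offset,
                              const unsigned char *src, size_t len)
{
    if (sb->data == NULL || offset > sb->capacity || len > sb->capacity - offset)
        return -1;
    memcpy(sb->data + offset, src, len);
    return 0;
}

static void strip_buffer_free(strip_buffer *sb)
{
    free(sb->data);
    sb->data = NULL;
    sb->capacity = 0;
}

/* Exercise the checks on a constructed 8x16 strip of 4-byte samples and
   return how many of the five expected outcomes held. */
static int run_strip_checks(void)
{
    strip_buffer sb;
    unsigned char decoded[8];
    size_t extent = strip_extent(8, 16, 4);   /* 8*16*4 + 16*4 = 576 */
    int passed = 0;

    memset(decoded, 0xAB, sizeof decoded);    /* constructed decoder output */
    if (extent == 576) passed++;
    if (strip_buffer_init(&sb, extent) == 0 && sb.data[sb.capacity - 1] == 0) passed++;
    if (strip_buffer_write(&sb, 568, decoded, 8) == 0) passed++;   /* ends at 576 */
    if (strip_buffer_write(&sb, 569, decoded, 8) == -1) passed++;  /* one byte over */
    if (strip_buffer_write(&sb, 600, decoded, 1) == -1) passed++;  /* offset past end */
    strip_buffer_free(&sb);
    return passed;
}

int main(void)
{
    printf("strip checks passed: %d/5\n", run_strip_checks());
    printf("oversized extent rejected: %s\n", strip_extent(SIZE_MAX, 2, 1) == 0 ? "yes" : "no");
    return 0;
}
```

The design point is that the capacity used for the bounds check is the same value passed to the allocator and to `memset`, so the three can never drift apart the way a doubled allocation size and an unchanged zeroing length can.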
Léo Le Bouter wrote on 26 Mar 20:53 +0100
[PATCH] gnu: imagemagick: Fix CVE-2020-27829.
(address . 47418@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210326195342.14152-1-lle-bout@zaclys.net
* gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/imagemagick.scm (imagemagick/fixed): Apply patch to existing graft.
---
 gnu/local.mk                                 |  1 +
 gnu/packages/imagemagick.scm                 |  3 ++-
 .../patches/imagemagick-CVE-2020-27829.patch | 23 +++++++++++++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch
Toggle diff (57 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex 40956598db..fe70238345 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -1220,6 +1220,7 @@ dist_patch_DATA = \ %D%/packages/patches/id3lib-UTF16-writing-bug.patch \ %D%/packages/patches/idris-disable-test.patch \ %D%/packages/patches/ilmbase-fix-tests.patch \+ %D%/packages/patches/imagemagick-CVE-2020-27829.patch \ %D%/packages/patches/inetutils-hurd.patch \ %D%/packages/patches/inkscape-poppler-0.76.patch \ %D%/packages/patches/intel-xed-fix-nondeterminism.patch \diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scmindex a3562f2e13..1618a28596 100644--- a/gnu/packages/imagemagick.scm+++ b/gnu/packages/imagemagick.scm@@ -143,7 +143,8 @@ text, lines, polygons, ellipses and Bézier curves.") "6.9.12-2.tar.xz")) (sha256 (base32- "17da5zihz58qm41y61sbvw626m5xfwr2nzszlikrvxyq1j1q7asa"))))+ "17da5zihz58qm41y61sbvw626m5xfwr2nzszlikrvxyq1j1q7asa"))+ (patches (search-patches "imagemagick-CVE-2020-27829.patch")))) (arguments (substitute-keyword-arguments (package-arguments imagemagick) ((#:phases phases)diff --git a/gnu/packages/patches/imagemagick-CVE-2020-27829.patch b/gnu/packages/patches/imagemagick-CVE-2020-27829.patchnew file mode 100644index 0000000000..74debdc98e--- /dev/null+++ b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch@@ -0,0 +1,23 @@+From 6ee5059cd3ac8d82714a1ab1321399b88539abf0 Mon Sep 17 00:00:00 2001+From: Cristy <urban-warrior@imagemagick.org>+Date: Mon, 30 Nov 2020 16:27:26 +0000+Subject: [PATCH] possible TIFF related-heap buffer overflow (alert & POC by+ Hardik Shah)++---+ coders/tiff.c | 2 +-+ 1 files changed, 1 insertions(+), 1 deletion(-)++diff --git a/coders/tiff.c b/coders/tiff.c+index e98f927abd..1eecf17aea 100644+--- a/coders/tiff.c++++ b/coders/tiff.c+@@ -1975,7 +1975,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,+ extent+=image->columns*sizeof(uint32);+ #endif+ strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,+- 
sizeof(*strip_pixels));++ 2*sizeof(*strip_pixels));+ if (strip_pixels == (unsigned char *) NULL)+ ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");+ (void) memset(strip_pixels,0,extent*sizeof(*strip_pixels));-- 2.31.0
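Review bot: in the gnu/packages/imagemagick.scm hunk, the `(patches (search-patches "imagemagick-CVE-2020-27829.patch"))` field is placed inside the origin of the `imagemagick/fixed` graft replacement, which is the right spot, and the parentheses still balance (the four closers from the removed `"17da5…"))))` line are split across the two `+` lines). Since the graft now carries a security fix, a short comment above `imagemagick/fixed` naming CVE-2020-27829 would let the next person extending the graft see which fixes it already contains.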
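Review bot: in the embedded coders/tiff.c hunk of the new patch file, the allocation grows to `2*sizeof(*strip_pixels)` per element, but the unchanged context line `(void) memset(strip_pixels,0,extent*sizeof(*strip_pixels));` still zeroes only the first `extent` bytes, so the added half of the buffer is not initialised. That is how the upstream commit is written and it should not be edited locally, but the patch file's header would benefit from a line recording that the fix works by over-allocating rather than by tightening the `extent` computation, together with the CVE id and the upstream commit URL given in the bug report, so the patch can be dropped with confidence once the package is updated to a release that contains it.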
Léo Le Bouter wrote on 26 Mar 21:55 +0100
(address . control@debbugs.gnu.org)
01f74998636bf9665438b9ebd021cb89bf7dbd29.camel@zaclys.net
tags 47418 + security
quit

Maxime Devos wrote on 27 Mar 00:12 +0100
095ec340cf07cbb96d5dc7f53ca4b47b8ec1525d.camel@telenet.be
This patch seems about right to me. However,
$ guix lint -c cve imagemagick
gnu/packages/imagemagick.scm:132:2: imagemagick@6.9.12-2g: probably vulnerable to CVE-2021-20176, CVE-2021-20243, CVE-2021-20244, CVE-2020-25663, CVE-2020-25665, CVE-2020-25666, CVE-2020-25667, CVE-2020-25674, CVE-2020-25675, CVE-2020-25676, CVE-2020-27750, CVE-2020-27751, CVE-2020-27752, CVE-2020-27753, CVE-2020-27755, CVE-2020-27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759, CVE-2020-27760, CVE-2020-27761, CVE-2020-27762, CVE-2020-27763, CVE-2020-27765, CVE-2020-27766, CVE-2020-27767, CVE-2020-27768, CVE-2020-27770, CVE-2020-27771, CVE-2020-27772, CVE-2020-27773, CVE-2020-27774, CVE-2020-27775, CVE-2020-27776, CVE-2019-10131, CVE-2019-10714, CVE-2019-13133, CVE-2019-13134, CVE-2019-13135, CVE-2019-13136, CVE-2019-13137, CVE-2019-17540, CVE-2019-17541, CVE-2019-17547, CVE-2019-18853, CVE-2019-7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397, CVE-2019-7398, CVE-2018-16323, CVE-2018-16328, CVE-2018-16329, CVE-2018-16749, CVE-2018-16750, CVE-2018-20467, CVE-2018-6405
Did we forget some bugs & patches, or is "guix lint" incorrect here?
Greetings,
Maxime

Léo Le Bouter wrote on 27 Mar 00:16 +0100
4023b12d389fe22b89f593e4d36e716b6f9b001e.camel@zaclys.net
On Sat, 2021-03-27 at 00:12 +0100, Maxime Devos wrote:
> This patch seems about right to me. However,
>
> $ guix lint -c cve imagemagick
> gnu/packages/imagemagick.scm:132:2: imagemagick@6.9.12-2g: probably
> vulnerable to CVE-2021-20176, CVE-2021-20243, CVE-2021-20244, CVE-2020-25663,
> CVE-2020-25665, CVE-2020-25666, CVE-2020-25667, CVE-2020-25674, CVE-2020-25675,
> CVE-2020-25676, CVE-2020-27750, CVE-2020-27751, CVE-2020-27752, CVE-2020-27753,
> CVE-2020-27755, CVE-2020-27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759,
> CVE-2020-27760, CVE-2020-27761, CVE-2020-27762, CVE-2020-27763, CVE-2020-27765,
> CVE-2020-27766, CVE-2020-27767, CVE-2020-27768, CVE-2020-27770, CVE-2020-27771,
> CVE-2020-27772, CVE-2020-27773, CVE-2020-27774, CVE-2020-27775, CVE-2020-27776,
> CVE-2019-10131, CVE-2019-10714, CVE-2019-13133, CVE-2019-13134, CVE-2019-13135,
> CVE-2019-13136, CVE-2019-13137, CVE-2019-17540, CVE-2019-17541, CVE-2019-17547,
> CVE-2019-18853, CVE-2019-7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397,
> CVE-2019-7398, CVE-2018-16323, CVE-2018-16328, CVE-2018-16329, CVE-2018-16749,
> CVE-2018-16750, CVE-2018-20467, CVE-2018-6405
>
> Did we forget some bugs & patches, or is "guix lint" incorrect here?
>
> Greetings,
> Maxime
To me, ImageMagick has been lagging behind for a long while and we need to upgrade to the latest version ASAP. Unfortunately we don't seem to be able to do that since it has lots of dependents, and backporting each and every one of these patches is just impossible; also there's way more in the commit history without security labeling like CVE.
I don't want to deal with backporting things for ImageMagick to catch up with the previous security fixes that no one cared to apply in due time earlier. It's just too much.

Mark H Weaver wrote on 27 Mar 14:27 +0100
(address . 47418@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
875z1czpxm.fsf@netris.org
Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> writes:
> * gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New patch.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/imagemagick.scm (imagemagick/fixed): Apply patch to existing
> graft.
> ---
>  gnu/local.mk                                 |  1 +
>  gnu/packages/imagemagick.scm                 |  3 ++-
>  .../patches/imagemagick-CVE-2020-27829.patch | 23 +++++++++++++++++++
>  3 files changed, 26 insertions(+), 1 deletion(-)
>  create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch
Your patch looks good to me, but I've just posted an alternative patch set to 'guix-devel' which should enable us to keep ImageMagick up-to-date without grafting, and which fixes this security flaw and more.
https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00538.html
It's not a big deal, but if you push your patch now, I would need to rebase the patch set on top of it.
Mark
Léo Le Bouter wrote on 27 Mar 14:30 +0100
cec7633f5fac61ebd29a6dd1e075b12e854aded8.camel@zaclys.net
On Sat, 2021-03-27 at 09:27 -0400, Mark H Weaver wrote:
> Your patch looks good to me, but I've just posted an alternative
> patch set to 'guix-devel' which should enable us to keep ImageMagick
> up-to-date without grafting, and which fixes this security flaw and
> more.
>
> https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00538.html
>
> It's not a big deal, but if you push your patch now, I would need to
> rebase the patch set on top of it.
>
> Mark
Thank you, let's get your better patch in then close this.

Mark H Weaver wrote on 28 Mar 01:15 +0100
87eeg0dtgc.fsf@netris.org
Léo Le Bouter <lle-bout@zaclys.net> writes:
> Thank you, let's get your better patch in then close this.
I've now pushed those patches to 'master'. CVE-2020-27829 is fixed in commit bfc69d5e7c45eac865e231643b58396580afb231, so I'm closing this bug now.
Thanks!
Mark
Closed