imagemagick is vulnerable to CVE-2020-27829

Done

Details

3 participants

Léo Le Bouter
Maxime Devos
Mark H Weaver

Owner: unassigned

Submitted by: Léo Le Bouter

Severity: normal

Léo Le Bouter wrote on 26 Mar 2021 20:52

Recipients:(address . bug-guix@gnu.org)

Message-ID:e3478c8a057c33edc40dff562106807e883cef99.camel@zaclys.net

CVE-2020-27829 18:15

A heap based buffer overflow in coders/tiff.c may result in program

crash and denial of service in ImageMagick before 7.0.10-45.

Upstream patch available at

https://github.com/ImageMagick/ImageMagick/commit/6ee5059cd3ac8d82714a1ab1321399b88539abf0

Not yet backported to 6.x series but applies more or less cleanly

(besides ChangeLog file).

A patch will follow, please review!

Thank you

Léo Le Bouter wrote on 26 Mar 2021 20:53

[PATCH] gnu: imagemagick: Fix CVE-2020-27829.

Recipients:(address . 47418@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)

Message-ID:20210326195342.14152-1-lle-bout@zaclys.net

* gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/imagemagick.scm (imagemagick/fixed): Apply patch to existing
graft.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/imagemagick.scm                  |  3 ++-
 .../patches/imagemagick-CVE-2020-27829.patch  | 23 +++++++++++++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch

Toggle diff (57 lines)diff --git a/gnu/local.mk b/gnu/local.mk
index 40956598db..fe70238345 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1220,6 +1220,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/id3lib-UTF16-writing-bug.patch			\
   %D%/packages/patches/idris-disable-test.patch			\
   %D%/packages/patches/ilmbase-fix-tests.patch			\
+  %D%/packages/patches/imagemagick-CVE-2020-27829.patch	\
   %D%/packages/patches/inetutils-hurd.patch			\
   %D%/packages/patches/inkscape-poppler-0.76.patch		\
   %D%/packages/patches/intel-xed-fix-nondeterminism.patch	\
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index a3562f2e13..1618a28596 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -143,7 +143,8 @@ text, lines, polygons, ellipses and Bézier curves.")
                                   "6.9.12-2.tar.xz"))
               (sha256
                (base32
-                "17da5zihz58qm41y61sbvw626m5xfwr2nzszlikrvxyq1j1q7asa"))))
+                "17da5zihz58qm41y61sbvw626m5xfwr2nzszlikrvxyq1j1q7asa"))
+              (patches (search-patches "imagemagick-CVE-2020-27829.patch"))))
     (arguments
      (substitute-keyword-arguments (package-arguments imagemagick)
        ((#:phases phases)
diff --git a/gnu/packages/patches/imagemagick-CVE-2020-27829.patch b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch
new file mode 100644
index 0000000000..74debdc98e
--- /dev/null
+++ b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch
@@ -0,0 +1,23 @@
+From 6ee5059cd3ac8d82714a1ab1321399b88539abf0 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 30 Nov 2020 16:27:26 +0000
+Subject: [PATCH] possible TIFF related-heap buffer overflow (alert & POC by
+ Hardik Shah)
+
+---
+ coders/tiff.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletion(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index e98f927abd..1eecf17aea 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1975,7 +1975,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         extent+=image->columns*sizeof(uint32);
+ #endif
+         strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+-          sizeof(*strip_pixels));
++          2*sizeof(*strip_pixels));
+         if (strip_pixels == (unsigned char *) NULL)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+         (void) memset(strip_pixels,0,extent*sizeof(*strip_pixels));
-- 
2.31.0

Léo Le Bouter wrote on 26 Mar 2021 21:55

Recipients:(address . control@debbugs.gnu.org)

Message-ID:01f74998636bf9665438b9ebd021cb89bf7dbd29.camel@zaclys.net

tags 47418 + security

quit

Maxime Devos wrote on 27 Mar 2021 00:12

Recipients:

Message-ID:095ec340cf07cbb96d5dc7f53ca4b47b8ec1525d.camel@telenet.be

This patch seems about right to me.  However,

$ guix lint -c cve imagemagick
gnu/packages/imagemagick.scm:132:2: imagemagick@6.9.12-2g: probably vulnerable to CVE-2021-20176, CVE-2021-20243, CVE-2021-20244, CVE-
2020-25663, CVE-2020-25665, CVE-2020-25666, CVE-2020-25667, CVE-2020-25674, CVE-2020-25675, CVE-2020-25676, CVE-2020-27750, CVE-2020-
27751, CVE-2020-27752, CVE-2020-27753, CVE-2020-27755, CVE-2020-27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759, CVE-2020-27760,
CVE-2020-27761, CVE-2020-27762, CVE-2020-27763, CVE-2020-27765, CVE-2020-27766, CVE-2020-27767, CVE-2020-27768, CVE-2020-27770, CVE-2020-
27771, CVE-2020-27772, CVE-2020-27773, CVE-2020-27774, CVE-2020-27775, CVE-2020-27776, CVE-2019-10131, CVE-2019-10714, CVE-2019-13133,
CVE-2019-13134, CVE-2019-13135, CVE-2019-13136, CVE-2019-13137, CVE-2019-17540, CVE-2019-17541, CVE-2019-17547, CVE-2019-18853, CVE-2019-
7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397, CVE-2019-7398, CVE-2018-16323, CVE-2018-16328, CVE-2018-16329, CVE-2018-16749, CVE-
2018-16750, CVE-2018-20467, CVE-2018-6405

Did we forget some bugs & patches, or is "guix lint" incorrect here?

Greetings,
Maxime

-----BEGIN PGP SIGNATURE-----

iI0EABYIADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYF5qTBccbWF4aW1lZGV2

b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7njXAQDE7+/CYLDv/Mht1W2jEGrRV4nW

hL9s3DKB37bqfzApPQEArRh+HvmA9vjFe2+9X1e2f1ogUIrLvProBOD16d7pBQQ=

=Jts5

-----END PGP SIGNATURE-----

Léo Le Bouter wrote on 27 Mar 2021 00:16

Recipients:

Message-ID:4023b12d389fe22b89f593e4d36e716b6f9b001e.camel@zaclys.net

On Sat, 2021-03-27 at 00:12 +0100, Maxime Devos wrote:

Toggle quote (26 lines)> This patch seems about right to me.  However,
> 
> $ guix lint -c cve imagemagick
> gnu/packages/imagemagick.scm:132:2: imagemagick@6.9.12-2g: probably
> vulnerable to CVE-2021-20176, CVE-2021-20243, CVE-2021-20244, CVE-
> 2020-25663, CVE-2020-25665, CVE-2020-25666, CVE-2020-25667, CVE-2020-
> 25674, CVE-2020-25675, CVE-2020-25676, CVE-2020-27750, CVE-2020-
> 27751, CVE-2020-27752, CVE-2020-27753, CVE-2020-27755, CVE-2020-
> 27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759, CVE-2020-
> 27760,
> CVE-2020-27761, CVE-2020-27762, CVE-2020-27763, CVE-2020-27765, CVE-
> 2020-27766, CVE-2020-27767, CVE-2020-27768, CVE-2020-27770, CVE-2020-
> 27771, CVE-2020-27772, CVE-2020-27773, CVE-2020-27774, CVE-2020-
> 27775, CVE-2020-27776, CVE-2019-10131, CVE-2019-10714, CVE-2019-
> 13133,
> CVE-2019-13134, CVE-2019-13135, CVE-2019-13136, CVE-2019-13137, CVE-
> 2019-17540, CVE-2019-17541, CVE-2019-17547, CVE-2019-18853, CVE-2019-
> 7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397, CVE-2019-7398,
> CVE-2018-16323, CVE-2018-16328, CVE-2018-16329, CVE-2018-16749, CVE-
> 2018-16750, CVE-2018-20467, CVE-2018-6405
> 
> Did we forget some bugs & patches, or is "guix lint" incorrect here?
> 
> Greetings,
> Maxime

To me, ImageMagick is lagging behind since a long while and we need to
upgrade to the latest version ASAP. Unfortunately we don't seem to be
able to do that since it has lots of dependents and backporting each
and every of these patches is just impossible, also there's way more in
the commit history without security labeling like CVE.

I don't want to deal with backporting things for ImageMagick to catch
up with the previous security fixes that no one cared to apply in due
time earlier. It's just too much.

Mark H Weaver wrote on 27 Mar 2021 14:27

Recipients:(address . 47418@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)

Message-ID:875z1czpxm.fsf@netris.org

Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

Toggle quote (11 lines)> * gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New patch.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/imagemagick.scm (imagemagick/fixed): Apply patch to existing
> graft.
> ---
>  gnu/local.mk                                  |  1 +
>  gnu/packages/imagemagick.scm                  |  3 ++-
>  .../patches/imagemagick-CVE-2020-27829.patch  | 23 +++++++++++++++++++
>  3 files changed, 26 insertions(+), 1 deletion(-)
>  create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch

Your patch looks good to me, but I've just posted an alternative patch

set to 'guix-devel' which should enable us to keep ImageMagick

up-to-date without grafting, and which fixes this security flaw and

more.

https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00538.html

It's not a big deal, but if you push your patch now, I would need to

rebase the patch set on top of it.

Mark

Léo Le Bouter wrote on 27 Mar 2021 14:30

Recipients:

Message-ID:cec7633f5fac61ebd29a6dd1e075b12e854aded8.camel@zaclys.net

On Sat, 2021-03-27 at 09:27 -0400, Mark H Weaver wrote:

Toggle quote (13 lines)> Your patch looks good to me, but I've just posted an alternative
> patch
> set to 'guix-devel' which should enable us to keep ImageMagick
> up-to-date without grafting, and which fixes this security flaw and
> more.
> 
>   https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00538.html
> 
> It's not a big deal, but if you push your patch now, I would need to
> rebase the patch set on top of it.
> 
>       Mark

Thank you, let's get your better patch in then close this.

Mark H Weaver wrote on 28 Mar 2021 01:15

Recipients:

Message-ID:87eeg0dtgc.fsf@netris.org

Léo Le Bouter <lle-bout@zaclys.net> writes:

Toggle quote (2 lines)

> Thank you, let's get your better patch in then close this.

I've now pushed those patches to 'master'.  CVE-2020-27829 is fixed in
commit bfc69d5e7c45eac865e231643b58396580afb231, so I'm closing this bug
now.

     Thanks!
       Mark

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 47418@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 47418

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date