imagemagick is vulnerable to CVE-2020-27829

  • Done
  • quality assurance status badge
Details
3 participants
  • Léo Le Bouter
  • Maxime Devos
  • Mark H Weaver
Owner
unassigned
Submitted by
Léo Le Bouter
Severity
normal

Debbugs page

L
L
Léo Le Bouter wrote on 26 Mar 2021 12:52
(address . bug-guix@gnu.org)
e3478c8a057c33edc40dff562106807e883cef99.camel@zaclys.net
CVE-2020-27829 18:15
A heap based buffer overflow in coders/tiff.c may result in program
crash and denial of service in ImageMagick before 7.0.10-45.

Upstream patch available at

Not yet backported to 6.x series but applies more or less cleanly
(besides ChangeLog file).

A patch will follow, please review!

Thank you
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBeO28ACgkQRaix6GvN
EKb10xAAqw1TG0xZ1Nb1mxN40Pc+xCx8oeSfy2mXltMhjIMMI4P7Mjt2mUFUYN37
rt5Eu+Xs0Kiz42fXEIzLiDdRxf+8Y8/jndL4CvrcRDh/g5ndgGCaJ7hDCvG1yozX
faKOki5/wDrqYZBvyukv3CGuMAnkGSw/BMlJyiTo8KZdUM7/rppI2NLDoDJqWG+1
O8v2e3Uu58fXsuvnDfPV9irpSKfsqCKYEE+TJegMWygCsRh4U3H1E8YV5679O4EW
vN3VT+RN6RqwU5JzO/N8Za0kz586GV6Un8OIwegj29K2Bufbsvmz6nThYI9xYpCv
t/DXmZwmRpeSwik1AmZ1cK9PrDQinRPQaZgQddG3C+6sYFvTmww7fnK93/Xe0dUz
oOf9RUCKzCvb9DR11Ver3I3wCyOyg0vPVgn22F5h0sUCxOu/69RcSbWrJ9/cuSv+
NtP0B1Hq/F8GWZ6HdlzaJmcNibpN4VDrkbi6/w8x5JH7SHy59QDs29BewUsyTZ//
5qB9j05T4eY+z4Qm3zVr3k41eTqYIa9PVNhdHBO/eQOr7SJzyOfqCYCWuqIvovQy
cgUK4tGCK97ivjPW06pwQBCtsIv1IjtK1ubwP4BRaWAaXa/Fg6QZsqb20fWBhZdh
x0wSIzkLy4ZyGRz6aiyGPEN/xfqj2MYSIgKG2wQlso4znJeeW08=
=YrvZ
-----END PGP SIGNATURE-----


L
L
Léo Le Bouter wrote on 26 Mar 2021 12:53
[PATCH] gnu: imagemagick: Fix CVE-2020-27829.
(address . 47418@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210326195342.14152-1-lle-bout@zaclys.net
* gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/imagemagick.scm (imagemagick/fixed): Apply patch to existing
graft.
---
gnu/local.mk | 1 +
gnu/packages/imagemagick.scm | 3 ++-
.../patches/imagemagick-CVE-2020-27829.patch | 23 +++++++++++++++++++
3 files changed, 26 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch

Toggle diff (57 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 40956598db..fe70238345 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1220,6 +1220,7 @@ dist_patch_DATA = \
%D%/packages/patches/id3lib-UTF16-writing-bug.patch \
%D%/packages/patches/idris-disable-test.patch \
%D%/packages/patches/ilmbase-fix-tests.patch \
+ %D%/packages/patches/imagemagick-CVE-2020-27829.patch \
%D%/packages/patches/inetutils-hurd.patch \
%D%/packages/patches/inkscape-poppler-0.76.patch \
%D%/packages/patches/intel-xed-fix-nondeterminism.patch \
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index a3562f2e13..1618a28596 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -143,7 +143,8 @@ text, lines, polygons, ellipses and Bézier curves.")
"6.9.12-2.tar.xz"))
(sha256
(base32
- "17da5zihz58qm41y61sbvw626m5xfwr2nzszlikrvxyq1j1q7asa"))))
+ "17da5zihz58qm41y61sbvw626m5xfwr2nzszlikrvxyq1j1q7asa"))
+ (patches (search-patches "imagemagick-CVE-2020-27829.patch"))))
(arguments
(substitute-keyword-arguments (package-arguments imagemagick)
((#:phases phases)
diff --git a/gnu/packages/patches/imagemagick-CVE-2020-27829.patch b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch
new file mode 100644
index 0000000000..74debdc98e
--- /dev/null
+++ b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch
@@ -0,0 +1,23 @@
+From 6ee5059cd3ac8d82714a1ab1321399b88539abf0 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 30 Nov 2020 16:27:26 +0000
+Subject: [PATCH] possible TIFF related-heap buffer overflow (alert & POC by
+ Hardik Shah)
+
+---
+ coders/tiff.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletion(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index e98f927abd..1eecf17aea 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1975,7 +1975,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+ extent+=image->columns*sizeof(uint32);
+ #endif
+ strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+- sizeof(*strip_pixels));
++ 2*sizeof(*strip_pixels));
+ if (strip_pixels == (unsigned char *) NULL)
+ ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+ (void) memset(strip_pixels,0,extent*sizeof(*strip_pixels));
--
2.31.0
L
L
Léo Le Bouter wrote on 26 Mar 2021 13:55
(address . control@debbugs.gnu.org)
01f74998636bf9665438b9ebd021cb89bf7dbd29.camel@zaclys.net
tags 47418 + security
quit
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBeSkkACgkQRaix6GvN
EKZtrA/+LsmaoIBUBfkL7EPZ5N8Eee2MbyQaAMkBIDdpdmjMbrpIz7xAfhx/PLs3
dbIxuf1n0v2a2fV+dqT19GGmFg2dOE+jQ+dJkNM6xRduR4c55VcUGfmKMrxVCJfY
F6EY168w70P/zzO6gtoouxJxway7Q1IwFL/79lAyGrVFziWKp28ChGNNkp3LQQ9G
r9+72H9hEE3iWiPMgRXsmnoV01Fvus95EBRR5h5cXYxu0UT6NdvIk68bciwNVwiR
3V3aLyzyGQ/HABOFLhSf3q4bQYMVDMQ1k/VQfc3WKeFIP5j+3Xpu4l1IrnLR1l78
8ByTw/dd1pDU+1tjqqvxtUyGVzc9YB2C8E6mqgpHJanxsyf7Ye5CpvmvxhkZXPY3
MNmFt2VtmJwOHfz55TYei0a3nS84TQO/fP96PXIVdviEcKRUnlMLdpz3KskhsBo8
e5VNqTELR4H6qSr5EyXXxho+rGOlt+/dpBMunKxi1xshMCrSFlNar23Nuzk+EUDN
owqWrtoABnLarNN9b+6xyBztJDJU1zIbUtsJbn+hzWnMK4MYavWJ2QEWqAEG1p/a
wnlW1JRMJu30FsE27cqqhYM4wyRhgzmSaNFrPwjwPk0GkkU3JgOe5YJ6XA0z6zAq
X2uAwADMQzL0rITioCh+mmU3Qw0xpm0x+LznebFuR79EBr9nkW0=
=hVUt
-----END PGP SIGNATURE-----


M
M
Maxime Devos wrote on 26 Mar 2021 16:12
095ec340cf07cbb96d5dc7f53ca4b47b8ec1525d.camel@telenet.be
This patch seems about right to me. However,

$ guix lint -c cve imagemagick
gnu/packages/imagemagick.scm:132:2: imagemagick@6.9.12-2g: probably vulnerable to CVE-2021-20176, CVE-2021-20243, CVE-2021-20244, CVE-
2020-25663, CVE-2020-25665, CVE-2020-25666, CVE-2020-25667, CVE-2020-25674, CVE-2020-25675, CVE-2020-25676, CVE-2020-27750, CVE-2020-
27751, CVE-2020-27752, CVE-2020-27753, CVE-2020-27755, CVE-2020-27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759, CVE-2020-27760,
CVE-2020-27761, CVE-2020-27762, CVE-2020-27763, CVE-2020-27765, CVE-2020-27766, CVE-2020-27767, CVE-2020-27768, CVE-2020-27770, CVE-2020-
27771, CVE-2020-27772, CVE-2020-27773, CVE-2020-27774, CVE-2020-27775, CVE-2020-27776, CVE-2019-10131, CVE-2019-10714, CVE-2019-13133,
CVE-2019-13134, CVE-2019-13135, CVE-2019-13136, CVE-2019-13137, CVE-2019-17540, CVE-2019-17541, CVE-2019-17547, CVE-2019-18853, CVE-2019-
7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397, CVE-2019-7398, CVE-2018-16323, CVE-2018-16328, CVE-2018-16329, CVE-2018-16749, CVE-
2018-16750, CVE-2018-20467, CVE-2018-6405

Did we forget some bugs & patches, or is "guix lint" incorrect here?

Greetings,
Maxime
-----BEGIN PGP SIGNATURE-----

iI0EABYIADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYF5qTBccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7njXAQDE7+/CYLDv/Mht1W2jEGrRV4nW
hL9s3DKB37bqfzApPQEArRh+HvmA9vjFe2+9X1e2f1ogUIrLvProBOD16d7pBQQ=
=Jts5
-----END PGP SIGNATURE-----


L
L
Léo Le Bouter wrote on 26 Mar 2021 16:16
4023b12d389fe22b89f593e4d36e716b6f9b001e.camel@zaclys.net
On Sat, 2021-03-27 at 00:12 +0100, Maxime Devos wrote:
Toggle quote (26 lines)
> This patch seems about right to me. However,
>
> $ guix lint -c cve imagemagick
> gnu/packages/imagemagick.scm:132:2: imagemagick@6.9.12-2g: probably
> vulnerable to CVE-2021-20176, CVE-2021-20243, CVE-2021-20244, CVE-
> 2020-25663, CVE-2020-25665, CVE-2020-25666, CVE-2020-25667, CVE-2020-
> 25674, CVE-2020-25675, CVE-2020-25676, CVE-2020-27750, CVE-2020-
> 27751, CVE-2020-27752, CVE-2020-27753, CVE-2020-27755, CVE-2020-
> 27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759, CVE-2020-
> 27760,
> CVE-2020-27761, CVE-2020-27762, CVE-2020-27763, CVE-2020-27765, CVE-
> 2020-27766, CVE-2020-27767, CVE-2020-27768, CVE-2020-27770, CVE-2020-
> 27771, CVE-2020-27772, CVE-2020-27773, CVE-2020-27774, CVE-2020-
> 27775, CVE-2020-27776, CVE-2019-10131, CVE-2019-10714, CVE-2019-
> 13133,
> CVE-2019-13134, CVE-2019-13135, CVE-2019-13136, CVE-2019-13137, CVE-
> 2019-17540, CVE-2019-17541, CVE-2019-17547, CVE-2019-18853, CVE-2019-
> 7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397, CVE-2019-7398,
> CVE-2018-16323, CVE-2018-16328, CVE-2018-16329, CVE-2018-16749, CVE-
> 2018-16750, CVE-2018-20467, CVE-2018-6405
>
> Did we forget some bugs & patches, or is "guix lint" incorrect here?
>
> Greetings,
> Maxime

To me, ImageMagick is lagging behind since a long while and we need to
upgrade to the latest version ASAP. Unfortunately we don't seem to be
able to do that since it has lots of dependents and backporting each
and every of these patches is just impossible, also there's way more in
the commit history without security labeling like CVE.

I don't want to deal with backporting things for ImageMagick to catch
up with the previous security fixes that no one cared to apply in due
time earlier. It's just too much.
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBea0IACgkQRaix6GvN
EKYR8A//TgmbO911vbZQx2hEcDxwxWjSHRIbd8Ororfnm8q5CTbqdS857ArH7/CJ
MEu1tOvkgKIzbwZpSrexUaXfEh4f2xLUbDE84r8isowPMbhHiQTEfh5bsOyJnIci
rd6kZyDkq7kQiaiyvAX6n9QV3dgtML6jPyDgX+/eiOpO063dKSpTtzhLg7o5baZr
AJ/+6hzb0wr5x3+OiCjGCxSmar47Ev2Pszs9JsTkObJXYw7FDQe+IaZce8o/CYTh
9sN9KFUPh05xCO5197dzs8fGV19ejzAQBqPD1S0TGSAJefxIlGOYqvTL060WvQ/l
RhZ8t5fjuXK7/ivLZ34ZxS4SgqFGgsS2x8mbCTb1ust824W/MdO2WXJazAdJJ9Ef
7On6N5JjeQAUum2vtp9lhm0mnBJTSUrXOAIQI0mrqbtCJnv2aVn0MyJOBXITi3/q
QEoHB+Z9UzeSCgYb8+hn2G5sTaqyAa6melopKFTqL6uI8YUM0xAY/rYuzrx9/4z5
NBZgVa3T6jsGNEEsfy6tct6UdgKLvjUc+2mSBjdtO7glxuU8pY8lo+8hNMTyZlNQ
ZlvJ6Rrcv+APrH1QFDkTzKAF6Ex4SI9Qq3GGqoOXGObVnkQwwb585p1QiIQQdpkD
SrNrOCFa+ZJ8QLUhEzIiYNQ5c12qfBhQBDMieZ+40JRq4X/hGHo=
=Detg
-----END PGP SIGNATURE-----


M
M
Mark H Weaver wrote on 27 Mar 2021 06:27
(address . 47418@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
875z1czpxm.fsf@netris.org
Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

Toggle quote (11 lines)
> * gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New patch.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/imagemagick.scm (imagemagick/fixed): Apply patch to existing
> graft.
> ---
> gnu/local.mk | 1 +
> gnu/packages/imagemagick.scm | 3 ++-
> .../patches/imagemagick-CVE-2020-27829.patch | 23 +++++++++++++++++++
> 3 files changed, 26 insertions(+), 1 deletion(-)
> create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch

Your patch looks good to me, but I've just posted an alternative patch
set to 'guix-devel' which should enable us to keep ImageMagick
up-to-date without grafting, and which fixes this security flaw and
more.


It's not a big deal, but if you push your patch now, I would need to
rebase the patch set on top of it.

Mark
L
L
Léo Le Bouter wrote on 27 Mar 2021 06:30
cec7633f5fac61ebd29a6dd1e075b12e854aded8.camel@zaclys.net
On Sat, 2021-03-27 at 09:27 -0400, Mark H Weaver wrote:
Toggle quote (13 lines)
> Your patch looks good to me, but I've just posted an alternative
> patch
> set to 'guix-devel' which should enable us to keep ImageMagick
> up-to-date without grafting, and which fixes this security flaw and
> more.
>
> https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00538.html
>
> It's not a big deal, but if you push your patch now, I would need to
> rebase the patch set on top of it.
>
> Mark

Thank you, let's get your better patch in then close this.
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBfM40ACgkQRaix6GvN
EKZD3xAAteBJmhqQzJZfoeTqFWkEahJhUtBWY2BgACAQeDhHXPlGKBv9EwNNDT4J
eaj3G64ZfuoMBynU/sxa/Djr0WEw9ojSxmaWU4ykorFxAuYC/T3RYwyACayFKo3o
qiIaOEzKDoxFKazss4BMJsIffrR8obQWBRlWhFnvVe8+xUCNUgJCxIfeCiGBYpNL
w6LXigrm8M3bZVPodNG3pwnzTB9sc2N2+T9AMMx7TtMZnm8LqGod3mrJKY7LwLK2
R84xpV0O6STXm0ixDtbArXa1SYBz4AtRPzULvyns7eQ/q4owVhHfh4XyTUmgjWnk
ipiD0mHSE9jq1hwSy4f5EeX5fEXmQ84wNHPsPoiIzuPxqxmh5OGXEg4muqEGJl0+
AQI/rj+krsOryKcSw52B38Qs0jYd61KdJ0Onpdiah3UjA64yJAEo6bUZqYCB52Nz
axGNeL+sHRjKAER8VhfqbPvbb4x0LTpwhGvVWMzUgyYUQrYoahXNeE1lcPPAU7ed
enHUf6XO+pls9ukbln+CayhPmlGKW5etWgw9/RtDSthouERtWDJZlLT2UvTlv6qg
odgnj1R32rQalpE6OESQnLlc4myfJcvQFVzxQInimmNvBGg5srLgz5ZHRlS5lx20
pDF9KebU5YqzsfpI+XX3ZcrQNTXsxQjZwuY2w1jLMJUld8DWNCA=
=zpLq
-----END PGP SIGNATURE-----


M
M
Mark H Weaver wrote on 27 Mar 2021 17:15
87eeg0dtgc.fsf@netris.org
Léo Le Bouter <lle-bout@zaclys.net> writes:
Toggle quote (2 lines)
> Thank you, let's get your better patch in then close this.

I've now pushed those patches to 'master'. CVE-2020-27829 is fixed in
commit bfc69d5e7c45eac865e231643b58396580afb231, so I'm closing this bug
now.

Thanks!
Mark
Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 47418@patchwise.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 47418
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch