GNU bug report logs - #47418
imagemagick is vulnerable to CVE-2020-27829


Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Fri, 26 Mar 2021 19:53:02 UTC

Severity: normal

Tags: security

Done: Mark H Weaver <mhw <at> netris.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#47418; Package guix. (Fri, 26 Mar 2021 19:53:02 GMT)

Acknowledgement sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 26 Mar 2021 19:53:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Subject: imagemagick is vulnerable to CVE-2020-27829
Date: Fri, 26 Mar 2021 20:52:15 +0100
CVE-2020-27829	18:15
A heap based buffer overflow in coders/tiff.c may result in program
crash and denial of service in ImageMagick before 7.0.10-45.

Upstream patch available at 
https://github.com/ImageMagick/ImageMagick/commit/6ee5059cd3ac8d82714a1ab1321399b88539abf0

Not yet backported to the 6.x series, but it applies more or less cleanly
(besides the ChangeLog file).

A patch will follow, please review!

Thank you

Information forwarded to bug-guix <at> gnu.org:
bug#47418; Package guix. (Fri, 26 Mar 2021 19:55:02 GMT)

Message #8 received at 47418 <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: 47418 <at> debbugs.gnu.org
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: [PATCH] gnu: imagemagick: Fix CVE-2020-27829.
Date: Fri, 26 Mar 2021 20:53:42 +0100
* gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/imagemagick.scm (imagemagick/fixed): Apply patch to existing
graft.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/imagemagick.scm                  |  3 ++-
 .../patches/imagemagick-CVE-2020-27829.patch  | 23 +++++++++++++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 40956598db..fe70238345 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1220,6 +1220,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/id3lib-UTF16-writing-bug.patch			\
   %D%/packages/patches/idris-disable-test.patch			\
   %D%/packages/patches/ilmbase-fix-tests.patch			\
+  %D%/packages/patches/imagemagick-CVE-2020-27829.patch	\
   %D%/packages/patches/inetutils-hurd.patch			\
   %D%/packages/patches/inkscape-poppler-0.76.patch		\
   %D%/packages/patches/intel-xed-fix-nondeterminism.patch	\
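Review bot: the continuation backslash on the new `imagemagick-CVE-2020-27829.patch` line is padded with a single tab, whereas the neighbouring entries are padded so their backslashes sit in one column; match the surrounding alignment. Placement is correct, alphabetically between `ilmbase-fix-tests.patch` and `inetutils-hurd.patch`.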
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index a3562f2e13..1618a28596 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -143,7 +143,8 @@ text, lines, polygons, ellipses and Bézier curves.")
                                   "6.9.12-2.tar.xz"))
               (sha256
                (base32
-                "17da5zihz58qm41y61sbvw626m5xfwr2nzszlikrvxyq1j1q7asa"))))
+                "17da5zihz58qm41y61sbvw626m5xfwr2nzszlikrvxyq1j1q7asa"))
+              (patches (search-patches "imagemagick-CVE-2020-27829.patch"))))
     (arguments
      (substitute-keyword-arguments (package-arguments imagemagick)
        ((#:phases phases)
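Review bot: attaching `patches` to the origin of `imagemagick/fixed` is the right place for a graft fix, and the `sha256` correctly stays unchanged because patches are applied after the tarball is verified; one documentation point: nothing in this hunk records which CVE the graft now covers, so a short comment next to the `patches` field naming CVE-2020-27829 would help whoever later decides whether the graft can be dropped after a version upgrade.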
diff --git a/gnu/packages/patches/imagemagick-CVE-2020-27829.patch b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch
new file mode 100644
index 0000000000..74debdc98e
--- /dev/null
+++ b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch
@@ -0,0 +1,23 @@
+From 6ee5059cd3ac8d82714a1ab1321399b88539abf0 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior <at> imagemagick.org>
+Date: Mon, 30 Nov 2020 16:27:26 +0000
+Subject: [PATCH] possible TIFF related-heap buffer overflow (alert & POC by
+ Hardik Shah)
+
+---
+ coders/tiff.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletion(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index e98f927abd..1eecf17aea 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1975,7 +1975,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         extent+=image->columns*sizeof(uint32);
+ #endif
+         strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+-          sizeof(*strip_pixels));
++          2*sizeof(*strip_pixels));
+         if (strip_pixels == (unsigned char *) NULL)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+         (void) memset(strip_pixels,0,extent*sizeof(*strip_pixels));
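Review bot: the embedded upstream commit was written against the 7.x tree (its hunk header is `@@ -1975,7 +1975,7 @@ static Image *ReadTIFFImage(...)` in `coders/tiff.c`) while the graft is 6.9.12-2, and the cover message says it applies only "more or less cleanly" once the ChangeLog part is dropped; please add a short header comment to the patch file giving the upstream commit URL and stating that the ChangeLog hunk was removed, and confirm the build applies it without fuzz. Also worth a line in that comment: the change doubles the allocation to `2*sizeof(*strip_pixels)` while the `memset` that follows still clears `extent*sizeof(*strip_pixels)` bytes; that asymmetry is upstream's chosen mitigation and should be carried unchanged rather than "corrected" during a later rebase.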
-- 
2.31.0





Added tag(s) security. Request was from Léo Le Bouter <lle-bout <at> zaclys.net> to control <at> debbugs.gnu.org. (Fri, 26 Mar 2021 20:56:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#47418; Package guix. (Fri, 26 Mar 2021 23:13:02 GMT)

Message #13 received at 47418 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: Léo Le Bouter <lle-bout <at> zaclys.net>, 
 47418 <at> debbugs.gnu.org
Subject: Re: bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829.
Date: Sat, 27 Mar 2021 00:12:11 +0100
This patch seems about right to me.  However,

$ guix lint -c cve imagemagick
gnu/packages/imagemagick.scm:132:2: imagemagick <at> 6.9.12-2g: probably vulnerable to
CVE-2021-20176, CVE-2021-20243, CVE-2021-20244, CVE-2020-25663, CVE-2020-25665,
CVE-2020-25666, CVE-2020-25667, CVE-2020-25674, CVE-2020-25675, CVE-2020-25676,
CVE-2020-27750, CVE-2020-27751, CVE-2020-27752, CVE-2020-27753, CVE-2020-27755,
CVE-2020-27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759, CVE-2020-27760,
CVE-2020-27761, CVE-2020-27762, CVE-2020-27763, CVE-2020-27765, CVE-2020-27766,
CVE-2020-27767, CVE-2020-27768, CVE-2020-27770, CVE-2020-27771, CVE-2020-27772,
CVE-2020-27773, CVE-2020-27774, CVE-2020-27775, CVE-2020-27776, CVE-2019-10131,
CVE-2019-10714, CVE-2019-13133, CVE-2019-13134, CVE-2019-13135, CVE-2019-13136,
CVE-2019-13137, CVE-2019-17540, CVE-2019-17541, CVE-2019-17547, CVE-2019-18853,
CVE-2019-7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397, CVE-2019-7398,
CVE-2018-16323, CVE-2018-16328, CVE-2018-16329, CVE-2018-16749, CVE-2018-16750,
CVE-2018-20467, CVE-2018-6405

Did we forget some bugs & patches, or is "guix lint" incorrect here?

Greetings,
Maxime

Information forwarded to bug-guix <at> gnu.org:
bug#47418; Package guix. (Fri, 26 Mar 2021 23:17:02 GMT)

Message #16 received at 47418 <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: Maxime Devos <maximedevos <at> telenet.be>, 47418 <at> debbugs.gnu.org
Subject: Re: bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829.
Date: Sat, 27 Mar 2021 00:16:18 +0100
On Sat, 2021-03-27 at 00:12 +0100, Maxime Devos wrote:
> This patch seems about right to me.  However,
> 
> $ guix lint -c cve imagemagick
> gnu/packages/imagemagick.scm:132:2: imagemagick <at> 6.9.12-2g: probably vulnerable to
> CVE-2021-20176, CVE-2021-20243, CVE-2021-20244, CVE-2020-25663, CVE-2020-25665,
> CVE-2020-25666, CVE-2020-25667, CVE-2020-25674, CVE-2020-25675, CVE-2020-25676,
> CVE-2020-27750, CVE-2020-27751, CVE-2020-27752, CVE-2020-27753, CVE-2020-27755,
> CVE-2020-27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759, CVE-2020-27760,
> CVE-2020-27761, CVE-2020-27762, CVE-2020-27763, CVE-2020-27765, CVE-2020-27766,
> CVE-2020-27767, CVE-2020-27768, CVE-2020-27770, CVE-2020-27771, CVE-2020-27772,
> CVE-2020-27773, CVE-2020-27774, CVE-2020-27775, CVE-2020-27776, CVE-2019-10131,
> CVE-2019-10714, CVE-2019-13133, CVE-2019-13134, CVE-2019-13135, CVE-2019-13136,
> CVE-2019-13137, CVE-2019-17540, CVE-2019-17541, CVE-2019-17547, CVE-2019-18853,
> CVE-2019-7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397, CVE-2019-7398,
> CVE-2018-16323, CVE-2018-16328, CVE-2018-16329, CVE-2018-16749, CVE-2018-16750,
> CVE-2018-20467, CVE-2018-6405
> 
> Did we forget some bugs & patches, or is "guix lint" incorrect here?
> 
> Greetings,
> Maxime

To me, ImageMagick has been lagging behind for a long while and we need to
upgrade to the latest version ASAP. Unfortunately we don't seem to be
able to do that since it has lots of dependents, and backporting each
and every one of these patches is just impossible; also, there's way more in
the commit history without security labeling like CVE.

I don't want to deal with backporting things for ImageMagick to catch
up with the previous security fixes that no one cared to apply in due
time earlier. It's just too much.

Information forwarded to bug-guix <at> gnu.org:
bug#47418; Package guix. (Sat, 27 Mar 2021 13:30:03 GMT)

Message #19 received at 47418 <at> debbugs.gnu.org (full text, mbox):

From: Mark H Weaver <mhw <at> netris.org>
To: 47418 <at> debbugs.gnu.org
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: Re: bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829.
Date: Sat, 27 Mar 2021 09:27:54 -0400
Léo Le Bouter via Bug reports for GNU Guix <bug-guix <at> gnu.org> writes:

> * gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New patch.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/imagemagick.scm (imagemagick/fixed): Apply patch to existing
> graft.
> ---
>  gnu/local.mk                                  |  1 +
>  gnu/packages/imagemagick.scm                  |  3 ++-
>  .../patches/imagemagick-CVE-2020-27829.patch  | 23 +++++++++++++++++++
>  3 files changed, 26 insertions(+), 1 deletion(-)
>  create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch

Your patch looks good to me, but I've just posted an alternative patch
set to 'guix-devel' which should enable us to keep ImageMagick
up-to-date without grafting, and which fixes this security flaw and
more.

  https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00538.html

It's not a big deal, but if you push your patch now, I would need to
rebase the patch set on top of it.

      Mark




Information forwarded to bug-guix <at> gnu.org:
bug#47418; Package guix. (Sat, 27 Mar 2021 13:32:02 GMT)

Message #22 received at 47418 <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: Mark H Weaver <mhw <at> netris.org>, 47418 <at> debbugs.gnu.org
Subject: Re: bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829.
Date: Sat, 27 Mar 2021 14:30:53 +0100
On Sat, 2021-03-27 at 09:27 -0400, Mark H Weaver wrote:
> Your patch looks good to me, but I've just posted an alternative
> patch
> set to 'guix-devel' which should enable us to keep ImageMagick
> up-to-date without grafting, and which fixes this security flaw and
> more.
> 
>   https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00538.html
> 
> It's not a big deal, but if you push your patch now, I would need to
> rebase the patch set on top of it.
> 
>       Mark

Thank you, let's get your better patch in then close this.

Reply sent to Mark H Weaver <mhw <at> netris.org>:
You have taken responsibility. (Sun, 28 Mar 2021 00:17:02 GMT)

Notification sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
bug acknowledged by developer. (Sun, 28 Mar 2021 00:17:02 GMT)

Message #27 received at 47418-done <at> debbugs.gnu.org (full text, mbox):

From: Mark H Weaver <mhw <at> netris.org>
To: Léo Le Bouter <lle-bout <at> zaclys.net>,
 47418-done <at> debbugs.gnu.org
Subject: Re: bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829.
Date: Sat, 27 Mar 2021 20:15:04 -0400
Léo Le Bouter <lle-bout <at> zaclys.net> writes:
> Thank you, let's get your better patch in then close this.

I've now pushed those patches to 'master'.  CVE-2020-27829 is fixed in
commit bfc69d5e7c45eac865e231643b58396580afb231, so I'm closing this bug
now.

     Thanks!
       Mark




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 25 Apr 2021 11:24:04 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.