Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 721328 (CVE-2020-12672) - <media-gfx/graphicsmagick-1.3.35-r1: Multiple vulnerabilities (CVE-2020-12672)
Summary: <media-gfx/graphicsmagick-1.3.35-r1: Multiple vulnerabilities (CVE-2020-12672)
Status: RESOLVED FIXED
Alias: CVE-2020-12672
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-06 20:32 UTC by GLSAMaker/CVETool Bot
Modified: 2022-09-29 14:51 UTC (History)
1 user (show)

See Also:
Package list:
media-gfx/graphicsmagick-1.3.35-r1
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2020-05-06 20:32:21 UTC
CVE-2020-12672 (https://nvd.nist.gov/vuln/detail/CVE-2020-12672):
  GraphicsMagick through 1.3.35 has a heap-based buffer overflow in
  ReadMNGImage in coders/png.c.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-07 16:59:31 UTC
Patch for CVE-2020-12672: http://hg.code.sf.net/p/graphicsmagick/code/rev/50395430a371

Note that there are more issues (unrelated):
* http://hg.code.sf.net/p/graphicsmagick/code/rev/83b4d2b4b873

"Terminate reading when a pixel cache resource limit is hit rather than moving on to heap buffer overflow.  Fixes oss-fuzz 20045, 20318, 21956"

* http://hg.code.sf.net/p/graphicsmagick/code/rev/b0aa53a5f970

"Heap-buffer-overflow in ImportGrayQuantumType" and oss-fuzz, "Heap-buffer-overflow in InsertRow" which are both from the samecause.
Comment 2 Larry the Git Cow gentoo-dev 2020-06-17 01:29:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ba6698e39be1eeb5fb0c06a89e8dcf239b5a19f2

commit ba6698e39be1eeb5fb0c06a89e8dcf239b5a19f2
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-06-08 07:40:04 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-17 01:26:26 +0000

    media-gfx/graphicsmagick: Security bump
    
    Patches the following:
    
    - CVE-2020-12672
    * oss-fuzz
    ** 20045
    ** 20318
    ** 21956
    ** 23042
    
    Bug: https://bugs.gentoo.org/721328
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/16126
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../graphicsmagick-1.3.35-CVE-2020-12672.patch     |  67 ++++++++++
 ...smagick-1.3.35-oss-fuzz-20045-20318-21956.patch |  38 ++++++
 .../graphicsmagick-1.3.35-oss-fuzz-23042.patch     |  42 +++++++
 .../graphicsmagick/graphicsmagick-1.3.35-r1.ebuild | 135 +++++++++++++++++++++
 4 files changed, 282 insertions(+)
Comment 3 Rolf Eike Beer archtester 2020-06-18 06:49:04 UTC
sparc stable
Comment 4 Rolf Eike Beer archtester 2020-06-19 15:58:05 UTC
hppa stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-06-20 13:49:49 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-21 17:05:47 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-21 17:10:45 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-22 06:57:30 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 9 Larry the Git Cow gentoo-dev 2020-07-16 01:06:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d49866d88da06c77112cd72428cde187d5917c75

commit d49866d88da06c77112cd72428cde187d5917c75
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-16 00:25:06 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-16 01:01:31 +0000

    media-gfx/graphicsmagick: security cleanup
    
    Bug: https://bugs.gentoo.org/721328
    Package-Manager: Portage-2.3.99, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 .../graphicsmagick/graphicsmagick-1.3.35.ebuild    | 132 ---------------------
 1 file changed, 132 deletions(-)
Comment 10 NATTkA bot gentoo-dev 2021-02-02 23:52:59 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-04-01 20:13:12 UTC
Unable to check for sanity:

> no match for package: media-gfx/graphicsmagick-1.3.35-r1
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-28 23:17:28 UTC
GLSA request filed
Comment 13 Larry the Git Cow gentoo-dev 2022-09-29 14:48:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=fb22bd14741ad3acda080e6d1e9e232492931833

commit fb22bd14741ad3acda080e6d1e9e232492931833
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:22:18 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:48:00 +0000

    [ GLSA 202209-19 ] GraphicsMagick: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/721328
    Bug: https://bugs.gentoo.org/836283
    Bug: https://bugs.gentoo.org/873367
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-19.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-29 14:51:18 UTC
GLSA released, all done!