
Bug 852947 (CVE-2021-20224, CVE-2022-0284, CVE-2022-1115, CVE-2022-2719, CVE-2022-32545, CVE-2022-32546, CVE-2022-32547)

Summary: <media-gfx/imagemagick-{6.9.12.58,7.1.0.37}: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: minor
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 866431    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-18 19:11:55 UTC
CVE-2022-32545 (https://bugzilla.redhat.com/show_bug.cgi?id=2091811):
https://github.com/ImageMagick/ImageMagick/commit/9c9a84cec4ab28ee0b57c2b9266d6fbe68183512
https://github.com/ImageMagick/ImageMagick6/commit/450949ed017f009b399c937cf362f0058eacc5fa

A vulnerability was found in ImageMagick, causing a value outside the range of representable values of type 'unsigned char' at coders/psd.c, when crafted or untrusted input is processed. This leads to a negative impact on application availability or other problems related to undefined behavior.

CVE-2022-32546 (https://github.com/ImageMagick/ImageMagick/commit/f221ea0fa3171f0f4fdf74ac9d81b203b9534c23):
https://bugzilla.redhat.com/show_bug.cgi?id=2091812
https://github.com/ImageMagick/ImageMagick6/commit/29c8abce0da56b536542f76a9ddfebdaab5b2943

A vulnerability was found in ImageMagick, causing a value outside the range of representable values of type 'unsigned long' at coders/pcl.c, when crafted or untrusted input is processed. This leads to a negative impact on application availability or other problems related to undefined behavior.

CVE-2022-32547 (https://bugzilla.redhat.com/show_bug.cgi?id=2091813):
https://github.com/ImageMagick/ImageMagick6/commit/dc070da861a015d3c97488fdcca6063b44d47a7b
https://github.com/ImageMagick/ImageMagick/commit/eac8ce4d873f28bb6a46aa3a662fb196b49b95d0

In ImageMagick, there is a load of a misaligned address for type 'double', which requires 8-byte alignment, and for type 'float', which requires 4-byte alignment, at MagickCore/property.c. Whenever crafted or untrusted input is processed by ImageMagick, this causes a negative impact on application availability or other problems related to undefined behavior.

These seem to be fixed by 6.9.12-45 and 7.1.0-30, so please bump.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 22:55:51 UTC
CVE-2022-2719 (https://bugzilla.redhat.com/show_bug.cgi?id=2116537):

In ImageMagick, a crafted file could trigger an assertion failure when a call to WriteImages was made in MagickWand/operation.c, due to a NULL image list. This could potentially cause a denial of service. This was fixed in upstream ImageMagick version 7.1.0-30.

Patch: https://github.com/ImageMagick/ImageMagick/commit/716496e6df0add89e9679d6da9c0afca814cfe49

It's unclear to me whether 6.9 is affected.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-26 17:47:57 UTC
CVE-2021-20224:

An integer overflow issue was discovered in ImageMagick's ExportIndexQuantum() function in MagickCore/quantum-export.c. Function calls to GetPixelIndex() could result in values outside the range representable for 'unsigned char'. When ImageMagick processes a crafted PDF file, this could lead to undefined behaviour or a crash.

7.x patch: https://github.com/ImageMagick/ImageMagick/commit/5af1dffa4b6ab984b5f13d1e91c95760d75f12a6
6.x patch: https://github.com/ImageMagick/ImageMagick6/commit/553054c1cb1e4e05ec86237afef76a32cd7c464d

In >7.0.10.57 and >6.9.11.57
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-29 16:38:17 UTC
CVE-2022-0284:

A heap-based buffer over-read flaw was found in ImageMagick's GetPixelAlpha() function of 'pixel-accessor.h'. This vulnerability is triggered when an attacker passes a specially crafted Tagged Image File Format (TIFF) image to convert it into the PICON file format. This issue can potentially lead to a denial of service and information disclosure.

Issue: https://github.com/ImageMagick/ImageMagick/issues/4729
Patch: https://github.com/ImageMagick/ImageMagick/commit/e50f19fd73c792ebe912df8ab83aa51a243a3da7

Not sure if v6 is affected?

CVE-2022-1115:

A heap-buffer-overflow flaw was found in ImageMagick’s PushShortPixel() function of quantum-private.h file. This vulnerability is triggered when an attacker passes a specially crafted TIFF image file to ImageMagick for conversion, potentially leading to a denial of service.

Issue: https://github.com/ImageMagick/ImageMagick/issues/4974
Patches: https://github.com/ImageMagick/ImageMagick6/commit/1f860f52bd8d58737ad883072203391096b30b51
https://github.com/ImageMagick/ImageMagick/commit/c8718305f120293d8bf13724f12eed885d830b09
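Added example (not part of this bug or of ImageMagick): a small checker that takes the fixed upstream versions quoted in the comments above and reports which of the tracked CVEs a given ImageMagick build still lacks a fix for. It assumes that ">7.0.10.57 / >6.9.11.57" for CVE-2021-20224 means the next patch level onward, and it omits CVE-2022-0284 and CVE-2022-1115 because the bug gives only commits for them, not release versions.

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]

# First fixed upstream release per major branch, taken from the comments above.
# ">7.0.10.57 / >6.9.11.57" for CVE-2021-20224 is read here as "the next
# patch level onward" (an interpretation, not a statement made in the bug).
# CVE-2022-2719 has no 6.x verdict in the bug, so branch 6 is left out.
FIXED_IN: Dict[str, Dict[int, Version]] = {
    "CVE-2022-32545": {6: (6, 9, 12, 45), 7: (7, 1, 0, 30)},
    "CVE-2022-32546": {6: (6, 9, 12, 45), 7: (7, 1, 0, 30)},
    "CVE-2022-32547": {6: (6, 9, 12, 45), 7: (7, 1, 0, 30)},
    "CVE-2022-2719":  {7: (7, 1, 0, 30)},
    "CVE-2021-20224": {6: (6, 9, 11, 58), 7: (7, 0, 10, 58)},
}

# Accepts both the upstream form "6.9.12-45" (as printed by `convert -version`)
# and the Gentoo package form "6.9.12.45".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)[-.](\d+)")


def parse_version(text: str) -> Version:
    """Extract the first X.Y.Z-P / X.Y.Z.P version from a string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ImageMagick version found in {text!r}")
    return tuple(int(g) for g in m.groups())  # type: ignore[return-value]


def cve_status(version_text: str) -> Dict[str, str]:
    """Map each CVE tracked here to 'vulnerable', 'fixed' or 'unknown'."""
    ver = parse_version(version_text)
    result = {}
    for cve, branches in FIXED_IN.items():
        fixed = branches.get(ver[0])
        if fixed is None:
            result[cve] = "unknown"       # the bug gives no verdict for this branch
        elif ver < fixed:
            result[cve] = "vulnerable"
        else:
            result[cve] = "fixed"
    return result


if __name__ == "__main__":
    # Constructed sample of `convert -version` output, not taken from a real host.
    sample = "Version: ImageMagick 6.9.12-44 Q16 x86_64 2022-05-01"
    for cve, status in sorted(cve_status(sample).items()):
        print(f"{cve}: {status}")
```

Feed it the first line of `convert -version` or a Gentoo package atom such as imagemagick-7.1.0.37; an "unknown" result means the bug records no verdict for that branch, not that the build is safe.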
Comment 4 Larry the Git Cow gentoo-dev 2022-08-31 02:51:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=acd4cfe8e97a26fa5534a5468bfbdc4da4593362

commit acd4cfe8e97a26fa5534a5468bfbdc4da4593362
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-31 02:51:32 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-31 02:51:32 +0000

    media-gfx/imagemagick: drop 6.9.12.28, 6.9.12.58, 7.1.0.13, 7.1.0.43
    
    Bug: https://bugs.gentoo.org/852947
    Bug: https://bugs.gentoo.org/843833
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/imagemagick/Manifest                     |   4 -
 media-gfx/imagemagick/imagemagick-6.9.12.28.ebuild | 267 --------------------
 media-gfx/imagemagick/imagemagick-6.9.12.58.ebuild | 269 --------------------
 media-gfx/imagemagick/imagemagick-7.1.0.13.ebuild  | 274 --------------------
 media-gfx/imagemagick/imagemagick-7.1.0.43.ebuild  | 278 ---------------------
 5 files changed, 1092 deletions(-)
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2022-10-02 19:34:32 UTC
Nothing to do for me/us here anymore