Bug 1708570 (CVE-2019-11037)

Summary: CVE-2019-11037 php-imagick: out-of-bounds write to memory in ImagickKernel::fromMatrix() leading to possible crash and DoS
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahardin, bleanhar, ccoleman, dedgar, eparis, fedora, jgoulding, jokerman, mchappel, pahan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php-imagick 3.4.4RC1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:55:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1708571    
Bug Blocks: 1708572    

Description Marian Rehak 2019-05-10 08:53:00 UTC 
An out-of-bounds write to memory has been found in PHP imagick extension versions between 3.3.0 - 3.4.4 in function ImagickKernel::fromMatrix() leading to possible crash and DoS.

Upstream bug:

https://bugs.php.net/bug.php?id=77791
Comment 1 Marian Rehak 2019-05-10 08:53:36 UTC 
Created php-pecl-imagick tracking bugs for this issue:

Affects: fedora-all [bug 1708571]
Comment 2 Sam Fowler 2019-05-12 23:44:23 UTC 
Upstream Patch:

https://github.com/mkoppanen/imagick/commit/7187b37250b87edb75160c7beda980f2fa308f5d
Comment 3 Sam Fowler 2019-05-12 23:55:20 UTC 
Introduced by:

https://github.com/mkoppanen/imagick/commit/a3cc177f8ed38937960e27765816e2f7a6de7391
Comment 4 Sam Fowler 2019-05-12 23:55:22 UTC 
Statement:

This vulnerability does not affect the php55-php-pecl-imagick package shipped in OpenShift Container Platform 3.4 as it does not contain the vulnerable code. The vulnerable source file, imagickkernel_class.c, was added to php-imagick in version 3.3.0. OpenShift Container Platform ships version 3.1.2 and does not contain this source file.