Bug 1757779 (CVE-2019-14980)

Summary: CVE-2019-14980 ImageMagick: use-after-free in magick/blob.c resulting in a denial of service
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: fedora, jhorak, mike, pahan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ImageMagick 6.9.10-42, ImageMagick 7.0.8-42 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-31 22:35:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1763761, 1764360    
Bug Blocks: 1757780    

Description Guilherme de Almeida Suckevicz 2019-10-02 12:43:08 UTC 
In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.

References:
https://github.com/ImageMagick/ImageMagick/commit/c5d012a46ae22be9444326aa37969a3f75daa3ba
https://github.com/ImageMagick/ImageMagick/compare/7.0.8-41...7.0.8-42
https://github.com/ImageMagick/ImageMagick6/commit/614a257295bdcdeda347086761062ac7658b6830
https://github.com/ImageMagick/ImageMagick6/issues/43
Comment 1 Guilherme de Almeida Suckevicz 2019-10-21 14:38:16 UTC 
Created ImageMagick tracking bugs for this issue:

Affects: fedora-all [bug 1763761]
Comment 3 Marco Benatto 2019-10-23 15:31:59 UTC 
Upstream commit for this issue:
https://github.com/ImageMagick/ImageMagick6/commit/614a257295bdcdeda347086761062ac7658b6830
Comment 5 Marco Benatto 2019-10-28 14:35:27 UTC 
There's an issue in ImageMagick versions before before 6.9.10-42. The DetachBlob() function is responsible for clean out blob_info structure, one if its steps is to unmap from memory any file related to blob's data using UnmapBlob() function. The UnamapBlob() will further call munmap() causing the region mapped into blob_info->data to be removed from process's address space, after the unmapping DetachBlob() doesn't set data pointer to NULL and returns it pointing to the old address. An attacker may leverage this both via a crafted file or API by triggering a User-after-free issue, leading to DoS, memory corruption or heap's data leak.
Comment 6 Michael Cronenworth 2019-10-28 14:44:49 UTC 
Please update your script to check the Fedora version prior to opening a bug.

Fedora ships 6.9.10-67 and was pushed October 4th. Prior to that Fedora had 6.9.10-65 that was shipped September 21st.
Comment 7 errata-xmlrpc 2020-03-31 19:32:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1180 https://access.redhat.com/errata/RHSA-2020:1180
Comment 8 Product Security DevOps Team 2020-03-31 22:35:31 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14980