Bug 1891601 (CVE-2020-25663)

Summary: CVE-2020-25663 ImageMagick: use-after-free, heap-buffer-overflow triggered by GetPixelRed, GetPixelBlue in MagickCore/pixel-accessor.h
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: fedora, jhorak, mike, pahan, rhel8-maint, security-response-team, stransky
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ImageMagick 7.0.9-0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found during a call to ConformPixelInfo() in the SetImageAlphaChannel() routine of /MagickCore/channel.c. This issue causes a subsequent heap-use-after-free or heap-buffer-overflow READ when GetPixelRed() or GetPixelBlue()[1] is called. This flaw can occur when an attacker can submit a malicious image file to be processed by ImageMagick and could lead to a denial of service. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-24 23:33:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1901245, 1901246, 1910555    
Bug Blocks: 1891602    

Description Guilherme de Almeida Suckevicz 2020-10-26 19:31:41 UTC 
In ImageMagick, there is a heap-use-after-free at MagickCore/pixel-accessor.h:378:10 in GetPixelRed.

Reference:
https://github.com/ImageMagick/ImageMagick/issues/1723
Comment 1 Todd Cullum 2020-10-28 19:20:46 UTC 
Upstream patch: https://github.com/ImageMagick/ImageMagick/commit/a47e7a994766b92b10d4a87df8c1c890c8b170f3

Seems to be the same for https://github.com/ImageMagick/ImageMagick/issues/1723 which is the same issue but with GetPixelBlue.
Comment 2 Todd Cullum 2020-10-28 20:18:57 UTC 
Flaw summary:

A call to ConformPixelInfo() in the SetImageAlphaChannel() routine of /MagickCore/channel.c caused a subsequent heap-use-after-free or heap-buffer-overflow READ when GetPixelRed() or GetPixelBlue()[1] was called. This could occur if an attacker is able to submit a malicious image file to be processed by ImageMagick and could lead to denial of service. It likely would not lead to anything further because the memory is used as pixel data and not e.g. a function pointer.

1. https://github.com/ImageMagick/ImageMagick/issues/1723#issuecomment-718275153
Comment 3 Todd Cullum 2020-10-28 21:13:31 UTC 
Acknowledgments:

Name: Suhwan Song (Seoul National University)
Comment 4 Todd Cullum 2020-10-29 19:07:25 UTC 
Statement:

This flaw is out of support scope for Red Hat Enterprise Linux 5, 6, and 7. Inkscape is not affected because it no longer uses a bundled ImageMagick in Red Hat Enterprise Linux 8. For more information regarding support scopes, please see https://access.redhat.com/support/policy/updates/errata .
Comment 5 Todd Cullum 2020-10-29 22:19:34 UTC 
*** Bug 1891988 has been marked as a duplicate of this bug. ***
Comment 6 Guilherme de Almeida Suckevicz 2020-11-24 19:10:57 UTC 
Created ImageMagick tracking bugs for this issue:

Affects: epel-8 [bug 1901245]
Affects: fedora-all [bug 1901246]
Comment 7 Product Security DevOps Team 2020-11-24 23:33:52 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25663
Comment 9 RaTasha Tillery-Smith 2021-02-09 18:00:08 UTC 
External References:

1. https://github.com/ImageMagick/ImageMagick/issues/1723#issuecomment-718275153