1203212 – (CVE-2021-3574) VUL-1: CVE-2021-3574: ImageMagick: memory leaks with convert command

Bug 1203212 (CVE-2021-3574) - VUL-1: CVE-2021-3574: ImageMagick: memory leaks with convert command

Summary: VUL-1: CVE-2021-3574: ImageMagick: memory leaks with convert command

Status:	RESOLVED FIXED

Alias:	CVE-2021-3574

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/340942/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-3574:3.3:(AV:L...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2022-09-07 12:31 UTC by Carlos López
Modified:	2024-07-08 13:54 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Carlos López 2022-09-07 12:31:09 UTC

rh#2124540

A vulnerability was found in ImageMagick-7.0.11-5, where executing a crafted file with the convert command, ASAN detects memory leaks.

https://github.com/ImageMagick/ImageMagick6/commit/cd7f9fb7751b0d59d5a74b12d971155caad5a792
https://github.com/ImageMagick/ImageMagick/commit/c6ad94fbb7b280f39c2fbbdc1c140e51b1b466e9
https://github.com/ImageMagick/ImageMagick/issues/3540

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2124540
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3574
https://www.cve.org/CVERecord?id=CVE-2021-3574
https://github.com/ImageMagick/ImageMagick6/commit/cd7f9fb7751b0d59d5a74b12d971155caad5a792
https://github.com/ImageMagick/ImageMagick/commit/c6ad94fbb7b280f39c2fbbdc1c140e51b1b466e9
https://github.com/ImageMagick/ImageMagick/issues/3540

Comment 1 Carlos López 2022-09-07 12:33:17 UTC

This is barely a security issue by the looks of it. Anyhow, the patch could be backported to:
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP2:Update

Unsure about SUSE:SLE-11:Update and SUSE:SLE-12:Update, since there is no longer an available reproducer.

Already fixed in SUSE:SLE-15-SP4:Update and Factory.

Comment 2 Petr Gajdos 2022-09-08 10:21:07 UTC

In my opinion, we are not affected by this CVE at all. The check leading to interrupt of the function on the wrong place is not there at all. Yeah, we can add the check, but I agree with adding it only in 15 (ImageMagick 7).

Comment 3 Carlos López 2022-09-08 10:43:29 UTC

(In reply to Petr Gajdos from comment #2)
> In my opinion, we are not affected by this CVE at all. The check leading to
> interrupt of the function on the wrong place is not there at all. Yeah, we
> can add the check, but I agree with adding it only in 15 (ImageMagick 7).

Makes sense

Comment 4 Petr Gajdos 2022-09-08 10:50:58 UTC

Packages submitted for 15sp2,15/ImageMagick.

I believe all fixed.

Comment 6 Swamp Workflow Management 2022-10-07 22:20:17 UTC

SUSE-SU-2022:3552-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1203212
CVE References: CVE-2021-3574
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    ImageMagick-7.0.7.34-150200.10.39.1
openSUSE Leap 15.3 (src):    ImageMagick-7.0.7.34-150200.10.39.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    ImageMagick-7.0.7.34-150200.10.39.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    ImageMagick-7.0.7.34-150200.10.39.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 13 Andrea Mattiazzo 2024-07-08 13:54:58 UTC

All done, closing.