Re: dla-needed/imagemagick entry

2019-05-12 Thread Hugo Lefeuvre
Hi Markus,

> I'm fine with uploading tomorrow. Just send me your debdiff and I will
> incorporate your changes.

You can find the debdiff for CVE-2019-9956, CVE-2019-11598, CVE-2019-11597
and CVE-2019-10650 in attachement, along with appropriate DLA text entries.

I briefly thought of adding fixes for other recent CVEs, but given the
pain it was to backport CVE-2019-11598 and CVE-2019-11597 (multiple issues
in the patches, required extensive testing), I though it would maybe be
better to avoid very large uploads and keep them for future DLAs.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru imagemagick-6.8.9.9/debian/changelog 
imagemagick-6.8.9.9/debian/changelog
--- imagemagick-6.8.9.9/debian/changelog2018-11-11 17:03:02.0 
+0100
+++ imagemagick-6.8.9.9/debian/changelog2019-05-05 13:46:47.0 
+0200
@@ -1,3 +1,17 @@
+imagemagick (8:6.8.9.9-5+deb8u16) jessie-security; urgency=medium
+
+  * Non-maintainer upload by the LTS Security Team.
+  * CVE-2019-9956: stack-based buffer overflow in PopHexPixel, allows DoS or
+remote code execution (Closes: #925395).
+  * CVE-2019-11598: heap-based buffer over-read in WritePNMImage, allows DoS
+or information disclosure (Closes: #928206).
+  * CVE-2019-11597: heap-based buffer over-read in WriteTIFFImage, allows Dos
+or information disclosure (Closes: #928207).
+  * CVE-2019-10650: heap-based buffer over-read in WriteTIFFImage, allows DoS
+or information disclosure (Closes: #926091).
+
+ -- Hugo Lefeuvre   Sun, 05 May 2019 13:46:47 +0200
+
 imagemagick (8:6.8.9.9-5+deb8u15) jessie-security; urgency=high
 
   * Non-maintainer upload by the LTS Team. 
diff -Nru imagemagick-6.8.9.9/debian/patches/0283-CVE-2019-9956.patch 
imagemagick-6.8.9.9/debian/patches/0283-CVE-2019-9956.patch
--- imagemagick-6.8.9.9/debian/patches/0283-CVE-2019-9956.patch 1970-01-01 
01:00:00.0 +0100
+++ imagemagick-6.8.9.9/debian/patches/0283-CVE-2019-9956.patch 2019-05-05 
13:46:47.0 +0200
@@ -0,0 +1,22 @@
+Subject: fix stack buffer overflow in PopHexPixel
+Author: Cristy 
+Origin: upstream, 
https://github.com/ImageMagick/ImageMagick6/commit/90401e430840c5ff31ad870f4370bbda1318ac94
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925395
+--- a/coders/ps.c  2019-05-05 13:46:32.0 +0200
 b/coders/ps.c  2019-05-11 08:03:04.238884795 +0200
+@@ -2206,8 +2206,13 @@
+   p++;
+ }
+ q=PopHexPixel(hex_digits,(size_t) index,q);
+-q=PopHexPixel(hex_digits,(size_t)
+-  MagickMin(length,0xff),q);
++q=PopHexPixel(hex_digits,(size_t) MagickMin(length,0xff),q);
++if ((q-pixels+6) >= 80)
++  {
++*q++='\n';
++(void) WriteBlob(image,q-pixels,pixels);
++q=pixels;
++  }
+ if (image->previous == (Image *) NULL)
+   {
+ status=SetImageProgress(image,SaveImageTag,
diff -Nru imagemagick-6.8.9.9/debian/patches/0284-CVE-2019-10650.patch 
imagemagick-6.8.9.9/debian/patches/0284-CVE-2019-10650.patch
--- imagemagick-6.8.9.9/debian/patches/0284-CVE-2019-10650.patch
1970-01-01 01:00:00.0 +0100
+++ imagemagick-6.8.9.9/debian/patches/0284-CVE-2019-10650.patch
2019-05-05 13:46:47.0 +0200
@@ -0,0 +1,19 @@
+Subject: fix heap-buffer-overflow in WriteTIFFImage
+Author: Cristy 
+Origin: upstream, 
https://github.com/ImageMagick/ImageMagick6/commit/4800ae0dabdb3012f82820af946060c3ca9fdb87
+  
https://github.com/ImageMagick/ImageMagick6/commit/d8d844c6f23f4d90d8fe893fe9225dd78fc1e6ef
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926091
+--- a/coders/tiff.c2019-05-11 08:11:49.834745216 +0200
 b/coders/tiff.c2019-05-11 08:15:36.645306260 +0200
+@@ -2946,6 +2946,11 @@
+   (void) TIFFSetErrorHandler(error_handler);
+   return(MagickFalse);
+ }
++  if (image->exception.severity > ErrorException)
++{
++  TIFFClose(tiff);
++  return(MagickFalse);
++}
+   scene=0;
+   debug=IsEventLogging();
+   (void) debug;
diff -Nru imagemagick-6.8.9.9/debian/patches/0285-CVE-2019-11598.patch 
imagemagick-6.8.9.9/debian/patches/0285-CVE-2019-11598.patch
--- imagemagick-6.8.9.9/debian/patches/0285-CVE-2019-11598.patch
1970-01-01 01:00:00.0 +0100
+++ imagemagick-6.8.9.9/debian/patches/0285-CVE-2019-11598.patch
2019-05-05 13:46:47.0 +0200
@@ -0,0 +1,97 @@
+Subject: fix heap-buffer-overflow in SetGrayscaleImage()
+ This patch addresses a heap-buffer-overflow in SetGrayscaleImage(),
+ known as CVE-2019-11598.
+ .
+ The original upstream patch also included a few minor modifications
+ addressing potential overflow issues. Those 

Re: dla-needed/imagemagick entry

2019-05-12 Thread Hugo Lefeuvre
> Great! I have found potential issues in upstream's patch for CVE-2019-11598
> and would maybe wait a little bit for his answer (more info in dla-needed).
> 
> If he takes too long, we can just as well remove this patch from the update
> and mark it postponed until upstream addresses these issues.

Upstream fixed these issues yesterday, I will update my work and send it to
you. Thanks!

Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Re: dla-needed/imagemagick entry

2019-05-11 Thread Hugo Lefeuvre
> > I have prepared an update addressing CVE-2019-9956, CVE-2019-10650,
> > CVE-2019-11598 and CVE-2019-11597. I'm currently testing it. Still OK to
> > upload during the week-end?
> 
> I'm fine with uploading tomorrow. Just send me your debdiff and I will
> incorporate your changes.

Great! I have found potential issues in upstream's patch for CVE-2019-11598
and would maybe wait a little bit for his answer (more info in dla-needed).

If he takes too long, we can just as well remove this patch from the update
and mark it postponed until upstream addresses these issues.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Re: dla-needed/imagemagick entry

2019-05-11 Thread Markus Koschany
Hi Hugo,

Am 11.05.19 um 09:16 schrieb Hugo Lefeuvre:
> Hi Markus,
> 
>>> Good idea. I plan to work on CVE-2019-9956, CVE-2019-10650 and possibly
>>> CVE-2019-11598. Do you think an upload ~ next week-end would be feasible
>>> for you?
>>
>> Sure, that should be feasible.
> 
> I have prepared an update addressing CVE-2019-9956, CVE-2019-10650,
> CVE-2019-11598 and CVE-2019-11597. I'm currently testing it. Still OK to
> upload during the week-end?

I'm fine with uploading tomorrow. Just send me your debdiff and I will
incorporate your changes.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Re: dla-needed/imagemagick entry

2019-05-11 Thread Hugo Lefeuvre
Hi Markus,

> > Good idea. I plan to work on CVE-2019-9956, CVE-2019-10650 and possibly
> > CVE-2019-11598. Do you think an upload ~ next week-end would be feasible
> > for you?
> 
> Sure, that should be feasible.

I have prepared an update addressing CVE-2019-9956, CVE-2019-10650,
CVE-2019-11598 and CVE-2019-11597. I'm currently testing it. Still OK to
upload during the week-end?

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Re: dla-needed/imagemagick entry

2019-05-05 Thread Markus Koschany

Am 05.05.19 um 15:01 schrieb Hugo Lefeuvre:
[...]
> Good idea. I plan to work on CVE-2019-9956, CVE-2019-10650 and possibly
> CVE-2019-11598. Do you think an upload ~ next week-end would be feasible
> for you?
> 
> cheers,
> Hugo

Sure, that should be feasible.

Cheers,

Markus



signature.asc
Description: OpenPGP digital signature


Re: dla-needed/imagemagick entry

2019-05-05 Thread Hugo Lefeuvre
Hi Markus,

> We contacted the security team directly without CCing the lts mailing
> list. However they didn't reply to us.

OK, Roberto forwarded the discussion to me.

> > I think the security team opted for targeted fixes in the imagemagick case,
> > at least for CVE-2019-9956 (claims remote code execution) and
> > CVE-2019-10650, which appear to be the most important ones.
> > 
> > I'd also like to fix CVE-2019-11598, but that would be pretty much it. The
> > rest can be ignored, IMO.
> > 
> > Backporting targeted fixes should be feasible, even if the code changed
> > quite a bit. I'm not sure upgrading to a whole upstream release is worth
> > it.
> > 
> > Any comments?
> 
> I was about to claim imagemagick in the next days and wanted to do some
> targeted fixes. My idea was to forward port the fixes we did in Wheezy
> and to fix everything else that seems in need of fixing. I haven't
> determined the severity of all no-dsa CVE yet. We could combine our work
> like I did with Mike and libav.

Good idea. I plan to work on CVE-2019-9956, CVE-2019-10650 and possibly
CVE-2019-11598. Do you think an upload ~ next week-end would be feasible
for you?

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Re: dla-needed/imagemagick entry

2019-05-05 Thread Hugo Lefeuvre
Hi Roberto,

> > Did you CC debian-lts? I can't find the e-mail you're referring to :)
> > 
> I did not.  In a few minutes I will bounce you the message from that
> discussion (there are 5 or 6).  I won't bounce them to the list, though,
> as I suspect they will get flagged as spam.

Thanks for the prompt answer!

> > NOTE: 20181227: We should address the many open issues in imagemagick
> > either by patching them separetely as we did in Wheezy or by updating
> > to a new upstream version like the security team did with Graphicsmagick
> > in Stretch. (apo)
> > 
> > I think the security team opted for targeted fixes in the imagemagick case,
> > at least for CVE-2019-9956 (claims remote code execution) and
> > CVE-2019-10650, which appear to be the most important ones.
> > 
> > I'd also like to fix CVE-2019-11598, but that would be pretty much it. The
> > rest can be ignored, IMO.
> > 
> > Backporting targeted fixes should be feasible, even if the code changed
> > quite a bit. I'm not sure upgrading to a whole upstream release is worth
> > it.
> > 
> > Any comments?
> > 
> That all makes sense.  I did not do any work on backporting fixes, apart
> from making an attempt to build the latest upstream from sid in jessie.
> Since the backport idea did not go anywhere, you should be able to pick
> up from where the current state is in jessie.

Great, I will coordinate with Markus to provide targeted fixes then.

Thanks!

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Re: dla-needed/imagemagick entry

2019-05-05 Thread Markus Koschany
Hi,

Am 05.05.19 um 14:34 schrieb Hugo Lefeuvre:
> Hi Markus and Roberto,
> 
> I just had a look at imagemagick in jessie and did some quick triage.
> 
> I saw the following notes in dla-needed:
> 
> NOTE: 20190408: Still waiting on security team response to inquiries
> from (apo) and (roberto)
> 
> Did you CC debian-lts? I can't find the e-mail you're referring to :)
> 
> NOTE: 20181227: We should address the many open issues in imagemagick
> either by patching them separetely as we did in Wheezy or by updating
> to a new upstream version like the security team did with Graphicsmagick
> in Stretch. (apo)

We contacted the security team directly without CCing the lts mailing
list. However they didn't reply to us.

> I think the security team opted for targeted fixes in the imagemagick case,
> at least for CVE-2019-9956 (claims remote code execution) and
> CVE-2019-10650, which appear to be the most important ones.
> 
> I'd also like to fix CVE-2019-11598, but that would be pretty much it. The
> rest can be ignored, IMO.
> 
> Backporting targeted fixes should be feasible, even if the code changed
> quite a bit. I'm not sure upgrading to a whole upstream release is worth
> it.
> 
> Any comments?

I was about to claim imagemagick in the next days and wanted to do some
targeted fixes. My idea was to forward port the fixes we did in Wheezy
and to fix everything else that seems in need of fixing. I haven't
determined the severity of all no-dsa CVE yet. We could combine our work
like I did with Mike and libav.

Regards,

Markus




signature.asc
Description: OpenPGP digital signature


Re: dla-needed/imagemagick entry

2019-05-05 Thread Roberto C . Sánchez
Hi Hugo,

On Sun, May 05, 2019 at 02:34:34PM +0200, Hugo Lefeuvre wrote:
> Hi Markus and Roberto,
> 
> I just had a look at imagemagick in jessie and did some quick triage.
> 
> I saw the following notes in dla-needed:
> 
> NOTE: 20190408: Still waiting on security team response to inquiries
> from (apo) and (roberto)
> 
> Did you CC debian-lts? I can't find the e-mail you're referring to :)
> 
I did not.  In a few minutes I will bounce you the message from that
discussion (there are 5 or 6).  I won't bounce them to the list, though,
as I suspect they will get flagged as spam.

> NOTE: 20181227: We should address the many open issues in imagemagick
> either by patching them separetely as we did in Wheezy or by updating
> to a new upstream version like the security team did with Graphicsmagick
> in Stretch. (apo)
> 
> I think the security team opted for targeted fixes in the imagemagick case,
> at least for CVE-2019-9956 (claims remote code execution) and
> CVE-2019-10650, which appear to be the most important ones.
> 
> I'd also like to fix CVE-2019-11598, but that would be pretty much it. The
> rest can be ignored, IMO.
> 
> Backporting targeted fixes should be feasible, even if the code changed
> quite a bit. I'm not sure upgrading to a whole upstream release is worth
> it.
> 
> Any comments?
> 
That all makes sense.  I did not do any work on backporting fixes, apart
from making an attempt to build the latest upstream from sid in jessie.
Since the backport idea did not go anywhere, you should be able to pick
up from where the current state is in jessie.

Regards,

-Roberto

-- 
Roberto C. Sánchez