Bug 982178 - (CVE-2016-5118) VUL-0: CVE-2016-5118: ImageMagick, GraphicsMagick: popen() shell vulnerability via filename

Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/169582/
CVSSv2:RedHat:CVE-2016-5118:6.8:(AV:...
Reported: 2016-05-30 08:55 UTC by Alexander Bergmann
Modified: 2019-08-16 17:17 UTC
Found By: Security Response Team

Description Alexander Bergmann 2016-05-30 08:55:46 UTC
CVE-2016-5118

> if the first character of the file specification is
> a '|', then the remainder of the filename is passed to the shell for
> execution using the POSIX popen(3C) function
>
> The simple solution to the problem is to disable the popen support
> (HAVE_POPEN) in GraphicsMagick's magick/blob.c as is done by the
> attached patch.

Use CVE-2016-5118.

> Previously supplied recommended patches for GraphicsMagick do
> successfully block this attack vector in SVG and MVG.

If there was a previous announcement of a vulnerability fix for a
subset of the exploitation methodologies, then a separate CVE ID is
also needed. The scope of CVE-2016-5118 is only the new "initial |
character" information announced in the
http://www.openwall.com/lists/oss-security/2016/05/29/7 post.

(For example, if there had previously been any type of announcement
that the

  xlink:href="|

substring was being blocked in the native SVG readers, then that can
have its own unique CVE ID.)


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5118
http://seclists.org/oss-sec/2016/q2/433
http://www.openwall.com/lists/oss-security/2016/05/29/7
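The description above states the vulnerable behaviour (a filename whose first character is `|` has its remainder handed to the shell via popen(3)) and the chosen fix (disable popen support). Below is an added example, not ImageMagick's or GraphicsMagick's code, that implements the same defensive effect in one place: pipe-style filenames are rejected before any open call, and a list of names can be pre-scanned for the pattern. The names `is_pipe_filename`, `safe_open_image` and `count_pipe_filenames` are hypothetical, and the sample inputs are constructed (the first one is the page's own proof-of-concept string).

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not ImageMagick/GraphicsMagick code).
 * Vulnerable behaviour: a filename whose first character is '|' has the rest
 * of the string passed to popen(3) and executed by the shell.
 * Defensive equivalent of `#undef HAVE_POPEN`: such names are refused up
 * front, and every accepted name only ever reaches fopen(3). */

/* True if this filename would have been treated as a shell command. */
bool is_pipe_filename(const char *filename)
{
    return filename != NULL && filename[0] == '|';
}

/* Hypothetical hardened open. Pipe-style names are refused with EINVAL;
 * every other name is opened as an ordinary file and never via popen(). */
FILE *safe_open_image(const char *filename, const char *mode)
{
    if (filename == NULL || mode == NULL || is_pipe_filename(filename)) {
        errno = EINVAL;
        return NULL;
    }
    return fopen(filename, mode);
}

/* Scan a list of filenames (e.g. argv of a converter front end) and count how
 * many would have reached popen() in an unpatched build. Usable as a
 * pre-flight check or as a log-time detector. */
size_t count_pipe_filenames(const char *const *names, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_pipe_filename(names[i]))
            hits++;
    return hits;
}

int main(void)
{
    /* Constructed sample inputs; the first is the page's proof-of-concept. */
    const char *const samples[] = {
        "|echo Hello > hello.txt;",   /* would execute under popen() */
        "null:",                      /* harmless pseudo-format */
        "photo.png",                  /* ordinary file */
        " |late",                     /* '|' is not the first character */
    };
    size_t n = sizeof samples / sizeof samples[0];

    for (size_t i = 0; i < n; i++)
        printf("%-28s %s\n", samples[i],
               is_pipe_filename(samples[i]) ? "REJECT (pipe filename)" : "ok");
    printf("%zu of %zu names would have reached popen()\n",
           count_pipe_filenames(samples, n), n);

    FILE *f = safe_open_image(samples[0], "rb");
    if (f == NULL && errno == EINVAL)
        puts("safe_open_image refused the pipe filename");
    return 0;
}
```

The check is deliberately on the first character only, matching the behaviour the description quotes; it does not try to sanitise the rest of the name, because the safe outcome is to never route user-controlled names through a shell at all.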
Comment 1 Alexander Bergmann 2016-05-30 09:24:03 UTC
The functionality can be demonstrated as follows:

  % rm -f hello.txt
  % convert '|echo Hello > hello.txt;' null:
  % ls hello.txt
  hello.txt

More details can be found in the original post.

http://seclists.org/oss-sec/2016/q2/432

disable-popen-filename.patch:

diff -r 33200fc645f6 magick/blob.c
--- a/magick/blob.c	Sat Nov 07 14:49:16 2015 -0600
+++ b/magick/blob.c	Sun May 29 14:12:57 2016 -0500
@@ -68,6 +68,7 @@
 */
 #define DefaultBlobQuantum  65541
 
+#undef HAVE_POPEN
 
 /*
   Enum declarations.
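Review bot: the added `+#undef HAVE_POPEN` directly after `#define DefaultBlobQuantum  65541` carries no comment, so a reader of magick/blob.c sees a configure-detected feature macro silently overridden in this one translation unit. Suggest preceding it with a one-line rationale such as `/* CVE-2016-5118: never route a filename beginning with '|' to popen() */`, and stating in the change description that the undef is unconditional, i.e. popen support stays disabled here regardless of what configure detects; since the diff touches only blob.c, any other file that tests HAVE_POPEN is unaffected, which is worth saying explicitly if that is the intent.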
Comment 2 Alexander Bergmann 2016-05-30 12:06:55 UTC
RedHat Bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1340814
Comment 3 Petr Gajdos 2016-05-30 13:50:33 UTC
Same CVE number should be used for both ImageMagick and GraphicsMagick?
Comment 4 Petr Gajdos 2016-05-30 14:26:26 UTC
BEFORE:

see comment 0


AFTER:

$ rm -f hello.txt; gm convert '|echo Hello > hello.txt;' null:; cat hello.txt
gm convert: Unable to open file (|echo Hello > hello.txt;) [No such file or directory].
cat: hello.txt: No such file or directory
$
Comment 5 Bernhard Wiedemann 2016-05-30 15:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (982178) was mentioned in
https://build.opensuse.org/request/show/398980 Factory / GraphicsMagick
https://build.opensuse.org/request/show/398981 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/398982 42.1 / GraphicsMagick
Comment 7 Petr Gajdos 2016-05-30 15:39:52 UTC
BEFORE:

see comment 0

AFTER:

$ rm -f hello.txt; convert '|echo Hello > hello.txt;' null:; cat hello.txt
Magick: unable to open image `|echo Hello > hello.txt;': No such file or directory @ error/blob.c/OpenBlob/2705.
Magick: no decode delegate for this image format `TXT;' @ error/constitute.c/ReadImage/501.
Magick: no images defined `null:' @ error/convert.c/ConvertImageCommand/3257.
cat: hello.txt: No such file or directory
$
Comment 8 Swamp Workflow Management 2016-05-30 22:00:25 UTC
bugbot adjusting priority
Comment 9 Petr Gajdos 2016-05-31 08:40:50 UTC
Packages submitted.
Comment 10 Bernhard Wiedemann 2016-05-31 09:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (982178) was mentioned in
https://build.opensuse.org/request/show/399073 13.2 / ImageMagick
https://build.opensuse.org/request/show/399075 Factory / ImageMagick
Comment 12 Swamp Workflow Management 2016-06-08 10:07:32 UTC
openSUSE-SU-2016:1521-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 982178
CVE References: CVE-2016-5118
Sources used:
openSUSE Leap 42.1 (src):    GraphicsMagick-1.3.21-8.1
Comment 13 Swamp Workflow Management 2016-06-08 10:07:46 UTC
openSUSE-SU-2016:1522-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 982178
CVE References: CVE-2016-5118
Sources used:
openSUSE 13.2 (src):    GraphicsMagick-1.3.20-6.1
Comment 14 Swamp Workflow Management 2016-06-09 06:54:25 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-06-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62808
Comment 15 Swamp Workflow Management 2016-06-09 10:07:46 UTC
openSUSE-SU-2016:1534-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 982178
CVE References: CVE-2016-5118
Sources used:
openSUSE 13.2 (src):    ImageMagick-6.8.9.8-21.1
Comment 16 Swamp Workflow Management 2016-06-14 14:09:43 UTC
SUSE-SU-2016:1570-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 867943,982178
CVE References: CVE-2016-5118
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-25.1
SUSE Linux Enterprise Workstation Extension 12 (src):    ImageMagick-6.8.8.1-25.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-25.1
SUSE Linux Enterprise Software Development Kit 12 (src):    ImageMagick-6.8.8.1-25.1
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-25.1
SUSE Linux Enterprise Server 12 (src):    ImageMagick-6.8.8.1-25.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-25.1
SUSE Linux Enterprise Desktop 12 (src):    ImageMagick-6.8.8.1-25.1
Comment 17 Swamp Workflow Management 2016-06-17 15:13:06 UTC
SUSE-SU-2016:1610-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 982178
CVE References: CVE-2016-5118
Sources used:
SUSE OpenStack Cloud 5 (src):    ImageMagick-6.4.3.6-7.40.1
SUSE Manager Proxy 2.1 (src):    ImageMagick-6.4.3.6-7.40.1
SUSE Manager 2.1 (src):    ImageMagick-6.4.3.6-7.40.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.40.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.40.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    ImageMagick-6.4.3.6-7.40.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    ImageMagick-6.4.3.6-7.40.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.40.1
Comment 18 Swamp Workflow Management 2016-06-17 16:08:44 UTC
SUSE-SU-2016:1614-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 851064,965574,982178
CVE References: CVE-2013-4589,CVE-2015-8808,CVE-2016-5118
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.38.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.38.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.38.1
Comment 19 Marcus Meissner 2016-06-19 21:04:54 UTC
released.

needinfo on alex ... I think the same CVE should be used
Comment 20 Swamp Workflow Management 2016-06-22 13:08:26 UTC
openSUSE-SU-2016:1653-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 867943,982178
CVE References: CVE-2016-5118
Sources used:
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-12.1
Comment 22 Bernhard Wiedemann 2016-11-29 17:00:52 UTC
This is an autogenerated message for OBS integration:
This bug (982178) was mentioned in
https://build.opensuse.org/request/show/442718 42.2 / GraphicsMagick
Comment 23 Swamp Workflow Management 2016-12-08 17:12:54 UTC
openSUSE-SU-2016:3060-1: An update that fixes 31 vulnerabilities is now available.

Category: security (important)
Bug References: 1000399,1000434,1000689,1000698,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,1007245,1011130,982178,983521,983752,983794,983799,984145,984150,984166,984372,984375,984394,984400,984436
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9809,CVE-2014-9815,CVE-2014-9817,CVE-2014-9820,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9845,CVE-2014-9846,CVE-2014-9853,CVE-2016-5118,CVE-2016-6823,CVE-2016-7101,CVE-2016-7515,CVE-2016-7522,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684,CVE-2016-8862,CVE-2016-9556
Sources used:
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-3.1