[Pkg-gmagick-im-team] Bug#1070340: Fwd: Bug CVE-2023-34151: Please add this doc here
Сергей Сёмин
syominsergey at gmail.com
Mon Jun 24 10:45:32 BST 2024
Hi!
Later in this comment I wrote a description of a way to reproduce
CVE-2023-34151 in the recent imagemagick from Debian Bookworm.
Rouca, please, let me know, is it enough to start investigating the problem?
Go to the page https://app.vagrantup.com/debian (mentioned here
https://wiki.debian.org/Teams/Cloud/VagrantBaseBoxes) and find the
latest bookworm image.
For now it is https://app.vagrantup.com/debian/boxes/bookworm64/versions/12.20240503.1.
Create a Vagrantfile. Something like this:
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
  config.vm.box = "debian/bookworm64"
  config.vm.box_url = "https://app.vagrantup.com/debian/boxes/bookworm64/versions/12.20240503.1/providers/virtualbox/unknown/vagrant.box"
  config.vm.provider "virtualbox" do |v|
    v.cpus = 4
    v.memory = 4096
  end
end
The number of CPUs and the memory depend on the available resources on the host machine.
In my case, for some reason, it was impossible for me to download the image
using vagrant, so I downloaded it with wget:
wget https://app.vagrantup.com/debian/boxes/bookworm64/versions/12.20240503.1/providers/virtualbox/unknown/vagrant.box
Then added it manually:
vagrant box add --name="debian/bookworm64 12.20240503.1" vagrant.box
And then created the Vagrantfile:
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
  config.vm.box = "debian/bookworm64 12.20240503.1"
  config.vm.provider "virtualbox" do |v|
    v.cpus = 4
    v.memory = 4096
  end
end
Run the VM:
vagrant up
And log in to it:
vagrant ssh
Update the apt cache:
sudo apt update
Upgrade the packages:
sudo apt upgrade
You can see my upgrade logs here:
https://pastila.nl/?0077368d/4cae0de35fb23d588f6396b10a636541#RKclXYVIqKzf+F7DVI+eZw==
Reboot the VM to be sure all updates are properly applied and activated
(a new kernel, for example). Then log in to the VM again.
Install the build deps for imagemagick:
sudo apt build-dep imagemagick
My build-deps install logs are here:
https://pastila.nl/?0003cd4a/6035ab75de7090a94ed980ba416f89e1#blX3XanLb3+nivO4q9rnCg==
Download the sources of imagemagick:
apt-get source imagemagick
My logs of the sources download are here:
https://pastila.nl/?0004c766/e890d59367daa72a9beb1f4098a3cd67#/F40TRjcilEcYaoB7EdO7A==
In my case it was version 8:6.9.11.60+dfsg-1.6+deb12u1 of imagemagick.
Notice that this is the same version as listed on the page about
CVE-2023-34151 in Debian Bookworm, where it is shown as fixed in this
version:
https://security-tracker.debian.org/tracker/CVE-2023-34151
Now I will show that it is not fixed properly.
Go into the folder with the sources (cd imagemagick-6.9.11.60+dfsg) and
configure it with sanitizers as described in the issue about that CVE
upstream:
https://github.com/ImageMagick/ImageMagick/issues/6341
./configure \
  CFLAGS='-g -fsanitize=address,undefined,float-cast-overflow -fsanitize-recover=address,undefined,float-cast-overflow' \
  LDFLAGS='-fsanitize=address,undefined,float-cast-overflow -lasan -lubsan'
You can see my configure log here:
https://pastila.nl/?0002f9fa/82b03b8d0b9dd10ab2c77440b9493792#K9AQSIijCBz587U2FFlnWA==
And then run make:
make -j4
The number of processes depends on the number of CPUs in the virtual machine (4 in my case).
This is my build log:
https://pastila.nl/?00057c79/3d9f90769d9006fc957753a33d01a0e0#y5IrEC8oEd6MJ2MOW+ezEQ==
Then download the file samples.zip mentioned in issue 6341:
wget https://github.com/ImageMagick/ImageMagick/files/11497437/samples.zip
Install unzip:
sudo apt install unzip
Unzip the archive:
unzip samples.zip
Run the sample as described in issue 6341 on ImageMagick's GitHub (it was
slightly adapted to use the shell wrapper created during the build):
./magick.sh identify mvg:piechart.mvg
As a result we get an error:
coders/mvg.c:180:33: runtime error: 5e+26 is outside the range of
representable values of type 'long unsigned int'
identify: must specify image size `piechart.mvg' @ error/mvg.c/ReadMVGImage/186.
It is the same as described in issue 6341 on ImageMagick's GitHub.
This error was also reproduced in upstream version of ImageMagick, see here:
https://github.com/ImageMagick/ImageMagick/issues/6341#issuecomment-2063607226
And upstream developers finally fixed it:
https://github.com/ImageMagick/ImageMagick/issues/6341#issuecomment-2072595608
They also backported the fix into ImageMagick6:
https://github.com/ImageMagick/ImageMagick/issues/6341#issuecomment-2108156142
I tried to create a patch suitable for Debian. I had succeeded with a
patch for Debian Buster, see earlier:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070340#15
Unfortunately, I couldn't create such a patch for Debian Bookworm. As I
remember, there were conflicts when I tried to apply the patch for
imagemagick in Debian Buster, mentioned earlier, to Debian Bookworm.
Help from more qualified people is needed.
Thanks,
Sergei.
Sat, 22 Jun 2024 at 15:39, Bastien Roucariès <rouca at debian.org>:
>
> Hi,
>
> Could you post as plain text the document you put in a google doc and the image used as an attached document?
>
> It will help others to reproduce
>
> Thanks
>
> rouca
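The sanitizer line quoted in the report above (5e+26 is outside the range of representable values of type 'long unsigned int') is UBSan's float-cast-overflow check: converting a double that does not fit into an unsigned integer type is undefined behaviour in C, so a parser must range-check before casting. The following is an added example written for this post, not ImageMagick's code or its upstream fix; it assumes a constructed MVG-like "viewbox x1 y1 x2 y2" line (the 5e+26 value is taken from the sanitizer output) and shows a checked conversion that rejects such input instead of truncating it.

```c
#include <limits.h>
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Convert a double to unsigned long only when it is finite, non-negative
   and below 2^(bits of unsigned long); otherwise refuse. The unchecked
   cast (unsigned long)v is what UBSan flags when v does not fit. */
bool checked_double_to_ulong(double v, unsigned long *out)
{
    double limit = 1.0;                       /* computed exactly: 2^bits */
    for (int i = 0; i < CHAR_BIT * (int)sizeof(unsigned long); i++)
        limit *= 2.0;
    if (!isfinite(v) || v < 0.0 || v >= limit)
        return false;
    *out = (unsigned long)v;                  /* now guaranteed to fit */
    return true;
}

/* Parse a constructed "viewbox x1 y1 x2 y2" line into width and height.
   Every coordinate goes through the checked conversion; a line that
   cannot be converted safely is rejected rather than silently truncated. */
bool parse_viewbox(const char *line, unsigned long *width, unsigned long *height)
{
    double f[4];
    unsigned long c[4];
    if (sscanf(line, "viewbox %lf %lf %lf %lf", &f[0], &f[1], &f[2], &f[3]) != 4)
        return false;
    for (int i = 0; i < 4; i++)
        if (!checked_double_to_ulong(f[i], &c[i]))
            return false;
    if (c[2] <= c[0] || c[3] <= c[1])         /* empty or inverted box */
        return false;
    *width = c[2] - c[0];
    *height = c[3] - c[1];
    return true;
}

int main(void)
{
    /* Constructed sample lines: a sane viewbox and one carrying the
       out-of-range 5e+26 value from the sanitizer report. */
    const char *lines[] = { "viewbox 0 0 624 369", "viewbox 0 0 5e+26 369" };
    for (int i = 0; i < 2; i++) {
        unsigned long w = 0, h = 0;
        bool ok = parse_viewbox(lines[i], &w, &h);
        printf("%-24s -> %s", lines[i], ok ? "ok" : "rejected");
        if (ok) printf(" (%lux%lu)", w, h);
        printf("\n");
    }
    return 0;
}
```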