
CVE-2020-10938/graphicsmagick and additional upstream change



Hello all,

I'd like to ask for some feedback on the situation of CVE-2020-10938
which affects graphicsmagick.  I have included both the LTS list and the
security team in the 'To' field as the vulnerability affects all
versions of graphicsmagick and it makes sense that the same approach
regarding this issue be applied across all Debian releases.

The specific issue is that the upstream changeset [0] includes two
functional changes, as described by the changelog entry:

	* magick/compress.c (HuffmanDecodeImage): Fix signed overflow on
	range check which leads to heap overflow in 32-bit
	applications. Requires a relatively large file input to trigger.
	Problem reported to the graphicsmagick-security mail address by
	Justin Tripp on 2019-11-13.
	(Ascii85Tuple): Fix thread safety issue by requiring caller to
	pass in tuple buffer as an argument and having callers allocate
	tuple buffer on the stack.

The first change is the one associated with CVE-2020-10938.  The second
change, however, is not.  I have contacted the upstream author and he
has informed me that he made both changes in the interest of maintaining
the overall quality and security of the code and that the CVE was only
assigned after the changes had been committed.  He also noted that some
people would likely consider the thread safety issue to have security
implications.

That said, there are two possible approaches:

 1. Remove the part of the change set which addresses the thread safety
    issue, leaving only the part that pertains to CVE-2020-10938.  This
    is an easy and straightforward operation.
 2. Leave the change set intact with both functional changes, and:
    a. mention only CVE-2020-10938 in debian/changelog and the
       associated advisories
    b. mention CVE-2020-10938 and the thread safety issue as a separate
       concern without an associated CVE

I am in favor of including both changes, but I am not certain about
whether it is better to mention both in the changelog and advisories or
whether it is better to only mention CVE-2020-10938.  I lean slightly
toward mentioning both CVE-2020-10938 and the thread safety issue, but
if that is not a good idea I can be easily persuaded.

Regards,

-Roberto

[0] http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/95abc2b694ce

-- 
Roberto C. Sánchez
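The bug class named in the quoted changelog entry (a signed range check that wraps and so accepts an out-of-bounds write, which shows up in 32-bit builds where `int` and `size_t` are both 32 bits wide) can be illustrated with a small hypothetical example. This is added here for illustration and is not GraphicsMagick's code: the function names, the buffer size and the offset/count values are all assumptions, and the arithmetic is pinned to 32-bit types so the wrap reproduces on any platform.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical decoder range check (not GraphicsMagick's code).
 * A decoder owns a buffer of `buffer_len` bytes and wants to write `count`
 * bytes starting at `offset`.  It must only proceed when the whole write
 * lands inside the buffer.
 */

/*
 * Vulnerable form: the check is done in signed 32-bit arithmetic.  A large
 * `offset` plus `count` wraps to a negative value, which compares as
 * "less than buffer_len", so the check passes and the caller writes far
 * past the end of the heap block.  The addition is performed via uint32_t
 * so that the wrap is well defined here (plain int32_t overflow is
 * undefined behaviour in C); the cast back to int32_t is two's complement
 * on all mainstream compilers.
 */
bool range_ok_signed(int32_t offset, int32_t count, int32_t buffer_len)
{
    int32_t end = (int32_t)((uint32_t)offset + (uint32_t)count);
    return end <= buffer_len;
}

/*
 * Hardened form: reject negative inputs outright, then compare without
 * ever forming the sum.  `uoff <= ulen - ucnt` is evaluated only after
 * `ucnt <= ulen` has been established, so the subtraction cannot underflow.
 */
bool range_ok_safe(int32_t offset, int32_t count, int32_t buffer_len)
{
    if (offset < 0 || count < 0 || buffer_len < 0)
        return false;
    uint32_t uoff = (uint32_t)offset;
    uint32_t ucnt = (uint32_t)count;
    uint32_t ulen = (uint32_t)buffer_len;
    return ucnt <= ulen && uoff <= ulen - ucnt;
}

int main(void)
{
    /* Constructed inputs: a 4096-byte buffer and a write that wraps. */
    const int32_t buffer_len = 4096;
    const int32_t offset = 0x7FFFFFF0;
    const int32_t count = 0x20;

    printf("signed check accepts wrapping write: %s\n",
           range_ok_signed(offset, count, buffer_len) ? "yes (bug)" : "no");
    printf("safe check accepts wrapping write:   %s\n",
           range_ok_safe(offset, count, buffer_len) ? "yes" : "no (correct)");
    printf("safe check accepts in-bounds write:  %s\n",
           range_ok_safe(4080, 16, buffer_len) ? "yes (correct)" : "no");
    return 0;
}
```

The hardened form is the general fix for this class: compare against the remaining space rather than computing an end offset, and do it in unsigned arithmetic after rejecting negative values, so no intermediate result can wrap regardless of the platform's `int` width.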

