Bug 1036987 (CVE-2017-8352)

Summary: VUL-1: CVE-2017-8352: ImageMagick, GraphicsMagick: denial of service (memory leak) via a crafted file (ReadXWDImage func in xwd.c)
Product: [Novell Products] SUSE Security Incidents
Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: jsegitz, pgajdos, vpereira
Version: unspecified
Target Milestone: unspecified
Hardware: Other
OS: Other
Whiteboard: CVSSv2:SUSE:CVE-2017-8352:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2017-8352:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:NVD:CVE-2017-8352:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: CVE-2017-8352_memory-leak-in-ReadXWDImage-13_testcase

Description Mikhail Kasimov 2017-04-30 20:34:32 UTC
Created attachment 723261: CVE-2017-8352_memory-leak-in-ReadXWDImage-13_testcase

Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-8352
===================================================
Description

In ImageMagick 7.0.5-5, the ReadXWDImage function in xwd.c allows attackers to cause a denial of service (memory leak) via a crafted file.

Source: MITRE    Last Modified: 04/30/2017
===================================================

Hyperlink

[1] https://github.com/ImageMagick/ImageMagick/issues/452

[2] Testcase: https://github.com/bestshow/p0cs/blob/master/memory-leak-in-ReadXWDImage-13.xwd

[3] https://github.com/ImageMagick/ImageMagick/commit/a8af58506e7411284a70c759970a5d115cd8657e (master)

[4] https://github.com/ImageMagick/ImageMagick/commit/2917930679a3543e52070668c3adb3d8c183d1f6 (ImageMagick-6)


(open-)SUSE: https://software.opensuse.org/package/ImageMagick

7.0.5.4 (TW, official repo)
6.8.8.1 (42.{1,2}, official repo)
Comment 1 Petr Gajdos 2017-05-11 13:14:16 UTC
With 12/ImageMagick:

BEFORE

$ valgrind --leak-check=full identify memory-leak-in-ReadXWDImage-13.xwd
[..]
==26915== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
$

AFTER

$ valgrind --leak-check=full identify memory-leak-in-ReadXWDImage-13.xwd
[..]
==12105== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
$

Similarly for 12/ImageMagick. I do not get leaks for GraphicsMagick.
Comment 2 Petr Gajdos 2017-05-12 09:58:07 UTC
(In reply to Petr Gajdos from comment #1)
> Similarly for 12/ImageMagick. I do not get leaks for GraphicsMagick.

This should have been 11/ImageMagick. 42.1/GraphicsMagick also needs the patch; in 42.2 it is solved via a specialized ThrowXWDReaderException.

Therefore considering affected:

12/ImageMagick, 11/ImageMagick, 11/GraphicsMagick and 42.1/GraphicsMagick.
Comment 3 Petr Gajdos 2017-05-17 15:12:59 UTC
I believe all fixed.
Comment 8 Marcus Meissner 2017-06-06 09:31:07 UTC
I think the testcase triggers the leak in the part of the patch that you did not need to backport (the freeing after SetImageExtent, which is not present in SLE12 IM).
Comment 9 Petr Gajdos 2017-06-06 09:51:47 UTC
(In reply to Marcus Meissner from comment #8)
> I think the testcase triggers the leak in the part of the patch that you did
> not need to backport. (the freeing after SetImageExtent which is not present
> in SLE12 IM)

My testing in comment 1 differs from this assumption.

By the way, there should probably be:

*Similarly for 11/ImageMagick.*
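Added illustration of the defect class discussed in comment 1 (valgrind reports one leaked context before the fix, none after) and in comments 8 and 9 (buffers not released when SetImageExtent fails): a stripped-down model written for this page, not code from ImageMagick or from the commits in [3]/[4]. The names set_image_extent, read_xwd_leaky and read_xwd_fixed, the 65535 geometry bound and the allocation counter are assumptions of the example, chosen so the leak can be counted without valgrind.

```c
#include <stdlib.h>

static int live_allocs = 0;   /* outstanding heap blocks, for counting leaks */

static void *tracked_malloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void tracked_free(void *p) { if (p) { free(p); live_allocs--; } }
int outstanding_allocations(void) { return live_allocs; }

/* Stand-in for SetImageExtent(): hypothetical bound that rejects zero or oversized geometry. */
static int set_image_extent(unsigned long columns, unsigned long rows)
{
    return columns != 0 && rows != 0 && columns <= 65535UL && rows <= 65535UL;
}

/* Leaky shape: header buffers are allocated, then an extent failure returns early. */
int read_xwd_leaky(unsigned long columns, unsigned long rows, size_t comment_len, size_t ncolors)
{
    char *comment = tracked_malloc(comment_len + 1);
    unsigned long *colors = tracked_malloc(ncolors * sizeof *colors);
    if (comment == NULL || colors == NULL) {
        tracked_free(comment);
        tracked_free(colors);
        return 0;
    }
    if (!set_image_extent(columns, rows))
        return 0;                   /* BUG: comment and colors are never freed */
    /* pixel decoding would follow here */
    tracked_free(comment);
    tracked_free(colors);
    return 1;
}

/* Fixed shape: one exit path releases whatever was acquired before the failure. */
int read_xwd_fixed(unsigned long columns, unsigned long rows, size_t comment_len, size_t ncolors)
{
    int ok = 0;
    char *comment = tracked_malloc(comment_len + 1);
    unsigned long *colors = tracked_malloc(ncolors * sizeof *colors);
    if (comment == NULL || colors == NULL || !set_image_extent(columns, rows))
        goto cleanup;
    ok = 1;                         /* pixel decoding would follow here */
cleanup:
    tracked_free(comment);
    tracked_free(colors);
    return ok;
}
```

Feeding the leaky reader a zero-width header leaves two blocks outstanding, which is what valgrind's "1 errors from 1 contexts" in comment 1 corresponds to; the fixed reader leaves none on the same input.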
Comment 11 Swamp Workflow Management 2017-06-06 16:13:20 UTC
SUSE-SU-2017:1489-1: An update that fixes 27 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1028075,1033091,1034870,1034872,1034876,1036976,1036977,1036978,1036980,1036981,1036982,1036983,1036984,1036985,1036986,1036987,1036988,1036989,1036990,1036991,1037527,1038000,1040025,1040303,1040304,1040306,1040332
CVE References: CVE-2017-6502,CVE-2017-7606,CVE-2017-7941,CVE-2017-7942,CVE-2017-7943,CVE-2017-8343,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8347,CVE-2017-8348,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8354,CVE-2017-8355,CVE-2017-8356,CVE-2017-8357,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9141,CVE-2017-9142,CVE-2017-9143,CVE-2017-9144
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
Comment 13 Swamp Workflow Management 2017-06-14 13:13:11 UTC
openSUSE-SU-2017:1560-1: An update that fixes 27 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1028075,1033091,1034870,1034872,1034876,1036976,1036977,1036978,1036980,1036981,1036982,1036983,1036984,1036985,1036986,1036987,1036988,1036989,1036990,1036991,1037527,1038000,1040025,1040303,1040304,1040306,1040332
CVE References: CVE-2017-6502,CVE-2017-7606,CVE-2017-7941,CVE-2017-7942,CVE-2017-7943,CVE-2017-8343,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8347,CVE-2017-8348,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8354,CVE-2017-8355,CVE-2017-8356,CVE-2017-8357,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9141,CVE-2017-9142,CVE-2017-9143,CVE-2017-9144
Sources used:
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-30.3.1
Comment 14 Swamp Workflow Management 2017-06-19 10:12:05 UTC
SUSE-SU-2017:1599-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033091,1034870,1034872,1034876,1036976,1036978,1036980,1036981,1036983,1036984,1036985,1036986,1036987,1036988,1036989,1036990,1037527,1038000,1040025,1040303,1040304,1040306,1040332
CVE References: CVE-2014-9846,CVE-2016-10050,CVE-2017-7606,CVE-2017-7941,CVE-2017-7942,CVE-2017-7943,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8348,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8354,CVE-2017-8355,CVE-2017-8357,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9141,CVE-2017-9142,CVE-2017-9143,CVE-2017-9144
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.77.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.77.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.77.1
Comment 15 Swamp Workflow Management 2017-06-19 13:11:24 UTC
SUSE-SU-2017:1600-1: An update that fixes 17 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033091,1034876,1036978,1036980,1036981,1036984,1036985,1036986,1036987,1036988,1036990,1037527,1038000,1040025,1040304,1040332,984144
CVE References: CVE-2014-9847,CVE-2017-7606,CVE-2017-7941,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8355,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9142,CVE-2017-9144
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.77.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.77.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.77.1
Comment 16 Marcus Meissner 2017-06-20 08:02:24 UTC
released