Bug 1048936 (CVE-2017-11352)

Summary: VUL-0: CVE-2017-11352: GraphicsMagick,ImageMagick: A crafted RLE image can trigger a crash because of incorrect EOF handling in coders/rle.c
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Petr Gajdos <pgajdos>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: meissner, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/188571/
Whiteboard: CVSSv2:SUSE:CVE-2017-11352:7.1:(AV:N/AC:M/Au:N/C:N/I:N/A:C) CVSSv3:SUSE:CVE-2017-11352:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2017-11352:4.0:(AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVSSv3:RedHat:CVE-2017-9144:4.0:(AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVSSv2:NVD:CVE-2017-11352:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Johannes Segitz 2017-07-17 10:59:04 UTC
CVE-2017-11352

In ImageMagick before 7.0.5-10, a crafted RLE image can trigger a crash
because of incorrect EOF handling in coders/rle.c. NOTE: this
vulnerability exists because of an incomplete fix for CVE-2017-9144.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11352
http://seclists.org/oss-sec/2017/q3/172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11352
https://github.com/ImageMagick/ImageMagick/commit/7f1f01b695e869c410ee10e2176f8fd764f09373
https://github.com/ImageMagick/ImageMagick/commit/86cb33143c5b21912187403860a7c26761a3cd23
Comment 1 Marcus Meissner 2017-09-27 14:53:40 UTC
hm. the operand=EOF (-1) can be misused later to a integer overflow,
and EOF(-1) is even casted to size_t.
Comment 3 Petr Gajdos 2017-12-05 17:31:24 UTC
This is my upstream report and I am almost sure I ported it correctly. See CVE-2017-9144, bug 1040332.