Bug 1051442 (CVE-2017-11750)

Summary: VUL-2: CVE-2017-11750: ImageMagick: ReadOneJNGImage in coders/png.c allows to cause DoS
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P4 - Low CC: jsegitz, meissner, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/189314/
Whiteboard: CVSSv3:SUSE:CVE-2017-11750:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv2:SUSE:CVE-2017-11750:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv3:RedHat:CVE-2017-11750:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv2:NVD:CVE-2017-11750:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Reproducer

Description Johannes Segitz 2017-07-31 09:28:33 UTC 
Created attachment 734529 [details]
Reproducer

CVE-2017-11750

The ReadOneJNGImage function in coders/png.c in ImageMagick 6.9.9-4 and 7.0.6-4
allows remote attackers to cause a denial of service (NULL pointer dereference)
via a crafted file.

valgrind convert SEGV-0x000000000000_output_aai_1501399328.45 output.aai

For us this is a memory leak, not a NULL pointer dereference.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11750
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11750
https://github.com/ImageMagick/ImageMagick/issues/632
Comment 1 Marcus Meissner 2017-09-29 06:07:23 UTC 
controlled abort via NULL ptr dereference. also quite new, probably not even affectiung us. deferable.
Comment 2 Petr Gajdos 2018-01-10 10:41:26 UTC 
https://github.com/ImageMagick/ImageMagick/commit/253d56027765dcbd8d6bc2bbd7d59aa41dab60e7

See upstream bug though:

"
A CVE will have to say bug was introduced in 6.9.9.4 and 7.0.6-4, fixed in 6.9.9-5 and 7.0.6-5.
"

"
I introduced this bug recently in
IM7: commit 8cc53f1
IM6: commit 3cba1bb
"

I will try to look at the leak mentioned in comment 0, but this is no longer CVE-2017-11750.
Comment 3 Petr Gajdos 2018-01-10 11:35:55 UTC 
Please note somewhere 'we are not affected by CVE-2017-11750'.
Comment 4 Johannes Segitz 2018-01-10 12:11:50 UTC 
adjusted our tracking, will be reflected on the CVE pages
Comment 5 Petr Gajdos 2018-01-14 21:41:08 UTC 
12/ImageMagick

BEFORE

$ valgrind -q --leak-check=full convert SEGV-0x000000000000_output_aai_1501399328.45 output.aai
convert: corrupt image `SEGV-0x000000000000_output_aai_1501399328.45' @ error/png.c/ReadOneJNGImage/4248.
convert: no images defined `output.aai' @ error/convert.c/ConvertImageCommand/3149.
==31846== 16,792 bytes in 1 blocks are definitely lost in loss record 22 of 23
==31846==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31846==    by 0x841E5B1: ???
==31846==    by 0x841FDF5: ???
==31846==    by 0x4EBFE1A: ReadImage (constitute.c:601)
==31846==    by 0x4EC0EDA: ReadImages (constitute.c:907)
==31846==    by 0x5319B8E: ConvertImageCommand (convert.c:617)
==31846==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==31846==    by 0x400836: ConvertMain (convert.c:81)
==31846==    by 0x400836: main (convert.c:92)
==31846== 
==31846== 23,240 (13,232 direct, 10,008 indirect) bytes in 1 blocks are definitely lost in loss record 23 of 23
==31846==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31846==    by 0x4F4C9AC: AcquireImage (image.c:164)
==31846==    by 0x841E5D4: ???
==31846==    by 0x841FDF5: ???
==31846==    by 0x4EBFE1A: ReadImage (constitute.c:601)
==31846==    by 0x4EC0EDA: ReadImages (constitute.c:907)
==31846==    by 0x5319B8E: ConvertImageCommand (convert.c:617)
==31846==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==31846==    by 0x400836: ConvertMain (convert.c:81)
==31846==    by 0x400836: main (convert.c:92)
==31846== 
$

AFTER

$ valgrind -q --leak-check=full convert SEGV-0x000000000000_output_aai_1501399328.45 output.aai
convert: insufficient image data in file `SEGV-0x000000000000_output_aai_1501399328.45' @ error/png.c/ReadOneJNGImage/4309.
convert: no images defined `output.aai' @ error/convert.c/ConvertImageCommand/3149.
$
Comment 9 Petr Gajdos 2018-01-16 07:47:52 UTC 
11/ImageMagick

BEFORE

$ valgrind -q --leak-check=full convert SEGV-0x000000000000_output_aai_1501399328.45 output.aai
==10963== Invalid read of size 4
==10963==    at 0x4F08F71: IsImageObject (image.c:2386)
==10963==    by 0x9F10B8C: ReadJNGImage (png.c:3716)
==10963==    by 0x4E94D87: ReadImage (constitute.c:441)
==10963==    by 0x5292BC3: ConvertImageCommand (convert.c:565)
==10963==    by 0x400F73: main (convert.c:122)
==10963==  Address 0x8d307f8 is 12,976 bytes inside a block of size 13,192 free'd
==10963==    at 0x4C243AF: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==10963==    by 0x4F1E6FE: RelinquishMagickMemory (memory.c:645)
==10963==    by 0x4F16F47: DestroyImageList (list.c:452)
==10963==    by 0x9F0F103: ReadOneJNGImage (png.c:3235)
==10963==    by 0x9F1094D: ReadJNGImage (png.c:3712)
==10963==    by 0x4E94D87: ReadImage (constitute.c:441)
==10963==    by 0x5292BC3: ConvertImageCommand (convert.c:565)
==10963==    by 0x400F73: main (convert.c:122)
==10963== 
==10963== Invalid read of size 8
==10963==    at 0x4F08F88: IsImageObject (image.c:2389)
==10963==    by 0x9F10B8C: ReadJNGImage (png.c:3716)
==10963==    by 0x4E94D87: ReadImage (constitute.c:441)
==10963==    by 0x5292BC3: ConvertImageCommand (convert.c:565)
==10963==    by 0x400F73: main (convert.c:122)
==10963==  Address 0x8d30860 is 13,080 bytes inside a block of size 13,192 free'd
==10963==    at 0x4C243AF: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==10963==    by 0x4F1E6FE: RelinquishMagickMemory (memory.c:645)
==10963==    by 0x4F16F47: DestroyImageList (list.c:452)
==10963==    by 0x9F0F103: ReadOneJNGImage (png.c:3235)
==10963==    by 0x9F1094D: ReadJNGImage (png.c:3712)
==10963==    by 0x4E94D87: ReadImage (constitute.c:441)
==10963==    by 0x5292BC3: ConvertImageCommand (convert.c:565)
==10963==    by 0x400F73: main (convert.c:122)
convert: Corrupt image `SEGV-0x000000000000_output_aai_1501399328.45'.
convert: missing an image filename `output.aai'.
==10963== 
==10963== Syscall param unlink(pathname) points to unaddressable byte(s)
==10963==    at 0x8442807: unlink (in /lib64/libc-2.9.so)
==10963==    by 0x83DD0B8: remove (in /lib64/libc-2.9.so)
==10963==    by 0x4F58158: DestroyTemporaryResources (resource.c:292)
==10963==    by 0x4F67033: DestroySplayTree (splay-tree.c:723)
==10963==    by 0x4F58D80: DestroyMagickResources (resource.c:464)
==10963==    by 0x4F1DF84: MagickCoreTerminus (magick.c:1241)
==10963==    by 0x401088: main (convert.c:141)
==10963==  Address 0x90641f0 is 0 bytes inside a block of size 21 free'd
==10963==    at 0x4C243AF: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==10963==    by 0x4F1E6FE: RelinquishMagickMemory (memory.c:645)
==10963==    by 0x4F67001: DestroySplayTree (splay-tree.c:719)
==10963==    by 0x4F58D80: DestroyMagickResources (resource.c:464)
==10963==    by 0x4F1DF84: MagickCoreTerminus (magick.c:1241)
==10963==    by 0x401088: main (convert.c:141)
==10963== 
==10963== 
==10963== 41,520 (13,192 direct, 28,328 indirect) bytes in 1 blocks are definitely lost in loss record 6 of 7
==10963==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==10963==    by 0x4F0B420: AcquireImage (image.c:152)
==10963==    by 0x9F0F2BB: ???
==10963==    by 0x9F1094D: ???
==10963==    by 0x4E94D87: ReadImage (constitute.c:441)
==10963==    by 0x5292BC3: ConvertImageCommand (convert.c:565)
==10963==    by 0x400F73: main (convert.c:122)
$

AFTER

$ valgrind -q --leak-check=full convert SEGV-0x000000000000_output_aai_1501399328.45 output.aai
convert: Insufficient image data in file `SEGV-0x000000000000_output_aai_1501399328.45'.
convert: missing an image filename `output.aai'.
$
Comment 10 Petr Gajdos 2018-01-16 11:21:10 UTC 
42.x/GraphicsMagick

BEFORE

$ valgrind -q --leak-check=full gm convert SEGV-0x000000000000_output_aai_1501399328.45 output.aai
gm convert: Corrupt image (SEGV-0x000000000000_output_aai_1501399328.45).
==1849== 67,781 bytes in 1 blocks are definitely lost in loss record 12 of 12
==1849==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==1849==    by 0x79D9CBE: ???
==1849==    by 0x79DBB2D: ???
==1849==    by 0x4EBEB77: ReadImage (constitute.c:1607)
==1849==    by 0x4E9F037: ConvertImageCommand (command.c:4348)
==1849==    by 0x4E8F884: MagickCommand (command.c:8868)
==1849==    by 0x4E9099D: GMCommandSingle (command.c:17376)
==1849==    by 0x4EB1D2D: GMCommand (command.c:17429)
==1849==    by 0x54406E4: (below main) (in /lib64/libc-2.22.so)
==1849== 
$

AFTER

$ valgrind -q --leak-check=full gm convert SEGV-0x000000000000_output_aai_1501399328.45 output.aai
gm convert: Insufficient image data in file (SEGV-0x000000000000_output_aai_1501399328.45).
$
Comment 13 Swamp Workflow Management 2018-01-16 14:30:16 UTC 
This is an autogenerated message for OBS integration:
This bug (1051442) was mentioned in
https://build.opensuse.org/request/show/566430 42.3 / GraphicsMagick
Comment 14 Swamp Workflow Management 2018-01-16 15:10:16 UTC 
This is an autogenerated message for OBS integration:
This bug (1051442) was mentioned in
https://build.opensuse.org/request/show/566436 42.2 / GraphicsMagick
Comment 15 Petr Gajdos 2018-01-19 15:47:02 UTC 
11/GraphicsMagick

BEFORE

$ valgrind -q --leak-check=full gm convert SEGV-0x000000000000_output_aai_1501399328.45 output.aai
gm convert: Corrupt image (SEGV-0x000000000000_output_aai_1501399328.45).
==26253== 
==26253== 11,256 (6,840 direct, 4,416 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 5
==26253==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==26253==    by 0x4EEBEA6: AllocateImage (image.c:258)
==26253==    by 0x802C719: ???
==26253==    by 0x802DEB3: ???
==26253==    by 0x4EA01CC: ReadImage (constitute.c:6000)
==26253==    by 0x4E8CBCF: ConvertImageCommand (command.c:3171)
==26253==    by 0x4E73683: MagickCommand (command.c:7657)
==26253==    by 0x4E737FE: GMCommand (command.c:15277)
==26253==    by 0x76E2585: (below main) (in /lib64/libc-2.9.so)
$

AFTER

$ valgrind -q --leak-check=full gm convert SEGV-0x000000000000_output_aai_1501399328.45 output.aai
gm convert: Insufficient image data in file (SEGV-0x000000000000_output_aai_1501399328.45).
$
Comment 16 Petr Gajdos 2018-01-22 11:45:42 UTC 
Submitted for: 12/ImageMagick, 11/ImageMagick, 11/GraphicsMagick and 42.x/GraphicsMagick
Comment 18 Petr Gajdos 2018-01-22 12:24:51 UTC 
I believe all fixed.
Comment 19 Swamp Workflow Management 2018-01-25 20:08:35 UTC 
openSUSE-SU-2018:0218-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1051442,1052708,1052717,1052777,1054600,1055374,1055455,1057000,1062752
CVE References: CVE-2017-11750,CVE-2017-12641,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-15218,CVE-2017-9261,CVE-2017-9262
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-60.1
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-11.63.1
Comment 22 Swamp Workflow Management 2018-02-02 14:09:51 UTC 
SUSE-SU-2018:0349-1: An update that fixes 34 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1050037,1050072,1050098,1050100,1050635,1051442,1052470,1052708,1052717,1052721,1052768,1052777,1052781,1054600,1055068,1055374,1055455,1055456,1057000,1060162,1062752,1072362,1072901,1074120,1074125,1074185,1074309,1075939,1076021,1076051
CVE References: CVE-2017-10995,CVE-2017-11505,CVE-2017-11525,CVE-2017-11526,CVE-2017-11539,CVE-2017-11639,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12671,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13059,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14649,CVE-2017-15218,CVE-2017-17504,CVE-2017-17681,CVE-2017-17879,CVE-2017-17884,CVE-2017-17914,CVE-2017-18008,CVE-2017-18027,CVE-2017-18029,CVE-2017-9261,CVE-2017-9262,CVE-2018-5246,CVE-2018-5685
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
Comment 23 Swamp Workflow Management 2018-02-02 14:15:31 UTC 
SUSE-SU-2018:0350-1: An update that solves 30 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1050037,1050072,1050098,1050100,1050635,1051442,1052470,1052708,1052717,1052721,1052768,1052777,1052781,1054600,1055374,1055455,1055456,1057000,1060162,1062752,1072362,1074120,1074125,1074185,1074309,1075939,1076021,1076051
CVE References: CVE-2017-10995,CVE-2017-11505,CVE-2017-11525,CVE-2017-11526,CVE-2017-11539,CVE-2017-11639,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12671,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14649,CVE-2017-15218,CVE-2017-17504,CVE-2017-17879,CVE-2017-17884,CVE-2017-17914,CVE-2017-18027,CVE-2017-18029,CVE-2017-9261,CVE-2017-9262,CVE-2018-5685
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.29.2
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.29.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.29.2
Comment 24 Swamp Workflow Management 2018-02-08 11:13:37 UTC 
openSUSE-SU-2018:0396-1: An update that fixes 34 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1050037,1050072,1050098,1050100,1050635,1051442,1052470,1052708,1052717,1052721,1052768,1052777,1052781,1054600,1055068,1055374,1055455,1055456,1057000,1060162,1062752,1072362,1072901,1074120,1074125,1074185,1074309,1075939,1076021,1076051
CVE References: CVE-2017-10995,CVE-2017-11505,CVE-2017-11525,CVE-2017-11526,CVE-2017-11539,CVE-2017-11639,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12671,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13059,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14649,CVE-2017-15218,CVE-2017-17504,CVE-2017-17681,CVE-2017-17879,CVE-2017-17884,CVE-2017-17914,CVE-2017-18008,CVE-2017-18027,CVE-2017-18029,CVE-2017-9261,CVE-2017-9262,CVE-2018-5246,CVE-2018-5685
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-52.1
Comment 25 Marcus Meissner 2018-02-09 14:57:25 UTC 
released
Comment 26 Swamp Workflow Management 2018-02-09 20:09:48 UTC 
SUSE-SU-2018:0413-1: An update that fixes 34 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1047910,1050037,1050072,1050100,1051442,1052470,1052708,1052717,1052768,1052777,1052781,1054600,1055038,1055374,1055455,1055456,1057000,1060162,1062752,1067198,1073690,1074023,1074120,1074125,1074175,1075939
CVE References: CVE-2014-9811,CVE-2017-10995,CVE-2017-11102,CVE-2017-11505,CVE-2017-11526,CVE-2017-11539,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13065,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14174,CVE-2017-14649,CVE-2017-15218,CVE-2017-15238,CVE-2017-16669,CVE-2017-17501,CVE-2017-17504,CVE-2017-17782,CVE-2017-17879,CVE-2017-17884,CVE-2017-17915,CVE-2017-8352,CVE-2017-9261,CVE-2017-9262,CVE-2018-5685
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.78.33.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.33.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.33.1