Bugzilla – Full Text Bug Listing
Summary: | VUL-0: CVE-2017-12983: GraphicsMagick,ImageMagick: Heap-based buffer overflow in the ReadSFWImage function in coders/sfw.c inImageMagick 7.0.6-8 allows remote attackers to cause a denial of service(application crash) or possibly have unsp | ||
---|---|---|---|
Product: | [Novell Products] SUSE Security Incidents | Reporter: | Marcus Meissner <meissner> |
Component: | Incidents | Assignee: | Security Team bot <security-team> |
Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
Severity: | Normal | ||
Priority: | P3 - Medium | CC: | smash_bz |
Version: | unspecified | ||
Target Milestone: | --- | ||
Hardware: | Other | ||
OS: | Other | ||
URL: | https://smash.suse.de/issue/190851/ | ||
Whiteboard: | CVSSv3:SUSE:CVE-2017-12983:7.5:(AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSSv2:SUSE:CVE-2017-12983:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2017-12983:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv3:RedHat:CVE-2017-12983:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) | ||
Found By: | Security Response Team | Services Priority: | |
Business Priority: | Blocker: | --- | |
Marketing QA Status: | --- | IT Deployment: | --- |
Attachments: | heap-buffer-overflow_ReadSFWImage.txt |
Description
Marcus Meissner
2017-08-21 13:16:16 UTC
Created attachment 737542
heap-buffer-overflow_ReadSFWImage.txt

QA REPRODUCER:

```
convert heap-buffer-overflow_ReadSFWImage.txt foo.jpg
```

should not crash
ImageMagick affected, SLE11 - Leap ... I guess everywhere.

GM has hardening:

```
gm: magick/blob.c:1265: GetBlobSize: Zusicherung »image->signature == 0xabacadabUL« nicht erfüllt.
```

but valgrind shows impact:

```
valgrind gm convert heap-buffer-overflow_ReadSFWImage.txt foo.jpg
==9438== Memcheck, a memory error detector
==9438== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==9438== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==9438== Command: gm convert heap-buffer-overflow_ReadSFWImage.txt foo.jpg
==9438==
==9438== Invalid read of size 8
==9438==    at 0x4E6EE65: GetBlobSize (in /usr/lib64/libGraphicsMagick.so.2.0.5)
==9438==    by 0x84A93A7: ??? (in /usr/lib64/GraphicsMagick-1.2.5/modules-Q8/coders/sfw.so)
==9438==    by 0x4EA850C: ReadImage (in /usr/lib64/libGraphicsMagick.so.2.0.5)
==9438==    by 0x4E94F1D: ConvertImageCommand (in /usr/lib64/libGraphicsMagick.so.2.0.5)
==9438==    by 0x4E7B733: MagickCommand (in /usr/lib64/libGraphicsMagick.so.2.0.5)
==9438==    by 0x4E7B8AE: GMCommand (in /usr/lib64/libGraphicsMagick.so.2.0.5)
==9438==    by 0x7714C35: (below main) (in /lib64/libc-2.11.3.so)
==9438==  Address 0x7ceabb0 is 6,832 bytes inside a block of size 6,840 free'd
==9438==    at 0x4C2952A: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9438==    by 0x4EFB241: MagickFree (in /usr/lib64/libGraphicsMagick.so.2.0.5)
==9438==    by 0x84A939F: ??? (in /usr/lib64/GraphicsMagick-1.2.5/modules-Q8/coders/sfw.so)
==9438==    by 0x4EA850C: ReadImage (in /usr/lib64/libGraphicsMagick.so.2.0.5)
==9438==    by 0x4E94F1D: ConvertImageCommand (in /usr/lib64/libGraphicsMagick.so.2.0.5)
==9438==    by 0x4E7B733: MagickCommand (in /usr/lib64/libGraphicsMagick.so.2.0.5)
==9438==    by 0x4E7B8AE: GMCommand (in /usr/lib64/libGraphicsMagick.so.2.0.5)
==9438==    by 0x7714C35: (below main) (in /lib64/libc-2.11.3.so)
==9438==
gm: magick/blob.c:1265: GetBlobSize: Zusicherung »image->signature == 0xabacadabUL« nicht erfüllt.
```

BEFORE

ImageMagick
-----------

12

```
$ convert heap-buffer-overflow_ReadSFWImage.txt foo.jpg
*** Error in `convert': free(): invalid pointer: 0x0000000001e0cf90 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7271f)[0x7f3f11bb771f]
/lib64/libc.so.6(+0x77fc6)[0x7f3f11bbcfc6]
/usr/lib64/libMagickCore-6.Q16.so.1(RelinquishMagickMemory+0xf)[0x7f3f1254f7df]
/usr/lib64/ImageMagick-6.8.8/modules-Q16/coders/sfw.so(+0x196f)[0x7f3f0f2df96f]
/usr/lib64/libMagickCore-6.Q16.so.1(ReadImage+0x1ab)[0x7f3f124b32bb]
/usr/lib64/libMagickCore-6.Q16.so.1(ReadImages+0x15b)[0x7f3f124b437b]
/usr/lib64/libMagickWand-6.Q16.so.1(ConvertImageCommand+0x9af)[0x7f3f1214ebaf]
/usr/lib64/libMagickWand-6.Q16.so.1(MagickCommandGenesis+0x6d3)[0x7f3f121bac73]
convert[0x400907]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f3f11b66ac5]
convert[0x40095b]
======= Memory map: ========
Aborted (core dumped)
$
```

11

```
$ convert heap-buffer-overflow_ReadSFWImage.txt foo.jpg
Segmentation fault (core dumped)
$
```

GraphicsMagick
--------------

11

```
$ valgrind -q gm convert heap-buffer-overflow_ReadSFWImage.txt foo.jpg
==4738== Invalid read of size 8
==4738==    at 0x4E66E75: GetBlobSize (blob.c:1266)
==4738==    by 0x84553B7: ReadSFWImage (sfw.c:250)
==4738==    by 0x4EA044C: ReadImage (constitute.c:6000)
==4738==    by 0x4E8CE5D: ConvertImageCommand (command.c:3171)
==4738==    by 0x4E73673: MagickCommand (command.c:7654)
==4738==    by 0x4E737EE: GMCommand (command.c:15278)
==4738==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
==4738==  Address 0x7c8f618 is 6,832 bytes inside a block of size 6,840 free'd
==4738==    at 0x4C243AF: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==4738==    by 0x4EF3151: MagickFree (memory.c:277)
==4738==    by 0x84553AF: ReadSFWImage (sfw.c:246)
==4738==    by 0x4EA044C: ReadImage (constitute.c:6000)
==4738==    by 0x4E8CE5D: ConvertImageCommand (command.c:3171)
==4738==    by 0x4E73673: MagickCommand (command.c:7654)
==4738==    by 0x4E737EE: GMCommand (command.c:15278)
==4738==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
gm: magick/blob.c:1266: GetBlobSize: Assertion `image->signature == 0xabacadabUL' failed.
$
```

42.2, 42.3

```
$ valgrind -q gm convert heap-buffer-overflow_ReadSFWImage.txt foo.jpg
==4746== Invalid write of size 2
==4746==    at 0x80463A5: memcpy (string3.h:53)
==4746==    by 0x80463A5: ReadSFWImage (sfw.c:283)
==4746==    by 0x4EC0F07: ReadImage (constitute.c:1607)
==4746==    by 0x4E9F047: ConvertImageCommand (command.c:4348)
==4746==    by 0x4E8F894: MagickCommand (command.c:8865)
==4746==    by 0x4E909AD: GMCommandSingle (command.c:17379)
==4746==    by 0x4EB40BD: GMCommand (command.c:17432)
==4746==    by 0x54436E4: (below main) (in /lib64/libc-2.22.so)
==4746==  Address 0x75eb33f is 31 bytes inside a block of size 32 alloc'd
==4746==    at 0x4C29160: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==4746==    by 0x80461B8: ReadSFWImage (sfw.c:258)
==4746==    by 0x4EC0F07: ReadImage (constitute.c:1607)
==4746==    by 0x4E9F047: ConvertImageCommand (command.c:4348)
==4746==    by 0x4E8F894: MagickCommand (command.c:8865)
==4746==    by 0x4E909AD: GMCommandSingle (command.c:17379)
==4746==    by 0x4EB40BD: GMCommand (command.c:17432)
==4746==    by 0x54436E4: (below main) (in /lib64/libc-2.22.so)
==4746==
==4746== Invalid write of size 1
==4746==    at 0x80463B1: memcpy (string3.h:53)
==4746==    by 0x80463B1: ReadSFWImage (sfw.c:283)
==4746==    by 0x4EC0F07: ReadImage (constitute.c:1607)
==4746==    by 0x4E9F047: ConvertImageCommand (command.c:4348)
==4746==    by 0x4E8F894: MagickCommand (command.c:8865)
==4746==    by 0x4E909AD: GMCommandSingle (command.c:17379)
==4746==    by 0x4EB40BD: GMCommand (command.c:17432)
==4746==    by 0x54436E4: (below main) (in /lib64/libc-2.22.so)
==4746==  Address 0x75eb341 is 1 bytes after a block of size 32 alloc'd
==4746==    at 0x4C29160: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==4746==    by 0x80461B8: ReadSFWImage (sfw.c:258)
==4746==    by 0x4EC0F07: ReadImage (constitute.c:1607)
==4746==    by 0x4E9F047: ConvertImageCommand (command.c:4348)
==4746==    by 0x4E8F894: MagickCommand (command.c:8865)
==4746==    by 0x4E909AD: GMCommandSingle (command.c:17379)
==4746==    by 0x4EB40BD: GMCommand (command.c:17432)
==4746==    by 0x54436E4: (below main) (in /lib64/libc-2.22.so)
==4746==
gm convert: Improper image header (heap-buffer-overflow_ReadSFWImage.txt).
$
```

PATCH

https://github.com/ImageMagick/ImageMagick/commit/26078285f49c361ad8ddc8e14bd1d4aab7ed5682

AFTER

ImageMagick
-----------

12

```
$ convert heap-buffer-overflow_ReadSFWImage.txt foo.jpg
convert: memory allocation failed `heap-buffer-overflow_ReadSFWImage.txt' @ error/sfw.c/ReadSFWImage/292.
convert: no images defined `foo.jpg' @ error/convert.c/ConvertImageCommand/3149.
$
```

11

Segfaults even after patching.

(In reply to Petr Gajdos from comment #4)
> 11
>
> Segfaults even after patching.

```c
if ((offset+4) > (buffer+count-1))
  {
    buffer=(unsigned char *) RelinquishMagickMemory(buffer);
    ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
  }
```

check also needed to make testcase happy.

GraphicsMagick's head in hg repository suffers with the same issue, reported to upstream.

(In reply to Marcus Meissner from comment #2)
> but valgrind shows impact:
>
> valgrind gm convert heap-buffer-overflow_ReadSFWImage.txt foo.jpg
> ==9438== Memcheck, a memory error detector
> ==9438== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
> ==9438== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
> ==9438== Command: gm convert heap-buffer-overflow_ReadSFWImage.txt foo.jpg
> ==9438==
> ==9438== Invalid read of size 8
> ==9438==    at 0x4E6EE65: GetBlobSize (in /usr/lib64/libGraphicsMagick.so.2.0.5)
> ==9438==    by 0x84A93A7: ??? (in /usr/lib64/GraphicsMagick-1.2.5/modules-Q8/coders/sfw.so)
> ==9438==    by 0x4EA850C: ReadImage (in /usr/lib64/libGraphicsMagick.so.2.0.5)
> ==9438==    by 0x4E94F1D: ConvertImageCommand (in /usr/lib64/libGraphicsMagick.so.2.0.5)
> ==9438==    by 0x4E7B733: MagickCommand (in /usr/lib64/libGraphicsMagick.so.2.0.5)
> ==9438==    by 0x4E7B8AE: GMCommand (in /usr/lib64/libGraphicsMagick.so.2.0.5)
> ==9438==    by 0x7714C35: (below main) (in /lib64/libc-2.11.3.so)
> ==9438==  Address 0x7ceabb0 is 6,832 bytes inside a block of size 6,840 free'd
> ==9438==    at 0x4C2952A: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==9438==    by 0x4EFB241: MagickFree (in /usr/lib64/libGraphicsMagick.so.2.0.5)
> ==9438==    by 0x84A939F: ??? (in /usr/lib64/GraphicsMagick-1.2.5/modules-Q8/coders/sfw.so)
> ==9438==    by 0x4EA850C: ReadImage (in /usr/lib64/libGraphicsMagick.so.2.0.5)
> ==9438==    by 0x4E94F1D: ConvertImageCommand (in /usr/lib64/libGraphicsMagick.so.2.0.5)
> ==9438==    by 0x4E7B733: MagickCommand (in /usr/lib64/libGraphicsMagick.so.2.0.5)
> ==9438==    by 0x4E7B8AE: GMCommand (in /usr/lib64/libGraphicsMagick.so.2.0.5)

Nevertheless that is another issue, use after free. I had fixed it too for 11/GraphicsMagick, it is already not present in newer GraphicsMagicks.

Summary, affected: 12/ImageMagick, 11/ImageMagick, 11/GraphicsMagick, 42.2/GraphicsMagick, 43.3/GraphicsMagick

I believe all fixed.

This is an autogenerated message for OBS integration:

This bug (1054757) was mentioned in
https://build.opensuse.org/request/show/538611 42.3 / GraphicsMagick
https://build.opensuse.org/request/show/538612 42.2 / GraphicsMagick

This is an autogenerated message for OBS integration:

This bug (1054757) was mentioned in
https://build.opensuse.org/request/show/539605 42.2 / GraphicsMagick
https://build.opensuse.org/request/show/539606 42.3 / GraphicsMagick

openSUSE-SU-2017:3020-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1054757,1055214,1056426,1056429,1057508,1066003
CVE References: CVE-2017-12983,CVE-2017-13134,CVE-2017-13776,CVE-2017-13777,CVE-2017-14165,CVE-2017-15930
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-39.1
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-11.39.1

SUSE-SU-2017:3378-1: An update that fixes 26 vulnerabilities is now available.

Category: security (important)
Bug References: 1048457,1049796,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052758,1052764,1054757,1055214,1056432,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060577,1066003,1067181,1067184
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14733,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.14.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.14.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.14.1

SUSE-SU-2017:3388-1: An update that solves 32 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1048457,1049796,1050083,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052744,1052758,1052764,1054757,1055214,1056432,1057157,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060176,1060577,1061254,1062750,1066003,1067181,1067184,1067409
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11523,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14138,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14682,CVE-2017-14733,CVE-2017-14989,CVE-2017-15217,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1

openSUSE-SU-2017:3420-1: An update that solves 32 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1048457,1049796,1050083,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052744,1052758,1052764,1054757,1055214,1056432,1057157,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060176,1060577,1061254,1062750,1066003,1067181,1067184,1067409
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11523,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14138,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14682,CVE-2017-14733,CVE-2017-14989,CVE-2017-15217,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-40.1
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-30.12.1

SUSE-SU-2017:3435-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1050632,1052450,1054757,1055214,1056426,1056429,1057508,1058485,1058637,1066003,1067181,1067184,1067409
CVE References: CVE-2016-7996,CVE-2017-11640,CVE-2017-12587,CVE-2017-12983,CVE-2017-13134,CVE-2017-13776,CVE-2017-13777,CVE-2017-14165,CVE-2017-14341,CVE-2017-14342,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.78.19.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.19.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.19.1

released
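The bounds check quoted in the thread (`if ((offset+4) > (buffer+count-1))`) is the one line that turns the out-of-bounds write reported by valgrind into a clean "Improper image header" rejection. The following is an added example, not code from this bug report, from ImageMagick or from GraphicsMagick: it transcribes that predicate into a small self-contained reader so that a practitioner can see which offsets it accepts and which it rejects. The function names (`sfw_field_in_bounds`, `sfw_read_u32`, `sfw_read_sample`) and the 32-byte sample buffer are constructed for the example; the predicate is kept exactly as posted, including the `-1`, and is written with an index rather than a pointer so that an out-of-range offset never forms an out-of-bounds pointer.

```c
/* Added example, not code from the bug report or from ImageMagick/GraphicsMagick.
 * Demonstrates the "(offset+4) > (buffer+count-1)" check from the thread on a
 * constructed buffer. All names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SFW_FIELD_LEN 4   /* mirrors the "+4" in the posted check */

/* The posted predicate, transcribed with an index instead of a pointer.
 * Returns 1 when a SFW_FIELD_LEN-byte field at buffer[offset] may be read,
 * 0 when the read must be rejected. A count of 0 is rejected up front,
 * because "buffer+count-1" would otherwise point before the buffer. */
int sfw_field_in_bounds(size_t count, size_t offset)
{
    if (count == 0)
        return 0;
    if (offset > SIZE_MAX - SFW_FIELD_LEN)   /* offset+4 must not wrap */
        return 0;
    /* Exactly the posted condition: (offset+4) > (buffer+count-1). Note that
     * it keeps one byte of slack: with count == 32 the last accepted offset
     * is 27, even though bytes 28..31 exist. */
    return (offset + SFW_FIELD_LEN) > (count - 1) ? 0 : 1;
}

/* Guarded read of a 4-byte big-endian field at buffer[offset].
 * Returns 0 on success and -1 when the check rejects the read; -1 is the
 * point at which the posted snippet frees the buffer and throws. */
int sfw_read_u32(const unsigned char *buffer, size_t count, size_t offset,
                 uint32_t *out)
{
    if (!sfw_field_in_bounds(count, offset))
        return -1;
    *out = ((uint32_t)buffer[offset] << 24) | ((uint32_t)buffer[offset + 1] << 16)
         | ((uint32_t)buffer[offset + 2] << 8) | (uint32_t)buffer[offset + 3];
    return 0;
}

/* Constructed input: a 32-byte block (the size valgrind reports for the
 * "31 bytes inside a block of size 32" write) holding 0xDEADBEEF at bytes
 * 24..27 and zeros elsewhere. Returns the field value, or -1 if rejected. */
long long sfw_read_sample(size_t offset)
{
    unsigned char buffer[32];
    uint32_t value = 0;

    memset(buffer, 0, sizeof buffer);
    buffer[24] = 0xDE; buffer[25] = 0xAD; buffer[26] = 0xBE; buffer[27] = 0xEF;

    if (sfw_read_u32(buffer, sizeof buffer, offset, &value) != 0)
        return -1;
    return (long long)value;
}

int main(void)
{
    size_t probes[] = { 0, 24, 27, 28, 31, 40 };
    size_t i;

    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        long long v = sfw_read_sample(probes[i]);
        if (v < 0)
            printf("offset %2zu: rejected by bounds check\n", probes[i]);
        else
            printf("offset %2zu: 0x%08llX\n", probes[i], v);
    }
    return 0;
}
```

Running it shows offset 24 returning `0xDEADBEEF`, offset 27 still accepted, and offsets 28 and beyond rejected; the rejection path is where the posted snippet releases the buffer and throws `ResourceLimitError` instead of letting `memcpy` write past the 32-byte block.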