Bug 1056431 (CVE-2017-13775)

Summary: VUL-1: CVE-2017-13775: GraphicsMagick, ImageMagick: denial of service issue in ReadJNXImage() in coders/jnx.c
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, astieger, meissner, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/191250/
Whiteboard: CVSSv2:SUSE:CVE-2017-13775:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv3:SUSE:CVE-2017-13775:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVSSv3:RedHat:CVE-2017-13775:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv2:NVD:CVE-2017-13775:7.1:(AV:N/AC:M/Au:N/C:N/I:N/A:C)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2017-08-30 13:40:39 UTC
CVE-2017-13775

GraphicsMagick 1.3.26 has a denial of service issue in ReadJNXImage()
in coders/jnx.c whereby large amounts of CPU and memory resources may
be consumed although the file itself does not support the requests.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13775
Comment 1 Alexander Bergmann 2017-08-30 13:40:56 UTC
Upstream fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/b037d79b6ccd
Comment 2 Marcus Meissner 2017-09-29 08:50:02 UTC
CPU and memory usage DOS, but will recover after a while.
Comment 3 Petr Gajdos 2017-10-20 08:04:42 UTC
This bug is primarily GraphicsMagick's.
Comment 4 Petr Gajdos 2017-10-20 08:06:41 UTC
Not sure if ImageMagick is affected. Found just
https://github.com/ImageMagick/ImageMagick/issues/712
where CVE-2017-13775 is mentioned, but that is all. Asked shqking at gmail for explanation.
Comment 5 Petr Gajdos 2017-10-20 08:07:36 UTC
GraphicsMagick: just Leap 42.3 ships jnx.c.
Comment 6 Petr Gajdos 2017-10-20 08:09:31 UTC
Package submitted to 42.3, keeping open for ImageMagick.
Comment 7 Petr Gajdos 2017-10-20 08:11:15 UTC
11/ImageMagick is not affected (does not ship jnx.c)
Comment 8 Petr Gajdos 2017-10-20 08:32:47 UTC
(In reply to Petr Gajdos from comment #4)
> Not sure if ImageMagick is affected. Found just
> https://github.com/ImageMagick/ImageMagick/issues/712
> where CVE-2017-13775 is mentioned, but that is all. Asked shqking at gmail
> for explanation.

On Fri, Oct 20, 2017 at 04:29:28PM +0800, shqking wrote:
> Hi,
> I have tested that.
> ImageMagick is NOT affected by CVE-2017-13775.
> 
> You can get CVE-2017-13775 test case here.
> https://github.com/shqking/graphicsmagick-poc
> 
> Thanks,
> -Hao Sun
Comment 9 Petr Gajdos 2017-10-20 08:34:01 UTC
Package submitted to 42.3, reassigning.
Comment 10 Bernhard Wiedemann 2017-10-20 10:00:49 UTC
This is an autogenerated message for OBS integration:
This bug (1056431) was mentioned in
https://build.opensuse.org/request/show/535379 42.3 / GraphicsMagick
Comment 11 Bernhard Wiedemann 2017-10-20 12:01:17 UTC
This is an autogenerated message for OBS integration:
This bug (1056431) was mentioned in
https://build.opensuse.org/request/show/535451 42.3 / GraphicsMagick
Comment 12 Bernhard Wiedemann 2017-10-25 14:02:47 UTC
This is an autogenerated message for OBS integration:
This bug (1056431) was mentioned in
https://build.opensuse.org/request/show/536525 42.3 / GraphicsMagick
Comment 13 Andreas Stieger 2017-10-27 18:35:25 UTC
done
Comment 14 Swamp Workflow Management 2017-10-27 22:18:16 UTC
openSUSE-SU-2017:2894-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1054596,1054598,1055042,1055050,1055430,1056431
CVE References: CVE-2017-12936,CVE-2017-12937,CVE-2017-13063,CVE-2017-13064,CVE-2017-13139,CVE-2017-13775
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-34.1
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-11.34.1