Bug 1112399 (CVE-2017-14997)

Summary: VUL-1: CVE-2017-14997: GraphicsMagick,ImageMagick: Integer underflow in ReadPICTImage in coders/pict.c.
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/216977/
Whiteboard:
  CVSSv2:NVD:CVE-2017-14997:7.1:(AV:N/AC:M/Au:N/C:N/I:N/A:C)
  CVSSv3:SUSE:CVE-2017-14997:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
  CVSSv3:NVD:CVE-2017-14997:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2018-10-18 13:40:56 UTC
CVE-2017-14997

GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service
(excessive memory allocation) because of an integer underflow in ReadPICTImage
in coders/pict.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14997
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14997
Comment 1 Robert Frohl 2018-10-18 13:44:06 UTC
Hi Petr,
the patch can be found here:
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=0683f8724200

My investigation suggests that the following codestreams are affected:
- SUSE:SLE-11:Update/GraphicsMagick
- SUSE:SLE-11:Update/ImageMagick
- SUSE:SLE-12:Update/ImageMagick

Already fixed:
- SUSE:SLE-15:Update/ImageMagick
Comment 3 Petr Gajdos 2018-10-22 08:25:32 UTC
https://sourceforge.net/p/graphicsmagick/bugs/511/

Upstream bug with reproducer.
Comment 4 Petr Gajdos 2018-10-22 13:17:21 UTC
BEFORE

15.0/GraphicsMagick

$ valgrind -q gm identify -ping crash_098
gm identify: Unexpected end-of-file (crash_098).
gm identify: Request did not return an image.
$

42.3/GraphicsMagick

$ valgrind -q gm identify -ping crash_098
==28613== Argument 'size' of function malloc has a fishy (possibly negative) value: -1
==28613==    at 0x4C2A110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==28613==    by 0x79D19FF: ReadPICTImage (pict.c:1277)
==28613==    by 0x4EBFB57: ReadImage (constitute.c:1607)
==28613==    by 0x4EC0971: PingImage (constitute.c:1370)
==28613==    by 0x4E8EF1C: IdentifyImageCommand (command.c:8375)
==28613==    by 0x4E90864: MagickCommand (command.c:8868)
==28613==    by 0x4E9197D: GMCommandSingle (command.c:17376)
==28613==    by 0x4EB2D0D: GMCommand (command.c:17429)
==28613==    by 0x5441724: (below main) (in /lib64/libc-2.22.so)
==28613== 
gm identify: Unexpected end-of-file (crash_098).
gm identify: Request did not return an image.
$

11/ImageMagick,GraphicsMagick

$ valgrind -q gm identify -ping crash_098
==10807== Warning: silly arg (-1) to malloc()
==10807== Warning: silly arg (-1) to malloc()
==10807== Warning: silly arg (-1) to malloc()
gm identify: Unexpected end-of-file (crash_098).
$

12/ImageMagick

$ valgrind -q identify -ping crash_098
==27554== Argument 'size' of function malloc has a fishy (possibly negative) value: -1
==27554==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27554==    by 0x841D2BB: ReadPICTImage (pict.c:1349)
==27554==    by 0x4EBFDCA: ReadImage (constitute.c:601)
==27554==    by 0x4FD1D68: ReadStream (stream.c:974)
==27554==    by 0x4EBF910: PingImage (constitute.c:278)
==27554==    by 0x4EBFB4A: PingImages (constitute.c:373)
==27554==    by 0x535850B: IdentifyImageCommand (identify.c:322)
==27554==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==27554==    by 0x400891: IdentifyMain (identify.c:80)
==27554==    by 0x400891: main (identify.c:93)
==27554== 
identify: insufficient image data in file `crash_098' @ error/pict.c/ReadPICTImage/1497.
$

15/ImageMagick

$ valgrind -q identify -ping crash_098
crash_098 PICT 12336x12336 12336x12336+0+0 8-bit sRGB 1819B 15.800u 0:15.789
$


PATCH

GraphicsMagick: referenced in comment 0
ImageMagick:
https://github.com/ImageMagick/ImageMagick/commit/70293c7830e9b0a13221f42e08bfcccbf3081096

In agreement with comment 1, I consider affected: 42.3/GraphicsMagick, 11/GraphicsMagick, 11/ImageMagick and 12/ImageMagick


AFTER

42.3/GraphicsMagick

$ valgrind -q gm identify -ping crash_098
gm identify: Unexpected end-of-file (crash_098).
gm identify: Request did not return an image.
$

11/GraphicsMagick

$ valgrind -q gm identify -ping crash_098
gm identify: Unexpected end-of-file (crash_098).
$

11/ImageMagick

$ valgrind -q identify -ping crash_098
identify: Insufficient image data in file `crash_098'.
$

12/ImageMagick

$ valgrind -q identify -ping crash_098
identify: insufficient image data in file `crash_098' @ error/pict.c/ReadPICTImage/1505.
$
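The valgrind traces in comment 4 show malloc() being handed a size of -1 from ReadPICTImage, which is what an integer underflow in a dimension or length computation looks like once the negative int is converted to size_t. The following is an added example written for this page; it is not the pict.c code, not the GraphicsMagick or ImageMagick patch, and does not reproduce crash_098. It models the bug class with a hypothetical QuickDraw-style rectangle header (top/left/bottom/right as big-endian signed 16-bit fields, which is how PICT frames are laid out) and constructed input bytes: the unchecked size computation turns an inverted rectangle into a SIZE_MAX request, and the checked version rejects inverted or empty frames before doing any arithmetic, does the multiplication in size_t with an overflow check, and caps the result with a hypothetical MAX_PIXELS policy limit so that a merely enormous but positive frame is also refused (the "excessive memory allocation" half of the advisory). All function and constant names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical allocation policy for this example (not a value from the bug
 * or either project's patch): refuse frames larger than 64 Mpixels. */
#define MAX_PIXELS ((size_t)64 * 1024 * 1024)

/* QuickDraw-style rectangle: four big-endian signed 16-bit fields. */
struct frame { int16_t top, left, bottom, right; };

static int16_t read_s16be(const unsigned char *p)
{
    return (int16_t)(((unsigned)p[0] << 8) | p[1]);
}

static struct frame parse_frame(const unsigned char *hdr)
{
    struct frame f;
    f.top    = read_s16be(hdr + 0);
    f.left   = read_s16be(hdr + 2);
    f.bottom = read_s16be(hdr + 4);
    f.right  = read_s16be(hdr + 6);
    return f;
}

/* BEFORE (deliberately unchecked): size computed in int from unvalidated
 * fields. An inverted rectangle (bottom < top) yields a negative height, and
 * the conversion to size_t at the malloc() call turns -1 into SIZE_MAX, i.e.
 * the "fishy (possibly negative) value: -1" valgrind reports above. */
size_t frame_bytes_unchecked(const unsigned char *hdr, int bytes_per_pixel)
{
    struct frame f = parse_frame(hdr);
    int width  = f.right - f.left;
    int height = f.bottom - f.top;
    return (size_t)(width * height * bytes_per_pixel);
}

/* AFTER: validate the frame, compute in size_t, check for overflow, and cap
 * the result. Returns 0 and sets *out on success, -1 on rejection. */
int frame_bytes_checked(const unsigned char *hdr, int bytes_per_pixel, size_t *out)
{
    struct frame f = parse_frame(hdr);
    if (f.bottom <= f.top || f.right <= f.left)
        return -1;                                  /* inverted or empty frame */
    if (bytes_per_pixel < 1 || bytes_per_pixel > 16)
        return -1;
    size_t width  = (size_t)(f.right - f.left);     /* both now in 1..65535 */
    size_t height = (size_t)(f.bottom - f.top);
    size_t pixels = width * height;
    if (pixels / width != height)                   /* cannot wrap on 64-bit, cheap anyway */
        return -1;
    if (pixels > MAX_PIXELS / (size_t)bytes_per_pixel)
        return -1;                                  /* exceeds the allocation policy */
    *out = pixels * (size_t)bytes_per_pixel;
    return 0;
}

/* Convenience wrapper: the checked size, or 0 when the frame is rejected. */
size_t frame_bytes_or_zero(const unsigned char *hdr, int bytes_per_pixel)
{
    size_t n = 0;
    return frame_bytes_checked(hdr, bytes_per_pixel, &n) == 0 ? n : 0;
}

/* Constructed headers for this example (not bytes from crash_098). */
const unsigned char FRAME_INVERTED[8] = { 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x01 }; /* top=1 left=0 bottom=0 right=1 */
const unsigned char FRAME_VALID[8]    = { 0x00,0x00, 0x00,0x00, 0x00,0x10, 0x00,0x20 }; /* 32 x 16 */
const unsigned char FRAME_HUGE[8]     = { 0x00,0x00, 0x00,0x00, 0x7f,0xff, 0x7f,0xff }; /* 32767 x 32767 */

int main(void)
{
    printf("unchecked, inverted frame: %zu bytes requested\n",
           frame_bytes_unchecked(FRAME_INVERTED, 1));
    printf("checked, inverted frame:   %s\n",
           frame_bytes_or_zero(FRAME_INVERTED, 1) ? "accepted" : "rejected");
    printf("checked, 32x16x3:          %zu bytes\n",
           frame_bytes_or_zero(FRAME_VALID, 3));
    printf("checked, 32767x32767x4:    %s\n",
           frame_bytes_or_zero(FRAME_HUGE, 4) ? "accepted" : "rejected");
    return 0;
}
```

The two things worth carrying over to any real decoder are that the rejection happens before the subtraction (so no intermediate negative value ever exists to be cast), and that a positive but absurd size is refused by policy rather than passed to malloc() in the hope that it fails cleanly; the 15/ImageMagick run above, which spent 15 seconds pinging a 12336x12336 image, shows why a limit matters even when the underflow itself is gone.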
Comment 5 Petr Gajdos 2018-10-22 13:17:45 UTC
Will submit for 42.3,11/GraphicsMagick and 11,12/ImageMagick.
Comment 6 Petr Gajdos 2018-10-23 08:26:42 UTC
Packages submitted.
Comment 8 Swamp Workflow Management 2018-10-23 09:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (1112399) was mentioned in
https://build.opensuse.org/request/show/643897 42.3 / GraphicsMagick
Comment 12 Swamp Workflow Management 2018-10-25 19:18:04 UTC
SUSE-SU-2018:3465-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1107609,1112399
CVE References: CVE-2017-14997,CVE-2018-16644
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.85.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.85.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.85.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.85.1
Comment 13 Swamp Workflow Management 2018-10-26 12:40:33 UTC
openSUSE-SU-2018:3479-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1112392,1112399
CVE References: CVE-2017-10794,CVE-2017-14997
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-114.1
Comment 14 Swamp Workflow Management 2018-10-26 22:28:08 UTC
openSUSE-SU-2018:3524-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1107609,1112399
CVE References: CVE-2017-14997,CVE-2018-16644
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-76.1
Comment 17 Swamp Workflow Management 2018-11-19 14:12:04 UTC
SUSE-SU-2018:3808-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1050129,1050635,1107609,1112399
CVE References: CVE-2017-11532,CVE-2017-11639,CVE-2017-14997,CVE-2018-16644
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-78.79.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-78.79.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.79.1
Comment 21 Swamp Workflow Management 2019-01-03 20:09:35 UTC
SUSE-SU-2019:13923-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042911,1052754,1078433,1112392,1112399,1113064,1119822,1119823
CVE References: CVE-2017-10794,CVE-2017-12663,CVE-2017-14997,CVE-2017-9405,CVE-2018-18544,CVE-2018-20184,CVE-2018-20185,CVE-2018-6405
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-78.78.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-78.78.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-78.78.1
Comment 22 Marcus Meissner 2019-07-09 07:02:28 UTC
released