Bug 965853 (CVE-2016-2317)

Summary:	VUL-1: CVE-2016-2317,CVE-2016-2318: GraphicsMagick: Multiple vulnerabilities when parsing and processing SVG files
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Sebastian Krahmer <krahmer>
Component:	Incidents	Assignee:	Petr Gajdos <pgajdos>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P4 - Low	CC:	meissner, security-team
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:	CVSSv2:RedHat:CVE-2016-2317:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:SUSE:CVE-2016-2317:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2016-2318:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:SUSE:CVE-2016-2318:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Attachments:	Reproducers

Description Sebastian Krahmer 2016-02-09 13:19:39 UTC

Via OSS-sec:

Date: Tue, 9 Feb 2016
From: Gustavo Grieco
To: oss-security
Subject: [oss-security] CVE requests: Multiple vulnerabilities in GraphicsMagick parsing and
        processing SVG files



We recently tested the last release of GraphicsMagick (1.3.23) with our
tool and found some vulnerabilities that allows to read or write outside
memory bounds (heap, stack) as well as some null-pointer derreferences to
cause DoS. All these bugs are related with the parsing and processing of
SVG files. Upstream is notified and working to fix them but in the meantime
be carefull if you process untrusted SVG files using GraphicsMagick.

Here is the summary of vulnerabilities we found. Reproducers are attached.

/home/vagrant/repos/GraphicsMagick-1.3.23/utilities/gm convert -resize
128x128 aaphrbkwwe.svg.-1114777018469422437 bmp:/dev/null
=================================================================
==25335==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x7fffeff75da0 at pc 0x0000005a892c bp 0x7fffffff2250 sp 0x7fffffff2248
WRITE of size 8 at 0x7fffeff75da0 thread T0
    #0 0x5a892b in TracePoint magick/render.c:5125
    #1 0x5a56a6 in TraceEllipse magick/render.c:4721
    #2 0x5a94f1 in TraceRoundRectangle magick/render.c:5191
    #3 0x59742c in DrawImage magick/render.c:2868
    #4 0x88bb1d in ReadMVGImage coders/mvg.c:195
    #5 0x498e61 in ReadImage magick/constitute.c:1607
    #6 0x94ee83 in ReadSVGImage coders/svg.c:2752
    #7 0x498e61 in ReadImage magick/constitute.c:1607
    #8 0x42690f in ConvertImageCommand magick/command.c:4348
    #9 0x442a31 in MagickCommand magick/command.c:8862
    #10 0x47ca6e in GMCommandSingle magick/command.c:17338
    #11 0x47cd2a in GMCommand magick/command.c:17391
    #12 0x40c9a5 in main utilities/gm.c:61
    #13 0x7ffff3739ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #14 0x40c8b8
(/home/vagrant/repos/GraphicsMagick-1.3.23/utilities/gm+0x40c8b8)

/home/vagrant/repos/GraphicsMagick-1.3.23/utilities/gm convert -resize
128x128 aaphrbkwwe.svg.-632425326915265752 bmp:/dev/null
=================================================================
==26846==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffffff8005 at pc 0x00000060ba3b bp 0x7fffffff7680 sp 0x7fffffff7678
WRITE of size 1 at 0x7fffffff8005 thread T0
    #0 0x60ba3a in GetToken magick/utility.c:2638
    #1 0x93a981 in GetUserSpaceCoordinateValue coders/svg.c:236
    #2 0x93ea73 in SVGStartElement coders/svg.c:765
    #3 0x7ffff518ca74 in xmlParseStartTag
(/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x41a74)
    #4 0x7ffff5199f92  (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x4ef92)
    #5 0x7ffff519af9d in xmlParseChunk
(/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x4ff9d)
    #6 0x94ea5d in ReadSVGImage coders/svg.c:2724
    #7 0x498e61 in ReadImage magick/constitute.c:1607
    #8 0x42690f in ConvertImageCommand magick/command.c:4348
    #9 0x442a31 in MagickCommand magick/command.c:8862
    #10 0x47ca6e in GMCommandSingle magick/command.c:17338
    #11 0x47cd2a in GMCommand magick/command.c:17391
    #12 0x40c9a5 in main utilities/gm.c:61
    #13 0x7ffff3739ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #14 0x40c8b8
(/home/vagrant/repos/GraphicsMagick-1.3.23/utilities/gm+0x40c8b8)

Address 0x7fffffff8005 is located in stack of thread T0 at offset 2149 in
frame
    #0 0x93a5dd in GetUserSpaceCoordinateValue coders/svg.c:210

  This frame has 2 object(s):
    [32, 40) 'p'
    [96, 2149) 'token' <== Memory access at offset 2149 overflows this
variable

/home/vagrant/repos/GraphicsMagick-1.3.23/utilities/gm convert -resize
128x128 aaphrbkwwe.svg.-7101924735921376511 bmp:/dev/null
ASAN:SIGSEGV
=================================================================
==26861==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
(pc 0x00000059866b bp 0x7fffffff7b80 sp 0x7fffffff2530 T0)
    #0 0x59866a in DrawImage magick/render.c:2999
    #1 0x88bb1d in ReadMVGImage coders/mvg.c:195
    #2 0x498e61 in ReadImage magick/constitute.c:1607
    #3 0x94ee83 in ReadSVGImage coders/svg.c:2752
    #4 0x498e61 in ReadImage magick/constitute.c:1607
    #5 0x42690f in ConvertImageCommand magick/command.c:4348
    #6 0x442a31 in MagickCommand magick/command.c:8862
    #7 0x47ca6e in GMCommandSingle magick/command.c:17338
    #8 0x47cd2a in GMCommand magick/command.c:17391
    #9 0x40c9a5 in main utilities/gm.c:61
    #10 0x7ffff3739ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #11 0x40c8b8
(/home/vagrant/repos/GraphicsMagick-1.3.23/utilities/gm+0x40c8b8)

/home/vagrant/repos/GraphicsMagick-1.3.23/utilities/gm convert -resize
128x128 aaphrbkwwe.svg.4071333061660627683 bmp:/dev/null
ASAN:SIGSEGV
=================================================================
==26881==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
(pc 0x000000945794 bp 0x7fffffff9540 sp 0x7fffffff8070 T0)
    #0 0x945793 in SVGStartElement coders/svg.c:1757
    #1 0x7ffff518ca74 in xmlParseStartTag
(/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x41a74)
    #2 0x7ffff5199f92  (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x4ef92)
    #3 0x7ffff519af9d in xmlParseChunk
(/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x4ff9d)
    #4 0x94ea5d in ReadSVGImage coders/svg.c:2724
    #5 0x498e61 in ReadImage magick/constitute.c:1607
    #6 0x42690f in ConvertImageCommand magick/command.c:4348
    #7 0x442a31 in MagickCommand magick/command.c:8862
    #8 0x47ca6e in GMCommandSingle magick/command.c:17338
    #9 0x47cd2a in GMCommand magick/command.c:17391
    #10 0x40c9a5 in main utilities/gm.c:61
    #11 0x7ffff3739ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #12 0x40c8b8
(/home/vagrant/repos/GraphicsMagick-1.3.23/utilities/gm+0x40c8b8)


/home/vagrant/repos/GraphicsMagick-1.3.23/utilities/gm convert -resize
128x128 aaphrbkwwe.svg.4495884156523242589 bmp:/dev/null
=================================================================
==26893==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60700000da50 at pc 0x00000093c005 bp 0x7fffffff8000 sp 0x7fffffff7ff8
WRITE of size 8 at 0x60700000da50 thread T0
    #0 0x93c004 in GetTransformTokens coders/svg.c:361
    #1 0x9455f2 in SVGStartElement coders/svg.c:1748
    #2 0x7ffff518ca74 in xmlParseStartTag
(/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x41a74)
    #3 0x7ffff5199f92  (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x4ef92)
    #4 0x7ffff519af9d in xmlParseChunk
(/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x4ff9d)
    #5 0x94ea5d in ReadSVGImage coders/svg.c:2724
    #6 0x498e61 in ReadImage magick/constitute.c:1607
    #7 0x42690f in ConvertImageCommand magick/command.c:4348
    #8 0x442a31 in MagickCommand magick/command.c:8862
    #9 0x47ca6e in GMCommandSingle magick/command.c:17338
    #10 0x47cd2a in GMCommand magick/command.c:17391
    #11 0x40c9a5 in main utilities/gm.c:61
    #12 0x7ffff3739ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #13 0x40c8b8
(/home/vagrant/repos/GraphicsMagick-1.3.23/utilities/gm+0x40c8b8)

/home/vagrant/repos/GraphicsMagick-1.3.23/utilities/gm convert -resize
128x128 aaphrbkwwe.svg.7960082311810466150 bmp:/dev/null
ASAN:SIGSEGV
=================================================================
==26901==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
(pc 0x0000005a396d bp 0x7fffffff1a80 sp 0x7fffffff18a0 T0)
    #0 0x5a396c in TraceArcPath magick/render.c:4550
    #1 0x5a6729 in TracePath magick/render.c:4852
    #2 0x597f23 in DrawImage magick/render.c:2945
    #3 0x88bb1d in ReadMVGImage coders/mvg.c:195
    #4 0x498e61 in ReadImage magick/constitute.c:1607
    #5 0x94ee83 in ReadSVGImage coders/svg.c:2752
    #6 0x498e61 in ReadImage magick/constitute.c:1607
    #7 0x42690f in ConvertImageCommand magick/command.c:4348
    #8 0x442a31 in MagickCommand magick/command.c:8862
    #9 0x47ca6e in GMCommandSingle magick/command.c:17338
    #10 0x47cd2a in GMCommand magick/command.c:17391
    #11 0x40c9a5 in main utilities/gm.c:61
    #12 0x7ffff3739ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #13 0x40c8b8
(/home/vagrant/repos/GraphicsMagick-1.3.23/utilities/gm+0x40c8b8)

Regards,
Gus.

Comment 1 Sebastian Krahmer 2016-02-09 13:24:12 UTC

Created attachment 664923 [details]
Reproducers

Reproducers from attachment

Comment 3 Sebastian Krahmer 2016-02-15 09:10:10 UTC

>AddressSanitizer: heap-buffer-overflow
>WRITE of size 8
>    #0 0x5a892b in TracePoint magick/render.c:5125
>
>AddressSanitizer: stack-buffer-overflow
>WRITE of size 1
>   #0 0x60ba3a in GetToken magick/utility.c:2638
>
>AddressSanitizer: heap-buffer-overflow on address
>WRITE of size 8
>    #0 0x93c004 in GetTransformTokens coders/svg.c:361

Use CVE-2016-2317 for this set of three issues.


>AddressSanitizer: SEGV on unknown address 0x000000000000
>    #0 0x59866a in DrawImage magick/render.c:2999
>
>AddressSanitizer: SEGV on unknown address 0x000000000000
>    #0 0x945793 in SVGStartElement coders/svg.c:1757
>
>AddressSanitizer: SEGV on unknown address 0x000000000000
>    #0 0x5a396c in TraceArcPath magick/render.c:4550

Use CVE-2016-2318 for this set of three issues.

Comment 7 Petr Gajdos 2016-02-17 08:53:22 UTC

Okay, lowering priority also.

Comment 8 Petr Gajdos 2016-06-23 07:46:58 UTC

Tested on 11:

$ gm convert 1.svg bleble.jpg
Segmentation fault (core dumped)
$ gm convert 2.svg bleble.jpg
Segmentation fault (core dumped)
$ gm convert 3.svg bleble.jpg
gm convert: Unable to open file (mdj) [No such file or directory].
$ gm convert 4.svg bleble.jpg
Segmentation fault (core dumped)
$ gm convert 5.svg bleble.jpg
Segmentation fault (core dumped)
$ gm convert 6.svg bleble.jpg
Segmentation fault (core dumped)
$

Comment 9 Petr Gajdos 2016-06-23 07:48:39 UTC

(I have renamed testcases alphabetical order -> natural number.)

Comment 10 Petr Gajdos 2016-06-23 07:52:18 UTC

Tested on factory:

$ gm convert 1.svg bleble.jpg
gm convert: invalid primitive argument (-7.8248073938802944in).
$ gm convert 2.svg bleble.jpg
gm convert: Extra content at the end of the document
.
$ gm convert 3.svg bleble.jpg
gm convert: invalid primitive argument (-2.453152686783691cm).
$ gm convert 4.svg bleble.jpg
gm convert: invalid primitive argument (-9.010965059851289mm).
$ gm convert 5.svg bleble.jpg
gm convert: invalid primitive argument (-67%).
$ gm convert 6.svg bleble.jpg
gm convert: Non-conforming drawing primitive definition (push).
$

Comment 11 Petr Gajdos 2016-06-23 07:54:48 UTC

Tested on 13.2:

$ gm convert 1.svg bleble.jpg
Segmentation fault (core dumped)
$ gm convert 2.svg bleble.jpg
Segmentation fault (core dumped)
$ gm convert 3.svg bleble.jpg
*** Error in `gm': free(): invalid pointer: 0x0000000000c72d10 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7278f)[0x7f5c9745d78f]
/lib64/libc.so.6(+0x77ffe)[0x7f5c97462ffe]
/usr/lib64/GraphicsMagick-1.3.20/modules-Q16/coders/svg.so(+0x5b25)[0x7f5c94fa4b25]
/usr/lib64/libxml2.so.2(xmlParseStartTag+0x425)[0x7f5c94c77b05]
/usr/lib64/libxml2.so.2(+0x531ac)[0x7f5c94c851ac]
/usr/lib64/libxml2.so.2(xmlParseChunk+0x2de)[0x7f5c94c8618e]
/usr/lib64/GraphicsMagick-1.3.20/modules-Q16/coders/svg.so(+0x8464)[0x7f5c94fa7464]
/usr/lib64/libGraphicsMagick-Q16.so.3(ReadImage+0x1d5)[0x7f5c97a3abb5]
/usr/lib64/libGraphicsMagick-Q16.so.3(ConvertImageCommand+0x238)[0x7f5c97a181f8]
/usr/lib64/libGraphicsMagick-Q16.so.3(MagickCommand+0x155)[0x7f5c97a076b5]
/usr/lib64/libGraphicsMagick-Q16.so.3(+0x597e6)[0x7f5c97a087e6]
/usr/lib64/libGraphicsMagick-Q16.so.3(GMCommand+0x2e)[0x7f5c97a2ddae]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f5c9740cb05]
gm[0x40063e]
======= Memory map: ========
Aborted (core dumped)
$ gm convert 4.svg bleble.jpg
Segmentation fault (core dumped)
$ gm convert 5.svg bleble.jpg
Segmentation fault (core dumped)
$ gm convert 6.svg bleble.jpg
Segmentation fault (core dumped)
$

Comment 12 Petr Gajdos 2016-06-23 07:55:24 UTC

Now to find the commits.

Comment 13 Petr Gajdos 2016-06-23 10:41:00 UTC

Probably:
CVE-2016-2317
http://hg.code.sf.net/p/graphicsmagick/code/rev/44ed8318ba6a
CVE-2016-2318
http://hg.code.sf.net/p/graphicsmagick/code/rev/52b59d2ef4a1
http://hg.code.sf.net/p/graphicsmagick/code/rev/1d46a279aca6

Comment 14 Petr Gajdos 2016-06-23 10:45:15 UTC

AFTER in 13.2

$ gm convert 1.svg in-love-security-team.jpg
gm convert: Negative or zero image size.
$ gm convert 2.svg in-love-security-team.jpg
gm convert: Extra content at the end of the document
.
$ gm convert 3.svg in-love-security-team.jpg
gm convert: Negative or zero image size.
$ gm convert 4.svg in-love-security-team.jpg
gm convert: Negative or zero image size.
$ gm convert 5.svg in-love-security-team.jpg
gm convert: Negative or zero image size.
$ gm convert 6.svg in-love-security-team.jpg
gm convert: Negative or zero image size.
$

Comment 15 Petr Gajdos 2016-06-23 11:54:49 UTC

AFTER huge but almost simple patching, 11 have:

$ gm convert 1.svg even-more-love-to-security-team.jpg
gm convert: Negative or zero image size.
$ gm convert 2.svg even-more-love-to-security-team.jpg
gm convert: Extra content at the end of the document
.
$ gm convert 3.svg even-more-love-to-security-team.jpg
gm convert: Negative or zero image size.
$ gm convert 4.svg even-more-love-to-security-team.jpg
gm convert: Negative or zero image size.
$ gm convert 5.svg even-more-love-to-security-team.jpg
gm convert: Negative or zero image size.
$ gm convert 6.svg even-more-love-to-security-team.jpg
gm convert: Negative or zero image size.
$

Comment 16 Petr Gajdos 2016-06-23 13:06:49 UTC

I believe all fixed.

Comment 17 Swamp Workflow Management 2016-07-01 15:08:06 UTC

openSUSE-SU-2016:1724-1: An update that fixes 37 vulnerabilities is now available.

Category: security (important)
Bug References: 965853,983234,983259,983309,983455,983521,983523,983533,983752,983794,983796,983799,983803,984028,984032,984035,984135,984142,984144,984145,984150,984166,984181,984193,984372,984373,984375,984379,984394,984398,984400,984408,984409,984433,984436,985442
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9839,CVE-2014-9840,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9853,CVE-2015-8894,CVE-2015-8896,CVE-2015-8901,CVE-2015-8903,CVE-2016-2317,CVE-2016-2318,CVE-2016-5240,CVE-2016-5241,CVE-2016-5688
Sources used:
openSUSE 13.2 (src):    GraphicsMagick-1.3.20-9.1

Comment 18 Swamp Workflow Management 2016-07-11 14:20:00 UTC

SUSE-SU-2016:1783-1: An update that fixes 37 vulnerabilities is now available.

Category: security (important)
Bug References: 965853,983234,983259,983309,983455,983521,983523,983533,983752,983794,983796,983799,983803,984028,984032,984035,984135,984142,984144,984145,984150,984166,984181,984193,984372,984373,984375,984379,984394,984398,984400,984408,984409,984433,984436,985442
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9839,CVE-2014-9840,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9853,CVE-2015-8894,CVE-2015-8896,CVE-2015-8901,CVE-2015-8903,CVE-2016-2317,CVE-2016-2318,CVE-2016-5240,CVE-2016-5241,CVE-2016-5688
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.41.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.41.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.41.1

Comment 19 Swamp Workflow Management 2016-08-15 13:11:12 UTC

openSUSE-SU-2016:2073-1: An update that fixes 22 vulnerabilities is now available.

Category: security (important)
Bug References: 965853,983309,983455,983521,983523,983533,983752,983794,983799,984142,984145,984150,984166,984372,984375,984379,984394,984400,984408,984436,985442
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9809,CVE-2014-9815,CVE-2014-9817,CVE-2014-9819,CVE-2014-9820,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9839,CVE-2014-9845,CVE-2014-9846,CVE-2014-9853,CVE-2015-8894,CVE-2015-8896,CVE-2016-2317,CVE-2016-2318,CVE-2016-5240,CVE-2016-5241,CVE-2016-5688
Sources used:
openSUSE Leap 42.1 (src):    GraphicsMagick-1.3.21-11.1