Bug 1000701 - (CVE-2016-7525) VUL-0: CVE-2016-7525: ImageMagick: Heap buffer overflow in psd file coder
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
CVSSv2:RedHat:CVE-2016-7525:4.3:(AV:N...
Depends on:
Blocks:
Reported: 2016-09-23 10:56 UTC by Johannes Segitz
Modified: 2016-12-22 12:21 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Swamp Workflow Management 2016-09-23 22:02:40 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-10-07 07:04:47 UTC
13.2/ImageMagick, 12/ImageMagick:

$ convert test-32 test.bmp
convert: invalid colormap index `test-32' @ error/colormap-private.h/ConstrainColormapIndex/34.
$

$ valgrind convert test-32 test.bmp
==10825== ERROR SUMMARY: 5328 errors from 8 contexts (suppressed: 0 from 0)
$

11/ImageMagick:
$ convert test-32 test.bmp
Segmentation fault (core dumped)
$

--------

GraphicsMagick: no error reported, no valgrind errors.
Comment 3 Petr Gajdos 2016-10-07 07:41:44 UTC
GraphicsMagick: considering not affected. There is no GetPSDRowSize() nor ReadPSDChannel*().

13.2/ImageMagick, 12/ImageMagick: 
$ convert test-32 test.bmp
000701: invalid colormap index `test-32' @ error/colormap-private.h/ConstrainColormapIndex/34.
$

$ valgrind convert test-32 test.bmp
[...]
==24471== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
$

11/ImageMagick: I failed to find the code similarly to GraphicsMagick; the segfault happens with the following backtrace:

#0  0x00007ffff3f00686 in ReadPSDImage (image_info=0xa532b0, exception=0x603060) at coders/psd.c:1370
#1  0x00007ffff7a21d68 in ReadImage (image_info=0xa4f110, exception=0x603060) at magick/constitute.c:441
#2  0x00007ffff76f1b83 in ConvertImageCommand (image_info=0xa4f110, argc=3, argv=0x605e20, metadata=0x0, exception=0x603060)
    at wand/convert.c:560
#3  0x0000000000400f74 in main (argc=3, argv=0x7fffffffe948) at utilities/convert.c:122

(gdb) p x        
$7 = 3
(gdb) p indexes[3]
Cannot access memory at address 0x6
(gdb) p indexes[2]
Cannot access memory at address 0x4
(gdb) p indexes[1]
Cannot access memory at address 0x2
(gdb) p indexes[0]
Cannot access memory at address 0x0

Let's see whether other patches resolve this issue.
Comment 4 Petr Gajdos 2016-10-12 07:44:01 UTC
The segfault for 11/ImageMagick still persists; it is not caused by any of our security patches.
Comment 5 Petr Gajdos 2016-10-13 07:09:59 UTC
After compiling without optimizations I get:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3db8fbc in ReadPSDImage (image_info=0xa532b0, exception=0x603060) at coders/psd.c:1382
1382	                    *q=image->colormap[(long) indexes[x]];

(gdb) p x
$26 = 3
(gdb) p indexes[3]
$27 = 63488
(gdb)

but the upper bound for the colormap array seems to be 352 for this image.
Comment 6 Petr Gajdos 2016-10-13 13:21:23 UTC
So here is the way out I am proposing.

The situation is that there is no place in 11/ImageMagick where we could apply the git commit assigned to this CVE, really. 11/ImageMagick segfaults on the testcase nonetheless, but I dare to consider that is another problem than this CVE.

@@ -1369,10 +1379,13 @@ static Image *ReadPSDImage(const ImageIn
                     else
                       indexes[x]=(IndexPacket) ScaleQuantumToShort((Quantum)
                         pixel);
-                    *q=image->colormap[(long) indexes[x]];
-                    q->red=image->colormap[(long) indexes[x]].red;
-                    q->green=image->colormap[(long) indexes[x]].green;
-                    q->blue=image->colormap[(long) indexes[x]].blue;
+                    if (indexes[x] < image->colors)
+                    {
+                      *q=image->colormap[(long) indexes[x]];
+                      q->red=image->colormap[(long) indexes[x]].red;
+                      q->green=image->colormap[(long) indexes[x]].green;
+                      q->blue=image->colormap[(long) indexes[x]].blue;
+                    }
                   }
                 break;
               }
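Review bot: the added guard `if (indexes[x] < image->colors)` skips the pixel silently when the index is out of range, so `*q` keeps whatever the pixel buffer already held and nothing records that the file was malformed; the 13.2/12 builds quoted in Comment 2 instead report `invalid colormap index` from ConstrainColormapIndex for the same input. Consider clamping the index (e.g. to 0) and raising the exception in an else branch, so the output is deterministic and the bad file is diagnosed rather than partly rendered. Separately, the three `q->red`/`q->green`/`q->blue` assignments duplicate what `*q=image->colormap[(long) indexes[x]];` already copied; dropping them would shrink the guarded block.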

Not that I would call this a fix, but the crash went away and even valgrind errors vanished. I tried also one random psd to convert to bmp before and after the patch and it seems that there's no fundamental break as it produces bmp with the same md5.
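As an added example (not ImageMagick's code and not part of this bug), the check the patch above approximates, written out as the clamp-and-report pattern: every colormap index passes through one gatekeeper before the lookup, and an out-of-range index is clamped to 0 and counted instead of indexing past the end of the heap buffer. The struct names, field names and functions are illustrative stand-ins assumed for this example; the 352-entry colormap and the index 63488 are the values from Comment 5.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative stand-ins for ImageMagick's PixelPacket and Image structs;
 * names and layout are assumptions for this example, not ImageMagick's. */
typedef struct {
    uint16_t red, green, blue;
} PixelPacket;

typedef struct {
    PixelPacket *colormap;        /* heap buffer with `colors` entries */
    size_t       colors;          /* number of valid colormap entries */
    size_t       bad_index_count; /* out-of-range indexes caught so far */
} Image;

/* Gatekeeper for every colormap access: an index >= image->colors is
 * clamped to 0 and recorded, so the lookup that follows cannot read past
 * the heap buffer. This is the role ConstrainColormapIndex plays in the
 * 13.2/12 output shown in Comment 2. */
static size_t constrain_colormap_index(Image *image, size_t index)
{
    if (index < image->colors)
        return index;
    image->bad_index_count++;
    return 0;
}

/* Decodes one row of indexed pixels into `out`, routing every index through
 * constrain_colormap_index() before it reaches image->colormap (the check
 * the 11/ImageMagick path at psd.c:1382 lacked). Returns pixels written. */
static size_t decode_indexed_row(Image *image, const uint16_t *indexes,
                                 size_t width, PixelPacket *out)
{
    size_t x;
    for (x = 0; x < width; x++) {
        size_t idx = constrain_colormap_index(image, indexes[x]);
        out[x] = image->colormap[idx];
    }
    return x;
}

/* Constructed input: a 352-entry colormap (the bound from Comment 5) and a
 * four-pixel row whose last index is 63488, the value gdb printed. */
#define EXAMPLE_COLORS 352u
#define EXAMPLE_WIDTH  4u
static PixelPacket    example_colormap[EXAMPLE_COLORS];
static PixelPacket    example_decoded[EXAMPLE_WIDTH];
static const uint16_t example_row[EXAMPLE_WIDTH] = { 0, 1, 351, 63488 };

/* Builds the example image, decodes the row into example_decoded and returns
 * how many out-of-range indexes were caught (1 for this input). */
size_t example_bad_index_count(void)
{
    Image image;
    size_t i;

    for (i = 0; i < EXAMPLE_COLORS; i++) {
        example_colormap[i].red   = (uint16_t)i;
        example_colormap[i].green = (uint16_t)(2 * i);
        example_colormap[i].blue  = (uint16_t)(3 * i);
    }
    image.colormap = example_colormap;
    image.colors = EXAMPLE_COLORS;
    image.bad_index_count = 0;

    decode_indexed_row(&image, example_row, EXAMPLE_WIDTH, example_decoded);
    return image.bad_index_count;
}

/* Red component of decoded pixel x after running the example; the clamped
 * last pixel comes out as colormap entry 0 rather than a heap read. */
uint16_t example_decoded_red(size_t x)
{
    example_bad_index_count();
    return x < EXAMPLE_WIDTH ? example_decoded[x].red : 0;
}

int main(void)
{
    printf("out-of-range colormap indexes caught: %zu\n",
           example_bad_index_count());
    printf("last pixel red after clamping: %u\n",
           (unsigned)example_decoded_red(EXAMPLE_WIDTH - 1));
    return 0;
}
```

The point of funnelling every access through one small function is that the bound is checked against `image->colors`, the size the buffer was actually allocated with, rather than against a value the file supplies; a decoder that has several lookup sites (as the PSD coder does) gets the same guarantee at each of them without repeating the comparison by hand.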
Comment 7 Petr Gajdos 2016-10-13 13:39:58 UTC
I believe all fixed.
Comment 8 Swamp Workflow Management 2016-10-28 16:10:04 UTC
SUSE-SU-2016:2667-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000702,1000703,1000704,1000706,1000707,1000708,1000709,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
Comment 9 Swamp Workflow Management 2016-10-28 19:09:08 UTC
openSUSE-SU-2016:2671-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000703,1000704,1000706,1000707,1000708,1000709,1000710,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7536,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE 13.2 (src):    ImageMagick-6.8.9.8-34.1
Comment 10 Swamp Workflow Management 2016-11-10 16:16:23 UTC
openSUSE-SU-2016:2770-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000702,1000703,1000704,1000706,1000707,1000708,1000709,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-21.1
Comment 11 Swamp Workflow Management 2016-12-01 17:10:26 UTC
SUSE-SU-2016:2964-1: An update that fixes 34 vulnerabilities is now available.

Category: security (important)
Bug References: 1000399,1000434,1000436,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000698,1000699,1000700,1000701,1000703,1000704,1000707,1000709,1000711,1000713,1000714,1001066,1001221,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1007245
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-5687,CVE-2016-6823,CVE-2016-7101,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7533,CVE-2016-7535,CVE-2016-7537,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684,CVE-2016-8862
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.54.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.54.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.54.1
Comment 12 Marcus Meissner 2016-12-22 12:21:25 UTC
released