Bug 1000712 – VUL-0: CVE-2016-7538: ImageMagick: SIGABRT for corrupted pdb file

Bug 1000712 - (CVE-2016-7538) VUL-0: CVE-2016-7538: ImageMagick: SIGABRT for corrupted pdb file

(CVE-2016-7538)
Summary:	VUL-0: CVE-2016-7538: ImageMagick: SIGABRT for corrupted pdb file

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv2:RedHat:CVE-2016-7538:4.3:(AV:N...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2016-09-23 10:57 UTC by Johannes Segitz
Modified:	2016-12-22 12:25 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Segitz 2016-09-23 10:57:58 UTC

AddressSanitizer: heap-buffer-overflow WRITE of size 65700

References:
https://bugs.debian.org/832793
https://bugs.launchpad.net/bugs/1556273
https://github.com/ImageMagick/ImageMagick/issues/148
https://github.com/ImageMagick/ImageMagick/commit/53c1dcd34bed85181b901bfce1a2322f85a59472

Comment 1 Swamp Workflow Management 2016-09-23 22:04:15 UTC

bugbot adjusting priority

Comment 2 Petr Gajdos 2016-10-10 09:11:26 UTC

With the testcase from Ubuntu bug, 13.2/GraphicsMagick and 11/GraphicsMagick exits with 'memory allocation failed' error.

42.1/GraphicsMagick seem to create something (100% CPU), but I have kill it after one minute. 11/ImageMagick creates resulting image after several seconds.

13.2/ImageMagick and 12/ImageMagick creates resulting image and exits immediately, but produces a lot of valgrind errors.

For 13.2/ImageMagick, I got even crash when I run the command after valgrind call.

Not sure how to manifest the issue reliably without asan.

Comment 3 Petr Gajdos 2016-10-10 09:18:37 UTC

The code is there just for 13.2/ImageMagick and 12/ImageMagick.

Comment 4 Petr Gajdos 2016-10-13 13:40:13 UTC

I believe all fixed.

Comment 5 Romanos Dodopoulos 2016-10-26 11:47:48 UTC

(In reply to Petr Gajdos from comment #2)
> 13.2/ImageMagick and 12/ImageMagick creates resulting image and exits
> immediately, but produces a lot of valgrind errors.
By 12 you mean SLE12 GA specifically?

I cannot reproduce it on SLE12 SP1:

> peter:/tmp/SUSE:Maintenance:3353:123045 # valgrind convert id_000206,sig_06,src_005821,op_havoc,rep_4 tmp.jpg
> ==3551== Memcheck, a memory error detector
> ==3551== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
> ==3551== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
> ==3551== Command: convert id_000206,sig_06,src_005821,op_havoc,rep_4 tmp.jpg
> ==3551== 
> ==3551== 
> ==3551== HEAP SUMMARY:
> ==3551==     in use at exit: 528 bytes in 11 blocks
> ==3551==   total heap usage: 2,749 allocs, 2,738 frees, 639,551 bytes allocated
> ==3551== 
> ==3551== LEAK SUMMARY:
> ==3551==    definitely lost: 0 bytes in 0 blocks
> ==3551==    indirectly lost: 0 bytes in 0 blocks
> ==3551==      possibly lost: 0 bytes in 0 blocks
> ==3551==    still reachable: 528 bytes in 11 blocks
> ==3551==         suppressed: 0 bytes in 0 blocks
> ==3551== Rerun with --leak-check=full to see details of leaked memory
> ==3551== 
> ==3551== For counts of detected and suppressed errors, rerun with: -v
> ==3551== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
> peter:/tmp/SUSE:Maintenance:3353:123045 # ls -al tmp.jpg
> -rw-r--r-- 1 root root 723 Oct 26 13:43 tmp.jpg

Comment 6 Swamp Workflow Management 2016-10-28 16:11:25 UTC

SUSE-SU-2016:2667-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000702,1000703,1000704,1000706,1000707,1000708,1000709,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-40.1

Comment 7 Swamp Workflow Management 2016-10-28 19:10:21 UTC

openSUSE-SU-2016:2671-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000703,1000704,1000706,1000707,1000708,1000709,1000710,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7536,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE 13.2 (src):    ImageMagick-6.8.9.8-34.1

Comment 8 Swamp Workflow Management 2016-11-10 16:17:41 UTC

openSUSE-SU-2016:2770-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000702,1000703,1000704,1000706,1000707,1000708,1000709,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-21.1

Comment 9 Marcus Meissner 2016-12-22 12:25:03 UTC

released