Bug 1001221 - VUL-0: CVE-2016-7101: ImageMagick,GraphicsMagick: SGI Coder Out-Of-Bounds Read Vulnerability
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
CVSSv2:RedHat:CVE-2016-7101:4.3:(AV:N...
Reported: 2016-09-26 15:42 UTC by Mikhail Kasimov
Modified: 2017-09-01 09:03 UTC (History)



Attachments
CVE-2016-7101.sgi (12 bytes, application/octet-stream)
2016-09-27 06:03 UTC, Marcus Meissner

Description Mikhail Kasimov 2016-09-26 15:42:16 UTC
References: http://seclists.org/oss-sec/2016/q3/616

===============
Hi.

This is PeiwenChen of Tencent's Xuanwu Lab & RayZhong of Tencent's Keen Lab.
During our research, we found an Out-Of-Bounds write vulnerability in
ImageMagick's SGI coder.

When ImageMagick is identifying an SGI format image, we can craft an SGI file
with a big value of row. It will read a certain number of times, which is
controllable by the value of row; this causes an Out-Of-Bounds Read.

The ImageMagick team has fixed the vulnerability we reported.


Upstream fix:
https://github.com/ImageMagick/ImageMagick/commit/7afcf9f71043df15508e46f079387bd4689a738d
https://github.com/ImageMagick/ImageMagick/commit/8f8959033e4e59418d6506b345829af1f7a71127

Debian Bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836776


Attached is a proof of concept and backtrace.

$ hexdump PoC.sgi
0000000 da01 0100 0000 fffe 0200 0400
000000c

$ convert PoC.sgi


Program received signal SIGSEGV, Segmentation fault.
[------------------------registers------------------------]
RAX: 0x0
RBX: 0x1
RCX: 0xf939
RDX: 0x6031b0 --> 0x0
RSI: 0x7ffff7fe8090 --> 0x1
RDI: 0x7ffff7dcef98 --> 0x1
RBP: 0xdfbc
RSP: 0x7fffffff5e60 --> 0xffffffff54535254
RIP: 0x7ffff74eae8b (<IdentifyImageGray+795>: movss  xmm0,DWORD PTR [r15+rax*4])
R8 : 0x744850 --> 0x0
R9 : 0x1
R10: 0x69a000 --> 0x0
R11: 0x1
R12: 0x641600 --> 0x600000000
R13: 0x6535f0 --> 0x1700000001
R14: 0x603178 --> 0x6031b0 --> 0x0

R15: 0x765000                          <== end address of heap

[---------------------------code---------------------------]
   0x7ffff74eae7d <IdentifyImageGray+781>: inc    BYTE PTR [rdx+rcx*1]
   0x7ffff74eae80 <IdentifyImageGray+784>: mov    DWORD PTR [rax],0x5177
   0x7ffff74eae86 <IdentifyImageGray+790>: mov    rax,QWORD PTR [rsp+0x30]
=> 0x7ffff74eae8b <IdentifyImageGray+795>: movss  xmm0,DWORD PTR [r15+rax*4]
   0x7ffff74eae91 <IdentifyImageGray+801>: movaps XMMWORD PTR [rsp+0x40],xmm0
   0x7ffff74eae96 <IdentifyImageGray+806>: mov    rax,QWORD PTR [rsp+0x28]
   0x7ffff74eae9b <IdentifyImageGray+811>: movss  xmm4,DWORD PTR [r15+rax*4]
   0x7ffff74eaea1 <IdentifyImageGray+817>: subss  xmm0,xmm4
[---------------------------stack---------------------------]
00:0000| rsp 0x7fffffff5e60 --> 0xffffffff54535254
01:0008|     0x7fffffff5e68 --> 0x0
02:0016|     0x7fffffff5e70 --> 0x63d600 --> 0x6535f0 --> 0x1700000001
03:0024|     0x7fffffff5e78 --> 0x614160 --> 0x1a9
04:0032|     0x7fffffff5e80 --> 0x0
05:0040|     0x7fffffff5e88 --> 0x1
06:0048|     0x7fffffff5e90 --> 0x0
07:0056|     0x7fffffff5e98 --> 0xfeff
[-----------------------------------------------------------]
Legend: stack, code, data, heap, rodata, value
Stopped reason: SIGSEGV
0x00007ffff74eae8b in IsPixelMonochrome (image=<optimized out>, pixel=<optimized out>) at ./MagickCore/pixel-accessor.h:561
561   red_green=(MagickRealType) pixel[image->channel_map[RedPixelChannel].offset]-

gdb-peda$ bt
#0  0x00007ffff74eae8b in IsPixelMonochrome (image=<optimized out>, pixel=<optimized out>) at ./MagickCore/pixel-accessor.h:561
#1  IdentifyImageGray (image=<optimized out>, exception=<optimized out>) at MagickCore/attribute.c:683
#2  0x00007ffff74ebb7a in IdentifyImageType (image=0x6535f0, exception=0x614160) at MagickCore/attribute.c:821
#3  0x00007ffff7647d39 in IdentifyImage (image=0x6535f0, file=<optimized out>, verbose=<optimized out>, exception=0x614160) at MagickCore/identify.c:494
#4  0x00007ffff71024a6 in IdentifyImageCommand (image_info=<optimized out>, argc=<optimized out>, argv=<optimized out>, metadata=<optimized out>, exception=<optimized out>) at MagickWand/identify.c:336
#5  0x00007ffff7153e53 in MagickCommandGenesis (image_info=<optimized out>, command=<optimized out>, argc=<optimized out>, argv=<optimized out>, metadata=<optimized out>, exception=<optimized out>) at MagickWand/mogrify.c:183
#6  0x0000000000401cae in MagickMain (argc=<optimized out>, argv=<optimized out>) at utilities/magick.c:145
#7  main (argc=<optimized out>, argv=<optimized out>, argv@entry=0x7fffffffeb48) at utilities/magick.c:176
#8  0x00007ffff5a3b830 in __libc_start_main (main=0x4015f0 <main>, argc=0x2, argv=0x7fffffffeb48, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffeb38) at ../csu/libc-start.c:291
#9  0x0000000000401519 in _start ()


gdb-peda$ vmmap
Start              End                Perm Name
0x00400000         0x00403000         r-xp /usr/local/bin/magick
0x00602000         0x00603000         r--p /usr/local/bin/magick
0x00603000         0x00604000         rw-p /usr/local/bin/magick
0x00604000         0x00765000         rw-p [heap]
0x00007ffff553f000 0x00007ffff5817000 r--p /usr/lib/locale/locale-archive


Regards,
Peiwen Chen
Tencent's Xuanwu Lab
===============
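The 12-byte hexdump in the report above is the complete header prefix the SGI reader sees before it sizes any pixel buffers. The C program below is an added illustration, not code from ImageMagick, GraphicsMagick, the upstream fix commits or the oss-sec post: it decodes those bytes according to the documented SGI/RGB header layout (big-endian fields, magic 474 = 0x01DA) and applies the kind of header sanity checks a coder must pass before trusting xsize/ysize/zsize. Note that `hexdump` without `-C` prints host-endian 16-bit words, so "da01 0100 0000 fffe 0200 0400" is the byte sequence 01 da 00 01 00 00 fe ff 00 02 00 04. The rejection reasons, the 4-channel limit and the MAX_PIXELS resource cap are this example's own assumptions and do not reproduce the specific checks upstream added.

```c
/*
 * Added example (not ImageMagick/GraphicsMagick code): decode the 12-byte
 * SGI header prefix from the PoC hexdump and sanity-check it before any
 * buffer is sized.  Field layout is the documented SGI/RGB format.  The
 * limits and reject reasons are this example's own assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SGI_MAGIC 474u                     /* 0x01DA, big-endian on disk */
#define MAX_PIXELS (64u * 1024u * 1024u)   /* assumed resource limit for the example */

typedef struct {
    uint16_t magic;
    uint8_t  storage;     /* 0 = verbatim, 1 = RLE */
    uint8_t  bpc;         /* bytes per channel: 1 or 2 */
    uint16_t dimension;   /* 1 = one scanline, 2 = one channel, 3 = multi-channel */
    uint16_t xsize, ysize, zsize;
} sgi_header;

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse the first 12 bytes of an SGI file. Returns 0 on success, -1 if short. */
int sgi_parse_header(const uint8_t *buf, size_t len, sgi_header *h)
{
    if (len < 12)
        return -1;
    h->magic     = be16(buf);
    h->storage   = buf[2];
    h->bpc       = buf[3];
    h->dimension = be16(buf + 4);
    h->xsize     = be16(buf + 6);
    h->ysize     = be16(buf + 8);
    h->zsize     = be16(buf + 10);
    return 0;
}

/*
 * Validate a parsed header and compute the raw pixel buffer size in bytes.
 * Returns NULL if the header is acceptable, otherwise a reason string.
 * The arithmetic is done in 64 bits so a 16-bit field cannot overflow it.
 */
const char *sgi_check_header(const sgi_header *h, uint64_t *out_bytes)
{
    if (h->magic != SGI_MAGIC)
        return "bad magic";
    if (h->storage > 1)
        return "unknown storage type";
    if (h->bpc != 1 && h->bpc != 2)
        return "bytes per channel must be 1 or 2";
    if (h->dimension < 1 || h->dimension > 3)
        return "dimension must be 1..3";
    /* A 1-D file is one scanline; a 2-D file has one channel whatever zsize says. */
    uint32_t rows     = (h->dimension >= 2) ? h->ysize : 1;
    uint32_t channels = (h->dimension == 3) ? h->zsize : 1;
    if (h->xsize == 0 || rows == 0 || channels == 0)
        return "zero-sized image";
    if (channels > 4)
        return "more than 4 channels";
    uint64_t pixels = (uint64_t)h->xsize * rows;
    if (pixels > MAX_PIXELS)
        return "image exceeds pixel limit";
    *out_bytes = pixels * channels * h->bpc;
    return NULL;
}

/* Constructed input: the 12 bytes shown by the PoC hexdump on this page. */
static const uint8_t poc[12] = {
    0x01, 0xda, 0x00, 0x01, 0x00, 0x00, 0xfe, 0xff, 0x00, 0x02, 0x00, 0x04
};

/* Parse and check the PoC header; returns the reject reason (NULL = accepted). */
const char *check_poc(sgi_header *h)
{
    uint64_t bytes = 0;
    if (sgi_parse_header(poc, sizeof poc, h) != 0)
        return "short read";
    return sgi_check_header(h, &bytes);
}

int main(void)
{
    sgi_header h;
    const char *why = check_poc(&h);
    printf("magic=%u storage=%u bpc=%u dimension=%u xsize=%u ysize=%u zsize=%u\n",
           (unsigned)h.magic, (unsigned)h.storage, (unsigned)h.bpc,
           (unsigned)h.dimension, (unsigned)h.xsize, (unsigned)h.ysize,
           (unsigned)h.zsize);
    printf("verdict: %s\n", why ? why : "accepted");
    return 0;
}
```

Decoded, the PoC header is magic 474, storage 0, bpc 1, dimension 0, xsize 65279, ysize 2, zsize 4: a width just under the 16-bit limit, two rows, four channels, and a dimension field that no SGI file should carry, which is why this example rejects it before computing any buffer size. A well-formed 16x8x3 header with bpc 1 passes the same function and is sized at 384 bytes.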
Comment 1 Swamp Workflow Management 2016-09-26 22:02:07 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2016-09-27 06:03:14 UTC
Created attachment 694429 [details]
CVE-2016-7101.sgi

QA REPRODUCER:

convert CVE-2016-7101.sgi foo.jpg

should not crash
Comment 3 Marcus Meissner 2016-09-27 06:03:34 UTC
(Does not crash for me on leap 42.2)
Comment 4 Petr Gajdos 2016-10-11 09:36:47 UTC
I do not see a crash or valgrind errors anywhere for either ImageMagick or GraphicsMagick.
Comment 5 Petr Gajdos 2016-10-11 10:20:06 UTC
All supported versions of ImageMagick and GraphicsMagick code need the checks.
Comment 6 Petr Gajdos 2016-10-11 10:20:50 UTC
However, the testcase leads to an 'improper image header' error both BEFORE and AFTER.
Comment 7 Petr Gajdos 2016-10-13 13:39:52 UTC
I believe all fixed.
Comment 8 Swamp Workflow Management 2016-10-26 12:09:32 UTC
openSUSE-SU-2016:2641-1: An update that fixes 28 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1000399,1000434,1000436,1000689,1000690,1000691,1000692,1000693,1000695,1000698,1000700,1000702,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,985442,999673
CVE References: CVE-2015-8957,CVE-2015-8958,CVE-2016-5688,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE 13.2 (src):    GraphicsMagick-1.3.20-12.1
Comment 9 Swamp Workflow Management 2016-10-26 12:18:29 UTC
openSUSE-SU-2016:2644-1: An update that fixes 23 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1000399,1000434,1000689,1000693,1000695,1000698,1000700,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,999673
CVE References: CVE-2016-5688,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE Leap 42.1 (src):    GraphicsMagick-1.3.21-14.1
Comment 10 Swamp Workflow Management 2016-10-28 16:12:08 UTC
SUSE-SU-2016:2667-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000702,1000703,1000704,1000706,1000707,1000708,1000709,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
Comment 11 Swamp Workflow Management 2016-10-28 19:11:13 UTC
openSUSE-SU-2016:2671-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000703,1000704,1000706,1000707,1000708,1000709,1000710,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7536,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE 13.2 (src):    ImageMagick-6.8.9.8-34.1
Comment 12 Swamp Workflow Management 2016-11-04 14:09:53 UTC
SUSE-SU-2016:2724-1: An update that fixes 26 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1000399,1000434,1000436,1000689,1000690,1000691,1000692,1000693,1000695,1000698,1000700,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,999673
CVE References: CVE-2015-8957,CVE-2015-8958,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.46.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.46.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.46.1
Comment 13 Swamp Workflow Management 2016-11-10 16:18:27 UTC
openSUSE-SU-2016:2770-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000702,1000703,1000704,1000706,1000707,1000708,1000709,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-21.1
Comment 14 Swamp Workflow Management 2016-12-01 17:11:54 UTC
SUSE-SU-2016:2964-1: An update that fixes 34 vulnerabilities is now available.

Category: security (important)
Bug References: 1000399,1000434,1000436,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000698,1000699,1000700,1000701,1000703,1000704,1000707,1000709,1000711,1000713,1000714,1001066,1001221,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1007245
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-5687,CVE-2016-6823,CVE-2016-7101,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7533,CVE-2016-7535,CVE-2016-7537,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684,CVE-2016-8862
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.54.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.54.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.54.1
Comment 15 Swamp Workflow Management 2016-12-08 17:11:05 UTC
openSUSE-SU-2016:3060-1: An update that fixes 31 vulnerabilities is now available.

Category: security (important)
Bug References: 1000399,1000434,1000689,1000698,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,1007245,1011130,982178,983521,983752,983794,983799,984145,984150,984166,984372,984375,984394,984400,984436
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9809,CVE-2014-9815,CVE-2014-9817,CVE-2014-9820,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9845,CVE-2014-9846,CVE-2014-9853,CVE-2016-5118,CVE-2016-6823,CVE-2016-7101,CVE-2016-7515,CVE-2016-7522,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684,CVE-2016-8862,CVE-2016-9556
Sources used:
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-3.1
Comment 16 Marcus Meissner 2016-12-22 10:58:28 UTC
released
Comment 17 Petr Gajdos 2017-09-01 09:03:07 UTC
GraphicsMagick does not have checks, sent notification upstream.