Bug 1034872 – VUL-1: CVE-2017-7942: ImageMagick: remote attack to consume an amount of available memory via a crafted file (ReadAVSImage function in avs.c)

Bug 1034872 - (CVE-2017-7942) VUL-1: CVE-2017-7942: ImageMagick: remote attack to consume an amount of available memory via a crafted file (ReadAVSImage function in avs.c)

(CVE-2017-7942)
Summary:	VUL-1: CVE-2017-7942: ImageMagick: remote attack to consume an amount of avai...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv2:SUSE:CVE-2017-7942:2.6:(AV:N/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-04-19 08:52 UTC by Mikhail Kasimov
Modified:	2017-06-20 07:22 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
memory_leak__in_avs_CVE-2017-7942_testcase (28.37 KB, text/html) 2017-04-19 08:52 UTC, Mikhail Kasimov	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mikhail Kasimov 2017-04-19 08:52:20 UTC

Created attachment 721717 [details]
memory_leak__in_avs_CVE-2017-7942_testcase

Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-7942
====================================================
The ReadAVSImage function in avs.c in ImageMagick 7.0.5-4 allows remote attackers to consume an amount of available memory via a crafted file.

Source:  MITRE      Last Modified:  04/18/2017
====================================================

Hyperlink

[1] https://github.com/ImageMagick/ImageMagick/issues/429

[1]:
===================================================
testcase:
https://github.com/bestshow/p0cs/blob/master/memory-leak-in-avs.avs

https://github.com/ImageMagick/ImageMagick/commit/962282327f3a28ffb1138f3ad3fb0438b57ae6b1

https://github.com/ImageMagick/ImageMagick/commit/fd84a5e8028778fd88772775361a2ee2b4bb6c47
===================================================


(open-)SUSE:

https://software.opensuse.org/package/ImageMagick

7.0.5.4 (TW, official repo)
6.8.8.1 (42.{1,2}, official repo)

Comment 1 Marcus Meissner 2017-04-19 13:13:09 UTC

The code in ImageMagick in SLE12 does not use pixel_info.

So I would say "not affected" for SLE, both IM and GM.

Comment 2 Petr Gajdos 2017-04-25 07:32:46 UTC

(In reply to Marcus Meissner from comment #1)
> The code in ImageMagick in SLE12 does not use pixel_info.

True, but I would free memory held by 'pixels' instead. What do you think?

Comment 3 Petr Gajdos 2017-04-25 07:38:02 UTC

GraphicsMagick: they do not bail out directly, just set status = MagickFail and memory is freed later. In my opinion not affected.

Comment 4 Petr Gajdos 2017-04-25 08:35:21 UTC

Tested with 12/ImageMagick:

BEFORE

$ valgrind --leak-check=full identify memory-leak-in-avs.avs
[..]
==27580== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
$

AFTER

$ valgrind --leak-check=full identify memory-leak-in-avs.avs
[..]
==10987== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
$

Comment 5 Petr Gajdos 2017-04-25 15:00:55 UTC

Packages submitted.

Comment 6 Petr Gajdos 2017-04-25 15:04:13 UTC

Comment 7 Marcus Meissner 2017-04-25 15:07:59 UTC

I agree for GraphicsMagick.

Comment 9 Swamp Workflow Management 2017-06-06 16:11:42 UTC

SUSE-SU-2017:1489-1: An update that fixes 27 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1028075,1033091,1034870,1034872,1034876,1036976,1036977,1036978,1036980,1036981,1036982,1036983,1036984,1036985,1036986,1036987,1036988,1036989,1036990,1036991,1037527,1038000,1040025,1040303,1040304,1040306,1040332
CVE References: CVE-2017-6502,CVE-2017-7606,CVE-2017-7941,CVE-2017-7942,CVE-2017-7943,CVE-2017-8343,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8347,CVE-2017-8348,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8354,CVE-2017-8355,CVE-2017-8356,CVE-2017-8357,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9141,CVE-2017-9142,CVE-2017-9143,CVE-2017-9144
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-70.1

Comment 10 Swamp Workflow Management 2017-06-14 13:11:19 UTC

openSUSE-SU-2017:1560-1: An update that fixes 27 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1028075,1033091,1034870,1034872,1034876,1036976,1036977,1036978,1036980,1036981,1036982,1036983,1036984,1036985,1036986,1036987,1036988,1036989,1036990,1036991,1037527,1038000,1040025,1040303,1040304,1040306,1040332
CVE References: CVE-2017-6502,CVE-2017-7606,CVE-2017-7941,CVE-2017-7942,CVE-2017-7943,CVE-2017-8343,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8347,CVE-2017-8348,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8354,CVE-2017-8355,CVE-2017-8356,CVE-2017-8357,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9141,CVE-2017-9142,CVE-2017-9143,CVE-2017-9144
Sources used:
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-30.3.1

Comment 11 Swamp Workflow Management 2017-06-19 10:10:53 UTC

SUSE-SU-2017:1599-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033091,1034870,1034872,1034876,1036976,1036978,1036980,1036981,1036983,1036984,1036985,1036986,1036987,1036988,1036989,1036990,1037527,1038000,1040025,1040303,1040304,1040306,1040332
CVE References: CVE-2014-9846,CVE-2016-10050,CVE-2017-7606,CVE-2017-7941,CVE-2017-7942,CVE-2017-7943,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8348,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8354,CVE-2017-8355,CVE-2017-8357,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9141,CVE-2017-9142,CVE-2017-9143,CVE-2017-9144
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.77.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.77.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.77.1

Comment 12 Marcus Meissner 2017-06-20 07:22:23 UTC

released