Bug 1036978 - (CVE-2017-8344) VUL-1: CVE-2017-8344: ImageMagick, GraphicsMagick: denial of service (memory leak) via a crafted file (ReadPCXImage func in pcx.c)
(CVE-2017-8344)
VUL-1: CVE-2017-8344: ImageMagick, GraphicsMagick: denial of service (memory ...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: unspecified
Assigned To: Security Team bot
Security Team bot
CVSSv2:SUSE:CVE-2017-8344:4.3:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-04-30 19:57 UTC by Mikhail Kasimov
Modified: 2017-06-21 22:40 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
CVE-2017-8344_memory-leak-in-ReadPCXImage-7_testcase (4.90 KB, application/octet-stream)
2017-04-30 19:57 UTC, Mikhail Kasimov
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Kasimov 2017-04-30 19:57:02 UTC
Created attachment 723252 [details]
CVE-2017-8344_memory-leak-in-ReadPCXImage-7_testcase

Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-8344
====================================================
Description

In ImageMagick 7.0.5-5, the ReadPCXImage function in pcx.c allows attackers to cause a denial of service (memory leak) via a crafted file.

Source:  MITRE      Last Modified:  04/30/2017
====================================================

Hyperlink

[1] https://github.com/ImageMagick/ImageMagick/issues/446

[2] Testcase: https://github.com/bestshow/p0cs/blob/master/memory-leak-in-ReadPCXImage-7.dcx

[3] https://github.com/ImageMagick/ImageMagick/commit/eca0f9c2f3a2d533b7d45451e220fa8ab1dc868c (master)

[4] https://github.com/ImageMagick/ImageMagick/commit/4c6289b2f39a47a430ce27b61d3e3967201e77e8 (ImageMagick-6)



(open-)SUSE: https://software.opensuse.org/package/ImageMagick

7.0.5.4 (TW, official repo)
6.8.8.1 (42.{1,2}, official repo)
Comment 1 Petr Gajdos 2017-05-02 13:26:51 UTC
Tested on 12/ImageMagick:

BEFORE

$ valgrind --leak-check=full identify memory-leak-in-ReadPCXImage-7.dcx
[..]
ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
$

AFTER

$ valgrind --leak-check=full identify memory-leak-in-ReadPCXImage-7.dcx
[..]
ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
$

11/ImageMagick also shows one leak error in valgrind for me, nevertheless this is not fixed by patch for this bug. Similarly for GraphicsMagick with more leak errors.

42.2/GraphicsMagick and 42.1/GraphicsMagick seem to have this fixed. 11/GraphicsMagick need to be fixed.

Considering affected:
12/ImageMagick, 11/ImageMagick and 11/Graphicsmagick
Comment 2 Petr Gajdos 2017-05-17 15:13:00 UTC
I believe all fixed.
Comment 6 Marcus Meissner 2017-06-02 13:20:34 UTC
Petr, in SLE11 GM the patch GraphicsMagick-CVE-2017-8344.patch is not applied.

I will fix the incident manually.
Comment 7 Marcus Meissner 2017-06-06 09:51:17 UTC
Petr, the patch included in 11 GraphicsMagic was not applied (and just enabling it does not apply) ... it does not seem to be backported.
Comment 8 Petr Gajdos 2017-06-06 10:18:04 UTC
Corrected in current submission.

For 11/GraphicsMagick I get now:

BEFORE

==1329== 192 bytes in 1 blocks are definitely lost in loss record 2 of 5
==1329==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==1329==    by 0x80299D5: ???
==1329==    by 0x4EA044C: ReadImage (constitute.c:6000)
==1329==    by 0x4EFC60D: ReadStream (pixel_cache.c:3648)
==1329==    by 0x4EA1228: PingImage (constitute.c:5770)
==1329==    by 0x4E86D17: IdentifyImageCommand (command.c:7204)
==1329==    by 0x4E73673: MagickCommand (command.c:7654)
==1329==    by 0x4E737EE: GMCommand (command.c:15278)
==1329==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
==1329== 
==1329== 
==1329== 768 bytes in 1 blocks are definitely lost in loss record 3 of 5
==1329==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==1329==    by 0x80296F1: ???
==1329==    by 0x4EA044C: ReadImage (constitute.c:6000)
==1329==    by 0x4EFC60D: ReadStream (pixel_cache.c:3648)
==1329==    by 0x4EA1228: PingImage (constitute.c:5770)
==1329==    by 0x4E86D17: IdentifyImageCommand (command.c:7204)
==1329==    by 0x4E73673: MagickCommand (command.c:7654)
==1329==    by 0x4E737EE: GMCommand (command.c:15278)
==1329==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
==1329== 
==1329== 
==1329== 8,192 bytes in 1 blocks are definitely lost in loss record 4 of 5
==1329==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==1329==    by 0x802A127: ???
==1329==    by 0x4EA044C: ReadImage (constitute.c:6000)
==1329==    by 0x4EFC60D: ReadStream (pixel_cache.c:3648)
==1329==    by 0x4EA1228: PingImage (constitute.c:5770)
==1329==    by 0x4E86D17: IdentifyImageCommand (command.c:7204)
==1329==    by 0x4E73673: MagickCommand (command.c:7654)
==1329==    by 0x4E737EE: GMCommand (command.c:15278)
==1329==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
==1329== 
==1329== 
==1329== 98,325 bytes in 1 blocks are definitely lost in loss record 5 of 5
==1329==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==1329==    by 0x80298EE: ???
==1329==    by 0x4EA044C: ReadImage (constitute.c:6000)
==1329==    by 0x4EFC60D: ReadStream (pixel_cache.c:3648)
==1329==    by 0x4EA1228: PingImage (constitute.c:5770)
==1329==    by 0x4E86D17: IdentifyImageCommand (command.c:7204)
==1329==    by 0x4E73673: MagickCommand (command.c:7654)
==1329==    by 0x4E737EE: GMCommand (command.c:15278)
==1329==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)


AFTER

==6217== 768 bytes in 1 blocks are definitely lost in loss record 2 of 2
==6217==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==6217==    by 0x80296F1: ???
==6217==    by 0x4EA044C: ReadImage (constitute.c:6000)
==6217==    by 0x4EFC60D: ReadStream (pixel_cache.c:3648)
==6217==    by 0x4EA1228: PingImage (constitute.c:5770)
==6217==    by 0x4E86D17: IdentifyImageCommand (command.c:7204)
==6217==    by 0x4E73673: MagickCommand (command.c:7654)
==6217==    by 0x4E737EE: GMCommand (command.c:15278)
==6217==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
Comment 10 Swamp Workflow Management 2017-06-06 16:12:15 UTC
SUSE-SU-2017:1489-1: An update that fixes 27 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1028075,1033091,1034870,1034872,1034876,1036976,1036977,1036978,1036980,1036981,1036982,1036983,1036984,1036985,1036986,1036987,1036988,1036989,1036990,1036991,1037527,1038000,1040025,1040303,1040304,1040306,1040332
CVE References: CVE-2017-6502,CVE-2017-7606,CVE-2017-7941,CVE-2017-7942,CVE-2017-7943,CVE-2017-8343,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8347,CVE-2017-8348,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8354,CVE-2017-8355,CVE-2017-8356,CVE-2017-8357,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9141,CVE-2017-9142,CVE-2017-9143,CVE-2017-9144
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
Comment 12 Swamp Workflow Management 2017-06-14 13:11:57 UTC
openSUSE-SU-2017:1560-1: An update that fixes 27 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1028075,1033091,1034870,1034872,1034876,1036976,1036977,1036978,1036980,1036981,1036982,1036983,1036984,1036985,1036986,1036987,1036988,1036989,1036990,1036991,1037527,1038000,1040025,1040303,1040304,1040306,1040332
CVE References: CVE-2017-6502,CVE-2017-7606,CVE-2017-7941,CVE-2017-7942,CVE-2017-7943,CVE-2017-8343,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8347,CVE-2017-8348,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8354,CVE-2017-8355,CVE-2017-8356,CVE-2017-8357,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9141,CVE-2017-9142,CVE-2017-9143,CVE-2017-9144
Sources used:
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-30.3.1
Comment 13 Swamp Workflow Management 2017-06-19 10:11:14 UTC
SUSE-SU-2017:1599-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033091,1034870,1034872,1034876,1036976,1036978,1036980,1036981,1036983,1036984,1036985,1036986,1036987,1036988,1036989,1036990,1037527,1038000,1040025,1040303,1040304,1040306,1040332
CVE References: CVE-2014-9846,CVE-2016-10050,CVE-2017-7606,CVE-2017-7941,CVE-2017-7942,CVE-2017-7943,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8348,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8354,CVE-2017-8355,CVE-2017-8357,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9141,CVE-2017-9142,CVE-2017-9143,CVE-2017-9144
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.77.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.77.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.77.1
Comment 14 Swamp Workflow Management 2017-06-19 13:10:42 UTC
SUSE-SU-2017:1600-1: An update that fixes 17 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033091,1034876,1036978,1036980,1036981,1036984,1036985,1036986,1036987,1036988,1036990,1037527,1038000,1040025,1040304,1040332,984144
CVE References: CVE-2014-9847,CVE-2017-7606,CVE-2017-7941,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8355,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9142,CVE-2017-9144
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.77.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.77.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.77.1
Comment 15 Marcus Meissner 2017-06-20 07:27:35 UTC
released