Bug 1036987 - (CVE-2017-8352) VUL-1: CVE-2017-8352: ImageMagick, GraphicsMagick: denial of service (memory leak) via a crafted file (ReadXWDImage func in xwd.c)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: unspecified
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2017-8352:4.3:(AV:N/A...
Reported: 2017-04-30 20:34 UTC by Mikhail Kasimov
Modified: 2018-02-09 23:37 UTC

Attachments
CVE-2017-8352_memory-leak-in-ReadXWDImage-13_testcase (15.10 KB, image/x-xwindowdump)
2017-04-30 20:34 UTC, Mikhail Kasimov

Description Mikhail Kasimov 2017-04-30 20:34:32 UTC
Created attachment 723261
CVE-2017-8352_memory-leak-in-ReadXWDImage-13_testcase

Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-8352
===================================================
Description

In ImageMagick 7.0.5-5, the ReadXWDImage function in xwd.c allows attackers to cause a denial of service (memory leak) via a crafted file.

Source:  MITRE      Last Modified:  04/30/2017
===================================================

Hyperlink

[1] https://github.com/ImageMagick/ImageMagick/issues/452

[2] Testcase: https://github.com/bestshow/p0cs/blob/master/memory-leak-in-ReadXWDImage-13.xwd

[3] https://github.com/ImageMagick/ImageMagick/commit/a8af58506e7411284a70c759970a5d115cd8657e (master)

[4] https://github.com/ImageMagick/ImageMagick/commit/2917930679a3543e52070668c3adb3d8c183d1f6 (ImageMagick-6)


(open-)SUSE: https://software.opensuse.org/package/ImageMagick

7.0.5.4 (TW, official repo)
6.8.8.1 (42.{1,2}, official repo)
Comment 1 Petr Gajdos 2017-05-11 13:14:16 UTC
With 12/ImageMagick:

BEFORE

$ valgrind --leak-check=full identify memory-leak-in-ReadXWDImage-13.xwd
[..]
==26915== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
$

AFTER

$ valgrind --leak-check=full identify memory-leak-in-ReadXWDImage-13.xwd
[..]
==12105== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
$

Similarly for 12/ImageMagick. I do not get leaks for GraphicsMagick.
Comment 2 Petr Gajdos 2017-05-12 09:58:07 UTC
(In reply to Petr Gajdos from comment #1)
> Similarly for 12/ImageMagick. I do not get leaks for GraphicsMagick.

This should have been 11/ImageMagick. 42.1/GraphicsMagick also needs the patch; in 42.2 it is solved via a specialized ThrowXWDReaderException.

Therefore considering affected:

12/ImageMagick, 11/ImageMagick, 11/GraphicsMagick and 42.1/GraphicsMagick.
Comment 3 Petr Gajdos 2017-05-17 15:12:59 UTC
I believe all fixed.
Comment 8 Marcus Meissner 2017-06-06 09:31:07 UTC
I think the testcase triggers the leak in the part of the patch that you did not need to backport (the freeing after SetImageExtent, which is not present in SLE12 IM).
Comment 9 Petr Gajdos 2017-06-06 09:51:47 UTC
(In reply to Marcus Meissner from comment #8)
> I think the testcase triggers the leak in the part of the patch that you did
> not need to backport. (the freeing after SetImageExtent which is not present
> in SLE12 IM)

My testing in comment 1 differs from this assumption.

By the way, there should probably be:

*Similarly for 11/ImageMagick.*
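As an added illustration of the leak shape discussed in comments 8 and 9 (this is not ImageMagick's xwd.c and not from this bug's patch), a reader that allocates the XWD colormap and pixel buffer and then returns early when the geometry check fails, beside a version with a single cleanup path. The `xwd_hdr` struct, `set_image_extent` and the allocation counter are assumed stand-ins for the real header, `SetImageExtent` and the valgrind run in comment 1.

```c
/* Illustrative model of the CVE-2017-8352 leak shape; not ImageMagick's xwd.c. */
#include <stdint.h>
#include <stdlib.h>

/* Live-block counter: stands in for what "valgrind --leak-check=full" would report. */
static int live_blocks = 0;
static void *track_alloc(size_t n) { void *p = calloc(1, n); if (p) live_blocks++; return p; }
static void track_free(void *p) { if (p) { live_blocks--; free(p); } }
int leaked_blocks(void) { return live_blocks; }

/* Assumed minimal header: colormap entry count and image geometry read from the file. */
typedef struct { uint32_t ncolors, width, height; } xwd_hdr;

/* Stand-in for SetImageExtent(): reject geometry the image cannot be sized to. */
static int set_image_extent(uint32_t w, uint32_t h) {
    return w != 0 && h != 0 && w <= (1u << 15) && h <= (1u << 15);
}

/* Leaky shape: colormap and pixel buffer are acquired before the extent check,
   and the failing check returns without releasing them (the pattern in this bug). */
int read_xwd_leaky(const xwd_hdr *hdr) {
    uint32_t *colors = track_alloc((size_t)hdr->ncolors * sizeof(uint32_t));
    if (colors == NULL) return -1;
    uint8_t *data = track_alloc(4096);          /* the real reader sizes this from the header */
    if (data == NULL) return -1;                /* also leaks colors */
    if (!set_image_extent(hdr->width, hdr->height)) return -1;  /* leaks colors and data */
    /* ... pixel decoding would go here ... */
    track_free(data); track_free(colors);
    return 0;
}

/* Fixed shape: one exit path releases whatever was acquired, whichever check failed. */
int read_xwd_fixed(const xwd_hdr *hdr) {
    int status = -1;
    uint8_t *data = NULL;
    uint32_t *colors = track_alloc((size_t)hdr->ncolors * sizeof(uint32_t));
    if (colors == NULL) goto cleanup;
    data = track_alloc(4096);
    if (data == NULL) goto cleanup;
    if (!set_image_extent(hdr->width, hdr->height)) goto cleanup;
    status = 0;                                 /* decoding would happen before this */
cleanup:
    track_free(data); track_free(colors);
    return status;
}
```

Calling read_xwd_leaky with a constructed header whose geometry fails the check (for example zero width and height) leaves two blocks live, the kind of record that the `valgrind --leak-check=full` run in comment 1 flags; read_xwd_fixed leaves none.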
Comment 11 Swamp Workflow Management 2017-06-06 16:13:20 UTC
SUSE-SU-2017:1489-1: An update that fixes 27 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1028075,1033091,1034870,1034872,1034876,1036976,1036977,1036978,1036980,1036981,1036982,1036983,1036984,1036985,1036986,1036987,1036988,1036989,1036990,1036991,1037527,1038000,1040025,1040303,1040304,1040306,1040332
CVE References: CVE-2017-6502,CVE-2017-7606,CVE-2017-7941,CVE-2017-7942,CVE-2017-7943,CVE-2017-8343,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8347,CVE-2017-8348,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8354,CVE-2017-8355,CVE-2017-8356,CVE-2017-8357,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9141,CVE-2017-9142,CVE-2017-9143,CVE-2017-9144
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
Comment 13 Swamp Workflow Management 2017-06-14 13:13:11 UTC
openSUSE-SU-2017:1560-1: An update that fixes 27 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1028075,1033091,1034870,1034872,1034876,1036976,1036977,1036978,1036980,1036981,1036982,1036983,1036984,1036985,1036986,1036987,1036988,1036989,1036990,1036991,1037527,1038000,1040025,1040303,1040304,1040306,1040332
CVE References: CVE-2017-6502,CVE-2017-7606,CVE-2017-7941,CVE-2017-7942,CVE-2017-7943,CVE-2017-8343,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8347,CVE-2017-8348,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8354,CVE-2017-8355,CVE-2017-8356,CVE-2017-8357,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9141,CVE-2017-9142,CVE-2017-9143,CVE-2017-9144
Sources used:
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-30.3.1
Comment 14 Swamp Workflow Management 2017-06-19 10:12:05 UTC
SUSE-SU-2017:1599-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033091,1034870,1034872,1034876,1036976,1036978,1036980,1036981,1036983,1036984,1036985,1036986,1036987,1036988,1036989,1036990,1037527,1038000,1040025,1040303,1040304,1040306,1040332
CVE References: CVE-2014-9846,CVE-2016-10050,CVE-2017-7606,CVE-2017-7941,CVE-2017-7942,CVE-2017-7943,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8348,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8354,CVE-2017-8355,CVE-2017-8357,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9141,CVE-2017-9142,CVE-2017-9143,CVE-2017-9144
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.77.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.77.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.77.1
Comment 15 Swamp Workflow Management 2017-06-19 13:11:24 UTC
SUSE-SU-2017:1600-1: An update that fixes 17 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033091,1034876,1036978,1036980,1036981,1036984,1036985,1036986,1036987,1036988,1036990,1037527,1038000,1040025,1040304,1040332,984144
CVE References: CVE-2014-9847,CVE-2017-7606,CVE-2017-7941,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8355,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9142,CVE-2017-9144
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.77.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.77.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.77.1
Comment 16 Marcus Meissner 2017-06-20 08:02:24 UTC
released