First Last Prev Next    This bug is not in your last search results.
Bug 1055050 - (CVE-2017-13063) VUL-0: CVE-2017-13063: GraphicsMagick: GraphicsMagick 1.3.26 has a heap-based buffer overflow vulnerability inthe function GetStyleTokens in coders/svg.c:314:12.
(CVE-2017-13063)
VUL-0: CVE-2017-13063: GraphicsMagick: GraphicsMagick 1.3.26 has a heap-based...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/190883/
CVSSv3:SUSE:CVE-2017-13063:9.8:(AV:N/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-22 15:03 UTC by Marcus Meissner
Modified: 2018-02-12 08:26 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
gm_heap_buffer_overflow_in_GetStyleTokens (268 bytes, application/octet-stream)
2017-08-22 15:03 UTC, Marcus Meissner 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2017-08-22 15:03:04 UTC 
CVE-2017-13063

GraphicsMagick 1.3.26 has a heap-based buffer overflow vulnerability in
the function GetStyleTokens in coders/svg.c:314:12.

http://hg.code.sf.net/p/graphicsmagick/code/rev/54f48ab2d52a
https://sourceforge.net/p/graphicsmagick/bugs/434/
Comment 1 Marcus Meissner 2017-08-22 15:03:42 UTC 
Created attachment 737812 [details]
gm_heap_buffer_overflow_in_GetStyleTokens

QA REPRODUCER:

valgrind gm identify gm_heap_buffer_overflow_in_GetStyleTokens

should not report invalid writes
Comment 2 Marcus Meissner 2017-08-22 15:04:03 UTC 
affects SLE11, also Leap. (SLE11 needs valgrind, Leap seems to crash directly)

ImageMagick seems not affected.
Comment 3 Petr Gajdos 2017-10-20 09:15:52 UTC 
42.3, 42.2
$ gm identify gm_heap_buffer_overflow_in_GetStyleTokens 
*** Error in `gm': free(): invalid pointer: 0x0000555fc9394910 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x721af)[0x7f68577571af]
/lib64/libc.so.6(+0x77706)[0x7f685775c706]
/usr/lib64/GraphicsMagick-1.3.25/modules-Q16/coders/svg.so(+0x6825)[0x7f68556d8825]
/usr/lib64/libxml2.so.2(xmlParseStartTag+0x425)[0x7f68553adbc5]
/usr/lib64/libxml2.so.2(+0x52f9c)[0x7f68553b9f9c]
/usr/lib64/libxml2.so.2(xmlParseChunk+0x2de)[0x7f68553baf7e]
/usr/lib64/GraphicsMagick-1.3.25/modules-Q16/coders/svg.so(+0x85ec)[0x7f68556da5ec]
/usr/lib64/libGraphicsMagick-Q16.so.3(ReadImage+0x1d8)[0x7f6857d30f08]
/usr/lib64/libGraphicsMagick-Q16.so.3(PingImage+0x42)[0x7f6857d31d22]
/usr/lib64/libGraphicsMagick-Q16.so.3(IdentifyImageCommand+0x4ed)[0x7f6857cfdf4d]
/usr/lib64/libGraphicsMagick-Q16.so.3(MagickCommand+0x155)[0x7f6857cff895]
/usr/lib64/libGraphicsMagick-Q16.so.3(+0x5b9ae)[0x7f6857d009ae]
/usr/lib64/libGraphicsMagick-Q16.so.3(GMCommand+0x2e)[0x7f6857d240be]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f68577056e5]
gm(+0x729)[0x555fc8824729]
======= Memory map: ========
gm identify: abort due to signal 6 (SIGABRT) "Abort"...
Aborted (core dumped)
$

$ valgrind gm identify gm_heap_buffer_overflow_in_GetStyleTokens
==4518== Memcheck, a memory error detector.
==4518== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==4518== Using LibVEX rev 1854, a library for dynamic binary translation.
==4518== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==4518== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==4518== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==4518== For more details, rerun with: -v
==4518== 
==4518== Invalid write of size 8
==4518==    at 0x8030FDA: SVGStartElement (svg.c:291)
==4518==    by 0x827FE99: xmlParseStartTag (in /usr/lib64/libxml2.so.2.7.1)
==4518==    by 0x8285A0C: xmlParseChunk (in /usr/lib64/libxml2.so.2.7.1)
==4518==    by 0x80326D8: ReadSVGImage (svg.c:2758)
==4518==    by 0x4EA044C: ReadImage (constitute.c:6000)
==4518==    by 0x4EFC60D: ReadStream (pixel_cache.c:3648)
==4518==    by 0x4EA1228: PingImage (constitute.c:5770)
==4518==    by 0x4E86D17: IdentifyImageCommand (command.c:7204)
==4518==    by 0x4E73673: MagickCommand (command.c:7654)
==4518==    by 0x4E737EE: GMCommand (command.c:15278)
==4518==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
==4518==  Address 0x7c9bb28 is 0 bytes after a block of size 32 alloc'd
==4518==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==4518==    by 0x8030F18: SVGStartElement (svg.c:267)
==4518==    by 0x827FE99: xmlParseStartTag (in /usr/lib64/libxml2.so.2.7.1)
==4518==    by 0x8285A0C: xmlParseChunk (in /usr/lib64/libxml2.so.2.7.1)
==4518==    by 0x80326D8: ReadSVGImage (svg.c:2758)
==4518==    by 0x4EA044C: ReadImage (constitute.c:6000)
==4518==    by 0x4EFC60D: ReadStream (pixel_cache.c:3648)
==4518==    by 0x4EA1228: PingImage (constitute.c:5770)
==4518==    by 0x4E86D17: IdentifyImageCommand (command.c:7204)
==4518==    by 0x4E73673: MagickCommand (command.c:7654)
==4518==    by 0x4E737EE: GMCommand (command.c:15278)
==4518==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
==4518== 
==4518== Invalid read of size 8
==4518==    at 0x8031143: SVGStartElement (svg.c:1716)
==4518==    by 0x827FE99: xmlParseStartTag (in /usr/lib64/libxml2.so.2.7.1)
==4518==    by 0x8285A0C: xmlParseChunk (in /usr/lib64/libxml2.so.2.7.1)
==4518==    by 0x80326D8: ReadSVGImage (svg.c:2758)
==4518==    by 0x4EA044C: ReadImage (constitute.c:6000)
==4518==    by 0x4EFC60D: ReadStream (pixel_cache.c:3648)
==4518==    by 0x4EA1228: PingImage (constitute.c:5770)
==4518==    by 0x4E86D17: IdentifyImageCommand (command.c:7204)
==4518==    by 0x4E73673: MagickCommand (command.c:7654)
==4518==    by 0x4E737EE: GMCommand (command.c:15278)
==4518==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
==4518==  Address 0x7c9bb28 is 0 bytes after a block of size 32 alloc'd
==4518==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==4518==    by 0x8030F18: SVGStartElement (svg.c:267)
==4518==    by 0x827FE99: xmlParseStartTag (in /usr/lib64/libxml2.so.2.7.1)
==4518==    by 0x8285A0C: xmlParseChunk (in /usr/lib64/libxml2.so.2.7.1)
==4518==    by 0x80326D8: ReadSVGImage (svg.c:2758)
==4518==    by 0x4EA044C: ReadImage (constitute.c:6000)
==4518==    by 0x4EFC60D: ReadStream (pixel_cache.c:3648)
==4518==    by 0x4EA1228: PingImage (constitute.c:5770)
==4518==    by 0x4E86D17: IdentifyImageCommand (command.c:7204)
==4518==    by 0x4E73673: MagickCommand (command.c:7654)
==4518==    by 0x4E737EE: GMCommand (command.c:15278)
==4518==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
gm identify: Negative or zero image size.
==4518== 
==4518== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 13 from 3)
==4518== malloc/free: in use at exit: 918 bytes in 19 blocks.
==4518== malloc/free: 1,531 allocs, 1,512 frees, 436,647 bytes allocated.
==4518== For counts of detected errors, rerun with: -v
==4518== searching for pointers to 19 not-freed blocks.
==4518== checked 436,456 bytes.
==4518== 
==4518== LEAK SUMMARY:
==4518==    definitely lost: 886 bytes in 18 blocks.
==4518==      possibly lost: 0 bytes in 0 blocks.
==4518==    still reachable: 32 bytes in 1 blocks.
==4518==         suppressed: 0 bytes in 0 blocks.
==4518== Rerun with --leak-check=full to see details of leaked memory.
$
Comment 4 Petr Gajdos 2017-10-20 09:17:22 UTC 
Patch applied against tumbleweed/GraphicsMagick-1.3.26 cure the issue. This is not the case of 42.3/GraphicsMagick-1.3.25 though.
Comment 5 Petr Gajdos 2017-10-20 09:24:47 UTC 
However, there are just cosmetic changes in GetStyleTokens() between 1.3.25 and 1.3.26.
Comment 6 Petr Gajdos 2017-10-20 09:36:13 UTC 
Correction, this bug seem to be fixed by the assigned upstream commit (just bug 1055042 is not).
Comment 7 Petr Gajdos 2017-10-20 11:48:09 UTC 
AFTER

42.2, 42.3

$ gm identify gm_heap_buffer_overflow_in_GetStyleTokens
gm identify: invalid primitive argument ().
gm identify: Request did not return an image.
$

11

$ valgrind gm identify gm_heap_buffer_overflow_in_GetStyleTokens
[..]
==32168== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 13 from 3)
[..]
$
Comment 8 Petr Gajdos 2017-10-20 11:51:37 UTC 
Packages submitted.
Comment 9 Bernhard Wiedemann 2017-10-20 12:00:58 UTC 
This is an autogenerated message for OBS integration:
This bug (1055050) was mentioned in
https://build.opensuse.org/request/show/535451 42.3 / GraphicsMagick
https://build.opensuse.org/request/show/535452 42.2 / GraphicsMagick
Comment 11 Bernhard Wiedemann 2017-10-25 14:02:10 UTC 
This is an autogenerated message for OBS integration:
This bug (1055050) was mentioned in
https://build.opensuse.org/request/show/536525 42.3 / GraphicsMagick
https://build.opensuse.org/request/show/536526 42.2 / GraphicsMagick
Comment 13 Swamp Workflow Management 2017-10-27 22:18:00 UTC 
openSUSE-SU-2017:2894-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1054596,1054598,1055042,1055050,1055430,1056431
CVE References: CVE-2017-12936,CVE-2017-12937,CVE-2017-13063,CVE-2017-13064,CVE-2017-13139,CVE-2017-13775
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-34.1
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-11.34.1
Comment 15 Swamp Workflow Management 2017-11-23 20:08:20 UTC 
SUSE-SU-2017:3056-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1050135,1054596,1054598,1055042,1055050,1055430,1061873
CVE References: CVE-2017-11534,CVE-2017-12936,CVE-2017-12937,CVE-2017-13063,CVE-2017-13064,CVE-2017-13139,CVE-2017-15033
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.78.16.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.16.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.16.1
Comment 16 Marcus Meissner 2018-02-12 08:26:01 UTC 
released
First Last Prev Next    This bug is not in your last search results.