Bug 1055050 - (CVE-2017-13063) VUL-0: CVE-2017-13063: GraphicsMagick: GraphicsMagick 1.3.26 has a heap-based buffer overflow vulnerability in the function GetStyleTokens in coders/svg.c:314:12.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other OS: Other
Priority: P3 - Medium Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/190883/
CVSSv3:SUSE:CVE-2017-13063:9.8:(AV:N/...
Depends on:
Blocks:
Reported: 2017-08-22 15:03 UTC by Marcus Meissner
Modified: 2018-02-12 08:26 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
gm_heap_buffer_overflow_in_GetStyleTokens (268 bytes, application/octet-stream)
2017-08-22 15:03 UTC, Marcus Meissner

Description Marcus Meissner 2017-08-22 15:03:04 UTC
CVE-2017-13063

GraphicsMagick 1.3.26 has a heap-based buffer overflow vulnerability in
the function GetStyleTokens in coders/svg.c:314:12.

http://hg.code.sf.net/p/graphicsmagick/code/rev/54f48ab2d52a
https://sourceforge.net/p/graphicsmagick/bugs/434/
Comment 1 Marcus Meissner 2017-08-22 15:03:42 UTC
Created attachment 737812 [details]
gm_heap_buffer_overflow_in_GetStyleTokens

QA REPRODUCER:

valgrind gm identify gm_heap_buffer_overflow_in_GetStyleTokens

should not report invalid writes
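The QA reproducer above is a manual check: run the attachment through `gm identify` under valgrind and confirm Memcheck reports no invalid writes. The following POSIX shell script is an added example (not part of this bug report or of the GraphicsMagick project) that turns it into a pass/fail regression test. It assumes `gm` and `valgrind` are on PATH when `run_reproducer` is called; `check_valgrind_log` only inspects a captured Memcheck report, so it works on a saved log as well.

```shell
#!/bin/sh
# Added example: automate the QA reproducer from Comment 1.
# Memcheck writes its report to stderr with an "==PID==" prefix, which is how
# the checks below tell valgrind's lines apart from gm's own messages
# (e.g. "gm identify: Negative or zero image size.").

# check_valgrind_log LOGFILE
# Returns 0 (pass) only when the log contains no "Invalid read/write" report
# and an ERROR SUMMARY of 0 errors; returns 1 (fail) otherwise, including when
# no ERROR SUMMARY line is present (valgrind did not run to completion).
check_valgrind_log() {
    vg_log="$1"
    if grep -Eq '^==[0-9]+== Invalid (read|write) of size' "$vg_log"; then
        return 1
    fi
    if grep -Eq '^==[0-9]+== ERROR SUMMARY: 0 errors' "$vg_log"; then
        return 0
    fi
    return 1
}

# run_reproducer INPUT_FILE
# Runs "valgrind gm identify INPUT_FILE" (the reproducer from Comment 1),
# captures stderr, and evaluates it with check_valgrind_log.
# Assumes gm and valgrind are installed; returns 2 if a temp file cannot be made.
run_reproducer() {
    input="$1"
    capture=$(mktemp) || return 2
    valgrind gm identify "$input" >/dev/null 2>"$capture"
    check_valgrind_log "$capture"
    rc=$?
    rm -f "$capture"
    return $rc
}

# Usage (when gm and valgrind are available):
#   run_reproducer gm_heap_buffer_overflow_in_GetStyleTokens && echo PASS || echo FAIL
```

A fixed package should report PASS (the ERROR SUMMARY line reads "0 errors from 0 contexts", as in Comment 7); a vulnerable one reports FAIL because Memcheck emits "Invalid write of size 8" from SVGStartElement as shown in Comment 3.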
Comment 2 Marcus Meissner 2017-08-22 15:04:03 UTC
affects SLE11, also Leap. (SLE11 needs valgrind, Leap seems to crash directly)

ImageMagick seems not affected.
Comment 3 Petr Gajdos 2017-10-20 09:15:52 UTC
42.3, 42.2
$ gm identify gm_heap_buffer_overflow_in_GetStyleTokens 
*** Error in `gm': free(): invalid pointer: 0x0000555fc9394910 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x721af)[0x7f68577571af]
/lib64/libc.so.6(+0x77706)[0x7f685775c706]
/usr/lib64/GraphicsMagick-1.3.25/modules-Q16/coders/svg.so(+0x6825)[0x7f68556d8825]
/usr/lib64/libxml2.so.2(xmlParseStartTag+0x425)[0x7f68553adbc5]
/usr/lib64/libxml2.so.2(+0x52f9c)[0x7f68553b9f9c]
/usr/lib64/libxml2.so.2(xmlParseChunk+0x2de)[0x7f68553baf7e]
/usr/lib64/GraphicsMagick-1.3.25/modules-Q16/coders/svg.so(+0x85ec)[0x7f68556da5ec]
/usr/lib64/libGraphicsMagick-Q16.so.3(ReadImage+0x1d8)[0x7f6857d30f08]
/usr/lib64/libGraphicsMagick-Q16.so.3(PingImage+0x42)[0x7f6857d31d22]
/usr/lib64/libGraphicsMagick-Q16.so.3(IdentifyImageCommand+0x4ed)[0x7f6857cfdf4d]
/usr/lib64/libGraphicsMagick-Q16.so.3(MagickCommand+0x155)[0x7f6857cff895]
/usr/lib64/libGraphicsMagick-Q16.so.3(+0x5b9ae)[0x7f6857d009ae]
/usr/lib64/libGraphicsMagick-Q16.so.3(GMCommand+0x2e)[0x7f6857d240be]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f68577056e5]
gm(+0x729)[0x555fc8824729]
======= Memory map: ========
gm identify: abort due to signal 6 (SIGABRT) "Abort"...
Aborted (core dumped)
$

$ valgrind gm identify gm_heap_buffer_overflow_in_GetStyleTokens
==4518== Memcheck, a memory error detector.
==4518== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==4518== Using LibVEX rev 1854, a library for dynamic binary translation.
==4518== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==4518== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==4518== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==4518== For more details, rerun with: -v
==4518== 
==4518== Invalid write of size 8
==4518==    at 0x8030FDA: SVGStartElement (svg.c:291)
==4518==    by 0x827FE99: xmlParseStartTag (in /usr/lib64/libxml2.so.2.7.1)
==4518==    by 0x8285A0C: xmlParseChunk (in /usr/lib64/libxml2.so.2.7.1)
==4518==    by 0x80326D8: ReadSVGImage (svg.c:2758)
==4518==    by 0x4EA044C: ReadImage (constitute.c:6000)
==4518==    by 0x4EFC60D: ReadStream (pixel_cache.c:3648)
==4518==    by 0x4EA1228: PingImage (constitute.c:5770)
==4518==    by 0x4E86D17: IdentifyImageCommand (command.c:7204)
==4518==    by 0x4E73673: MagickCommand (command.c:7654)
==4518==    by 0x4E737EE: GMCommand (command.c:15278)
==4518==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
==4518==  Address 0x7c9bb28 is 0 bytes after a block of size 32 alloc'd
==4518==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==4518==    by 0x8030F18: SVGStartElement (svg.c:267)
==4518==    by 0x827FE99: xmlParseStartTag (in /usr/lib64/libxml2.so.2.7.1)
==4518==    by 0x8285A0C: xmlParseChunk (in /usr/lib64/libxml2.so.2.7.1)
==4518==    by 0x80326D8: ReadSVGImage (svg.c:2758)
==4518==    by 0x4EA044C: ReadImage (constitute.c:6000)
==4518==    by 0x4EFC60D: ReadStream (pixel_cache.c:3648)
==4518==    by 0x4EA1228: PingImage (constitute.c:5770)
==4518==    by 0x4E86D17: IdentifyImageCommand (command.c:7204)
==4518==    by 0x4E73673: MagickCommand (command.c:7654)
==4518==    by 0x4E737EE: GMCommand (command.c:15278)
==4518==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
==4518== 
==4518== Invalid read of size 8
==4518==    at 0x8031143: SVGStartElement (svg.c:1716)
==4518==    by 0x827FE99: xmlParseStartTag (in /usr/lib64/libxml2.so.2.7.1)
==4518==    by 0x8285A0C: xmlParseChunk (in /usr/lib64/libxml2.so.2.7.1)
==4518==    by 0x80326D8: ReadSVGImage (svg.c:2758)
==4518==    by 0x4EA044C: ReadImage (constitute.c:6000)
==4518==    by 0x4EFC60D: ReadStream (pixel_cache.c:3648)
==4518==    by 0x4EA1228: PingImage (constitute.c:5770)
==4518==    by 0x4E86D17: IdentifyImageCommand (command.c:7204)
==4518==    by 0x4E73673: MagickCommand (command.c:7654)
==4518==    by 0x4E737EE: GMCommand (command.c:15278)
==4518==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
==4518==  Address 0x7c9bb28 is 0 bytes after a block of size 32 alloc'd
==4518==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==4518==    by 0x8030F18: SVGStartElement (svg.c:267)
==4518==    by 0x827FE99: xmlParseStartTag (in /usr/lib64/libxml2.so.2.7.1)
==4518==    by 0x8285A0C: xmlParseChunk (in /usr/lib64/libxml2.so.2.7.1)
==4518==    by 0x80326D8: ReadSVGImage (svg.c:2758)
==4518==    by 0x4EA044C: ReadImage (constitute.c:6000)
==4518==    by 0x4EFC60D: ReadStream (pixel_cache.c:3648)
==4518==    by 0x4EA1228: PingImage (constitute.c:5770)
==4518==    by 0x4E86D17: IdentifyImageCommand (command.c:7204)
==4518==    by 0x4E73673: MagickCommand (command.c:7654)
==4518==    by 0x4E737EE: GMCommand (command.c:15278)
==4518==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
gm identify: Negative or zero image size.
==4518== 
==4518== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 13 from 3)
==4518== malloc/free: in use at exit: 918 bytes in 19 blocks.
==4518== malloc/free: 1,531 allocs, 1,512 frees, 436,647 bytes allocated.
==4518== For counts of detected errors, rerun with: -v
==4518== searching for pointers to 19 not-freed blocks.
==4518== checked 436,456 bytes.
==4518== 
==4518== LEAK SUMMARY:
==4518==    definitely lost: 886 bytes in 18 blocks.
==4518==      possibly lost: 0 bytes in 0 blocks.
==4518==    still reachable: 32 bytes in 1 blocks.
==4518==         suppressed: 0 bytes in 0 blocks.
==4518== Rerun with --leak-check=full to see details of leaked memory.
$
Comment 4 Petr Gajdos 2017-10-20 09:17:22 UTC
Patch applied against tumbleweed/GraphicsMagick-1.3.26 cures the issue. This is not the case for 42.3/GraphicsMagick-1.3.25 though.
Comment 5 Petr Gajdos 2017-10-20 09:24:47 UTC
However, there are just cosmetic changes in GetStyleTokens() between 1.3.25 and 1.3.26.
Comment 6 Petr Gajdos 2017-10-20 09:36:13 UTC
Correction, this bug seems to be fixed by the assigned upstream commit (just bug 1055042 is not).
Comment 7 Petr Gajdos 2017-10-20 11:48:09 UTC
AFTER

42.2, 42.3

$ gm identify gm_heap_buffer_overflow_in_GetStyleTokens
gm identify: invalid primitive argument ().
gm identify: Request did not return an image.
$

11

$ valgrind gm identify gm_heap_buffer_overflow_in_GetStyleTokens
[..]
==32168== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 13 from 3)
[..]
$
Comment 8 Petr Gajdos 2017-10-20 11:51:37 UTC
Packages submitted.
Comment 9 Bernhard Wiedemann 2017-10-20 12:00:58 UTC
This is an autogenerated message for OBS integration:
This bug (1055050) was mentioned in
https://build.opensuse.org/request/show/535451 42.3 / GraphicsMagick
https://build.opensuse.org/request/show/535452 42.2 / GraphicsMagick
Comment 11 Bernhard Wiedemann 2017-10-25 14:02:10 UTC
This is an autogenerated message for OBS integration:
This bug (1055050) was mentioned in
https://build.opensuse.org/request/show/536525 42.3 / GraphicsMagick
https://build.opensuse.org/request/show/536526 42.2 / GraphicsMagick
Comment 13 Swamp Workflow Management 2017-10-27 22:18:00 UTC
openSUSE-SU-2017:2894-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1054596,1054598,1055042,1055050,1055430,1056431
CVE References: CVE-2017-12936,CVE-2017-12937,CVE-2017-13063,CVE-2017-13064,CVE-2017-13139,CVE-2017-13775
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-34.1
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-11.34.1
Comment 15 Swamp Workflow Management 2017-11-23 20:08:20 UTC
SUSE-SU-2017:3056-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1050135,1054596,1054598,1055042,1055050,1055430,1061873
CVE References: CVE-2017-11534,CVE-2017-12936,CVE-2017-12937,CVE-2017-13063,CVE-2017-13064,CVE-2017-13139,CVE-2017-15033
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.78.16.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.16.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.16.1
Comment 16 Marcus Meissner 2018-02-12 08:26:01 UTC
released