Bug 1056277 - (CVE-2017-13758) VUL-0: CVE-2017-13758: GraphicsMagick: In ImageMagick 7.0.6-10, there is a heap-based buffer overflow in theTracePoint() function in MagickCore/draw.c.
(CVE-2017-13758)
VUL-0: CVE-2017-13758: GraphicsMagick: In ImageMagick 7.0.6-10, there is a he...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/191219/
CVSSv2:SUSE:CVE-2017-13758:6.8:(AV:N/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-30 05:16 UTC by Marcus Meissner
Modified: 2018-12-16 15:59 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
im_hbo_TracePoint.svg (132 bytes, application/octet-stream)
2017-08-30 05:17 UTC, Marcus Meissner
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2017-08-30 05:16:45 UTC
CVE-2017-13758

In ImageMagick 7.0.6-10, there is a heap-based buffer overflow in the
TracePoint() function in MagickCore/draw.c.

https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32583

 Post by fumfel ยป 2017-08-28T01:26:30-07:00
After some fuzz testing I found a crashing test case.

Git HEAD: b0323e6509f4530a228c8788db11a49ff9255b69

OS & Compiler: Ubuntu 16.04 x64 + Clang 4.0

Command:

Code: Select all

 convert im_hbo_TracePoint /dev/null

Faulting input: https://frankowicz.me/storage/crashes/i ... ePoint.svg

ASAN:

Code: Select all

==21950==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f17a55597f8 at pc 0x7f17b0db90f8 bp 0x7ffeddc90d50 sp 0x7ffeddc90d48
WRITE of size 8 at 0x7f17a55597f8 thread T0
    #0 0x7f17b0db90f7 in TracePoint XYZ/ImageMagick/MagickCore/draw.c:1667:30
    #1 0x7f17b0db90f7 in TraceEllipse XYZ/ImageMagick/MagickCore/draw.c:5393
    #2 0x7f17b0dab80b in TraceCircle XYZ/ImageMagick/MagickCore/draw.c:5351:3
    #3 0x7f17b0dab80b in DrawImage XYZ/ImageMagick/MagickCore/draw.c:3128
    #4 0x7f17b14e8692 in ReadMVGImage XYZ/ImageMagick/coders/mvg.c:221:10
    #5 0x7f17b0cdafa4 in ReadImage XYZ/ImageMagick/MagickCore/constitute.c:497:13
    #6 0x7f17b15f994a in ReadSVGImage XYZ/ImageMagick/coders/svg.c:3273:13
    #7 0x7f17b0cdafa4 in ReadImage XYZ/ImageMagick/MagickCore/constitute.c:497:13
    #8 0x7f17b0cde661 in ReadImages XYZ/ImageMagick/MagickCore/constitute.c:866:9
    #9 0x7f17b02e81d1 in ConvertImageCommand XYZ/ImageMagick/MagickWand/convert.c:641:18
    #10 0x7f17b04a4125 in MagickCommandGenesis XYZ/ImageMagick/MagickWand/mogrify.c:183:14
    #11 0x4ee3e9 in MagickMain XYZ/ImageMagick/utilities/magick.c:149:10
    #12 0x4ee3e9 in main XYZ/ImageMagick/utilities/magick.c:180
    #13 0x7f17abd0282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x41a338 in _start (/usr/local/bin/magick+0x41a338)

0x7f17a55597f8 is located 16 bytes to the right of 262120-byte region [0x7f17a5519800,0x7f17a55597e8)
allocated by thread T0 here:
    #0 0x4c103c in __interceptor_malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x7f17b0f5e9a4 in AcquireMagickMemory XYZ/ImageMagick/MagickCore/memory.c:464:10
    #2 0x7f17b0f5e9a4 in AcquireQuantumMemory XYZ/ImageMagick/MagickCore/memory.c:537
    #3 0x7f17b14e8692 in ReadMVGImage XYZ/ImageMagick/coders/mvg.c:221:10
    #4 0x7f17b0cdafa4 in ReadImage XYZ/ImageMagick/MagickCore/constitute.c:497:13
    #5 0x7f17b15f994a in ReadSVGImage XYZ/ImageMagick/coders/svg.c:3273:13
    #6 0x7f17b0cdafa4 in ReadImage XYZ/ImageMagick/MagickCore/constitute.c:497:13
    #7 0x7f17b0cde661 in ReadImages XYZ/ImageMagick/MagickCore/constitute.c:866:9
    #8 0x7f17b02e81d1 in ConvertImageCommand XYZ/ImageMagick/MagickWand/convert.c:641:18
    #9 0x7f17b04a4125 in MagickCommandGenesis XYZ/ImageMagick/MagickWand/mogrify.c:183:14
    #10 0x4ee3e9 in MagickMain XYZ/ImageMagick/utilities/magick.c:149:10
    #11 0x4ee3e9 in main XYZ/ImageMagick/utilities/magick.c:180
    #12 0x7f17abd0282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow XYZ/ImageMagick/MagickCore/draw.c:1667:30 in TracePoint
Shadow bytes around the buggy address:
  0x0fe374aa32a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe374aa32b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe374aa32c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe374aa32d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe374aa32e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe374aa32f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa[fa]
  0x0fe374aa3300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe374aa3310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe374aa3320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe374aa3330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe374aa3340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21950==ABORTING

Regards,
Kamil Frankowicz
Top
Comment 1 Marcus Meissner 2017-08-30 05:17:33 UTC
Created attachment 738762 [details]
im_hbo_TracePoint.svg

QA REPRODUCER:

ImageMagick:
convert im_hbo_TracePoint.svg /dev/null

GraphicsMagick:
gm im_hbo_TracePoint.svg
Comment 2 Marcus Meissner 2017-08-30 05:19:32 UTC
SLE11 GraphicsMagick: crashes

Leap and openSUSE GraphicsMagick: report:
gm convert: primitive arithmetic overflow (circle).
(not affected)

ImageMagick is tricky:

SLE11 IM: 

convert im_hbo_TracePoint.svg /dev/null 
convert: Memory allocation failed `im_hbo_TracePoint.svg'.
convert: missing an image filename `/dev/null'.

(not affected I would say)

SLE12 and Factory IM:
causes an assertion in the "inkscape" that SVG delegates too.

- not affected.
Comment 3 Marcus Meissner 2017-08-30 05:20:33 UTC
(that Imagemagick is not affected is probably due to the fact we do not use its internal svg renderer, but delegate)
Comment 5 Petr Gajdos 2018-05-25 14:19:05 UTC
12/ImageMagick
  
$ convert im_hbo_TracePoint.svg /dev/null
[hangs]

11/ImageMagick

$ valgrind -q convert im_hbo_TracePoint.svg /dev/null
convert: no image vector graphics `/dev/null'.
$

11/GraphicsMagick

$ gm convert im_hbo_TracePoint.svg null:
Segmentation fault (core dumped)
$

42.3/GraphicsMagick

$ valgrind -q gm convert im_hbo_TracePoint.svg null:
gm convert: primitive arithmetic overflow (circle).
$
Comment 6 Petr Gajdos 2018-05-25 14:37:34 UTC
12/ImageMagick

The hang is caused by wrong patch (bug 1047356 comment 4). ReadBlob() should return 0, but might return -1 in this version it seems. I will amend the patch. AFTER patch is amended but BEFORE the patch from comment 4:

$ valgrind -q convert im_hbo_TracePoint.svg /dev/null
$

The code is partially there, considering affected.

AFTER patch from comment 4:

$ valgrind -q convert im_hbo_TracePoint.svg /dev/null
$
[no change]
Comment 7 Petr Gajdos 2018-05-30 09:54:18 UTC
11/ImageMagick:

BEFORE
see comment 5


PATCH
see comment 4
Code is there, considering affected.

AFTER

$ valgrind -q convert im_hbo_TracePoint.svg /dev/null
convert: no image vector graphics `/dev/null'.
$
[no change]
Comment 9 Petr Gajdos 2018-05-30 13:19:29 UTC
11/GraphicsMagick

BEFORE

see comment 5


PATCH

http://hg.code.sf.net/p/graphicsmagick/code/diff/6071b5820215/magick/render.c


AFTER

$ gm convert im_hbo_TracePoint.svg null:
gm convert: Non-conforming drawing primitive definition (circle).
$
Comment 10 Petr Gajdos 2018-05-30 13:22:36 UTC
42.3/GraphicsMagick:

Have the fix already in.
Comment 11 Petr Gajdos 2018-05-30 13:23:43 UTC
Submitted for 12/ImageMagick, 11/ImageMagick and 11/GraphicsMagick.

I believe all fixed.
Comment 18 Swamp Workflow Management 2018-06-29 19:08:34 UTC
SUSE-SU-2018:1851-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047356,1056277,1087820,1094204,1094237,1095730,1095812,1095813
CVE References: CVE-2017-10928,CVE-2017-13758,CVE-2017-18271,CVE-2018-10804,CVE-2018-10805,CVE-2018-11251,CVE-2018-11655,CVE-2018-9133
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.65.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.65.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.65.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.65.1
Comment 19 Swamp Workflow Management 2018-06-30 13:09:07 UTC
openSUSE-SU-2018:1860-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047356,1056277,1087820,1094204,1094237,1095730,1095812,1095813
CVE References: CVE-2017-10928,CVE-2017-13758,CVE-2017-18271,CVE-2018-10804,CVE-2018-10805,CVE-2018-11251,CVE-2018-11655,CVE-2018-9133
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-64.1
Comment 22 Swamp Workflow Management 2018-08-16 19:15:27 UTC
SUSE-SU-2018:2390-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1056277,1094204,1095812,1102007
CVE References: CVE-2017-13758,CVE-2017-18271,CVE-2018-10805,CVE-2018-14435
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-78.61.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-78.61.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-78.61.1
Comment 23 Swamp Workflow Management 2018-08-21 10:12:30 UTC
SUSE-SU-2018:2465-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1056277,1094204,1094237,1095812,1098545,1098546,1102003,1102004,1102005,1102007
CVE References: CVE-2017-13758,CVE-2017-18271,CVE-2018-10805,CVE-2018-11251,CVE-2018-12599,CVE-2018-12600,CVE-2018-14434,CVE-2018-14435,CVE-2018-14436,CVE-2018-14437
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-78.56.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-78.56.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.56.1
Comment 24 Marcus Meissner 2018-10-04 06:15:13 UTC
released