Bugzilla – Bug 1056429
VUL-1: CVE-2017-13776: GraphicsMagick,ImageMagick: denial of service issue in ReadXBMImage() in a coders/xbm.c
Last modified: 2020-06-11 20:32:19 UTC
CVE-2017-13776 GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage() in a coders/xbm.c "Read hex image data" version!=10 case that results in the reader not returning; it would cause large amounts of CPU and memory consumption although the crafted file itself does not request it.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13776
Upstream fix: http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5e
long but not endless CPU usage loop due to missing EOF check.
See bug 1057719 (ImageMagick).
Also testcase from ImageMagick upstream issue:
https://github.com/ImageMagick/ImageMagick/issues/712

For 42.3 and 11:

BEFORE
$ gm convert x_xbm_poc.xbm test.jpg
[cpu 100%]
^C
$

AFTER
$ gm convert x_xbm_poc.xbm test.jpg
gm convert: Improper image header (x_xbm_poc.xbm).
$
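A constructed illustration of the missing-EOF-check defect discussed above (added here; this is not GraphicsMagick's coders/xbm.c, and the in-memory blob reader, the function names and the 0x-prefix handling are assumptions). The hex image data reader takes the check as a switch, so the same truncated input can be seen either failing cleanly, as the fixed reader does, or spinning on EOF until a safety budget stops it.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the blob reader: returns EOF once the data ends. */
typedef struct { const char *data; size_t len; size_t pos; } blob_t;
static int blob_getc(blob_t *b) {
    return b->pos < b->len ? (unsigned char)b->data[b->pos++] : EOF;
}
static int hex_value(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;                       /* separators, braces, newlines, EOF */
}
/* Skip separators, then read one hex token such as "0x1f" (one byte).
 * check_eof = 1: return -1 as soon as the data is exhausted (the fix).
 * check_eof = 0: EOF is just another non-digit, so the skip loop never
 * ends; *budget bounds it here so the example terminates with -2. */
static int read_hex_integer(blob_t *b, int check_eof, long *budget) {
    int c, value;
    do {
        if (--*budget < 0) return -2;
        c = blob_getc(b);
        if (check_eof && c == EOF) return -1;   /* the missing EOF check */
    } while (hex_value(c) < 0);
    value = hex_value(c);
    c = blob_getc(b);
    if (value == 0 && (c == 'x' || c == 'X'))   /* optional 0x prefix */
        c = blob_getc(b);
    while (hex_value(c) >= 0) {
        value = (value * 16 + hex_value(c)) & 0xff;
        c = blob_getc(b);
    }
    return value;
}
/* Read `count` data bytes from the part of an XBM file after the opening
 * brace. Returns 0 on success, -1 for a truncated file (what the fixed
 * reader reports as "Improper image header"), -2 if the unchecked reader
 * exhausted its budget, i.e. would have spun on EOF. */
int read_hex_image_data(const char *data, size_t count,
                        unsigned char *out, int check_eof) {
    blob_t b = { data, strlen(data), 0 };
    long budget = 10000;             /* only needed for the unchecked mode */
    for (size_t i = 0; i < count; i++) {
        int v = read_hex_integer(&b, check_eof, &budget);
        if (v < 0) return v;
        out[i] = (unsigned char)v;
    }
    return 0;
}
```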
I believe all fixed.
This is an autogenerated message for OBS integration:
This bug (1056429) was mentioned in
https://build.opensuse.org/request/show/539605 42.2 / GraphicsMagick
https://build.opensuse.org/request/show/539606 42.3 / GraphicsMagick
openSUSE-SU-2017:3020-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1054757,1055214,1056426,1056429,1057508,1066003
CVE References: CVE-2017-12983,CVE-2017-13134,CVE-2017-13776,CVE-2017-13777,CVE-2017-14165,CVE-2017-15930
Sources used:
openSUSE Leap 42.3 (src): GraphicsMagick-1.3.25-39.1
openSUSE Leap 42.2 (src): GraphicsMagick-1.3.25-11.39.1
SUSE-SU-2017:3435-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1050632,1052450,1054757,1055214,1056426,1056429,1057508,1058485,1058637,1066003,1067181,1067184,1067409
CVE References: CVE-2016-7996,CVE-2017-11640,CVE-2017-12587,CVE-2017-12983,CVE-2017-13134,CVE-2017-13776,CVE-2017-13777,CVE-2017-14165,CVE-2017-14341,CVE-2017-14342,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
SUSE Studio Onsite 1.3 (src): GraphicsMagick-1.2.5-4.78.19.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): GraphicsMagick-1.2.5-4.78.19.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): GraphicsMagick-1.2.5-4.78.19.1
released