Bug 1056429 - (CVE-2017-13776) VUL-1: CVE-2017-13776: GraphicsMagick,ImageMagick: denial of service issue in ReadXBMImage() in a coders/xbm.c
(CVE-2017-13776)
VUL-1: CVE-2017-13776: GraphicsMagick,ImageMagick: denial of service issue in...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/191251/
CVSSv2:SUSE:CVE-2017-13776:5.0:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-30 13:35 UTC by Alexander Bergmann
Modified: 2020-06-11 20:32 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2017-08-30 13:35:45 UTC
CVE-2017-13776

GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage()
in a coders/xbm.c "Read hex image data" version!=10 case that results
in the reader not returning; it would cause large amounts of CPU and
memory consumption although the crafted file itself does not request
it.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13776
Comment 1 Alexander Bergmann 2017-08-30 13:36:28 UTC
Upstream fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5e
Comment 2 Marcus Meissner 2017-09-29 08:21:02 UTC
long but not endless CPU usage loop due to missing EOF check.
Comment 3 Petr Gajdos 2017-11-07 12:03:58 UTC
See bug 1057719 (ImageMagick).
Comment 4 Petr Gajdos 2017-11-07 12:33:18 UTC
Also testcase from ImageMagick upstream issue:

https://github.com/ImageMagick/ImageMagick/issues/712

For 42.3 and 11:

BEFORE

$ gm convert x_xbm_poc.xbm test.jpg
[cpu 100%] 
^C
$

AFTER

$ gm convert x_xbm_poc.xbm test.jpg
gm convert: Improper image header (x_xbm_poc.xbm).
$
Comment 5 Petr Gajdos 2017-11-07 15:58:36 UTC
I believe all fixed.
Comment 7 Bernhard Wiedemann 2017-11-07 17:00:50 UTC
This is an autogenerated message for OBS integration:
This bug (1056429) was mentioned in
https://build.opensuse.org/request/show/539605 42.2 / GraphicsMagick
https://build.opensuse.org/request/show/539606 42.3 / GraphicsMagick
Comment 8 Swamp Workflow Management 2017-11-15 14:08:42 UTC
openSUSE-SU-2017:3020-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1054757,1055214,1056426,1056429,1057508,1066003
CVE References: CVE-2017-12983,CVE-2017-13134,CVE-2017-13776,CVE-2017-13777,CVE-2017-14165,CVE-2017-15930
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-39.1
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-11.39.1
Comment 11 Swamp Workflow Management 2017-12-27 14:09:22 UTC
SUSE-SU-2017:3435-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1050632,1052450,1054757,1055214,1056426,1056429,1057508,1058485,1058637,1066003,1067181,1067184,1067409
CVE References: CVE-2016-7996,CVE-2017-11640,CVE-2017-12587,CVE-2017-12983,CVE-2017-13134,CVE-2017-13776,CVE-2017-13777,CVE-2017-14165,CVE-2017-14341,CVE-2017-14342,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.78.19.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.19.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.19.1
Comment 12 Marcus Meissner 2018-02-12 08:31:42 UTC
released