Bugzilla – Bug 1067184
VUL-0: CVE-2017-16545: GraphicsMagick: The ReadWPGImage function in coders/wpg.c in validation problems could lead to denial of service
Last modified: 2018-02-12 08:44:04 UTC
CVE-2017-16545

The ReadWPGImage function in coders/wpg.c in GraphicsMagick 1.3.26 does not properly validate colormapped images, which allows remote attackers to cause a denial of service (ImportIndexQuantumType invalid write and application crash) or possibly have unspecified other impact via a malformed WPG image.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16545
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16545.html
http://www.cvedetails.com/cve/CVE-2017-16545/
https://sourceforge.net/p/graphicsmagick/bugs/519/
http://hg.code.sf.net/p/graphicsmagick/code/rev/e8086faa52d0
BEFORE

GraphicsMagick
--------------

42.2, 42.3

$ valgrind gm identify -verbose gm_npd
gm: magick/import.c:361: ImportIndexQuantumType: Assertion `indexes != (IndexPacket *) ((void *)0)' failed.
gm identify: abort due to signal 6 (SIGABRT) "Abort"...
==19133==
==19133== Process terminating with default action of signal 6 (SIGABRT)
==19133==    at 0x54578D7: raise (in /lib64/libc-2.22.so)
==19133==    by 0x5458D78: abort (in /lib64/libc-2.22.so)
==19133==    by 0x4F02987: MagickPanicSignalHandler (magick.c:840)
==19133==    by 0x5216B0F: ??? (in /lib64/libpthread-2.22.so)
==19133==    by 0x54578D6: raise (in /lib64/libc-2.22.so)
==19133==    by 0x5458CA9: abort (in /lib64/libc-2.22.so)
==19133==    by 0x5450865: __assert_fail_base (in /lib64/libc-2.22.so)
==19133==    by 0x5450911: __assert_fail (in /lib64/libc-2.22.so)
==19133==    by 0x4EFECF8: ImportIndexQuantumType (import.c:361)
==19133==    by 0x4EFECF8: ImportViewPixelArea (import.c:3593)
==19133==    by 0x79CEB08: InsertRow (wpg.c:277)
==19133==    by 0x79D03B7: UnpackWPGRaster (wpg.c:421)
==19133==    by 0x79D03B7: ReadWPGImage (wpg.c:1132)
==19133==    by 0x4EC0F07: ReadImage (constitute.c:1607)
$

11

[..]
  Type: grayscale
==15712==
==15712== Invalid read of size 1
==15712==    at 0x4EE4866: GetImageDepth (image.c:2840)
==15712==    by 0x4EE8E83: DescribeImage (image.c:1632)
==15712==    by 0x4E86B32: IdentifyImageCommand (command.c:7214)
==15712==    by 0x4E73673: MagickCommand (command.c:7654)
==15712==    by 0x4E737EE: GMCommand (command.c:15278)
==15712==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
==15712==  Address 0x7ca57ef is 0 bytes after a block of size 255 alloc'd
==15712==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==15712==    by 0x4EE477B: GetImageDepth (image.c:2750)
==15712==    by 0x4EE8E83: DescribeImage (image.c:1632)
==15712==    by 0x4E86B32: IdentifyImageCommand (command.c:7214)
==15712==    by 0x4E73673: MagickCommand (command.c:7654)
==15712==    by 0x4E737EE: GMCommand (command.c:15278)
==15712==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
==15712==
==15712== Invalid read of size 1
==15712==    at 0x4EE486B: GetImageDepth (image.c:2840)
==15712==    by 0x4EE8E83: DescribeImage (image.c:1632)
==15712==    by 0x4E86B32: IdentifyImageCommand (command.c:7214)
==15712==    by 0x4E73673: MagickCommand (command.c:7654)
==15712==    by 0x4E737EE: GMCommand (command.c:15278)
==15712==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
==15712==  Address 0x7ca57ef is 0 bytes after a block of size 255 alloc'd
==15712==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==15712==    by 0x4EE477B: GetImageDepth (image.c:2750)
==15712==    by 0x4EE8E83: DescribeImage (image.c:1632)
==15712==    by 0x4E86B32: IdentifyImageCommand (command.c:7214)
==15712==    by 0x4E73673: MagickCommand (command.c:7654)
==15712==    by 0x4E737EE: GMCommand (command.c:15278)
==15712==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
==15712==
==15712== More than 10000000 total errors detected. I'm not reporting any more.
==15712== Final error counts will be inaccurate. Go fix your program!
==15712== Rerun with --error-limit=no to disable this cutoff. Note
==15712== that errors may occur in your program without prior warning from
==15712== Valgrind, because errors are no longer being displayed.
==15712==
  Depth: 8 bits-per-pixel component
[..]
(command run long)

That seems to be a different issue. I will submit a patch for that too.

ImageMagick
-----------

11

$ identify -verbose gm_npd
identify: magick/blob.c:583: DestroyBlob: Assertion `image->blob != (BlobInfo *) ((void *)0)' failed.
Aborted (core dumped)
$

(this was caused by incomplete ImageMagick-CVE-2016-7996,7997.patch, I will add necessary changes to ImageMagick-CVE-2017-16545.patch)

12

$ identify -verbose gm_npd
[hang or run long]

devel

$ identify -verbose gm_npd
identify: unable to decompress image `gm_npd' @ error/wpg.c/ReadWPGImage/1161.
$

PATCH

AFTER

GraphicsMagick
--------------

42.2, 42.3

$ gm identify -verbose gm_npd
gm identify: Unable to decompress image (gm_npd).
gm identify: Request did not return an image.
$

11

$ gm identify -verbose gm_npd
gm identify: Unable to decompress image (gm_npd).
$

ImageMagick
-----------

11

$ valgrind -q identify -verbose gm_npd
identify: unable to decompress image `gm_npd'.
$

12

$ valgrind -q identify -verbose gm_npd
identify: unable to decompress image `gm_npd' @ error/wpg.c/ReadWPGImage/1162.
$
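The BEFORE/AFTER comparison above, as an added example that is not part of the original bug comments: a Python harness that runs one identify command and classifies the result as a crash (killed by a signal), a hang (timeout), a memcheck error, or a clean rejection. The verdict names, the 30-second default timeout, and treating a non-zero exit as a rejection are assumptions of this example.

```python
import re
import signal
import subprocess
import sys

# Memcheck error header, in the format shown in the valgrind output above.
MEMCHECK_ERR = re.compile(rb"^==\d+== (Invalid (?:read|write) of size \d+)", re.M)


def classify_run(argv, timeout_s=30.0):
    """Run one decoder command and return (verdict, detail)."""
    try:
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                              timeout=timeout_s)
    except subprocess.TimeoutExpired:
        # The "[hang or run long]" case: the child is killed once the limit passes.
        return ("hang", "no exit within %gs" % timeout_s)
    except OSError as exc:
        # Binary missing or not executable: nothing was tested.
        return ("not-run", str(exc))
    if proc.returncode < 0:
        # Negative return code: the child died from a signal, e.g. the
        # SIGABRT raised by a failed assertion.
        try:
            name = signal.Signals(-proc.returncode).name
        except ValueError:
            name = "signal %d" % -proc.returncode
        return ("crash", name)
    hit = MEMCHECK_ERR.search(proc.stderr)
    if hit:
        # Process exited normally, but valgrind reported an invalid access.
        return ("memory-error", hit.group(1).decode())
    if proc.returncode != 0:
        # Assumption: a non-zero exit without a signal is a clean rejection
        # such as "Unable to decompress image".
        return ("rejected", "exit status %d" % proc.returncode)
    return ("accepted", "exit status 0")


if __name__ == "__main__":
    # Example: python3 triage.py valgrind -q gm identify -verbose gm_npd
    print(*classify_run(sys.argv[1:]))
```

Running it once per package version against the same sample gives a before/after matrix in which only "rejected" or "accepted" should remain after the patch.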
Will submit for: 12/ImageMagick, 11/ImageMagick, 11/GraphicsMagick, 42.2/GraphicsMagick, 42.3/GraphicsMagick
I believe all fixed.
This is an autogenerated message for OBS integration:
This bug (1067184) was mentioned in
https://build.opensuse.org/request/show/545153 42.3 / GraphicsMagick
https://build.opensuse.org/request/show/545154 42.2 / GraphicsMagick
This is an autogenerated message for OBS integration:
This bug (1067184) was mentioned in
https://build.opensuse.org/request/show/547065 42.3 / GraphicsMagick
https://build.opensuse.org/request/show/547066 42.2 / GraphicsMagick
openSUSE-SU-2017:3223-1: An update that fixes 7 vulnerabilities is now available.
Category: security (important)
Bug References: 1050632,1056162,1058485,1058637,1067181,1067184,1067409
CVE References: CVE-2017-11640,CVE-2017-13737,CVE-2017-14341,CVE-2017-14342,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
openSUSE Leap 42.3 (src): GraphicsMagick-1.3.25-44.1
openSUSE Leap 42.2 (src): GraphicsMagick-1.3.25-11.44.1
SUSE-SU-2017:3378-1: An update that fixes 26 vulnerabilities is now available.
Category: security (important)
Bug References: 1048457,1049796,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052758,1052764,1054757,1055214,1056432,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060577,1066003,1067181,1067184
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14733,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ImageMagick-6.4.3.6-7.78.14.1
SUSE Linux Enterprise Server 11-SP4 (src): ImageMagick-6.4.3.6-7.78.14.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): ImageMagick-6.4.3.6-7.78.14.1
SUSE-SU-2017:3388-1: An update that solves 32 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1048457,1049796,1050083,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052744,1052758,1052764,1054757,1055214,1056432,1057157,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060176,1060577,1061254,1062750,1066003,1067181,1067184,1067409
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11523,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14138,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14682,CVE-2017-14733,CVE-2017-14989,CVE-2017-15217,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server 12-SP3 (src): ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server 12-SP2 (src): ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Desktop 12-SP3 (src): ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Desktop 12-SP2 (src): ImageMagick-6.8.8.1-71.17.1
openSUSE-SU-2017:3420-1: An update that solves 32 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1048457,1049796,1050083,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052744,1052758,1052764,1054757,1055214,1056432,1057157,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060176,1060577,1061254,1062750,1066003,1067181,1067184,1067409
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11523,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14138,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14682,CVE-2017-14733,CVE-2017-14989,CVE-2017-15217,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
openSUSE Leap 42.3 (src): ImageMagick-6.8.8.1-40.1
openSUSE Leap 42.2 (src): ImageMagick-6.8.8.1-30.12.1
SUSE-SU-2017:3435-1: An update that fixes 14 vulnerabilities is now available.
Category: security (important)
Bug References: 1050632,1052450,1054757,1055214,1056426,1056429,1057508,1058485,1058637,1066003,1067181,1067184,1067409
CVE References: CVE-2016-7996,CVE-2017-11640,CVE-2017-12587,CVE-2017-12983,CVE-2017-13134,CVE-2017-13776,CVE-2017-13777,CVE-2017-14165,CVE-2017-14341,CVE-2017-14342,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
SUSE Studio Onsite 1.3 (src): GraphicsMagick-1.2.5-4.78.19.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): GraphicsMagick-1.2.5-4.78.19.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): GraphicsMagick-1.2.5-4.78.19.1
released