Bug 1084062 - (CVE-2017-18220) VUL-0: CVE-2017-18220: GraphicsMagick: The ReadOneJNGImage and ReadJNGImage functions in coders/png.c in GraphicsMagick1.3.26 allow remote attackers to cause a denial of service (magick/blob.cCloseBlob use-after-free) or possi
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/201242/
CVSSv3:SUSE:CVE-2017-18220:4.8:(AV:N/...
Depends on:
Blocks:
Reported: 2018-03-06 07:19 UTC by Marcus Meissner
Modified: 2018-05-18 15:47 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
gm_heap_use_after_free_in_CloseBlob (162 bytes, application/octet-stream)
2018-03-06 07:22 UTC, Marcus Meissner

Description Marcus Meissner 2018-03-06 07:19:42 UTC
CVE-2017-18220

The ReadOneJNGImage and ReadJNGImage functions in coders/png.c in GraphicsMagick
1.3.26 allow remote attackers to cause a denial of service (magick/blob.c
CloseBlob use-after-free) or possibly have unspecified other impact via a
crafted file, a related issue to CVE-2017-11403.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18220
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18220
https://sourceforge.net/p/graphicsmagick/bugs/438/
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/98721124e51f
Comment 1 Marcus Meissner 2018-03-06 07:22:48 UTC
Created attachment 762781 [details]
gm_heap_use_after_free_in_CloseBlob

QA REPRODUCER:

valgrind identify gm_heap_use_after_free_in_CloseBlob

should not report lines like:
==29484== Invalid read of size 8
==29484==    at 0x4E6FA47: CloseBlob (in /usr/lib64/libGraphicsMagick.so.2.0.5)
Comment 2 Marcus Meissner 2018-03-06 07:23:58 UTC
ImageMagick does not detect the image type, so does not fail.

GraphicsMagick on Leap and newer reports a file-not-found error, but without any valgrind indicators.

Only SLE11 IM seems affected.
Comment 3 Petr Gajdos 2018-03-06 12:47:19 UTC
12/ImageMagick

$ valgrind -q identify allocation_failure_in_ReadOnePNGImage
identify: IHDR: CRC error `allocation_failure_in_ReadOnePNGImage' @ warning/png.c/MagickPNGWarningHandler/1828.
identify: Image height exceeds user limit in IHDR `allocation_failure_in_ReadOnePNGImage' @ warning/png.c/MagickPNGWarningHandler/1828.
identify: Invalid IHDR data `allocation_failure_in_ReadOnePNGImage' @ error/png.c/MagickPNGErrorHandler/1802.
$

11/ImageMagick
Comment 4 Petr Gajdos 2018-03-06 14:17:32 UTC
BEFORE

42.3/GraphicsMagick

$ valgrind -q gm identify mng:gm_heap_use_after_free_in_CloseBlob
gm identify: Unable to open file (/tmp/gmMOcMaT) [No such file or directory].
gm identify: Request did not return an image.
$

11/GraphicsMagick

$ valgrind -q gm identify mng:gm_heap_use_after_free_in_CloseBlob
gm identify: Unexpected end-of-file (/tmp/gmrrTOKq).
$

11/ImageMagick

$ valgrind -q identify mng:gm_heap_use_after_free_in_CloseBlob
$
[interesting, nothing is printed]

12/ImageMagick

$ valgrind -q identify mng:gm_heap_use_after_free_in_CloseBlob
identify: no decode delegate for this image format `/tmp/magick-565eS8T-6R03K07' @ error/constitute.c/ReadImage/555.
$

[no issues observed]

PATCH

in comment 0

42.3/GraphicsMagick: part of png.c-update.patch, will add to rpm changelog
11/GraphicsMagick:   part of png.c-update.patch, will add to rpm changelog
*/ImageMagick: I do not see it manifesting there
Comment 5 Petr Gajdos 2018-03-06 14:18:28 UTC
Will submit rpm changelog change for 42.3/GraphicsMagick and 11/GraphicsMagick.
Comment 6 Petr Gajdos 2018-03-10 12:38:50 UTC
(In reply to Petr Gajdos from comment #4)
> */ImageMagick: I do not see it manifesting there

I think the reason could be: In GraphicsMagick, there is:

  mng_info->image=image;
  image=ReadOneJNGImage(mng_info,image_info,exception);
  if (image == (Image *) NULL || image->columns == 0 || image->rows == 0)
    {
      if (logging)
        (void) LogMagickEvent(CoderEvent,GetMagickModule(),
            "exit ReadJNGImage() with error");
      if (image != (Image *) NULL)
        {
          DestroyImageList(image);
          image=(Image *) NULL;
        }
      if (mng_info->image != (Image *) NULL)
        {
          DestroyImageList(mng_info->image);
          mng_info->image=(Image *) NULL;
        }
      MngInfoFreeStruct(mng_info,&have_mng_structure);
      return((Image *)NULL);
    }

In ReadOneJNG() there was before the patch:

  image=mng_info->image;
...
      ThrowReaderException(..);

In case ThrowReaderException() was called, image gets freed and NULL is returned from ReadOneJNGImage(). However, the image address is the same as mng_info->image, and therefore mng_info->image points to released memory. Inside the if condition it is assumed that mng_info->image is not freed, though.

Such code is not present in ImageMagick (mng_info->image is not freed).
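The aliasing described in comment 6, modelled as an added example (not GraphicsMagick code): Image, MngInfo, ReadOneJNGImage and ReadJNGImage here are hypothetical stand-ins with the same ownership shape as png.c, and DestroyImageList only marks the object dead so that a second destroy can be counted instead of corrupting the heap. The clear_alias flag shows one possible fix (dropping the dangling mng_info->image after the callee frees it); it is an assumption here, not a claim about what the upstream changeset did.

```c
#include <stddef.h>

/* Hypothetical stand-ins for the png.c structures involved in the bug. */
typedef struct { unsigned long columns, rows; int alive; } Image;
typedef struct { Image *image; } MngInfo;

/* Counts destroys of an already-destroyed image. In the real code this
 * second destroy is the use-after-free / double free seen in CloseBlob. */
static int double_destroy_count;

static void DestroyImageList(Image *image)
{
    if (!image->alive) { double_destroy_count++; return; }
    image->alive = 0;
}

/* Pre-patch shape of ReadOneJNGImage: on a reader error it frees the image
 * it was handed through mng_info->image and returns NULL, leaving the
 * caller's mng_info->image pointing at released memory. */
static Image *ReadOneJNGImage(MngInfo *mng_info, int fail, int clear_alias)
{
    Image *image = mng_info->image;          /* image aliases mng_info->image */
    if (fail) {
        DestroyImageList(image);             /* what ThrowReaderException does */
        if (clear_alias)
            mng_info->image = NULL;          /* assumed fix: drop the alias */
        return NULL;
    }
    image->columns = 1;
    image->rows = 1;
    return image;
}

/* Caller logic from ReadJNGImage: destroys both pointers without knowing
 * they refer to the same allocation. Returns the double-destroy count,
 * so 0 means clean and 1 means the image was destroyed twice. */
static int ReadJNGImage(int fail, int clear_alias)
{
    Image img = { 0, 0, 1 };                 /* constructed in-memory image */
    MngInfo mi = { &img };
    double_destroy_count = 0;
    Image *image = ReadOneJNGImage(&mi, fail, clear_alias);
    if (image == NULL || image->columns == 0 || image->rows == 0) {
        if (image != NULL) { DestroyImageList(image); image = NULL; }
        if (mi.image != NULL) { DestroyImageList(mi.image); mi.image = NULL; }
        return double_destroy_count;
    }
    return 0;
}
```

Running the error path with clear_alias set to 0 reproduces the second destroy; with it set to 1 the caller's NULL check now protects the path.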
Comment 7 Petr Gajdos 2018-03-10 12:50:14 UTC
I believe all fixed.
Comment 8 Swamp Workflow Management 2018-03-12 12:44:12 UTC
This is an autogenerated message for OBS integration:
This bug (1084062) was mentioned in
https://build.opensuse.org/request/show/585295 42.3 / GraphicsMagick
Comment 9 Swamp Workflow Management 2018-03-14 11:20:33 UTC
This is an autogenerated message for OBS integration:
This bug (1084062) was mentioned in
https://build.opensuse.org/request/show/586755 42.3 / GraphicsMagick
Comment 10 Swamp Workflow Management 2018-03-18 14:09:02 UTC
openSUSE-SU-2018:0733-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1058630,1059735,1066168,1066170,1082283,1082291,1084060,1084062,1085233
CVE References: CVE-2017-14314,CVE-2017-14505,CVE-2017-15016,CVE-2017-15017,CVE-2017-16352,CVE-2017-16353,CVE-2017-18219,CVE-2017-18220,CVE-2017-18230
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-79.1
Comment 11 Swamp Workflow Management 2018-04-03 19:12:31 UTC
SUSE-SU-2018:0864-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1050087,1058630,1059735,1066168,1066170,1082283,1082291,1082348,1084060,1084062,1085233
CVE References: CVE-2017-11524,CVE-2017-12691,CVE-2017-12693,CVE-2017-14314,CVE-2017-14343,CVE-2017-14505,CVE-2017-15016,CVE-2017-15017,CVE-2017-16352,CVE-2017-16353,CVE-2017-18219,CVE-2017-18220,CVE-2017-18230
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-78.44.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-78.44.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-78.44.1
Comment 12 Marcus Meissner 2018-05-18 15:47:11 UTC
released