First Last Prev Next    This bug is not in your last search results.
Bug 1085236 - (CVE-2017-18229) VUL-1: CVE-2017-18229: GraphicsMagick,ImageMagick: An issue was discovered in GraphicsMagick 1.3.26. An allocation failurevulnerability was found in the function ReadTIFFImage in coders/tiff.c, whichallows attackers to cause a denial of s
(CVE-2017-18229)
VUL-1: CVE-2017-18229: GraphicsMagick,ImageMagick: An issue was discovered in...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/201789/
CVSSv3:SUSE:CVE-2017-18229:4.0:(AV:L/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-03-14 08:37 UTC by Marcus Meissner
Modified: 2019-05-01 14:12 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
allocation_failure_in_ReadTIFFImage_2433 (390 bytes, application/octet-stream)
2018-03-14 08:40 UTC, Marcus Meissner 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2018-03-14 08:37:06 UTC 
CVE-2017-18229

An issue was discovered in GraphicsMagick 1.3.26. An allocation failure
vulnerability was found in the function ReadTIFFImage in coders/tiff.c, which
allows attackers to cause a denial of service via a crafted file, because file
size is not properly used to restrict scanline, strip, and tile allocations.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18229
https://sourceforge.net/p/graphicsmagick/bugs/461/
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/752c0b41fa32
Comment 1 Marcus Meissner 2018-03-14 08:40:46 UTC 
Created attachment 763596 [details]
allocation_failure_in_ReadTIFFImage_2433

QA REPRODUCER:

valgrind gm convert allocation_failure_in_ReadTIFFImage_2433 foo.jpg

(I am not getting any crashes or so using this. Might be fixed?)
Comment 2 Marcus Meissner 2018-03-14 08:41:56 UTC 
QA REPRODUCER (ImageMagick):

valgrind convert allocation_failure_in_ReadTIFFImage_2433 foo.jpg

this blows up on Leap/SLE12 with large allocations and lots of valgrind errors.
Comment 3 Petr Gajdos 2018-04-24 10:36:17 UTC 
42.3/GraphicsMagick

$ valgrind -q --leak-check=full gm convert allocation_failure_in_ReadTIFFImage_2433 /dev/null
gm convert: Insufficient image data in file (allocation_failure_in_ReadTIFFImage_2433).
$

11/GraphicsMagick

$ valgrind -q --leak-check=full gm convert allocation_failure_in_ReadTIFFImage_2433 /dev/null
gm convert: allocation_failure_in_ReadTIFFImage_2433: cannot handle zero strip size. (TIFFReadDirectory).
$

11/ImageMagick

$ valgrind -q --leak-check=full convert allocation_failure_in_ReadTIFFImage_2433 /dev/null
convert: Integer overflow in TIFFVStripSize. `allocation_failure_in_ReadTIFFImage_2433'.
convert: allocation_failure_in_ReadTIFFImage_2433: cannot handle zero strip size. `TIFFReadDirectory'.
convert: missing an image filename `/dev/null'.
$

12/ImageMagick

$ valgrind -q --leak-check=full convert allocation_failure_in_ReadTIFFImage_2433 /dev/null
convert: Ignoring ColorMap because BitsPerSample=12290>24. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/883.
convert: insufficient image data in file `allocation_failure_in_ReadTIFFImage_2433' @ error/tiff.c/ReadTIFFImage/1351.
convert: no images defined `/dev/null' @ error/convert.c/ConvertImageCommand/3149.
$

6.9.9.40/ImageMagick

$ valgrind -q --leak-check=full convert allocation_failure_in_ReadTIFFImage_2433 /dev/null
convert: Ignoring ColorMap because BitsPerSample=12290>24. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/912.
convert: image depth not supported `allocation_failure_in_ReadTIFFImage_2433' @ error/image.c/SetImageExtent/2705.
convert: no images defined `/dev/null' @ error/convert.c/ConvertImageCommand/3258.
$
Comment 4 Petr Gajdos 2018-04-24 15:08:18 UTC 
This was fixed as CVE-2017-18028 (bug 1076182). I will fix changelog entries and name of patches in GraphicsMagick. Therefore, note that this is GraphicsMagick only.
Comment 5 Petr Gajdos 2018-04-24 15:20:31 UTC 
Submitted for: 42.3/GraphicsMagick and 11/GraphicsMagick.
Comment 6 Swamp Workflow Management 2018-04-24 15:50:14 UTC 
This is an autogenerated message for OBS integration:
This bug (1085236) was mentioned in
https://build.opensuse.org/request/show/600681 42.3 / GraphicsMagick
Comment 8 Swamp Workflow Management 2018-04-25 09:50:18 UTC 
This is an autogenerated message for OBS integration:
This bug (1085236) was mentioned in
https://build.opensuse.org/request/show/600838 42.3 / GraphicsMagick
Comment 10 Swamp Workflow Management 2018-04-30 09:10:16 UTC 
This is an autogenerated message for OBS integration:
This bug (1085236) was mentioned in
https://build.opensuse.org/request/show/602464 42.3 / GraphicsMagick
Comment 11 Swamp Workflow Management 2018-05-02 10:13:36 UTC 
openSUSE-SU-2018:1123-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1050623,1055010,1080522,1085236,1086773,1087027,1087037,1089781
CVE References: CVE-2017-11641,CVE-2017-13066,CVE-2017-18229,CVE-2017-18251,CVE-2017-18254,CVE-2018-10177,CVE-2018-6799,CVE-2018-9018
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-87.1
Comment 12 Swamp Workflow Management 2018-05-08 13:07:55 UTC 
SUSE-SU-2018:1163-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1050623,1055010,1085236,1089781
CVE References: CVE-2017-11641,CVE-2017-13066,CVE-2017-18229,CVE-2018-10177
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-78.52.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-78.52.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-78.52.1
Comment 13 Marcus Meissner 2018-05-08 14:55:35 UTC 
released
First Last Prev Next    This bug is not in your last search results.