Bug 1112399 – VUL-1: CVE-2017-14997: GraphicsMagick,ImageMagick: Integer underflow in ReadPICTImage in coders/pict.c.

Bug 1112399 - (CVE-2017-14997) VUL-1: CVE-2017-14997: GraphicsMagick,ImageMagick: Integer underflow in ReadPICTImage in coders/pict.c.

(CVE-2017-14997)
Summary:	VUL-1: CVE-2017-14997: GraphicsMagick,ImageMagick: Integer underflow in ReadP...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/216977/
Whiteboard:	CVSSv2:NVD:CVE-2017-14997:7.1:(AV:N/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2018-10-18 13:40 UTC by Robert Frohl
Modified:	2019-07-09 07:02 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Frohl 2018-10-18 13:40:56 UTC

CVE-2017-14997

GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service
(excessive memory allocation) because of an integer underflow in ReadPICTImage
in coders/pict.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14997
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14997

Comment 1 Robert Frohl 2018-10-18 13:44:06 UTC

Hi Petr,
the patch can be found here:
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=0683f8724200

My investigation suggests that the following codestreams are affected:
- SUSE:SLE-11:Update/GraphicsMagick
- SUSE:SLE-11:Update/ImageMagick
- SUSE:SLE-12:Update/ImageMagick

Already fixed:
- SUSE:SLE-15:Update/ImageMagick

Comment 3 Petr Gajdos 2018-10-22 08:25:32 UTC

https://sourceforge.net/p/graphicsmagick/bugs/511/

Upstream bug with reproducer.

Comment 4 Petr Gajdos 2018-10-22 13:17:21 UTC

BEFORE

15.0/GraphicsMagick

$ valgrind -q gm identify -ping crash_098
gm identify: Unexpected end-of-file (crash_098).
gm identify: Request did not return an image.
$

42.3/GraphicsMagick

$ valgrind -q gm identify -ping crash_098
==28613== Argument 'size' of function malloc has a fishy (possibly negative) value: -1
==28613==    at 0x4C2A110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==28613==    by 0x79D19FF: ReadPICTImage (pict.c:1277)
==28613==    by 0x4EBFB57: ReadImage (constitute.c:1607)
==28613==    by 0x4EC0971: PingImage (constitute.c:1370)
==28613==    by 0x4E8EF1C: IdentifyImageCommand (command.c:8375)
==28613==    by 0x4E90864: MagickCommand (command.c:8868)
==28613==    by 0x4E9197D: GMCommandSingle (command.c:17376)
==28613==    by 0x4EB2D0D: GMCommand (command.c:17429)
==28613==    by 0x5441724: (below main) (in /lib64/libc-2.22.so)
==28613== 
gm identify: Unexpected end-of-file (crash_098).
gm identify: Request did not return an image.
$

11/ImageMagick,GraphicsMagick

$ valgrind -q gm identify -ping crash_098
==10807== Warning: silly arg (-1) to malloc()
==10807== Warning: silly arg (-1) to malloc()
==10807== Warning: silly arg (-1) to malloc()
gm identify: Unexpected end-of-file (crash_098).
$

12/ImageMagick

$ valgrind -q identify -ping crash_098
==27554== Argument 'size' of function malloc has a fishy (possibly negative) value: -1
==27554==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27554==    by 0x841D2BB: ReadPICTImage (pict.c:1349)
==27554==    by 0x4EBFDCA: ReadImage (constitute.c:601)
==27554==    by 0x4FD1D68: ReadStream (stream.c:974)
==27554==    by 0x4EBF910: PingImage (constitute.c:278)
==27554==    by 0x4EBFB4A: PingImages (constitute.c:373)
==27554==    by 0x535850B: IdentifyImageCommand (identify.c:322)
==27554==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==27554==    by 0x400891: IdentifyMain (identify.c:80)
==27554==    by 0x400891: main (identify.c:93)
==27554== 
identify: insufficient image data in file `crash_098' @ error/pict.c/ReadPICTImage/1497.
$

15/ImageMagick

$ valgrind -q identify -ping crash_098
crash_098 PICT 12336x12336 12336x12336+0+0 8-bit sRGB 1819B 15.800u 0:15.789
$


PATCH

GraphicsMagick: referenced in comment 0
ImageMagick:
https://github.com/ImageMagick/ImageMagick/commit/70293c7830e9b0a13221f42e08bfcccbf3081096

In agreement with comment 1, I consider affected: 42.3/GraphicsMagick, 11/GraphicsMagick, 11/ImageMagick and 12/ImageMagick


AFTER

42.3/GraphicsMagick

$ valgrind -q gm identify -ping crash_098
gm identify: Unexpected end-of-file (crash_098).
gm identify: Request did not return an image.
$

11/GraphicsMagick

$ valgrind -q gm identify -ping crash_098
gm identify: Unexpected end-of-file (crash_098).
$

11/ImageMagick

$ valgrind -q identify -ping crash_098
identify: Insufficient image data in file `crash_098'.
$

12/ImageMagick

$ valgrind -q identify -ping crash_098
identify: insufficient image data in file `crash_098' @ error/pict.c/ReadPICTImage/1505.
$

Comment 5 Petr Gajdos 2018-10-22 13:17:45 UTC

Will submit for 42.3,11/GraphicsMagick and 11,12/ImageMagick.

Comment 6 Petr Gajdos 2018-10-23 08:26:42 UTC

Packages submitted.

Comment 8 Swamp Workflow Management 2018-10-23 09:00:10 UTC

This is an autogenerated message for OBS integration:
This bug (1112399) was mentioned in
https://build.opensuse.org/request/show/643897 42.3 / GraphicsMagick

Comment 12 Swamp Workflow Management 2018-10-25 19:18:04 UTC

SUSE-SU-2018:3465-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1107609,1112399
CVE References: CVE-2017-14997,CVE-2018-16644
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.85.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.85.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.85.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.85.1

Comment 13 Swamp Workflow Management 2018-10-26 12:40:33 UTC

openSUSE-SU-2018:3479-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1112392,1112399
CVE References: CVE-2017-10794,CVE-2017-14997
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-114.1

Comment 14 Swamp Workflow Management 2018-10-26 22:28:08 UTC

openSUSE-SU-2018:3524-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1107609,1112399
CVE References: CVE-2017-14997,CVE-2018-16644
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-76.1

Comment 17 Swamp Workflow Management 2018-11-19 14:12:04 UTC

SUSE-SU-2018:3808-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1050129,1050635,1107609,1112399
CVE References: CVE-2017-11532,CVE-2017-11639,CVE-2017-14997,CVE-2018-16644
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-78.79.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-78.79.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.79.1

Comment 21 Swamp Workflow Management 2019-01-03 20:09:35 UTC

SUSE-SU-2019:13923-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042911,1052754,1078433,1112392,1112399,1113064,1119822,1119823
CVE References: CVE-2017-10794,CVE-2017-12663,CVE-2017-14997,CVE-2017-9405,CVE-2018-18544,CVE-2018-20184,CVE-2018-20185,CVE-2018-6405
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-78.78.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-78.78.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-78.78.1

Comment 22 Marcus Meissner 2019-07-09 07:02:28 UTC

released