Bug 1017324 - (CVE-2016-10068) VUL-0: CVE-2016-10068: ImageMagick: Fault in MSL interpreter
Status: RESOLVED FIXED
Duplicates: 1016593
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2016-10068:4.3:(AV:N/...
Depends on:
Blocks:
Reported: 2016-12-27 09:23 UTC by Johannes Segitz
Modified: 2017-05-19 06:43 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Comment 1 Swamp Workflow Management 2016-12-27 23:03:17 UTC
bugbot adjusting priority
Comment 2 Johannes Segitz 2016-12-28 09:53:39 UTC
*** Bug 1016593 has been marked as a duplicate of this bug. ***
Comment 3 Petr Gajdos 2017-01-25 16:14:09 UTC
Testcases can be found in the upstream bug.

12/ImageMagick
~~~~~~~~~~~~~~
Note that, for correct testing, the msl decoder needs to be activated, that means the

<policy domain="coder" rights="none" pattern="MSL" />

line in /etc/ImageMagick*/policy.xml needs to be commented out. BEFORE, I get a crash for every testcase with the backtrace from the upstream bug; AFTER, not:

$ for i in *test; do conjure -dimensions 10x10 $i; echo; done
017324: no images defined `get' @ error/msl.c/MSLStartElement/3277.
017324: attributes construct error
 `SAX error' @ fatal/msl.c/MSLError/7531.

017324: no images defined `resize' @ error/msl.c/MSLStartElement/5345.
017324: no images defined `get' @ error/msl.c/MSLStartElement/3277.

017324: no images defined `get' @ error/msl.c/MSLStartElement/3277.
017324: error parsing attribute name
 `SAX error' @ fatal/msl.c/MSLError/7531.

017324: no images defined `get' @ error/msl.c/MSLStartElement/3277.
017324: unrecognized element `resije' @ error/msl.c/MSLStartElement/5720.
017324: unrecognized element `resije' @ error/msl.c/MSLStartElement/7036.
017324: unrecognized element `resije' @ error/msl.c/MSLStartElement/7215.
017324: unrecognized element `resije' @ error/msl.c/MSLStartElement/7262.
017324: unrecognized element `resije' @ error/msl.c/MSLStartElement/7266.
017324: no images defined `get' @ error/msl.c/MSLStartElement/3277.

017324: unrecognized attribute `cize' @ error/msl.c/SetMSLAttributes/8111.
017324: no images defined `get' @ error/msl.c/MSLStartElement/3277.
017324: no images defined `resize' @ error/msl.c/MSLStartElement/5345.
017324: no images defined `get' @ error/msl.c/MSLStartElement/3277.

017324: no images defined `get' @ error/msl.c/MSLStartElement/3277.
017324: no images defined `resize' @ error/msl.c/MSLStartElement/5345.
017324: no images defined `get' @ error/msl.c/MSLStartElement/3277.

$

11/ImageMagick
~~~~~~~~~~~~~~
Similarly as for 12/ImageMagick, but the msl coder needs to be activated another way; for example by

$ mv /usr/lib64/ImageMagick-6.4.3/modules-Q16/coders/vulnerable/msl.* /usr/lib64/ImageMagick-6.4.3/modules-Q16/coders

The result BEFORE and AFTER is the same and similar to AFTER for 12/ImageMagick; that suggests that 11/ImageMagick is not affected, but the code is there and the check will do no harm.

GraphicsMagick
~~~~~~~~~~~~~~
Segfaults for three of the testcases. The backtrace seems to be slightly different, though. And the reason is different too -- looking at the code, there is this in msl.c:

      /* init the values */
      width=msl_info->image[n]->columns;   /* dereferences image[n] ... */
      height=msl_info->image[n]->rows;
      x=0;
      y=0;
      if (msl_info->image[n] == (Image *) NULL)   /* ... before this NULL check */
        {
          ThrowException(msl_info->exception,...
          break;
        }

So the code first looks at a member of msl_info->image[n] and only later checks it for 0. After moving the 'init the values' after the check, there is no segfault. GraphicsMagick upstream was notified.

For the original commit assigned to this CVE, the same opinion holds as for 11/ImageMagick.
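The reordering described in the comment above, as an added stand-alone example (not GraphicsMagick's msl.c). The Image and MSLInfo structs, the slot count and the msl_init_geometry function are hypothetical stand-ins for the real types; the only point is that the NULL check runs before any member of image[n] is read.

```c
/* Added example: minimal model of the "init the values" ordering bug.
 * Types and names are hypothetical stand-ins, not GraphicsMagick's own. */
#include <stddef.h>
#include <stdio.h>

typedef struct { unsigned long columns, rows; } Image;   /* stand-in */

typedef struct {
    Image *image[4];          /* image stack; NULL when no image is defined */
    const char *exception;    /* stand-in for msl_info->exception message */
} MSLInfo;

/* Hardened ordering: check msl_info->image[n] first, read members second.
 * Returns 1 and fills width/height when an image is defined, 0 otherwise. */
int msl_init_geometry(MSLInfo *msl_info, size_t n,
                      unsigned long *width, unsigned long *height)
{
    if (msl_info->image[n] == (Image *) NULL)
    {
        /* GraphicsMagick throws an exception and breaks out of the element
         * handler here; the stand-in records a message and refuses. */
        msl_info->exception = "no images defined";
        return 0;
    }
    /* init the values -- now only reached with a non-NULL image */
    *width = msl_info->image[n]->columns;
    *height = msl_info->image[n]->rows;
    return 1;
}

int main(void)
{
    Image img = { 10, 10 };
    MSLInfo info = { { &img, NULL, NULL, NULL }, NULL };
    unsigned long w = 0, h = 0;

    /* slot 0 has an image: geometry is filled in */
    printf("n=0: ok=%d %lux%lu\n", msl_init_geometry(&info, 0, &w, &h), w, h);
    /* slot 1 has no image: the original ordering would dereference NULL
     * here before reaching the check; the reordered code reports instead. */
    printf("n=1: ok=%d (%s)\n", msl_init_geometry(&info, 1, &w, &h),
           info.exception);
    return 0;
}
```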
Comment 4 Petr Gajdos 2017-01-26 07:18:11 UTC
Short version:

Affected: GraphicsMagick, ImageMagick
Comment 5 Petr Gajdos 2017-01-27 11:04:59 UTC
Packages submitted, I believe all fixed.
Comment 7 Bernhard Wiedemann 2017-01-27 13:04:31 UTC
This is an autogenerated message for OBS integration:
This bug (1017324) was mentioned in
https://build.opensuse.org/request/show/452917 42.2 / GraphicsMagick
https://build.opensuse.org/request/show/452918 42.1 / GraphicsMagick
Comment 8 Swamp Workflow Management 2017-02-06 14:09:15 UTC
openSUSE-SU-2017:0391-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017310,1017312,1017313,1017314,1017318,1017321,1017322,1017324,1017325,1017326,1020443,1020448
CVE References: CVE-2016-10048,CVE-2016-10050,CVE-2016-10051,CVE-2016-10052,CVE-2016-10059,CVE-2016-10064,CVE-2016-10065,CVE-2016-10068,CVE-2016-10069,CVE-2016-10070,CVE-2016-10146,CVE-2017-5511
Sources used:
openSUSE Leap 42.1 (src):    GraphicsMagick-1.3.21-26.1
Comment 9 Swamp Workflow Management 2017-02-06 14:14:08 UTC
openSUSE-SU-2017:0399-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017310,1017312,1017313,1017314,1017324,1017326,1020443,1020448
CVE References: CVE-2016-10048,CVE-2016-10050,CVE-2016-10051,CVE-2016-10052,CVE-2016-10068,CVE-2016-10070,CVE-2016-10146,CVE-2017-5511
Sources used:
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-9.1
Comment 10 Swamp Workflow Management 2017-02-20 14:12:17 UTC
SUSE-SU-2017:0518-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017310,1017311,1017312,1017313,1017318,1017321,1017322,1017324,1017326,1020443,1020448
CVE References: CVE-2016-10048,CVE-2016-10049,CVE-2016-10050,CVE-2016-10051,CVE-2016-10059,CVE-2016-10064,CVE-2016-10065,CVE-2016-10068,CVE-2016-10070,CVE-2016-10146,CVE-2017-5511
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.62.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.62.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.62.1
Comment 11 Swamp Workflow Management 2017-02-21 14:09:57 UTC
SUSE-SU-2017:0529-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017308,1017310,1017311,1017312,1017313,1017314,1017318,1017319,1017320,1017321,1017322,1017324,1017325,1017326,1017421,1020433,1020435,1020436,1020439,1020441,1020443,1020446,1020448
CVE References: CVE-2016-10046,CVE-2016-10048,CVE-2016-10049,CVE-2016-10050,CVE-2016-10051,CVE-2016-10052,CVE-2016-10059,CVE-2016-10060,CVE-2016-10061,CVE-2016-10062,CVE-2016-10063,CVE-2016-10064,CVE-2016-10065,CVE-2016-10068,CVE-2016-10069,CVE-2016-10070,CVE-2016-10071,CVE-2016-10144,CVE-2016-10145,CVE-2016-10146,CVE-2017-5506,CVE-2017-5507,CVE-2017-5508,CVE-2017-5510,CVE-2017-5511
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-59.1
Comment 12 Swamp Workflow Management 2017-03-01 20:11:13 UTC
SUSE-SU-2017:0586-1: An update that fixes 21 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017308,1017310,1017311,1017312,1017313,1017314,1017318,1017319,1017320,1017321,1017322,1017324,1017326,1017421,1020433,1020435,1020436,1020439,1020441,1020443,1020448
CVE References: CVE-2016-10046,CVE-2016-10048,CVE-2016-10049,CVE-2016-10050,CVE-2016-10051,CVE-2016-10052,CVE-2016-10059,CVE-2016-10060,CVE-2016-10063,CVE-2016-10064,CVE-2016-10065,CVE-2016-10068,CVE-2016-10070,CVE-2016-10071,CVE-2016-10144,CVE-2016-10145,CVE-2016-10146,CVE-2017-5506,CVE-2017-5507,CVE-2017-5508,CVE-2017-5511
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.65.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.65.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.65.1
Comment 13 Swamp Workflow Management 2017-03-02 14:10:03 UTC
openSUSE-SU-2017:0587-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017308,1017310,1017311,1017312,1017313,1017314,1017318,1017319,1017320,1017321,1017322,1017324,1017325,1017326,1017421,1020433,1020435,1020436,1020439,1020441,1020443,1020446,1020448
CVE References: CVE-2016-10046,CVE-2016-10048,CVE-2016-10049,CVE-2016-10050,CVE-2016-10051,CVE-2016-10052,CVE-2016-10059,CVE-2016-10060,CVE-2016-10061,CVE-2016-10062,CVE-2016-10063,CVE-2016-10064,CVE-2016-10065,CVE-2016-10068,CVE-2016-10069,CVE-2016-10070,CVE-2016-10071,CVE-2016-10144,CVE-2016-10145,CVE-2016-10146,CVE-2017-5506,CVE-2017-5507,CVE-2017-5508,CVE-2017-5510,CVE-2017-5511
Sources used:
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-28.1
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-30.1
Comment 14 Matthias Gerstner 2017-03-06 09:42:27 UTC
All codestreams released. openSUSE comes from SLE. Closing.