Bug 985442 - (CVE-2016-5688) VUL-0: CVE-2016-5688: GraphicsMagick,ImageMagick: Re: Various invalid memory reads in ImageMagick WPG
(CVE-2016-5688)
VUL-0: CVE-2016-5688: GraphicsMagick,ImageMagick: Re: Various invalid memory ...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/170273/
CVSSv2:SUSE:CVE-2016-5688:6.8:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-06-17 14:42 UTC by Marcus Meissner
Modified: 2016-12-22 12:09 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
imagemagick-heapoverflow-SetPixelIndex.wpg (958 bytes, application/octet-stream)
2016-06-17 14:53 UTC, Marcus Meissner
Details
imagemagick-invalid-write-ScaleCharToQuantum.wpg (870 bytes, application/octet-stream)
2016-06-17 14:55 UTC, Marcus Meissner
Details
imagemagick-invalid-write-SetPixelIndex.wpg (1.06 KB, application/octet-stream)
2016-06-17 15:00 UTC, Marcus Meissner
Details
valgrind convert imagemagick-invalid-write-SetPixelIndex.wpg foo.jpg x86_64 (11.87 KB, text/plain)
2016-07-08 13:47 UTC, Ondřej Súkup
Details
valgrind convert imagemagick-invalid-write-SetPixelIndex.wpg foo.jpg s390x (4.78 KB, text/plain)
2016-07-08 13:47 UTC, Ondřej Súkup
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2016-06-17 14:42:12 UTC
http://seclists.org/oss-sec/2016/q2/564



    Several bugs in the WPG parser could lead to a heap overflow and random
    invalid memory writes. These bugs only seem to appear when a memory
    limit is set.

    Sample for heap write overflow in SetPixelIndex

    Sample for unclear invalid write in ScaleCharToQuantum

    Sample for unclear invalid write in SetPixelIndex

    https://github.com/ImageMagick/ImageMagick/commit/fc43974d34318c834fbf78570ca1a3764ed8c7d7
    https://github.com/ImageMagick/ImageMagick/commit/aecd0ada163a4d6c769cec178955d5f3e9316f2f


As far as we can tell, this can be thought of as a single issue in
which some type of input validation (associated with a SetImageExtent
return-value check) occurred in the wrong place, and was accompanied
by incorrect error handling. The various write-access observations
would then be consequences of this.

Use CVE-2016-5688 for this entire report about the WPG parser.
Comment 1 Marcus Meissner 2016-06-17 14:46:15 UTC
QA REPRODUCER:

https://crashes.fuzzing-project.org/imagemagick-heapoverflow-SetPixelIndex.wpg

Sample for heap write overflow in SetPixelIndex

https://crashes.fuzzing-project.org/imagemagick-invalid-write-ScaleCharToQuantum.wpg

Sample for unclear invalid write in ScaleCharToQuantum

https://crashes.fuzzing-project.org/imagemagick-invalid-write-SetPixelIndex.wpg

Sample for unclear invalid write in SetPixelIndex


(currently not downloadable)
Comment 2 Marcus Meissner 2016-06-17 14:50:18 UTC
all IM and GM need the first patch

second patch does not look affecting SLE11 IM, SLE11 GM ... SLE12 IM probably affected.
Comment 3 Marcus Meissner 2016-06-17 14:53:35 UTC
Created attachment 681222 [details]
imagemagick-heapoverflow-SetPixelIndex.wpg

QA REPRODUCER:

convert imagemagick-heapoverflow-SetPixelIndex.wpg foo.jpg
Comment 4 Marcus Meissner 2016-06-17 14:55:42 UTC
Created attachment 681223 [details]
imagemagick-invalid-write-ScaleCharToQuantum.wpg

QA REPRODUCER:

convert imagemagick-invalid-write-ScaleCharToQuantum.wpg foo.jpg
Comment 5 Marcus Meissner 2016-06-17 15:00:16 UTC
Created attachment 681227 [details]
imagemagick-invalid-write-SetPixelIndex.wpg

QA REPRODUCER: 

convert imagemagick-invalid-write-SetPixelIndex.wpg foo.jpg
Comment 6 Swamp Workflow Management 2016-06-17 22:00:45 UTC
bugbot adjusting priority
Comment 7 Petr Gajdos 2016-06-23 12:37:44 UTC
Fixed everywhere.
Comment 8 Petr Gajdos 2016-06-23 13:07:08 UTC
I believe all fixed.
Comment 9 Swamp Workflow Management 2016-07-01 15:13:28 UTC
openSUSE-SU-2016:1724-1: An update that fixes 37 vulnerabilities is now available.

Category: security (important)
Bug References: 965853,983234,983259,983309,983455,983521,983523,983533,983752,983794,983796,983799,983803,984028,984032,984035,984135,984142,984144,984145,984150,984166,984181,984193,984372,984373,984375,984379,984394,984398,984400,984408,984409,984433,984436,985442
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9839,CVE-2014-9840,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9853,CVE-2015-8894,CVE-2015-8896,CVE-2015-8901,CVE-2015-8903,CVE-2016-2317,CVE-2016-2318,CVE-2016-5240,CVE-2016-5241,CVE-2016-5688
Sources used:
openSUSE 13.2 (src):    GraphicsMagick-1.3.20-9.1
Comment 10 Swamp Workflow Management 2016-07-06 19:14:07 UTC
openSUSE-SU-2016:1748-1: An update that fixes 68 vulnerabilities is now available.

Category: security (important)
Bug References: 983232,983234,983253,983259,983292,983305,983308,983521,983523,983527,983533,983739,983746,983752,983774,983794,983796,983799,983803,984014,984018,984023,984028,984032,984035,984135,984137,984142,984144,984145,984149,984150,984160,984166,984172,984179,984181,984183,984184,984185,984186,984187,984191,984193,984370,984372,984373,984374,984375,984379,984394,984398,984400,984401,984404,984406,984408,984409,984427,984433,984436,985442,985448,985451,985456,985460,986608,986609
CVE References: CVE-2014-9805,CVE-2014-9806,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9812,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9821,CVE-2014-9822,CVE-2014-9823,CVE-2014-9824,CVE-2014-9825,CVE-2014-9826,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9832,CVE-2014-9833,CVE-2014-9834,CVE-2014-9835,CVE-2014-9836,CVE-2014-9837,CVE-2014-9838,CVE-2014-9839,CVE-2014-9840,CVE-2014-9841,CVE-2014-9842,CVE-2014-9843,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9848,CVE-2014-9849,CVE-2014-9850,CVE-2014-9851,CVE-2014-9852,CVE-2014-9853,CVE-2014-9854,CVE-2015-8894,CVE-2015-8895,CVE-2015-8896,CVE-2015-8897,CVE-2015-8898,CVE-2015-8900,CVE-2015-8901,CVE-2015-8902,CVE-2015-8903,CVE-2016-4562,CVE-2016-4563,CVE-2016-4564,CVE-2016-5687,CVE-2016-5688,CVE-2016-5689,CVE-2016-5690,CVE-2016-5691,CVE-2016-5841,CVE-2016-5842
Sources used:
openSUSE 13.2 (src):    ImageMagick-6.8.9.8-26.1
Comment 14 Ondřej Súkup 2016-07-08 13:47:27 UTC
Created attachment 683535 [details]
valgrind convert imagemagick-invalid-write-SetPixelIndex.wpg foo.jpg x86_64
Comment 15 Ondřej Súkup 2016-07-08 13:47:55 UTC
Created attachment 683536 [details]
valgrind convert imagemagick-invalid-write-SetPixelIndex.wpg foo.jpg s390x
Comment 16 Ondřej Súkup 2016-07-08 13:48:46 UTC
looks as partially fixed, valgrind results from x86_64 and s390x attached
Comment 17 Swamp Workflow Management 2016-07-11 14:18:10 UTC
SUSE-SU-2016:1782-1: An update that fixes 57 vulnerabilities is now available.

Category: security (important)
Bug References: 983234,983253,983259,983292,983305,983308,983521,983523,983533,983739,983746,983752,983774,983794,983796,983799,983803,984018,984023,984028,984032,984035,984135,984137,984142,984144,984145,984150,984160,984166,984181,984184,984185,984186,984187,984193,984370,984372,984373,984374,984375,984379,984394,984398,984400,984401,984408,984409,984433,984436,985442,985448,985451,985456,985460,986608,986609
CVE References: CVE-2014-9805,CVE-2014-9806,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9812,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9822,CVE-2014-9823,CVE-2014-9824,CVE-2014-9826,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9836,CVE-2014-9837,CVE-2014-9838,CVE-2014-9839,CVE-2014-9840,CVE-2014-9842,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9849,CVE-2014-9851,CVE-2014-9853,CVE-2014-9854,CVE-2015-8894,CVE-2015-8896,CVE-2015-8897,CVE-2015-8898,CVE-2015-8901,CVE-2015-8902,CVE-2015-8903,CVE-2016-4562,CVE-2016-4563,CVE-2016-4564,CVE-2016-5687,CVE-2016-5688,CVE-2016-5689,CVE-2016-5690,CVE-2016-5691,CVE-2016-5841,CVE-2016-5842
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.45.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.45.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.45.1
Comment 18 Swamp Workflow Management 2016-07-11 14:26:34 UTC
SUSE-SU-2016:1783-1: An update that fixes 37 vulnerabilities is now available.

Category: security (important)
Bug References: 965853,983234,983259,983309,983455,983521,983523,983533,983752,983794,983796,983799,983803,984028,984032,984035,984135,984142,984144,984145,984150,984166,984181,984193,984372,984373,984375,984379,984394,984398,984400,984408,984409,984433,984436,985442
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9839,CVE-2014-9840,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9853,CVE-2015-8894,CVE-2015-8896,CVE-2015-8901,CVE-2015-8903,CVE-2016-2317,CVE-2016-2318,CVE-2016-5240,CVE-2016-5241,CVE-2016-5688
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.41.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.41.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.41.1
Comment 19 Swamp Workflow Management 2016-07-11 14:37:58 UTC
SUSE-SU-2016:1784-1: An update that fixes 68 vulnerabilities is now available.

Category: security (important)
Bug References: 983232,983234,983253,983259,983292,983305,983308,983521,983523,983527,983533,983739,983746,983752,983774,983794,983796,983799,983803,984014,984018,984023,984028,984032,984035,984135,984137,984142,984144,984145,984149,984150,984160,984166,984172,984179,984181,984183,984184,984185,984186,984187,984191,984193,984370,984372,984373,984374,984375,984379,984394,984398,984400,984401,984404,984406,984408,984409,984427,984433,984436,985442,985448,985451,985456,985460,986608,986609
CVE References: CVE-2014-9805,CVE-2014-9806,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9812,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9821,CVE-2014-9822,CVE-2014-9823,CVE-2014-9824,CVE-2014-9825,CVE-2014-9826,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9832,CVE-2014-9833,CVE-2014-9834,CVE-2014-9835,CVE-2014-9836,CVE-2014-9837,CVE-2014-9838,CVE-2014-9839,CVE-2014-9840,CVE-2014-9841,CVE-2014-9842,CVE-2014-9843,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9848,CVE-2014-9849,CVE-2014-9850,CVE-2014-9851,CVE-2014-9852,CVE-2014-9853,CVE-2014-9854,CVE-2015-8894,CVE-2015-8895,CVE-2015-8896,CVE-2015-8897,CVE-2015-8898,CVE-2015-8900,CVE-2015-8901,CVE-2015-8902,CVE-2015-8903,CVE-2016-4562,CVE-2016-4563,CVE-2016-4564,CVE-2016-5687,CVE-2016-5688,CVE-2016-5689,CVE-2016-5690,CVE-2016-5691,CVE-2016-5841,CVE-2016-5842
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
Comment 20 Swamp Workflow Management 2016-07-20 10:21:05 UTC
openSUSE-SU-2016:1833-1: An update that fixes 68 vulnerabilities is now available.

Category: security (important)
Bug References: 983232,983234,983253,983259,983292,983305,983308,983521,983523,983527,983533,983739,983746,983752,983774,983794,983796,983799,983803,984014,984018,984023,984028,984032,984035,984135,984137,984142,984144,984145,984149,984150,984160,984166,984172,984179,984181,984183,984184,984185,984186,984187,984191,984193,984370,984372,984373,984374,984375,984379,984394,984398,984400,984401,984404,984406,984408,984409,984427,984433,984436,985442,985448,985451,985456,985460,986608,986609
CVE References: CVE-2014-9805,CVE-2014-9806,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9812,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9821,CVE-2014-9822,CVE-2014-9823,CVE-2014-9824,CVE-2014-9825,CVE-2014-9826,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9832,CVE-2014-9833,CVE-2014-9834,CVE-2014-9835,CVE-2014-9836,CVE-2014-9837,CVE-2014-9838,CVE-2014-9839,CVE-2014-9840,CVE-2014-9841,CVE-2014-9842,CVE-2014-9843,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9848,CVE-2014-9849,CVE-2014-9850,CVE-2014-9851,CVE-2014-9852,CVE-2014-9853,CVE-2014-9854,CVE-2015-8894,CVE-2015-8895,CVE-2015-8896,CVE-2015-8897,CVE-2015-8898,CVE-2015-8900,CVE-2015-8901,CVE-2015-8902,CVE-2015-8903,CVE-2016-4562,CVE-2016-4563,CVE-2016-4564,CVE-2016-5687,CVE-2016-5688,CVE-2016-5689,CVE-2016-5690,CVE-2016-5691,CVE-2016-5841,CVE-2016-5842
Sources used:
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-15.1
Comment 21 Marcus Meissner 2016-08-01 14:48:04 UTC
considering fixed and released
Comment 22 Swamp Workflow Management 2016-08-15 13:14:19 UTC
openSUSE-SU-2016:2073-1: An update that fixes 22 vulnerabilities is now available.

Category: security (important)
Bug References: 965853,983309,983455,983521,983523,983533,983752,983794,983799,984142,984145,984150,984166,984372,984375,984379,984394,984400,984408,984436,985442
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9809,CVE-2014-9815,CVE-2014-9817,CVE-2014-9819,CVE-2014-9820,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9839,CVE-2014-9845,CVE-2014-9846,CVE-2014-9853,CVE-2015-8894,CVE-2015-8896,CVE-2016-2317,CVE-2016-2318,CVE-2016-5240,CVE-2016-5241,CVE-2016-5688
Sources used:
openSUSE Leap 42.1 (src):    GraphicsMagick-1.3.21-11.1
Comment 23 Petr Gajdos 2016-09-29 10:25:39 UTC
While trying to test cases for bsc#1000436, I noticed that a regression to the wpg coder was introduced during the big update to all versions of GraphicsMagick:

$ gm convert test-686 test.jpg
gm: symbol lookup error: /usr/lib64/GraphicsMagick-1.3.21/modules-Q16/coders/wpg.so: undefined symbol: SetImageExtent
$

Patch for CVE-2016-5688 is causing it. This seems to be true for all 11/42.1/13.2. What is the process now?

Unfortunately, after quick search, I have no idea so far what is GraphicsMagick counterpart to SetImageExtent, if any.
Comment 24 Petr Gajdos 2016-09-29 10:45:16 UTC
GraphicsMagick Mercurial repository does not seem to have the patch.
Comment 25 Petr Gajdos 2016-09-29 11:22:28 UTC
Sent mail to GraphicsMagick upstream to clarify.
Comment 26 Marcus Meissner 2016-09-29 15:01:40 UTC
we need to adjust the patch not to call an undefined function :/ 

              image->columns=Bitmap2Header1.Width;
              image->rows=Bitmap2Header1.Heigth;  

              status=SetImageExtent(image,image->columns,image->rows);
              if (status == MagickFalse)
                break;

what SetImageExtent does in ImageMagick SLE11 is setting image->columns and image->rows and flushing the pixel cache.

As GM does not have this cache this fix might not be needed.

I would fix this in the next update.
Comment 27 Petr Gajdos 2016-10-13 13:40:03 UTC
I believe all fixed.
Comment 28 Bernhard Wiedemann 2016-10-13 14:02:35 UTC
This is an autogenerated message for OBS integration:
This bug (985442) was mentioned in
https://build.opensuse.org/request/show/434745 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/434747 42.1 / GraphicsMagick
Comment 30 Bernhard Wiedemann 2016-10-18 14:02:59 UTC
This is an autogenerated message for OBS integration:
This bug (985442) was mentioned in
https://build.opensuse.org/request/show/435916 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/435919 42.1 / GraphicsMagick
Comment 32 Swamp Workflow Management 2016-10-26 12:11:04 UTC
openSUSE-SU-2016:2641-1: An update that fixes 28 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1000399,1000434,1000436,1000689,1000690,1000691,1000692,1000693,1000695,1000698,1000700,1000702,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,985442,999673
CVE References: CVE-2015-8957,CVE-2015-8958,CVE-2016-5688,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE 13.2 (src):    GraphicsMagick-1.3.20-12.1
Comment 33 Marcus Meissner 2016-12-22 12:09:51 UTC
released