Bug 1013376 - (CVE-2016-9773) VUL-0: CVE-2016-9773: ImageMagick: heap-based buffer overflow in IsPixelGray (pixel-accessor.h) (Incomplete fix for CVE-2016-9556)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
CVSSv2:RedHat:CVE-2016-9773:4.3:(AV:N...
Depends on:
Blocks:
Reported: 2016-12-02 18:52 UTC by Mikhail Kasimov
Modified: 2017-06-20 06:59 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Mikhail Kasimov 2016-12-02 18:52:57 UTC
Reference: [1] http://seclists.org/oss-sec/2016/q4/550

[1]:
========================================================================
Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap 
images.

A fuzz on an updated version which includes the fix for CVE-2016-9556, 
revealed that the issue is still present.

The complete ASan output:

# identify $FILE
==30875==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000007cc0 at pc 0x7f897b123267 bp 0x7fff44a4ba70 sp 0x7fff44a4ba68
READ of size 4 at 0x610000007cc0 thread T0
    #0 0x7f897b123266 in IsPixelGray /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/./MagickCore/pixel-accessor.h:507:30
    #1 0x7f897b123266 in IdentifyImageGray /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/attribute.c:677
    #2 0x7f897b123e2d in IdentifyImageType /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/attribute.c:820:7
    #3 0x7f897b3ca308 in IdentifyImage /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/identify.c:527:8
    #4 0x7f897ab0e591 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickWand/identify.c:336:22
    #5 0x7f897ab85ee6 in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickWand/mogrify.c:183:14
    #6 0x50a495 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/utilities/magick.c:145:10
    #7 0x50a495 in main /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/utilities/magick.c:176
    #8 0x7f89797c061f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #9 0x419d28 in _init (/usr/bin/magick+0x419d28)

0x610000007cc0 is located 0 bytes to the right of 128-byte region [0x610000007c40,0x610000007cc0)
allocated by thread T0 here:
    #0 0x4d3685 in posix_memalign /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:130
    #1 0x7f897b44a619 in AcquireAlignedMemory /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/memory.c:258:7
    #2 0x7f897b15840e in AcquireCacheNexusPixels /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/cache.c:4636:33
    #3 0x7f897b15840e in SetPixelCacheNexusPixels /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/cache.c:4748
    #4 0x7f897b14e891 in GetVirtualPixelsFromNexus /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/cache.c:2629:10
    #5 0x7f897b16d90e in GetCacheViewVirtualPixels /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/cache-view.c:664:10
    #6 0x7f897b122878 in IdentifyImageGray /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/attribute.c:672:7
    #7 0x7f897b123e2d in IdentifyImageType /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/attribute.c:820:7
    #8 0x7f897b3ca308 in IdentifyImage /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/identify.c:527:8
    #9 0x7f897ab0e591 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickWand/identify.c:336:22
    #10 0x7f897ab85ee6 in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickWand/mogrify.c:183:14
    #11 0x50a495 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/utilities/magick.c:145:10
    #12 0x50a495 in main /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/utilities/magick.c:176
    #13 0x7f89797c061f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/./MagickCore/pixel-accessor.h:507:30 in IsPixelGray
Shadow bytes around the buggy address:
  0x0c207fff8f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8f80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c207fff8f90: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c207fff8fa0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c207fff8fb0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c207fff8fc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8fd0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c207fff8fe0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30875==ABORTING

Affected version:
7.0.3.8

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00090-imagemagick-heapoverflow-IsPixelGray

Timeline:
2016-12-01: bug re-discovered and reported to upstream
2016-12-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/12/01/imagemagick-heap-based-buffer-overflow-in-ispixelgray-pixel-accessor-h-incomplete-fix-for-cve-2016-9556

-- 
Agostino Sarubbo
Gentoo Linux Developer
========================================================================

[2] http://seclists.org/oss-sec/2016/q4/572

[2]:
========================================================================
The updated version which includes the fix for CVE-2016-9556 is 7.0.3.8 (as stated under the affected version 'field').

Anyway, upstream added a patch for this issue:
https://github.com/ImageMagick/ImageMagick/commit/4e8c2ed53fcb54a34b3a6185b2584f26cf6874a3

-- 
Agostino Sarubbo
Gentoo Linux Developer
========================================================================

[3] For CVE-2016-9556 see boo#1011130
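An added triage helper, written for this page and not part of the bug report, of ImageMagick or of the SUSE tooling: it parses an AddressSanitizer report of the kind quoted above, pulls out the error class, the faulting address and access size, the bounds of the allocation ASan matched and both stack traces, and then cross-checks the printed numbers so that a report mangled in transit (mail line wrapping, as happened to the trace above) is noticed before it is filed or used to confirm a fix. The embedded sample is an excerpt of the report above with the wrapped lines rejoined; the dataclass and field names are assumptions of this example.

```python
"""Parse and sanity-check an AddressSanitizer heap-buffer-overflow report (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the report quoted in the bug, with the mail-wrapped lines rejoined.
SAMPLE_REPORT = """\
==30875==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000007cc0 at pc 0x7f897b123267 bp 0x7fff44a4ba70 sp 0x7fff44a4ba68
READ of size 4 at 0x610000007cc0 thread T0
    #0 0x7f897b123266 in IsPixelGray /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/./MagickCore/pixel-accessor.h:507:30
    #1 0x7f897b123266 in IdentifyImageGray /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/attribute.c:677
    #2 0x7f897b123e2d in IdentifyImageType /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/attribute.c:820:7
    #3 0x7f897b3ca308 in IdentifyImage /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/identify.c:527:8

0x610000007cc0 is located 0 bytes to the right of 128-byte region [0x610000007c40,0x610000007cc0)
allocated by thread T0 here:
    #0 0x4d3685 in posix_memalign /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:130
    #1 0x7f897b44a619 in AcquireAlignedMemory /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/memory.c:258:7
    #2 0x7f897b15840e in AcquireCacheNexusPixels /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/cache.c:4636:33

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/./MagickCore/pixel-accessor.h:507:30 in IsPixelGray
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<error>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(
    r"(?P<addr>0x[0-9a-f]+) is located (?P<dist>\d+) bytes to the (?P<side>left|right) of "
    r"(?P<len>\d+)-byte region \[(?P<start>0x[0-9a-f]+),(?P<end>0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^[ \t]+#(?P<idx>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>.+?)[ \t]*$", re.M)


@dataclass
class Frame:
    index: int
    function: str
    location: str


@dataclass
class AsanReport:
    error: str                       # e.g. "heap-buffer-overflow"
    address: int                     # faulting address from the ERROR line
    access: str                      # READ or WRITE
    size: int                        # bytes accessed
    region_start: Optional[int]      # allocation ASan matched, as [start, end)
    region_end: Optional[int]
    region_len: Optional[int]        # length as printed ("128-byte region")
    reported_dist: Optional[int]     # "N bytes to the <side> of"
    reported_side: Optional[str]
    access_frames: List[Frame] = field(default_factory=list)   # stack of the bad access
    alloc_frames: List[Frame] = field(default_factory=list)    # stack of the allocation

    @property
    def bytes_past_end(self) -> Optional[int]:
        """Distance of the faulting address beyond the end of the region (0 = first byte past it)."""
        return None if self.region_end is None else self.address - self.region_end

    def crash_site(self) -> str:
        f = self.access_frames[0]
        return f"{f.function} @ {f.location}"


def _frames(section: str) -> List[Frame]:
    return [Frame(int(m["idx"]), m["func"], m["loc"]) for m in FRAME_RE.finditer(section)]


def parse_asan_report(text: str) -> AsanReport:
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    a = ACCESS_RE.search(text)
    r = REGION_RE.search(text)
    # Frames before "allocated by thread" belong to the access; frames after it (up to SUMMARY) to the allocation.
    head, _, tail = text.partition("allocated by thread")
    tail = tail.split("SUMMARY:", 1)[0]
    return AsanReport(
        error=m["error"], address=int(m["addr"], 16),
        access=a["access"] if a else "UNKNOWN", size=int(a["size"]) if a else 0,
        region_start=int(r["start"], 16) if r else None, region_end=int(r["end"], 16) if r else None,
        region_len=int(r["len"]) if r else None, reported_dist=int(r["dist"]) if r else None,
        reported_side=r["side"] if r else None,
        access_frames=_frames(head), alloc_frames=_frames(tail))


def check_consistency(rep: AsanReport) -> List[str]:
    """Cross-check what ASan printed; any entry means the text was altered (truncated, wrapped, hand-edited)."""
    problems = []
    if rep.region_start is not None and rep.region_end - rep.region_start != rep.region_len:
        problems.append("region bounds do not match printed length")
    if rep.reported_side == "right" and rep.bytes_past_end != rep.reported_dist:
        problems.append("faulting address is not the reported distance past the region end")
    if rep.reported_side == "left" and rep.region_start - rep.address != rep.reported_dist:
        problems.append("faulting address is not the reported distance before the region start")
    if not rep.access_frames:
        problems.append("no access stack frames parsed")
    return problems


if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    print(f"{rep.error}: {rep.access} of {rep.size} bytes, {rep.bytes_past_end} byte(s) past a "
          f"{rep.region_len}-byte region, in {rep.crash_site()}")
    print("consistency problems:", check_consistency(rep) or "none")
```

The consistency check is the part worth keeping around: when a trace arrives wrapped at 72 columns, as the one in this bug did, the region line or a frame may no longer match, and the function returns a non-empty list instead of silently reporting a wrong site.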
Comment 1 Swamp Workflow Management 2016-12-02 23:01:24 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-12-12 15:15:05 UTC
BEFORE

ImageMagick
$ identify 00090-imagemagick-heapoverflow-IsPixelGray
00090-imagemagick-heapoverflow-IsPixelGray PCX 10x129 10x129+0+0 8-bit sRGB 496B 0.000u 0:00.000
$

GraphicsMagick

$ gm identify 00090-imagemagick-heapoverflow-IsPixelGray 
gm identify: Memory allocation failed (00090-imagemagick-heapoverflow-IsPixelGray) [Cannot allocate memory].
gm identify: Request did not return an image.
$

GraphicsMagick dropped ReadStream() between 11 and 42.1 version.

> https://github.com/ImageMagick/ImageMagick/commit/4e8c2ed53fcb54a34b3a6185b2584f26cf6874a3

AFTER

No visible change.
Comment 3 Petr Gajdos 2016-12-13 12:11:49 UTC
(In reply to Petr Gajdos from comment #2)
> GraphicsMagick dropped ReadStream() between 11 and 42.1 version.

*between 11 and 13.2 version.
Comment 4 Bernhard Wiedemann 2016-12-13 19:00:33 UTC
This is an autogenerated message for OBS integration:
This bug (1013376) was mentioned in
https://build.opensuse.org/request/show/445642 13.2 / ImageMagick
Comment 6 Swamp Workflow Management 2016-12-22 14:09:14 UTC
openSUSE-SU-2016:3233-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1009318,1013376,1014159
CVE References: CVE-2016-8707,CVE-2016-8862,CVE-2016-8866,CVE-2016-9556,CVE-2016-9773
Sources used:
openSUSE 13.2 (src):    ImageMagick-6.8.9.8-45.1
Comment 7 Swamp Workflow Management 2016-12-23 15:08:37 UTC
SUSE-SU-2016:3256-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1009318,1011130,1011136,1013376,1014159
CVE References: CVE-2016-7530,CVE-2016-8707,CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9773
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.60.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.60.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.60.1
Comment 8 Swamp Workflow Management 2016-12-23 15:10:18 UTC
SUSE-SU-2016:3258-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1009318,1011130,1011136,1013376,1014159
CVE References: CVE-2014-9848,CVE-2016-8707,CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9773
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-54.1
Comment 10 Swamp Workflow Management 2017-01-04 17:08:31 UTC
openSUSE-SU-2017:0023-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1009318,1011130,1011136,1013376,1014159
CVE References: CVE-2014-9848,CVE-2016-8707,CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9773
Sources used:
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-25.1
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-27.1
Comment 11 Marcus Meissner 2017-06-20 06:59:38 UTC
released