Bug 1049072 - (CVE-2017-11403) VUL-0: CVE-2017-11403: GraphicsMagick, ImageMagick: ReadMNGImage function in coders/png.c has an out-of-order CloseBlob call, resulting in a use-after-free via a crafted file
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/188656/
CVSSv3:SUSE:CVE-2017-11403:8.1:(AV:N/...
Reported: 2017-07-18 06:01 UTC by Johannes Segitz
Modified: 2017-08-28 15:01 UTC
Found By: Security Response Team

Attachments
00301-graphicsmagick-UAF-CloseBlob (138 bytes, application/octet-stream), 2017-08-10 15:17 UTC, Marcus Meissner

Description Johannes Segitz 2017-07-18 06:01:45 UTC
CVE-2017-11403

The ReadMNGImage function in coders/png.c has
an out-of-order CloseBlob call, resulting in a use-after-free via a
crafted file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11403
Comment 2 Petr Gajdos 2017-07-21 14:56:35 UTC
Affected: 42.2/GraphicsMagick, 11/GraphicsMagick, 11/ImageMagick, 12/ImageMagick

Tumbleweed's ImageMagick is not affected.
Comment 3 Petr Gajdos 2017-07-21 14:57:02 UTC
Packages submitted.
Comment 4 Bernhard Wiedemann 2017-07-21 16:00:34 UTC
This is an autogenerated message for OBS integration:
This bug (1049072) was mentioned in
https://build.opensuse.org/request/show/511886 42.2 / GraphicsMagick
Comment 6 Andreas Stieger 2017-07-21 21:05:10 UTC
(In reply to Petr Gajdos from comment #3)
> Packages submitted.

Please remember to include Leap 42.3 in your submissions, e.g. all packages shown with (for openSUSE) osc maintained.
Comment 7 Swamp Workflow Management 2017-07-28 01:07:19 UTC
openSUSE-SU-2017:1985-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1049072
CVE References: CVE-2017-11403
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-17.1
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-11.15.1
Comment 8 Shyukri Shyukriev 2017-08-09 16:39:39 UTC
Hello Petr,

It's still failing after the update:

BEFORE:

gm identify /tmp/SUSE:Maintenance:5072:137280/00301-graphicsmagick-UAF-CloseBlob

gm: magick/blob.c:739: CloseBlob: Assertion `image->signature == 0xabacadabUL' failed.

AFTER:

gm identify /tmp/SUSE:Maintenance:5072:137280/00301-graphicsmagick-UAF-CloseBlob

gm: magick/blob.c:739: CloseBlob: Assertion `image->signature == 0xabacadabUL' failed.

Full log at http://qam.suse.de/testreports/SUSE:Maintenance:5072:137280/log
Comment 9 Marcus Meissner 2017-08-10 15:17:23 UTC
Created attachment 736091 [details]
00301-graphicsmagick-UAF-CloseBlob

QA REPRODUCER:

GraphicsMagick:

gm identify 00301-graphicsmagick-UAF-CloseBlob

or  ImageMagick
identify 00301-graphicsmagick-UAF-CloseBlob

should not crash or abort.
Comment 10 Marcus Meissner 2017-08-10 15:18:17 UTC
After it should not really report the assert() anymore; this means something is wrong.
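The description says the bug is an out-of-order CloseBlob call, and comment 8 shows how it surfaces: CloseBlob's check `image->signature == 0xabacadabUL` fails because the image it is handed has already been destroyed. The following is an added illustration of that lifecycle check and of the two call orders, not GraphicsMagick source: the `Blob`/`Image` structs and the `init_image`, `close_blob`, `destroy_image` and `finish_read` functions are hypothetical stand-ins, only the magic constant comes from the assertion quoted in the bug, and the `Image` is kept on the stack so the post-destroy read is deterministic rather than the real use-after-free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not GraphicsMagick source: the struct and function
   names below are hypothetical stand-ins for Image/BlobInfo, CloseBlob and
   DestroyImage. Only the magic value is taken from the assertion quoted in
   the bug: every live Image carries it, and CloseBlob checks it. */
#define MAGICK_SIGNATURE 0xabacadabUL

typedef struct {
    unsigned char *data;   /* decoder input (constructed in-memory blob) */
    size_t length;
    int is_open;
} Blob;

typedef struct {
    unsigned long signature;   /* MAGICK_SIGNATURE while live, 0 once destroyed */
    Blob *blob;
} Image;

/* Build a live image around a caller-supplied byte string. */
static void init_image(Image *image, const unsigned char *data, size_t length)
{
    image->blob = malloc(sizeof *image->blob);
    image->blob->data = malloc(length);
    memcpy(image->blob->data, data, length);
    image->blob->length = length;
    image->blob->is_open = 1;
    image->signature = MAGICK_SIGNATURE;
}

/* Contract of CloseBlob: the image must still be live. The real function
   asserts on the signature (the abort seen in comment 8); this version
   returns -1 instead so the misuse can be observed from a test. */
static int close_blob(Image *image)
{
    if (image->signature != MAGICK_SIGNATURE)
        return -1;             /* destroyed or never initialised: refuse to touch blob */
    image->blob->is_open = 0;
    return 0;
}

/* Tear down: release the blob and invalidate the signature, so that any
   later call through this image is caught by the check in close_blob. */
static void destroy_image(Image *image)
{
    if (image->blob != NULL) {
        free(image->blob->data);
        free(image->blob);
        image->blob = NULL;
    }
    image->signature = 0;
}

/* The tail of a decoder, in both possible orders. close_first == 0 has the
   shape of the reported bug: the image is destroyed first, so the later
   CloseBlob operates on an object whose lifetime has ended. The Image here
   lives on the stack, so the post-destroy read is well defined; in the real
   code the struct was heap memory that had already been freed (the
   use-after-free), and the assertion fired only because the freed memory
   still held the zeroed signature. Returns 0 for a clean shutdown, -1 if
   close_blob rejected a dead image. */
int finish_read(int close_first)
{
    /* Constructed input: just the 8-byte MNG file signature. */
    static const unsigned char constructed_input[] =
        { 0x8a, 'M', 'N', 'G', '\r', '\n', 0x1a, '\n' };
    Image image;
    int status;

    init_image(&image, constructed_input, sizeof constructed_input);
    if (close_first) {
        status = close_blob(&image);   /* fixed order: close while still live ... */
        destroy_image(&image);         /* ... then destroy */
    } else {
        destroy_image(&image);         /* buggy order: destroy first ... */
        status = close_blob(&image);   /* ... CloseBlob now sees signature == 0 */
    }
    return status;
}

int main(void)
{
    printf("status legend: 0 = clean shutdown, -1 = CloseBlob called on a dead image\n");
    printf("destroy then close: %d\n", finish_read(0));
    printf("close then destroy: %d\n", finish_read(1));
    return 0;
}
```

The signature field is a canary: it turns a silent use of a destroyed object into a deterministic abort, which is exactly what the QA run in comment 8 reported and why a still-firing assert after the update meant the ordering fix had not landed. It does not remove the underlying memory-safety bug, so a reproducer like the one in comment 9 is best run under AddressSanitizer as well, which reports the freed-memory read itself rather than relying on the canary surviving in freed memory.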
Comment 11 Petr Gajdos 2017-08-11 07:09:50 UTC
security-team,

if there is something wrong, then please decline the update and reassign the bug to me. I have no time to work on it right now.
Comment 12 Petr Gajdos 2017-08-14 10:32:16 UTC
GraphicsMagick 1.3.26 still exposes the issue, master of mercurial repo does not.
Comment 13 Petr Gajdos 2017-08-14 12:28:09 UTC
In addition to the commit referenced in comment 1,

http://hg.code.sf.net/p/graphicsmagick/code/rev/cd699a44f188

is needed too, it seems.
Comment 14 Petr Gajdos 2017-08-14 12:29:57 UTC
Package re-submitted.
Comment 18 Swamp Workflow Management 2017-08-16 16:08:35 UTC
SUSE-SU-2017:2176-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1042826,1043289,1049072
CVE References: CVE-2017-11403,CVE-2017-9439,CVE-2017-9501
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.5.2
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.5.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.5.2
Comment 19 Swamp Workflow Management 2017-08-17 10:09:54 UTC
SUSE-SU-2017:2199-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1042812,1042826,1043289,1049072
CVE References: CVE-2017-11403,CVE-2017-9439,CVE-2017-9440,CVE-2017-9501
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.5.3
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.5.3
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.5.3
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.5.3
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.5.3
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.5.3
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.5.3
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.5.3
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.5.3
Comment 20 Swamp Workflow Management 2017-08-22 16:08:34 UTC
SUSE-SU-2017:2229-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1036985,1042826,1043289,1049072,1050611,1050674
CVE References: CVE-2017-11403,CVE-2017-11636,CVE-2017-11643,CVE-2017-8350,CVE-2017-9439,CVE-2017-9501
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.78.9.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.9.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.9.1
Comment 21 Marcus Meissner 2017-08-25 12:47:35 UTC
released
Comment 22 Swamp Workflow Management 2017-08-28 13:08:41 UTC
openSUSE-SU-2017:2271-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1042812,1042826,1043289,1049072
CVE References: CVE-2017-11403,CVE-2017-9439,CVE-2017-9440,CVE-2017-9501
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-34.1
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-30.6.1