Bugzilla – Bug 1050135
VUL-1: CVE-2017-11534: GraphicsMagick, ImageMagick: Memory Leak in the lite_font_map() in coders/wmf.c
Last modified: 2018-02-09 14:36:17 UTC
Created attachment 733509
Reproducer CVE-2017-11534

When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to a Memory Leak in the lite_font_map() function in coders/wmf.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11534
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11534
https://github.com/ImageMagick/ImageMagick/issues/564
leaks a "ps_name" string sized entity.
BEFORE

12/ImageMagick
$ valgrind -q --leak-check=full convert memory-leak_output_art_lite_font_map output.art
ERROR: player.c (470): libwmf: wmf with bizarre record size; bailing...
ERROR: player.c (471): please send it to us at http://www.wvware.com/
maximum record size = 672189549
record size = 4115708906
convert: failed to scan file `memory-leak_output_art_lite_font_map' @ error/wmf.c/ReadWMFImage/2705.
convert: no images defined `output.art' @ error/convert.c/ConvertImageCommand/3149.
==26592== 64 bytes in 1 blocks are definitely lost in loss record 46 of 95
==26592==    at 0x4C2B6A0: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26592==    by 0x4C2B7B7: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26592==    by 0x4FBA4B7: AcquireSemaphoreMemory (semaphore.c:151)
==26592==    by 0x4FBA4B7: AllocateSemaphoreInfo (semaphore.c:197)
==26592==    by 0x4F22ADA: GetExceptionInfo (exception.c:428)
==26592==    by 0x841AE14: ???
==26592==    by 0x8629757: ???
==26592==    by 0x862F192: ???
==26592==    by 0x8636B6E: ???
==26592==    by 0x841B2E8: ???
==26592==    by 0x4EBF2BA: ReadImage (constitute.c:601)
==26592==    by 0x4EC037A: ReadImages (constitute.c:907)
==26592==    by 0x5319BAE: ConvertImageCommand (convert.c:617)
==26592==
==26592== 120 (56 direct, 64 indirect) bytes in 1 blocks are definitely lost in loss record 62 of 95
==26592==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26592==    by 0x4F3EEA2: NewLinkedList (hashmap.c:1367)
==26592==    by 0x4F22AD1: GetExceptionInfo (exception.c:427)
==26592==    by 0x841AE14: ???
==26592==    by 0x8629757: ???
==26592==    by 0x862F192: ???
==26592==    by 0x8636B6E: ???
==26592==    by 0x841B2E8: ???
==26592==    by 0x4EBF2BA: ReadImage (constitute.c:601)
==26592==    by 0x4EC037A: ReadImages (constitute.c:907)
==26592==    by 0x5319BAE: ConvertImageCommand (convert.c:617)
==26592==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==26592==
==26592== 720 bytes in 1 blocks are definitely lost in loss record 83 of 95
==26592==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26592==    by 0x4EFC5B7: CloneDrawInfo (draw.c:252)
==26592==    by 0x841B239: ???
==26592==    by 0x4EBF2BA: ReadImage (constitute.c:601)
==26592==    by 0x4EC037A: ReadImages (constitute.c:907)
==26592==    by 0x5319BAE: ConvertImageCommand (convert.c:617)
==26592==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==26592==    by 0x400906: ConvertMain (convert.c:81)
==26592==    by 0x400906: main (convert.c:92)
==26592==
==26592== 4,101 bytes in 1 blocks are definitely lost in loss record 90 of 95
==26592==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26592==    by 0x4FD138E: AcquireString (string.c:132)
==26592==    by 0x4FD1734: CloneString (string.c:279)
==26592==    by 0x841AEE1: ???
==26592==    by 0x8629757: ???
==26592==    by 0x862F192: ???
==26592==    by 0x8636B6E: ???
==26592==    by 0x841B2E8: ???
==26592==    by 0x4EBF2BA: ReadImage (constitute.c:601)
==26592==    by 0x4EC037A: ReadImages (constitute.c:907)
==26592==    by 0x5319BAE: ConvertImageCommand (convert.c:617)
==26592==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==26592==
$

11/ImageMagick
$ valgrind -q --leak-check=full convert memory-leak_output_art_lite_font_map output.art
ERROR: player.c (470): libwmf: wmf with bizarre record size; bailing...
ERROR: player.c (471): please send it to us at http://www.wvware.com/
maximum record size = 672189549
record size = 4115708906
convert: Failed to scan file `memory-leak_output_art_lite_font_map'.
convert: missing an image filename `output.art'.
==24684==
==24684== 64 bytes in 1 blocks are definitely lost in loss record 8 of 32
==24684==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==24684==    by 0x4F05122: NewLinkedList (hashmap.c:1406)
==24684==    by 0x4EF0535: GetExceptionInfo (exception.c:418)
==24684==    by 0x9F0B9B8: ???
==24684==    by 0xA120006: ???
==24684==    by 0xA120A68: ???
==24684==    by 0xA1283B3: ???
==24684==    by 0x9F0A8BA: ???
==24684==    by 0x4E94D87: ReadImage (constitute.c:441)
==24684==    by 0x5292BC3: ConvertImageCommand (convert.c:565)
==24684==    by 0x400F73: main (convert.c:122)
==24684==
==24684==
==24684== 450 bytes in 20 blocks are definitely lost in loss record 19 of 32
==24684==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==24684==    by 0x5EB3AB3: FcStrCopy (in /usr/lib64/libfontconfig.so.1.3.0)
==24684==    by 0x5EB6FF4: (within /usr/lib64/libfontconfig.so.1.3.0)
==24684==    by 0x86DF202: (within /lib64/libexpat.so.1.5.2)
==24684==    by 0x86E0133: (within /lib64/libexpat.so.1.5.2)
==24684==    by 0x86DAC79: XML_ParseBuffer (in /lib64/libexpat.so.1.5.2)
==24684==    by 0x5EB5518: FcConfigParseAndLoad (in /usr/lib64/libfontconfig.so.1.3.0)
==24684==    by 0x5EB57FD: FcConfigParseAndLoad (in /usr/lib64/libfontconfig.so.1.3.0)
==24684==    by 0x5EB6C54: (within /usr/lib64/libfontconfig.so.1.3.0)
==24684==    by 0x86DF202: (within /lib64/libexpat.so.1.5.2)
==24684==    by 0x86E0133: (within /lib64/libexpat.so.1.5.2)
==24684==    by 0x86E1CC9: (within /lib64/libexpat.so.1.5.2)
==24684==
==24684==
==24684== 3,168 (2,816 direct, 352 indirect) bytes in 11 blocks are definitely lost in loss record 24 of 32
==24684==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==24684==    by 0x5EB10BA: (within /usr/lib64/libfontconfig.so.1.3.0)
==24684==    by 0x5EB1AFC: (within /usr/lib64/libfontconfig.so.1.3.0)
==24684==    by 0x5EB1C1C: (within /usr/lib64/libfontconfig.so.1.3.0)
==24684==    by 0x5EB6BD0: (within /usr/lib64/libfontconfig.so.1.3.0)
==24684==    by 0x86DF202: (within /lib64/libexpat.so.1.5.2)
==24684==    by 0x86E0133: (within /lib64/libexpat.so.1.5.2)
==24684==    by 0x86DAC79: XML_ParseBuffer (in /lib64/libexpat.so.1.5.2)
==24684==    by 0x5EB5518: FcConfigParseAndLoad (in /usr/lib64/libfontconfig.so.1.3.0)
==24684==    by 0x5EB57FD: FcConfigParseAndLoad (in /usr/lib64/libfontconfig.so.1.3.0)
==24684==    by 0x5EB6C54: (within /usr/lib64/libfontconfig.so.1.3.0)
==24684==    by 0x86DF202: (within /lib64/libexpat.so.1.5.2)
==24684==
==24684==
==24684== 4,101 bytes in 1 blocks are definitely lost in loss record 27 of 32
==24684==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==24684==    by 0x4F6F8B9: AcquireString (string.c:123)
==24684==    by 0x4F70357: CloneString (string.c:218)
==24684==    by 0x9F0BAA8: ???
==24684==    by 0xA120006: ???
==24684==    by 0xA120A68: ???
==24684==    by 0xA1283B3: ???
==24684==    by 0x9F0A8BA: ???
==24684==    by 0x4E94D87: ReadImage (constitute.c:441)
==24684==    by 0x5292BC3: ConvertImageCommand (convert.c:565)
==24684==    by 0x400F73: main (convert.c:122)
$

42.3/GraphicsMagick
$ valgrind -q --leak-check=full gm convert memory-leak_output_art_lite_font_map output.art
ERROR: player.c (470): libwmf: wmf with bizarre record size; bailing...
ERROR: player.c (471): please send it to us at http://www.wvware.com/
maximum record size = 672189549
record size = 4115708906
gm convert: Failed to scan file (memory-leak_output_art_lite_font_map) [No such file or directory].
$

42.2/GraphicsMagick
$ valgrind -q --leak-check=full gm convert memory-leak_output_art_lite_font_map output.art
ERROR: player.c (470): libwmf: wmf with bizarre record size; bailing...
ERROR: player.c (471): please send it to us at http://www.wvware.com/
maximum record size = 672189549
record size = 4115708906
gm convert: Failed to scan file (memory-leak_output_art_lite_font_map) [No such file or directory].
$

11/GraphicsMagick
$ valgrind -q --leak-check=full gm convert memory-leak_output_art_lite_font_map output.art
ERROR: player.c (470): libwmf: wmf with bizarre record size; bailing...
ERROR: player.c (471): please send it to us at http://www.wvware.com/
maximum record size = 672189549
record size = 4115708906
gm convert: Failed to scan file (memory-leak_output_art_lite_font_map).
==16314==
==16314== 2,065 bytes in 1 blocks are definitely lost in loss record 2 of 2
==16314==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==16314==    by 0x4C25837: realloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==16314==    by 0x4EF3101: MagickRealloc (memory.c:242)
==16314==    by 0x4F26921: CloneString (utility.c:551)
==16314==    by 0x822D7A3: ???
==16314==    by 0x8442006: ???
==16314==    by 0x8442A68: ???
==16314==    by 0x844A3B3: ???
==16314==    by 0x8230B5D: ???
==16314==    by 0x4EA044C: ReadImage (constitute.c:6000)
==16314==    by 0x4E8CE5D: ConvertImageCommand (command.c:3171)
==16314==    by 0x4E73673: MagickCommand (command.c:7654)
$

PATCH

ImageMagick-6
https://github.com/ImageMagick/ImageMagick/commit/3f21b17f06eacb40dab08738e0abf68fb0d58c90

ImageMagick-7
https://github.com/ImageMagick/ImageMagick/commit/2154275001219fbeed12119d4f0018929f5d0acf

AFTER

12/ImageMagick
$ valgrind -q --leak-check=full convert memory-leak_output_art_lite_font_map output.art
ERROR: player.c (470): libwmf: wmf with bizarre record size; bailing...
ERROR: player.c (471): please send it to us at http://www.wvware.com/
maximum record size = 672189549
record size = 4115708906
convert: failed to scan file `memory-leak_output_art_lite_font_map' @ error/wmf.c/ReadWMFImage/2725.
convert: no images defined `output.art' @ error/convert.c/ConvertImageCommand/3149.
==5766== 64 bytes in 1 blocks are definitely lost in loss record 46 of 93
==5766==    at 0x4C2B6A0: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5766==    by 0x4C2B7B7: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5766==    by 0x4FBA4B7: AcquireSemaphoreMemory (semaphore.c:151)
==5766==    by 0x4FBA4B7: AllocateSemaphoreInfo (semaphore.c:197)
==5766==    by 0x4F22ADA: GetExceptionInfo (exception.c:428)
==5766==    by 0x841ADD4: ???
==5766==    by 0x8629757: ???
==5766==    by 0x862F192: ???
==5766==    by 0x8636B6E: ???
==5766==    by 0x841B311: ???
==5766==    by 0x4EBF2BA: ReadImage (constitute.c:601)
==5766==    by 0x4EC037A: ReadImages (constitute.c:907)
==5766==    by 0x5319BAE: ConvertImageCommand (convert.c:617)
==5766==
==5766== 120 (56 direct, 64 indirect) bytes in 1 blocks are definitely lost in loss record 62 of 93
==5766==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5766==    by 0x4F3EEA2: NewLinkedList (hashmap.c:1367)
==5766==    by 0x4F22AD1: GetExceptionInfo (exception.c:427)
==5766==    by 0x841ADD4: ???
==5766==    by 0x8629757: ???
==5766==    by 0x862F192: ???
==5766==    by 0x8636B6E: ???
==5766==    by 0x841B311: ???
==5766==    by 0x4EBF2BA: ReadImage (constitute.c:601)
==5766==    by 0x4EC037A: ReadImages (constitute.c:907)
==5766==    by 0x5319BAE: ConvertImageCommand (convert.c:617)
==5766==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==5766==
$
Memory leaks related to CloneString() vanished.

11/ImageMagick
$ valgrind -q --leak-check=full convert memory-leak_output_art_lite_font_map output.art
ERROR: player.c (470): libwmf: wmf with bizarre record size; bailing...
ERROR: player.c (471): please send it to us at http://www.wvware.com/
maximum record size = 672189549
record size = 4115708906
convert: Failed to scan file `memory-leak_output_art_lite_font_map'.
convert: missing an image filename `output.art'.
==9609==
==9609== 64 bytes in 1 blocks are definitely lost in loss record 8 of 31
==9609==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==9609==    by 0x4F05122: NewLinkedList (hashmap.c:1406)
==9609==    by 0x4EF0535: GetExceptionInfo (exception.c:418)
==9609==    by 0x9F0BB18: ???
==9609==    by 0xA120006: ???
==9609==    by 0xA120A68: ???
==9609==    by 0xA1283B3: ???
==9609==    by 0x9F0A91A: ???
==9609==    by 0x4E94D87: ReadImage (constitute.c:441)
==9609==    by 0x5292BC3: ConvertImageCommand (convert.c:565)
==9609==    by 0x400F73: main (convert.c:122)
==9609==
==9609==
==9609== 450 bytes in 20 blocks are definitely lost in loss record 19 of 31
==9609==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==9609==    by 0x5EB3AB3: FcStrCopy (in /usr/lib64/libfontconfig.so.1.3.0)
==9609==    by 0x5EB6FF4: (within /usr/lib64/libfontconfig.so.1.3.0)
==9609==    by 0x86DF202: (within /lib64/libexpat.so.1.5.2)
==9609==    by 0x86E0133: (within /lib64/libexpat.so.1.5.2)
==9609==    by 0x86DAC79: XML_ParseBuffer (in /lib64/libexpat.so.1.5.2)
==9609==    by 0x5EB5518: FcConfigParseAndLoad (in /usr/lib64/libfontconfig.so.1.3.0)
==9609==    by 0x5EB57FD: FcConfigParseAndLoad (in /usr/lib64/libfontconfig.so.1.3.0)
==9609==    by 0x5EB6C54: (within /usr/lib64/libfontconfig.so.1.3.0)
==9609==    by 0x86DF202: (within /lib64/libexpat.so.1.5.2)
==9609==    by 0x86E0133: (within /lib64/libexpat.so.1.5.2)
==9609==    by 0x86E1CC9: (within /lib64/libexpat.so.1.5.2)
==9609==
==9609==
==9609== 3,168 (2,816 direct, 352 indirect) bytes in 11 blocks are definitely lost in loss record 24 of 31
==9609==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==9609==    by 0x5EB10BA: (within /usr/lib64/libfontconfig.so.1.3.0)
==9609==    by 0x5EB1AFC: (within /usr/lib64/libfontconfig.so.1.3.0)
==9609==    by 0x5EB1C1C: (within /usr/lib64/libfontconfig.so.1.3.0)
==9609==    by 0x5EB6BD0: (within /usr/lib64/libfontconfig.so.1.3.0)
==9609==    by 0x86DF202: (within /lib64/libexpat.so.1.5.2)
==9609==    by 0x86E0133: (within /lib64/libexpat.so.1.5.2)
==9609==    by 0x86DAC79: XML_ParseBuffer (in /lib64/libexpat.so.1.5.2)
==9609==    by 0x5EB5518: FcConfigParseAndLoad (in /usr/lib64/libfontconfig.so.1.3.0)
==9609==    by 0x5EB57FD: FcConfigParseAndLoad (in /usr/lib64/libfontconfig.so.1.3.0)
==9609==    by 0x5EB6C54: (within /usr/lib64/libfontconfig.so.1.3.0)
==9609==    by 0x86DF202: (within /lib64/libexpat.so.1.5.2)
$
Memory leaks related to CloneString() vanished.

11/GraphicsMagick:
$ valgrind -q --leak-check=full gm convert memory-leak_output_art_lite_font_map output.art
valgrind: warning (non-fatal): readlink("/proc/self/exe") failed.
valgrind: continuing, however --trace-children=yes will not work.
--16342:0:aspacem Valgrind: FATAL: can't open /proc/self/maps
--16342:0:aspacem Exiting now.
alef:/050135> mount /proc
alef:/050135> valgrind -q --leak-check=full gm convert memory-leak_output_art_lite_font_map output.art
ERROR: player.c (470): libwmf: wmf with bizarre record size; bailing...
ERROR: player.c (471): please send it to us at http://www.wvware.com/
maximum record size = 672189549
record size = 4115708906
gm convert: Failed to scan file (memory-leak_output_art_lite_font_map).
$
Memory leaks related to CloneString() vanished.

Summary: Affected 11/GraphicsMagick, 11/ImageMagick, 12/ImageMagick
I believe all fixed.
I got the output before and after updating. Obviously, the output is different from comment#2 on SLE11SP4. Please check it.

Update ID: SUSE:Maintenance:5960:144877
Version: 6.4.3.6-7.78.5.2 (before), 6.4.3.6-7.78.8.1 (after)
Package: ImageMagick

# valgrind -q --leak-check=full convert memory-leak_output_art_lite_font_map output.art
ERROR: player.c (470): libwmf: wmf with bizarre record size; bailing...
ERROR: player.c (471): please send it to us at http://www.wvware.com/
maximum record size = 672189549
record size = 4115708906
convert: Delegate failed `"wmf2eps" -o "%o" "%i"'.
convert: unable to open image `/tmp/magick-XXQIAiB4': No such file or directory.
convert: unable to open file `/tmp/magick-XXQIAiB4': No such file or directory.
convert: missing an image filename `output.art'.
This is the strace output: http://paste.suse.de/18739
(# strace -f convert memory-leak_output_art_lite_font_map output.art)

If you want more information, feel free to ask me.
SUSE-SU-2017:2949-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1049379,1050135,1052249,1052253,1052545,1054924,1055219,1055430,1061873
CVE References: CVE-2016-7530,CVE-2017-11446,CVE-2017-11534,CVE-2017-12428,CVE-2017-12431,CVE-2017-12433,CVE-2017-13133,CVE-2017-13139,CVE-2017-15033
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Server 12-SP3 (src): ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Server 12-SP2 (src): ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Desktop 12-SP3 (src): ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Desktop 12-SP2 (src): ImageMagick-6.8.8.1-71.12.1
openSUSE-SU-2017:2999-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1049379,1050135,1052249,1052253,1052545,1054924,1055219,1055430,1061873
CVE References: CVE-2016-7530,CVE-2017-11446,CVE-2017-11534,CVE-2017-12428,CVE-2017-12431,CVE-2017-12433,CVE-2017-13133,CVE-2017-13139,CVE-2017-15033
Sources used:
openSUSE Leap 42.3 (src): ImageMagick-6.8.8.1-37.1
openSUSE Leap 42.2 (src): ImageMagick-6.8.8.1-30.9.1
SUSE-SU-2017:3056-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1050135,1054596,1054598,1055042,1055050,1055430,1061873
CVE References: CVE-2017-11534,CVE-2017-12936,CVE-2017-12937,CVE-2017-13063,CVE-2017-13064,CVE-2017-13139,CVE-2017-15033
Sources used:
SUSE Studio Onsite 1.3 (src): GraphicsMagick-1.2.5-4.78.16.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): GraphicsMagick-1.2.5-4.78.16.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): GraphicsMagick-1.2.5-4.78.16.1
Petr, could you please check comment 5. So far I was also unable to see CloneString() inside the valgrind output.
(In reply to Alexander Bergmann from comment #12)
> Petr, could you please check comment 5. So far I was also unable to see
> CloneString() inside the valgrind output.

I do not know what I should check. I was able to reproduce as I had written; if you can't, I simply cannot do anything else for you. Try to comment out all patches from CVE-2017-11534.patch (including) upwards and then retry. Given the number of Magick bugs, it might happen that this CVE is a follow-up of some CVE in the same update.
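The BEFORE/AFTER comparison in the reproduction comment and the later question of whether CloneString() still shows up in the valgrind output come down to one mechanical check: is there any "definitely lost" record whose stack passes through CloneString? The following script is an added example for this bug page, not code from the report or from ImageMagick/GraphicsMagick. It parses `valgrind -q --leak-check=full` output into records, filters them by frame name, and compares two runs. The embedded BEFORE_LOG and AFTER_LOG are constructed excerpts trimmed from the 12/ImageMagick runs quoted in this bug (unrelated frames dropped); the names parse_leaks, records_with_frame and leak_summary are the example's own.

```python
import re
from dataclasses import dataclass, field

# valgrind prefixes every line with "==PID== "; strip it before matching.
PID_PREFIX = re.compile(r"^==\d+==\s?")

# Loss-record header, in both spellings valgrind uses:
#   "4,101 bytes in 1 blocks are definitely lost in loss record 90 of 95"
#   "120 (56 direct, 64 indirect) bytes in 1 blocks are definitely lost in loss record 62 of 95"
RECORD_RE = re.compile(
    r"^(?P<bytes>[\d,]+)(?: \([^)]*\))? bytes in (?P<blocks>\d+) blocks are "
    r"(?P<kind>definitely|indirectly|possibly|still) (?:lost|reachable) "
    r"in loss record (?P<no>\d+) of (?P<total>\d+)"
)

# One stack frame: "at 0x...: malloc (in ...)", "by 0x...: CloneString (string.c:279)",
# "by 0x...: ???" (no symbols) or "by 0x...: (within /usr/lib64/libfontconfig.so.1.3.0)".
FRAME_RE = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+:\s*(?P<fn>[^\s(]*)")


@dataclass
class LeakRecord:
    number: int       # "loss record N of M"
    bytes_lost: int   # total from the header (direct + indirect)
    blocks: int
    kind: str         # definitely / indirectly / possibly / still
    frames: list = field(default_factory=list)  # function names, innermost first


def parse_leaks(text):
    """Turn raw valgrind output into LeakRecord objects.

    Anything that is not a header or a frame (libwmf ERROR lines, convert
    diagnostics, blank "==PID==" separators) simply ends the current record.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = PID_PREFIX.sub("", raw).strip()
        header = RECORD_RE.match(line)
        if header:
            current = LeakRecord(
                number=int(header["no"]),
                bytes_lost=int(header["bytes"].replace(",", "")),
                blocks=int(header["blocks"]),
                kind=header["kind"],
            )
            records.append(current)
            continue
        frame = FRAME_RE.match(line)
        if frame and current is not None:
            current.frames.append(frame["fn"] or "?")  # "(within lib)" frames carry no name
            continue
        current = None
    return records


def records_with_frame(records, function_name):
    """Loss records whose stack passes through function_name (e.g. "CloneString")."""
    return [r for r in records if function_name in r.frames]


def leak_summary(before_text, after_text, function_name):
    """Bytes and records attributed to function_name in each of two runs."""
    before = records_with_frame(parse_leaks(before_text), function_name)
    after = records_with_frame(parse_leaks(after_text), function_name)
    return {
        "before_records": len(before),
        "before_bytes": sum(r.bytes_lost for r in before),
        "after_records": len(after),
        "after_bytes": sum(r.bytes_lost for r in after),
    }


# Constructed excerpt of the 12/ImageMagick BEFORE run from this bug.
BEFORE_LOG = """\
convert: failed to scan file `memory-leak_output_art_lite_font_map' @ error/wmf.c/ReadWMFImage/2705.
==26592== 64 bytes in 1 blocks are definitely lost in loss record 46 of 95
==26592==    at 0x4C2B6A0: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26592==    by 0x4F22ADA: GetExceptionInfo (exception.c:428)
==26592==    by 0x841AE14: ???
==26592==
==26592== 120 (56 direct, 64 indirect) bytes in 1 blocks are definitely lost in loss record 62 of 95
==26592==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26592==    by 0x4F3EEA2: NewLinkedList (hashmap.c:1367)
==26592==    by 0x4F22AD1: GetExceptionInfo (exception.c:427)
==26592==
==26592== 4,101 bytes in 1 blocks are definitely lost in loss record 90 of 95
==26592==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26592==    by 0x4FD138E: AcquireString (string.c:132)
==26592==    by 0x4FD1734: CloneString (string.c:279)
==26592==    by 0x841AEE1: ???
==26592==    by 0x4EBF2BA: ReadImage (constitute.c:601)
==26592==
"""

# Constructed excerpt of the AFTER run: the CloneString record is gone, the
# two GetExceptionInfo records (unrelated to this CVE) remain.
AFTER_LOG = """\
==5766== 64 bytes in 1 blocks are definitely lost in loss record 46 of 93
==5766==    at 0x4C2B6A0: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5766==    by 0x4F22ADA: GetExceptionInfo (exception.c:428)
==5766==
==5766== 120 (56 direct, 64 indirect) bytes in 1 blocks are definitely lost in loss record 62 of 93
==5766==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5766==    by 0x4F3EEA2: NewLinkedList (hashmap.c:1367)
==5766==
"""

if __name__ == "__main__":
    for rec in parse_leaks(BEFORE_LOG):
        print(f"record {rec.number}: {rec.bytes_lost} bytes {rec.kind} lost via {' < '.join(rec.frames)}")
    print(leak_summary(BEFORE_LOG, AFTER_LOG, "CloneString"))
```

For real captures, run `valgrind -q --leak-check=full convert ... 2> before.txt` (valgrind reports on stderr) for the old and new packages and pass the two file contents to leak_summary. Matching on the frame name rather than grepping the whole output is deliberate: the `???` and `(within ...)` frames and the hexadecimal addresses change between builds, while a named frame such as CloneString does not, so the check stays stable across the 6.x and 7.x outputs quoted in this bug.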
SUSE-SU-2017:3168-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1050135,1055219,1055430,1061873
CVE References: CVE-2017-11534,CVE-2017-13133,CVE-2017-13139,CVE-2017-15033
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ImageMagick-6.4.3.6-7.78.8.1
SUSE Linux Enterprise Server 11-SP4 (src): ImageMagick-6.4.3.6-7.78.8.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): ImageMagick-6.4.3.6-7.78.8.1
released