First Last Prev Next    This bug is not in your last search results.
Bug 1050037 - (CVE-2017-11539) VUL-2: CVE-2017-11539: GraphicsMagick, ImageMagick: Memory Leak in ReadOnePNGImage()
(CVE-2017-11539)
VUL-2: CVE-2017-11539: GraphicsMagick, ImageMagick: Memory Leak in ReadOnePN...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/189017/
CVSSv3:SUSE:CVE-2017-11539:7.5:(AV:N/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-24 06:40 UTC by Johannes Segitz
Modified: 2018-02-09 23:37 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Reproducer (553 bytes, image/png)
2017-07-24 06:40 UTC, Johannes Segitz 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2017-07-24 06:40:05 UTC 
Created attachment 733419 [details]
Reproducer

CVE-2017-11539

When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to a
Memory Leak in the ReadOnePNGImage() function in coders/png.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11539
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11539
https://github.com/ImageMagick/ImageMagick/issues/582
Comment 1 Marcus Meissner 2017-09-27 15:23:49 UTC 
minor memory leak. deferable.
Comment 3 Petr Gajdos 2018-01-14 21:30:53 UTC 
12/ImageMagick

BEFORE

$ valgrind -q --leak-check=full convert memory-leak_output_art_ReadOnePNGImage output.art
convert: gAMA: gamma value does not match sRGB `memory-leak_output_art_ReadOnePNGImage' @ warning/png.c/MagickPNGWarningHandler/1828.
convert: cHRM: invalid values `memory-leak_output_art_ReadOnePNGImage' @ warning/png.c/MagickPNGWarningHandler/1828.
convert: bad adaptive filter value `memory-leak_output_art_ReadOnePNGImage' @ error/png.c/MagickPNGErrorHandler/1802.
convert: corrupt image `memory-leak_output_art_ReadOnePNGImage' @ error/png.c/ReadPNGImage/4046.
convert: no images defined `output.art' @ error/convert.c/ConvertImageCommand/3149.
==20915== 4,512 (152 direct, 4,360 indirect) bytes in 1 blocks are definitely lost in loss record 13 of 13
==20915==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20915==    by 0x4F8C307: AcquireQuantumInfo (quantum.c:123)
==20915==    by 0x842F866: ???
==20915==    by 0x8430627: ???
==20915==    by 0x4EBFE1A: ReadImage (constitute.c:601)
==20915==    by 0x4EC0EDA: ReadImages (constitute.c:907)
==20915==    by 0x5319B8E: ConvertImageCommand (convert.c:617)
==20915==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==20915==    by 0x400836: ConvertMain (convert.c:81)
==20915==    by 0x400836: main (convert.c:92)
==20915== 
$

AFTER

$ valgrind -q --leak-check=full convert memory-leak_output_art_ReadOnePNGImage output.art
convert: gAMA: gamma value does not match sRGB `memory-leak_output_art_ReadOnePNGImage' @ warning/png.c/MagickPNGWarningHandler/1828.
convert: cHRM: invalid values `memory-leak_output_art_ReadOnePNGImage' @ warning/png.c/MagickPNGWarningHandler/1828.
convert: bad adaptive filter value `memory-leak_output_art_ReadOnePNGImage' @ error/png.c/MagickPNGErrorHandler/1802.
convert: no images defined `output.art' @ error/convert.c/ConvertImageCommand/3149.
$
Comment 7 Petr Gajdos 2018-01-16 07:29:42 UTC 
11/ImageMagick

BEFORE

$ valgrind -q --leak-check=full convert memory-leak_output_art_ReadOnePNGImage output.art
gamma = (3846543/100000)
convert: Ignoring incorrect gAMA value when sRGB is also present `memory-leak_output_art_ReadOnePNGImage'.
convert: Invalid cHRM white point `memory-leak_output_art_ReadOnePNGImage'.
convert: Ignoring bad adaptive filter type `memory-leak_output_art_ReadOnePNGImage'.
convert: incorrect data check `memory-leak_output_art_ReadOnePNGImage'.
convert: Corrupt image `memory-leak_output_art_ReadOnePNGImage'.
convert: missing an image filename `output.art'.
==10598== 
==10598== 192 bytes in 1 blocks are definitely lost in loss record 2 of 4
==10598==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==10598==    by 0x9F18FAD: ???
==10598==    by 0x9F19A19: ???
==10598==    by 0x4E94D87: ReadImage (constitute.c:441)
==10598==    by 0x5292BC3: ConvertImageCommand (convert.c:565)
==10598==    by 0x400F73: main (convert.c:122)
==10598== 
==10598== 
==10598== 345 (104 direct, 241 indirect) bytes in 1 blocks are definitely lost in loss record 3 of 4
==10598==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==10598==    by 0x4F3EE72: AcquireQuantumInfo (quantum.c:112)
==10598==    by 0x9F17CD6: ???
==10598==    by 0x9F19A19: ???
==10598==    by 0x4E94D87: ReadImage (constitute.c:441)
==10598==    by 0x5292BC3: ConvertImageCommand (convert.c:565)
==10598==    by 0x400F73: main (convert.c:122)
$

AFTER

$ valgrind -q --leak-check=full convert memory-leak_output_art_ReadOnePNGImage output.art
gamma = (3846543/100000)
convert: Ignoring incorrect gAMA value when sRGB is also present `memory-leak_output_art_ReadOnePNGImage'.
convert: Invalid cHRM white point `memory-leak_output_art_ReadOnePNGImage'.
convert: Ignoring bad adaptive filter type `memory-leak_output_art_ReadOnePNGImage'.
convert: incorrect data check `memory-leak_output_art_ReadOnePNGImage'.
convert: missing an image filename `output.art'.
==10717== 
==10717== 192 bytes in 1 blocks are definitely lost in loss record 2 of 2
==10717==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==10717==    by 0x9F17215: ???
==10717==    by 0x9F17F0D: ???
==10717==    by 0x4E94D87: ReadImage (constitute.c:441)
==10717==    by 0x5292BC3: ConvertImageCommand (convert.c:565)
==10717==    by 0x400F73: main (convert.c:122)
$
Comment 8 Petr Gajdos 2018-01-16 11:09:24 UTC 
42.x/GraphicsMagick

BEFORE

$ valgrind -q --leak-check=full gm convert memory-leak_output_art_ReadOnePNGImage output.art
gm convert: bad adaptive filter value (memory-leak_output_art_ReadOnePNGImage).
$

AFTER

$ valgrind -q --leak-check=full gm convert memory-leak_output_art_ReadOnePNGImage output.art
gm convert: bad adaptive filter value (memory-leak_output_art_ReadOnePNGImage).
$

Considering not affected.
Comment 11 Petr Gajdos 2018-01-19 12:20:05 UTC 
11/GraphicsMagick

BEFORE

$ valgrind -q --leak-check=full gm convert memory-leak_output_art_ReadOnePNGImage output.art
gamma = (3846543/100000)
gm convert: incorrect data check (memory-leak_output_art_ReadOnePNGImage).
==22810== 
==22810== 192 bytes in 1 blocks are definitely lost in loss record 2 of 2
==22810==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==22810==    by 0x8236B01: ???
==22810==    by 0x8238546: ???
==22810==    by 0x4EA01CC: ReadImage (constitute.c:6000)
==22810==    by 0x4E8CBCF: ConvertImageCommand (command.c:3171)
==22810==    by 0x4E73683: MagickCommand (command.c:7657)
==22810==    by 0x4E737FE: GMCommand (command.c:15277)
==22810==    by 0x76E2585: (below main) (in /lib64/libc-2.9.so)
$

AFTER

$ valgrind -q --leak-check=full gm convert memory-leak_output_art_ReadOnePNGImage output.art
gamma = (3846543/100000)
gm convert: incorrect data check (memory-leak_output_art_ReadOnePNGImage).
$
Comment 12 Petr Gajdos 2018-01-22 11:40:05 UTC 
Submitted for: 12/ImageMagick, 11/ImageMagick and 11/GraphicsMagick
Comment 14 Petr Gajdos 2018-01-22 12:24:42 UTC 
I believe all fixed.
Comment 17 Swamp Workflow Management 2018-02-02 14:09:02 UTC 
SUSE-SU-2018:0349-1: An update that fixes 34 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1050037,1050072,1050098,1050100,1050635,1051442,1052470,1052708,1052717,1052721,1052768,1052777,1052781,1054600,1055068,1055374,1055455,1055456,1057000,1060162,1062752,1072362,1072901,1074120,1074125,1074185,1074309,1075939,1076021,1076051
CVE References: CVE-2017-10995,CVE-2017-11505,CVE-2017-11525,CVE-2017-11526,CVE-2017-11539,CVE-2017-11639,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12671,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13059,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14649,CVE-2017-15218,CVE-2017-17504,CVE-2017-17681,CVE-2017-17879,CVE-2017-17884,CVE-2017-17914,CVE-2017-18008,CVE-2017-18027,CVE-2017-18029,CVE-2017-9261,CVE-2017-9262,CVE-2018-5246,CVE-2018-5685
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
Comment 18 Swamp Workflow Management 2018-02-02 14:14:49 UTC 
SUSE-SU-2018:0350-1: An update that solves 30 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1050037,1050072,1050098,1050100,1050635,1051442,1052470,1052708,1052717,1052721,1052768,1052777,1052781,1054600,1055374,1055455,1055456,1057000,1060162,1062752,1072362,1074120,1074125,1074185,1074309,1075939,1076021,1076051
CVE References: CVE-2017-10995,CVE-2017-11505,CVE-2017-11525,CVE-2017-11526,CVE-2017-11539,CVE-2017-11639,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12671,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14649,CVE-2017-15218,CVE-2017-17504,CVE-2017-17879,CVE-2017-17884,CVE-2017-17914,CVE-2017-18027,CVE-2017-18029,CVE-2017-9261,CVE-2017-9262,CVE-2018-5685
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.29.2
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.29.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.29.2
Comment 19 Swamp Workflow Management 2018-02-08 11:12:52 UTC 
openSUSE-SU-2018:0396-1: An update that fixes 34 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1050037,1050072,1050098,1050100,1050635,1051442,1052470,1052708,1052717,1052721,1052768,1052777,1052781,1054600,1055068,1055374,1055455,1055456,1057000,1060162,1062752,1072362,1072901,1074120,1074125,1074185,1074309,1075939,1076021,1076051
CVE References: CVE-2017-10995,CVE-2017-11505,CVE-2017-11525,CVE-2017-11526,CVE-2017-11539,CVE-2017-11639,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12671,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13059,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14649,CVE-2017-15218,CVE-2017-17504,CVE-2017-17681,CVE-2017-17879,CVE-2017-17884,CVE-2017-17914,CVE-2017-18008,CVE-2017-18027,CVE-2017-18029,CVE-2017-9261,CVE-2017-9262,CVE-2018-5246,CVE-2018-5685
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-52.1
Comment 20 Marcus Meissner 2018-02-09 15:49:30 UTC 
released
Comment 21 Swamp Workflow Management 2018-02-09 20:09:26 UTC 
SUSE-SU-2018:0413-1: An update that fixes 34 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1047910,1050037,1050072,1050100,1051442,1052470,1052708,1052717,1052768,1052777,1052781,1054600,1055038,1055374,1055455,1055456,1057000,1060162,1062752,1067198,1073690,1074023,1074120,1074125,1074175,1075939
CVE References: CVE-2014-9811,CVE-2017-10995,CVE-2017-11102,CVE-2017-11505,CVE-2017-11526,CVE-2017-11539,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13065,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14174,CVE-2017-14649,CVE-2017-15218,CVE-2017-15238,CVE-2017-16669,CVE-2017-17501,CVE-2017-17504,CVE-2017-17782,CVE-2017-17879,CVE-2017-17884,CVE-2017-17915,CVE-2017-8352,CVE-2017-9261,CVE-2017-9262,CVE-2018-5685
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.78.33.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.33.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.33.1
First Last Prev Next    This bug is not in your last search results.