Bug 1051847 – VUL-1: CVE-2017-12140: ImageMagick: ReadDCMImage in coders\dcm.c has a ninteger signedness error leading to excessive memory consumption

Bug 1051847 - (CVE-2017-12140) VUL-1: CVE-2017-12140: ImageMagick: ReadDCMImage in coders\dcm.c has a ninteger signedness error leading to excessive memory consumption

(CVE-2017-12140)
Summary:	VUL-1: CVE-2017-12140: ImageMagick: ReadDCMImage in coders\dcm.c has a ninteg...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/189455/
Whiteboard:	CVSSv2:SUSE:CVE-2017-12140:5.0:(AV:N/...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-08-02 11:34 UTC by Johannes Segitz
Modified:	2018-02-09 15:03 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Reproducer (237 bytes, application/dicom) 2017-08-02 11:34 UTC, Johannes Segitz	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Segitz 2017-08-02 11:34:17 UTC

Created attachment 734923 [details]
Reproducer

CVE-2017-12140

The ReadDCMImage function in coders\dcm.c in ImageMagick 7.0.6-1 has an
integer signedness error leading to excessive memory consumption via a
crafted DCM file.

identify memory_exhaustion_in_ReadDCMImage

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12140
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12140

Comment 1 Marcus Meissner 2017-09-29 06:09:00 UTC

https://github.com/ImageMagick/ImageMagick/issues/533

attacker controlled size large memory alloc DoS

Comment 2 Petr Gajdos 2017-12-05 09:09:23 UTC

I do not see 'excessive memory consumption'.

BEFORE

12/ImageMagick:

$ valgrind -q identify memory_exhaustion_in_ReadDCMImage
==5757== Argument 'size' of function malloc has a fishy (possibly negative) value: -1212696710
==5757==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5757==    by 0x84361BA: ReadDCMImage (dcm.c:3076)
==5757==    by 0x4EBFCAA: ReadImage (constitute.c:601)
==5757==    by 0x4FD1578: ReadStream (stream.c:974)
==5757==    by 0x4EBF7F0: PingImage (constitute.c:278)
==5757==    by 0x4EBFA2A: PingImages (constitute.c:373)
==5757==    by 0x535850B: IdentifyImageCommand (identify.c:322)
==5757==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==5757==    by 0x400891: IdentifyMain (identify.c:80)
==5757==    by 0x400891: main (identify.c:93)
==5757==
identify: memory allocation failed `memory_exhaustion_in_ReadDCMImage' @ error/dcm.c/ReadDCMImage/3080.
$

11/ImageMagick:

$ valgrind -q identify memory_exhaustion_in_ReadDCMImage
count=89 quantum=1 length=-1212696711 group=65535
identify: Insufficient image data in file `memory_exhaustion_in_ReadDCMImage'.
$

11/GraphicsMagick:

$ valgrind -q gm identify memory_exhaustion_in_ReadDCMImage
gm identify: Unexpected end-of-file (memory_exhaustion_in_ReadDCMImage).
$

42.3/GraphicsMagick:
$ valgrind -q gm identify memory_exhaustion_in_ReadDCMImage
==5847== Argument 'size' of function malloc has a fishy (possibly negative) value: -1212696710
==5847==    at 0x4C29160: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5847==    by 0x79EA7E7: DCM_ReadElement (dcm.c:3654)
==5847==    by 0x79EBC27: ReadDCMImage (dcm.c:4664)
==5847==    by 0x4EC0EF7: ReadImage (constitute.c:1607)
==5847==    by 0x4EC1D11: PingImage (constitute.c:1370)
==5847==    by 0x4E8DF3C: IdentifyImageCommand (command.c:8375)
==5847==    by 0x4E8F884: MagickCommand (command.c:8865)
==5847==    by 0x4E9099D: GMCommandSingle (command.c:17379)
==5847==    by 0x4EB40AD: GMCommand (command.c:17432)
==5847==    by 0x54426E4: (below main) (in /lib64/libc-2.22.so)
==5847==
gm identify: Memory allocation failed (memory_exhaustion_in_ReadDCMImage).
gm identify: Request did not return an image.
$

home:pgajdos:magick/GraphicsMagick:

$ valgrind -q gm identify memory_exhaustion_in_ReadDCMImage
==11283== Argument 'size' of function malloc has a fishy (possibly negative) value: -1212696710
==11283==    at 0x4C2E08F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==11283==    by 0x4F3FFF0: MagickMalloc (memory.c:156)
==11283==    by 0x4F4012B: MagickMallocArray (memory.c:347)
==11283==    by 0x7AEE852: DCM_ReadElement (dcm.c:3654)
==11283==    by 0x7AF14E2: ReadDCMImage (dcm.c:4672)
==11283==    by 0x4EE393D: ReadImage (constitute.c:1607)
==11283==    by 0x4EE2F69: PingImage (constitute.c:1370)
==11283==    by 0x4EB73D7: IdentifyImageCommand (command.c:8379)
==11283==    by 0x4EB89AE: MagickCommand (command.c:8872)
==11283==    by 0x4ED2695: GMCommandSingle (command.c:17393)
==11283==    by 0x4ED27C9: GMCommand (command.c:17446)
==11283==    by 0x108799: main (gm.c:61)
==11283==
gm identify: Memory allocation failed (memory_exhaustion_in_ReadDCMImage).
gm identify: Request did not return an image.
$

PATCH

ImageMagick:
https://github.com/ImageMagick/ImageMagick/commit/6bf56fbe1fc551f198c3491ed58d56bb5efea23c

GraphicsMagick:
Affected even devel branch, adopting ImageMagick patch and will sent upstream. 11/ImageMagick considering affected also, as the code is there, too.

AFTER

12/ImageMagick:

$ valgrind -q identify memory_exhaustion_in_ReadDCMImage
identify: insufficient image data in file `memory_exhaustion_in_ReadDCMImage' @ error/dcm.c/ReadDCMImage/3075.
$

11/ImageMagick:

$ valgrind -q identify memory_exhaustion_in_ReadDCMImage
identify: Insufficient image data in file `memory_exhaustion_in_ReadDCMImage'.
$

11/GraphicsMagick:

$  valgrind -q gm identify memory_exhaustion_in_ReadDCMImage
gm identify: Insufficient image data in file (memory_exhaustion_in_ReadDCMImage).
$
[no change]

42.3/GraphicsMagick:

$ valgrind -q gm identify memory_exhaustion_in_ReadDCMImage
gm identify: Insufficient image data in file (memory_exhaustion_in_ReadDCMImage).
gm identify: Request did not return an image.
$

home:pgajdos:magick/GraphicsMagick:

$ valgrind -q gm identify memory_exhaustion_in_ReadDCMImage
gm identify: Insufficient image data in file (memory_exhaustion_in_ReadDCMImage).
gm identify: Request did not return an image.
$

Comment 3 Petr Gajdos 2017-12-05 09:10:38 UTC

Will submit for all versions: 11/ImageMagick, 12/ImageMagick, 11/GraphicsMagick, 42.2/GraphicsMagick and 42.3/GraphicsMagick

Comment 4 Petr Gajdos 2017-12-05 09:13:40 UTC

Note this CVE has a followup: CVE-2017-12644, bug 1052764.

Comment 5 Petr Gajdos 2017-12-06 09:50:56 UTC

I believe all fixed.

Comment 7 Bernhard Wiedemann 2017-12-06 11:50:09 UTC

This is an autogenerated message for OBS integration:
This bug (1051847) was mentioned in
https://build.opensuse.org/request/show/554772 42.3 / GraphicsMagick
https://build.opensuse.org/request/show/554773 42.2 / GraphicsMagick

Comment 8 Swamp Workflow Management 2017-12-12 17:10:02 UTC

openSUSE-SU-2017:3270-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1047054,1051847,1052758,1052764,1060577,1061587
CVE References: CVE-2017-10799,CVE-2017-12140,CVE-2017-12644,CVE-2017-12662,CVE-2017-14733,CVE-2017-14994
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-47.1
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-11.48.1

Comment 9 Swamp Workflow Management 2017-12-20 17:10:33 UTC

SUSE-SU-2017:3378-1: An update that fixes 26 vulnerabilities is now available.

Category: security (important)
Bug References: 1048457,1049796,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052758,1052764,1054757,1055214,1056432,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060577,1066003,1067181,1067184
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14733,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.14.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.14.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.14.1

Comment 10 Swamp Workflow Management 2017-12-20 17:37:37 UTC

SUSE-SU-2017:3388-1: An update that solves 32 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1048457,1049796,1050083,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052744,1052758,1052764,1054757,1055214,1056432,1057157,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060176,1060577,1061254,1062750,1066003,1067181,1067184,1067409
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11523,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14138,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14682,CVE-2017-14733,CVE-2017-14989,CVE-2017-15217,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1

Comment 11 Swamp Workflow Management 2017-12-22 20:13:13 UTC

openSUSE-SU-2017:3420-1: An update that solves 32 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1048457,1049796,1050083,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052744,1052758,1052764,1054757,1055214,1056432,1057157,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060176,1060577,1061254,1062750,1066003,1067181,1067184,1067409
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11523,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14138,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14682,CVE-2017-14733,CVE-2017-14989,CVE-2017-15217,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-40.1
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-30.12.1

Comment 12 Swamp Workflow Management 2018-01-24 20:12:35 UTC

SUSE-SU-2018:0197-1: An update that fixes 23 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047044,1047054,1048457,1049373,1050129,1051412,1051847,1052252,1052460,1052758,1052764,1052771,1055063,1056550,1057723,1058082,1058422,1060577,1061587,1063050,1067177,1074969,1074975
CVE References: CVE-2017-10799,CVE-2017-10800,CVE-2017-11188,CVE-2017-11449,CVE-2017-11532,CVE-2017-12140,CVE-2017-12430,CVE-2017-12563,CVE-2017-12642,CVE-2017-12644,CVE-2017-12662,CVE-2017-12691,CVE-2017-13061,CVE-2017-14042,CVE-2017-14174,CVE-2017-14249,CVE-2017-14343,CVE-2017-14733,CVE-2017-14994,CVE-2017-15277,CVE-2017-16547,CVE-2017-18022,CVE-2018-5247
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.78.28.2
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.28.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.28.2

Comment 13 Marcus Meissner 2018-02-09 15:03:28 UTC

released