Bugzilla – Bug 1052249
VUL-2: CVE-2017-12428: GraphicsMagick, ImageMagick: Memory leak in ReadWMFImage in coders/wmf.c, which allows attackers to cause DoS
Last modified: 2020-07-26 22:03:17 UTC
Created attachment 735279
Reproducer CVE-2017-12428

In ImageMagick 7.0.6-1, a memory leak vulnerability was found in the function ReadWMFImage in coders/wmf.c, which allows attackers to cause a denial of service in CloneDrawInfo in draw.c.

valgrind --leak-check=full identify memory_leak_in_CloneDrawInfo

Reproducer doesn't trigger, vulnerable code is present.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12428
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12428
https://github.com/ImageMagick/ImageMagick/issues/544
leaks only DrawInfo, a fixed size struct. defer.
ImageMagick
-----------

BEFORE

12
$ valgrind -q --leak-check=full identify memory_leak_in_CloneDrawInfo
identify: failed to scan file `memory_leak_in_CloneDrawInfo' @ error/wmf.c/ReadWMFImage/2705.
==26431== 720 bytes in 1 blocks are definitely lost in loss record 10 of 10
==26431==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26431==    by 0x4EFC5B7: CloneDrawInfo (draw.c:252)
==26431==    by 0x841B239: ???
==26431==    by 0x4EBF2BA: ReadImage (constitute.c:601)
==26431==    by 0x4FD0B68: ReadStream (stream.c:974)
==26431==    by 0x4EBEE00: PingImage (constitute.c:278)
==26431==    by 0x4EBF03A: PingImages (constitute.c:373)
==26431==    by 0x535852B: IdentifyImageCommand (identify.c:322)
==26431==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==26431==    by 0x400971: IdentifyMain (identify.c:80)
==26431==    by 0x400971: main (identify.c:93)
==26431==
$

11
$ valgrind -q --leak-check=full identify memory_leak_in_CloneDrawInfo
identify: Failed to scan file `memory_leak_in_CloneDrawInfo'.
$

11 not affected: there is no ddata->draw_info and there's (another) CloneDrawInfo() matched by DestroyDrawInfo() on local variable.

PATCH
https://github.com/ImageMagick/ImageMagick/commit/f37d26336bf13737db45e556c25fc098f8a8b277 + former commits

AFTER

12
$ valgrind -q --leak-check=full identify memory_leak_in_CloneDrawInfo
identify: failed to scan file `memory_leak_in_CloneDrawInfo' @ error/wmf.c/ReadWMFImage/2725.
$

GraphicsMagick
--------------

BEFORE

42.3, 42.2
$ valgrind -q --leak-check=full gm identify memory_leak_in_CloneDrawInfo
gm identify: Failed to scan file (memory_leak_in_CloneDrawInfo).
gm identify: Request did not return an image.
$

CloneDrawInfo() appears to be always followed by ipa_device_close(API)->DestroyDrawInfo().

11
Not affected for the same reason as 11/ImageMagick.

Summary: Only 12/ImageMagick affected.
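The triage above decides "affected" or "fixed" by reading memcheck's "definitely lost" records and the frame directly below malloc. The script below is an added example (not code from the bug report, ImageMagick or SUSE) that turns that manual reading into a check suitable for a build or regression job; the sample log lines are constructed from the shape of the BEFORE run above, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: gate on valgrind memcheck "definitely lost" records and name
# the function that called the allocator (the place a leak fix belongs).

# Constructed sample: shape of the BEFORE run from the report (not a real capture).
VG_SAMPLE_BEFORE='==26431== 720 bytes in 1 blocks are definitely lost in loss record 10 of 10
==26431==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26431==    by 0x4EFC5B7: CloneDrawInfo (draw.c:252)
==26431==    by 0x4EBF2BA: ReadImage (constitute.c:601)'

# Constructed sample: shape of the AFTER run, where memcheck prints no leak record.
VG_SAMPLE_AFTER="identify: failed to scan file \`memory_leak_in_CloneDrawInfo' @ error/wmf.c/ReadWMFImage/2725."

# Sum the bytes of every "definitely lost" record in a memcheck log on stdin.
# Prints 0 when there is no such record.
definitely_lost_bytes() {
    awk '/definitely lost in loss record/ { s += $2 } END { print s + 0 }'
}

# For each lost record, print the first frame below the allocator ("at" line),
# i.e. the function that owns the leaked allocation.
leak_origin() {
    awk '/definitely lost in loss record/ { want = 2 }
         want && /^==[0-9]+== +(at|by) / { want--; if (want == 0) print $4 }'
}

# Exit 0 when the log on stdin shows no definite leak, 1 otherwise.
# Usage: valgrind -q --leak-check=full identify FILE 2>&1 | leak_check_passes
leak_check_passes() {
    [ "$(definitely_lost_bytes)" -eq 0 ]
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$VG_SAMPLE_BEFORE" | definitely_lost_bytes   # 720
    printf '%s\n' "$VG_SAMPLE_BEFORE" | leak_origin             # CloneDrawInfo
    printf '%s\n' "$VG_SAMPLE_AFTER"  | definitely_lost_bytes   # 0
fi
```

Pipe the real valgrind run through `leak_check_passes` with `2>&1`, since memcheck writes its report to stderr.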
I believe all fixed.
SUSE-SU-2017:2949-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1049379,1050135,1052249,1052253,1052545,1054924,1055219,1055430,1061873
CVE References: CVE-2016-7530,CVE-2017-11446,CVE-2017-11534,CVE-2017-12428,CVE-2017-12431,CVE-2017-12433,CVE-2017-13133,CVE-2017-13139,CVE-2017-15033

Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Server 12-SP3 (src): ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Server 12-SP2 (src): ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Desktop 12-SP3 (src): ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Desktop 12-SP2 (src): ImageMagick-6.8.8.1-71.12.1
openSUSE-SU-2017:2999-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1049379,1050135,1052249,1052253,1052545,1054924,1055219,1055430,1061873
CVE References: CVE-2016-7530,CVE-2017-11446,CVE-2017-11534,CVE-2017-12428,CVE-2017-12431,CVE-2017-12433,CVE-2017-13133,CVE-2017-13139,CVE-2017-15033

Sources used:
openSUSE Leap 42.3 (src): ImageMagick-6.8.8.1-37.1
openSUSE Leap 42.2 (src): ImageMagick-6.8.8.1-30.9.1
released