Bugzilla – Bug 1052252
VUL-1: CVE-2017-12430: GraphicsMagick, ImageMagick: Memory exhaustion in ReadMPCImage in coders/mpc.c, which allows attackers to cause DoS
Last modified: 2018-02-09 15:23:02 UTC
Created attachment 735283 [details] Reproducer CVE-2017-12430 In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in the function ReadMPCImage in coders/mpc.c, which allows attackers to cause a denial of service. Touches the same file as bnc#1052251 and touches the fix for this bug. Should be considered together valgrind --leak-check=full --show-leak-kinds=all identify memory_exhaustion_in_ReadMPCImage References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12430 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12430
https://github.com/ImageMagick/ImageMagick/issues/546 big attacker controlled memory allocation OOM DoS
(In reply to Johannes Segitz from comment #0) > valgrind --leak-check=full --show-leak-kinds=all identify > memory_exhaustion_in_ReadMPCImage These are leaks connected to loading modules, I guess this is not the leaks referred in the bug. You will get these errors even with: $ valgrind -q --leak-check=full --show-leak-kinds=all identify [...] ==15937== 7 bytes in 1 blocks are still reachable in loss record 1 of 8 ==15937== at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==15937== by 0x6C58D48: lt__malloc (in /usr/lib64/libltdl.so.7.3.0) ==15937== by 0x6C5ABD6: ??? (in /usr/lib64/libltdl.so.7.3.0) ==15937== by 0x6C5B8F1: lt_dlopenadvise (in /usr/lib64/libltdl.so.7.3.0) ==15937== by 0x6C58C87: lt_dlpreload_open (in /usr/lib64/libltdl.so.7.3.0) ==15937== by 0x4F5E9CB: InitializeModuleList (module.c:899) ==15937== by 0x4F5F271: ModuleComponentGenesis (module.c:1174) ==15937== by 0x4F5A8C9: MagickCoreGenesis (magick.c:1369) ==15937== by 0x40085D: IdentifyMain (identify.c:76) ==15937== by 0x40085D: main (identify.c:93) [...] $
I cannot exhibit the problem nowhere with valgrind. BEFORE 11,12/ImageMagick $ valgrind -q --leak-check=full identify memory_exhaustion_in_ReadMPCImage identify: insufficient image data in file `memory_exhaustion_in_ReadMPCImage' @ error/mpc.c/ReadMPCImage/868. $ [fails on line 868] 11/GraphicsMagick $ valgrind -q --leak-check=full gm identify memory_exhaustion_in_ReadMPCImage gm identify: Unexpected end-of-file (memory_exhaustion_in_ReadMPCImage). $ [returns after several secs, cpu 100% during that time] 42.3/GraphicsMagick $ valgrind -q --leak-check=full gm identify memory_exhaustion_in_ReadMPCImage gm identify: Memory allocation failed (memory_exhaustion_in_ReadMPCImage). gm identify: Request did not return an image. $ I have no proof 42.3,42.2/GraphicsMagick are affected, so for upstream version, as AllocateImageColormap() checks value of colors against MaxColormapSize. And the testcase fails sooner than it comes to colormap=MagickAllocateMemory(). Assuming not vulnerable. PATCH https://github.com/ImageMagick/ImageMagick/commit/98e5d0001cda195da0e8ea7650ab85c6f8333ff5 https://github.com/ImageMagick/ImageMagick/commit/f19ccf2548f0c4dd75d72b478504dd0178dc38cf For 11/GraphicsMagick, I will add the check against MaxColormapSize, too. AFTER 11,12/ImageMagick $ valgrind -q --leak-check=full identify memory_exhaustion_in_ReadMPCImage identify: insufficient image data in file `memory_exhaustion_in_ReadMPCImage' @ error/mpc.c/ReadMPCImage/851. $ [fails sooner, on line 851] 11/GraphicsMagick $ valgrind -q --leak-check=full gm identify memory_exhaustion_in_ReadMPCImage gm identify: Insufficient image data in file (memory_exhaustion_in_ReadMPCImage). $ [fails sooner and quicklier]
I believe all fixed.
SUSE-SU-2018:0055-1: An update that fixes 10 vulnerabilities is now available. Category: security (moderate) Bug References: 1042948,1049373,1051412,1052252,1052771,1058082,1072902,1074122,1074425,1074610 CVE References: CVE-2017-1000445,CVE-2017-1000476,CVE-2017-11449,CVE-2017-11751,CVE-2017-12430,CVE-2017-12642,CVE-2017-14249,CVE-2017-17680,CVE-2017-17882,CVE-2017-9409 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP3 (src): ImageMagick-6.8.8.1-71.23.1 SUSE Linux Enterprise Workstation Extension 12-SP2 (src): ImageMagick-6.8.8.1-71.23.1 SUSE Linux Enterprise Software Development Kit 12-SP3 (src): ImageMagick-6.8.8.1-71.23.1 SUSE Linux Enterprise Software Development Kit 12-SP2 (src): ImageMagick-6.8.8.1-71.23.1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): ImageMagick-6.8.8.1-71.23.1 SUSE Linux Enterprise Server 12-SP3 (src): ImageMagick-6.8.8.1-71.23.1 SUSE Linux Enterprise Server 12-SP2 (src): ImageMagick-6.8.8.1-71.23.1 SUSE Linux Enterprise Desktop 12-SP3 (src): ImageMagick-6.8.8.1-71.23.1 SUSE Linux Enterprise Desktop 12-SP2 (src): ImageMagick-6.8.8.1-71.23.1
openSUSE-SU-2018:0092-1: An update that fixes 10 vulnerabilities is now available. Category: security (moderate) Bug References: 1042948,1049373,1051412,1052252,1052771,1058082,1072902,1074122,1074425,1074610 CVE References: CVE-2017-1000445,CVE-2017-1000476,CVE-2017-11449,CVE-2017-11751,CVE-2017-12430,CVE-2017-12642,CVE-2017-14249,CVE-2017-17680,CVE-2017-17882,CVE-2017-9409 Sources used: openSUSE Leap 42.3 (src): ImageMagick-6.8.8.1-46.1 openSUSE Leap 42.2 (src): ImageMagick-6.8.8.1-30.18.1
SUSE-SU-2018:0132-1: An update that fixes 31 vulnerabilities is now available. Category: security (moderate) Bug References: 1042948,1047044,1047898,1049373,1050120,1050606,1051412,1051446,1052252,1052468,1052550,1052710,1052720,1052731,1052732,1052771,1055065,1055323,1055434,1055855,1058082,1058640,1059751,1072902,1074122,1074123,1074425,1074610,1074969,1074973,1074975 CVE References: CVE-2017-1000445,CVE-2017-1000476,CVE-2017-10800,CVE-2017-11141,CVE-2017-11449,CVE-2017-11529,CVE-2017-11644,CVE-2017-11724,CVE-2017-11751,CVE-2017-12430,CVE-2017-12434,CVE-2017-12564,CVE-2017-12642,CVE-2017-12667,CVE-2017-12670,CVE-2017-12672,CVE-2017-12675,CVE-2017-13060,CVE-2017-13146,CVE-2017-13648,CVE-2017-13658,CVE-2017-14249,CVE-2017-14326,CVE-2017-14533,CVE-2017-17680,CVE-2017-17881,CVE-2017-17882,CVE-2017-18022,CVE-2017-9409,CVE-2018-5246,CVE-2018-5247 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ImageMagick-6.4.3.6-7.78.22.1 SUSE Linux Enterprise Server 11-SP4 (src): ImageMagick-6.4.3.6-7.78.22.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): ImageMagick-6.4.3.6-7.78.22.1
SUSE-SU-2018:0197-1: An update that fixes 23 vulnerabilities is now available. Category: security (moderate) Bug References: 1047044,1047054,1048457,1049373,1050129,1051412,1051847,1052252,1052460,1052758,1052764,1052771,1055063,1056550,1057723,1058082,1058422,1060577,1061587,1063050,1067177,1074969,1074975 CVE References: CVE-2017-10799,CVE-2017-10800,CVE-2017-11188,CVE-2017-11449,CVE-2017-11532,CVE-2017-12140,CVE-2017-12430,CVE-2017-12563,CVE-2017-12642,CVE-2017-12644,CVE-2017-12662,CVE-2017-12691,CVE-2017-13061,CVE-2017-14042,CVE-2017-14174,CVE-2017-14249,CVE-2017-14343,CVE-2017-14733,CVE-2017-14994,CVE-2017-15277,CVE-2017-16547,CVE-2017-18022,CVE-2018-5247 Sources used: SUSE Studio Onsite 1.3 (src): GraphicsMagick-1.2.5-4.78.28.2 SUSE Linux Enterprise Software Development Kit 11-SP4 (src): GraphicsMagick-1.2.5-4.78.28.2 SUSE Linux Enterprise Debuginfo 11-SP4 (src): GraphicsMagick-1.2.5-4.78.28.2
released