Bug 1052553 – VUL-1: CVE-2017-12435: GraphicsMagick, ImageMagick: Memory exhaustion in ReadSUNImage in coders/sun.c, which allows attackers to cause DoS

Bug 1052553 - (CVE-2017-12435) VUL-1: CVE-2017-12435: GraphicsMagick, ImageMagick: Memory exhaustion in ReadSUNImage in coders/sun.c, which allows attackers to cause DoS

(CVE-2017-12435)
Summary:	VUL-1: CVE-2017-12435: GraphicsMagick, ImageMagick: Memory exhaustion in Read...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/189609/
Whiteboard:	CVSSv2:SUSE:CVE-2017-12435:7.8:(AV:N/...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-08-07 10:47 UTC by Johannes Segitz
Modified:	2020-06-08 15:09 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Reproducer (32 bytes, image/x-sun-raster) 2017-08-07 10:47 UTC, Johannes Segitz	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Segitz 2017-08-07 10:47:10 UTC

Created attachment 735492 [details]
Reproducer

CVE-2017-12435

In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in the
function ReadSUNImage in coders/sun.c, which allows attackers to cause a denial
of service.

identify memory_exhaustion_in_ReadSUNImage

VUL-0 because this makes my system unresponsive in a matter of seconds. Please include in already requested update

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12435
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-12435.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12435
https://github.com/ImageMagick/ImageMagick/issues/543

Comment 1 Petr Gajdos 2017-11-01 11:56:56 UTC

I cannot reproduce the memory exhaustion.

BEFORE

ImageMagick
-----------

12

$ identify memory_exhaustion_in_ReadSUNImage
052553: unexpected end-of-file `memory_exhaustion_in_ReadSUNImage' @ error/sun.c/ReadSUNImage/395.
$

(exits in a second)

11

$ identify memory_exhaustion_in_ReadSUNImage                 
identify: unable to read image data `memory_exhaustion_in_ReadSUNImage'.
$

GraphicsMagick
--------------

42.3, 42.2, 11
$  gm identify memory_exhaustion_in_ReadSUNImage 
gm identify: Improper image header (memory_exhaustion_in_ReadSUNImage).
$

Anyway, I think it is subject of bug #1057508.


PATCH

https://github.com/ImageMagick/ImageMagick/commit/44cb8dfd4cbe6fc475c863a5946cff64e34c2088

AFTER

ImageMagick
-----------

11,12

$ identify memory_exhaustion_in_ReadSUNImage 
identify: Insufficient image data in file `memory_exhaustion_in_ReadSUNImage'.
$

Comment 2 Petr Gajdos 2017-11-01 13:12:39 UTC

(In reply to Petr Gajdos from comment #1)
> 42.3, 42.2, 11
> $  gm identify memory_exhaustion_in_ReadSUNImage 
> gm identify: Improper image header (memory_exhaustion_in_ReadSUNImage).
> $

And following check on invalid maplength seem to be sufficient:

    if ((sun_info.magic | sun_info.width | sun_info.height | sun_info.depth |
         sun_info.type | sun_info.maptype | sun_info.maplength) & (1U << 31))
      ThrowReaderException(CorruptImageError,ImproperImageHeader,image);

Comment 3 Petr Gajdos 2017-11-03 09:14:28 UTC

I believe all fixed.

Comment 6 Swamp Workflow Management 2017-12-20 17:10:48 UTC

SUSE-SU-2017:3378-1: An update that fixes 26 vulnerabilities is now available.

Category: security (important)
Bug References: 1048457,1049796,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052758,1052764,1054757,1055214,1056432,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060577,1066003,1067181,1067184
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14733,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.14.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.14.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.14.1

Comment 7 Swamp Workflow Management 2017-12-20 17:37:51 UTC

SUSE-SU-2017:3388-1: An update that solves 32 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1048457,1049796,1050083,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052744,1052758,1052764,1054757,1055214,1056432,1057157,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060176,1060577,1061254,1062750,1066003,1067181,1067184,1067409
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11523,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14138,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14682,CVE-2017-14733,CVE-2017-14989,CVE-2017-15217,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1

Comment 8 Swamp Workflow Management 2017-12-22 20:13:27 UTC

openSUSE-SU-2017:3420-1: An update that solves 32 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1048457,1049796,1050083,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052744,1052758,1052764,1054757,1055214,1056432,1057157,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060176,1060577,1061254,1062750,1066003,1067181,1067184,1067409
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11523,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14138,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14682,CVE-2017-14733,CVE-2017-14989,CVE-2017-15217,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-40.1
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-30.12.1

Comment 9 Marcus Meissner 2018-02-09 15:31:52 UTC

released