Bug 1052777 – VUL-1: CVE-2017-12641: GraphicsMagick, ImageMagick: Memory leak in ReadOneJNGImage in coders\png.c

Bug 1052777 - (CVE-2017-12641) VUL-1: CVE-2017-12641: GraphicsMagick, ImageMagick: Memory leak in ReadOneJNGImage in coders\png.c

(CVE-2017-12641)
Summary:	VUL-1: CVE-2017-12641: GraphicsMagick, ImageMagick: Memory leak in ReadOneJNG...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/189732/
Whiteboard:	CVSSv2:SUSE:CVE-2017-12641:5.0:(AV:N/...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-08-08 12:41 UTC by Johannes Segitz
Modified:	2018-02-12 08:21 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Reproducer (625 bytes, application/octet-stream) 2017-08-08 12:41 UTC, Johannes Segitz	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Segitz 2017-08-08 12:41:33 UTC

Created attachment 735707 [details]
Reproducer

CVE-2017-12641

ImageMagick 7.0.6-1 has a memory leak vulnerability in ReadOneJNGImage in
coders\png.c.

valgrind identify leak-ReadOneJNGImage
failing assert on SLE 11 IM, memory leak for IM on SLE 12 and GM on SLE 11

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12641
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-12641.html
https://github.com/ImageMagick/ImageMagick/commit/3320955045e5a2a22c13a04fa9422bb809e75eda
https://github.com/ImageMagick/ImageMagick/issues/550

Comment 1 Marcus Meissner 2017-09-27 11:32:14 UTC

image sized leak

Comment 2 Petr Gajdos 2018-01-10 10:52:46 UTC

https://github.com/ImageMagick/ImageMagick/commit/3320955045e5a2a22c13a04fa9422bb809e75eda

comment from Bastien
https://github.com/ImageMagick/ImageMagick/commit/982d89a952e7d6840ec7851c364f489a50d805b7

Comment 3 Petr Gajdos 2018-01-10 10:54:05 UTC

Well the comment is
"
Hi, I suppose 982d89a#diff-06e0c72bb0a365a2fa4145b89e0a750a is also needed
"

Comment 4 Petr Gajdos 2018-01-15 07:04:11 UTC

12/ImageMagick

BEFORE

$ valgrind -q --leak-check=full identify leak-ReadOneJNGImage
identify: corrupt image `leak-ReadOneJNGImage' @ error/png.c/ReadOneJNGImage/4248.
==4173== 16,792 bytes in 1 blocks are definitely lost in loss record 22 of 23
==4173==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==4173==    by 0x841E5B1: ???
==4173==    by 0x841FDF5: ???
==4173==    by 0x4EBFE1A: ReadImage (constitute.c:601)
==4173==    by 0x4FD1658: ReadStream (stream.c:974)
==4173==    by 0x4EBF960: PingImage (constitute.c:278)
==4173==    by 0x4EBFB9A: PingImages (constitute.c:373)
==4173==    by 0x535850B: IdentifyImageCommand (identify.c:322)
==4173==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==4173==    by 0x400891: IdentifyMain (identify.c:80)
==4173==    by 0x400891: main (identify.c:93)
==4173== 
==4173== 23,240 (13,232 direct, 10,008 indirect) bytes in 1 blocks are definitely lost in loss record 23 of 23
==4173==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==4173==    by 0x4F4C9AC: AcquireImage (image.c:164)
==4173==    by 0x841E5D4: ???
==4173==    by 0x841FDF5: ???
==4173==    by 0x4EBFE1A: ReadImage (constitute.c:601)
==4173==    by 0x4FD1658: ReadStream (stream.c:974)
==4173==    by 0x4EBF960: PingImage (constitute.c:278)
==4173==    by 0x4EBFB9A: PingImages (constitute.c:373)
==4173==    by 0x535850B: IdentifyImageCommand (identify.c:322)
==4173==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==4173==    by 0x400891: IdentifyMain (identify.c:80)
==4173==    by 0x400891: main (identify.c:93)
==4173== 
$

AFTER

$ valgrind -q --leak-check=full identify leak-ReadOneJNGImage
identify: corrupt image `leak-ReadOneJNGImage' @ error/png.c/ReadOneJNGImage/4298.
$

Comment 8 Petr Gajdos 2018-01-16 08:58:08 UTC

11/ImageMagick

BEFORE

$ identify leak-ReadOneJNGImage 
identify: magick/blob.c:3766: WriteBlob: Assertion `image != (Image *) ((void *)0)' failed.
Aborted (core dumped)
$

AFTER

$ identify leak-ReadOneJNGImage 
identify: Corrupt image `leak-ReadOneJNGImage'.
$

Comment 10 Petr Gajdos 2018-01-16 11:35:04 UTC

42.x/GraphicsMagick

BEFORE

$ valgrind -q --leak-check=full gm identify leak-ReadOneJNGImage
gm identify: Corrupt image (leak-ReadOneJNGImage).
gm identify: Request did not return an image.
==2046== 13,136 (6,864 direct, 6,272 indirect) bytes in 1 blocks are definitely lost in loss record 23 of 23
==2046==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2046==    by 0x4EEEE56: AllocateImage (image.c:336)
==2046==    by 0x79D9FAF: ???
==2046==    by 0x79DBB2D: ???
==2046==    by 0x4EBEB77: ReadImage (constitute.c:1607)
==2046==    by 0x4EBF991: PingImage (constitute.c:1370)
==2046==    by 0x4E8DF3C: IdentifyImageCommand (command.c:8375)
==2046==    by 0x4E8F884: MagickCommand (command.c:8868)
==2046==    by 0x4E9099D: GMCommandSingle (command.c:17376)
==2046==    by 0x4EB1D2D: GMCommand (command.c:17429)
==2046==    by 0x54406E4: (below main) (in /lib64/libc-2.22.so)
==2046== 
$

AFTER

$ valgrind -q --leak-check=full gm identify leak-ReadOneJNGImage
gm identify: Improper image header (leak-ReadOneJNGImage).
gm identify: Request did not return an image.
$

Comment 12 Swamp Workflow Management 2018-01-16 14:30:29 UTC

This is an autogenerated message for OBS integration:
This bug (1052777) was mentioned in
https://build.opensuse.org/request/show/566430 42.3 / GraphicsMagick

Comment 13 Swamp Workflow Management 2018-01-16 15:10:29 UTC

This is an autogenerated message for OBS integration:
This bug (1052777) was mentioned in
https://build.opensuse.org/request/show/566436 42.2 / GraphicsMagick

Comment 14 Petr Gajdos 2018-01-19 16:59:49 UTC

11/GraphicsMagick

BEFORE

$ valgrind -q --leak-check=full gm identify leak-ReadOneJNGImage
gm identify: Corrupt image (leak-ReadOneJNGImage).
==27108== 
==27108== 11,256 (6,840 direct, 4,416 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 5
==27108==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==27108==    by 0x4EEBEA6: AllocateImage (image.c:258)
==27108==    by 0x802C719: ???
==27108==    by 0x802DEB3: ???
==27108==    by 0x4EA01CC: ReadImage (constitute.c:6000)
==27108==    by 0x4EFC39D: ReadStream (pixel_cache.c:3653)
==27108==    by 0x4EA0FA8: PingImage (constitute.c:5770)
==27108==    by 0x4E86A87: IdentifyImageCommand (command.c:7204)
==27108==    by 0x4E73683: MagickCommand (command.c:7657)
==27108==    by 0x4E737FE: GMCommand (command.c:15277)
==27108==    by 0x76E2585: (below main) (in /lib64/libc-2.9.so)
$

AFTER

$ valgrind -q --leak-check=full gm identify leak-ReadOneJNGImage
gm identify: Improper image header (leak-ReadOneJNGImage).
$

Comment 15 Petr Gajdos 2018-01-22 11:50:54 UTC

Submitted for: 12/ImageMagick, 11/ImageMagick, 11/GraphicsMagick and 42.x/GraphicsMagick

Comment 17 Petr Gajdos 2018-01-22 12:24:45 UTC

I believe all fixed.

Comment 18 Swamp Workflow Management 2018-01-25 20:09:01 UTC

openSUSE-SU-2018:0218-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1051442,1052708,1052717,1052777,1054600,1055374,1055455,1057000,1062752
CVE References: CVE-2017-11750,CVE-2017-12641,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-15218,CVE-2017-9261,CVE-2017-9262
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-60.1
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-11.63.1

Comment 19 Swamp Workflow Management 2018-02-02 14:10:51 UTC

SUSE-SU-2018:0349-1: An update that fixes 34 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1050037,1050072,1050098,1050100,1050635,1051442,1052470,1052708,1052717,1052721,1052768,1052777,1052781,1054600,1055068,1055374,1055455,1055456,1057000,1060162,1062752,1072362,1072901,1074120,1074125,1074185,1074309,1075939,1076021,1076051
CVE References: CVE-2017-10995,CVE-2017-11505,CVE-2017-11525,CVE-2017-11526,CVE-2017-11539,CVE-2017-11639,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12671,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13059,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14649,CVE-2017-15218,CVE-2017-17504,CVE-2017-17681,CVE-2017-17879,CVE-2017-17884,CVE-2017-17914,CVE-2017-18008,CVE-2017-18027,CVE-2017-18029,CVE-2017-9261,CVE-2017-9262,CVE-2018-5246,CVE-2018-5685
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1

Comment 20 Swamp Workflow Management 2018-02-02 14:16:20 UTC

SUSE-SU-2018:0350-1: An update that solves 30 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1050037,1050072,1050098,1050100,1050635,1051442,1052470,1052708,1052717,1052721,1052768,1052777,1052781,1054600,1055374,1055455,1055456,1057000,1060162,1062752,1072362,1074120,1074125,1074185,1074309,1075939,1076021,1076051
CVE References: CVE-2017-10995,CVE-2017-11505,CVE-2017-11525,CVE-2017-11526,CVE-2017-11539,CVE-2017-11639,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12671,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14649,CVE-2017-15218,CVE-2017-17504,CVE-2017-17879,CVE-2017-17884,CVE-2017-17914,CVE-2017-18027,CVE-2017-18029,CVE-2017-9261,CVE-2017-9262,CVE-2018-5685
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.29.2
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.29.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.29.2

Comment 21 Swamp Workflow Management 2018-02-08 11:14:36 UTC

openSUSE-SU-2018:0396-1: An update that fixes 34 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1050037,1050072,1050098,1050100,1050635,1051442,1052470,1052708,1052717,1052721,1052768,1052777,1052781,1054600,1055068,1055374,1055455,1055456,1057000,1060162,1062752,1072362,1072901,1074120,1074125,1074185,1074309,1075939,1076021,1076051
CVE References: CVE-2017-10995,CVE-2017-11505,CVE-2017-11525,CVE-2017-11526,CVE-2017-11539,CVE-2017-11639,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12671,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13059,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14649,CVE-2017-15218,CVE-2017-17504,CVE-2017-17681,CVE-2017-17879,CVE-2017-17884,CVE-2017-17914,CVE-2017-18008,CVE-2017-18027,CVE-2017-18029,CVE-2017-9261,CVE-2017-9262,CVE-2018-5246,CVE-2018-5685
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-52.1

Comment 22 Swamp Workflow Management 2018-02-09 20:10:30 UTC

SUSE-SU-2018:0413-1: An update that fixes 34 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1047910,1050037,1050072,1050100,1051442,1052470,1052708,1052717,1052768,1052777,1052781,1054600,1055038,1055374,1055455,1055456,1057000,1060162,1062752,1067198,1073690,1074023,1074120,1074125,1074175,1075939
CVE References: CVE-2014-9811,CVE-2017-10995,CVE-2017-11102,CVE-2017-11505,CVE-2017-11526,CVE-2017-11539,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13065,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14174,CVE-2017-14649,CVE-2017-15218,CVE-2017-15238,CVE-2017-16669,CVE-2017-17501,CVE-2017-17504,CVE-2017-17782,CVE-2017-17879,CVE-2017-17884,CVE-2017-17915,CVE-2017-8352,CVE-2017-9261,CVE-2017-9262,CVE-2018-5685
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.78.33.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.33.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.33.1

Comment 23 Marcus Meissner 2018-02-12 08:21:53 UTC

released