Bug 1052761 – VUL-1: CVE-2017-12654: GraphicsMagick, ImageMagick: Memory leak in ReadPICTImage in coders/pict.c allows for DoS

Bug 1052761 - (CVE-2017-12654) VUL-1: CVE-2017-12654: GraphicsMagick, ImageMagick: Memory leak in ReadPICTImage in coders/pict.c allows for DoS

(CVE-2017-12654)
Summary:	VUL-1: CVE-2017-12654: GraphicsMagick, ImageMagick: Memory leak in ReadPICTIm...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/189763/
Whiteboard:	CVSSv2:SUSE:CVE-2017-12654:5.0:(AV:N/...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-08-08 11:49 UTC by Johannes Segitz
Modified:	2020-06-11 20:32 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Reproducer (760 bytes, image/x-pict) 2017-08-08 11:49 UTC, Johannes Segitz	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Segitz 2017-08-08 11:49:03 UTC

Created attachment 735696 [details]
Reproducer

CVE-2017-12654

The ReadPICTImage function in coders/pict.c in ImageMagick 7.0.6-3 allows
attackers to cause a denial of service (memory leak) via a crafted file.

valgrind identify memory_leak_in_ReadPICTImage_2.pict
doesn't trigger for GM but code looks vulnerable

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12654
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12654
https://github.com/ImageMagick/ImageMagick/issues/620

Comment 1 Petr Gajdos 2018-01-30 13:39:21 UTC

BEFORE

12/ImageMagick

$ valgrind -q --leak-check=full identify memory_leak_in_ReadPICTImage_2.pict
identify: improper image header `memory_leak_in_ReadPICTImage_2.pict' @ error/pict.c/ReadPICTImage/1103.
==3421== 23,240 (13,232 direct, 10,008 indirect) bytes in 1 blocks are definitely lost in loss record 21 of 21
==3421==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==3421==    by 0x4F47DE8: CloneImage (image.c:808)
==3421==    by 0x841D0B1: ???
==3421==    by 0x4EBFE1A: ReadImage (constitute.c:601)
==3421==    by 0x4FD1638: ReadStream (stream.c:974)
==3421==    by 0x4EBF960: PingImage (constitute.c:278)
==3421==    by 0x4EBFB9A: PingImages (constitute.c:373)
==3421==    by 0x535850B: IdentifyImageCommand (identify.c:322)
==3421==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==3421==    by 0x400891: IdentifyMain (identify.c:80)
==3421==    by 0x400891: main (identify.c:93)
==3421== 
$

11/ImageMagick

$ valgrind -q --leak-check=full identify memory_leak_in_ReadPICTImage_2.pict
identify: Improper image header `memory_leak_in_ReadPICTImage_2.pict'.
==3429== 
==3429== 2,128 bytes in 7 blocks are possibly lost in loss record 6 of 9
==3429==    at 0x4C23484: calloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==3429==    by 0x4010AEE: _dl_allocate_tls (in /lib64/ld-2.9.so)
==3429==    by 0x6B7774A: pthread_create@@GLIBC_2.2.5 (in /lib64/libpthread-2.9.so)
==3429==    by 0x696CF35: (within /usr/lib64/libgomp.so.1.0.0)
==3429==    by 0x4F0E3E1: SetImageBackgroundColor (image.c:342)
==3429==    by 0x9F0D4BE: ???
==3429==    by 0x4E94D87: ReadImage (constitute.c:441)
==3429==    by 0x52D0C14: IdentifyImageCommand (identify.c:297)
==3429==    by 0x400DA7: main (identify.c:101)
==3429== 
==3429== 
==3429== 41,648 (13,192 direct, 28,456 indirect) bytes in 1 blocks are definitely lost in loss record 8 of 9
==3429==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==3429==    by 0x4F0A0CC: CloneImage (image.c:1108)
==3429==    by 0x9F0BF45: ???
==3429==    by 0x4E94D87: ReadImage (constitute.c:441)
==3429==    by 0x52D0C14: IdentifyImageCommand (identify.c:297)
==3429==    by 0x400DA7: main (identify.c:101)
$

11/GraphicsMagick

$ valgrind -q --leak-check=full gm identify memory_leak_in_ReadPICTImage_2.pict
gm identify: Improper image header (memory_leak_in_ReadPICTImage_2.pict).
$

42.3/GraphicsMagick

$ valgrind -q --leak-check=full gm identify memory_leak_in_ReadPICTImage_2.pict
gm identify: Improper image header (memory_leak_in_ReadPICTImage_2.pict).
gm identify: Request did not return an image.
$

PATCH

ImageMagick:
https://github.com/ImageMagick/ImageMagick/commit/ffcb8f8e2248fde38a2cb30aeb48403d2b3471cc

GraphicsMagick (11, 42.3, HG):
ReadPixmap() does not validate image, therefore does not return; there is ValidateImage() called instead. I think GraphicsMagick is not affected at all.

AFTER

12/ImageMagick

$ valgrind -q --leak-check=full identify memory_leak_in_ReadPICTImage_2.pict
identify: improper image header `memory_leak_in_ReadPICTImage_2.pict' @ error/pict.c/ReadPICTImage/1110.
$
[leak vanished]

11/ImageMagick

$ valgrind -q --leak-check=full identify memory_leak_in_ReadPICTImage_2.pict
identify: Improper image header `memory_leak_in_ReadPICTImage_2.pict'.
==22138== 
==22138== 2,128 bytes in 7 blocks are possibly lost in loss record 3 of 3
==22138==    at 0x4C23484: calloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==22138==    by 0x4010AEE: _dl_allocate_tls (in /lib64/ld-2.9.so)
==22138==    by 0x6B7774A: pthread_create@@GLIBC_2.2.5 (in /lib64/libpthread-2.9.so)
==22138==    by 0x696CF35: (within /usr/lib64/libgomp.so.1.0.0)
==22138==    by 0x4F0E3E1: SetImageBackgroundColor (image.c:342)
==22138==    by 0x9F0D309: ???
==22138==    by 0x4E94D87: ReadImage (constitute.c:441)
==22138==    by 0x52D0C14: IdentifyImageCommand (identify.c:297)
==22138==    by 0x400DA7: main (identify.c:101)
$
[relevant leak vanished]

Comment 2 Petr Gajdos 2018-01-30 13:40:04 UTC

Will submit for: 11/ImageMagick and 12/ImageMagick.

Comment 3 Petr Gajdos 2018-02-02 09:31:08 UTC

I believe all fixed.

Comment 4 Swamp Workflow Management 2018-02-20 14:10:19 UTC

SUSE-SU-2018:0486-1: An update that fixes 24 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042824,1048110,1049374,1049375,1050048,1050617,1050669,1052207,1052248,1052251,1052254,1052472,1052688,1052711,1052747,1052750,1052761,1055069,1055229,1058009,1074119,1076182,1078433
CVE References: CVE-2017-11166,CVE-2017-11448,CVE-2017-11450,CVE-2017-11537,CVE-2017-11637,CVE-2017-11638,CVE-2017-11642,CVE-2017-12418,CVE-2017-12427,CVE-2017-12429,CVE-2017-12432,CVE-2017-12566,CVE-2017-12654,CVE-2017-12664,CVE-2017-12665,CVE-2017-12668,CVE-2017-12674,CVE-2017-13058,CVE-2017-13131,CVE-2017-14224,CVE-2017-17885,CVE-2017-18028,CVE-2017-9407,CVE-2018-6405
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.34.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.34.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.34.1

Comment 5 Swamp Workflow Management 2018-03-01 20:17:46 UTC

SUSE-SU-2018:0581-1: An update that fixes 35 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042824,1042911,1048110,1048272,1049374,1049375,1050048,1050119,1050122,1050126,1050132,1050617,1052207,1052248,1052251,1052254,1052472,1052688,1052711,1052747,1052750,1052754,1052761,1055069,1055229,1056768,1057163,1058009,1072898,1074119,1074170,1075821,1076182,1078433
CVE References: CVE-2017-11166,CVE-2017-11170,CVE-2017-11448,CVE-2017-11450,CVE-2017-11528,CVE-2017-11530,CVE-2017-11531,CVE-2017-11533,CVE-2017-11537,CVE-2017-11638,CVE-2017-11642,CVE-2017-12418,CVE-2017-12427,CVE-2017-12429,CVE-2017-12432,CVE-2017-12566,CVE-2017-12654,CVE-2017-12663,CVE-2017-12664,CVE-2017-12665,CVE-2017-12668,CVE-2017-12674,CVE-2017-13058,CVE-2017-13131,CVE-2017-14060,CVE-2017-14139,CVE-2017-14224,CVE-2017-17682,CVE-2017-17885,CVE-2017-17934,CVE-2017-18028,CVE-2017-9405,CVE-2017-9407,CVE-2018-5357,CVE-2018-6405
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1

Comment 6 Swamp Workflow Management 2018-03-06 23:16:24 UTC

openSUSE-SU-2018:0621-1: An update that fixes 35 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042824,1042911,1048110,1048272,1049374,1049375,1050048,1050119,1050122,1050126,1050132,1050617,1052207,1052248,1052251,1052254,1052472,1052688,1052711,1052747,1052750,1052754,1052761,1055069,1055229,1056768,1057163,1058009,1072898,1074119,1074170,1075821,1076182,1078433
CVE References: CVE-2017-11166,CVE-2017-11170,CVE-2017-11448,CVE-2017-11450,CVE-2017-11528,CVE-2017-11530,CVE-2017-11531,CVE-2017-11533,CVE-2017-11537,CVE-2017-11638,CVE-2017-11642,CVE-2017-12418,CVE-2017-12427,CVE-2017-12429,CVE-2017-12432,CVE-2017-12566,CVE-2017-12654,CVE-2017-12663,CVE-2017-12664,CVE-2017-12665,CVE-2017-12668,CVE-2017-12674,CVE-2017-13058,CVE-2017-13131,CVE-2017-14060,CVE-2017-14139,CVE-2017-14224,CVE-2017-17682,CVE-2017-17885,CVE-2017-17934,CVE-2017-18028,CVE-2017-9405,CVE-2017-9407,CVE-2018-5357,CVE-2018-6405
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-55.1

Comment 7 Marcus Meissner 2018-05-18 15:37:39 UTC

released