Bug 1055069 – VUL-2: CVE-2017-13058: ImageMagick: In ImageMagick 7.0.6-6, a memory leak vulnerability was found in thefunction WritePCXImage in coders/pcx.c, which allows attackers to causea denial of service via a crafted file.

Bug 1055069 - (CVE-2017-13058) VUL-2: CVE-2017-13058: ImageMagick: In ImageMagick 7.0.6-6, a memory leak vulnerability was found in thefunction WritePCXImage in coders/pcx.c, which allows attackers to causea denial of service via a crafted file.

(CVE-2017-13058)
Summary:	VUL-2: CVE-2017-13058: ImageMagick: In ImageMagick 7.0.6-6, a memory leak vul...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/190878/
Whiteboard:	CVSSv3:SUSE:CVE-2017-13058:5.3:(AV:N/...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-08-22 16:02 UTC by Marcus Meissner
Modified:	2018-03-06 23:46 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
memory_leak_in_WritePCXImage (250 bytes, application/octet-stream) 2017-08-22 16:02 UTC, Marcus Meissner	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2017-08-22 16:02:21 UTC

CVE-2017-13058

In ImageMagick 7.0.6-6, a memory leak vulnerability was found in the
function WritePCXImage in coders/pcx.c, which allows attackers to cause
a denial of service via a crafted file.

https://github.com/ImageMagick/ImageMagick/issues/666

Comment 1 Marcus Meissner 2017-08-22 16:02:59 UTC

Created attachment 737831 [details]
memory_leak_in_WritePCXImage

QA REPRODUCER:

valgrind --leak-check=full identify memory_leak_in_WritePCXImage

should not report leaked memory.

Comment 2 Marcus Meissner 2017-09-27 10:50:20 UTC

minor fixed size leak per image.

Comment 3 Petr Gajdos 2018-02-06 16:14:29 UTC

BEFORE

12/ImageMagick

$ valgrind -q --leak-check=full convert memory_leak_in_WritePCXImage out.dcx
convert: unexpected end-of-file `memory_leak_in_WritePCXImage' @ error/pwp.c/ReadPWPImage/198.
convert: no images defined `out.dcx' @ error/convert.c/ConvertImageCommand/3149.
$
[no issues observed]

11/ImageMagick

$ valgrind -q --leak-check=full convert memory_leak_in_WritePCXImage out.dcx
convert: Unexpected end-of-file `memory_leak_in_WritePCXImage': No such file or directory.
==15812== 
==15812== 768 bytes in 1 blocks are definitely lost in loss record 2 of 3
==15812==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==15812==    by 0xA10E272: ???
==15812==    by 0x4E94145: WriteImage (constitute.c:955)
==15812==    by 0x4E9490A: WriteImages (constitute.c:1126)
==15812==    by 0x529339C: ConvertImageCommand (convert.c:2711)
==15812==    by 0x400F73: main (convert.c:122)
==15812== 
==15812== 
==15812== 8,192 bytes in 1 blocks are definitely lost in loss record 3 of 3
==15812==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==15812==    by 0xA10E0C2: ???
==15812==    by 0x4E94145: WriteImage (constitute.c:955)
==15812==    by 0x4E9490A: WriteImages (constitute.c:1126)
==15812==    by 0x529339C: ConvertImageCommand (convert.c:2711)
==15812==    by 0x400F73: main (convert.c:122)
$
[seems to be vulnerable]

11/GraphicsMagick

$ valgrind -q --leak-check=full gm convert memory_leak_in_WritePCXImage out.dcx
==15822== Use of uninitialised value of size 8
==15822==    at 0x4F23A28: LocaleNCompare (utility.c:3356)
==15822==    by 0x822C3CB: ReadPWPImage (pwp.c:177)
==15822==    by 0x4EA01CC: ReadImage (constitute.c:6000)
==15822==    by 0x4E8CBCF: ConvertImageCommand (command.c:3171)
==15822==    by 0x4E73683: MagickCommand (command.c:7657)
==15822==    by 0x4E737FE: GMCommand (command.c:15277)
==15822==    by 0x76E2585: (below main) (in /lib64/libc-2.9.so)
gm convert: Request did not return an image.
$
[no leak]

42.3/GraphicsMagick

$ valgrind -q --leak-check=full gm convert memory_leak_in_WritePCXImage out.dcx
==15829== Use of uninitialised value of size 8
==15829==    at 0x4F3DC1E: LocaleNCompare (utility.c:3520)
==15829==    by 0x7BD12E8: ReadPWPImage (pwp.c:177)
==15829==    by 0x4EBEB77: ReadImage (constitute.c:1607)
==15829==    by 0x4E9F037: ConvertImageCommand (command.c:4348)
==15829==    by 0x4E8F884: MagickCommand (command.c:8868)
==15829==    by 0x4E9099D: GMCommandSingle (command.c:17376)
==15829==    by 0x4EB1D2D: GMCommand (command.c:17429)
==15829==    by 0x54406E4: (below main) (in /lib64/libc-2.22.so)
==15829== 
gm convert: Request did not return an image.
$
[no leak]

PATCH

https://github.com/ImageMagick/ImageMagick/commit/36d552245454f88aff5afddec29b9121b3d9b38f

*/ImageMagick: needs the free of page_table
11/GraphicsMagick: needs the free of page_table
42.3/GraphicsMagick: ThrowPCXWriterException()

AFTER

12/ImageMagick

$ valgrind -q --leak-check=full convert memory_leak_in_WritePCXImage out.dcx
convert: unexpected end-of-file `memory_leak_in_WritePCXImage' @ error/pwp.c/ReadPWPImage/198.
convert: no images defined `out.dcx' @ error/convert.c/ConvertImageCommand/3149.
$
[no change]

11/ImageMagick

$ valgrind -q --leak-check=full convert memory_leak_in_WritePCXImage out.dcx
convert: Unexpected end-of-file `memory_leak_in_WritePCXImage': No such file or directory.
$
[fixed]

11/GraphicsMagick

$ valgrind -q --leak-check=full gm convert memory_leak_in_WritePCXImage out.dcx
==12593== Use of uninitialised value of size 8
==12593==    at 0x4F23A28: LocaleNCompare (utility.c:3356)
==12593==    by 0x822D3CB: ReadPWPImage (pwp.c:177)
==12593==    by 0x4EA01CC: ReadImage (constitute.c:6000)
==12593==    by 0x4E8CBCF: ConvertImageCommand (command.c:3171)
==12593==    by 0x4E73683: MagickCommand (command.c:7657)
==12593==    by 0x4E737FE: GMCommand (command.c:15277)
==12593==    by 0x76E2585: (below main) (in /lib64/libc-2.9.so)
gm convert: Request did not return an image.
$
[no change]

42.3/GraphicsMagick

$ valgrind -q --leak-check=full gm convert memory_leak_in_WritePCXImage out.dcx
==12604== Use of uninitialised value of size 8
==12604==    at 0x4F3DC1E: LocaleNCompare (utility.c:3520)
==12604==    by 0x7BD12E8: ReadPWPImage (pwp.c:177)
==12604==    by 0x4EBEB77: ReadImage (constitute.c:1607)
==12604==    by 0x4E9F037: ConvertImageCommand (command.c:4348)
==12604==    by 0x4E8F884: MagickCommand (command.c:8868)
==12604==    by 0x4E9099D: GMCommandSingle (command.c:17376)
==12604==    by 0x4EB1D2D: GMCommand (command.c:17429)
==12604==    by 0x54406E4: (below main) (in /lib64/libc-2.22.so)
==12604== 
gm convert: Request did not return an image.
$
[no change]

Comment 4 Petr Gajdos 2018-02-06 16:16:53 UTC

Will submit for: 12/ImageMagick, 11/ImageMagick and 11/GraphicsMagick

Comment 5 Petr Gajdos 2018-02-09 16:02:08 UTC

I believe all fixed.

Comment 9 Swamp Workflow Management 2018-02-20 14:10:29 UTC

SUSE-SU-2018:0486-1: An update that fixes 24 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042824,1048110,1049374,1049375,1050048,1050617,1050669,1052207,1052248,1052251,1052254,1052472,1052688,1052711,1052747,1052750,1052761,1055069,1055229,1058009,1074119,1076182,1078433
CVE References: CVE-2017-11166,CVE-2017-11448,CVE-2017-11450,CVE-2017-11537,CVE-2017-11637,CVE-2017-11638,CVE-2017-11642,CVE-2017-12418,CVE-2017-12427,CVE-2017-12429,CVE-2017-12432,CVE-2017-12566,CVE-2017-12654,CVE-2017-12664,CVE-2017-12665,CVE-2017-12668,CVE-2017-12674,CVE-2017-13058,CVE-2017-13131,CVE-2017-14224,CVE-2017-17885,CVE-2017-18028,CVE-2017-9407,CVE-2018-6405
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.34.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.34.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.34.1

Comment 10 Swamp Workflow Management 2018-02-22 14:09:55 UTC

SUSE-SU-2018:0524-1: An update that fixes 20 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042824,1047900,1049374,1049375,1050617,1050669,1052248,1052251,1052254,1052472,1052688,1055069,1055229,1058009,1072934,1073081,1074307,1076182,1078433
CVE References: CVE-2017-11140,CVE-2017-11448,CVE-2017-11450,CVE-2017-11637,CVE-2017-11638,CVE-2017-11642,CVE-2017-12427,CVE-2017-12429,CVE-2017-12432,CVE-2017-12566,CVE-2017-12668,CVE-2017-13058,CVE-2017-13131,CVE-2017-14224,CVE-2017-17502,CVE-2017-17503,CVE-2017-17912,CVE-2017-18028,CVE-2017-9407,CVE-2018-6405
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.78.38.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.38.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.38.1

Comment 11 Swamp Workflow Management 2018-03-01 20:17:53 UTC

SUSE-SU-2018:0581-1: An update that fixes 35 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042824,1042911,1048110,1048272,1049374,1049375,1050048,1050119,1050122,1050126,1050132,1050617,1052207,1052248,1052251,1052254,1052472,1052688,1052711,1052747,1052750,1052754,1052761,1055069,1055229,1056768,1057163,1058009,1072898,1074119,1074170,1075821,1076182,1078433
CVE References: CVE-2017-11166,CVE-2017-11170,CVE-2017-11448,CVE-2017-11450,CVE-2017-11528,CVE-2017-11530,CVE-2017-11531,CVE-2017-11533,CVE-2017-11537,CVE-2017-11638,CVE-2017-11642,CVE-2017-12418,CVE-2017-12427,CVE-2017-12429,CVE-2017-12432,CVE-2017-12566,CVE-2017-12654,CVE-2017-12663,CVE-2017-12664,CVE-2017-12665,CVE-2017-12668,CVE-2017-12674,CVE-2017-13058,CVE-2017-13131,CVE-2017-14060,CVE-2017-14139,CVE-2017-14224,CVE-2017-17682,CVE-2017-17885,CVE-2017-17934,CVE-2017-18028,CVE-2017-9405,CVE-2017-9407,CVE-2018-5357,CVE-2018-6405
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1

Comment 12 Andreas Stieger 2018-03-06 19:44:29 UTC

Releasing for Leap, showing as done otherwise

Comment 13 Swamp Workflow Management 2018-03-06 23:16:31 UTC

openSUSE-SU-2018:0621-1: An update that fixes 35 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042824,1042911,1048110,1048272,1049374,1049375,1050048,1050119,1050122,1050126,1050132,1050617,1052207,1052248,1052251,1052254,1052472,1052688,1052711,1052747,1052750,1052754,1052761,1055069,1055229,1056768,1057163,1058009,1072898,1074119,1074170,1075821,1076182,1078433
CVE References: CVE-2017-11166,CVE-2017-11170,CVE-2017-11448,CVE-2017-11450,CVE-2017-11528,CVE-2017-11530,CVE-2017-11531,CVE-2017-11533,CVE-2017-11537,CVE-2017-11638,CVE-2017-11642,CVE-2017-12418,CVE-2017-12427,CVE-2017-12429,CVE-2017-12432,CVE-2017-12566,CVE-2017-12654,CVE-2017-12663,CVE-2017-12664,CVE-2017-12665,CVE-2017-12668,CVE-2017-12674,CVE-2017-13058,CVE-2017-13131,CVE-2017-14060,CVE-2017-14139,CVE-2017-14224,CVE-2017-17682,CVE-2017-17885,CVE-2017-17934,CVE-2017-18028,CVE-2017-9405,CVE-2017-9407,CVE-2018-5357,CVE-2018-6405
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-55.1