Bug 1055214 - (CVE-2017-13134) VUL-0: CVE-2017-13134: GraphicsMagick,ImageMagick: In ImageMagick 7.0.6-6, a heap-based buffer over-read was found in thefunction SFWScan in coders/sfw.c, which allows attackers to cause adenial of service via a crafted file.
(CVE-2017-13134)
VUL-0: CVE-2017-13134: GraphicsMagick,ImageMagick: In ImageMagick 7.0.6-6, a ...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/190909/
CVSSv2:SUSE:CVE-2017-13134:5.0:(AV:N/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-23 10:01 UTC by Marcus Meissner
Modified: 2018-02-12 08:27 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
heap_buffer_overflow_in_SFWScan (1.50 KB, application/octet-stream)
2017-08-23 10:02 UTC, Marcus Meissner
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2017-08-23 10:01:08 UTC
CVE-2017-13134

In ImageMagick 7.0.6-6, a heap-based buffer over-read was found in the
function SFWScan in coders/sfw.c, which allows attackers to cause a
denial of service via a crafted file.


https://github.com/ImageMagick/ImageMagick/issues/670
Comment 1 Marcus Meissner 2017-08-23 10:02:04 UTC
Created attachment 737959 [details]
heap_buffer_overflow_in_SFWScan

QA REPRODUCER:

valgrind identify heap_buffer_overflow_in_SFWScan

for imagemagick

valgrind gm identify heap_buffer_overflow_in_SFWScan

for graphicsmagick

should not show invalid reads.
Comment 2 Marcus Meissner 2017-08-23 10:03:06 UTC
its not crashing, so mostly an information leak due to the overread.
Comment 3 Petr Gajdos 2017-11-06 15:14:28 UTC
BEFORE

12/ImageMagick

$ valgrind -q identify heap_buffer_overflow_in_SFWScan 
==1191== Conditional jump or move depends on uninitialised value(s)
==1191==    at 0x84185F7: SFWScan (sfw.c:134)
==1191==    by 0x84185F7: ReadSFWImage (sfw.c:272)
==1191==    by 0x4EBF2BA: ReadImage (constitute.c:601)
==1191==    by 0x4FD0B68: ReadStream (stream.c:974)
==1191==    by 0x4EBEE00: PingImage (constitute.c:278)
==1191==    by 0x4EBF03A: PingImages (constitute.c:373)
==1191==    by 0x535852B: IdentifyImageCommand (identify.c:322)
==1191==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==1191==    by 0x400971: IdentifyMain (identify.c:80)
==1191==    by 0x400971: main (identify.c:93)
==1191== 
identify: improper image header `heap_buffer_overflow_in_SFWScan' @ error/sfw.c/ReadSFWImage/277.
$

11/ImageMagick
$ valgrind -q identify heap_buffer_overflow_in_SFWScan 
==12171== Conditional jump or move depends on uninitialised value(s)
==12171==    at 0x9F086FB: ReadSFWImage (sfw.c:136)
==12171==    by 0x4E94D87: ReadImage (constitute.c:441)
==12171==    by 0x52D0C14: IdentifyImageCommand (identify.c:297)
==12171==    by 0x400DA7: main (identify.c:101)
identify: Improper image header `heap_buffer_overflow_in_SFWScan'.
$

GraphicsMagick

$ valgrind -q gm identify heap_buffer_overflow_in_SFWScan
==2638== Conditional jump or move depends on uninitialised value(s)
==2638==    at 0x79CC359: SFWScan (sfw.c:128)
==2638==    by 0x79CC359: ReadSFWImage (sfw.c:271)
==2638==    by 0x4EC0F07: ReadImage (constitute.c:1607)
==2638==    by 0x4EC1D21: PingImage (constitute.c:1370)
==2638==    by 0x4E8DF4C: IdentifyImageCommand (command.c:8375)
==2638==    by 0x4E8F894: MagickCommand (command.c:8865)
==2638==    by 0x4E909AD: GMCommandSingle (command.c:17379)
==2638==    by 0x4EB40BD: GMCommand (command.c:17432)
==2638==    by 0x54436E4: (below main) (in /lib64/libc-2.22.so)
==2638== 
gm identify: Improper image header (heap_buffer_overflow_in_SFWScan).
gm identify: Request did not return an image.
$

PATCH

https://github.com/ImageMagick/ImageMagick/commit/1b234b4fe2ec864b2d5af898a31c06c9736da904

AFTER

ImageMagick

$ valgrind -q identify heap_buffer_overflow_in_SFWScan 
identify: improper image header `heap_buffer_overflow_in_SFWScan' @ error/sfw.c/ReadSFWImage/276.
$

GraphicsMagick
Comment 4 Petr Gajdos 2017-11-07 15:58:34 UTC
I believe all fixed.
Comment 6 Bernhard Wiedemann 2017-11-07 17:00:44 UTC
This is an autogenerated message for OBS integration:
This bug (1055214) was mentioned in
https://build.opensuse.org/request/show/539605 42.2 / GraphicsMagick
https://build.opensuse.org/request/show/539606 42.3 / GraphicsMagick
Comment 7 Swamp Workflow Management 2017-11-15 14:08:28 UTC
openSUSE-SU-2017:3020-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1054757,1055214,1056426,1056429,1057508,1066003
CVE References: CVE-2017-12983,CVE-2017-13134,CVE-2017-13776,CVE-2017-13777,CVE-2017-14165,CVE-2017-15930
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-39.1
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-11.39.1
Comment 10 Swamp Workflow Management 2017-12-20 17:11:25 UTC
SUSE-SU-2017:3378-1: An update that fixes 26 vulnerabilities is now available.

Category: security (important)
Bug References: 1048457,1049796,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052758,1052764,1054757,1055214,1056432,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060577,1066003,1067181,1067184
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14733,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.14.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.14.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.14.1
Comment 11 Swamp Workflow Management 2017-12-20 17:38:32 UTC
SUSE-SU-2017:3388-1: An update that solves 32 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1048457,1049796,1050083,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052744,1052758,1052764,1054757,1055214,1056432,1057157,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060176,1060577,1061254,1062750,1066003,1067181,1067184,1067409
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11523,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14138,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14682,CVE-2017-14733,CVE-2017-14989,CVE-2017-15217,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
Comment 12 Swamp Workflow Management 2017-12-22 20:14:10 UTC
openSUSE-SU-2017:3420-1: An update that solves 32 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1048457,1049796,1050083,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052744,1052758,1052764,1054757,1055214,1056432,1057157,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060176,1060577,1061254,1062750,1066003,1067181,1067184,1067409
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11523,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14138,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14682,CVE-2017-14733,CVE-2017-14989,CVE-2017-15217,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-40.1
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-30.12.1
Comment 13 Swamp Workflow Management 2017-12-27 14:09:08 UTC
SUSE-SU-2017:3435-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1050632,1052450,1054757,1055214,1056426,1056429,1057508,1058485,1058637,1066003,1067181,1067184,1067409
CVE References: CVE-2016-7996,CVE-2017-11640,CVE-2017-12587,CVE-2017-12983,CVE-2017-13134,CVE-2017-13776,CVE-2017-13777,CVE-2017-14165,CVE-2017-14341,CVE-2017-14342,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.78.19.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.19.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.19.1
Comment 14 Marcus Meissner 2018-02-12 08:27:16 UTC
released