Bug 1057000 - (CVE-2017-14103) VUL-0: CVE-2017-14103: GraphicsMagick: The ReadJNGImage and ReadOneJNGImage functions in coders/png.c inGraphicsMagick 1.3.26 do not properly manage image pointers aftercertain error conditions, which allows remote attackers to conductus
(CVE-2017-14103)
VUL-0: CVE-2017-14103: GraphicsMagick: The ReadJNGImage and ReadOneJNGImage f...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/191386/
CVSSv2:SUSE:CVE-2017-14103:5.0:(AV:N/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-09-04 07:01 UTC by Marcus Meissner
Modified: 2018-02-09 23:36 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
00333-graphicsmagick-UAF-CloseBlob (298 bytes, application/octet-stream)
2017-09-04 07:05 UTC, Marcus Meissner
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2017-09-04 07:01:53 UTC
CVE-2017-14103

The ReadJNGImage and ReadOneJNGImage functions in coders/png.c in
GraphicsMagick 1.3.26 do not properly manage image pointers after
certain error conditions, which allows remote attackers to conduct
use-after-free attacks via a crafted file, related to a ReadMNGImage
out-of-order CloseBlob call. NOTE: this vulnerability exists because of
an incomplete fix for CVE-2017-11403.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14103
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14103.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14103
http://www.cvedetails.com/cve/CVE-2017-14103/
Comment 1 Marcus Meissner 2017-09-04 07:03:02 UTC
the old one was bug 1049072
Comment 3 Marcus Meissner 2017-09-04 07:05:00 UTC
Created attachment 739258 [details]
00333-graphicsmagick-UAF-CloseBlob

QA REPRODUCER:

gm convert 00333-graphicsmagick-UAF-CloseBlob foo.jpg

should not assertion fail.
Comment 4 Petr Gajdos 2018-01-15 07:50:56 UTC
12/ImageMagick

BEFORE

$ time convert 00333-graphicsmagick-UAF-CloseBlob foo.jpg
convert: corrupt image `00333-graphicsmagick-UAF-CloseBlob' @ error/png.c/ReadOneJNGImage/4248.
convert: no images defined `foo.jpg' @ error/convert.c/ConvertImageCommand/3149.

real	0m1.065s
user	0m1.013s
sys	0m0.052s
$

AFTER

$ time convert 00333-graphicsmagick-UAF-CloseBlob foo.jpg
convert: negative or zero image size `00333-graphicsmagick-UAF-CloseBlob' @ error/png.c/ReadOneJNGImage/4363.
convert: no images defined `foo.jpg' @ error/convert.c/ConvertImageCommand/3149.

real	0m0.007s
user	0m0.002s
sys	0m0.005s
$

Could not reproduce assertation fault, but there is an improvement, considering affected (but question is, if by this CVE).
Comment 8 Petr Gajdos 2018-01-16 09:47:07 UTC
11/ImageMagick

BEFORE

$ time convert 00333-graphicsmagick-UAF-CloseBlob foo.jpg
convert: Corrupt image `00333-graphicsmagick-UAF-CloseBlob'.
convert: missing an image filename `foo.jpg'.

real	0m1.211s
user	0m1.147s
sys	0m0.064s
$

AFTER

$ time convert 00333-graphicsmagick-UAF-CloseBlob foo.jpg
convert: Negative or zero image size `00333-graphicsmagick-UAF-CloseBlob'.
convert: missing an image filename `foo.jpg'.

real	0m0.013s
user	0m0.013s
sys	0m0.000s
$
Comment 10 Petr Gajdos 2018-01-16 12:03:37 UTC
42.x/GraphicsMagick

BEFORE

$ valgrind -q --leak-check=full gm identify 00366-graphicsmagick_assertionfailure_pixel_cache_c
00366-graphicsmagick_assertionfailure_pixel_cache_c JNG 1x1+0+0 DirectClass 16-bit 275 0.000u 0m:0.000752s
$

AFTER

$ valgrind -q --leak-check=full gm identify 00366-graphicsmagick_assertionfailure_pixel_cache_c
00366-graphicsmagick_assertionfailure_pixel_cache_c JNG 1x1+0+0 DirectClass 16-bit 275 0.000u 0m:0.000758s
$

Considering not affected.
Comment 11 Petr Gajdos 2018-01-16 12:07:34 UTC
(In reply to Petr Gajdos from comment #10)
> 42.x/GraphicsMagick
> 
> BEFORE
> 
> $ valgrind -q --leak-check=full gm identify
> 00366-graphicsmagick_assertionfailure_pixel_cache_c
> 00366-graphicsmagick_assertionfailure_pixel_cache_c JNG 1x1+0+0 DirectClass
> 16-bit 275 0.000u 0m:0.000752s
> $
> 
> AFTER
> 
> $ valgrind -q --leak-check=full gm identify
> 00366-graphicsmagick_assertionfailure_pixel_cache_c
> 00366-graphicsmagick_assertionfailure_pixel_cache_c JNG 1x1+0+0 DirectClass
> 16-bit 275 0.000u 0m:0.000758s
> $
> 
> Considering not affected.

Bad window. It should have been:

42.x/GraphicsMagick

BEFORE

$ gm convert 00333-graphicsmagick-UAF-CloseBlob /dev/null
gm: magick/blob.c:860: CloseBlob: Assertion `image->signature == 0xabacadabUL' failed.
gm convert: abort due to signal 6 (SIGABRT) "Abort"...
Aborted (core dumped)
$

AFTER

$ gm convert 00333-graphicsmagick-UAF-CloseBlob /dev/null
gm convert: Insufficient image data in file (00333-graphicsmagick-UAF-CloseBlob).
$
Comment 13 Swamp Workflow Management 2018-01-16 14:30:48 UTC
This is an autogenerated message for OBS integration:
This bug (1057000) was mentioned in
https://build.opensuse.org/request/show/566430 42.3 / GraphicsMagick
Comment 14 Swamp Workflow Management 2018-01-16 15:10:45 UTC
This is an autogenerated message for OBS integration:
This bug (1057000) was mentioned in
https://build.opensuse.org/request/show/566436 42.2 / GraphicsMagick
Comment 15 Petr Gajdos 2018-01-17 07:28:10 UTC
11/GraphicsMagick

Code is there, this is follow up of CVE-2017-11102, bug 1047910.
Comment 16 Petr Gajdos 2018-01-19 17:30:35 UTC
11/GraphicsMagick

BEFORE

$ gm convert 00333-graphicsmagick-UAF-CloseBlob foo.jpg
[hangs or run long]

AFTER

$ gm convert 00333-graphicsmagick-UAF-CloseBlob foo.jpg
gm convert: Insufficient image data in file (00333-graphicsmagick-UAF-CloseBlob).
$
Comment 17 Petr Gajdos 2018-01-22 11:58:07 UTC
Submitted for: 12/ImageMagick, 11/ImageMagick, 11/GraphicsMagick and 42.x/GraphicsMagick
Comment 19 Petr Gajdos 2018-01-22 12:24:43 UTC
I believe all fixed.
Comment 20 Swamp Workflow Management 2018-01-25 20:09:34 UTC
openSUSE-SU-2018:0218-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1051442,1052708,1052717,1052777,1054600,1055374,1055455,1057000,1062752
CVE References: CVE-2017-11750,CVE-2017-12641,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-15218,CVE-2017-9261,CVE-2017-9262
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-60.1
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-11.63.1
Comment 21 Swamp Workflow Management 2018-02-02 14:11:52 UTC
SUSE-SU-2018:0349-1: An update that fixes 34 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1050037,1050072,1050098,1050100,1050635,1051442,1052470,1052708,1052717,1052721,1052768,1052777,1052781,1054600,1055068,1055374,1055455,1055456,1057000,1060162,1062752,1072362,1072901,1074120,1074125,1074185,1074309,1075939,1076021,1076051
CVE References: CVE-2017-10995,CVE-2017-11505,CVE-2017-11525,CVE-2017-11526,CVE-2017-11539,CVE-2017-11639,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12671,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13059,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14649,CVE-2017-15218,CVE-2017-17504,CVE-2017-17681,CVE-2017-17879,CVE-2017-17884,CVE-2017-17914,CVE-2017-18008,CVE-2017-18027,CVE-2017-18029,CVE-2017-9261,CVE-2017-9262,CVE-2018-5246,CVE-2018-5685
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
Comment 22 Swamp Workflow Management 2018-02-02 14:17:09 UTC
SUSE-SU-2018:0350-1: An update that solves 30 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1050037,1050072,1050098,1050100,1050635,1051442,1052470,1052708,1052717,1052721,1052768,1052777,1052781,1054600,1055374,1055455,1055456,1057000,1060162,1062752,1072362,1074120,1074125,1074185,1074309,1075939,1076021,1076051
CVE References: CVE-2017-10995,CVE-2017-11505,CVE-2017-11525,CVE-2017-11526,CVE-2017-11539,CVE-2017-11639,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12671,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14649,CVE-2017-15218,CVE-2017-17504,CVE-2017-17879,CVE-2017-17884,CVE-2017-17914,CVE-2017-18027,CVE-2017-18029,CVE-2017-9261,CVE-2017-9262,CVE-2018-5685
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.29.2
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.29.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.29.2
Comment 23 Swamp Workflow Management 2018-02-08 11:15:38 UTC
openSUSE-SU-2018:0396-1: An update that fixes 34 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1050037,1050072,1050098,1050100,1050635,1051442,1052470,1052708,1052717,1052721,1052768,1052777,1052781,1054600,1055068,1055374,1055455,1055456,1057000,1060162,1062752,1072362,1072901,1074120,1074125,1074185,1074309,1075939,1076021,1076051
CVE References: CVE-2017-10995,CVE-2017-11505,CVE-2017-11525,CVE-2017-11526,CVE-2017-11539,CVE-2017-11639,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12671,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13059,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14649,CVE-2017-15218,CVE-2017-17504,CVE-2017-17681,CVE-2017-17879,CVE-2017-17884,CVE-2017-17914,CVE-2017-18008,CVE-2017-18027,CVE-2017-18029,CVE-2017-9261,CVE-2017-9262,CVE-2018-5246,CVE-2018-5685
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-52.1
Comment 24 Marcus Meissner 2018-02-09 15:48:32 UTC
released
Comment 25 Swamp Workflow Management 2018-02-09 20:11:30 UTC
SUSE-SU-2018:0413-1: An update that fixes 34 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1047910,1050037,1050072,1050100,1051442,1052470,1052708,1052717,1052768,1052777,1052781,1054600,1055038,1055374,1055455,1055456,1057000,1060162,1062752,1067198,1073690,1074023,1074120,1074125,1074175,1075939
CVE References: CVE-2014-9811,CVE-2017-10995,CVE-2017-11102,CVE-2017-11505,CVE-2017-11526,CVE-2017-11539,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13065,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14174,CVE-2017-14649,CVE-2017-15218,CVE-2017-15238,CVE-2017-16669,CVE-2017-17501,CVE-2017-17504,CVE-2017-17782,CVE-2017-17879,CVE-2017-17884,CVE-2017-17915,CVE-2017-8352,CVE-2017-9261,CVE-2017-9262,CVE-2018-5685
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.78.33.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.33.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.33.1