Bug 1057723 - (CVE-2017-14174) VUL-1: CVE-2017-14174: ImageMagick: Missing end of file check in ReadPSDLayersInternal() could lead to denial of service
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Importance: P4 - Low, Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/191540/
CVSSv3:RedHat:CVE-2017-14174:3.3:(AV:...
Reported: 2017-09-08 06:31 UTC by Victor Pereira
Modified: 2018-02-12 08:34 UTC (History)

Found By: Security Response Team
Description Victor Pereira 2017-09-08 06:31:10 UTC
CVE-2017-14174

In coders/psd.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSDLayersInternal() due
to lack of an EOF (End of File) check might cause huge CPU consumption. When a
crafted PSD file, which claims a large "length" field in the header but does not
contain sufficient backing data, is provided, the loop over "length" would
consume huge CPU resources, since there is no EOF check inside the loop.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14174
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14174.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14174
https://github.com/ImageMagick/ImageMagick/commit/04a567494786d5bb50894fc8bb8fea0cf496bea8
https://github.com/ImageMagick/ImageMagick/commit/f68a98a9d385838a1c73ec960a14102949940a64
https://github.com/ImageMagick/ImageMagick/issues/714
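As an added illustration (constructed model code, not ImageMagick's psd.c and not the referenced patch): a loop driven by a header-supplied length, first without and then with the EOF check the description says was missing; the Blob type, read_byte and the 8-byte sample are assumptions. The upstream fix linked above takes a different route, skipping the section with DiscardBlobBytes, but the failure mode is the same one modelled here.

```c
/* Constructed model of the bug pattern, not ImageMagick's psd.c:
 * a loop driven by a header "length" with and without an EOF check. */
#include <stdint.h>
#include <stdio.h>

typedef struct { const unsigned char *data; size_t len; size_t offset; } Blob;

/* Next byte of the blob, or EOF once the backing data is exhausted. */
static int read_byte(Blob *b) {
    return (b->offset < b->len) ? b->data[b->offset++] : EOF;
}

/* Vulnerable pattern: trusts the claimed length and loops that many times.
 * After the data runs out every iteration just yields EOF, so a file that
 * claims ~4 GiB while holding a few bytes burns CPU doing nothing. */
static uint64_t skip_unchecked(Blob *b, uint64_t length) {
    uint64_t i;
    for (i = 0; i < length; i++)
        (void)read_byte(b);
    return i;   /* iterations performed: always equals length */
}

/* Hardened pattern: stop at EOF and report failure, so a truncated or
 * lying file is rejected as soon as the data ends. */
static int skip_checked(Blob *b, uint64_t length, uint64_t *consumed) {
    for (*consumed = 0; *consumed < length; (*consumed)++)
        if (read_byte(b) == EOF)
            return 0;   /* unexpected end-of-file */
    return 1;
}

/* Constructed 8-byte "file" whose header claims far more section data. */
static const unsigned char kSample[8] = {0, 1, 2, 3, 4, 5, 6, 7};

uint64_t run_unchecked(uint64_t claimed) {
    Blob b = {kSample, sizeof kSample, 0};
    return skip_unchecked(&b, claimed);
}

int run_checked(uint64_t claimed, uint64_t *consumed) {
    Blob b = {kSample, sizeof kSample, 0};
    return skip_checked(&b, claimed, consumed);
}

int main(void) {
    uint64_t done = 0;
    int ok = run_checked(1 << 20, &done);
    printf("unchecked: %llu iterations\n", (unsigned long long)run_unchecked(1 << 20));
    printf("checked: ok=%d after %llu bytes\n", ok, (unsigned long long)done);
    return 0;
}
```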
Comment 1 Marcus Meissner 2017-09-29 09:26:46 UTC
large but not endless CPU using loop.
Comment 2 Petr Gajdos 2017-12-12 12:10:44 UTC
42.2/GraphicsMagick and above does not have PSD decoder enabled.
Comment 3 Petr Gajdos 2017-12-13 10:08:33 UTC
BEFORE

valgrind does not see any memory issue.

12/ImageMagick

$ convert x_psd_poc.psd test.jpg
convert: insufficient image data in file `x_psd_poc.psd' @ error/psd.c/ReadPSDLayers/1406 `x_psd_poc.psd' @ error/psd.c/ReadPSDImage/1817.
convert: no images defined `test.jpg' @ error/convert.c/ConvertImageCommand/3149.
$

11/ImageMagick

$ valgrind -q convert x_psd_poc.psd test.jpg
convert: Improper image header `x_psd_poc.psd'.
convert: missing an image filename `test.jpg'.
$

11/GraphicsMagick

$ valgrind -q gm convert x_psd_poc.psd test.jpg
gm convert: Improper image header (x_psd_poc.psd).
$

The only thing is that for 12/ImageMagick, the command runs for several seconds, and a LONG time under valgrind.

PATCH

see comment 0
https://github.com/ImageMagick/ImageMagick/commit/04a567494786d5bb50894fc8bb8fea0cf496bea8
is essential, using DiscardBlobBytes. I checked, and 12/ImageMagick's DiscardBlobBytes seems to be as good as the head one. 11/*Magick does not have DiscardBlobBytes.

AFTER

12/ImageMagick

$ valgrind -q convert x_psd_poc.psd test.jpg
convert: unexpected end-of-file `x_psd_poc.psd' @ error/psd.c/ReadPSDLayers/1389 `x_psd_poc.psd' @ error/psd.c/ReadPSDImage/1811.
convert: no images defined `test.jpg' @ error/convert.c/ConvertImageCommand/3149.
$
[exits almost immediately]

11/ImageMagick

$ valgrind -q convert x_psd_poc.psd test.jpg           
convert: Improper image header `x_psd_poc.psd'.
convert: missing an image filename `test.jpg'.
$
[result the same, but as confirmed with gdb, program control does not reach patched code for this testcase]

11/GraphicsMagick

$ valgrind -q gm convert x_psd_poc.psd test.jpg          
gm convert: Improper image header (x_psd_poc.psd).
$
[result the same, but as confirmed with gdb, program control does not reach patched code for this testcase]
Comment 4 Petr Gajdos 2017-12-14 10:54:09 UTC
I believe all fixed.
Comment 6 Swamp Workflow Management 2018-01-04 14:10:50 UTC
SUSE-SU-2018:0017-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1052460,1055053,1055063,1056550,1057723,1058422,1063049,1063050
CVE References: CVE-2017-12563,CVE-2017-12691,CVE-2017-13061,CVE-2017-13062,CVE-2017-14042,CVE-2017-14174,CVE-2017-14343,CVE-2017-15277,CVE-2017-15281
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.20.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.20.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.20.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.20.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.20.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.20.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.20.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.20.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.20.1
Comment 7 Swamp Workflow Management 2018-01-05 17:08:52 UTC
openSUSE-SU-2018:0025-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1052460,1055053,1055063,1056550,1057723,1058422,1063049,1063050
CVE References: CVE-2017-12563,CVE-2017-12691,CVE-2017-13061,CVE-2017-13062,CVE-2017-14042,CVE-2017-14174,CVE-2017-14343,CVE-2017-15277,CVE-2017-15281
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-43.1
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-30.15.1
Comment 8 Swamp Workflow Management 2018-01-09 11:14:31 UTC
SUSE-SU-2018:0043-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1052460,1055053,1055063,1056550,1057723,1058422,1063049,1063050
CVE References: CVE-2017-12563,CVE-2017-12691,CVE-2017-13061,CVE-2017-13062,CVE-2017-14042,CVE-2017-14174,CVE-2017-14343,CVE-2017-15277,CVE-2017-15281
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.17.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.17.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.17.1
Comment 9 Swamp Workflow Management 2018-01-24 20:13:44 UTC
SUSE-SU-2018:0197-1: An update that fixes 23 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047044,1047054,1048457,1049373,1050129,1051412,1051847,1052252,1052460,1052758,1052764,1052771,1055063,1056550,1057723,1058082,1058422,1060577,1061587,1063050,1067177,1074969,1074975
CVE References: CVE-2017-10799,CVE-2017-10800,CVE-2017-11188,CVE-2017-11449,CVE-2017-11532,CVE-2017-12140,CVE-2017-12430,CVE-2017-12563,CVE-2017-12642,CVE-2017-12644,CVE-2017-12662,CVE-2017-12691,CVE-2017-13061,CVE-2017-14042,CVE-2017-14174,CVE-2017-14249,CVE-2017-14343,CVE-2017-14733,CVE-2017-14994,CVE-2017-15277,CVE-2017-16547,CVE-2017-18022,CVE-2018-5247
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.78.28.2
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.28.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.28.2
Comment 10 Marcus Meissner 2018-02-12 08:34:25 UTC
released