Bug 1059778 - (CVE-2017-14607) VUL-0: CVE-2017-14607: ImageMagick: In ImageMagick 7.0.7-4 Q16, an out of bounds read flaw related to ReadTIFFImage has been reported in coders/tiff.c. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/192249/
Reported: 2017-09-21 13:48 UTC by Victor Pereira
Modified: 2017-12-22 23:40 UTC (History)

Found By: Security Response Team


Description Victor Pereira 2017-09-21 13:48:22 UTC
CVE-2017-14607

In ImageMagick 7.0.7-4 Q16, an out of bounds read flaw related to ReadTIFFImage
has been reported in coders/tiff.c. An attacker could possibly exploit this flaw
to disclose potentially sensitive memory or cause an application crash.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14607
https://github.com/ImageMagick/ImageMagick/issues/765
Comment 3 Petr Gajdos 2017-11-28 10:45:19 UTC
BEFORE

12/ImageMagick:

valgrind convert crash-ImageMagic-ReadTIFFImage-heap-overflow /dev/null
==20821== Memcheck, a memory error detector
==20821== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==20821== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==20821== Command: convert crash-ImageMagic-ReadTIFFImage-heap-overflow /dev/null
==20821== 
==20821== Conditional jump or move depends on uninitialised value(s)
==20821==    at 0x4FA7803: PerceptibleReciprocal (pixel-private.h:87)
==20821==    by 0x4FA7803: ImportQuantumPixels (quantum-import.c:3562)
==20821==    by 0x84208FB: ReadTIFFImage (tiff.c:1558)
==20821==    by 0x4EBFE05: ReadImage (constitute.c:601)
==20821==    by 0x4EC037A: ReadImages (constitute.c:907)
==20821==    by 0x5319BAE: ConvertImageCommand (convert.c:617)
==20821==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==20821==    by 0x400906: ConvertMain (convert.c:81)
==20821==    by 0x400906: main (convert.c:92)
==20821== 
==20821== Conditional jump or move depends on uninitialised value(s)
==20821==    at 0x4FA7732: ClampToQuantum (quantum.h:92)
==20821==    by 0x4FA7732: ImportQuantumPixels (quantum-import.c:3563)
==20821==    by 0x84208FB: ReadTIFFImage (tiff.c:1558)
==20821==    by 0x4EBFE05: ReadImage (constitute.c:601)
==20821==    by 0x4EC037A: ReadImages (constitute.c:907)
==20821==    by 0x5319BAE: ConvertImageCommand (convert.c:617)
==20821==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==20821==    by 0x400906: ConvertMain (convert.c:81)
==20821==    by 0x400906: main (convert.c:92)
==20821== 
==20821== Conditional jump or move depends on uninitialised value(s)
==20821==    at 0x4FA7740: ClampToQuantum (quantum.h:94)
==20821==    by 0x4FA7740: ImportQuantumPixels (quantum-import.c:3563)
==20821==    by 0x84208FB: ReadTIFFImage (tiff.c:1558)
==20821==    by 0x4EBFE05: ReadImage (constitute.c:601)
==20821==    by 0x4EC037A: ReadImages (constitute.c:907)
==20821==    by 0x5319BAE: ConvertImageCommand (convert.c:617)
==20821==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==20821==    by 0x400906: ConvertMain (convert.c:81)
==20821==    by 0x400906: main (convert.c:92)
==20821== 
==20821== Conditional jump or move depends on uninitialised value(s)
==20821==    at 0x4FA7760: ClampToQuantum (quantum.h:92)
==20821==    by 0x4FA7760: ImportQuantumPixels (quantum-import.c:3565)
==20821==    by 0x84208FB: ReadTIFFImage (tiff.c:1558)
==20821==    by 0x4EBFE05: ReadImage (constitute.c:601)
==20821==    by 0x4EC037A: ReadImages (constitute.c:907)
==20821==    by 0x5319BAE: ConvertImageCommand (convert.c:617)
==20821==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==20821==    by 0x400906: ConvertMain (convert.c:81)
==20821==    by 0x400906: main (convert.c:92)
==20821== 
==20821== Conditional jump or move depends on uninitialised value(s)
==20821==    at 0x4FA778D: ClampToQuantum (quantum.h:92)
==20821==    by 0x4FA778D: ImportQuantumPixels (quantum-import.c:3567)
==20821==    by 0x84208FB: ReadTIFFImage (tiff.c:1558)
==20821==    by 0x4EBFE05: ReadImage (constitute.c:601)
==20821==    by 0x4EC037A: ReadImages (constitute.c:907)
==20821==    by 0x5319BAE: ConvertImageCommand (convert.c:617)
==20821==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==20821==    by 0x400906: ConvertMain (convert.c:81)
==20821==    by 0x400906: main (convert.c:92)
==20821== 
==20821== Syscall param write(buf) points to uninitialised byte(s)
==20821==    at 0x58E9CB0: __write_nocancel (in /lib64/libc-2.19.so)
==20821==    by 0x5884992: _IO_file_write@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==20821==    by 0x5884052: new_do_write (in /lib64/libc-2.19.so)
==20821==    by 0x58857C4: _IO_do_write@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==20821==    by 0x588641E: _IO_switch_to_get_mode (in /lib64/libc-2.19.so)
==20821==    by 0x588416D: _IO_file_seekoff@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==20821==    by 0x5882DA6: fseeko (in /lib64/libc-2.19.so)
==20821==    by 0x4E8CCB6: SeekBlob (blob.c:3604)
==20821==    by 0x863FFF7: TIFFLinkDirectory (tif_dirwrite.c:2460)
==20821==    by 0x863FFF7: TIFFWriteDirectorySec.part.8 (tif_dirwrite.c:792)
==20821==    by 0x841D134: WriteTIFFImage (tiff.c:3583)
==20821==    by 0x4EC0C2B: WriteImage (constitute.c:1237)
==20821==    by 0x4EC1141: WriteImages (constitute.c:1394)
==20821==  Address 0x4029000 is not stack'd, malloc'd or (recently) free'd
==20821== 
TIFFWriteDirectoryTagData: IO error writing tag data.
convert: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/883.
convert: Incorrect count for "ColorMap"; tag ignored. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/883.
convert: Not enough data for scanline 4, expected a request for at most 24 bytes, got a request for 32 bytes. `DumpModeDecode' @ error/tiff.c/TIFFErrors/584.
convert: Invalid strip byte count 0, strip 1. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/584.
convert: Invalid strip byte count 0, strip 2. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/584.
convert: Invalid strip byte count 0, strip 3. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/584.
==20821== 
==20821== HEAP SUMMARY:
==20821==     in use at exit: 328 bytes in 9 blocks
==20821==   total heap usage: 4,699 allocs, 4,690 frees, 652,709 bytes allocated
==20821== 
==20821== LEAK SUMMARY:
==20821==    definitely lost: 0 bytes in 0 blocks
==20821==    indirectly lost: 0 bytes in 0 blocks
==20821==      possibly lost: 0 bytes in 0 blocks
==20821==    still reachable: 328 bytes in 9 blocks
==20821==         suppressed: 0 bytes in 0 blocks
==20821== Rerun with --leak-check=full to see details of leaked memory
==20821== 
==20821== For counts of detected and suppressed errors, rerun with: -v
==20821== Use --track-origins=yes to see where uninitialised values come from
==20821== ERROR SUMMARY: 636 errors from 6 contexts (suppressed: 0 from 0)

11/ImageMagick:

valgrind convert crash-ImageMagic-ReadTIFFImage-heap-overflow /dev/null
==20841== Memcheck, a memory error detector.
==20841== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==20841== Using LibVEX rev 1854, a library for dynamic binary translation.
==20841== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==20841== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==20841== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==20841== For more details, rerun with: -v
==20841== 
convert: crash-ImageMagic-ReadTIFFImage-heap-overflow: invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectory'.
convert: incorrect count for field "StripOffsets" (1, expecting 4); tag ignored. `crash-ImageMagic-ReadTIFFImage-heap-overflow'.
convert: incorrect count for field "StripByteCounts" (1, expecting 4); tag ignored. `crash-ImageMagic-ReadTIFFImage-heap-overflow'.
convert: incorrect count for field "ColorMap" (12, expecting 768); tag ignored. `crash-ImageMagic-ReadTIFFImage-heap-overflow'.
convert: 0: Invalid strip byte count, strip 1. `crash-ImageMagic-ReadTIFFImage-heap-overflow'.
convert: DumpModeDecode: Not enough data for scanline 4. `crash-ImageMagic-ReadTIFFImage-heap-overflow'.
convert: DumpModeDecode: Not enough data for scanline 5. `crash-ImageMagic-ReadTIFFImage-heap-overflow'.
convert: DumpModeDecode: Not enough data for scanline 6. `crash-ImageMagic-ReadTIFFImage-heap-overflow'.
convert: DumpModeDecode: Not enough data for scanline 7. `crash-ImageMagic-ReadTIFFImage-heap-overflow'.
convert: DumpModeDecode: Not enough data for scanline 8. `crash-ImageMagic-ReadTIFFImage-heap-overflow'.
==20841== 
==20841== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 6 from 2)
==20841== malloc/free: in use at exit: 32 bytes in 1 blocks.
==20841== malloc/free: 17,316 allocs, 17,315 frees, 154,930,056 bytes allocated.
==20841== For counts of detected errors, rerun with: -v
==20841== searching for pointers to 1 not-freed blocks.
==20841== checked 690,272 bytes.
==20841== 
==20841== LEAK SUMMARY:
==20841==    definitely lost: 0 bytes in 0 blocks.
==20841==      possibly lost: 0 bytes in 0 blocks.
==20841==    still reachable: 32 bytes in 1 blocks.
==20841==         suppressed: 0 bytes in 0 blocks.
==20841== Rerun with --leak-check=full to see details of leaked memory.

11/GraphicsMagick:

valgrind gm convert crash-ImageMagic-ReadTIFFImage-heap-overflow /dev/null
==20862== Memcheck, a memory error detector.
==20862== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==20862== Using LibVEX rev 1854, a library for dynamic binary translation.
==20862== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==20862== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==20862== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==20862== For more details, rerun with: -v
==20862== 
gm convert: DumpModeDecode: Not enough data for scanline 0. (crash-ImageMagic-ReadTIFFImage-heap-overflow).
==20862== 
==20862== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 15 from 3)
==20862== malloc/free: in use at exit: 32 bytes in 1 blocks.
==20862== malloc/free: 1,454 allocs, 1,453 frees, 369,531 bytes allocated.
==20862== For counts of detected errors, rerun with: -v
==20862== searching for pointers to 1 not-freed blocks.
==20862== checked 436,472 bytes.
==20862== 
==20862== LEAK SUMMARY:
==20862==    definitely lost: 0 bytes in 0 blocks.
==20862==      possibly lost: 0 bytes in 0 blocks.
==20862==    still reachable: 32 bytes in 1 blocks.
==20862==         suppressed: 0 bytes in 0 blocks.
==20862== Rerun with --leak-check=full to see details of leaked memory.

42.3/GraphicsMagick:

$ valgrind gm convert crash-ImageMagic-ReadTIFFImage-heap-overflow /dev/null
==20922== Memcheck, a memory error detector
==20922== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==20922== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==20922== Command: gm convert crash-ImageMagic-ReadTIFFImage-heap-overflow /dev/null
==20922== 
==20922== Syscall param write(buf) points to uninitialised byte(s)
==20922==    at 0x55002D0: __write_nocancel (in /lib64/libc-2.22.so)
==20922==    by 0x549683F: _IO_file_write@@GLIBC_2.2.5 (in /lib64/libc-2.22.so)
==20922==    by 0x5495E62: new_do_write (in /lib64/libc-2.22.so)
==20922==    by 0x54976A4: _IO_do_write@@GLIBC_2.2.5 (in /lib64/libc-2.22.so)
==20922==    by 0x549837E: _IO_switch_to_get_mode (in /lib64/libc-2.22.so)
==20922==    by 0x5495F69: _IO_file_seekoff@@GLIBC_2.2.5 (in /lib64/libc-2.22.so)
==20922==    by 0x5494844: fseeko (in /lib64/libc-2.22.so)
==20922==    by 0x4E7DE38: SeekBlob (blob.c:4230)
==20922==    by 0x7BF6017: ??? (in /usr/lib64/libtiff.so.5.2.6)
==20922==    by 0x79D393B: WriteTIFFImage (tiff.c:5551)
==20922==    by 0x4EC2020: WriteImage (constitute.c:2228)
==20922==    by 0x4EC264A: WriteImages (constitute.c:2371)
==20922==  Address 0x4029488 is in a rw- anonymous segment
==20922== 
==20922== 
==20922== HEAP SUMMARY:
==20922==     in use at exit: 544 bytes in 11 blocks
==20922==   total heap usage: 405 allocs, 394 frees, 164,674 bytes allocated
==20922== 
==20922== LEAK SUMMARY:
==20922==    definitely lost: 0 bytes in 0 blocks
==20922==    indirectly lost: 0 bytes in 0 blocks
==20922==      possibly lost: 0 bytes in 0 blocks
==20922==    still reachable: 544 bytes in 11 blocks
==20922==         suppressed: 0 bytes in 0 blocks
==20922== Rerun with --leak-check=full to see details of leaked memory
==20922== 
==20922== For counts of detected and suppressed errors, rerun with: -v
==20922== Use --track-origins=yes to see where uninitialised values come from
==20922== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

devel/GraphicsMagick:

$ valgrind gm convert crash-ImageMagic-ReadTIFFImage-heap-overflow /dev/null
==21072== Memcheck, a memory error detector
==21072== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==21072== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==21072== Command: gm convert crash-ImageMagic-ReadTIFFImage-heap-overflow /dev/null
==21072== 
==21072== Conditional jump or move depends on uninitialised value(s)
==21072==    at 0x7AD1F20: DisassociateAlphaRegion (tiff.c:1584)
==21072==    by 0x7AD5190: ReadTIFFImage (tiff.c:2598)
==21072==    by 0x4EE393D: ReadImage (constitute.c:1607)
==21072==    by 0x4EAA51C: ConvertImageCommand (command.c:4348)
==21072==    by 0x4EB89AE: MagickCommand (command.c:8872)
==21072==    by 0x4ED2695: GMCommandSingle (command.c:17393)
==21072==    by 0x4ED27C9: GMCommand (command.c:17446)
==21072==    by 0x108799: main (gm.c:61)
==21072== 
==21072== Conditional jump or move depends on uninitialised value(s)
==21072==    at 0x7AD1F74: DisassociateAlphaRegion (tiff.c:1588)
==21072==    by 0x7AD5190: ReadTIFFImage (tiff.c:2598)
==21072==    by 0x4EE393D: ReadImage (constitute.c:1607)
==21072==    by 0x4EAA51C: ConvertImageCommand (command.c:4348)
==21072==    by 0x4EB89AE: MagickCommand (command.c:8872)
==21072==    by 0x4ED2695: GMCommandSingle (command.c:17393)
==21072==    by 0x4ED27C9: GMCommand (command.c:17446)
==21072==    by 0x108799: main (gm.c:61)
==21072== 
==21072== Conditional jump or move depends on uninitialised value(s)
==21072==    at 0x7AD1F89: DisassociateAlphaRegion (tiff.c:1588)
==21072==    by 0x7AD5190: ReadTIFFImage (tiff.c:2598)
==21072==    by 0x4EE393D: ReadImage (constitute.c:1607)
==21072==    by 0x4EAA51C: ConvertImageCommand (command.c:4348)
==21072==    by 0x4EB89AE: MagickCommand (command.c:8872)
==21072==    by 0x4ED2695: GMCommandSingle (command.c:17393)
==21072==    by 0x4ED27C9: GMCommand (command.c:17446)
==21072==    by 0x108799: main (gm.c:61)
==21072== 
==21072== Conditional jump or move depends on uninitialised value(s)
==21072==    at 0x7AD1FCD: DisassociateAlphaRegion (tiff.c:1590)
==21072==    by 0x7AD5190: ReadTIFFImage (tiff.c:2598)
==21072==    by 0x4EE393D: ReadImage (constitute.c:1607)
==21072==    by 0x4EAA51C: ConvertImageCommand (command.c:4348)
==21072==    by 0x4EB89AE: MagickCommand (command.c:8872)
==21072==    by 0x4ED2695: GMCommandSingle (command.c:17393)
==21072==    by 0x4ED27C9: GMCommand (command.c:17446)
==21072==    by 0x108799: main (gm.c:61)
==21072== 
==21072== Conditional jump or move depends on uninitialised value(s)
==21072==    at 0x7AD1FE2: DisassociateAlphaRegion (tiff.c:1590)
==21072==    by 0x7AD5190: ReadTIFFImage (tiff.c:2598)
==21072==    by 0x4EE393D: ReadImage (constitute.c:1607)
==21072==    by 0x4EAA51C: ConvertImageCommand (command.c:4348)
==21072==    by 0x4EB89AE: MagickCommand (command.c:8872)
==21072==    by 0x4ED2695: GMCommandSingle (command.c:17393)
==21072==    by 0x4ED27C9: GMCommand (command.c:17446)
==21072==    by 0x108799: main (gm.c:61)
==21072== 
==21072== Conditional jump or move depends on uninitialised value(s)
==21072==    at 0x7AD2021: DisassociateAlphaRegion (tiff.c:1592)
==21072==    by 0x7AD5190: ReadTIFFImage (tiff.c:2598)
==21072==    by 0x4EE393D: ReadImage (constitute.c:1607)
==21072==    by 0x4EAA51C: ConvertImageCommand (command.c:4348)
==21072==    by 0x4EB89AE: MagickCommand (command.c:8872)
==21072==    by 0x4ED2695: GMCommandSingle (command.c:17393)
==21072==    by 0x4ED27C9: GMCommand (command.c:17446)
==21072==    by 0x108799: main (gm.c:61)
==21072== 
==21072== Conditional jump or move depends on uninitialised value(s)
==21072==    at 0x7AD2036: DisassociateAlphaRegion (tiff.c:1592)
==21072==    by 0x7AD5190: ReadTIFFImage (tiff.c:2598)
==21072==    by 0x4EE393D: ReadImage (constitute.c:1607)
==21072==    by 0x4EAA51C: ConvertImageCommand (command.c:4348)
==21072==    by 0x4EB89AE: MagickCommand (command.c:8872)
==21072==    by 0x4ED2695: GMCommandSingle (command.c:17393)
==21072==    by 0x4ED27C9: GMCommand (command.c:17446)
==21072==    by 0x108799: main (gm.c:61)
==21072== 
gm convert: Improper image header (crash-ImageMagic-ReadTIFFImage-heap-overflow).
==21072== 
==21072== HEAP SUMMARY:
==21072==     in use at exit: 544 bytes in 11 blocks
==21072==   total heap usage: 387 allocs, 376 frees, 141,383 bytes allocated
==21072== 
==21072== LEAK SUMMARY:
==21072==    definitely lost: 0 bytes in 0 blocks
==21072==    indirectly lost: 0 bytes in 0 blocks
==21072==      possibly lost: 0 bytes in 0 blocks
==21072==    still reachable: 544 bytes in 11 blocks
==21072==         suppressed: 0 bytes in 0 blocks
==21072== Rerun with --leak-check=full to see details of leaked memory
==21072== 
==21072== For counts of detected and suppressed errors, rerun with: -v
==21072== Use --track-origins=yes to see where uninitialised values come from
==21072== ERROR SUMMARY: 2016 errors from 7 contexts (suppressed: 0 from 0)

PATCH

https://github.com/ImageMagick/ImageMagick/commit/cd665c3d05b46d1579c738a72214175ff50aec74

GraphicsMagick: code looks different

AFTER

12/ImageMagick:

==4105== Memcheck, a memory error detector
==4105== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==4105== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==4105== Command: convert crash-ImageMagic-ReadTIFFImage-heap-overflow /dev/null
==4105== 
==4105== Conditional jump or move depends on uninitialised value(s)
==4105==    at 0x4FA7803: PerceptibleReciprocal (pixel-private.h:87)
==4105==    by 0x4FA7803: ImportQuantumPixels (quantum-import.c:3562)
==4105==    by 0x842090B: ReadTIFFImage (tiff.c:1558)
==4105==    by 0x4EBFE05: ReadImage (constitute.c:601)
==4105==    by 0x4EC037A: ReadImages (constitute.c:907)
==4105==    by 0x5319BAE: ConvertImageCommand (convert.c:617)
==4105==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==4105==    by 0x400906: ConvertMain (convert.c:81)
==4105==    by 0x400906: main (convert.c:92)
==4105== 
==4105== Conditional jump or move depends on uninitialised value(s)
==4105==    at 0x4FA7732: ClampToQuantum (quantum.h:92)
==4105==    by 0x4FA7732: ImportQuantumPixels (quantum-import.c:3563)
==4105==    by 0x842090B: ReadTIFFImage (tiff.c:1558)
==4105==    by 0x4EBFE05: ReadImage (constitute.c:601)
==4105==    by 0x4EC037A: ReadImages (constitute.c:907)
==4105==    by 0x5319BAE: ConvertImageCommand (convert.c:617)
==4105==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==4105==    by 0x400906: ConvertMain (convert.c:81)
==4105==    by 0x400906: main (convert.c:92)
==4105== 
==4105== Conditional jump or move depends on uninitialised value(s)
==4105==    at 0x4FA7740: ClampToQuantum (quantum.h:94)
==4105==    by 0x4FA7740: ImportQuantumPixels (quantum-import.c:3563)
==4105==    by 0x842090B: ReadTIFFImage (tiff.c:1558)
==4105==    by 0x4EBFE05: ReadImage (constitute.c:601)
==4105==    by 0x4EC037A: ReadImages (constitute.c:907)
==4105==    by 0x5319BAE: ConvertImageCommand (convert.c:617)
==4105==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==4105==    by 0x400906: ConvertMain (convert.c:81)
==4105==    by 0x400906: main (convert.c:92)
==4105== 
==4105== Conditional jump or move depends on uninitialised value(s)
==4105==    at 0x4FA7760: ClampToQuantum (quantum.h:92)
==4105==    by 0x4FA7760: ImportQuantumPixels (quantum-import.c:3565)
==4105==    by 0x842090B: ReadTIFFImage (tiff.c:1558)
==4105==    by 0x4EBFE05: ReadImage (constitute.c:601)
==4105==    by 0x4EC037A: ReadImages (constitute.c:907)
==4105==    by 0x5319BAE: ConvertImageCommand (convert.c:617)
==4105==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==4105==    by 0x400906: ConvertMain (convert.c:81)
==4105==    by 0x400906: main (convert.c:92)
==4105== 
==4105== Conditional jump or move depends on uninitialised value(s)
==4105==    at 0x4FA778D: ClampToQuantum (quantum.h:92)
==4105==    by 0x4FA778D: ImportQuantumPixels (quantum-import.c:3567)
==4105==    by 0x842090B: ReadTIFFImage (tiff.c:1558)
==4105==    by 0x4EBFE05: ReadImage (constitute.c:601)
==4105==    by 0x4EC037A: ReadImages (constitute.c:907)
==4105==    by 0x5319BAE: ConvertImageCommand (convert.c:617)
==4105==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==4105==    by 0x400906: ConvertMain (convert.c:81)
==4105==    by 0x400906: main (convert.c:92)
==4105== 
==4105== Syscall param write(buf) points to uninitialised byte(s)
==4105==    at 0x58E9CB0: __write_nocancel (in /lib64/libc-2.19.so)
==4105==    by 0x5884992: _IO_file_write@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==4105==    by 0x5884052: new_do_write (in /lib64/libc-2.19.so)
==4105==    by 0x58857C4: _IO_do_write@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==4105==    by 0x588641E: _IO_switch_to_get_mode (in /lib64/libc-2.19.so)
==4105==    by 0x588416D: _IO_file_seekoff@@GLIBC_2.2.5 (in /lib64/libc-2.19.so)
==4105==    by 0x5882DA6: fseeko (in /lib64/libc-2.19.so)
==4105==    by 0x4E8CCB6: SeekBlob (blob.c:3604)
==4105==    by 0x863FFF7: ??? (in /usr/lib64/libtiff.so.5.2.6)
==4105==    by 0x841D134: WriteTIFFImage (tiff.c:3583)
==4105==    by 0x4EC0C2B: WriteImage (constitute.c:1237)
==4105==    by 0x4EC1141: WriteImages (constitute.c:1394)
==4105==  Address 0x4029000 is not stack'd, malloc'd or (recently) free'd
==4105== 
TIFFWriteDirectoryTagData: IO error writing tag data.
convert: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/883.
convert: Incorrect count for "ColorMap"; tag ignored. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/883.
convert: Not enough data for scanline 4, expected a request for at most 24 bytes, got a request for 32 bytes. `DumpModeDecode' @ error/tiff.c/TIFFErrors/584.
convert: Invalid strip byte count 0, strip 1. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/584.
convert: Invalid strip byte count 0, strip 2. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/584.
convert: Invalid strip byte count 0, strip 3. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/584.
==4105== 
==4105== HEAP SUMMARY:
==4105==     in use at exit: 328 bytes in 9 blocks
==4105==   total heap usage: 4,699 allocs, 4,690 frees, 655,781 bytes allocated
==4105== 
==4105== LEAK SUMMARY:
==4105==    definitely lost: 0 bytes in 0 blocks
==4105==    indirectly lost: 0 bytes in 0 blocks
==4105==      possibly lost: 0 bytes in 0 blocks
==4105==    still reachable: 328 bytes in 9 blocks
==4105==         suppressed: 0 bytes in 0 blocks
==4105== Rerun with --leak-check=full to see details of leaked memory
==4105== 
==4105== For counts of detected and suppressed errors, rerun with: -v
==4105== Use --track-origins=yes to see where uninitialised values come from
==4105== ERROR SUMMARY: 636 errors from 6 contexts (suppressed: 0 from 0)

11/ImageMagick:

==3836== Memcheck, a memory error detector.
==3836== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==3836== Using LibVEX rev 1854, a library for dynamic binary translation.
==3836== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==3836== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==3836== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==3836== For more details, rerun with: -v
==3836== 
convert: crash-ImageMagic-ReadTIFFImage-heap-overflow: invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectory'.
convert: incorrect count for field "StripOffsets" (1, expecting 4); tag ignored. `crash-ImageMagic-ReadTIFFImage-heap-overflow'.
convert: incorrect count for field "StripByteCounts" (1, expecting 4); tag ignored. `crash-ImageMagic-ReadTIFFImage-heap-overflow'.
convert: incorrect count for field "ColorMap" (12, expecting 768); tag ignored. `crash-ImageMagic-ReadTIFFImage-heap-overflow'.
convert: 0: Invalid strip byte count, strip 1. `crash-ImageMagic-ReadTIFFImage-heap-overflow'.
convert: DumpModeDecode: Not enough data for scanline 4. `crash-ImageMagic-ReadTIFFImage-heap-overflow'.
convert: DumpModeDecode: Not enough data for scanline 5. `crash-ImageMagic-ReadTIFFImage-heap-overflow'.
convert: DumpModeDecode: Not enough data for scanline 6. `crash-ImageMagic-ReadTIFFImage-heap-overflow'.
convert: DumpModeDecode: Not enough data for scanline 7. `crash-ImageMagic-ReadTIFFImage-heap-overflow'.
convert: DumpModeDecode: Not enough data for scanline 8. `crash-ImageMagic-ReadTIFFImage-heap-overflow'.
==3836== 
==3836== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 6 from 2)
==3836== malloc/free: in use at exit: 32 bytes in 1 blocks.
==3836== malloc/free: 17,316 allocs, 17,315 frees, 154,933,128 bytes allocated.
==3836== For counts of detected errors, rerun with: -v
==3836== searching for pointers to 1 not-freed blocks.
==3836== checked 690,272 bytes.
==3836== 
==3836== LEAK SUMMARY:
==3836==    definitely lost: 0 bytes in 0 blocks.
==3836==      possibly lost: 0 bytes in 0 blocks.
==3836==    still reachable: 32 bytes in 1 blocks.
==3836==         suppressed: 0 bytes in 0 blocks.
==3836== Rerun with --leak-check=full to see details of leaked memory.
Comment 4 Petr Gajdos 2017-11-28 10:52:31 UTC
Summary: 
I looked into it a bit because of comment 2. For 11/ImageMagick and 12/ImageMagick, the code seems to be there (now), so considering affected and will submit. However, the test case does not give proof that the issue is present BEFORE and fixed AFTER.

I do not see the same code in GraphicsMagick. There are valgrind errors, but given the above, it seems to be another issue than CVE-2017-14607.
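The point made in comment 4, that a reproducer only proves a fix when a Memcheck error context present BEFORE is absent AFTER, can be checked mechanically rather than by eye. The following is an added example, not code from this bug report or from ImageMagick: it parses Memcheck output shaped like the runs in comment 3 into error records keyed by kind and innermost frames (so differing load addresses do not matter) and diffs two runs; the sample logs and every PID, address and tiff.c line number in them are constructed.

```python
import re

# Memcheck prefixes its own lines with "==PID== "; program stderr has no prefix.
PREFIX = re.compile(r"^==\d+==\s?(.*)$")
# Frame lines: "   at 0xADDR: func (file:line)" / "   by 0xADDR: func (in lib.so)".
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
SUMMARY = re.compile(r"^ERROR SUMMARY: (\d+) errors from (\d+) contexts")
# Headers that open an error record (banner, HEAP/LEAK SUMMARY lines do not).
KIND_PREFIXES = ("Conditional jump", "Invalid read", "Invalid write",
                 "Syscall param", "Use of uninitialised", "Invalid free",
                 "Mismatched free", "Jump to the invalid address")

# Constructed sample runs shaped like the Memcheck output in comment 3; PIDs,
# addresses and tiff.c line numbers are made up, not taken from the report.
RUN_BEFORE = """\
==1111== Memcheck, a memory error detector
==1111== Command: convert sample.tiff /dev/null
==1111== 
==1111== Invalid read of size 2
==1111==    at 0x400000: ReadTIFFImage (tiff.c:1000)
==1111==    by 0x400100: ReadImage (constitute.c:601)
==1111==  Address 0x5000040 is 0 bytes after a block of size 64 alloc'd
==1111== 
==1111== Conditional jump or move depends on uninitialised value(s)
==1111==    at 0x400300: ClampToQuantum (quantum.h:92)
==1111==    by 0x400300: ImportQuantumPixels (quantum-import.c:3563)
==1111== 
convert: Invalid strip byte count 0, strip 1. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/584.
==1111== ERROR SUMMARY: 12 errors from 2 contexts (suppressed: 0 from 0)
"""
RUN_AFTER = """\
==2222== Memcheck, a memory error detector
==2222== Conditional jump or move depends on uninitialised value(s)
==2222==    at 0x400300: ClampToQuantum (quantum.h:92)
==2222==    by 0x400300: ImportQuantumPixels (quantum-import.c:3563)
==2222== 
==2222== ERROR SUMMARY: 10 errors from 1 contexts (suppressed: 0 from 0)
"""


def parse_memcheck(text):
    """Collect error records (kind + frames) and the ERROR SUMMARY counts."""
    contexts, current, errors, n_contexts = [], None, None, None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue  # libtiff/convert messages are not Memcheck lines
        line = m.group(1)
        if not line.strip() or line.startswith(KIND_PREFIXES):
            if current:
                contexts.append(current)  # blank line or new header closes a record
            current = {"kind": line.strip(), "frames": []} if line.strip() else None
            continue
        s = SUMMARY.match(line)
        if s:
            errors, n_contexts = int(s.group(1)), int(s.group(2))
        f = FRAME.match(line)
        if f and current is not None:
            current["frames"].append(f"{f.group(1)} ({f.group(2)})")
    if current:
        contexts.append(current)
    return {"contexts": contexts, "errors": errors, "contexts_count": n_contexts}


def context_key(ctx, depth=2):
    """Identify a record by its kind and innermost `depth` frames, ignoring addresses."""
    return (ctx["kind"], tuple(ctx["frames"][:depth]))


def compare_runs(before_text, after_text, depth=2):
    """Diff the error contexts of two Memcheck runs over the same input file."""
    before, after = parse_memcheck(before_text), parse_memcheck(after_text)
    b_keys = {context_key(c, depth) for c in before["contexts"]}
    a_keys = {context_key(c, depth) for c in after["contexts"]}
    return {
        "fixed": sorted(b_keys - a_keys),
        "introduced": sorted(a_keys - b_keys),
        "unchanged": sorted(b_keys & a_keys),
        "before_summary": (before["errors"], before["contexts_count"]),
        "after_summary": (after["errors"], after["contexts_count"]),
    }


def reproducer_proves_fix(report):
    """A test case proves a fix only if a context disappears and none appears."""
    return bool(report["fixed"]) and not report["introduced"]
```

Running `compare_runs(RUN_BEFORE, RUN_BEFORE)` (identical output before and after, as in comment 3) yields no fixed contexts, which is exactly the situation comment 4 describes.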
Comment 5 Petr Gajdos 2017-12-01 11:36:08 UTC
Will submit for:
11/ImageMagick
12/ImageMagick
Comment 6 Petr Gajdos 2017-12-01 11:41:36 UTC
I believe all fixed.
Comment 9 Swamp Workflow Management 2017-12-20 17:12:22 UTC
SUSE-SU-2017:3378-1: An update that fixes 26 vulnerabilities is now available.

Category: security (important)
Bug References: 1048457,1049796,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052758,1052764,1054757,1055214,1056432,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060577,1066003,1067181,1067184
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14733,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.14.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.14.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.14.1
Comment 10 Swamp Workflow Management 2017-12-20 17:39:32 UTC
SUSE-SU-2017:3388-1: An update that solves 32 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1048457,1049796,1050083,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052744,1052758,1052764,1054757,1055214,1056432,1057157,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060176,1060577,1061254,1062750,1066003,1067181,1067184,1067409
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11523,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14138,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14682,CVE-2017-14733,CVE-2017-14989,CVE-2017-15217,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
Comment 11 Andreas Stieger 2017-12-22 15:58:05 UTC
done
Comment 12 Swamp Workflow Management 2017-12-22 20:15:17 UTC
openSUSE-SU-2017:3420-1: An update that solves 32 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1048457,1049796,1050083,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052744,1052758,1052764,1054757,1055214,1056432,1057157,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060176,1060577,1061254,1062750,1066003,1067181,1067184,1067409
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11523,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14138,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14682,CVE-2017-14733,CVE-2017-14989,CVE-2017-15217,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-40.1
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-30.12.1