Bug 1072901 - (CVE-2017-17681) VUL-1: CVE-2017-17681: GraphicsMagick,ImageMagick: In ImageMagick 7.0.7-12 Q16, an infinite loop vulnerability was found in the function ReadPSDChannelZip in coders/psd.c, which allows attackers to cause a denial of service (CPU exhaustion)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/196655/
Whiteboard: CVSSv2:SUSE:CVE-2017-17681:5.0:(AV:N/...
Depends on:
Blocks:
Reported: 2017-12-14 14:52 UTC by Marcus Meissner
Modified: 2020-06-11 20:32 UTC (History)
See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments
ReadPSDChannelZip2-cpu-exhaustion (1.00 KB, application/octet-stream)
2017-12-14 14:54 UTC, Marcus Meissner
Description Marcus Meissner 2017-12-14 14:52:48 UTC
CVE-2017-17681

In ImageMagick 7.0.7-12 Q16, an infinite loop vulnerability was found in the
function ReadPSDChannelZip in coders/psd.c, which allows attackers to cause a
denial of service (CPU exhaustion) via a crafted psd image file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17681
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17681
https://github.com/ImageMagick/ImageMagick/issues/869
Comment 1 Marcus Meissner 2017-12-14 14:54:35 UTC
Created attachment 753071 [details]
ReadPSDChannelZip2-cpu-exhaustion

QA REPRODUCER:

ImageMagick:
convert ReadPSDChannelZip2-cpu-exhaustion /dev/null

GraphicsMagick:
gm convert ReadPSDChannelZip2-cpu-exhaustion /dev/null

should not run very very long.
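The QA reproducer above only says the conversion "should not run very very long". The following is an added example, not part of the bug report and not code from ImageMagick or GraphicsMagick: a POSIX sh watchdog that runs a decoder command under a wall-clock limit and reports `ok`, `crash` or `hang`, so a CPU-exhaustion regression fails a test run instead of stalling it (and a crash, as seen on SLE11 in comment 2, is told apart from a hang). The function names and the limits are my choices; the command under test (`convert` or `gm convert` with the attachment path) is whatever you pass in.

```shell
#!/bin/sh
# Added example; not from the bug report or either project.
#
# run_bounded LIMIT_SECONDS COMMAND [ARGS...]
#   Starts COMMAND in the background with a watchdog that SIGKILLs it once
#   LIMIT_SECONDS have elapsed.  Return codes:
#     0  command finished on its own (any exit code; a quick
#        "No decode delegate" error is still a clean finish)
#     1  command died from a signal other than our SIGKILL (a crash)
#     2  the watchdog had to kill it (it ran "very very long")
run_bounded() {
    limit=$1
    shift
    "$@" >/dev/null 2>&1 &
    cmd=$!
    # Watchdog subshell. Its stdout/stderr are discarded so an orphaned
    # sleep cannot hold open the pipe of a caller using $(...).
    ( sleep "$limit"; kill -KILL "$cmd" 2>/dev/null ) >/dev/null 2>&1 &
    dog=$!
    wait "$cmd" && status=0 || status=$?
    kill "$dog" 2>/dev/null || true
    wait "$dog" 2>/dev/null || true
    # 128+9 = 137 is "killed by SIGKILL", i.e. by our watchdog.
    if [ "$status" -eq 137 ]; then
        return 2
    fi
    # Any other status above 128 means the process died from a signal.
    if [ "$status" -gt 128 ]; then
        return 1
    fi
    return 0
}

# check_reproducer LIMIT_SECONDS COMMAND [ARGS...]
#   Prints one word per run, suitable for a BEFORE/AFTER table per build.
check_reproducer() {
    run_bounded "$@" && rc=0 || rc=$?
    case $rc in
        0) echo ok ;;
        1) echo crash ;;
        *) echo hang ;;
    esac
}

# Invocations against the attachment from this bug (file name as in
# comment 1; 10 seconds is an assumed generous bound for a 1 KB input):
#   check_reproducer 10 convert ReadPSDChannelZip2-cpu-exhaustion /dev/null
#   check_reproducer 10 gm convert ReadPSDChannelZip2-cpu-exhaustion /dev/null
```

Run the same two lines against each package build; a fixed decoder prints `ok`, the affected SLE12 ImageMagick prints `hang` after the limit expires, and a build that faults on the input prints `crash`.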
Comment 2 Marcus Meissner 2017-12-14 14:55:14 UTC
SLE11 GM: immediately returns.
SLE11 IM: crashes with bad free list???? (even worse than a hang)

SLE12 IM: affected
Comment 3 Petr Gajdos 2018-01-26 13:19:36 UTC
(In reply to Marcus Meissner from comment #2)
> SLE11 IM: crashes with bad free list???? (even worse than a hang)

I do not get it, perhaps fixed by previous update:

-------------------------------------------------------------------
Tue Dec 12 11:22:44 UTC 2017 - pgajdos@suse.com

- security update (psd.c):
  * CVE-2017-15281 [bsc#1063049]
    + ImageMagick-CVE-2017-15281.patch
  * CVE-2017-13061 [bsc#1055063]
    + ImageMagick-CVE-2017-13061.patch
  * CVE-2017-12563 [bsc#1052460]
    + ImageMagick-CVE-2017-12563.patch
  * CVE-2017-14174 [bsc#1057723]
    + ImageMagick-CVE-2017-14174.patch
Comment 4 Petr Gajdos 2018-01-26 13:57:09 UTC
BEFORE

12/ImageMagick

$ convert ReadPSDChannelZip2-cpu-exhaustion /dev/null
[hang or run long, 100% cpu, low memory]

11/ImageMagick

$ valgrind -q convert ReadPSDChannelZip2-cpu-exhaustion /dev/null
$

11/GraphicsMagick

$ valgrind -q gm convert ReadPSDChannelZip2-cpu-exhaustion /dev/null
$

42.x/GraphicsMagick

$ valgrind -q gm convert ReadPSDChannelZip2-cpu-exhaustion /dev/null
gm convert: No decode delegate for this image format (ReadPSDChannelZip2-cpu-exhaustion).
$

HG/GraphicsMagick

$ valgrind -q gm convert ReadPSDChannelZip2-cpu-exhaustion /dev/null
gm convert: No decode delegate for this image format (ReadPSDChannelZip2-cpu-exhaustion).
$

PATCH

https://github.com/ImageMagick/ImageMagick/commit/edf1b9408492b97cd08111a0a9cb123f6391dc5b
https://github.com/ImageMagick/ImageMagick/commit/8f5fc37f47fa9a6c4942686c2a3ffa77610842c6
https://github.com/ImageMagick/ImageMagick/commit/a7024c8d54ca462418626c163c7f0e638d2ea72
https://github.com/ImageMagick/ImageMagick/commit/cae42160e5ab6de4b2a9433267e143ce295ae957

GraphicsMagick and 11/ImageMagick do not have the code at all.

AFTER

12/ImageMagick

$ convert ReadPSDChannelZip2-cpu-exhaustion /dev/null
$
[exits immediately]
Comment 5 Petr Gajdos 2018-01-26 13:57:48 UTC
Will submit for: 12/ImageMagick
Comment 6 Petr Gajdos 2018-01-26 15:16:48 UTC
I believe all fixed.
Comment 8 Swamp Workflow Management 2018-02-02 14:12:34 UTC
SUSE-SU-2018:0349-1: An update that fixes 34 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1050037,1050072,1050098,1050100,1050635,1051442,1052470,1052708,1052717,1052721,1052768,1052777,1052781,1054600,1055068,1055374,1055455,1055456,1057000,1060162,1062752,1072362,1072901,1074120,1074125,1074185,1074309,1075939,1076021,1076051
CVE References: CVE-2017-10995,CVE-2017-11505,CVE-2017-11525,CVE-2017-11526,CVE-2017-11539,CVE-2017-11639,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12671,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13059,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14649,CVE-2017-15218,CVE-2017-17504,CVE-2017-17681,CVE-2017-17879,CVE-2017-17884,CVE-2017-17914,CVE-2017-18008,CVE-2017-18027,CVE-2017-18029,CVE-2017-9261,CVE-2017-9262,CVE-2018-5246,CVE-2018-5685
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
Comment 9 Marcus Meissner 2018-02-08 07:51:32 UTC
released
Comment 10 Swamp Workflow Management 2018-02-08 11:16:20 UTC
openSUSE-SU-2018:0396-1: An update that fixes 34 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1050037,1050072,1050098,1050100,1050635,1051442,1052470,1052708,1052717,1052721,1052768,1052777,1052781,1054600,1055068,1055374,1055455,1055456,1057000,1060162,1062752,1072362,1072901,1074120,1074125,1074185,1074309,1075939,1076021,1076051
CVE References: CVE-2017-10995,CVE-2017-11505,CVE-2017-11525,CVE-2017-11526,CVE-2017-11539,CVE-2017-11639,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12671,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13059,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14649,CVE-2017-15218,CVE-2017-17504,CVE-2017-17681,CVE-2017-17879,CVE-2017-17884,CVE-2017-17914,CVE-2017-18008,CVE-2017-18027,CVE-2017-18029,CVE-2017-9261,CVE-2017-9262,CVE-2018-5246,CVE-2018-5685
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-52.1