Bug 1074120 - (CVE-2017-17884) VUL-0: CVE-2017-17884: ImageMagick: A Memory leak in the function WriteOnePNGImage could lead to a denial of service
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/197262/
CVSSv3:RedHat:CVE-2017-17884:3.3:(AV:...
Reported: 2017-12-27 08:28 UTC by Victor Pereira
Modified: 2018-02-12 08:51 UTC
Found By: Security Response Team
Blocker: ---

Description Victor Pereira 2017-12-27 08:28:35 UTC
CVE-2017-17884

In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in
the function WriteOnePNGImage in coders/png.c, which allows attackers
to cause a denial of service via a crafted PNG image file.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17884
Comment 2 Petr Gajdos 2018-01-15 09:07:10 UTC
12/ImageMagick

valgrind --leak-check=full convert memory-leaks-CySdxTUBH3AFFf8fpXeyNzsjxMbxmLvm.svg~ ble.png

returns 57 errors both BEFORE and AFTER, but this does not involve the PNG coder at all, as it does not even reach WritePNGImage().

Code is there, will submit a patch.
Comment 5 Petr Gajdos 2018-01-15 14:40:40 UTC
11/ImageMagick

Code is not there, considering not affected.
Comment 7 Petr Gajdos 2018-01-16 13:13:37 UTC
42.x/GraphicsMagick both BEFORE and AFTER, HG/GraphicsMagick:

$ valgrind -q --leak-check=full --track-origins=yes gm convert memory-leaks-CySdxTUBH3AFFf8fpXeyNzsjxMbxmLvm.svg~ ble.png
==4012== 104 bytes in 1 blocks are definitely lost in loss record 28 of 33
==4012==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==4012==    by 0x7E9FD2A: ???
==4012==    by 0x7EF3A88: ???
==4012==    by 0x5209C12: __pthread_once_slow (in /lib64/libpthread-2.22.so)
==4012==    by 0x7EA00EA: ???
==4012==    by 0x7E9FAD8: ???
==4012==    by 0x7E2DD6C: ???
==4012==    by 0x7BEE567: ???
==4012==    by 0x4EBEB77: ReadImage (constitute.c:1607)
==4012==    by 0x4E9F037: ConvertImageCommand (command.c:4348)
==4012==    by 0x4E8F884: MagickCommand (command.c:8868)
==4012==    by 0x4E9099D: GMCommandSingle (command.c:17376)
==4012== 
==4012== 782 (400 direct, 382 indirect) bytes in 1 blocks are definitely lost in loss record 31 of 33
==4012==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==4012==    by 0x7E27611: ???
==4012==    by 0x7E27BE8: ???
==4012==    by 0x7E58CBB: ???
==4012==    by 0x7E40453: ???
==4012==    by 0x7BEE6F1: ???
==4012==    by 0x4EBEB77: ReadImage (constitute.c:1607)
==4012==    by 0x4E9F037: ConvertImageCommand (command.c:4348)
==4012==    by 0x4E8F884: MagickCommand (command.c:8868)
==4012==    by 0x4E9099D: GMCommandSingle (command.c:17376)
==4012==    by 0x4EB1D2D: GMCommand (command.c:17429)
==4012==    by 0x54406E4: (below main) (in /lib64/libc-2.22.so)
==4012== 
==4012== 2,016 bytes in 7 blocks are possibly lost in loss record 32 of 33
==4012==    at 0x4C2B240: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==4012==    by 0x4011291: allocate_dtv (in /lib64/ld-2.22.so)
==4012==    by 0x4011AED: _dl_allocate_tls (in /lib64/ld-2.22.so)
==4012==    by 0x520C170: pthread_create@@GLIBC_2.2.5 (in /lib64/libpthread-2.22.so)
==4012==    by 0x6B4D0A1: ??? (in /usr/lib64/libgomp.so.1.0.0)
==4012==    by 0x4F1ADC4: DrawPolygonPrimitive (render.c:3981)
==4012==    by 0x4F234EE: DrawPrimitive (render.c:4588)
==4012==    by 0x4F234EE: DrawImage (render.c:3424)
==4012==    by 0x838742F: ???
==4012==    by 0x4EBEB77: ReadImage (constitute.c:1607)
==4012==    by 0x7BEE9FB: ???
==4012==    by 0x4EBEB77: ReadImage (constitute.c:1607)
==4012==    by 0x4E9F037: ConvertImageCommand (command.c:4348)
==4012== 
$

Told upstream.
Comment 8 Petr Gajdos 2018-01-16 13:42:16 UTC
(In reply to Petr Gajdos from comment #5)
> 11/ImageMagick
> 
> Code is not there, considering not affected.

Code is there.

11/ImageMagick

BEFORE

$ valgrind --leak-check=full convert memory-leaks-CySdxTUBH3AFFf8fpXeyNzsjxMbxmLvm.svg~ ble.png
[..]
==7964== LEAK SUMMARY:
==7964==    definitely lost: 14,316 bytes in 38 blocks.
==7964==    indirectly lost: 33,576 bytes in 265 blocks.
==7964==      possibly lost: 2,240 bytes in 7 blocks.
==7964==    still reachable: 248 bytes in 3 blocks.
==7964==         suppressed: 0 bytes in 0 blocks.
==7964== Reachable blocks (those to which a pointer was found) are not shown.
==7964== To see them, rerun with: --leak-check=full --show-reachable=yes


AFTER

$ valgrind --leak-check=full convert memory-leaks-CySdxTUBH3AFFf8fpXeyNzsjxMbxmLvm.svg~ ble.png
[..]
==7972== LEAK SUMMARY:
==7972==    definitely lost: 14,316 bytes in 38 blocks.
==7972==    indirectly lost: 33,576 bytes in 265 blocks.
==7972==      possibly lost: 2,240 bytes in 7 blocks.
==7972==    still reachable: 248 bytes in 3 blocks.
==7972==         suppressed: 0 bytes in 0 blocks.
==7972== Reachable blocks (those to which a pointer was found) are not shown.
==7972== To see them, rerun with: --leak-check=full --show-reachable=yes
$

valgrind does not show any improvement, though.
Comment 9 Petr Gajdos 2018-01-16 14:23:33 UTC
I get several leaks also for 7.0.7-11 and 6.9.9-33, noted in the original upstream report.
https://github.com/ImageMagick/ImageMagick/issues/902
Comment 11 Petr Gajdos 2018-01-19 19:50:07 UTC
11/GraphicsMagick

BEFORE

$ valgrind -q --leak-check=full gm convert memory-leaks-CySdxTUBH3AFFf8fpXeyNzsjxMbxmLvm.svg~ ble.png
==20931== Conditional jump or move depends on uninitialised value(s)
==20931==    at 0x6C4A118: ceil (in /lib64/libm-2.9.so)
==20931==    by 0x4F0DBB0: DrawImage (render.c:2752)
==20931==    by 0x8BFC27F: ReadMVGImage (mvg.c:186)
==20931==    by 0x4EA01CC: ReadImage (constitute.c:6000)
==20931==    by 0x8698A5A: ReadSVGImage (svg.c:2821)
==20931==    by 0x4EA01CC: ReadImage (constitute.c:6000)
==20931==    by 0x4E8CBCF: ConvertImageCommand (command.c:3171)
==20931==    by 0x4E73683: MagickCommand (command.c:7657)
==20931==    by 0x4E737FE: GMCommand (command.c:15277)
==20931==    by 0x76E2585: (below main) (in /lib64/libc-2.9.so)
==20931== 
==20931== Conditional jump or move depends on uninitialised value(s)
==20931==    at 0x6C4A146: ceil (in /lib64/libm-2.9.so)
==20931==    by 0x4F0DBB0: DrawImage (render.c:2752)
==20931==    by 0x8BFC27F: ReadMVGImage (mvg.c:186)
==20931==    by 0x4EA01CC: ReadImage (constitute.c:6000)
==20931==    by 0x8698A5A: ReadSVGImage (svg.c:2821)
==20931==    by 0x4EA01CC: ReadImage (constitute.c:6000)
==20931==    by 0x4E8CBCF: ConvertImageCommand (command.c:3171)
==20931==    by 0x4E73683: MagickCommand (command.c:7657)
==20931==    by 0x4E737FE: GMCommand (command.c:15277)
==20931==    by 0x76E2585: (below main) (in /lib64/libc-2.9.so)
==20931== 
==20931== Conditional jump or move depends on uninitialised value(s)
==20931==    at 0x6C4A18B: ceil (in /lib64/libm-2.9.so)
==20931==    by 0x4F0DBB0: DrawImage (render.c:2752)
==20931==    by 0x8BFC27F: ReadMVGImage (mvg.c:186)
==20931==    by 0x4EA01CC: ReadImage (constitute.c:6000)
==20931==    by 0x8698A5A: ReadSVGImage (svg.c:2821)
==20931==    by 0x4EA01CC: ReadImage (constitute.c:6000)
==20931==    by 0x4E8CBCF: ConvertImageCommand (command.c:3171)
==20931==    by 0x4E73683: MagickCommand (command.c:7657)
==20931==    by 0x4E737FE: GMCommand (command.c:15277)
==20931==    by 0x76E2585: (below main) (in /lib64/libc-2.9.so)
==20931== 
==20931== Conditional jump or move depends on uninitialised value(s)
==20931==    at 0x4F0DBE7: DrawImage (render.c:2752)
==20931==    by 0x8BFC27F: ReadMVGImage (mvg.c:186)
==20931==    by 0x4EA01CC: ReadImage (constitute.c:6000)
==20931==    by 0x8698A5A: ReadSVGImage (svg.c:2821)
==20931==    by 0x4EA01CC: ReadImage (constitute.c:6000)
==20931==    by 0x4E8CBCF: ConvertImageCommand (command.c:3171)
==20931==    by 0x4E73683: MagickCommand (command.c:7657)
==20931==    by 0x4E737FE: GMCommand (command.c:15277)
==20931==    by 0x76E2585: (below main) (in /lib64/libc-2.9.so)
==20931== 
==20931== Conditional jump or move depends on uninitialised value(s)
==20931==    at 0x4F0DC08: DrawImage (render.c:2753)
==20931==    by 0x8BFC27F: ReadMVGImage (mvg.c:186)
==20931==    by 0x4EA01CC: ReadImage (constitute.c:6000)
==20931==    by 0x8698A5A: ReadSVGImage (svg.c:2821)
==20931==    by 0x4EA01CC: ReadImage (constitute.c:6000)
==20931==    by 0x4E8CBCF: ConvertImageCommand (command.c:3171)
==20931==    by 0x4E73683: MagickCommand (command.c:7657)
==20931==    by 0x4E737FE: GMCommand (command.c:15277)
==20931==    by 0x76E2585: (below main) (in /lib64/libc-2.9.so)
==20931== 
==20931== 
==20931== 104 bytes in 1 blocks are definitely lost in loss record 3 of 5
==20931==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==20931==    by 0x894959A: ???
==20931==    by 0x89A3CE6: ???
==20931==    by 0x88D38DF: ???
==20931==    by 0x88D3B3B: ???
==20931==    by 0x88D8035: ???
==20931==    by 0x86987C0: ???
==20931==    by 0x4EA01CC: ReadImage (constitute.c:6000)
==20931==    by 0x4E8CBCF: ConvertImageCommand (command.c:3171)
==20931==    by 0x4E73683: MagickCommand (command.c:7657)
==20931==    by 0x4E737FE: GMCommand (command.c:15277)
==20931==    by 0x76E2585: (below main) (in /lib64/libc-2.9.so)
==20931== 
==20931== 
==20931== 782 (400 direct, 382 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 5
==20931==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==20931==    by 0x88CF81F: ???
==20931==    by 0x88CFEB4: ???
==20931==    by 0x88FE38A: ???
==20931==    by 0x88D8024: ???
==20931==    by 0x86987C0: ???
==20931==    by 0x4EA01CC: ReadImage (constitute.c:6000)
==20931==    by 0x4E8CBCF: ConvertImageCommand (command.c:3171)
==20931==    by 0x4E73683: MagickCommand (command.c:7657)
==20931==    by 0x4E737FE: GMCommand (command.c:15277)
==20931==    by 0x76E2585: (below main) (in /lib64/libc-2.9.so)
$

AFTER

$ valgrind -q --leak-check=full gm convert memory-leaks-CySdxTUBH3AFFf8fpXeyNzsjxMbxmLvm.svg~ /dev/null
==20865== Conditional jump or move depends on uninitialised value(s)
==20865==    at 0x7D0336E: sqrt (in /lib64/libm-2.9.so)
==20865==    by 0x4F83172: DrawImage (render.c:2751)
==20865==    by 0x5048FB4: ReadMVGImage (mvg.c:186)
==20865==    by 0x4EFF7A0: ReadImage (constitute.c:6000)
==20865==    by 0x5098DE2: ReadSVGImage (svg.c:2821)
==20865==    by 0x4EFF7A0: ReadImage (constitute.c:6000)
==20865==    by 0x4EB8483: ConvertImageCommand (command.c:3171)
==20865==    by 0x4EC6510: MagickCommand (command.c:7657)
==20865==    by 0x4EDD66D: GMCommand (command.c:15277)
==20865==    by 0x4007A6: main (gm.c:61)
==20865== 
==20865== Conditional jump or move depends on uninitialised value(s)
==20865==    at 0x7D0337E: sqrt (in /lib64/libm-2.9.so)
==20865==    by 0x4F83172: DrawImage (render.c:2751)
==20865==    by 0x5048FB4: ReadMVGImage (mvg.c:186)
==20865==    by 0x4EFF7A0: ReadImage (constitute.c:6000)
==20865==    by 0x5098DE2: ReadSVGImage (svg.c:2821)
==20865==    by 0x4EFF7A0: ReadImage (constitute.c:6000)
==20865==    by 0x4EB8483: ConvertImageCommand (command.c:3171)
==20865==    by 0x4EC6510: MagickCommand (command.c:7657)
==20865==    by 0x4EDD66D: GMCommand (command.c:15277)
==20865==    by 0x4007A6: main (gm.c:61)
==20865== 
==20865== Conditional jump or move depends on uninitialised value(s)
==20865==    at 0x7CFC118: ceil (in /lib64/libm-2.9.so)
==20865==    by 0x4F83193: DrawImage (render.c:2752)
==20865==    by 0x5048FB4: ReadMVGImage (mvg.c:186)
==20865==    by 0x4EFF7A0: ReadImage (constitute.c:6000)
==20865==    by 0x5098DE2: ReadSVGImage (svg.c:2821)
==20865==    by 0x4EFF7A0: ReadImage (constitute.c:6000)
==20865==    by 0x4EB8483: ConvertImageCommand (command.c:3171)
==20865==    by 0x4EC6510: MagickCommand (command.c:7657)
==20865==    by 0x4EDD66D: GMCommand (command.c:15277)
==20865==    by 0x4007A6: main (gm.c:61)
==20865== 
==20865== Conditional jump or move depends on uninitialised value(s)
==20865==    at 0x7CFC146: ceil (in /lib64/libm-2.9.so)
==20865==    by 0x4F83193: DrawImage (render.c:2752)
==20865==    by 0x5048FB4: ReadMVGImage (mvg.c:186)
==20865==    by 0x4EFF7A0: ReadImage (constitute.c:6000)
==20865==    by 0x5098DE2: ReadSVGImage (svg.c:2821)
==20865==    by 0x4EFF7A0: ReadImage (constitute.c:6000)
==20865==    by 0x4EB8483: ConvertImageCommand (command.c:3171)
==20865==    by 0x4EC6510: MagickCommand (command.c:7657)
==20865==    by 0x4EDD66D: GMCommand (command.c:15277)
==20865==    by 0x4007A6: main (gm.c:61)
==20865== 
==20865== Conditional jump or move depends on uninitialised value(s)
==20865==    at 0x7CFC18B: ceil (in /lib64/libm-2.9.so)
==20865==    by 0x4F83193: DrawImage (render.c:2752)
==20865==    by 0x5048FB4: ReadMVGImage (mvg.c:186)
==20865==    by 0x4EFF7A0: ReadImage (constitute.c:6000)
==20865==    by 0x5098DE2: ReadSVGImage (svg.c:2821)
==20865==    by 0x4EFF7A0: ReadImage (constitute.c:6000)
==20865==    by 0x4EB8483: ConvertImageCommand (command.c:3171)
==20865==    by 0x4EC6510: MagickCommand (command.c:7657)
==20865==    by 0x4EDD66D: GMCommand (command.c:15277)
==20865==    by 0x4007A6: main (gm.c:61)
==20865== 
==20865== Conditional jump or move depends on uninitialised value(s)
==20865==    at 0x4F831D0: DrawImage (render.c:2752)
==20865==    by 0x5048FB4: ReadMVGImage (mvg.c:186)
==20865==    by 0x4EFF7A0: ReadImage (constitute.c:6000)
==20865==    by 0x5098DE2: ReadSVGImage (svg.c:2821)
==20865==    by 0x4EFF7A0: ReadImage (constitute.c:6000)
==20865==    by 0x4EB8483: ConvertImageCommand (command.c:3171)
==20865==    by 0x4EC6510: MagickCommand (command.c:7657)
==20865==    by 0x4EDD66D: GMCommand (command.c:15277)
==20865==    by 0x4007A6: main (gm.c:61)
==20865== 
==20865== Conditional jump or move depends on uninitialised value(s)
==20865==    at 0x4F8323F: DrawImage (render.c:2753)
==20865==    by 0x5048FB4: ReadMVGImage (mvg.c:186)
==20865==    by 0x4EFF7A0: ReadImage (constitute.c:6000)
==20865==    by 0x5098DE2: ReadSVGImage (svg.c:2821)
==20865==    by 0x4EFF7A0: ReadImage (constitute.c:6000)
==20865==    by 0x4EB8483: ConvertImageCommand (command.c:3171)
==20865==    by 0x4EC6510: MagickCommand (command.c:7657)
==20865==    by 0x4EDD66D: GMCommand (command.c:15277)
==20865==    by 0x4007A6: main (gm.c:61)
$
[leaks vanished]
Comment 12 Petr Gajdos 2018-01-19 20:41:08 UTC
42.x/GraphicsMagick:

Now I get:

BEFORE

$ valgrind -q --leak-check=full gm convert memory-leaks-CySdxTUBH3AFFf8fpXeyNzsjxMbxmLvm.svg~ /dev/null
==6947== 104 bytes in 1 blocks are definitely lost in loss record 28 of 33
==6947==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6947==    by 0x7C83D2A: ???
==6947==    by 0x7CD7A88: ???
==6947==    by 0x5209C12: __pthread_once_slow (in /lib64/libpthread-2.22.so)
==6947==    by 0x7C840EA: ???
==6947==    by 0x7C83AD8: ???
==6947==    by 0x7C11D6C: ???
==6947==    by 0x79D2567: ???
==6947==    by 0x4EBEB77: ReadImage (constitute.c:1607)
==6947==    by 0x4E9F037: ConvertImageCommand (command.c:4348)
==6947==    by 0x4E8F884: MagickCommand (command.c:8868)
==6947==    by 0x4E9099D: GMCommandSingle (command.c:17376)
==6947== 
==6947== 782 (400 direct, 382 indirect) bytes in 1 blocks are definitely lost in loss record 31 of 33
==6947==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6947==    by 0x7C0B611: ???
==6947==    by 0x7C0BBE8: ???
==6947==    by 0x7C3CCBB: ???
==6947==    by 0x7C24453: ???
==6947==    by 0x79D26F1: ???
==6947==    by 0x4EBEB77: ReadImage (constitute.c:1607)
==6947==    by 0x4E9F037: ConvertImageCommand (command.c:4348)
==6947==    by 0x4E8F884: MagickCommand (command.c:8868)
==6947==    by 0x4E9099D: GMCommandSingle (command.c:17376)
==6947==    by 0x4EB1D2D: GMCommand (command.c:17429)
==6947==    by 0x54406E4: (below main) (in /lib64/libc-2.22.so)
==6947== 
==6947== 2,016 bytes in 7 blocks are possibly lost in loss record 32 of 33
==6947==    at 0x4C2B240: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6947==    by 0x4011291: allocate_dtv (in /lib64/ld-2.22.so)
==6947==    by 0x4011AED: _dl_allocate_tls (in /lib64/ld-2.22.so)
==6947==    by 0x520C170: pthread_create@@GLIBC_2.2.5 (in /lib64/libpthread-2.22.so)
==6947==    by 0x6B4D0A1: ??? (in /usr/lib64/libgomp.so.1.0.0)
==6947==    by 0x4F1ADC4: DrawPolygonPrimitive (render.c:3981)
==6947==    by 0x4F234EE: DrawPrimitive (render.c:4588)
==6947==    by 0x4F234EE: DrawImage (render.c:3424)
==6947==    by 0x816B42F: ???
==6947==    by 0x4EBEB77: ReadImage (constitute.c:1607)
==6947==    by 0x79D29FB: ???
==6947==    by 0x4EBEB77: ReadImage (constitute.c:1607)
==6947==    by 0x4E9F037: ConvertImageCommand (command.c:4348)
==6947== 
$

AFTER

$ valgrind -q --leak-check=full gm convert memory-leaks-CySdxTUBH3AFFf8fpXeyNzsjxMbxmLvm.svg~ /dev/null
==6961== 2,016 bytes in 7 blocks are possibly lost in loss record 23 of 24
==6961==    at 0x4C2B240: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6961==    by 0x4011291: allocate_dtv (in /lib64/ld-2.22.so)
==6961==    by 0x4011AED: _dl_allocate_tls (in /lib64/ld-2.22.so)
==6961==    by 0x5387170: pthread_create@@GLIBC_2.2.5 (in /lib64/libpthread-2.22.so)
==6961==    by 0x7E2A0A1: ??? (in /usr/lib64/libgomp.so.1.0.0)
==6961==    by 0x4F4AE34: DrawPolygonPrimitive (render.c:3981)
==6961==    by 0x4F5355E: DrawPrimitive (render.c:4588)
==6961==    by 0x4F5355E: DrawImage (render.c:3424)
==6961==    by 0x500B60F: ReadMVGImage (mvg.c:195)
==6961==    by 0x4EF0CE7: ReadImage (constitute.c:1607)
==6961==    by 0x503DF9B: ReadSVGImage (svg.c:2900)
==6961==    by 0x4EF0CE7: ReadImage (constitute.c:1607)
==6961==    by 0x4ED1227: ConvertImageCommand (command.c:4348)
==6961== 
$
[issue partly solved]
Comment 13 Petr Gajdos 2018-01-22 08:00:22 UTC
[none of the above (11,42.x/GraphicsMagick) involves WriteOnePNGImage()]
Comment 14 Petr Gajdos 2018-01-22 08:52:46 UTC
11/ImageMagick:

$ valgrind -q --leak-check=full convert memory-leaks-CySdxTUBH3AFFf8fpXeyNzsjxMbxmLvm.svg~ /dev/null
convert: no image vector graphics `/dev/null'.
==25525== 
==25525== 8 bytes in 1 blocks are definitely lost in loss record 3 of 18
==25525==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==25525==    by 0x5064A47: ReadSVGImage (svg.c:265)
==25525==    by 0x4EC4AA7: ReadImage (constitute.c:441)
==25525==    by 0x5447CC3: ConvertImageCommand (convert.c:565)
==25525==    by 0x401083: main (convert.c:122)
==25525== 
==25525== 
==25525== 1,600 bytes in 20 blocks are possibly lost in loss record 12 of 18
==25525==    at 0x4C23484: calloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==25525==    by 0x874E8A9: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.1800.2)
==25525==    by 0x82E83D4: (within /usr/lib64/libgobject-2.0.so.0.1800.2)
==25525==    by 0x82E8449: (within /usr/lib64/libgobject-2.0.so.0.1800.2)
==25525==    by 0x82EAA1A: g_type_init_with_debug_flags (in /usr/lib64/libgobject-2.0.so.0.1800.2)
==25525==    by 0x6C94668: rsvg_init (in /usr/lib64/librsvg-2.so.2.22.3)
==25525==    by 0x50617E8: RegisterSVGImage (svg.c:3036)
==25525==    by 0x4F974D4: RegisterStaticModules (static.c:254)
==25525==    by 0x4F4CF03: GetMagickInfo (magick.c:804)
==25525==    by 0x4F4D182: MagickCoreGenesis (magick.c:1202)
==25525==    by 0x400F88: main (convert.c:101)
==25525== 
==25525== 
==25525== 2,352 bytes in 7 blocks are possibly lost in loss record 13 of 18
==25525==    at 0x4C23484: calloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==25525==    by 0x4010AEE: _dl_allocate_tls (in /lib64/ld-2.9.so)
==25525==    by 0x915474A: pthread_create@@GLIBC_2.2.5 (in /lib64/libpthread-2.9.so)
==25525==    by 0x8F49F35: (within /usr/lib64/libgomp.so.1.0.0)
==25525==    by 0x4F3E101: SetImageBackgroundColor (image.c:342)
==25525==    by 0x5064C1E: ReadSVGImage (svg.c:2837)
==25525==    by 0x4EC4AA7: ReadImage (constitute.c:441)
==25525==    by 0x5447CC3: ConvertImageCommand (convert.c:565)
==25525==    by 0x401083: main (convert.c:122)
==25525== 
==25525== 
==25525== 11,216 bytes in 3 blocks are possibly lost in loss record 16 of 18
==25525==    at 0x4C232D0: memalign (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==25525==    by 0x4C2338A: posix_memalign (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==25525==    by 0x8763451: (within /usr/lib64/libglib-2.0.so.0.1800.2)
==25525==    by 0x87645ED: g_slice_alloc (in /usr/lib64/libglib-2.0.so.0.1800.2)
==25525==    by 0x6C91C2D: (within /usr/lib64/librsvg-2.so.2.22.3)
==25525==    by 0x6C99FA2: rsvg_handle_render_cairo_sub (in /usr/lib64/librsvg-2.so.2.22.3)
==25525==    by 0x5064CEB: ReadSVGImage (svg.c:2857)
==25525==    by 0x4EC4AA7: ReadImage (constitute.c:441)
==25525==    by 0x5447CC3: ConvertImageCommand (convert.c:565)
==25525==    by 0x401083: main (convert.c:122)
$

All leaks are related to SVG reads. The first one (8 bytes) is easy to fix and I will follow up with a patch. For the next ones, I am not sure how much of it is an ImageMagick issue or an underlying libraries issue. For example, the second one (the 1.6 k one) happens with some memory allocated via rsvg_init(), which does not return any handle to the allocated memory. rsvg_term() is called.
Comment 15 Petr Gajdos 2018-01-22 10:47:42 UTC
12/ImageMagick

BEFORE

$ valgrind --leak-check=full convert memory-leaks-CySdxTUBH3AFFf8fpXeyNzsjxMbxmLvm.svg~ ble.png
[..]
==9216== LEAK SUMMARY:
==9216==    definitely lost: 27,664 bytes in 56 blocks
==9216==    indirectly lost: 44,387 bytes in 521 blocks
==9216==      possibly lost: 656 bytes in 1 blocks
==9216==    still reachable: 5,727 bytes in 18 blocks
==9216==         suppressed: 0 bytes in 0 blocks
==9216==         suppressed: 0 bytes in 0 blocks
==9216== Reachable blocks (those to which a pointer was found) are not shown.
==9216== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==9216== 
==9216== For counts of detected and suppressed errors, rerun with: -v
==9216== ERROR SUMMARY: 57 errors from 57 contexts (suppressed: 0 from 0)
$

AFTER

$ valgrind --leak-check=full convert memory-leaks-CySdxTUBH3AFFf8fpXeyNzsjxMbxmLvm.svg~ ble.png
==9224== LEAK SUMMARY:
==9224==    definitely lost: 0 bytes in 0 blocks
==9224==    indirectly lost: 0 bytes in 0 blocks
==9224==      possibly lost: 6,972 bytes in 104 blocks
==9224==    still reachable: 142,374 bytes in 483 blocks
==9224==         suppressed: 0 bytes in 0 blocks
==9224== Reachable blocks (those to which a pointer was found) are not shown.
==9224== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==9224== 
==9224== For counts of detected and suppressed errors, rerun with: -v
==9224== ERROR SUMMARY: 104 errors from 104 contexts (suppressed: 0 from 0)
$
[more errors, but fewer lost bytes]

But essentially: the code control does not reach the patched code for this test case (inside of the diff), AcquireImageColormap() succeeds.
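The comments above judge each patch by pasting two valgrind memcheck runs and reading them by eye: comment 8 finds identical LEAK SUMMARY lines before and after (the test case never reaches the patched code), comment 14 attributes each "definitely lost" record to the ImageMagick reader that owns it, and comment 15 notes more errors but fewer lost bytes. The following is an added example, not code from the bug or from ImageMagick/GraphicsMagick: a small Python parser for memcheck's `==PID==`-prefixed output that extracts the loss records with their stacks and the LEAK SUMMARY and ERROR SUMMARY lines, attributes each record to the first symbolised frame below the allocator, and turns the before/after comparison into a verdict. The two sample runs (`BEFORE`, `AFTER`) are constructed to mirror the layout of the pastes above; their byte counts, PIDs and addresses are made up, and the function names `parse_memcheck`, `owning_frame`, `compare` and `fix_verdict` are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ALLOCATORS = {"malloc", "calloc", "realloc", "memalign", "posix_memalign"}
PREFIX = re.compile(r"^==\d+==\s?")  # the "==PID== " memcheck puts on every line
RECORD = re.compile(r"^(?P<total>[\d,]+) (?:\([\d,]+ direct, [\d,]+ indirect\) )?bytes in [\d,]+ "
                    r"blocks are (?P<kind>(?:definitely|possibly|indirectly) lost|still reachable) in loss record")
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (?P<rest>.*)$")
SUMMARY = re.compile(r"^\s*(?P<kind>(?:definitely|indirectly|possibly) lost|still reachable|suppressed): "
                     r"(?P<bytes>[\d,]+) bytes in [\d,]+ blocks")
ERRORS = re.compile(r"^ERROR SUMMARY: (?P<n>\d+) errors")

# Constructed sample runs (not real output), laid out like the valgrind pastes in the bug.
BEFORE = """\
==9216== 8 bytes in 1 blocks are definitely lost in loss record 3 of 18
==9216==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/vgpreload_memcheck.so)
==9216==    by 0x5064A47: ReadSVGImage (svg.c:265)
==9216==
==9216== 782 (400 direct, 382 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 18
==9216==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/vgpreload_memcheck.so)
==9216==    by 0x7E27611: ???
==9216==    by 0x4EBEB77: ReadImage (constitute.c:1607)
==9216==    by 0x54406E4: (below main) (in /lib64/libc-2.22.so)
==9216==
==9216== 1,600 bytes in 20 blocks are possibly lost in loss record 12 of 18
==9216==    at 0x4C23484: calloc (in /usr/lib64/valgrind/vgpreload_memcheck.so)
==9216==    by 0x874E8A9: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.1800.2)
==9216==
==9216== LEAK SUMMARY:
==9216==    definitely lost: 790 bytes in 2 blocks
==9216==      possibly lost: 1,600 bytes in 20 blocks
==9216== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
"""
AFTER = """\
==9224== 6,972 bytes in 104 blocks are possibly lost in loss record 23 of 24
==9224==    at 0x4C23484: calloc (in /usr/lib64/valgrind/vgpreload_memcheck.so)
==9224==
==9224== LEAK SUMMARY:
==9224==    definitely lost: 0 bytes in 0 blocks
==9224==      possibly lost: 6,972 bytes in 104 blocks
==9224== ERROR SUMMARY: 104 errors from 104 contexts (suppressed: 0 from 0)
"""

@dataclass
class LossRecord:
    kind: str
    total: int
    frames: List[str] = field(default_factory=list)

@dataclass
class Report:
    records: List[LossRecord] = field(default_factory=list)
    summary: Dict[str, int] = field(default_factory=dict)  # LEAK SUMMARY kind -> bytes
    errors: Optional[int] = None

def _num(s: str) -> int:
    return int(s.replace(",", ""))

def _symbol(rest: str) -> str:
    # "ReadSVGImage (svg.c:265)" -> "ReadSVGImage"; "???", "(below main)", "(within x.so)" -> "?"
    name = rest.split(" (")[0].strip()
    return name if name and not name.startswith(("(", "?")) else "?"

def parse_memcheck(text: str) -> Report:
    report, current = Report(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if not line.strip():
            current = None  # a blank line ends the current stack
        elif m := RECORD.match(line):
            current = LossRecord(m["kind"], _num(m["total"]))
            report.records.append(current)
        elif (m := FRAME.match(line)) and current is not None:
            current.frames.append(_symbol(m["rest"]))
        elif m := SUMMARY.match(line):
            report.summary[m["kind"]] = _num(m["bytes"])
        elif m := ERRORS.match(line):
            report.errors = int(m["n"])
    return report

def owning_frame(record: LossRecord) -> str:
    """First symbolised frame below the allocator: the code that owns the leak."""
    return next((f for f in record.frames if f != "?" and f not in ALLOCATORS), "?")

def compare(before: Report, after: Report) -> Dict[str, int]:
    """Byte delta per LEAK SUMMARY kind plus error-count delta; negative means improvement."""
    kinds = sorted(set(before.summary) | set(after.summary))
    delta = {k: after.summary.get(k, 0) - before.summary.get(k, 0) for k in kinds}
    if before.errors is not None and after.errors is not None:
        delta["errors"] = after.errors - before.errors
    return delta

def fix_verdict(before: Report, after: Report) -> str:
    """Judge the patch on definitely-lost bytes alone: more errors with fewer lost bytes still
    counts as progress, equal counts mean the test case never reached the patched code."""
    b, a = before.summary.get("definitely lost", 0), after.summary.get("definitely lost", 0)
    if a > b:
        return "regressed"
    if a == b:
        return "unchanged"
    return "fixed" if a == 0 else "improved"
```

Running `compare(parse_memcheck(BEFORE), parse_memcheck(AFTER))` on the constructed runs gives a negative "definitely lost" delta alongside a positive error-count delta, the same "more errors, but fewer lost bytes" shape as comment 15, and `fix_verdict` reports "fixed"; feeding the same run twice yields "unchanged", which is the signal in comment 8 that the test case does not exercise the patched path and a different input is needed before the fix can be judged.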
Comment 17 Petr Gajdos 2018-01-22 12:23:33 UTC
Submitted for: 12/ImageMagick, 11/ImageMagick, 11/GraphicsMagick and 42.x/GraphicsMagick
Comment 18 Petr Gajdos 2018-01-22 12:24:49 UTC
I believe all fixed.
Comment 21 Swamp Workflow Management 2018-02-02 14:12:42 UTC
SUSE-SU-2018:0349-1: An update that fixes 34 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1050037,1050072,1050098,1050100,1050635,1051442,1052470,1052708,1052717,1052721,1052768,1052777,1052781,1054600,1055068,1055374,1055455,1055456,1057000,1060162,1062752,1072362,1072901,1074120,1074125,1074185,1074309,1075939,1076021,1076051
CVE References
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.33.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.33.1
Comment 22 Swamp Workflow Management 2018-02-02 14:17:42 UTC
SUSE-SU-2018:0350-1: An update that solves 30 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1050037,1050072,1050098,1050100,1050635,1051442,1052470,1052708,1052717,1052721,1052768,1052777,1052781,1054600,1055374,1055455,1055456,1057000,1060162,1062752,1072362,1074120,1074125,1074185,1074309,1075939,1076021,1076051
CVE References: CVE-2017-10995,CVE-2017-11505,CVE-2017-11525,CVE-2017-11526,CVE-2017-11539,CVE-2017-11639,CVE-2017-11750,CVE-2017-12565,CVE-2017-12640,CVE-2017-12641,CVE-2017-12643,CVE-2017-12671,CVE-2017-12673,CVE-2017-12676,CVE-2017-12935,CVE-2017-13141,CVE-2017-13142,CVE-2017-13147,CVE-2017-14103,CVE-2017-14649,CVE-2017-15218,CVE-2017-17504,CVE-2017-17879,CVE-2017-17884,CVE-2017-17914,CVE-2017-18027,CVE-2017-18029,CVE-2017-9261,CVE-2017-9262,CVE-2018-5685
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.29.2
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.29.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.29.2
Comment 23 Swamp Workflow Management 2018-02-08 11:16:30 UTC
openSUSE-SU-2018:0396-1: An update that fixes 34 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1050037,1050072,1050098,1050100,1050635,1051442,1052470,1052708,1052717,1052721,1052768,1052777,1052781,1054600,1055068,1055374,1055455,1055456,1057000,1060162,1062752,1072362,1072901,1074120,1074125,1074185,1074309,1075939,1076021,1076051
CVE References
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-52.1
Comment 24 Swamp Workflow Management 2018-02-09 20:12:12 UTC
SUSE-SU-2018:0413-1: An update that fixes 34 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043353,1043354,1047908,1047910,1050037,1050072,1050100,1051442,1052470,1052708,1052717,1052768,1052777,1052781,1054600,1055038,1055374,1055455,1055456,1057000,1060162,1062752,1067198,1073690,1074023,1074120,1074125,1074175,1075939
CVE References
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.78.33.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.33.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.33.1
Comment 25 Marcus Meissner 2018-02-12 08:51:51 UTC
released