Bug 1074119 - (CVE-2017-17885) VUL-0: CVE-2017-17885: ImageMagick: A Memory leak in the function ReadPICTImage could lead to a denial of service
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/197263/
CVSSv3:RedHat:CVE-2017-17885:3.3:(AV:...
Reported: 2017-12-27 08:27 UTC by Victor Pereira
Modified: 2018-03-06 23:47 UTC (History)
Found By: Security Response Team
Description Victor Pereira 2017-12-27 08:27:52 UTC
CVE-2017-17885

In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in
the function ReadPICTImage in coders/pict.c, which allows attackers to
cause a denial of service via a crafted PICT image file.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17885
Comment 2 Petr Gajdos 2018-01-30 15:09:28 UTC
BEFORE

12/ImageMagick

$ valgrind -q --leak-check=full convert ReadPICTImage-memory-leaks /dev/null
convert: improper image header `ReadPICTImage-memory-leaks' @ error/pict.c/ReadPICTImage/1110.
convert: no images defined `/dev/null' @ error/convert.c/ConvertImageCommand/3149.
$
[no issues observed]

It fails here:

                if (ReadPixmap(image,&pixmap) == MagickFalse)
                  {
                    tile_image=DestroyImage(tile_image);
                    ThrowReaderException(CorruptImageError,
                      "ImproperImageHeader");
                  }

This is _after_
            if (tile_image == (Image *) NULL)
              ThrowReaderException(CorruptImageError,"ImproperImageHeader");

which means tile_image is not NULL.

11/ImageMagick

$ valgrind -q --leak-check=full convert ReadPICTImage-memory-leaks /dev/null
convert: Improper image header `ReadPICTImage-memory-leaks'.
convert: missing an image filename `/dev/null'.
==1917== 
==1917== 2,128 bytes in 7 blocks are possibly lost in loss record 3 of 3
==1917==    at 0x4C23484: calloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==1917==    by 0x4010AEE: _dl_allocate_tls (in /lib64/ld-2.9.so)
==1917==    by 0x6B7774A: pthread_create@@GLIBC_2.2.5 (in /lib64/libpthread-2.9.so)
==1917==    by 0x696CF35: (within /usr/lib64/libgomp.so.1.0.0)
==1917==    by 0x4F0E3E1: SetImageBackgroundColor (image.c:342)
==1917==    by 0x9F0D309: ???
==1917==    by 0x4E94D87: ReadImage (constitute.c:441)
==1917==    by 0x5292BC3: ConvertImageCommand (convert.c:565)
==1917==    by 0x400F73: main (convert.c:122)
$
[unrelated memory leak, see bug 1052761 comment 1]

11/GraphicsMagick

$ valgrind -q --leak-check=full gm convert ReadPICTImage-memory-leaks /dev/null
gm convert: Improper image header (ReadPICTImage-memory-leaks).
$
[no issues observed]

42.3/GraphicsMagick

$ valgrind -q --leak-check=full gm convert ReadPICTImage-memory-leaks /dev/null
gm convert: Improper image header (ReadPICTImage-memory-leaks).
$
[no issues observed]


PATCH

https://github.com/ImageMagick/ImageMagick/commit/5e863ae629010110772321fd181bac34c4b57345

12,11/ImageMagick: code is there
HG,42.3,11/GraphicsMagick: coder is there (upstream notified)


AFTER

12/ImageMagick

$ valgrind -q --leak-check=full convert ReadPICTImage-memory-leaks /dev/null
convert: improper image header `ReadPICTImage-memory-leaks' @ error/pict.c/ReadPICTImage/1110.
convert: no images defined `/dev/null' @ error/convert.c/ConvertImageCommand/3149.
$
[no change]

11/ImageMagick

$ valgrind -q --leak-check=full convert ReadPICTImage-memory-leaks /dev/null
convert: Improper image header `ReadPICTImage-memory-leaks'.
convert: missing an image filename `/dev/null'.
==28844== 
==28844== 2,128 bytes in 7 blocks are possibly lost in loss record 3 of 3
==28844==    at 0x4C23484: calloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==28844==    by 0x4010AEE: _dl_allocate_tls (in /lib64/ld-2.9.so)
==28844==    by 0x6B7774A: pthread_create@@GLIBC_2.2.5 (in /lib64/libpthread-2.9.so)
==28844==    by 0x696CF35: (within /usr/lib64/libgomp.so.1.0.0)
==28844==    by 0x4F0E3E1: SetImageBackgroundColor (image.c:342)
==28844==    by 0x9F0D513: ???
==28844==    by 0x4E94D87: ReadImage (constitute.c:441)
==28844==    by 0x5292BC3: ConvertImageCommand (convert.c:565)
==28844==    by 0x400F73: main (convert.c:122)
$
[no change]

11/GraphicsMagick

$ valgrind -q --leak-check=full gm convert ReadPICTImage-memory-leaks /dev/null
gm convert: Improper image header (ReadPICTImage-memory-leaks).
$
[no change]

12/ImageMagick

$ valgrind -q --leak-check=full gm convert ReadPICTImage-memory-leaks /dev/null
gm convert: Improper image header (ReadPICTImage-memory-leaks).
$
[no change]
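The analysis in comment 2 turns on a single pattern: a reader allocates an object (tile_image), then hits a corrupt-header check, and the early exit must release everything the function owns or valgrind reports the block as lost. The following C model is an added illustration of that pattern only; it is not ImageMagick's pict.c and does not reproduce the upstream commit. Every name in it (ReadTileLeaky, ReadTileFixed, leaked_after_corrupt_header, the two-byte "pixmap" header) is hypothetical, and a live-object counter stands in for valgrind's leak accounting.

```c
/* Added example, not ImageMagick code: a miniature model of a reader whose
 * early-return error path must destroy every object it has acquired.
 * All names are hypothetical; live_images plays the role of valgrind. */
#include <stdio.h>
#include <stdlib.h>

typedef struct { int width, height; } Image;

/* Live-object counter standing in for valgrind's leak accounting. */
static int live_images = 0;

static Image *AcquireImage(void) {
    Image *img = calloc(1, sizeof(Image));
    if (img != NULL) live_images++;
    return img;
}

static Image *DestroyImage(Image *img) {
    if (img != NULL) { live_images--; free(img); }
    return NULL;  /* ImageMagick-style convention: assign the result back */
}

/* Constructed two-byte "pixmap" header; rowBytes == 0 is treated as corrupt. */
typedef struct { int rowBytes; } PixMap;

static int ReadPixmap(const unsigned char *data, size_t len, PixMap *out) {
    if (len < 2) return 0;
    out->rowBytes = (data[0] << 8) | data[1];
    return out->rowBytes != 0;  /* 0 plays the role of MagickFalse */
}

/* Leaky variant: the corrupt-header exit returns without destroying tile_image. */
static Image *ReadTileLeaky(const unsigned char *data, size_t len) {
    Image *tile_image = AcquireImage();
    PixMap pixmap;
    if (tile_image == NULL) return NULL;
    if (ReadPixmap(data, len, &pixmap) == 0)
        return NULL;                    /* leak: tile_image is still live */
    tile_image->width = pixmap.rowBytes;
    return tile_image;
}

/* Fixed variant: every early return releases what this function owns. */
static Image *ReadTileFixed(const unsigned char *data, size_t len) {
    Image *tile_image = AcquireImage();
    PixMap pixmap;
    if (tile_image == NULL) return NULL;
    if (ReadPixmap(data, len, &pixmap) == 0) {
        tile_image = DestroyImage(tile_image);   /* the missing cleanup */
        return NULL;
    }
    tile_image->width = pixmap.rowBytes;
    return tile_image;
}

typedef Image *(*Reader)(const unsigned char *, size_t);

/* Feed one reader a corrupt header and report how many objects it left live:
 * this is the check valgrind's --leak-check=full performs for real binaries. */
static int leaked_after_corrupt_header(Reader read) {
    static const unsigned char corrupt[2] = { 0x00, 0x00 };  /* constructed input */
    int before = live_images;
    Image *img = read(corrupt, sizeof corrupt);
    if (img != NULL) DestroyImage(img);
    return live_images - before;
}

int main(void) {
    printf("leaky reader leaves %d object(s) live\n",
           leaked_after_corrupt_header(ReadTileLeaky));
    printf("fixed reader leaves %d object(s) live\n",
           leaked_after_corrupt_header(ReadTileFixed));
    return 0;
}
```

The leaky reader leaves one object live per corrupt input, which is exactly the class of defect that lets a crafted file exhaust memory in a long-running converter; the fixed reader leaves none. The same before/after comparison with a real binary is what the valgrind runs in comment 2 perform.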
Comment 3 Petr Gajdos 2018-01-30 15:10:13 UTC
Will submit for: 12/ImageMagick, 11/ImageMagick, 11/GraphicsMagick and 42.3/GraphicsMagick.
Comment 4 Petr Gajdos 2018-01-31 09:30:09 UTC
(In reply to Petr Gajdos from comment #2)
> 12,11/ImageMagick: code is there
> HG,42.3,11/GraphicsMagick: coder is there (upstream notified)

Actually no. I was corrected by upstream and I double-checked for older distros too: clone_info does not need to be freed at this place.
Comment 5 Petr Gajdos 2018-01-31 09:30:30 UTC
Will submit for: 12/ImageMagick and 11/ImageMagick.
Comment 6 Petr Gajdos 2018-02-02 09:31:34 UTC
I believe all fixed.
Comment 7 Marcus Meissner 2018-02-12 08:50:26 UTC
Did not see submissions?
Comment 8 Petr Gajdos 2018-02-12 08:59:25 UTC
I see them.
Comment 9 Petr Gajdos 2018-02-12 09:22:16 UTC
$ isc cat home:pgajdos:maintenance:ImageMagick ImageMagick.SUSE_SLE-12_Update ImageMagick.changes | grep  CVE-2017-17885.*1074119
  * CVE-2017-17885 [bsc#1074119]
$

$ isc cat home:pgajdos:maintenance:ImageMagick ImageMagick.SUSE_SLE-11_Update ImageMagick.changes | grep  CVE-2017-17885.*1074119
  * CVE-2017-17885 [bsc#1074119]
$
Comment 10 Swamp Workflow Management 2018-02-20 14:10:53 UTC
SUSE-SU-2018:0486-1: An update that fixes 24 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042824,1048110,1049374,1049375,1050048,1050617,1050669,1052207,1052248,1052251,1052254,1052472,1052688,1052711,1052747,1052750,1052761,1055069,1055229,1058009,1074119,1076182,1078433
CVE References: CVE-2017-11166,CVE-2017-11448,CVE-2017-11450,CVE-2017-11537,CVE-2017-11637,CVE-2017-11638,CVE-2017-11642,CVE-2017-12418,CVE-2017-12427,CVE-2017-12429,CVE-2017-12432,CVE-2017-12566,CVE-2017-12654,CVE-2017-12664,CVE-2017-12665,CVE-2017-12668,CVE-2017-12674,CVE-2017-13058,CVE-2017-13131,CVE-2017-14224,CVE-2017-17885,CVE-2017-18028,CVE-2017-9407,CVE-2018-6405
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.34.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.34.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.34.1
Comment 11 Swamp Workflow Management 2018-03-01 20:18:47 UTC
SUSE-SU-2018:0581-1: An update that fixes 35 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042824,1042911,1048110,1048272,1049374,1049375,1050048,1050119,1050122,1050126,1050132,1050617,1052207,1052248,1052251,1052254,1052472,1052688,1052711,1052747,1052750,1052754,1052761,1055069,1055229,1056768,1057163,1058009,1072898,1074119,1074170,1075821,1076182,1078433
CVE References: CVE-2017-11166,CVE-2017-11170,CVE-2017-11448,CVE-2017-11450,CVE-2017-11528,CVE-2017-11530,CVE-2017-11531,CVE-2017-11533,CVE-2017-11537,CVE-2017-11638,CVE-2017-11642,CVE-2017-12418,CVE-2017-12427,CVE-2017-12429,CVE-2017-12432,CVE-2017-12566,CVE-2017-12654,CVE-2017-12663,CVE-2017-12664,CVE-2017-12665,CVE-2017-12668,CVE-2017-12674,CVE-2017-13058,CVE-2017-13131,CVE-2017-14060,CVE-2017-14139,CVE-2017-14224,CVE-2017-17682,CVE-2017-17885,CVE-2017-17934,CVE-2017-18028,CVE-2017-9405,CVE-2017-9407,CVE-2018-5357,CVE-2018-6405
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1
Comment 12 Andreas Stieger 2018-03-06 19:44:30 UTC
Releasing for Leap, showing as done otherwise
Comment 13 Swamp Workflow Management 2018-03-06 23:17:21 UTC
openSUSE-SU-2018:0621-1: An update that fixes 35 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042824,1042911,1048110,1048272,1049374,1049375,1050048,1050119,1050122,1050126,1050132,1050617,1052207,1052248,1052251,1052254,1052472,1052688,1052711,1052747,1052750,1052754,1052761,1055069,1055229,1056768,1057163,1058009,1072898,1074119,1074170,1075821,1076182,1078433
CVE References: CVE-2017-11166,CVE-2017-11170,CVE-2017-11448,CVE-2017-11450,CVE-2017-11528,CVE-2017-11530,CVE-2017-11531,CVE-2017-11533,CVE-2017-11537,CVE-2017-11638,CVE-2017-11642,CVE-2017-12418,CVE-2017-12427,CVE-2017-12429,CVE-2017-12432,CVE-2017-12566,CVE-2017-12654,CVE-2017-12663,CVE-2017-12664,CVE-2017-12665,CVE-2017-12668,CVE-2017-12674,CVE-2017-13058,CVE-2017-13131,CVE-2017-14060,CVE-2017-14139,CVE-2017-14224,CVE-2017-17682,CVE-2017-17885,CVE-2017-17934,CVE-2017-18028,CVE-2017-9405,CVE-2017-9407,CVE-2018-5357,CVE-2018-6405
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-55.1