Bug 1084060 - (CVE-2017-18219) VUL-2: CVE-2017-18219: GraphicsMagick,ImageMagick: An issue was discovered in GraphicsMagick 1.3.26. An allocation failurevulnerability was found in the function ReadOnePNGImage in coders/png.c, whichallows attackers to cause a denial of service via
(CVE-2017-18219)
VUL-2: CVE-2017-18219: GraphicsMagick,ImageMagick: An issue was discovered in...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/201241/
CVSSv3:RedHat:CVE-2017-18219:3.3:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-03-06 07:13 UTC by Marcus Meissner
Modified: 2018-05-18 15:46 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
allocation_failure_in_ReadOnePNGImage (260 bytes, application/octet-stream)
2018-03-06 07:17 UTC, Marcus Meissner
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2018-03-06 07:13:28 UTC
CVE-2017-18219

An issue was discovered in GraphicsMagick 1.3.26. An allocation failure
vulnerability was found in the function ReadOnePNGImage in coders/png.c, which
allows attackers to cause a denial of service via a crafted file that triggers
an attempt at a large png_pixels array allocation.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18219
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18219
https://sourceforge.net/p/graphicsmagick/bugs/459/
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/cadd4b0522fa
Comment 1 Marcus Meissner 2018-03-06 07:16:03 UTC
SEL11 IM and GM report "CRC failure" and do not do big allocations apparently.

SLE12 IM same

Leap 42 GM reports immediately not enough memory, same for Tumbleweed.

Seems a non issue.
Comment 2 Marcus Meissner 2018-03-06 07:17:55 UTC
Created attachment 762779 [details]
allocation_failure_in_ReadOnePNGImage

QA REPRODUCER:

IM:

convert allocation_failure_in_ReadOnePNGImage /dev/null

GgraphicsMagick:

gm convert allocation_failure_in_ReadOnePNGImage /dev/null
Comment 4 Petr Gajdos 2018-03-06 10:59:59 UTC
Looking on the first patch, you would have to play with policy and set MemoryResource. Question is, how would the bug manifest afterwards.
Comment 5 Petr Gajdos 2018-03-06 12:03:44 UTC
Nevertheless:
42.3,11/GraphicsMagick the code is already in due png.c-update.patch, I will add this CVE and bug number there
12,11/ImageMagick: MemoryResource is checked in AcquireVirtualMemory(), I guess no need to patch
Comment 6 Petr Gajdos 2018-03-06 12:40:30 UTC
.
Comment 7 Petr Gajdos 2018-03-06 12:46:37 UTC
11/ImageMagick needs the patch, actually.
Comment 8 Petr Gajdos 2018-03-06 12:46:52 UTC
Will submit for 11/ImageMagick.
Comment 9 Petr Gajdos 2018-03-06 13:08:35 UTC
Rpm changelog change will be submitted into 42.3/GraphicsMagick and 11/GraphicsMagick.
Comment 10 Petr Gajdos 2018-03-10 12:48:24 UTC
I believe all fixed.
Comment 12 Swamp Workflow Management 2018-03-12 12:44:09 UTC
This is an autogenerated message for OBS integration:
This bug (1084060) was mentioned in
https://build.opensuse.org/request/show/585295 42.3 / GraphicsMagick
Comment 13 Swamp Workflow Management 2018-03-14 11:20:30 UTC
This is an autogenerated message for OBS integration:
This bug (1084060) was mentioned in
https://build.opensuse.org/request/show/586755 42.3 / GraphicsMagick
Comment 14 Swamp Workflow Management 2018-03-18 14:08:54 UTC
openSUSE-SU-2018:0733-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1058630,1059735,1066168,1066170,1082283,1082291,1084060,1084062,1085233
CVE References: CVE-2017-14314,CVE-2017-14505,CVE-2017-15016,CVE-2017-15017,CVE-2017-16352,CVE-2017-16353,CVE-2017-18219,CVE-2017-18220,CVE-2017-18230
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-79.1
Comment 16 Swamp Workflow Management 2018-04-03 19:12:22 UTC
SUSE-SU-2018:0864-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1050087,1058630,1059735,1066168,1066170,1082283,1082291,1082348,1084060,1084062,1085233
CVE References: CVE-2017-11524,CVE-2017-12691,CVE-2017-12693,CVE-2017-14314,CVE-2017-14343,CVE-2017-14505,CVE-2017-15016,CVE-2017-15017,CVE-2017-16352,CVE-2017-16353,CVE-2017-18219,CVE-2017-18220,CVE-2017-18230
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-78.44.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-78.44.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-78.44.1
Comment 17 Swamp Workflow Management 2018-04-05 19:12:52 UTC
SUSE-SU-2018:0880-1: An update that fixes 16 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1043290,1050087,1056434,1058630,1059735,1066168,1066170,1082283,1082291,1082348,1082362,1082792,1084060,1086011
CVE References: CVE-2017-11524,CVE-2017-12691,CVE-2017-12692,CVE-2017-12693,CVE-2017-13768,CVE-2017-14314,CVE-2017-14343,CVE-2017-14505,CVE-2017-15016,CVE-2017-15017,CVE-2017-16352,CVE-2017-16353,CVE-2017-18219,CVE-2017-9500,CVE-2018-7443,CVE-2018-8804
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-78.40.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-78.40.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.40.1
Comment 18 Marcus Meissner 2018-05-18 15:46:44 UTC
done