Bugzilla – Bug 1020439
VUL-0: CVE-2017-5507: Imagemagick: memory leak in mpc file handling
Last modified: 2017-05-19 22:38:39 UTC
Ref: http://seclists.org/oss-sec/2017/q1/110

=============================================
coders/mpc.c: memory leak in mpc file handling

Debian Bug: https://bugs.debian.org/851382

Fixed by: https://github.com/ImageMagick/ImageMagick/commit/4493d9ca1124564da17f9b628ef9d0f1a6be9738
=============================================
bugbot adjusting priority
Hi Mikhail, I am not sure how the memory leak happens and how it is fixed. Could you please elaborate?
(In reply to Petr Gajdos from comment #2)
> Hi Mikhail,
>
> I am not sure how the memory leak happens and how it is fixed. Could you
> please elaborate?

Hello! Nope, sorry. :(
security-team, could you please help us (see comment 2)? Thanks
I've got an explanation from the upstream developers regarding the nature of the memory leak that's been fixed in this commit:

> The MPC image format memory maps an existing ImageMagick pixel cache in
> memory. The previous AcquireImageColormap() method call (prior to this
> commit), subsequently calls SetImageStorageClass(). This in turn calls
> SyncImagePixelCache(), which improperly allocates a new pixel cache. Next, the
> MPC coder calls PersistPixelCache() which overwrites the previous pixel cache
> causing a memory leak. Now we allocate the image colormap inside the MPC
> module which avoids the spurious call to SyncImagePixelCache(). It's so simple
> :-).

I hope this helps you better understand the issue.
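A simplified model of the leak sequence described in the comment above, added here as an illustration (this is not ImageMagick code; the struct, function names and allocation counter are constructed stand-ins). The buggy path allocates the colormap through a call that also syncs (re-allocates) the pixel cache, and the subsequent "persist" step then overwrites that pointer with the memory-mapped cache, so the heap cache is never released; the fixed path allocates the colormap directly and leaks nothing.

```c
#include <stdlib.h>

/* Counts heap pixel caches that are allocated and never freed. */
static int live_heap_caches = 0;

typedef struct {
    unsigned char *pixels;    /* current pixel cache (heap or memory-mapped) */
    size_t         bytes;
    unsigned char *colormap;
} Image;

/* Stand-in for SyncImagePixelCache(): allocates a fresh heap pixel cache. */
static void sync_pixel_cache(Image *img) {
    img->pixels = calloc(img->bytes, 1);
    live_heap_caches++;
}

/* Stand-in for AcquireImageColormap() before the fix: changing the storage
   class triggers a sync, i.e. a spurious heap allocation of the cache. */
static void acquire_colormap_buggy(Image *img) {
    img->colormap = malloc(256 * 3);
    sync_pixel_cache(img);
}

/* Stand-in for the fixed MPC coder: the colormap is allocated locally and
   no pixel cache sync happens. */
static void acquire_colormap_fixed(Image *img) {
    img->colormap = malloc(256 * 3);
}

/* Stand-in for PersistPixelCache(): points the image at the mapped cache,
   overwriting whatever pointer was there without releasing it. */
static void persist_pixel_cache(Image *img, unsigned char *mapped) {
    img->pixels = mapped;
}

/* Runs the MPC read sequence and returns the number of heap caches that
   are now unreachable (0 expected after the fix, 1 before it). */
int leaked_caches(int use_fixed_path) {
    static unsigned char mapped_file[64];   /* constructed stand-in for the mmap'd .cache file */
    Image img = { NULL, sizeof mapped_file, NULL };

    live_heap_caches = 0;
    if (use_fixed_path) acquire_colormap_fixed(&img);
    else                acquire_colormap_buggy(&img);
    persist_pixel_cache(&img, mapped_file);   /* heap cache (if any) is lost here */
    free(img.colormap);
    return live_heap_caches;
}
```

The leaked allocation in the buggy path is exactly what a run under a leak checker such as valgrind would report per MPC image read.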
My findings so far:

ImageMagick is affected:

SUSE:SLE-12:Update/ImageMagick/ImageMagick-6.8.8-1/coders/mpc.c:843,935
SUSE:SLE-11:Update/ImageMagick/ImageMagick-6.4.3/coders/mpc.c:743,835
-> PersistPixelCache() is just PersistCache() here, but seems to do the same

GraphicsMagick is not affected:

SUSE:SLE-11:Update/GraphicsMagick/GraphicsMagick-1.2.5/coders/mpc.c:714
-> AllocateImageColormap does not call SyncPixelCache()
openSUSE:Leap:42.1:Update/GraphicsMagick/GraphicsMagick-1.3.21/coders/mpc.c:732
-> AllocateImageColormap does not call SyncPixelCache()
openSUSE:Leap:42.2:Update/GraphicsMagick/GraphicsMagick-1.3.25/coders/mpc.c:794
-> AllocateImageColormap does not call SyncPixelCache()
Okay, assuming the second hunk is not related to this CVE. Thanks for your analysis.
Hi Petr,

(In reply to pgajdos@suse.com from comment #10)
> Okay, assuming the second hunk is not related to this CVE.

You mean the part where the call to SetImageExtent() has been replaced? I just had a look, that's also part of the issue, because this function also calls SyncImagePixelCache(). Please include this, too. Thank you!
Unfortunately there is nothing like WidthResource or HeightResource in older versions of ImageMagick.
(In reply to pgajdos@suse.com from comment #12)
> Unfortunately there is nothing like WidthResource or HeightResource in older
> versions of ImageMagick.

Ah sorry! I've just looked for the function SetImageExtent, which exists in our ImageMagick versions, but the function isn't called at all in mpc.c. You can ignore the second hunk then. Too much *Magick today for me ;-)
Affected: ImageMagick
Packages submitted, I believe all fixed.
SUSE-SU-2017:0529-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017308,1017310,1017311,1017312,1017313,1017314,1017318,1017319,1017320,1017321,1017322,1017324,1017325,1017326,1017421,1020433,1020435,1020436,1020439,1020441,1020443,1020446,1020448
CVE References: CVE-2016-10046,CVE-2016-10048,CVE-2016-10049,CVE-2016-10050,CVE-2016-10051,CVE-2016-10052,CVE-2016-10059,CVE-2016-10060,CVE-2016-10061,CVE-2016-10062,CVE-2016-10063,CVE-2016-10064,CVE-2016-10065,CVE-2016-10068,CVE-2016-10069,CVE-2016-10070,CVE-2016-10071,CVE-2016-10144,CVE-2016-10145,CVE-2016-10146,CVE-2017-5506,CVE-2017-5507,CVE-2017-5508,CVE-2017-5510,CVE-2017-5511

Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Server 12-SP2 (src): ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Server 12-SP1 (src): ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Desktop 12-SP2 (src): ImageMagick-6.8.8.1-59.1
SUSE Linux Enterprise Desktop 12-SP1 (src): ImageMagick-6.8.8.1-59.1
SUSE-SU-2017:0586-1: An update that fixes 21 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017308,1017310,1017311,1017312,1017313,1017314,1017318,1017319,1017320,1017321,1017322,1017324,1017326,1017421,1020433,1020435,1020436,1020439,1020441,1020443,1020448
CVE References: CVE-2016-10046,CVE-2016-10048,CVE-2016-10049,CVE-2016-10050,CVE-2016-10051,CVE-2016-10052,CVE-2016-10059,CVE-2016-10060,CVE-2016-10063,CVE-2016-10064,CVE-2016-10065,CVE-2016-10068,CVE-2016-10070,CVE-2016-10071,CVE-2016-10144,CVE-2016-10145,CVE-2016-10146,CVE-2017-5506,CVE-2017-5507,CVE-2017-5508,CVE-2017-5511

Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ImageMagick-6.4.3.6-7.65.1
SUSE Linux Enterprise Server 11-SP4 (src): ImageMagick-6.4.3.6-7.65.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): ImageMagick-6.4.3.6-7.65.1
openSUSE-SU-2017:0587-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017308,1017310,1017311,1017312,1017313,1017314,1017318,1017319,1017320,1017321,1017322,1017324,1017325,1017326,1017421,1020433,1020435,1020436,1020439,1020441,1020443,1020446,1020448
CVE References: CVE-2016-10046,CVE-2016-10048,CVE-2016-10049,CVE-2016-10050,CVE-2016-10051,CVE-2016-10052,CVE-2016-10059,CVE-2016-10060,CVE-2016-10061,CVE-2016-10062,CVE-2016-10063,CVE-2016-10064,CVE-2016-10065,CVE-2016-10068,CVE-2016-10069,CVE-2016-10070,CVE-2016-10071,CVE-2016-10144,CVE-2016-10145,CVE-2016-10146,CVE-2017-5506,CVE-2017-5507,CVE-2017-5508,CVE-2017-5510,CVE-2017-5511

Sources used:
openSUSE Leap 42.2 (src): ImageMagick-6.8.8.1-28.1
openSUSE Leap 42.1 (src): ImageMagick-6.8.8.1-30.1
GM not affected. IM all codestreams released. openSUSE comes from SLE. Closing.