Bug 1027255 - (CVE-2017-6335) VUL-0: CVE-2017-6335: ImageMagick,GraphicsMagick: heap out of bounds write issue
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2017-6335:6.8:(AV:N/A...
Reported: 2017-02-28 15:14 UTC by Mikhail Kasimov
Modified: 2017-08-14 14:10 UTC (History)
Attachments
tiff_c.patch (1.05 KB, patch), 2017-02-28 15:14 UTC, Mikhail Kasimov
foo.img (2.21 KB, application/x-raw-disk-image), 2017-05-29 14:58 UTC, Marcus Meissner

Description Mikhail Kasimov 2017-02-28 15:14:55 UTC
Created attachment 715743: tiff_c.patch

Ref: http://seclists.org/oss-sec/2017/q1/494
=============================================
GraphicsMagick versions up to 1.3.25 encounter a write beyond an allocated heap buffer when reading CMYKA TIFF files which claim to offer fewer samples per pixel than required.


This is the tiffinfo description of the problematic TIFF file:

TIFF Directory at offset 0x808 (2056)
  Image Width: 34 Image Length: 48
  Bits/Sample: 8
  Sample Format: unsigned integer
  Compression Scheme: None
  Photometric Interpretation: separated
  Extra Samples: 1<unassoc-alpha>
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 2
  Rows/Strip: 32
  Planar Configuration: single image plane

The fix for this is Mercurial changeset 14998:6156b4c2992d which may be viewed at SourceForge via this link:


https://sourceforge.net/p/graphicsmagick/code/ci/6156b4c2992d855ece6079653b3b93c3229fc4b8/

A minimal patch to correct the problem is attached.

This issue was reported to us on February 15, 2017 by Valon Chu.

Bob
--
Bob Friesenhahn
bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
=============================================

https://software.opensuse.org/package/GraphicsMagick

TW: 1.3.25 (official repo)
42.2: 1.3.25 (official repo)
42.1: 1.3.21 (official repo)

Ref: http://seclists.org/oss-sec/2017/q1/522
=============================================
This problem has been issued CVE-2017-6335.

The original reporter has tried to post CVE-assignment information to the list but the mail has not made it through yet.


Bob
=============================================
Comment 1 Marcus Meissner 2017-02-28 16:03:24 UTC
code is in SLE11 GraphicsMagick too.

ImageMagick in SLE11 code looks different, but similarly problematic:

        pad=(size_t) MagickMax((size_t) samples_per_pixel-3,0);
        quantum_type=RGBQuantum;
        if (image->matte != MagickFalse)
          {
            quantum_type=RGBAQuantum;
            pad=(size_t) MagickMax((size_t) samples_per_pixel-4,0);
          }
        if (image->colorspace == CMYKColorspace)
          {
            pad=(size_t) MagickMax((size_t) samples_per_pixel-4,0);
            quantum_type=CMYKQuantum;
            if (image->matte != MagickFalse)
              {
                quantum_type=CMYKAQuantum;
                pad=(size_t) MagickMax((size_t) samples_per_pixel-5,0);
              }
          }

It should also check samples_per_pixel; otherwise the above will turn into very large numbers after converting -1 to size_t.
Comment 2 Swamp Workflow Management 2017-02-28 23:01:19 UTC
bugbot adjusting priority
Comment 3 Petr Gajdos 2017-03-20 16:57:32 UTC
(In reply to Marcus Meissner from comment #1)
> ImageMagick in SLE11 code looks different, but similar problematic:
> 
>         pad=(size_t) MagickMax((size_t) samples_per_pixel-3,0);
>         quantum_type=RGBQuantum;
>         if (image->matte != MagickFalse)
>           {
>             quantum_type=RGBAQuantum;
>             pad=(size_t) MagickMax((size_t) samples_per_pixel-4,0);
>           }
>         if (image->colorspace == CMYKColorspace)
>           {
>             pad=(size_t) MagickMax((size_t) samples_per_pixel-4,0);
>             quantum_type=CMYKQuantum;
>             if (image->matte != MagickFalse)
>               {
>                 quantum_type=CMYKAQuantum;
>                 pad=(size_t) MagickMax((size_t) samples_per_pixel-5,0);
>               }
>           }
> 
> it should also check samples_per_pixel , otherwise above will turn to be
> very large numbers after converting -1 to size_t

Perhaps, but not similar enough to qualify as the same CVE, I think. At least we would have to have the testcase to prove it and to file ImageMagick's upstream bug.
Comment 4 Petr Gajdos 2017-03-21 18:26:37 UTC
I think ImageMagick is not affected as indicated in comment 1. There is, for example:

    if ((samples_per_pixel >= 4) && (interlace == PLANARCONFIG_SEPARATE))
      if ((image->matte == MagickFalse) || (samples_per_pixel >= 5))
        method=ReadCMYKAMethod;

So in the case method=ReadCMYKAMethod, samples_per_pixel is at least 4. I obviously have not gone through all paths, but this potential problem would be another issue deserving another CVE.
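An added example (mine, not code from this bug, ImageMagick or GraphicsMagick) that shows the size_t wrap Marcus describes in comment 1, fed with the Samples/Pixel value from the tiffinfo output above, next to a minimum-sample check of the kind comment 4 points to; MagickMax is a local stand-in for the macro and required_samples is a hypothetical helper.

```c
/* Added example, not code from the bug report, ImageMagick or GraphicsMagick. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local stand-in for ImageMagick's MagickMax macro (assumed to have this shape). */
#define MagickMax(x, y) (((x) > (y)) ? (x) : (y))

enum quantum { RGB_Q, RGBA_Q, CMYK_Q, CMYKA_Q };

/* Samples each quantum type consumes per pixel (hypothetical helper). */
static size_t required_samples(enum quantum q)
{
    switch (q) {
    case RGB_Q:   return 3;
    case RGBA_Q:  return 4;
    case CMYK_Q:  return 4;
    default:      return 5;   /* CMYKA_Q */
    }
}

/* Mirrors the pasted pattern: cast first, then subtract. With
 * samples_per_pixel=2 and CMYKA the subtraction wraps to SIZE_MAX-2, and
 * MagickMax(..., 0) cannot catch it because the operand is already huge. */
size_t pad_unchecked(uint16_t samples_per_pixel, enum quantum q)
{
    return (size_t) MagickMax((size_t) samples_per_pixel - required_samples(q), 0);
}

/* Hardened form: refuse the file if it offers fewer samples than the quantum
 * type needs, so pad can never wrap. Returns 0 on success, -1 on rejection. */
int pad_checked(uint16_t samples_per_pixel, enum quantum q, size_t *pad)
{
    size_t need = required_samples(q);
    if (samples_per_pixel < need)
        return -1;          /* too few samples: reject the image */
    *pad = samples_per_pixel - need;
    return 0;
}

int main(void)
{
    size_t pad;
    /* Constructed input matching the tiffinfo above: Samples/Pixel = 2, CMYK + alpha. */
    printf("unchecked pad: %zu\n", pad_unchecked(2, CMYKA_Q));
    printf("checked result: %d\n", pad_checked(2, CMYKA_Q, &pad));
    return 0;
}
```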
Comment 5 Petr Gajdos 2017-03-21 18:27:06 UTC
(In reply to Petr Gajdos from comment #4)
> I think ImageMagick is not affected as indicated in comment There is for

indicated in comment 1
Comment 6 Petr Gajdos 2017-03-21 18:27:37 UTC
Submitted to all GraphicsMagicks.
Comment 7 Bernhard Wiedemann 2017-03-21 19:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (1027255) was mentioned in
https://build.opensuse.org/request/show/481863 42.2 / GraphicsMagick
https://build.opensuse.org/request/show/481865 42.1 / GraphicsMagick
Comment 9 Swamp Workflow Management 2017-03-30 22:08:32 UTC
openSUSE-SU-2017:0891-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1027255
CVE References: CVE-2017-6335
Sources used:
openSUSE Leap 42.1 (src):    GraphicsMagick-1.3.21-29.1
Comment 10 Swamp Workflow Management 2017-03-30 22:09:55 UTC
openSUSE-SU-2017:0894-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1027255
CVE References: CVE-2017-6335
Sources used:
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-11.3.1
Comment 11 Swamp Workflow Management 2017-04-04 13:09:00 UTC
SUSE-SU-2017:0918-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1027255
CVE References: CVE-2017-6335
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.65.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.65.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.65.1
Comment 12 Victor Pereira 2017-05-19 07:56:10 UTC
fixed and released
Comment 13 Marcus Meissner 2017-05-29 14:58:08 UTC
Created attachment 726835: foo.img

QA REPRODUCER:

valgrind convert foo.img foo.jpg

should show fewer warnings after the update

For GraphicsMagick use:

valgrind gm convert foo.img foo.jpg
Comment 14 Petr Gajdos 2017-08-14 14:10:36 UTC
Assuming GraphicsMagick mercurial master is fixed (CVE assignment comes from Bob).