Bug 1036985 - (CVE-2017-8350) VUL-1: CVE-2017-8350: ImageMagick, GraphicsMagick: denial of service (memory leak) via a crafted file (ReadJNGImage function in png.c)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2017-8350:3.5:(AV:N/A...
Reported: 2017-04-30 20:25 UTC by Mikhail Kasimov
Modified: 2017-09-08 10:52 UTC (History)



Attachments
CVE-2017-8350_memory-leak-in-ReadJNGImage-8_testcase (397 bytes, image/x-jng)
2017-04-30 20:25 UTC, Mikhail Kasimov

Description Mikhail Kasimov 2017-04-30 20:25:04 UTC
Created attachment 723258 [details]
CVE-2017-8350_memory-leak-in-ReadJNGImage-8_testcase

Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-8350
====================================================
Description

In ImageMagick 7.0.5-5, the ReadJNGImage function in png.c allows attackers to cause a denial of service (memory leak) via a crafted file.

Source:  MITRE      Last Modified:  04/30/2017
====================================================

Hyperlink

[1] https://github.com/ImageMagick/ImageMagick/issues/447

[2] Testcase: https://github.com/bestshow/p0cs/blob/master/memory-leak-in-ReadJNGImage-8.jng

[3] https://github.com/ImageMagick/ImageMagick/commit/a353ee3914d7f0a83078f5ef84a7766587c98121 (master)

[4] https://github.com/ImageMagick/ImageMagick/commit/7a8d04796a94852c72fd90441a0805c27f1b3210 (ImageMagick-6)


(open-)SUSE: https://software.opensuse.org/package/ImageMagick

7.0.5.4 (TW, official repo)
6.8.8.1 (42.{1,2}, official repo)
Comment 1 Petr Gajdos 2017-05-17 15:12:57 UTC
I believe all fixed.
Comment 3 Bernhard Wiedemann 2017-05-17 16:03:47 UTC
This is an autogenerated message for OBS integration:
This bug (1036985) was mentioned in
https://build.opensuse.org/request/show/495650 42.2 / GraphicsMagick
Comment 5 Swamp Workflow Management 2017-05-26 10:08:57 UTC
openSUSE-SU-2017:1413-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1036985,1036986,1036988,1036990
CVE References: CVE-2017-8350,CVE-2017-8351,CVE-2017-8353,CVE-2017-8355
Sources used:
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-11.6.1
Comment 8 Marcus Meissner 2017-06-06 09:18:44 UTC
In SLE12 and older, the error exits in ReadJNGImage that cause the leakage do not yet exist.

As the testcase will not follow the error exits, it will not leak ... 

(It might have other problems due to missing error exits, but well .. not the leaks.)
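An added illustration of the error-exit pattern comment 8 refers to; it is not code from this bug, ImageMagick or GraphicsMagick. The function names are borrowed from the valgrind trace in comment 13, every body and the sample blobs are constructed, and live_images stands in for valgrind's "in use at exit" count.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of the error-exit leak pattern, not ImageMagick or
 * GraphicsMagick code: names follow the valgrind trace on this bug but
 * every body is constructed. live_images stands in for "in use at exit". */
typedef struct { unsigned char *pixels; size_t len; } Image;
static int live_images = 0;
static Image *AllocateImage(void) {
    Image *img = calloc(1, sizeof *img);
    if (img) live_images++;
    return img;
}
static void DestroyImage(Image *img) {
    if (img) { free(img->pixels); free(img); live_images--; }
}
/* Stand-in for decoding the embedded JPEG: a blob opening with a DHT marker
 * (FF C4) of length 0 models "Bogus Huffman table definition" and fails. */
static int decode_jpeg(Image *img, const unsigned char *blob, size_t n) {
    if (n < 3 || (blob[0] == 0xFF && blob[1] == 0xC4 && blob[2] == 0x00)) return -1;
    if (!(img->pixels = malloc(n))) return -1;
    memcpy(img->pixels, blob, n);
    img->len = n;
    return 0;
}
/* Before: the error exit returns without releasing the image just allocated. */
Image *ReadJNGImage_leaky(const unsigned char *blob, size_t n) {
    Image *img = AllocateImage();
    if (!img) return NULL;
    if (decode_jpeg(img, blob, n) != 0)
        return NULL;                  /* img is now unreachable: leaked */
    return img;
}
/* After: every error exit destroys the image before returning. */
Image *ReadJNGImage_fixed(const unsigned char *blob, size_t n) {
    Image *img = AllocateImage();
    if (!img) return NULL;
    if (decode_jpeg(img, blob, n) != 0) { DestroyImage(img); return NULL; }
    return img;
}
/* Runs a reader on a constructed blob (bogus DHT or a trivially "good" one) and
 * returns how many images are still live afterwards; 0 means no leak. */
int images_leaked_by(Image *(*reader)(const unsigned char *, size_t), int bogus) {
    static const unsigned char bad[] = {0xFF, 0xC4, 0x00, 0x01};
    static const unsigned char good[] = {0xFF, 0xD8, 0xFF, 0xD9};
    live_images = 0;
    DestroyImage(bogus ? reader(bad, sizeof bad) : reader(good, sizeof good));
    return live_images;
}
```

The leaky reader leaves one image live only on the bogus input, which is exactly the "definitely lost ... AllocateImage" record valgrind reports on the testcase.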
Comment 10 Swamp Workflow Management 2017-06-06 16:13:06 UTC
SUSE-SU-2017:1489-1: An update that fixes 27 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1028075,1033091,1034870,1034872,1034876,1036976,1036977,1036978,1036980,1036981,1036982,1036983,1036984,1036985,1036986,1036987,1036988,1036989,1036990,1036991,1037527,1038000,1040025,1040303,1040304,1040306,1040332
CVE References: CVE-2017-6502,CVE-2017-7606,CVE-2017-7941,CVE-2017-7942,CVE-2017-7943,CVE-2017-8343,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8347,CVE-2017-8348,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8354,CVE-2017-8355,CVE-2017-8356,CVE-2017-8357,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9141,CVE-2017-9142,CVE-2017-9143,CVE-2017-9144
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-70.1
Comment 12 Swamp Workflow Management 2017-06-14 13:12:53 UTC
openSUSE-SU-2017:1560-1: An update that fixes 27 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1028075,1033091,1034870,1034872,1034876,1036976,1036977,1036978,1036980,1036981,1036982,1036983,1036984,1036985,1036986,1036987,1036988,1036989,1036990,1036991,1037527,1038000,1040025,1040303,1040304,1040306,1040332
CVE References: CVE-2017-6502,CVE-2017-7606,CVE-2017-7941,CVE-2017-7942,CVE-2017-7943,CVE-2017-8343,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8347,CVE-2017-8348,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8354,CVE-2017-8355,CVE-2017-8356,CVE-2017-8357,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9141,CVE-2017-9142,CVE-2017-9143,CVE-2017-9144
Sources used:
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-30.3.1
Comment 13 Václav Šístek 2017-06-14 14:55:22 UTC
While testing the latest fix in GraphicsMagick, I have seen this:

Before the update:
    # valgrind --leak-check=full gm identify memory-leak-in-ReadJNGImage-8.jng
    ...
    gm identify: Bogus Huffman table definition (/tmp/gmqIzBxD).
    ==20938==
    ==20938== HEAP SUMMARY:
    ==20938==     in use at exit: 40 bytes in 2 blocks
    ==20938==   total heap usage: 1,528 allocs, 1,526 frees, 521,450 bytes allocated
    ==20938==
    ==20938== LEAK SUMMARY:
    ==20938==    definitely lost: 0 bytes in 0 blocks
    ==20938==    indirectly lost: 0 bytes in 0 blocks
    ==20938==      possibly lost: 0 bytes in 0 blocks
    ==20938==    still reachable: 40 bytes in 2 blocks
    ==20938==         suppressed: 0 bytes in 0 blocks
    ==20938== Reachable blocks (those to which a pointer was found) are not shown.
    ==20938== To see them, rerun with: --leak-check=full --show-reachable=yes
    ==20938==
    ==20938== For counts of detected and suppressed errors, rerun with: -v
    ==20938== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 4 from 4)

After the update:
    # valgrind --leak-check=full gm identify memory-leak-in-ReadJNGImage-8.jng
    ...
    gm identify: Bogus Huffman table definition (/tmp/gmXU29kS).
    ==23314==
    ==23314== HEAP SUMMARY:
    ==23314==     in use at exit: 11,864 bytes in 6 blocks
    ==23314==   total heap usage: 1,525 allocs, 1,519 frees, 521,258 bytes allocated
    ==23314==
    ==23314== 11,256 (6,840 direct, 4,416 indirect) bytes in 1 blocks are definitely lost in loss record 6 of 6
    ==23314==    at 0x4C29F09: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==23314==    by 0x4EF4116: AllocateImage (in /usr/lib64/libGraphicsMagick.so.2.0.5)
    ==23314==    by 0x8097BF7: ???
    ==23314==    by 0x4EA844C: ReadImage (in /usr/lib64/libGraphicsMagick.so.2.0.5)
    ==23314==    by 0x4F0460D: ReadStream (in /usr/lib64/libGraphicsMagick.so.2.0.5)
    ==23314==    by 0x4EA9228: PingImage (in /usr/lib64/libGraphicsMagick.so.2.0.5)
    ==23314==    by 0x4E8ED17: IdentifyImageCommand (in /usr/lib64/libGraphicsMagick.so.2.0.5)
    ==23314==    by 0x4E7B673: MagickCommand (in /usr/lib64/libGraphicsMagick.so.2.0.5)
    ==23314==    by 0x4E7B7EE: GMCommand (in /usr/lib64/libGraphicsMagick.so.2.0.5)
    ==23314==    by 0x7729C35: (below main) (in /lib64/libc-2.11.3.so)
    ==23314==
    ==23314== LEAK SUMMARY:
    ==23314==    definitely lost: 6,840 bytes in 1 blocks
    ==23314==    indirectly lost: 4,416 bytes in 2 blocks
    ==23314==      possibly lost: 0 bytes in 0 blocks
    ==23314==    still reachable: 608 bytes in 3 blocks
    ==23314==         suppressed: 0 bytes in 0 blocks
    ==23314== Reachable blocks (those to which a pointer was found) are not shown.
    ==23314== To see them, rerun with: --leak-check=full --show-reachable=yes
    ==23314==
    ==23314== For counts of detected and suppressed errors, rerun with: -v
    ==23314== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 4)

Seems like a new leak was introduced.
Comment 14 Petr Gajdos 2017-06-15 09:29:15 UTC
(In reply to Václav Šístek from comment #13)
> Seems like a new leak was introduced.

Yes, I can confirm this statement. The offending hunk is that one discussed in bug 1040304 comment 12.
Comment 15 Petr Gajdos 2017-06-16 08:54:18 UTC
The issue described in comment 14 manifests itself also with GraphicsMagick-1.3.25 in Tumbleweed.
Comment 16 Petr Gajdos 2017-06-16 09:11:39 UTC
Even the latest png.c decoder exposes the issue.
Comment 17 Petr Gajdos 2017-06-16 09:20:56 UTC
Author (Bob Friesenhahn) notified.
Comment 19 Swamp Workflow Management 2017-06-19 10:11:50 UTC
SUSE-SU-2017:1599-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033091,1034870,1034872,1034876,1036976,1036978,1036980,1036981,1036983,1036984,1036985,1036986,1036987,1036988,1036989,1036990,1037527,1038000,1040025,1040303,1040304,1040306,1040332
CVE References: CVE-2014-9846,CVE-2016-10050,CVE-2017-7606,CVE-2017-7941,CVE-2017-7942,CVE-2017-7943,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8348,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8354,CVE-2017-8355,CVE-2017-8357,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9141,CVE-2017-9142,CVE-2017-9143,CVE-2017-9144
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.77.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.77.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.77.1
Comment 20 Swamp Workflow Management 2017-06-19 13:11:10 UTC
SUSE-SU-2017:1600-1: An update that fixes 17 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033091,1034876,1036978,1036980,1036981,1036984,1036985,1036986,1036987,1036988,1036990,1037527,1038000,1040025,1040304,1040332,984144
CVE References: CVE-2014-9847,CVE-2017-7606,CVE-2017-7941,CVE-2017-8344,CVE-2017-8345,CVE-2017-8346,CVE-2017-8349,CVE-2017-8350,CVE-2017-8351,CVE-2017-8352,CVE-2017-8353,CVE-2017-8355,CVE-2017-8765,CVE-2017-8830,CVE-2017-9098,CVE-2017-9142,CVE-2017-9144
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.77.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.77.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.77.1
Comment 22 Petr Gajdos 2017-06-26 07:47:08 UTC
Packages submitted to 42.2/GraphicsMagick and 11/GraphicsMagick.
Comment 23 Bernhard Wiedemann 2017-06-26 08:00:47 UTC
This is an autogenerated message for OBS integration:
This bug (1036985) was mentioned in
https://build.opensuse.org/request/show/506174 42.2 / GraphicsMagick
Comment 25 Bernhard Wiedemann 2017-06-30 16:01:02 UTC
This is an autogenerated message for OBS integration:
This bug (1036985) was mentioned in
https://build.opensuse.org/request/show/507403 Factory / GraphicsMagick
Comment 27 Swamp Workflow Management 2017-07-06 19:10:31 UTC
openSUSE-SU-2017:1798-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1036985
CVE References: CVE-2017-8350
Sources used:
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-11.12.3
Comment 30 Petr Gajdos 2017-08-14 14:08:53 UTC
GraphicsMagick mercurial master is fixed.
Comment 33 Swamp Workflow Management 2017-08-22 16:08:06 UTC
SUSE-SU-2017:2229-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1036985,1042826,1043289,1049072,1050611,1050674
CVE References: CVE-2017-11403,CVE-2017-11636,CVE-2017-11643,CVE-2017-8350,CVE-2017-9439,CVE-2017-9501
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.78.9.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.9.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.9.1
Comment 34 Marcus Meissner 2017-08-25 12:42:25 UTC
released
Comment 35 Petr Gajdos 2017-09-08 10:51:07 UTC
As upstream notified me, 'GraphicsMagick mercurial master is fixed.' is still not true, but Glenn should be working on it.
Comment 36 Petr Gajdos 2017-09-08 10:52:45 UTC
I get:

$ valgrind --tool=memcheck --leak-check=full --read-var-info=yes  --error-exitcode=2 --track-origins=yes --num-callers=12 --quiet gm identify *.jng
gm identify: Bogus Huffman table definition (/tmp/gmUNhZqr).
gm identify: Request did not return an image.
==31646== 13,136 (6,864 direct, 6,272 indirect) bytes in 1 blocks are definitely lost in loss record 23 of 23
==31646==    at 0x4C2D08F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31646==    by 0x4F3E6A5: MagickMalloc (memory.c:156)
==31646==    by 0x4F22238: AllocateImage (image.c:336)
==31646==    by 0x7ADB4FD: ???
==31646==    by 0x4EE40D9: ReadImage (constitute.c:1607)
==31646==    by 0x4EE3705: PingImage (constitute.c:1370)
==31646==    by 0x4EB5D5B: IdentifyImageCommand (command.c:8379)
==31646==    by 0x4EB7329: MagickCommand (command.c:8869)
==31646==    by 0x4ED2E31: GMCommandSingle (command.c:17396)
==31646==    by 0x4ED2F65: GMCommand (command.c:17449)
==31646==    by 0x108799: main (gm.c:61)
==31646==
$