Bug 1043291 - (CVE-2017-9499) VUL-2: CVE-2017-9499: ImageMagick: in version 7.0.5-7 Q16, an assertion failure was found, which could lead to denial of service (mpc.c)
(CVE-2017-9499)
VUL-2: CVE-2017-9499: ImageMagick: in version 7.0.5-7 Q16, an assertion failu...
Status: RESOLVED WORKSFORME
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Petr Gajdos
Security Team bot
https://smash.suse.de/issue/186404/
CVSSv2:NVD:CVE-2017-9499:4.3:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-08 06:36 UTC by Victor Pereira
Modified: 2020-05-12 18:04 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2017-06-08 06:36:01 UTC
CVE-2017-9499

In ImageMagick 7.0.5-7 Q16, an assertion failure was found in the function
SetPixelChannelAttributes, which allows attackers to cause a denial of service
via a crafted file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9499
http://www.cvedetails.com/cve/CVE-2017-9499/
https://github.com/ImageMagick/ImageMagick/commit/7fd419441bc7103398e313558171d342c6315f44
https://github.com/ImageMagick/ImageMagick/issues/492
Comment 1 Marcus Meissner 2017-09-27 14:08:21 UTC
defined abort, can be defered.
Comment 2 Petr Gajdos 2018-03-06 10:31:58 UTC
BEFORE

12/ImageMagick

$ valgrind -q convert assertion-failed-in-SetPixelChannelAttributes-pixel-accessor695 out.png
convert: incompatible API `assertion-failed-in-SetPixelChannelAttributes-pixel-accessor695' @ error/mpc.c/ReadMPCImage/785.
convert: no images defined `out.png' @ error/convert.c/ConvertImageCommand/3149.
$

11/ImageMagick

$ valgrind -q convert assertion-failed-in-SetPixelChannelAttributes-pixel-accessor695 out.png
convert: unable to open cache `assertion-failed-in-SetPixelChannelAttributes-pixel-accessor695': No such file or directory.
convert: unable to persist pixel cache `assertion-failed-in-SetPixelChannelAttributes-pixel-accessor695'.
convert: missing an image filename `out.png'.
$

11/GraphicsMagick

$ valgrind -q gm convert assertion-failed-in-SetPixelChannelAttributes-pixel-accessor695 out.png
gm convert: Improper image header (assertion-failed-in-SetPixelChannelAttributes-pixel-accessor695).
$

42.3/GraphicsMagick

$ valgrind -q gm convert assertion-failed-in-SetPixelChannelAttributes-pixel-accessor695 out.png
gm convert: Improper image header (assertion-failed-in-SetPixelChannelAttributes-pixel-accessor695).
$

PATCH

comment 0

There's no case 'N': branch of the switch. Seem to be ImageMagick 7 only.



AFTER