Bug 1078433 – VUL-1: CVE-2018-6405: GraphicsMagick,ImageMagick: In the ReadDCMImage function in coders/dcm.c in ImageMagick before 7.0.7-23,each redmap, greenmap, and bluemap variable can be overwritten by a new pointer.The previous pointer is lost, wh

Bug 1078433 - (CVE-2018-6405) VUL-1: CVE-2018-6405: GraphicsMagick,ImageMagick: In the ReadDCMImage function in coders/dcm.c in ImageMagick before 7.0.7-23,each redmap, greenmap, and bluemap variable can be overwritten by a new pointer.The previous pointer is lost, wh

(CVE-2018-6405)
Summary:	VUL-1: CVE-2018-6405: GraphicsMagick,ImageMagick: In the ReadDCMImage functio...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/199245/
Whiteboard:	CVSSv3:SUSE:CVE-2018-6405:4.3:(AV:N/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2018-01-31 08:02 UTC by Marcus Meissner
Modified:	2019-01-03 23:37 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
crashes.zip (615 bytes, application/octet-stream) 2018-01-31 08:05 UTC, Marcus Meissner	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2018-01-31 08:02:55 UTC

CVE-2018-6405

In the ReadDCMImage function in coders/dcm.c in ImageMagick before 7.0.7-23,
each redmap, greenmap, and bluemap variable can be overwritten by a new pointer.
The previous pointer is lost, which leads to a memory leak. This allows remote
attackers to cause a denial of service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6405
http://www.cvedetails.com/cve/CVE-2018-6405/
https://github.com/ImageMagick/ImageMagick/issues/964

Comment 1 Marcus Meissner 2018-01-31 08:05:34 UTC

Created attachment 758189 [details]
crashes.zip

QA REPRODUCER:

unpack zip file

ImageMagick:

valgrind --leak-check=full convert leak1.dcm foo.jpg

valgrind --leak-check=full convert leak2.dcm foo.jpg

valgrind --leak-check=full convert leak3.dcm foo.jpg

Comment 2 Marcus Meissner 2018-01-31 08:07:25 UTC

QA REPRODUCER:

for GHraphicsMagick:

valgrind --leak-check=full gm convert leak1.dcm foo.jpg

valgrind --leak-check=full gm convert leak2.dcm foo.jpg

valgrind --leak-check=full gm convert leak3.dcm foo.jpg

Comment 3 Marcus Meissner 2018-01-31 08:08:01 UTC

ImageMagick affected everywhere

GraphicsMagick affected on SLE11, but apparently not on Leap 42 or newer

Comment 4 Petr Gajdos 2018-02-09 09:32:25 UTC

BEFORE

12/ImageMagick

$ valgrind -q --leak-check=full convert leak1.dcm out.png
convert: insufficient image data in file `leak1.dcm' @ error/dcm.c/ReadDCMImage/3075.
convert: no images defined `out.png' @ error/convert.c/ConvertImageCommand/3149.
==28588== 24 bytes in 2 blocks are definitely lost in loss record 6 of 10
==28588==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==28588==    by 0x8437B0A: ???
==28588==    by 0x4EBFE1A: ReadImage (constitute.c:601)
==28588==    by 0x4EC0EDA: ReadImages (constitute.c:907)
==28588==    by 0x5319B8E: ConvertImageCommand (convert.c:617)
==28588==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==28588==    by 0x400836: ConvertMain (convert.c:81)
==28588==    by 0x400836: main (convert.c:92)
==28588== 
$
$ valgrind -q --leak-check=full convert leak2.dcm out.png
convert: unexpected end-of-file `leak2.dcm': No such file or directory @ error/dcm.c/ReadDCMImage/3506.
convert: improper image header `leak2.dcm' @ error/dcm.c/ReadDCMImage/3511.
convert: no images defined `out.png' @ error/convert.c/ConvertImageCommand/3149.
==28593== 104 bytes in 2 blocks are definitely lost in loss record 10 of 11
==28593==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==28593==    by 0x8439382: ???
==28593==    by 0x4EBFE1A: ReadImage (constitute.c:601)
==28593==    by 0x4EC0EDA: ReadImages (constitute.c:907)
==28593==    by 0x5319B8E: ConvertImageCommand (convert.c:617)
==28593==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==28593==    by 0x400836: ConvertMain (convert.c:81)
==28593==    by 0x400836: main (convert.c:92)
==28593== 
==28593== 208 bytes in 2 blocks are definitely lost in loss record 11 of 11
==28593==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==28593==    by 0x84390A2: ???
==28593==    by 0x4EBFE1A: ReadImage (constitute.c:601)
==28593==    by 0x4EC0EDA: ReadImages (constitute.c:907)
==28593==    by 0x5319B8E: ConvertImageCommand (convert.c:617)
==28593==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==28593==    by 0x400836: ConvertMain (convert.c:81)
==28593==    by 0x400836: main (convert.c:92)
==28593== 
$
$ valgrind -q --leak-check=full convert leak3.dcm out.png
convert: insufficient image data in file `leak3.dcm' @ error/dcm.c/ReadDCMImage/3075.
convert: no images defined `out.png' @ error/convert.c/ConvertImageCommand/3149.
==28596== 392 bytes in 2 blocks are definitely lost in loss record 10 of 10
==28596==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==28596==    by 0x8437A21: ???
==28596==    by 0x4EBFE1A: ReadImage (constitute.c:601)
==28596==    by 0x4EC0EDA: ReadImages (constitute.c:907)
==28596==    by 0x5319B8E: ConvertImageCommand (convert.c:617)
==28596==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==28596==    by 0x400836: ConvertMain (convert.c:81)
==28596==    by 0x400836: main (convert.c:92)
==28596== 
$

11/ImageMagick

$ valgrind -q --leak-check=full convert leak1.dcm out.png
convert: Insufficient image data in file `leak1.dcm'.
convert: missing an image filename `out.png'.
$
$ valgrind -q --leak-check=full convert leak2.dcm out.png
convert: Unexpected end-of-file `leak2.dcm': No such file or directory.
convert: Improper image header `leak2.dcm'.
convert: missing an image filename `out.png'.
==15458== 
==15458== 104 bytes in 2 blocks are definitely lost in loss record 2 of 2
==15458==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==15458==    by 0x9F272D1: ???
==15458==    by 0x4E94D87: ReadImage (constitute.c:441)
==15458==    by 0x5292BC3: ConvertImageCommand (convert.c:565)
==15458==    by 0x400F73: main (convert.c:122)
$
$ valgrind -q --leak-check=full convert leak3.dcm out.png
convert: Insufficient image data in file `leak3.dcm'.
convert: missing an image filename `out.png'.
$

11/GraphicsMagick

$ valgrind -q --leak-check=full gm convert leak1.dcm out.png
gm convert: Insufficient image data in file (leak1.dcm).
$
$ valgrind -q --leak-check=full gm convert leak2.dcm out.png
gm convert: Unexpected end-of-file (leak2.dcm).
==15483== 
==15483== 104 bytes in 2 blocks are definitely lost in loss record 2 of 2
==15483==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==15483==    by 0x86B0245: ???
==15483==    by 0x4EA01CC: ReadImage (constitute.c:6000)
==15483==    by 0x4E8CBCF: ConvertImageCommand (command.c:3171)
==15483==    by 0x4E73683: MagickCommand (command.c:7657)
==15483==    by 0x4E737FE: GMCommand (command.c:15277)
==15483==    by 0x76E2585: (below main) (in /lib64/libc-2.9.so)
$
$ valgrind -q --leak-check=full gm convert leak3.dcm out.png
gm convert: Insufficient image data in file (leak3.dcm).
$

42.3/GraphicsMagick

$ valgrind -q --leak-check=full gm convert leak1.dcm out.png
gm convert: Improper image header (leak1.dcm).
$
$ valgrind -q --leak-check=full gm convert leak2.dcm out.png
gm convert: Unexpected end-of-file (leak2.dcm).
$
$ valgrind -q --leak-check=full gm convert leak3.dcm out.png
gm convert: Insufficient image data in file (leak3.dcm).
$

PATCH

https://github.com/ImageMagick/ImageMagick/commit/fb0a464122e0d8a1e1e31f6cd6d3f4d085fa8fb0

and I will use also similar

https://github.com/ImageMagick/ImageMagick/commit/4679dc1cfb1e1d53c3510deeab47e4c7cc754a4c

and 

https://github.com/ImageMagick/ImageMagick/commit/caedfada2addf611eebb8c88477a47c6c2f641ca

12/ImageMagick: affected, will be patched
11/ImageMagick: only graymap code, will be patched
11/GraphicsMagick: only graymap code, will be patched
42.3/GraphicsMagick: only graymap, but different approach; as valgrind does not complain, considering not affected

AFTER

12/ImageMagick

$ valgrind -q --leak-check=full convert leak1.dcm out.png
convert: insufficient image data in file `leak1.dcm' @ error/dcm.c/ReadDCMImage/3083.
convert: no images defined `out.png' @ error/convert.c/ConvertImageCommand/3149.
$
$ valgrind -q --leak-check=full convert leak2.dcm out.png
convert: unexpected end-of-file `leak2.dcm': No such file or directory @ error/dcm.c/ReadDCMImage/3522.
convert: improper image header `leak2.dcm' @ error/dcm.c/ReadDCMImage/3527.
convert: no images defined `out.png' @ error/convert.c/ConvertImageCommand/3149.
$
$ valgrind -q --leak-check=full convert leak3.dcm out.png
convert: insufficient image data in file `leak3.dcm' @ error/dcm.c/ReadDCMImage/3083.
convert: no images defined `out.png' @ error/convert.c/ConvertImageCommand/3149.
$

11/ImageMagick:

$ valgrind -q --leak-check=full convert leak1.dcm out.png
convert: Insufficient image data in file `leak1.dcm'.
convert: missing an image filename `out.png'.
$
$ valgrind -q --leak-check=full convert leak2.dcm out.png
convert: Unexpected end-of-file `leak2.dcm': No such file or directory.
convert: Improper image header `leak2.dcm'.
convert: missing an image filename `out.png'.
$
$ valgrind -q --leak-check=full convert leak3.dcm out.png
convert: Insufficient image data in file `leak3.dcm'.
convert: missing an image filename `out.png'.
$

11/GraphicsMagick:

$ valgrind -q --leak-check=full gm convert leak1.dcm out.png
gm convert: Insufficient image data in file (leak1.dcm).
$
$ valgrind -q --leak-check=full gm convert leak2.dcm out.png
gm: symbol lookup error: /usr/lib64/GraphicsMagick-1.2.5/modules-Q8/coders/dcm.so: undefined symbol: RelinquishMagickMemory
$
$ valgrind -q --leak-check=full gm convert leak3.dcm out.png
gm convert: Insufficient image data in file (leak3.dcm).
$

Comment 5 Petr Gajdos 2018-02-09 09:32:45 UTC

Will submit for: 12/ImageMagick, 11/ImageMagick and 11/GraphicsMagick

Comment 6 Petr Gajdos 2018-02-09 16:02:06 UTC

I believe all fixed.

Comment 13 Swamp Workflow Management 2018-02-20 14:11:11 UTC

SUSE-SU-2018:0486-1: An update that fixes 24 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042824,1048110,1049374,1049375,1050048,1050617,1050669,1052207,1052248,1052251,1052254,1052472,1052688,1052711,1052747,1052750,1052761,1055069,1055229,1058009,1074119,1076182,1078433
CVE References: CVE-2017-11166,CVE-2017-11448,CVE-2017-11450,CVE-2017-11537,CVE-2017-11637,CVE-2017-11638,CVE-2017-11642,CVE-2017-12418,CVE-2017-12427,CVE-2017-12429,CVE-2017-12432,CVE-2017-12566,CVE-2017-12654,CVE-2017-12664,CVE-2017-12665,CVE-2017-12668,CVE-2017-12674,CVE-2017-13058,CVE-2017-13131,CVE-2017-14224,CVE-2017-17885,CVE-2017-18028,CVE-2017-9407,CVE-2018-6405
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.34.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.34.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.34.1

Comment 14 Swamp Workflow Management 2018-02-22 14:11:04 UTC

SUSE-SU-2018:0524-1: An update that fixes 20 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042824,1047900,1049374,1049375,1050617,1050669,1052248,1052251,1052254,1052472,1052688,1055069,1055229,1058009,1072934,1073081,1074307,1076182,1078433
CVE References: CVE-2017-11140,CVE-2017-11448,CVE-2017-11450,CVE-2017-11637,CVE-2017-11638,CVE-2017-11642,CVE-2017-12427,CVE-2017-12429,CVE-2017-12432,CVE-2017-12566,CVE-2017-12668,CVE-2017-13058,CVE-2017-13131,CVE-2017-14224,CVE-2017-17502,CVE-2017-17503,CVE-2017-17912,CVE-2017-18028,CVE-2017-9407,CVE-2018-6405
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.78.38.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.38.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.38.1

Comment 15 Swamp Workflow Management 2018-03-01 20:19:20 UTC

SUSE-SU-2018:0581-1: An update that fixes 35 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042824,1042911,1048110,1048272,1049374,1049375,1050048,1050119,1050122,1050126,1050132,1050617,1052207,1052248,1052251,1052254,1052472,1052688,1052711,1052747,1052750,1052754,1052761,1055069,1055229,1056768,1057163,1058009,1072898,1074119,1074170,1075821,1076182,1078433
CVE References: CVE-2017-11166,CVE-2017-11170,CVE-2017-11448,CVE-2017-11450,CVE-2017-11528,CVE-2017-11530,CVE-2017-11531,CVE-2017-11533,CVE-2017-11537,CVE-2017-11638,CVE-2017-11642,CVE-2017-12418,CVE-2017-12427,CVE-2017-12429,CVE-2017-12432,CVE-2017-12566,CVE-2017-12654,CVE-2017-12663,CVE-2017-12664,CVE-2017-12665,CVE-2017-12668,CVE-2017-12674,CVE-2017-13058,CVE-2017-13131,CVE-2017-14060,CVE-2017-14139,CVE-2017-14224,CVE-2017-17682,CVE-2017-17885,CVE-2017-17934,CVE-2017-18028,CVE-2017-9405,CVE-2017-9407,CVE-2018-5357,CVE-2018-6405
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.42.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.42.1

Comment 16 Andreas Stieger 2018-03-06 19:44:24 UTC

Releasing for Leap, showing as done otherwise

Comment 17 Swamp Workflow Management 2018-03-06 23:17:52 UTC

openSUSE-SU-2018:0621-1: An update that fixes 35 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042824,1042911,1048110,1048272,1049374,1049375,1050048,1050119,1050122,1050126,1050132,1050617,1052207,1052248,1052251,1052254,1052472,1052688,1052711,1052747,1052750,1052754,1052761,1055069,1055229,1056768,1057163,1058009,1072898,1074119,1074170,1075821,1076182,1078433
CVE References: CVE-2017-11166,CVE-2017-11170,CVE-2017-11448,CVE-2017-11450,CVE-2017-11528,CVE-2017-11530,CVE-2017-11531,CVE-2017-11533,CVE-2017-11537,CVE-2017-11638,CVE-2017-11642,CVE-2017-12418,CVE-2017-12427,CVE-2017-12429,CVE-2017-12432,CVE-2017-12566,CVE-2017-12654,CVE-2017-12663,CVE-2017-12664,CVE-2017-12665,CVE-2017-12668,CVE-2017-12674,CVE-2017-13058,CVE-2017-13131,CVE-2017-14060,CVE-2017-14139,CVE-2017-14224,CVE-2017-17682,CVE-2017-17885,CVE-2017-17934,CVE-2017-18028,CVE-2017-9405,CVE-2017-9407,CVE-2018-5357,CVE-2018-6405
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-55.1

Comment 20 Petr Gajdos 2018-10-31 15:23:48 UTC

I had discovered a regression due fix for 11/ImageMagick, package resubmitted.

Comment 21 Petr Gajdos 2018-10-31 15:24:42 UTC

(In reply to Petr Gajdos from comment #20)
> I had discovered a regression due fix for 11/ImageMagick, package
> resubmitted.

11/GraphicsMagick, actually.

Comment 22 Swamp Workflow Management 2019-01-03 20:09:16 UTC

SUSE-SU-2019:13923-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042911,1052754,1078433,1112392,1112399,1113064,1119822,1119823
CVE References: CVE-2017-10794,CVE-2017-12663,CVE-2017-14997,CVE-2017-9405,CVE-2018-18544,CVE-2018-20184,CVE-2018-20185,CVE-2018-6405
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-78.78.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-78.78.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-78.78.1