Bug 983527 (CVE-2015-8895) - VUL-1: CVE-2015-8895: ImageMagick: Integer and Buffer overflow in coders/icon.c
Summary: VUL-1: CVE-2015-8895: ImageMagick: Integer and Buffer overflow in coders/icon.c
Status: RESOLVED FIXED
Alias: CVE-2015-8895
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Assignee: Petr Gajdos
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-07 15:12 UTC by Marcus Meissner
Modified: 2016-07-20 10:12 UTC (History)
0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
corruption.ico (170.36 KB, application/octet-stream)
2016-06-07 15:14 UTC, Marcus Meissner 		Details
corruption2.ico (170.36 KB, application/octet-stream)
2016-06-07 15:17 UTC, Marcus Meissner 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2016-06-07 15:12:50 UTC 
via oss-sec

    2) pict/icon processing issues:
    Integer and Buffer overflow in coders/icon.c 
    https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1459747
    Reportedly fixed with:
    https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734


Use CVE-2015-8895 for the "Memory is allocated based on the sum of a
user-supplied value and a fixed value. That sum can overflow, causing
only a small amount of memory to be allocated, while the program
assumes more was allocated." It is possible that
0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734 also fixes other issues that
are outside the scope of this CVE.
Comment 1 Marcus Meissner 2016-06-07 15:14:52 UTC 
Created attachment 679923 [details]
corruption.ico

QA REPRODUCER:

convert corruption.ico /dev/null

should not crash
Comment 2 Marcus Meissner 2016-06-07 15:17:16 UTC 
Created attachment 679924 [details]
corruption2.ico

QA REPRODUCER:

convert corruption2.ico /dev/null 

or

gm convert corruption2.ico /dev/null
Comment 3 Marcus Meissner 2016-06-07 15:18:55 UTC 
supposedly only reproduces on 32bit.

however on a sle11 system neither graphicsmagic nor imagemagick crash.
Comment 4 Swamp Workflow Management 2016-06-07 22:01:23 UTC 
bugbot adjusting priority
Comment 5 Petr Gajdos 2016-06-09 08:02:15 UTC 
I get 'improper image header' error and clean exit for GraphicsMagick on i586, for ImageMagick I indeed get a crash in i586 and 13.2 and 12, only valgrind error on 11.
Comment 6 Petr Gajdos 2016-06-09 08:13:58 UTC 
AFTER (13.2)
$ convert corruption.ico bleble.gif
983527: memory allocation failed `corruption.ico' @ error/icon.c/ReadICONImage/351.
983527: no images defined `bleble.gif' @ error/convert.c/ConvertImageCommand/3187.
$
Comment 7 Petr Gajdos 2016-06-09 08:25:56 UTC 
Probably because 'Icon image encoded as a compressed PNG image' feature was added later (not checked) the code is there only for 13.2/ImageMagick and 12/ImageMagick. Considering others not affected.
Comment 8 Petr Gajdos 2016-06-09 08:26:34 UTC 
(the valgrind error in 11/ImageMagick is probably another problem)
Comment 9 Petr Gajdos 2016-06-23 13:06:54 UTC 
I believe all fixed.
Comment 10 Bernhard Wiedemann 2016-06-23 14:01:52 UTC 
This is an autogenerated message for OBS integration:
This bug (983527) was mentioned in
https://build.opensuse.org/request/show/404239 13.2 / ImageMagick
Comment 13 Bernhard Wiedemann 2016-06-29 14:02:01 UTC 
This is an autogenerated message for OBS integration:
This bug (983527) was mentioned in
https://build.opensuse.org/request/show/405459 13.2 / ImageMagick
Comment 14 Swamp Workflow Management 2016-07-06 19:06:08 UTC 
openSUSE-SU-2016:1748-1: An update that fixes 68 vulnerabilities is now available.

Category: security (important)
Bug References: 983232,983234,983253,983259,983292,983305,983308,983521,983523,983527,983533,983739,983746,983752,983774,983794,983796,983799,983803,984014,984018,984023,984028,984032,984035,984135,984137,984142,984144,984145,984149,984150,984160,984166,984172,984179,984181,984183,984184,984185,984186,984187,984191,984193,984370,984372,984373,984374,984375,984379,984394,984398,984400,984401,984404,984406,984408,984409,984427,984433,984436,985442,985448,985451,985456,985460,986608,986609
CVE References: CVE-2014-9805,CVE-2014-9806,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9812,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9821,CVE-2014-9822,CVE-2014-9823,CVE-2014-9824,CVE-2014-9825,CVE-2014-9826,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9832,CVE-2014-9833,CVE-2014-9834,CVE-2014-9835,CVE-2014-9836,CVE-2014-9837,CVE-2014-9838,CVE-2014-9839,CVE-2014-9840,CVE-2014-9841,CVE-2014-9842,CVE-2014-9843,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9848,CVE-2014-9849,CVE-2014-9850,CVE-2014-9851,CVE-2014-9852,CVE-2014-9853,CVE-2014-9854,CVE-2015-8894,CVE-2015-8895,CVE-2015-8896,CVE-2015-8897,CVE-2015-8898,CVE-2015-8900,CVE-2015-8901,CVE-2015-8902,CVE-2015-8903,CVE-2016-4562,CVE-2016-4563,CVE-2016-4564,CVE-2016-5687,CVE-2016-5688,CVE-2016-5689,CVE-2016-5690,CVE-2016-5691,CVE-2016-5841,CVE-2016-5842
Sources used:
openSUSE 13.2 (src):    ImageMagick-6.8.9.8-26.1
Comment 15 Swamp Workflow Management 2016-07-11 14:28:33 UTC 
SUSE-SU-2016:1784-1: An update that fixes 68 vulnerabilities is now available.

Category: security (important)
Bug References: 983232,983234,983253,983259,983292,983305,983308,983521,983523,983527,983533,983739,983746,983752,983774,983794,983796,983799,983803,984014,984018,984023,984028,984032,984035,984135,984137,984142,984144,984145,984149,984150,984160,984166,984172,984179,984181,984183,984184,984185,984186,984187,984191,984193,984370,984372,984373,984374,984375,984379,984394,984398,984400,984401,984404,984406,984408,984409,984427,984433,984436,985442,985448,985451,985456,985460,986608,986609
CVE References: CVE-2014-9805,CVE-2014-9806,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9812,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9821,CVE-2014-9822,CVE-2014-9823,CVE-2014-9824,CVE-2014-9825,CVE-2014-9826,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9832,CVE-2014-9833,CVE-2014-9834,CVE-2014-9835,CVE-2014-9836,CVE-2014-9837,CVE-2014-9838,CVE-2014-9839,CVE-2014-9840,CVE-2014-9841,CVE-2014-9842,CVE-2014-9843,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9848,CVE-2014-9849,CVE-2014-9850,CVE-2014-9851,CVE-2014-9852,CVE-2014-9853,CVE-2014-9854,CVE-2015-8894,CVE-2015-8895,CVE-2015-8896,CVE-2015-8897,CVE-2015-8898,CVE-2015-8900,CVE-2015-8901,CVE-2015-8902,CVE-2015-8903,CVE-2016-4562,CVE-2016-4563,CVE-2016-4564,CVE-2016-5687,CVE-2016-5688,CVE-2016-5689,CVE-2016-5690,CVE-2016-5691,CVE-2016-5841,CVE-2016-5842
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
Comment 16 Swamp Workflow Management 2016-07-20 10:10:48 UTC 
openSUSE-SU-2016:1833-1: An update that fixes 68 vulnerabilities is now available.

Category: security (important)
Bug References: 983232,983234,983253,983259,983292,983305,983308,983521,983523,983527,983533,983739,983746,983752,983774,983794,983796,983799,983803,984014,984018,984023,984028,984032,984035,984135,984137,984142,984144,984145,984149,984150,984160,984166,984172,984179,984181,984183,984184,984185,984186,984187,984191,984193,984370,984372,984373,984374,984375,984379,984394,984398,984400,984401,984404,984406,984408,984409,984427,984433,984436,985442,985448,985451,985456,985460,986608,986609
CVE References: CVE-2014-9805,CVE-2014-9806,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9812,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9821,CVE-2014-9822,CVE-2014-9823,CVE-2014-9824,CVE-2014-9825,CVE-2014-9826,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9832,CVE-2014-9833,CVE-2014-9834,CVE-2014-9835,CVE-2014-9836,CVE-2014-9837,CVE-2014-9838,CVE-2014-9839,CVE-2014-9840,CVE-2014-9841,CVE-2014-9842,CVE-2014-9843,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9848,CVE-2014-9849,CVE-2014-9850,CVE-2014-9851,CVE-2014-9852,CVE-2014-9853,CVE-2014-9854,CVE-2015-8894,CVE-2015-8895,CVE-2015-8896,CVE-2015-8897,CVE-2015-8898,CVE-2015-8900,CVE-2015-8901,CVE-2015-8902,CVE-2015-8903,CVE-2016-4562,CVE-2016-4563,CVE-2016-4564,CVE-2016-5687,CVE-2016-5688,CVE-2016-5689,CVE-2016-5690,CVE-2016-5691,CVE-2016-5841,CVE-2016-5842
Sources used:
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-15.1