Bug 983253 (CVE-2015-8902) - VUL-1: CVE-2015-8902: ImageMagick: PDB file DoS (CPU consumption)
Summary: VUL-1: CVE-2015-8902: ImageMagick: PDB file DoS (CPU consumption)
Status: RESOLVED FIXED
Alias: CVE-2015-8902
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P4 - Low / Normal
Target Milestone: ---
Assignee: Petr Gajdos
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/169808/
Whiteboard: CVSSv2:SUSE:CVE-2015-8902:5.0:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-06 11:39 UTC by Marcus Meissner
Modified: 2019-10-23 14:39 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
CVE-2015-8902.pdb (409 bytes, application/octet-stream)
2016-06-06 11:41 UTC, Marcus Meissner

Comment 1 Marcus Meissner 2016-06-06 11:41:14 UTC
Created attachment 679673 [details]
CVE-2015-8902.pdb

QA REPRODUCER:

identify CVE-2015-8902.pdb

gm identify CVE-2015-8902.pdb
Comment 2 Marcus Meissner 2016-06-06 11:41:34 UTC
GraphicsMagick does not hang:

$ gm identify CVE-2015-8902.pdb
CVE-2015-8902.pdb PDB 32x54+0+0 PseudoClass 4c 8-bit 409 0.000u 0:01
$
Comment 3 Marcus Meissner 2016-06-06 12:06:26 UTC
From the bug report:
---
I did run it through valgrind --tool=callgrind for about 20-30 seconds or so. When I pulled it into kcachegrind it apparently spent 1.3B calls in ReadBlobByte. It looks like the loop is on line 372 of coders/pdb.c while reading the pad.
---
Comment 4 Swamp Workflow Management 2016-06-06 22:01:54 UTC
bugbot adjusting priority
Comment 5 Petr Gajdos 2016-06-07 07:39:35 UTC
www.imagemagick.org says:

The authoritative ImageMagick web site is http://www.imagemagick.org. The authoritative source code repository is http://git.imagemagick.org/repos/ImageMagick. We maintain a source code mirror at GitLab and GitHub.

So it seems that trac links are now useless.
Comment 6 Petr Gajdos 2016-06-07 08:31:44 UTC
(In reply to Marcus Meissner from comment #1)
> QA REPRODUCER:
> 
> identify CVE-2015-8902.pdb

(In reply to Marcus Meissner from comment #2)
> graphicsmagic does not hang:
> 
> $ gm identify CVE-2015-8902.pdb
> CVE-2015-8902.pdb PDB 32x54+0+0 PseudoClass 4c 8-bit 409 0.000u 0:01
> $

Both are true for all versions we maintain.
Comment 7 Petr Gajdos 2016-06-07 08:51:38 UTC
https://subversion.imagemagick.org is also down, in case someone has the idea that the changeset number from the trac link would correspond to some svn commit number. Unfortunately, I have no offline checkout of ImageMagick from the past.
Comment 8 Petr Gajdos 2016-06-07 08:54:29 UTC
And no,

http://git.imagemagick.org/repos/ImageMagick/commits/master?utf8=%E2%9C%93&search=26932

does not work either.
Comment 9 Petr Gajdos 2016-06-07 11:35:58 UTC
The backtrace of the hang:

#0  0x00007ffff79811cf in ReadBlobByte (image=image@entry=0x61dc10) at magick/blob.c:3017
#1  0x00007ffff3e5c888 in ReadPDBImage (image_info=0x60e190, exception=0x6053f0) at coders/pdb.c:373
#2  0x00007ffff79b6fb8 in ReadImage (image_info=image_info@entry=0x6097e0, exception=exception@entry=0x6053f0) at magick/constitute.c:547
#3  0x00007ffff79b808b in ReadImages (image_info=image_info@entry=0x6097e0, exception=exception@entry=0x6053f0) at magick/constitute.c:853
#4  0x00007ffff764ffa1 in ConvertImageCommand (image_info=0x6097e0, argc=3, argv=0x6042b0, metadata=0x0, exception=0x6053f0) at wand/convert.c:619
#5  0x00007ffff76bc773 in MagickCommandGenesis (image_info=image_info@entry=0x605630, command=0x4008b0 <ConvertImageCommand@plt>, argc=argc@entry=3, argv=argv@entry=0x7fffffffe7c8, 
    metadata=metadata@entry=0x0, exception=exception@entry=0x6053f0) at wand/mogrify.c:168
#6  0x0000000000400927 in ConvertMain (argv=0x7fffffffe7c8, argc=3) at utilities/convert.c:81
#7  main (argc=3, argv=0x7fffffffe7c8) at utilities/convert.c:92

and the date of the comment

http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26932#p119111

points to 

https://github.com/ImageMagick/ImageMagick/commit/89f839d02a8f261c94f7f7075c3cf90724802958
Comment 10 Petr Gajdos 2016-06-07 11:38:54 UTC
GraphicsMagick does not have

while (num_pad_bytes--) ReadBlobByte( image );

code, so it is considered not vulnerable.
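An added illustration (not ImageMagick's code and not the upstream fix) of why the loop quoted above spins on a crafted count and how a bounded version refuses it at once. The Blob type, the pad_from_header derivation and the helper names are assumptions made for this example; the file body is constructed.

```c
/* Added example, not ImageMagick code: an in-memory reader modelled on
   ReadBlobByte, the pad-skipping loop from the bug, and a bounded version. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { const unsigned char *data; size_t size; size_t pos; } Blob;
/* Like ReadBlobByte: next byte, or EOF once the input is exhausted. */
static int blob_read_byte(Blob *b) {
    if (b->pos >= b->size) return EOF;
    return b->data[b->pos++];
}

/* Hypothetical derivation of the pad length: first record offset minus the
   bytes already consumed. An offset smaller than the consumed count wraps
   to a value in the billions, the scale the callgrind run showed. */
static size_t pad_from_header(uint32_t record_offset, uint32_t consumed) {
    return (size_t)(uint32_t)(record_offset - consumed);
}

/* The loop quoted in comment 10: the count is trusted and EOF is ignored,
   so every iteration past the end of the file is a wasted call. Returns the
   number of reads made, which always equals num_pad_bytes. */
static unsigned long skip_pad_unchecked(Blob *b, size_t num_pad_bytes) {
    unsigned long reads = 0;
    while (num_pad_bytes--) { (void)blob_read_byte(b); reads++; }
    return reads;
}

/* Bounded version: reject a pad larger than what is left in the file and
   stop on EOF. Returns bytes skipped, or -1 for a corrupt header. */
static long skip_pad_checked(Blob *b, size_t num_pad_bytes) {
    if (num_pad_bytes > b->size - b->pos) return -1;
    for (size_t i = 0; i < num_pad_bytes; i++)
        if (blob_read_byte(b) == EOF) return -1;
    return (long)num_pad_bytes;
}

/* Constructed stand-in for a small PDB file body (all zero bytes); the
   helpers below run each loop over a file of the requested size. */
static const unsigned char sample[1024];
static long run_checked(size_t file_size, size_t pad) {
    Blob b = { sample, file_size < sizeof sample ? file_size : sizeof sample, 0 };
    return skip_pad_checked(&b, pad);
}
static unsigned long run_unchecked(size_t file_size, size_t pad) {
    Blob b = { sample, file_size < sizeof sample ? file_size : sizeof sample, 0 };
    return skip_pad_unchecked(&b, pad);
}
```

With the wrapped count from pad_from_header(0x50, 0x60), the unchecked loop would make about four billion reads on a 409-byte file, while the checked version returns -1 immediately.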
Comment 11 Petr Gajdos 2016-06-07 11:46:52 UTC
AFTER

$ identify CVE-2015-8902.pdb
identify: Memory allocation failed `CVE-2015-8902.pdb'.
$

(returns immediately)
Comment 12 Petr Gajdos 2016-06-23 13:07:03 UTC
I believe all fixed.
Comment 13 Bernhard Wiedemann 2016-06-23 14:00:44 UTC
This is an autogenerated message for OBS integration:
This bug (983253) was mentioned in
https://build.opensuse.org/request/show/404239 13.2 / ImageMagick
Comment 17 Bernhard Wiedemann 2016-06-29 14:00:49 UTC
This is an autogenerated message for OBS integration:
This bug (983253) was mentioned in
https://build.opensuse.org/request/show/405459 13.2 / ImageMagick
Comment 18 Swamp Workflow Management 2016-07-06 19:04:55 UTC
openSUSE-SU-2016:1748-1: An update that fixes 68 vulnerabilities is now available.

Category: security (important)
Bug References: 983232,983234,983253,983259,983292,983305,983308,983521,983523,983527,983533,983739,983746,983752,983774,983794,983796,983799,983803,984014,984018,984023,984028,984032,984035,984135,984137,984142,984144,984145,984149,984150,984160,984166,984172,984179,984181,984183,984184,984185,984186,984187,984191,984193,984370,984372,984373,984374,984375,984379,984394,984398,984400,984401,984404,984406,984408,984409,984427,984433,984436,985442,985448,985451,985456,985460,986608,986609
CVE References: CVE-2014-9805,CVE-2014-9806,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9812,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9821,CVE-2014-9822,CVE-2014-9823,CVE-2014-9824,CVE-2014-9825,CVE-2014-9826,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9832,CVE-2014-9833,CVE-2014-9834,CVE-2014-9835,CVE-2014-9836,CVE-2014-9837,CVE-2014-9838,CVE-2014-9839,CVE-2014-9840,CVE-2014-9841,CVE-2014-9842,CVE-2014-9843,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9848,CVE-2014-9849,CVE-2014-9850,CVE-2014-9851,CVE-2014-9852,CVE-2014-9853,CVE-2014-9854,CVE-2015-8894,CVE-2015-8895,CVE-2015-8896,CVE-2015-8897,CVE-2015-8898,CVE-2015-8900,CVE-2015-8901,CVE-2015-8902,CVE-2015-8903,CVE-2016-4562,CVE-2016-4563,CVE-2016-4564,CVE-2016-5687,CVE-2016-5688,CVE-2016-5689,CVE-2016-5690,CVE-2016-5691,CVE-2016-5841,CVE-2016-5842
Sources used:
openSUSE 13.2 (src):    ImageMagick-6.8.9.8-26.1
Comment 19 Swamp Workflow Management 2016-07-11 14:08:21 UTC
SUSE-SU-2016:1782-1: An update that fixes 57 vulnerabilities is now available.

Category: security (important)
Bug References: 983234,983253,983259,983292,983305,983308,983521,983523,983533,983739,983746,983752,983774,983794,983796,983799,983803,984018,984023,984028,984032,984035,984135,984137,984142,984144,984145,984150,984160,984166,984181,984184,984185,984186,984187,984193,984370,984372,984373,984374,984375,984379,984394,984398,984400,984401,984408,984409,984433,984436,985442,985448,985451,985456,985460,986608,986609
CVE References: CVE-2014-9805,CVE-2014-9806,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9812,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9822,CVE-2014-9823,CVE-2014-9824,CVE-2014-9826,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9836,CVE-2014-9837,CVE-2014-9838,CVE-2014-9839,CVE-2014-9840,CVE-2014-9842,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9849,CVE-2014-9851,CVE-2014-9853,CVE-2014-9854,CVE-2015-8894,CVE-2015-8896,CVE-2015-8897,CVE-2015-8898,CVE-2015-8901,CVE-2015-8902,CVE-2015-8903,CVE-2016-4562,CVE-2016-4563,CVE-2016-4564,CVE-2016-5687,CVE-2016-5688,CVE-2016-5689,CVE-2016-5690,CVE-2016-5691,CVE-2016-5841,CVE-2016-5842
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.45.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.45.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.45.1
Comment 20 Swamp Workflow Management 2016-07-11 14:27:23 UTC
SUSE-SU-2016:1784-1: An update that fixes 68 vulnerabilities is now available.

Category: security (important)
Bug References: 983232,983234,983253,983259,983292,983305,983308,983521,983523,983527,983533,983739,983746,983752,983774,983794,983796,983799,983803,984014,984018,984023,984028,984032,984035,984135,984137,984142,984144,984145,984149,984150,984160,984166,984172,984179,984181,984183,984184,984185,984186,984187,984191,984193,984370,984372,984373,984374,984375,984379,984394,984398,984400,984401,984404,984406,984408,984409,984427,984433,984436,985442,985448,985451,985456,985460,986608,986609
CVE References: CVE-2014-9805,CVE-2014-9806,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9812,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9821,CVE-2014-9822,CVE-2014-9823,CVE-2014-9824,CVE-2014-9825,CVE-2014-9826,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9832,CVE-2014-9833,CVE-2014-9834,CVE-2014-9835,CVE-2014-9836,CVE-2014-9837,CVE-2014-9838,CVE-2014-9839,CVE-2014-9840,CVE-2014-9841,CVE-2014-9842,CVE-2014-9843,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9848,CVE-2014-9849,CVE-2014-9850,CVE-2014-9851,CVE-2014-9852,CVE-2014-9853,CVE-2014-9854,CVE-2015-8894,CVE-2015-8895,CVE-2015-8896,CVE-2015-8897,CVE-2015-8898,CVE-2015-8900,CVE-2015-8901,CVE-2015-8902,CVE-2015-8903,CVE-2016-4562,CVE-2016-4563,CVE-2016-4564,CVE-2016-5687,CVE-2016-5688,CVE-2016-5689,CVE-2016-5690,CVE-2016-5691,CVE-2016-5841,CVE-2016-5842
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
Comment 21 Swamp Workflow Management 2016-07-20 10:09:39 UTC
openSUSE-SU-2016:1833-1: An update that fixes 68 vulnerabilities is now available.

Category: security (important)
Bug References: 983232,983234,983253,983259,983292,983305,983308,983521,983523,983527,983533,983739,983746,983752,983774,983794,983796,983799,983803,984014,984018,984023,984028,984032,984035,984135,984137,984142,984144,984145,984149,984150,984160,984166,984172,984179,984181,984183,984184,984185,984186,984187,984191,984193,984370,984372,984373,984374,984375,984379,984394,984398,984400,984401,984404,984406,984408,984409,984427,984433,984436,985442,985448,985451,985456,985460,986608,986609
CVE References: CVE-2014-9805,CVE-2014-9806,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9812,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9821,CVE-2014-9822,CVE-2014-9823,CVE-2014-9824,CVE-2014-9825,CVE-2014-9826,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9832,CVE-2014-9833,CVE-2014-9834,CVE-2014-9835,CVE-2014-9836,CVE-2014-9837,CVE-2014-9838,CVE-2014-9839,CVE-2014-9840,CVE-2014-9841,CVE-2014-9842,CVE-2014-9843,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9848,CVE-2014-9849,CVE-2014-9850,CVE-2014-9851,CVE-2014-9852,CVE-2014-9853,CVE-2014-9854,CVE-2015-8894,CVE-2015-8895,CVE-2015-8896,CVE-2015-8897,CVE-2015-8898,CVE-2015-8900,CVE-2015-8901,CVE-2015-8902,CVE-2015-8903,CVE-2016-4562,CVE-2016-4563,CVE-2016-4564,CVE-2016-5687,CVE-2016-5688,CVE-2016-5689,CVE-2016-5690,CVE-2016-5691,CVE-2016-5841,CVE-2016-5842
Sources used:
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-15.1