Bug 1000690 (CVE-2015-8957) - VUL-0: CVE-2015-8957: ImageMagick: Buffer overflow in sun file handling
Summary: VUL-0: CVE-2015-8957: ImageMagick: Buffer overflow in sun file handling
Status: RESOLVED FIXED
Alias: CVE-2015-8957
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:SUSE:CVE-2015-8957:4.3:(AV:N/...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-23 10:52 UTC by Johannes Segitz
Modified: 2019-08-16 15:12 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
testcase (3.25 KB, image/x-sun-raster)
2016-10-03 08:52 UTC, Petr Gajdos 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Swamp Workflow Management 2016-09-23 22:00:52 UTC 
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-10-03 08:52:21 UTC 
Created attachment 695388 [details]
testcase

Downloaded from the dropbox link from the ImageMagick bug.
Comment 3 Petr Gajdos 2016-10-03 08:58:33 UTC 
13.2/ImageMagick
$ convert 68e4a715 test.bmp
Aborted (core dumped)
$

12/ImageMagick
$ convert 68e4a715 test.bmp
Aborted (core dumped)
$

11/ImageMagick
$ convert 68e4a715 test.bmp
$
(gives valgrind errors)

-------

42.1/GraphicsMagick
$ gm convert 68e4a715 test.bmp
gm convert: Improper image header (68e4a715).
$
(no valgrind error) 

13.2/GraphicsMagick
$ gm convert 68e4a715 test.bmp
Segmentation fault (core dumped)
$

11/GraphicsMagick
$ gm convert 68e4a715 test.bmp
Segmentation fault (core dumped)
$
Comment 5 Petr Gajdos 2016-10-03 11:54:23 UTC 
GraphicsMagick's sun.c was rewritten between 1.3.20 and 1.3.21:

http://hg.code.sf.net/p/graphicsmagick/code/diff/512c92a92cad/coders/sun.c
Comment 6 Petr Gajdos 2016-10-03 14:11:21 UTC 
For 13.2/GraphicsMagick and 11/GraphicsMagick, I have removed 

  GraphicsMagick-CVE-2014-9818,9829.patch and
  GraphicsMagick-CVE-2014-9830.patch

and added

  GraphicsMagick-CVE-2014-9818,9829,9830-CVE-2015-8957.patch

instead, which consists of two commits:

  http://hg.code.sf.net/p/graphicsmagick/code/rev/512c92a92cad
  http://hg.code.sf.net/p/graphicsmagick/code/rev/5167667fabf8
Comment 7 Petr Gajdos 2016-10-03 14:12:15 UTC 
After patching, the ImageMagick does not crash, but still shows memory errors from valgrind. 

GraphicsMagick does not crash and gives 'gm convert: Improper image header (68e4a715).'
Comment 8 Petr Gajdos 2016-10-03 14:13:53 UTC 
At the end, all versions of ImageMagick and 11/GraphicsMagick and 13.2/GraphicsMagick are considered to be affected.
Comment 9 Petr Gajdos 2016-10-13 13:40:11 UTC 
I believe all fixed.
Comment 10 Bernhard Wiedemann 2016-10-13 14:01:14 UTC 
This is an autogenerated message for OBS integration:
This bug (1000690) was mentioned in
https://build.opensuse.org/request/show/434745 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/434746 13.2 / ImageMagick
Comment 13 Bernhard Wiedemann 2016-10-18 14:02:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1000690) was mentioned in
https://build.opensuse.org/request/show/435916 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/435917 13.2 / ImageMagick
Comment 15 Bernhard Wiedemann 2016-10-20 10:02:16 UTC 
This is an autogenerated message for OBS integration:
This bug (1000690) was mentioned in
https://build.opensuse.org/request/show/436494 13.2 / ImageMagick
Comment 16 Swamp Workflow Management 2016-10-26 12:07:23 UTC 
openSUSE-SU-2016:2641-1: An update that fixes 28 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1000399,1000434,1000436,1000689,1000690,1000691,1000692,1000693,1000695,1000698,1000700,1000702,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,985442,999673
CVE References: CVE-2015-8957,CVE-2015-8958,CVE-2016-5688,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE 13.2 (src):    GraphicsMagick-1.3.20-12.1
Comment 17 Swamp Workflow Management 2016-10-28 16:08:35 UTC 
SUSE-SU-2016:2667-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000702,1000703,1000704,1000706,1000707,1000708,1000709,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
Comment 18 Swamp Workflow Management 2016-10-28 19:07:31 UTC 
openSUSE-SU-2016:2671-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000703,1000704,1000706,1000707,1000708,1000709,1000710,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7536,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE 13.2 (src):    ImageMagick-6.8.9.8-34.1
Comment 19 jun wang 2016-11-04 10:36:59 UTC 
after updating all packages to 6.4.3.6-7.53.2 from http://download.suse.de/ibs/SUSE:/Maintenance:/3354/,
this issue was NOT fixed, and I got a Segmentation fault.

The testfile is from comment#2.
Comment 20 Swamp Workflow Management 2016-11-04 14:08:17 UTC 
SUSE-SU-2016:2724-1: An update that fixes 26 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1000399,1000434,1000436,1000689,1000690,1000691,1000692,1000693,1000695,1000698,1000700,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,999673
CVE References: CVE-2015-8957,CVE-2015-8958,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.46.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.46.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.46.1
Comment 22 Swamp Workflow Management 2016-11-10 16:14:35 UTC 
openSUSE-SU-2016:2770-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000702,1000703,1000704,1000706,1000707,1000708,1000709,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-21.1
Comment 23 Marcus Meissner 2016-11-12 15:56:36 UTC 
see comment #c19
Comment 24 Petr Gajdos 2016-11-14 06:32:24 UTC 
See comment #3.
Comment 25 Petr Gajdos 2016-11-14 06:37:03 UTC 
Was too quick.
Comment 26 jun wang 2016-11-14 06:44:32 UTC 
(In reply to Petr Gajdos from comment #24)
> See comment #3.


run the command on SLE11SP4 after updating all packages:

# valgrind convert 68e4a715 test.bmp
==5426== Memcheck, a memory error detector
==5426== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==5426== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==5426== Command: convert 68e4a715 test.bmp
==5426==
==5426== Invalid read of size 1
==5426==    at 0xAB6F4F0: ??? (in /usr/lib64/ImageMagick-6.4.3/modules-Q16/coders/sun.so)
==5426==    by 0x4E9CD67: ReadImage (in /usr/lib64/libMagickCore.so.1.0.0)
==5426==    by 0x529AB82: ConvertImageCommand (in /usr/lib64/libMagickWand.so.1.0.0)
==5426==    by 0x400F73: ??? (in /usr/bin/convert)
==5426==    by 0x83DCC35: (below main) (in /lib64/libc-2.11.3.so)
==5426==  Address 0xa2f3760 is 0 bytes after a block of size 3,072 alloc'd
==5426==    at 0x4C29F09: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
...
...
==5426== HEAP SUMMARY:
==5426==     in use at exit: 2,560 bytes in 6 blocks
==5426==   total heap usage: 17,214 allocs, 17,208 frees, 155,172,386 bytes allocated
==5426==
==5426== LEAK SUMMARY:
==5426==    definitely lost: 0 bytes in 0 blocks
==5426==    indirectly lost: 0 bytes in 0 blocks
==5426==      possibly lost: 592 bytes in 1 blocks
==5426==    still reachable: 1,968 bytes in 5 blocks
==5426==         suppressed: 0 bytes in 0 blocks
==5426== Rerun with --leak-check=full to see details of leaked memory
==5426==
==5426== For counts of detected and suppressed errors, rerun with: -v
==5426== ERROR SUMMARY: 2055000 errors from 2 contexts (suppressed: 4 from 4)
Comment 27 Petr Gajdos 2016-11-14 07:30:54 UTC 
No, I do not get a segfault anymore. I still get valgrind errors, yes, as I wrote in comment 7. What command do you use to get the segfault?
Comment 28 jun wang 2016-11-14 08:06:21 UTC 
(In reply to Petr Gajdos from comment #27)
> No, I do not get a segfault anymore. I still get valgrind errors, yes, as I
> wrote in comment 7. What command do you use to get the segfault?

# convert 68e4a715 test.bmp
Segmentation fault
Comment 29 Petr Gajdos 2016-11-14 08:53:56 UTC 
With the same command, I do not get the segfault on my system. Backtrace on 147.2.215.179:

#0  ReadSUNImage (image_info=0xa53160, exception=0x603080) at coders/sun.c:459
#1  0x00007ffff7a1ed68 in ReadImage (image_info=0xa4efc0, exception=0x603080) at magick/constitute.c:441
#2  0x00007ffff76eeb83 in ConvertImageCommand (image_info=0xa4efc0, argc=3, argv=0x605e40, metadata=0x0, exception=0x603080)
    at wand/convert.c:560
#3  0x0000000000400f74 in main (argc=3, argv=0x7fffffffe398) at utilities/convert.c:122
Comment 30 Petr Gajdos 2016-11-14 14:37:05 UTC 
See bug 1000691 comment 33.
Comment 31 Petr Gajdos 2016-11-14 14:49:37 UTC 
See sr#123961.
Comment 34 Swamp Workflow Management 2016-12-01 17:08:52 UTC 
SUSE-SU-2016:2964-1: An update that fixes 34 vulnerabilities is now available.

Category: security (important)
Bug References: 1000399,1000434,1000436,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000698,1000699,1000700,1000701,1000703,1000704,1000707,1000709,1000711,1000713,1000714,1001066,1001221,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1007245
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-5687,CVE-2016-6823,CVE-2016-7101,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7533,CVE-2016-7535,CVE-2016-7537,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684,CVE-2016-8862
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.54.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.54.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.54.1
Comment 35 Marcus Meissner 2016-12-22 12:15:37 UTC 
released. i think needinfo is provided