Bug 1000691 (CVE-2015-8958) - VUL-0: CVE-2015-8958: ImageMagick: Potential DOS in sun file handling due to malformed files
Summary: VUL-0: CVE-2015-8958: ImageMagick: Potential DOS in sun file handling due to ...
Status: RESOLVED FIXED
Alias: CVE-2015-8958
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:SUSE:CVE-2015-8958:4.3:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-23 10:52 UTC by Johannes Segitz
Modified: 2016-12-22 12:16 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
testcase (3.04 KB, image/x-sun-raster)
2016-10-03 14:35 UTC, Petr Gajdos 		Details
patch against 13.2 and 12 (903 bytes, patch)
2016-10-04 11:05 UTC, Petr Gajdos 		Details | Diff
patch against 11 (961 bytes, patch)
2016-10-04 11:06 UTC, Petr Gajdos 		Details | Diff
patch against 13.2 and 12 (25.24 KB, patch)
2016-10-04 11:08 UTC, Petr Gajdos 		Details | Diff
patch against 11 (25.24 KB, patch)
2016-10-04 11:10 UTC, Petr Gajdos 		Details | Diff
patch against 13.2 and 12 (12.16 KB, patch)
2016-10-04 11:11 UTC, Petr Gajdos 		Details | Diff
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Swamp Workflow Management 2016-09-23 22:01:06 UTC 
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-10-03 14:35:31 UTC 
Created attachment 695457 [details]
testcase

Downloaded from the dropbox (upstream bug).
Comment 3 Petr Gajdos 2016-10-03 14:42:03 UTC 
Similarly to bug 1000690.

13.2/ImageMagick
$ convert 4a1d6a6d bleble.jpg
Aborted (core dumped)
$

12/ImageMagick
$ convert 4a1d6a6d test.bmp
Aborted (core dumped)
$ 

11/ImageMagick
$ convert 4a1d6a6d bleble.png
$

---------

42.1/GraphicsMagick
$ gm convert 4a1d6a6d bleble.png
gm convert: Improper image header (4a1d6a6d).
$

13.2/GraphicsMagick
$ gm convert 4a1d6a6d bleble.png
Segmentation fault (core dumped)
$

42.1/GraphicsMagick
$ gm convert 4a1d6a6d bleble.png
Segmentation fault (core dumped)
$
Comment 4 Petr Gajdos 2016-10-03 14:54:10 UTC 
GraphicsMagick: after applying patch mentioned in bug 1000691 comment 6, the segfault went away:

$ gm convert 4a1d6a6d test.bmp
gm convert: Improper image header (4a1d6a6d).
$
Comment 6 Petr Gajdos 2016-10-04 11:03:24 UTC 
13.2/ImageMagick and 12/ImageMagick does not crash after patching.
Comment 7 Petr Gajdos 2016-10-04 11:05:26 UTC 
Created attachment 695596 [details]
patch against 13.2 and 12
Comment 8 Petr Gajdos 2016-10-04 11:06:29 UTC 
Created attachment 695597 [details]
patch against 11
Comment 9 Petr Gajdos 2016-10-04 11:07:20 UTC 
Considering affected all versions of ImageMagick, 13.2/GraphicsMagick and 11/GraphicsMagick.
Comment 10 Petr Gajdos 2016-10-04 11:08:39 UTC 
Created attachment 695598 [details]
patch against 13.2 and 12
Comment 11 Petr Gajdos 2016-10-04 11:10:12 UTC 
Created attachment 695599 [details]
patch against 11
Comment 12 Petr Gajdos 2016-10-04 11:11:00 UTC 
Created attachment 695600 [details]
patch against 13.2 and 12
Comment 13 Petr Gajdos 2016-10-04 11:11:31 UTC 
Nice one.
Comment 14 Petr Gajdos 2016-10-13 13:40:11 UTC 
I believe all fixed.
Comment 15 Bernhard Wiedemann 2016-10-13 14:01:22 UTC 
This is an autogenerated message for OBS integration:
This bug (1000691) was mentioned in
https://build.opensuse.org/request/show/434745 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/434746 13.2 / ImageMagick
Comment 18 Bernhard Wiedemann 2016-10-18 14:02:10 UTC 
This is an autogenerated message for OBS integration:
This bug (1000691) was mentioned in
https://build.opensuse.org/request/show/435916 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/435917 13.2 / ImageMagick
Comment 19 Swamp Workflow Management 2016-10-26 12:07:34 UTC 
openSUSE-SU-2016:2641-1: An update that fixes 28 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1000399,1000434,1000436,1000689,1000690,1000691,1000692,1000693,1000695,1000698,1000700,1000702,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,985442,999673
CVE References: CVE-2015-8957,CVE-2015-8958,CVE-2016-5688,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE 13.2 (src):    GraphicsMagick-1.3.20-12.1
Comment 20 Swamp Workflow Management 2016-10-28 16:08:43 UTC 
SUSE-SU-2016:2667-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000702,1000703,1000704,1000706,1000707,1000708,1000709,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
Comment 21 Swamp Workflow Management 2016-10-28 19:07:41 UTC 
openSUSE-SU-2016:2671-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000703,1000704,1000706,1000707,1000708,1000709,1000710,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7536,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE 13.2 (src):    ImageMagick-6.8.9.8-34.1
Comment 22 jun wang 2016-11-04 10:37:20 UTC 
after updating all packages to 6.4.3.6-7.53.2 from http://download.suse.de/ibs/SUSE:/Maintenance:/3354/,
this issue was NOT fixed, and I got a Segmentation fault.

The testfile is from comment#2.
Comment 23 Swamp Workflow Management 2016-11-04 14:08:26 UTC 
SUSE-SU-2016:2724-1: An update that fixes 26 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1000399,1000434,1000436,1000689,1000690,1000691,1000692,1000693,1000695,1000698,1000700,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,999673
CVE References: CVE-2015-8957,CVE-2015-8958,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.46.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.46.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.46.1
Comment 25 Swamp Workflow Management 2016-11-10 16:14:43 UTC 
openSUSE-SU-2016:2770-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000702,1000703,1000704,1000706,1000707,1000708,1000709,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-21.1
Comment 26 Marcus Meissner 2016-11-12 15:57:29 UTC 
see comment #c22
Comment 27 Petr Gajdos 2016-11-14 06:33:15 UTC 
See comment #3
Comment 28 Petr Gajdos 2016-11-14 06:40:22 UTC 
Was too quick.
Comment 29 jun wang 2016-11-14 06:42:48 UTC 
(In reply to Petr Gajdos from comment #27)
> See comment #3

Yes, run the command on SLE11SP4 after updating all packages:
$ convert 4a1d6a6d bleble.png
Segmentation fault

Please check it.
Comment 30 Petr Gajdos 2016-11-14 07:34:18 UTC 
I cannot reproduce the segfault. Could you please give me access to the machine where you are experiencing it?
Comment 31 jun wang 2016-11-14 08:09:10 UTC 
(In reply to Petr Gajdos from comment #30)
> I cannot reproduce the segfault. Could you please give me access to the
> machine where you are experiencing it?

Host:147.2.215.179
user: root
pw: novell

thank you:)
Comment 32 Petr Gajdos 2016-11-14 08:56:12 UTC 
Backtrace on 147.2.215.179:

#0  ReadSUNImage (image_info=0xa53160, exception=0x603080) at coders/sun.c:459
#1  0x00007ffff7a1ed68 in ReadImage (image_info=0xa4efc0, exception=0x603080) at magick/constitute.c:441
#2  0x00007ffff76eeb83 in ConvertImageCommand (image_info=0xa4efc0, argc=3, argv=0x605e40, metadata=0x0, exception=0x603080)
    at wand/convert.c:560
#3  0x0000000000400f74 in main (argc=3, argv=0x7fffffffe398) at utilities/convert.c:122
Comment 33 Petr Gajdos 2016-11-14 14:36:34 UTC 
(gdb) p sun_info
$36 = {magic = 1504078485, width = 32, height = 57305, depth = 1, length = 3072, type = 3, maptype = 0, maplength = 0}
(gdb)

There is a check in ReadSUNImage(), which is comparing width,height,depth tripple against length. The latest form of this check looks like:

    if ((sun_info.type != RT_ENCODED) &&
        ((number_pixels*sun_info.depth) > (8UL*sun_info.length)))
      ThrowReaderException(CorruptImageError,"ImproperImageHeader");

where number_pixels is result of width and height. You can see that the values above does fit the  condition (type is RT_FORMAT_RGB). We have this check already in sle12 and 13.2, but in 11, there is an older check. Updating to newest one fixes the segfault for me (see 147.2.215.179).
Comment 34 Petr Gajdos 2016-11-14 14:49:14 UTC 
See sr#123961.
Comment 38 Swamp Workflow Management 2016-12-01 17:09:02 UTC 
SUSE-SU-2016:2964-1: An update that fixes 34 vulnerabilities is now available.

Category: security (important)
Bug References: 1000399,1000434,1000436,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000698,1000699,1000700,1000701,1000703,1000704,1000707,1000709,1000711,1000713,1000714,1001066,1001221,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1007245
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-5687,CVE-2016-6823,CVE-2016-7101,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7533,CVE-2016-7535,CVE-2016-7537,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684,CVE-2016-8862
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.54.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.54.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.54.1
Comment 39 Marcus Meissner 2016-12-22 12:16:21 UTC 
released. needinfo provided