Bug 983309 (CVE-2016-5240) - VUL-0: CVE-2016-5240: GraphicsMagick: SVG converting issue resulting in DoS (endless loop)
Summary: VUL-0: CVE-2016-5240: GraphicsMagick: SVG converting issue resulting in DoS (...
Status: RESOLVED FIXED
Alias: CVE-2016-5240
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/169761/
Whiteboard: CVSSv2:NVD:CVE-2016-5240:4.3:(AV:N/AC...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-06 14:59 UTC by Marcus Meissner
Modified: 2020-05-12 17:52 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
circular.svg (6.14 KB, image/svg+xml)
2016-06-06 15:09 UTC, Marcus Meissner

Description Marcus Meissner 2016-06-06 14:59:07 UTC
rh#1333417

    We recently tested GraphicsMagick with our tool and found two issues that
    cause DoS:


    * Infinite loop caused by converting a circularly defined svg file.

Use CVE-2016-5240.

        http://www.openwall.com/lists/oss-security/2016/05/01/6


        It is worth noting that ImageMagick's built-in SVG renderer has the 
        same problem with "circular.svg" (specify the input file name like 
        "msvg:circular.svg").


We feel that this ImageMagick issue is also within the scope of the
CVE-2016-5240 ID.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1333417
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5240
http://seclists.org/oss-sec/2016/q2/460
Comment 1 Marcus Meissner 2016-06-06 15:09:39 UTC
Created attachment 679699 [details]
circular.svg

QA REPRODUCER:

convert msvg:circular.svg foo.gif

will hang forever
Comment 2 Swamp Workflow Management 2016-06-06 22:03:13 UTC
bugbot adjusting priority
Comment 3 Petr Gajdos 2016-06-08 08:21:44 UTC
I get

$ convert msvg:circular.svg foo.gif
983309: must specify image size `circular.svg' @ error/mvg.c/ReadMVGImage/185.
983309: no images defined `foo.gif' @ error/convert.c/ConvertImageCommand/3144.
$

or

$ convert msvg:circular.svg foo.gif
983309: non-conforming drawing primitive definition `line' @ error/draw.c/DrawImage/3321.
$

so not reproducible for me anywhere for ImageMagick.

$ gm convert circular.svg foo.gif

hangs
Comment 5 Petr Gajdos 2016-06-08 09:00:17 UTC
AFTER

$ gm convert circular.svg bleble.png
gm convert: Non-conforming drawing primitive definition (stroke-dasharray).
$
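The post-fix run above rejects the input with "Non-conforming drawing primitive definition (stroke-dasharray)". The following is an added example, not GraphicsMagick's own code, illustrating why such a guard ends the hang; it assumes (labelled in the code) that the renderer walks the stroked path by dash lengths, so a pattern whose lengths sum to zero never advances.

```c
/* Added illustration, not GraphicsMagick source. Assumption: the hang is a
 * dash-walking loop that advances along the path by the dash lengths from
 * stroke-dasharray; a pattern that sums to zero (or contains a negative
 * length) makes no progress, so the loop never reaches the end of the path.
 * The guard mirrors the "non-conforming" rejection seen after the fix. */
#include <stdbool.h>
#include <stddef.h>

/* Reject dash patterns that would stall the walk: empty, negative, or
 * summing to zero. Interleaved zeros (e.g. {0, 5}) are still fine. */
bool dasharray_is_conforming(const double *dash, size_t n)
{
    double total = 0.0;
    if (n == 0)
        return false;
    for (size_t i = 0; i < n; i++) {
        if (dash[i] < 0.0)
            return false;
        total += dash[i];
    }
    return total > 0.0;
}

/* Walk a path of `length` units, emitting alternating on/off dashes.
 * Returns the number of dash steps taken, -1 if the pattern was rejected,
 * or -2 if the defence-in-depth step bound was hit (cannot happen once the
 * pattern has passed the conformance check). */
long walk_dashes(double length, const double *dash, size_t n, long max_steps)
{
    if (!dasharray_is_conforming(dash, n))
        return -1;
    double pos = 0.0;
    long steps = 0;
    size_t i = 0;
    while (pos < length) {
        if (steps >= max_steps)
            return -2;
        pos += dash[i];        /* with an all-zero pattern pos never grows */
        i = (i + 1) % n;
        steps++;
    }
    return steps;
}
```

Without the conformance check, an all-zero pattern keeps `pos` at 0 forever, which is exactly the shape of the hang the reproducer shows; the step bound is only a backstop for patterns the check does not anticipate.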
Comment 6 Petr Gajdos 2016-06-08 09:14:46 UTC
The reason I do not get it is simple -- this is fixed already with one of CVE-2016-4562,4563,4564 for ImageMagick.
Comment 7 Petr Gajdos 2016-06-23 13:07:01 UTC
I believe all fixed.
Comment 8 Bernhard Wiedemann 2016-06-23 14:01:30 UTC
This is an autogenerated message for OBS integration:
This bug (983309) was mentioned in
https://build.opensuse.org/request/show/404238 13.2 / GraphicsMagick
Comment 10 Bernhard Wiedemann 2016-06-23 16:00:35 UTC
This is an autogenerated message for OBS integration:
This bug (983309) was mentioned in
https://build.opensuse.org/request/show/404251 13.2 / GraphicsMagick
Comment 12 Swamp Workflow Management 2016-07-11 14:20:48 UTC
SUSE-SU-2016:1783-1: An update that fixes 37 vulnerabilities is now available.

Category: security (important)
Bug References: 965853,983234,983259,983309,983455,983521,983523,983533,983752,983794,983796,983799,983803,984028,984032,984035,984135,984142,984144,984145,984150,984166,984181,984193,984372,984373,984375,984379,984394,984398,984400,984408,984409,984433,984436,985442
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9839,CVE-2014-9840,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9853,CVE-2015-8894,CVE-2015-8896,CVE-2015-8901,CVE-2015-8903,CVE-2016-2317,CVE-2016-2318,CVE-2016-5240,CVE-2016-5241,CVE-2016-5688
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.41.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.41.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.41.1
Comment 13 Bernhard Wiedemann 2016-08-05 10:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (983309) was mentioned in
https://build.opensuse.org/request/show/417050 42.1 / GraphicsMagick
Comment 14 Swamp Workflow Management 2016-08-15 13:11:24 UTC
openSUSE-SU-2016:2073-1: An update that fixes 22 vulnerabilities is now available.

Category: security (important)
Bug References: 965853,983309,983455,983521,983523,983533,983752,983794,983799,984142,984145,984150,984166,984372,984375,984379,984394,984400,984408,984436,985442
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9809,CVE-2014-9815,CVE-2014-9817,CVE-2014-9819,CVE-2014-9820,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9839,CVE-2014-9845,CVE-2014-9846,CVE-2014-9853,CVE-2015-8894,CVE-2015-8896,CVE-2016-2317,CVE-2016-2318,CVE-2016-5240,CVE-2016-5241,CVE-2016-5688
Sources used:
openSUSE Leap 42.1 (src):    GraphicsMagick-1.3.21-11.1
Comment 15 Wolfgang Frisch 2020-01-15 10:47:36 UTC
Fixed.