Bug 983455 (CVE-2016-5241) - VUL-0: CVE-2016-5241: GraphicsMagick: arithmetic exception (div by 0) in SVG conversion
Summary: VUL-0: CVE-2016-5241: GraphicsMagick: arithmetic exception (div by 0) in SVG...
Status: RESOLVED FIXED
Alias: CVE-2016-5241
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Petr Gajdos
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/169760/
Whiteboard: CVSSv2:RedHat:CVE-2016-5241:4.3:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-07 09:42 UTC by Marcus Meissner
Modified: 2016-08-15 13:11 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
sigfpe.svg (1.42 KB, text/plain)
2016-06-07 09:44 UTC, Marcus Meissner
Description Marcus Meissner 2016-06-07 09:42:27 UTC
via oss-sec

    * Arithmetic exception converting a svg file caused by a X%0 operation in
    magick/render.c:3800

        (long) (y-fill_pattern->tile_info.y) % fill_pattern->rows,


Use CVE-2016-5241.


References:
http://seclists.org/oss-sec/2016/q2/460
Comment 1 Marcus Meissner 2016-06-07 09:44:49 UTC
Created attachment 679838
sigfpe.svg

QA REPRODUCER:

convert sigfpe.svg foo.gif

... it should crash with arithmetic exception, but does not crash for me on x86-64
Comment 2 Swamp Workflow Management 2016-06-07 22:00:38 UTC
bugbot adjusting priority
Comment 3 Petr Gajdos 2016-06-08 10:34:40 UTC
(In reply to Marcus Meissner from comment #1)
> Created attachment 679838
> sigfpe.svg
> 
> QA REPRODUCER:
> 
> convert sigfpe.svg foo.gif
> 
> ... it should crash with arithmetic exception, but does not crash for me on
> x86-64

It would not, you are using librsvg, but neither

$ convert msvg:sigfpe.svg blabla.png
convert: Must specify image size `/tmp/magick-XXTTf1s2'.
convert: missing an image filename `blabla.png'.
$

does not.

I get 

$ gm convert sigfpe.svg foo.gif
Aborted (core dumped)
$

for 13.2 but not 11.
Comment 5 Petr Gajdos 2016-06-08 10:45:56 UTC
AFTER on 13.2

$ gm convert sigfpe.svg blabla.png
gm convert: Unable to open file (#a) [No such file or directory].
$

$ ls
sigfpe.svg
$ gm convert sigfpe.svg blabla.png
gm convert: Unable to open file (#a) [No such file or directory].
$
Comment 6 Petr Gajdos 2016-06-08 11:25:03 UTC
11/GraphicsMagick: code is there, considering affected (the check on zero before modulo will not harm)

I failed to find the code in ImageMagick.
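
The `X%0` operation from the description and the zero check before the modulo mentioned in comment 6, shown as an added example that is not taken from this bug report or from the GraphicsMagick sources. It is a simplified tile lookup in which `Pattern`, `wrap` and `pattern_sample` are hypothetical names and the pixel data is constructed.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical, simplified stand-in for a fill-pattern image. */
typedef struct {
    unsigned long columns, rows;  /* dimensions, taken from untrusted input */
    long tile_x, tile_y;          /* tile origin offset */
    const unsigned char *pixels;  /* rows * columns samples */
} Pattern;

/* Wrap v into [0, extent). Caller guarantees 0 < extent <= LONG_MAX. */
static unsigned long wrap(long v, unsigned long extent)
{
    long m = v % (long) extent;   /* C remainder keeps the sign of v */
    return (unsigned long) (m < 0 ? m + (long) extent : m);
}

/* Returns 0 and stores the sample, or -1 if the pattern is unusable. */
int pattern_sample(const Pattern *p, long x, long y, unsigned char *out)
{
    if (p == NULL || p->pixels == NULL || out == NULL)
        return -1;
    /* The guard: with rows or columns == 0 the % in wrap() would be a
       division by zero, which raises SIGFPE on x86-64. */
    if (p->rows == 0 || p->columns == 0)
        return -1;
    if (p->rows > LONG_MAX || p->columns > LONG_MAX)
        return -1;
    *out = p->pixels[wrap(y - p->tile_y, p->rows) * p->columns
                     + wrap(x - p->tile_x, p->columns)];
    return 0;
}

int main(void)
{
    static const unsigned char px[4] = {10, 20, 30, 40}; /* constructed 2x2 */
    Pattern ok = {2, 2, 0, 0, px};
    Pattern empty = {2, 0, 0, 0, px};   /* constructed: zero rows */
    unsigned char s = 0;
    printf("ok: rc=%d\n", pattern_sample(&ok, 3, 1, &s));
    printf("empty: rc=%d\n", pattern_sample(&empty, 3, 1, &s));
    return 0;
}
```

Rejecting the zero-sized pattern turns the crash into an error return the caller can report.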
Comment 7 Petr Gajdos 2016-06-08 11:27:49 UTC
QA: the reproducer exposes the issue only on 13.2, not on 11
Comment 8 Petr Gajdos 2016-06-23 13:07:16 UTC
I believe all fixed.
Comment 9 Bernhard Wiedemann 2016-06-23 14:01:36 UTC
This is an autogenerated message for OBS integration:
This bug (983455) was mentioned in
https://build.opensuse.org/request/show/404238 13.2 / GraphicsMagick
Comment 11 Bernhard Wiedemann 2016-06-23 16:00:42 UTC
This is an autogenerated message for OBS integration:
This bug (983455) was mentioned in
https://build.opensuse.org/request/show/404251 13.2 / GraphicsMagick
Comment 13 Swamp Workflow Management 2016-07-01 15:08:45 UTC
openSUSE-SU-2016:1724-1: An update that fixes 37 vulnerabilities is now available.

Category: security (important)
Bug References: 965853,983234,983259,983309,983455,983521,983523,983533,983752,983794,983796,983799,983803,984028,984032,984035,984135,984142,984144,984145,984150,984166,984181,984193,984372,984373,984375,984379,984394,984398,984400,984408,984409,984433,984436,985442
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9839,CVE-2014-9840,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9853,CVE-2015-8894,CVE-2015-8896,CVE-2015-8901,CVE-2015-8903,CVE-2016-2317,CVE-2016-2318,CVE-2016-5240,CVE-2016-5241,CVE-2016-5688
Sources used:
openSUSE 13.2 (src):    GraphicsMagick-1.3.20-9.1
Comment 14 Swamp Workflow Management 2016-07-11 14:21:02 UTC
SUSE-SU-2016:1783-1: An update that fixes 37 vulnerabilities is now available.

Category: security (important)
Bug References: 965853,983234,983259,983309,983455,983521,983523,983533,983752,983794,983796,983799,983803,984028,984032,984035,984135,984142,984144,984145,984150,984166,984181,984193,984372,984373,984375,984379,984394,984398,984400,984408,984409,984433,984436,985442
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9839,CVE-2014-9840,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9853,CVE-2015-8894,CVE-2015-8896,CVE-2015-8901,CVE-2015-8903,CVE-2016-2317,CVE-2016-2318,CVE-2016-5240,CVE-2016-5241,CVE-2016-5688
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.41.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.41.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.41.1
Comment 15 Bernhard Wiedemann 2016-08-05 10:00:34 UTC
This is an autogenerated message for OBS integration:
This bug (983455) was mentioned in
https://build.opensuse.org/request/show/417050 42.1 / GraphicsMagick
Comment 16 Swamp Workflow Management 2016-08-15 13:11:35 UTC
openSUSE-SU-2016:2073-1: An update that fixes 22 vulnerabilities is now available.

Category: security (important)
Bug References: 965853,983309,983455,983521,983523,983533,983752,983794,983799,984142,984145,984150,984166,984372,984375,984379,984394,984400,984408,984436,985442
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9809,CVE-2014-9815,CVE-2014-9817,CVE-2014-9819,CVE-2014-9820,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9839,CVE-2014-9845,CVE-2014-9846,CVE-2014-9853,CVE-2015-8894,CVE-2015-8896,CVE-2016-2317,CVE-2016-2318,CVE-2016-5240,CVE-2016-5241,CVE-2016-5688
Sources used:
openSUSE Leap 42.1 (src):    GraphicsMagick-1.3.21-11.1