Bug 985442 (CVE-2016-5688) - VUL-0: CVE-2016-5688: GraphicsMagick,ImageMagick: Re: Various invalid memory reads in ImageMagick WPG
Summary: VUL-0: CVE-2016-5688: GraphicsMagick,ImageMagick: Re: Various invalid memory ...
Status: RESOLVED FIXED
Alias: CVE-2016-5688
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170273/
Whiteboard: CVSSv2:SUSE:CVE-2016-5688:6.8:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-17 14:42 UTC by Marcus Meissner
Modified: 2016-12-22 12:09 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
imagemagick-heapoverflow-SetPixelIndex.wpg (958 bytes, application/octet-stream)
2016-06-17 14:53 UTC, Marcus Meissner 		Details
imagemagick-invalid-write-ScaleCharToQuantum.wpg (870 bytes, application/octet-stream)
2016-06-17 14:55 UTC, Marcus Meissner 		Details
imagemagick-invalid-write-SetPixelIndex.wpg (1.06 KB, application/octet-stream)
2016-06-17 15:00 UTC, Marcus Meissner 		Details
valgrind convert imagemagick-invalid-write-SetPixelIndex.wpg foo.jpg x86_64 (11.87 KB, text/plain)
2016-07-08 13:47 UTC, Ondřej Súkup 		Details
valgrind convert imagemagick-invalid-write-SetPixelIndex.wpg foo.jpg s390x (4.78 KB, text/plain)
2016-07-08 13:47 UTC, Ondřej Súkup 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2016-06-17 14:42:12 UTC 
http://seclists.org/oss-sec/2016/q2/564



    Several bugs in the WPG parser could lead to a heap overflow and random
    invalid memory writes. These bugs only seem to appear when a memory
    limit is set.

    Sample for heap write overflow in SetPixelIndex

    Sample for unclear invalid write in ScaleCharToQuantum

    Sample for unclear invalid write in SetPixelIndex

    https://github.com/ImageMagick/ImageMagick/commit/fc43974d34318c834fbf78570ca1a3764ed8c7d7
    https://github.com/ImageMagick/ImageMagick/commit/aecd0ada163a4d6c769cec178955d5f3e9316f2f


As far as we can tell, this can be thought of as a single issue in
which some type of input validation (associated with a SetImageExtent
return-value check) occurred in the wrong place, and was accompanied
by incorrect error handling. The various write-access observations
would then be consequences of this.

Use CVE-2016-5688 for this entire report about the WPG parser.
Comment 1 Marcus Meissner 2016-06-17 14:46:15 UTC 
QA REPRODUCER:

https://crashes.fuzzing-project.org/imagemagick-heapoverflow-SetPixelIndex.wpg

Sample for heap write overflow in SetPixelIndex

https://crashes.fuzzing-project.org/imagemagick-invalid-write-ScaleCharToQuantum.wpg

Sample for unclear invalid write in ScaleCharToQuantum

https://crashes.fuzzing-project.org/imagemagick-invalid-write-SetPixelIndex.wpg

Sample for unclear invalid write in SetPixelIndex


(currently not downloadable)
Comment 2 Marcus Meissner 2016-06-17 14:50:18 UTC 
all IM and GM need the first patch

second patch does not look affecting SLE11 IM, SLE11 GM ... SLE12 IM probably affected.
Comment 3 Marcus Meissner 2016-06-17 14:53:35 UTC 
Created attachment 681222 [details]
imagemagick-heapoverflow-SetPixelIndex.wpg

QA REPRODUCER:

convert imagemagick-heapoverflow-SetPixelIndex.wpg foo.jpg
Comment 4 Marcus Meissner 2016-06-17 14:55:42 UTC 
Created attachment 681223 [details]
imagemagick-invalid-write-ScaleCharToQuantum.wpg

QA REPRODUCER:

convert imagemagick-invalid-write-ScaleCharToQuantum.wpg foo.jpg
Comment 5 Marcus Meissner 2016-06-17 15:00:16 UTC 
Created attachment 681227 [details]
imagemagick-invalid-write-SetPixelIndex.wpg

QA REPRODUCER: 

convert imagemagick-invalid-write-SetPixelIndex.wpg foo.jpg
Comment 6 Swamp Workflow Management 2016-06-17 22:00:45 UTC 
bugbot adjusting priority
Comment 7 Petr Gajdos 2016-06-23 12:37:44 UTC 
Fixed everywhere.
Comment 8 Petr Gajdos 2016-06-23 13:07:08 UTC 
I believe all fixed.
Comment 9 Swamp Workflow Management 2016-07-01 15:13:28 UTC 
openSUSE-SU-2016:1724-1: An update that fixes 37 vulnerabilities is now available.

Category: security (important)
Bug References: 965853,983234,983259,983309,983455,983521,983523,983533,983752,983794,983796,983799,983803,984028,984032,984035,984135,984142,984144,984145,984150,984166,984181,984193,984372,984373,984375,984379,984394,984398,984400,984408,984409,984433,984436,985442
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9839,CVE-2014-9840,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9853,CVE-2015-8894,CVE-2015-8896,CVE-2015-8901,CVE-2015-8903,CVE-2016-2317,CVE-2016-2318,CVE-2016-5240,CVE-2016-5241,CVE-2016-5688
Sources used:
openSUSE 13.2 (src):    GraphicsMagick-1.3.20-9.1
Comment 10 Swamp Workflow Management 2016-07-06 19:14:07 UTC 
openSUSE-SU-2016:1748-1: An update that fixes 68 vulnerabilities is now available.

Category: security (important)
Bug References: 983232,983234,983253,983259,983292,983305,983308,983521,983523,983527,983533,983739,983746,983752,983774,983794,983796,983799,983803,984014,984018,984023,984028,984032,984035,984135,984137,984142,984144,984145,984149,984150,984160,984166,984172,984179,984181,984183,984184,984185,984186,984187,984191,984193,984370,984372,984373,984374,984375,984379,984394,984398,984400,984401,984404,984406,984408,984409,984427,984433,984436,985442,985448,985451,985456,985460,986608,986609
CVE References: CVE-2014-9805,CVE-2014-9806,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9812,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9821,CVE-2014-9822,CVE-2014-9823,CVE-2014-9824,CVE-2014-9825,CVE-2014-9826,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9832,CVE-2014-9833,CVE-2014-9834,CVE-2014-9835,CVE-2014-9836,CVE-2014-9837,CVE-2014-9838,CVE-2014-9839,CVE-2014-9840,CVE-2014-9841,CVE-2014-9842,CVE-2014-9843,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9848,CVE-2014-9849,CVE-2014-9850,CVE-2014-9851,CVE-2014-9852,CVE-2014-9853,CVE-2014-9854,CVE-2015-8894,CVE-2015-8895,CVE-2015-8896,CVE-2015-8897,CVE-2015-8898,CVE-2015-8900,CVE-2015-8901,CVE-2015-8902,CVE-2015-8903,CVE-2016-4562,CVE-2016-4563,CVE-2016-4564,CVE-2016-5687,CVE-2016-5688,CVE-2016-5689,CVE-2016-5690,CVE-2016-5691,CVE-2016-5841,CVE-2016-5842
Sources used:
openSUSE 13.2 (src):    ImageMagick-6.8.9.8-26.1
Comment 14 Ondřej Súkup 2016-07-08 13:47:27 UTC 
Created attachment 683535 [details]
valgrind convert imagemagick-invalid-write-SetPixelIndex.wpg foo.jpg x86_64
Comment 15 Ondřej Súkup 2016-07-08 13:47:55 UTC 
Created attachment 683536 [details]
valgrind convert imagemagick-invalid-write-SetPixelIndex.wpg foo.jpg s390x
Comment 16 Ondřej Súkup 2016-07-08 13:48:46 UTC 
looks as partially fixed, valgrind results from x86_64 and s390x attached
Comment 17 Swamp Workflow Management 2016-07-11 14:18:10 UTC 
SUSE-SU-2016:1782-1: An update that fixes 57 vulnerabilities is now available.

Category: security (important)
Bug References: 983234,983253,983259,983292,983305,983308,983521,983523,983533,983739,983746,983752,983774,983794,983796,983799,983803,984018,984023,984028,984032,984035,984135,984137,984142,984144,984145,984150,984160,984166,984181,984184,984185,984186,984187,984193,984370,984372,984373,984374,984375,984379,984394,984398,984400,984401,984408,984409,984433,984436,985442,985448,985451,985456,985460,986608,986609
CVE References: CVE-2014-9805,CVE-2014-9806,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9812,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9822,CVE-2014-9823,CVE-2014-9824,CVE-2014-9826,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9836,CVE-2014-9837,CVE-2014-9838,CVE-2014-9839,CVE-2014-9840,CVE-2014-9842,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9849,CVE-2014-9851,CVE-2014-9853,CVE-2014-9854,CVE-2015-8894,CVE-2015-8896,CVE-2015-8897,CVE-2015-8898,CVE-2015-8901,CVE-2015-8902,CVE-2015-8903,CVE-2016-4562,CVE-2016-4563,CVE-2016-4564,CVE-2016-5687,CVE-2016-5688,CVE-2016-5689,CVE-2016-5690,CVE-2016-5691,CVE-2016-5841,CVE-2016-5842
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.45.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.45.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.45.1
Comment 18 Swamp Workflow Management 2016-07-11 14:26:34 UTC 
SUSE-SU-2016:1783-1: An update that fixes 37 vulnerabilities is now available.

Category: security (important)
Bug References: 965853,983234,983259,983309,983455,983521,983523,983533,983752,983794,983796,983799,983803,984028,984032,984035,984135,984142,984144,984145,984150,984166,984181,984193,984372,984373,984375,984379,984394,984398,984400,984408,984409,984433,984436,985442
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9839,CVE-2014-9840,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9853,CVE-2015-8894,CVE-2015-8896,CVE-2015-8901,CVE-2015-8903,CVE-2016-2317,CVE-2016-2318,CVE-2016-5240,CVE-2016-5241,CVE-2016-5688
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.41.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.41.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.41.1
Comment 19 Swamp Workflow Management 2016-07-11 14:37:58 UTC 
SUSE-SU-2016:1784-1: An update that fixes 68 vulnerabilities is now available.

Category: security (important)
Bug References: 983232,983234,983253,983259,983292,983305,983308,983521,983523,983527,983533,983739,983746,983752,983774,983794,983796,983799,983803,984014,984018,984023,984028,984032,984035,984135,984137,984142,984144,984145,984149,984150,984160,984166,984172,984179,984181,984183,984184,984185,984186,984187,984191,984193,984370,984372,984373,984374,984375,984379,984394,984398,984400,984401,984404,984406,984408,984409,984427,984433,984436,985442,985448,985451,985456,985460,986608,986609
CVE References: CVE-2014-9805,CVE-2014-9806,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9812,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9821,CVE-2014-9822,CVE-2014-9823,CVE-2014-9824,CVE-2014-9825,CVE-2014-9826,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9832,CVE-2014-9833,CVE-2014-9834,CVE-2014-9835,CVE-2014-9836,CVE-2014-9837,CVE-2014-9838,CVE-2014-9839,CVE-2014-9840,CVE-2014-9841,CVE-2014-9842,CVE-2014-9843,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9848,CVE-2014-9849,CVE-2014-9850,CVE-2014-9851,CVE-2014-9852,CVE-2014-9853,CVE-2014-9854,CVE-2015-8894,CVE-2015-8895,CVE-2015-8896,CVE-2015-8897,CVE-2015-8898,CVE-2015-8900,CVE-2015-8901,CVE-2015-8902,CVE-2015-8903,CVE-2016-4562,CVE-2016-4563,CVE-2016-4564,CVE-2016-5687,CVE-2016-5688,CVE-2016-5689,CVE-2016-5690,CVE-2016-5691,CVE-2016-5841,CVE-2016-5842
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-30.2
Comment 20 Swamp Workflow Management 2016-07-20 10:21:05 UTC 
openSUSE-SU-2016:1833-1: An update that fixes 68 vulnerabilities is now available.

Category: security (important)
Bug References: 983232,983234,983253,983259,983292,983305,983308,983521,983523,983527,983533,983739,983746,983752,983774,983794,983796,983799,983803,984014,984018,984023,984028,984032,984035,984135,984137,984142,984144,984145,984149,984150,984160,984166,984172,984179,984181,984183,984184,984185,984186,984187,984191,984193,984370,984372,984373,984374,984375,984379,984394,984398,984400,984401,984404,984406,984408,984409,984427,984433,984436,985442,985448,985451,985456,985460,986608,986609
CVE References: CVE-2014-9805,CVE-2014-9806,CVE-2014-9807,CVE-2014-9808,CVE-2014-9809,CVE-2014-9810,CVE-2014-9811,CVE-2014-9812,CVE-2014-9813,CVE-2014-9814,CVE-2014-9815,CVE-2014-9816,CVE-2014-9817,CVE-2014-9818,CVE-2014-9819,CVE-2014-9820,CVE-2014-9821,CVE-2014-9822,CVE-2014-9823,CVE-2014-9824,CVE-2014-9825,CVE-2014-9826,CVE-2014-9828,CVE-2014-9829,CVE-2014-9830,CVE-2014-9831,CVE-2014-9832,CVE-2014-9833,CVE-2014-9834,CVE-2014-9835,CVE-2014-9836,CVE-2014-9837,CVE-2014-9838,CVE-2014-9839,CVE-2014-9840,CVE-2014-9841,CVE-2014-9842,CVE-2014-9843,CVE-2014-9844,CVE-2014-9845,CVE-2014-9846,CVE-2014-9847,CVE-2014-9848,CVE-2014-9849,CVE-2014-9850,CVE-2014-9851,CVE-2014-9852,CVE-2014-9853,CVE-2014-9854,CVE-2015-8894,CVE-2015-8895,CVE-2015-8896,CVE-2015-8897,CVE-2015-8898,CVE-2015-8900,CVE-2015-8901,CVE-2015-8902,CVE-2015-8903,CVE-2016-4562,CVE-2016-4563,CVE-2016-4564,CVE-2016-5687,CVE-2016-5688,CVE-2016-5689,CVE-2016-5690,CVE-2016-5691,CVE-2016-5841,CVE-2016-5842
Sources used:
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-15.1
Comment 21 Marcus Meissner 2016-08-01 14:48:04 UTC 
considering fixed and released
Comment 22 Swamp Workflow Management 2016-08-15 13:14:19 UTC 
openSUSE-SU-2016:2073-1: An update that fixes 22 vulnerabilities is now available.

Category: security (important)
Bug References: 965853,983309,983455,983521,983523,983533,983752,983794,983799,984142,984145,984150,984166,984372,984375,984379,984394,984400,984408,984436,985442
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9809,CVE-2014-9815,CVE-2014-9817,CVE-2014-9819,CVE-2014-9820,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9839,CVE-2014-9845,CVE-2014-9846,CVE-2014-9853,CVE-2015-8894,CVE-2015-8896,CVE-2016-2317,CVE-2016-2318,CVE-2016-5240,CVE-2016-5241,CVE-2016-5688
Sources used:
openSUSE Leap 42.1 (src):    GraphicsMagick-1.3.21-11.1
Comment 23 Petr Gajdos 2016-09-29 10:25:39 UTC 
While trying to test cases for bsc#1000436, I noticed that a regression to the wpg coder was introduced during the big update to all versions of GraphicsMagick:

$ gm convert test-686 test.jpg
gm: symbol lookup error: /usr/lib64/GraphicsMagick-1.3.21/modules-Q16/coders/wpg.so: undefined symbol: SetImageExtent
$

Patch for CVE-2016-5688 is causing it. This seems to be true for all 11/42.1/13.2. What is the process now?

Unfortunately, after quick search, I have no idea so far what is GraphicsMagick counterpart to SetImageExtent, if any.
Comment 24 Petr Gajdos 2016-09-29 10:45:16 UTC 
GraphicsMagick Mercurial repository does not seem to have the patch.
Comment 25 Petr Gajdos 2016-09-29 11:22:28 UTC 
Sent mail to GraphicsMagick upstream to clarify.
Comment 26 Marcus Meissner 2016-09-29 15:01:40 UTC 
we need to adjust the patch not to call an undefined function :/ 

              image->columns=Bitmap2Header1.Width;
              image->rows=Bitmap2Header1.Heigth;  

              status=SetImageExtent(image,image->columns,image->rows);
              if (status == MagickFalse)
                break;

what SetImageExtent does in ImageMagick SLE11 is setting image->columns and image->rows and flushing the pixel cache.

As GM does not have this cache this fix might not be needed.

I would fix this in the next update.
Comment 27 Petr Gajdos 2016-10-13 13:40:03 UTC 
I believe all fixed.
Comment 28 Bernhard Wiedemann 2016-10-13 14:02:35 UTC 
This is an autogenerated message for OBS integration:
This bug (985442) was mentioned in
https://build.opensuse.org/request/show/434745 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/434747 42.1 / GraphicsMagick
Comment 30 Bernhard Wiedemann 2016-10-18 14:02:59 UTC 
This is an autogenerated message for OBS integration:
This bug (985442) was mentioned in
https://build.opensuse.org/request/show/435916 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/435919 42.1 / GraphicsMagick
Comment 32 Swamp Workflow Management 2016-10-26 12:11:04 UTC 
openSUSE-SU-2016:2641-1: An update that fixes 28 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1000399,1000434,1000436,1000689,1000690,1000691,1000692,1000693,1000695,1000698,1000700,1000702,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,985442,999673
CVE References: CVE-2015-8957,CVE-2015-8958,CVE-2016-5688,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE 13.2 (src):    GraphicsMagick-1.3.20-12.1
Comment 33 Marcus Meissner 2016-12-22 12:09:51 UTC 
released