Bugzilla – Bug 999673
VUL-0: CVE-2016-7446 CVE-2016-7447 CVE-2016-7448 CVE-2016-7449: GraphicsMagick: various issues fixed in 1.3.25
Last modified: 2017-01-30 15:24:24 UTC
rh#1374233

Various issues were fixed in GraphicsMagick 1.3.25:

1. A last instance of CVE-2016-2317 [tracked as bug 1306148] (heap buffer overflow) in the MVG rendering code (also impacts SVG). This problem was originally reported by Gustavo Grieco.
2. A possible heap overflow of the EscapeParenthesis() function. While I was not able to reproduce it for myself, the implementation is replaced with a different algorithm. This problem was reported by Gustavo Grieco.
3. The Utah RLE reader did not validate that header information was reasonable given the file size and so it could cause huge memory allocations and/or consume huge amounts of CPU. This problem was reported by Agostino Sarubbo.
4. The TIFF reader had a bug pertaining to use of TIFFGetField() when a 'count' value is returned. The bug caused a heap read overflow (due to using strlcpy() to copy a possibly unterminated string) which could allow an untrusted file to crash the software.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1374233
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7448
http://seclists.org/oss-sec/2016/q3/550
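Added example, not part of the original report and not GraphicsMagick's code: item 4 above describes copying a counted, possibly unterminated field with strlcpy(). The sketch below shows why that over-reads and what a count-bounded copy looks like. The names `bsd_strlcpy`, `copy_counted_field`, `sample` and `FIELD_COUNT` are hypothetical, and the sample buffer is constructed so that the over-read stays inside one array.

```c
#include <stdio.h>
#include <string.h>

/* Local re-implementation of BSD strlcpy() semantics (assumption: written here
   because not every libc ships it). It calls strlen(src), so it keeps reading
   until it finds a NUL, regardless of how long the field really is. */
static size_t bsd_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize != 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Hypothetical hardened helper for a (pointer, count) field: never touches
   src[count] or beyond, stops at an embedded NUL, always terminates dst. */
size_t copy_counted_field(char *dst, size_t dstsize, const char *src, size_t count)
{
    size_t n = 0;
    if (dstsize == 0)
        return 0;
    while (n < count && n < dstsize - 1 && src[n] != '\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Constructed sample: a 4-byte field "ABCD" without terminator, followed in the
   same array by unrelated bytes that stand in for adjacent heap memory. */
static const char sample[] = { 'A','B','C','D', 's','e','c','r','e','t','\0' };
enum { FIELD_COUNT = 4 };

int main(void)
{
    char a[32], b[32];
    bsd_strlcpy(a, sample, sizeof a);                       /* ignores the count */
    copy_counted_field(b, sizeof b, sample, FIELD_COUNT);   /* honours the count */
    printf("strlcpy-style: \"%s\"\ncount-bounded: \"%s\"\n", a, b);
    return 0;
}
```

In a real reader the bytes after the field belong to the heap rather than to the same array, so the strlen() walk is an out-of-bounds read that can crash the process, as the report describes.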
bugbot adjusting priority
I tried to map CVEs to commits, could you please review?

(In reply to Victor Pereira from comment #0)
> 1. A last instance of CVE-2016-2317 [tracked as bug 1306148] (heap buffer
> overflow) in the MVG rendering code (also impacts SVG). This problem was
> originally reported by Gustavo Grieco.

CVE-2016-7446
http://hg.code.sf.net/p/graphicsmagick/code/rev/98394eb235a6

> 2. A possible heap overflow of the EscapeParenthesis() function. While I was
> not able to reproduce it for myself, the implementation is replaced with a
> different algorithm. This problem was reported by Gustavo Grieco.

CVE-2016-7447
http://hg.code.sf.net/p/graphicsmagick/code/rev/d580e3c3c034

> 3. The Utah RLE reader did not validate that header information was
> reasonable given the file size and so it could cause huge memory allocations
> and/or consume huge amounts of CPU. This problem was reported by Agostino
> Sarubbo.

CVE-2016-7448
http://hg.code.sf.net/p/graphicsmagick/code/rev/30043afadb10
http://hg.code.sf.net/p/graphicsmagick/code/rev/d972c761b55d

> 4. The TIFF reader had a bug pertaining to use of TIFFGetField() when a
> 'count' value is returned. The bug caused a heap read overflow (due to using
> strlcpy() to copy a possibly unterminated string) which could allow an
> untrusted file to crash the software.

CVE-2016-7449
http://hg.code.sf.net/p/graphicsmagick/code/rev/eb58028dacf5
(In reply to Petr Gajdos from comment #2)
> CVE-2016-7446
> http://hg.code.sf.net/p/graphicsmagick/code/rev/98394eb235a6

Affected: all versions

> CVE-2016-7447
> http://hg.code.sf.net/p/graphicsmagick/code/rev/d580e3c3c034

Affected: all versions

> CVE-2016-7448
> http://hg.code.sf.net/p/graphicsmagick/code/rev/30043afadb10
> http://hg.code.sf.net/p/graphicsmagick/code/rev/d972c761b55d

Affected: all versions

> CVE-2016-7449
> http://hg.code.sf.net/p/graphicsmagick/code/rev/eb58028dacf5

Affected: 42.1/GraphicsMagick, 13.2/GraphicsMagick
(In reply to Petr Gajdos from comment #2) Looks good to me
I believe all fixed.
This is an autogenerated message for OBS integration:
This bug (999673) was mentioned in
https://build.opensuse.org/request/show/434745 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/434747 42.1 / GraphicsMagick
This is an autogenerated message for OBS integration:
This bug (999673) was mentioned in
https://build.opensuse.org/request/show/435916 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/435919 42.1 / GraphicsMagick
openSUSE-SU-2016:2641-1: An update that fixes 28 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1000399,1000434,1000436,1000689,1000690,1000691,1000692,1000693,1000695,1000698,1000700,1000702,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,985442,999673
CVE References: CVE-2015-8957,CVE-2015-8958,CVE-2016-5688,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE 13.2 (src): GraphicsMagick-1.3.20-12.1
openSUSE-SU-2016:2644-1: An update that fixes 23 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1000399,1000434,1000689,1000693,1000695,1000698,1000700,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,999673
CVE References: CVE-2016-5688,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE Leap 42.1 (src): GraphicsMagick-1.3.21-14.1
SUSE-SU-2016:2724-1: An update that fixes 26 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1000399,1000434,1000436,1000689,1000690,1000691,1000692,1000693,1000695,1000698,1000700,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,999673
CVE References: CVE-2015-8957,CVE-2015-8958,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
SUSE Studio Onsite 1.3 (src): GraphicsMagick-1.2.5-4.46.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): GraphicsMagick-1.2.5-4.46.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): GraphicsMagick-1.2.5-4.46.1
released