Bugzilla – Bug 1000399
VUL-0: CVE-2016-7529: ImageMagick: out of bound in quantum handling
Last modified: 2017-08-30 10:11:29 UTC
CVE-2016-7529

This bug was found while fuzzing ImageMagick with afl-fuzz
Tested on ImageMagick version
Tested on git commit 8bc3ab67d818204fe5f0fe1dc29b873d37360461
Command: magick id:000081,sig:06,src:000075,op:havoc,rep:16 /dev/null

References:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1539053
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7529
http://seclists.org/oss-sec/2016/q3/590
https://github.com/ImageMagick/ImageMagick/commit/3ab016764c7f787829d9065440d86f5609765110
bugbot adjusting priority
(In reply to Victor Pereira from comment #0)
> Command: magick id:000081,sig:06,src:000075,op:havoc,rep:16 /dev/null

Note that there is no 'magick' command.
(In reply to Victor Pereira from comment #0)
> https://github.com/ImageMagick/ImageMagick/commit/3ab016764c7f787829d9065440d86f5609765110

This does not seem to be the correct commit. The following looks better:
https://github.com/ImageMagick/ImageMagick/commit/a2e1064f288a353bc5fef7f79ccb7683759e775c

Am I right?
Testcase:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1539053/+attachment/4558290/+files/id%3A000081%2Csig%3A06%2Csrc%3A000075%2Cop%3Ahavoc%2Crep%3A16
For 13.2/ImageMagick and 12/ImageMagick I can demonstrate with:

$ convert id:000081,sig:06,src:000075,op:havoc,rep:16 /dev/null
convert: magick/quantum.c:267: DestroyQuantumPixels: Assertion `quantum_info->pixels[i][extent] == 0xab' failed.
Aborted (core dumped)
$

11/ImageMagick does not recognize the image format.

11/GraphicsMagick reports 'gm convert: Improper image header (test).'.

13.2/GraphicsMagick and 42.1/GraphicsMagick report valgrind errors.
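The assertion quoted in comment 5 is a guard-byte check: the byte just past each pixel buffer's usable extent is expected to still hold 0xab when the buffer is destroyed, so a write that ran past the extent is caught at free time rather than silently corrupting the heap. The following is an added stand-alone C illustration of that technique; it is not ImageMagick's code. The 0xab value comes from the quoted assertion, while the struct, function names, the 16-byte padding size and the writer functions are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* GUARD_BYTE matches the value in the quoted assertion; the padding size
   and everything else here is an assumption for illustration only. */
#define GUARD_BYTE 0xab
#define GUARD_PAD  16

typedef struct {
    size_t extent;          /* usable bytes the caller may write */
    unsigned char *pixels;  /* extent bytes followed by GUARD_PAD guard bytes */
} QuantumBuffer;

/* Allocate extent usable bytes plus a trailing guard region filled with GUARD_BYTE. */
QuantumBuffer *acquire_quantum_buffer(size_t extent)
{
    if (extent > SIZE_MAX - GUARD_PAD)
        return NULL;
    QuantumBuffer *q = malloc(sizeof *q);
    if (q == NULL)
        return NULL;
    q->pixels = malloc(extent + GUARD_PAD);
    if (q->pixels == NULL) {
        free(q);
        return NULL;
    }
    q->extent = extent;
    memset(q->pixels, 0, extent);
    memset(q->pixels + extent, GUARD_BYTE, GUARD_PAD);
    return q;
}

/* Returns 1 if every guard byte still holds GUARD_BYTE, 0 if a write ran past extent. */
int quantum_guard_intact(const QuantumBuffer *q)
{
    for (size_t i = 0; i < GUARD_PAD; i++)
        if (q->pixels[q->extent + i] != GUARD_BYTE)
            return 0;
    return 1;
}

/* Release the buffer and report guard status instead of abort()ing as assert() would. */
int destroy_quantum_buffer(QuantumBuffer *q)
{
    if (q == NULL)
        return 1;
    int intact = quantum_guard_intact(q);
    free(q->pixels);
    free(q);
    return intact;
}

/* Hardened writer: refuses a sample count the buffer cannot hold. */
int export_samples_checked(QuantumBuffer *q, size_t samples)
{
    if (samples > q->extent)
        return 0;
    for (size_t i = 0; i < samples; i++)
        q->pixels[i] = (unsigned char)i;
    return 1;
}

/* Unchecked writer: models an overrun of the kind the fuzz case exposed. The demo only
   calls it with an overrun that stays inside the guard padding, so the demo itself is defined. */
void export_samples_unchecked(QuantumBuffer *q, size_t samples)
{
    for (size_t i = 0; i < samples; i++)
        q->pixels[i] = (unsigned char)i;
}

/* Demo 1: a 4-byte overrun of a 64-byte extent is detected at destroy time. Returns 1 on detection. */
int demo_overrun_detected(void)
{
    QuantumBuffer *q = acquire_quantum_buffer(64);
    if (q == NULL)
        return 0;
    export_samples_unchecked(q, 64 + 4);
    return destroy_quantum_buffer(q) == 0;
}

/* Demo 2: the bounded writer rejects the same request and the guard stays intact. */
int demo_bound_rejects(void)
{
    QuantumBuffer *q = acquire_quantum_buffer(64);
    if (q == NULL)
        return 0;
    int accepted = export_samples_checked(q, 64 + 4);
    int intact = destroy_quantum_buffer(q);
    return accepted == 0 && intact == 1;
}
```

A guard byte only reports the overrun after it has happened and only if the overrun reaches the guard; the "heap-buffer-overflow WRITE of size 1" reports quoted later in this bug come from AddressSanitizer, which stops at the offending store itself. The guard is cheap enough to leave enabled in production builds, which is why the assertion fired here without any sanitizer.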
This report is bogus. From oss-security:

-----------------------8<------------------
out of bound access in xcf file coder:

Debian Bug: https://bugs.debian.org/832504

Additional references:
----------------------
https://bugs.launchpad.net/bugs/1539051
https://bugs.launchpad.net/bugs/1539052
https://github.com/ImageMagick/ImageMagick/issues/104
https://github.com/ImageMagick/ImageMagick/issues/103
https://github.com/ImageMagick/ImageMagick/commit/a2e1064f288a353bc5fef7f79ccb7683759e775c

AddressSanitizer: heap-buffer-overflow READ of size 1

Use CVE-2016-7529.
----------------------->8-------------------

Comment 0 of this bug, including its links, points to another problem.
If I am not mistaken, the correct testcases for CVE-2016-7529 can be found in
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1539051
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1539052
Valgrind errors seem to be present even after patching (probably another bug is manifesting), so I am not sure how to demonstrate the problem with the testcases. The code seems to be everywhere; considering all GM and IM versions affected.
(even subject is wrong, obviously)
*** Bug 1000703 has been marked as a duplicate of this bug. ***
Now CVE-2016-7530, aka 'out of bound in quantum handling'. For the testcase see comment 4; the result of it before is in comment 5. From oss-sec:

------------------------8<-----------------
out of bound in quantum handling:

Debian Bug: https://bugs.debian.org/832506

Additional references:
----------------------
https://bugs.launchpad.net/bugs/1539067
https://bugs.launchpad.net/bugs/1539053
https://github.com/ImageMagick/ImageMagick/issues/105
https://github.com/ImageMagick/ImageMagick/commit/63346f34f9d19179599b5b256e5e8d3dda46435c
https://github.com/ImageMagick/ImageMagick/commit/c4e63ad30bc42da691f2b5f82a24516dd6b4dc70
https://github.com/ImageMagick/ImageMagick/issues/110
https://github.com/ImageMagick/ImageMagick/commit/b5ed738f8060266bf4ae521f7e3ed145aa4498a3

AddressSanitizer: heap-buffer-overflow WRITE of size 1

Use CVE-2016-7530.
--------------------------->8----------------
(In reply to Petr Gajdos from comment #5)
> For 13.2/ImageMagick and 12/ImageMagick I can demonstrate with:
>
> $ convert id:000081,sig:06,src:000075,op:havoc,rep:16 /dev/null
> convert: magick/quantum.c:267: DestroyQuantumPixels: Assertion
> `quantum_info->pixels[i][extent] == 0xab' failed.
> Aborted (core dumped)
> $

For 13.2/ImageMagick and 12/ImageMagick this went away:

$ convert *16 /dev/null
$

Memory errors remained.

> 11/ImageMagick does not recognize the image format.
>
> 11/GraphicsMagick reports 'gm convert: Improper image header (test).'.
>
> 13.2/GraphicsMagick and 42.1/GraphicsMagick report valgrind errors.

Memory errors seem to be not a good measure; the code looks different. Considering these unaffected.
(In reply to Petr Gajdos from comment #12)
> (In reply to Petr Gajdos from comment #5)
> Memory errors remained.
>
> > 11/ImageMagick does not recognize the image format.
> >
> > 11/GraphicsMagick reports 'gm convert: Improper image header (test).'.
> >
> > 13.2/GraphicsMagick and 42.1/GraphicsMagick report valgrind errors.
>
> Memory errors seem to be not a good measure; the code looks different.
> Considering these unaffected.

Actually, the 11/ImageMagick SetQuantumDepth() code looks similar. Considering it partially affected, too.
This is an autogenerated message for OBS integration:
This bug (1000399) was mentioned in
https://build.opensuse.org/request/show/434745 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/434746 13.2 / ImageMagick
https://build.opensuse.org/request/show/434747 42.1 / GraphicsMagick
This is an autogenerated message for OBS integration:
This bug (1000399) was mentioned in
https://build.opensuse.org/request/show/435916 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/435917 13.2 / ImageMagick
https://build.opensuse.org/request/show/435919 42.1 / GraphicsMagick
This is an autogenerated message for OBS integration:
This bug (1000399) was mentioned in
https://build.opensuse.org/request/show/436494 13.2 / ImageMagick
openSUSE-SU-2016:2641-1: An update that fixes 28 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1000399,1000434,1000436,1000689,1000690,1000691,1000692,1000693,1000695,1000698,1000700,1000702,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,985442,999673
CVE References: CVE-2015-8957,CVE-2015-8958,CVE-2016-5688,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE 13.2 (src): GraphicsMagick-1.3.20-12.1
openSUSE-SU-2016:2644-1: An update that fixes 23 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1000399,1000434,1000689,1000693,1000695,1000698,1000700,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,999673
CVE References: CVE-2016-5688,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE Leap 42.1 (src): GraphicsMagick-1.3.21-14.1
SUSE-SU-2016:2667-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000702,1000703,1000704,1000706,1000707,1000708,1000709,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Server 12-SP1 (src): ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Desktop 12-SP1 (src): ImageMagick-6.8.8.1-40.1
openSUSE-SU-2016:2671-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000703,1000704,1000706,1000707,1000708,1000709,1000710,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7536,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE 13.2 (src): ImageMagick-6.8.9.8-34.1
SUSE-SU-2016:2724-1: An update that fixes 26 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1000399,1000434,1000436,1000689,1000690,1000691,1000692,1000693,1000695,1000698,1000700,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,999673
CVE References: CVE-2015-8957,CVE-2015-8958,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
SUSE Studio Onsite 1.3 (src): GraphicsMagick-1.2.5-4.46.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): GraphicsMagick-1.2.5-4.46.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): GraphicsMagick-1.2.5-4.46.1
openSUSE-SU-2016:2770-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000702,1000703,1000704,1000706,1000707,1000708,1000709,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE Leap 42.1 (src): ImageMagick-6.8.8.1-21.1
This is an autogenerated message for OBS integration:
This bug (1000399) was mentioned in
https://build.opensuse.org/request/show/442718 42.2 / GraphicsMagick
SUSE-SU-2016:2964-1: An update that fixes 34 vulnerabilities is now available.

Category: security (important)
Bug References: 1000399,1000434,1000436,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000698,1000699,1000700,1000701,1000703,1000704,1000707,1000709,1000711,1000713,1000714,1001066,1001221,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1007245
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-5687,CVE-2016-6823,CVE-2016-7101,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7533,CVE-2016-7535,CVE-2016-7537,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684,CVE-2016-8862
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ImageMagick-6.4.3.6-7.54.1
SUSE Linux Enterprise Server 11-SP4 (src): ImageMagick-6.4.3.6-7.54.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): ImageMagick-6.4.3.6-7.54.1
openSUSE-SU-2016:3060-1: An update that fixes 31 vulnerabilities is now available.

Category: security (important)
Bug References: 1000399,1000434,1000689,1000698,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,1007245,1011130,982178,983521,983752,983794,983799,984145,984150,984166,984372,984375,984394,984400,984436
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9809,CVE-2014-9815,CVE-2014-9817,CVE-2014-9820,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9845,CVE-2014-9846,CVE-2014-9853,CVE-2016-5118,CVE-2016-6823,CVE-2016-7101,CVE-2016-7515,CVE-2016-7522,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684,CVE-2016-8862,CVE-2016-9556
Sources used:
openSUSE Leap 42.2 (src): GraphicsMagick-1.3.25-3.1
released
CVE-2016-7529: in GraphicsMagick, the xcf issue is solved another way and fails right before allocation with:

gm convert: Corrupt image (Claimed tile data length is insufficient for tile data).

Considering unaffected.
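The GraphicsMagick behaviour quoted above, rejecting a tile whose declared data length cannot cover the pixels it claims to hold before any buffer is allocated, is the general defence against the out-of-bound read class this CVE falls into. The following is an added C illustration of that check; it is not GraphicsMagick's or ImageMagick's code and the record layout is a constructed one (three big-endian 32-bit fields followed by tile bytes), not the real XCF tile encoding. Status names, bytes-per-pixel handling and the sample inputs are all assumptions for the demo. It also rejects a claimed length that runs past the end of the input and a width*height*bpp product that would overflow, two neighbouring failure modes the same validation step should cover.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record layout for the demo (NOT the real XCF tile encoding):
   u32 BE width, u32 BE height, u32 BE claimed_len, then claimed_len bytes of tile data. */
enum {
    TILE_OK = 0,
    TILE_TRUNCATED_HEADER,    /* fewer than 12 header bytes available */
    TILE_SIZE_OVERFLOW,       /* width*height*bpp does not fit in size_t */
    TILE_CLAIM_INSUFFICIENT,  /* claimed length smaller than the pixels need (the GM message above) */
    TILE_CLAIM_EXCEEDS_INPUT  /* claimed length runs past the end of the input */
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate the header against the bytes actually present. Never allocates. */
int validate_tile(const uint8_t *buf, size_t len, size_t bpp, size_t *needed_out)
{
    if (len < 12)
        return TILE_TRUNCATED_HEADER;
    uint32_t width = read_be32(buf), height = read_be32(buf + 4), claimed = read_be32(buf + 8);

    if (width != 0 && (size_t)height > SIZE_MAX / width)
        return TILE_SIZE_OVERFLOW;
    size_t pixels = (size_t)width * height;
    if (bpp != 0 && pixels > SIZE_MAX / bpp)
        return TILE_SIZE_OVERFLOW;
    size_t needed = pixels * bpp;

    if ((size_t)claimed < needed)
        return TILE_CLAIM_INSUFFICIENT;   /* reader would run off the end of the tile data */
    if ((size_t)claimed > len - 12)
        return TILE_CLAIM_EXCEEDS_INPUT;  /* reader would run off the end of the file */
    if (needed_out != NULL)
        *needed_out = needed;
    return TILE_OK;
}

/* Allocate and copy only after validation passed; returns NULL and sets *status otherwise. */
uint8_t *load_tile(const uint8_t *buf, size_t len, size_t bpp, int *status)
{
    size_t needed = 0;
    int rc = validate_tile(buf, len, bpp, &needed);
    if (status != NULL)
        *status = rc;
    if (rc != TILE_OK)
        return NULL;
    uint8_t *tile = malloc(needed ? needed : 1);
    if (tile == NULL)
        return NULL;
    memcpy(tile, buf + 12, needed);
    return tile;
}

/* Helper for the constructed inputs below: write a 12-byte header into dst. */
static void put_header(uint8_t *dst, uint32_t w, uint32_t h, uint32_t claimed)
{
    uint32_t v[3] = { w, h, claimed };
    for (int i = 0; i < 3; i++) {
        dst[i * 4 + 0] = (uint8_t)(v[i] >> 24);
        dst[i * 4 + 1] = (uint8_t)(v[i] >> 16);
        dst[i * 4 + 2] = (uint8_t)(v[i] >> 8);
        dst[i * 4 + 3] = (uint8_t)(v[i]);
    }
}

/* Constructed input: a well-formed 2x2 RGBA tile (16 bytes). Returns 1 on success. */
int demo_valid_tile(void)
{
    uint8_t buf[12 + 16];
    put_header(buf, 2, 2, 16);
    memset(buf + 12, 0x7f, 16);
    int st;
    uint8_t *t = load_tile(buf, sizeof buf, 4, &st);
    int ok = (t != NULL && st == TILE_OK && t[15] == 0x7f);
    free(t);
    return ok;
}

/* Constructed input: header claims 8 bytes for a tile that needs 16. */
int demo_claim_too_small(void)
{
    uint8_t buf[12 + 16];
    put_header(buf, 2, 2, 8);
    memset(buf + 12, 0, 16);
    return validate_tile(buf, sizeof buf, 4, NULL);
}

/* Constructed input: header claims 1000 bytes but only 16 follow. */
int demo_claim_past_input(void)
{
    uint8_t buf[12 + 16];
    put_header(buf, 2, 2, 1000);
    memset(buf + 12, 0, 16);
    return validate_tile(buf, sizeof buf, 4, NULL);
}

/* Constructed input: dimensions whose byte size overflows size_t. */
int demo_size_overflow(void)
{
    uint8_t buf[12];
    put_header(buf, 0xffffffffu, 0xffffffffu, 0);
    return validate_tile(buf, sizeof buf, 4, NULL);
}
```

The order of the checks matters: the size arithmetic is validated before it is used in any comparison, and both bounds (claimed versus needed, claimed versus bytes actually present) are established before malloc() is called, which is what lets GraphicsMagick fail with a clean "Corrupt image" error instead of the sanitizer-reported heap read.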