Bug 1000394 (CVE-2016-7540) - VUL-0: CVE-2016-7540: ImageMagick: writing to RGF format aborts
Summary: VUL-0: CVE-2016-7540: ImageMagick: writing to RGF format aborts
Status: RESOLVED FIXED
Alias: CVE-2016-7540
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/172863/
Whiteboard: CVSSv2:RedHat:CVE-2016-7540:4.3:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-22 10:52 UTC by Victor Pereira
Modified: 2016-12-22 12:10 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2016-09-22 10:52:55 UTC 
CVE-2016-7540

The rgf format (LEGO MINDSTORMS EV3 images) caused a software abort because
exception == NULL. When WriteRGFImage is called from WriteImage, it is only
passed two parameters, not three. So, removed the extra parameter and use
image->exception instead as in other coders.


References:
https://bugs.launchpad.net/bugs/1594060
https://github.com/ImageMagick/ImageMagick/pull/223  
https://bugs.debian.org/827643
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7540
http://seclists.org/oss-sec/2016/q3/590
https://github.com/ImageMagick/ImageMagick/commit/3ab016764c7f787829d9065440d86f5609765110
Comment 1 Swamp Workflow Management 2016-09-22 22:01:13 UTC 
bugbot adjusting priority
Comment 3 Petr Gajdos 2016-09-26 10:11:17 UTC 
I am able to manifest with

$ convert mindstorms.bmp mindstorms.rgf 
convert: coders/rgf.c:345: WriteRGFImage: Assertion `exception != (ExceptionInfo *) ((void *)0)' failed.
Aborted (core dumped)
$

for 13.2/ImageMagick and 12/ImageMagick. Other 11/ImageMagick and all versions of GraphicsMagick does not support rgf format.
Comment 4 Petr Gajdos 2016-09-26 10:12:24 UTC 
(In reply to Victor Pereira from comment #0)
> https://github.com/ImageMagick/ImageMagick/commit/
> 3ab016764c7f787829d9065440d86f5609765110

This link seems to be bogus, am I correct? The correct one seems to be:
https://github.com/ImageMagick/ImageMagick/commit/a0108a892f9ea3c2bb1e7a49b7d71376c2ecbff7
Comment 5 Petr Gajdos 2016-10-13 13:40:14 UTC 
I believe all fixed.
Comment 6 Bernhard Wiedemann 2016-10-13 14:00:27 UTC 
This is an autogenerated message for OBS integration:
This bug (1000394) was mentioned in
https://build.opensuse.org/request/show/434746 13.2 / ImageMagick
Comment 9 Bernhard Wiedemann 2016-10-18 14:01:27 UTC 
This is an autogenerated message for OBS integration:
This bug (1000394) was mentioned in
https://build.opensuse.org/request/show/435917 13.2 / ImageMagick
Comment 11 Bernhard Wiedemann 2016-10-20 10:01:36 UTC 
This is an autogenerated message for OBS integration:
This bug (1000394) was mentioned in
https://build.opensuse.org/request/show/436494 13.2 / ImageMagick
Comment 12 Swamp Workflow Management 2016-10-28 16:07:33 UTC 
SUSE-SU-2016:2667-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000702,1000703,1000704,1000706,1000707,1000708,1000709,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
Comment 13 Swamp Workflow Management 2016-10-28 19:06:31 UTC 
openSUSE-SU-2016:2671-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000703,1000704,1000706,1000707,1000708,1000709,1000710,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7536,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE 13.2 (src):    ImageMagick-6.8.9.8-34.1
Comment 14 Swamp Workflow Management 2016-11-10 16:13:34 UTC 
openSUSE-SU-2016:2770-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000702,1000703,1000704,1000706,1000707,1000708,1000709,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-21.1
Comment 15 Marcus Meissner 2016-12-22 12:10:12 UTC 
released