Bug 1057153 (CVE-2017-14137) - VUL-1: CVE-2017-14137: ImageMagick: excessive memory allocation in ReadWEBPImage in coders/webp.c
Status: RESOLVED WORKSFORME
Alias: CVE-2017-14137
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other, OS: Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Petr Gajdos
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/191434/
Whiteboard: CVSSv3:SUSE:CVE-2017-14137:5.3:(AV:N/...
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-05 07:27 UTC by Alexander Bergmann
Modified: 2019-02-24 07:39 UTC
2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Alexander Bergmann 2017-09-05 07:27:53 UTC
CVE-2017-14137

ReadWEBPImage in coders/webp.c in ImageMagick 7.0.6-5 has an issue where
memory allocation is excessive because it depends only on a length
field in a header.

Upstream bug:
https://github.com/ImageMagick/ImageMagick/issues/641

Upstream fix:
https://github.com/ImageMagick/ImageMagick/commit/cb63560ba25e4a6c51ab282538c24877fff7d471

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14137
http://www.cvedetails.com/cve/CVE-2017-14137/
Comment 1 Marcus Meissner 2017-09-29 09:18:46 UTC
large memory OOM DoS
Comment 2 Petr Gajdos 2017-11-07 08:11:40 UTC
(In reply to Alexander Bergmann from comment #0)
> Upstream bug:
> https://github.com/ImageMagick/ImageMagick/issues/641
> 
> Upstream fix:
> https://github.com/ImageMagick/ImageMagick/commit/
> cb63560ba25e4a6c51ab282538c24877fff7d471

From the bug discussion:

"The fix breaks reading all WebP images. Line 266 in the new code sets webp_image to null and then we immediately try to dereference it on line 269."
Comment 4 Petr Gajdos 2017-11-07 09:01:14 UTC
No testcase.
Comment 5 Petr Gajdos 2017-11-07 09:02:04 UTC
I think

+  if (length > GetBlobSize(image))
+    ThrowWEBPException(CorruptImageError,"InsufficientImageDataInFile");

is the relevant part. The others fix memory leaks.
Comment 6 Petr Gajdos 2017-11-07 09:12:56 UTC
The memory leaks are the subject of bug 1057157.
Comment 7 Petr Gajdos 2017-11-07 10:10:02 UTC
11/GraphicsMagick and 11/ImageMagick do not have webp.c.
Comment 8 Petr Gajdos 2017-11-07 10:20:51 UTC
(In reply to Petr Gajdos from comment #5)
> I think
> 
> +  if (length > GetBlobSize(image))
> +    ThrowWEBPException(CorruptImageError,"InsufficientImageDataInFile");
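Review bot: the `length > GetBlobSize(image)` check only rejects a header-declared length larger than the blob; the allocation that follows still takes its size from the header value, whereas the variant in comment 8 (`length=(size_t) GetBlobSize(image);`) removes the attacker-controlled field from the sizing entirely and is the simpler thing to backport. Also note the upstream report quoted in comment 2 that the same commit breaks reading all WebP images (webp_image set to null and then dereferenced), so any backport of this hunk should be checked against a valid WebP sample, not only the oversized-header case.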

Neither 12/ImageMagick nor GraphicsMagick is affected by this.

 length=(size_t) GetBlobSize(image);

instead of 

 length=(size_t) (ReadWebPLSBWord(header+4)+8);

Factory/ImageMagick is already fixed.
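The two sizing strategies contrasted in comment 8, as an added C example that is not ImageMagick's code: the header-only length that CVE-2017-14137 describes beside a check that bounds it by the blob size. The `read_lsb_word` helper, the sample headers and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ImageMagick code. A RIFF/WebP container starts with
 * "RIFF", a 32-bit little-endian size (file size minus these 8 bytes) and
 * "WEBP"; the reader in the bug sized its buffer from that field alone. */

static uint32_t read_lsb_word(const unsigned char *p) {  /* hypothetical helper */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable sizing: the allocation length comes only from the header. */
uint64_t webp_length_from_header(const unsigned char *header) {
    return (uint64_t)read_lsb_word(header + 4) + 8;
}

/* Hardened sizing (the approach in comment 8): reject a header that claims
 * more bytes than the blob holds, then size the buffer by the blob itself. */
int webp_length_checked(const unsigned char *blob, size_t blob_size, size_t *out_len) {
    if (blob_size < 12 || memcmp(blob, "RIFF", 4) != 0 || memcmp(blob + 8, "WEBP", 4) != 0)
        return -1;                               /* not a RIFF/WEBP container */
    if (webp_length_from_header(blob) > blob_size)
        return -1;                               /* "InsufficientImageDataInFile" */
    *out_len = blob_size;
    return 0;
}

/* Constructed 12-byte inputs: one whose size field claims ~4 GiB, one sane. */
static const unsigned char kOversized[12] = {'R','I','F','F', 0xF0,0xFF,0xFF,0xFF, 'W','E','B','P'};
static const unsigned char kSmall[12]     = {'R','I','F','F', 0x04,0x00,0x00,0x00, 'W','E','B','P'};

uint64_t oversized_claim(void) { return webp_length_from_header(kOversized); }
int oversized_rejected(void) { size_t n; return webp_length_checked(kOversized, sizeof kOversized, &n) != 0; }
size_t small_checked_length(void) { size_t n; return webp_length_checked(kSmall, sizeof kSmall, &n) == 0 ? n : 0; }

int main(void) {
    printf("header claims %llu bytes; checked: rejected=%d, sane length=%zu\n",
           (unsigned long long)oversized_claim(), oversized_rejected(), small_checked_length());
    return 0;
}
```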