Bug 1094221 (CVE-2017-18272) - VUL-0: CVE-2017-18272: GraphicsMagick: use-after-free in ReadOneMNGImage in coders/png.c, which allows attackers to cause a denial of service
Summary: VUL-0: CVE-2017-18272: GraphicsMagick: use-after-free in ReadOneMNGImage in c...
Status: RESOLVED WORKSFORME
Alias: CVE-2017-18272
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Petr Gajdos
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/206159/
Whiteboard: CVSSv3:SUSE:CVE-2017-18272:5.3:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-05-22 14:44 UTC by Johannes Segitz
Modified: 2018-05-23 22:37 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Reproducer (532 bytes, application/octet-stream)
2018-05-22 14:44 UTC, Johannes Segitz

Description Johannes Segitz 2018-05-22 14:44:59 UTC
Created attachment 770998
Reproducer

CVE-2017-18272

In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-25, there is a use-after-free in
ReadOneMNGImage in coders/png.c, which allows attackers to cause a denial of
service via a crafted MNG image file that is mishandled in an
MngInfoDiscardObject call.

Our ImageMagick doesn't have this on SLES, but GM looks vulnerable

Reproducer: identify -verbose use-after-free-ReadMNGImage

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18272
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18272.html
https://github.com/ImageMagick/ImageMagick/issues/918
Comment 1 Petr Gajdos 2018-05-23 11:06:36 UTC
BEFORE

12/ImageMagick

$ valgrind -q identify -verbose use-after-free-ReadMNGImage
identify: insufficient image data in file `use-after-free-ReadMNGImage' @ error/png.c/ReadOneMNGImage/5227.
$

11/ImageMagick

$ valgrind -q identify -verbose use-after-free-ReadMNGImage
identify: Insufficient image data in file `use-after-free-ReadMNGImage'.
$

11/GraphicsMagick

$ valgrind -q gm identify -verbose use-after-free-ReadMNGImage
gm identify: Corrupt image (use-after-free-ReadMNGImage).
$

12/GraphicsMagick

$ valgrind -q gm identify -verbose use-after-free-ReadMNGImage
gm identify: Corrupt image (use-after-free-ReadMNGImage).
gm identify: Request did not return an image.
$

HG/GraphicsMagick

$ valgrind -q gm identify -verbose use-after-free-ReadMNGImage
gm identify: Corrupt image (use-after-free-ReadMNGImage).
gm identify: Request did not return an image.
$

[no issues observed]


PATCH

https://github.com/ImageMagick/ImageMagick/commit/2460f71fcdb112dacbc14e3d9b9913dec66af820

11,12/ImageMagick: not vulnerable:

             if (length > 1)
              {
                 [..]
              }
            chunk=(unsigned char *) RelinquishMagickMemory(chunk);
            continue;

42.3,11/GraphicsMagick: In ImageMagick, ReadOneMNGImage() should not free the mng_info structure, as ReadMNGImage() will do so after the return from ReadOneMNGImage() (ThrowReaderException() will do the return). In GraphicsMagick, all is done in ReadMNGImage() (there is no ReadOneMNGImage()), and after ThrowReaderException() the return from ReadMNGImage() will happen, thus the free of mng_info is necessary.

I think no currently maintained codestream is affected.
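The ownership rule from the comment above, as an added C example that is not code from ImageMagick or GraphicsMagick: read_one_mng stands in for ReadOneMNGImage(), read_mng for ReadMNGImage(), and mng_info_release is a hypothetical tracker that counts a repeated release of the same block instead of performing it, much as a sanitizer would report it. With callee_frees set, the callee frees on the error path and the caller frees again after return, which is the double release the upstream commit removed; with it cleared, the caller's single release is the only one.

```c
#include <stdlib.h>

/* Hypothetical stand-in for the reader state; only its ownership matters. */
typedef struct {
    unsigned char *chunk;
} MngInfo;

/* Stand-in for what a sanitizer reports: remember the pointer last
 * released so a repeated release is counted instead of executed. */
static MngInfo *last_released;
static int release_count, double_release_count;

static void mng_info_release(MngInfo *mi)
{
    release_count++;
    if (mi == last_released) {
        double_release_count++;      /* second free of the same block */
        return;                      /* never touch freed memory */
    }
    free(mi->chunk);
    free(mi);
    last_released = mi;
}

/* Models ReadOneMNGImage(): bails out on truncated chunk data. With
 * callee_frees set it also releases mi, although the caller releases it too. */
static int read_one_mng(MngInfo *mi, size_t have, size_t need, int callee_frees)
{
    if (have < need) {
        if (callee_frees)
            mng_info_release(mi);
        return -1;                   /* "insufficient image data" */
    }
    return 0;
}

/* Models ReadMNGImage(): owns mi for its whole lifetime and releases it
 * exactly once after the callee returns, on success and on error alike.
 * Returns the number of repeated releases observed (0 = ownership kept). */
static int read_mng(size_t have, size_t need, int callee_frees)
{
    MngInfo *mi = calloc(1, sizeof *mi);
    if (mi == NULL) return -1;
    mi->chunk = malloc(need ? need : 1);
    release_count = double_release_count = 0; last_released = NULL;
    (void)read_one_mng(mi, have, need, callee_frees);
    mng_info_release(mi);            /* the single legitimate release */
    return double_release_count;
}
```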
Comment 2 Petr Gajdos 2018-05-23 11:07:10 UTC
However, see
https://github.com/ImageMagick/ImageMagick/issues/1139