1028079 – (CVE-2017-6500) VUL-1: CVE-2017-6500: GraphicsMagick: An issue was discovered in ImageMagick 6.9.7. A specially crafted sun filetriggers a heap-based buf...

Bug 1028079 (CVE-2017-6500) - VUL-1: CVE-2017-6500: GraphicsMagick: An issue was discovered in ImageMagick 6.9.7. A specially crafted sun filetriggers a heap-based buf...

Summary: VUL-1: CVE-2017-6500: GraphicsMagick: An issue was discovered in ImageMagick ...

Status:	RESOLVED WORKSFORME

Alias:	CVE-2017-6500

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assignee:	Petr Gajdos
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/181228/
Whiteboard:	CVSSv2:SUSE:CVE-2017-6500:2.6:(AV:N/A...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2017-03-06 10:02 UTC by Marcus Meissner
Modified:	2017-06-14 19:24 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
bug1 (240 bytes, application/octet-stream) 2017-03-06 10:05 UTC, Marcus Meissner	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2017-03-06 10:02:10 UTC

CVE-2017-6500

An issue was discovered in ImageMagick 6.9.7. A specially crafted sun file
triggers a heap-based buffer over-read.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6500
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856879
https://github.com/ImageMagick/ImageMagick/issues/376
https://github.com/ImageMagick/ImageMagick/issues/375
https://github.com/ImageMagick/ImageMagick/commit/3007531bfd326c5c1e29cd41d2cd80c166de8528

Comment 1 Marcus Meissner 2017-03-06 10:05:36 UTC

Created attachment 716411 [details]
bug1

QA REPRODUCER:

convert bug1 /dev/null

should not crash

valgrind convert bug1 /dev/null

should not show out of bounds reads

(NOTE: can not reproduce currently)

Comment 2 Marcus Meissner 2017-03-06 10:12:26 UTC

We have several patches touching this code already in ImageMagick, one of them probably has fixed it already.

similar to CVE-2016-7518 in bug 1000694.


GraphicsMagic in SLE11 seems to still have the buggy code.

Comment 3 Marcus Meissner 2017-03-06 10:12:46 UTC

QA REPRODUCER (GraphicsMagick):

gm convert bug1 /dev/null

should not show a backtrace

Comment 4 Swamp Workflow Management 2017-03-06 23:01:03 UTC

bugbot adjusting priority

Comment 7 Petr Gajdos 2017-03-21 13:15:51 UTC

I get no crash nor valgrind errors anywhere.

Comment 9 Petr Gajdos 2017-03-21 15:47:07 UTC

I bet the bug does not affect GraphicsMagick:

bytes_per_line += sun_info.width % 8 ? 1 : 0;

Comment 11 Swamp Workflow Management 2017-03-29 04:10:24 UTC

SUSE-RU-2017:0843-1: An update that has two recommended fixes can now be installed.

Category: recommended (low)
Bug References: 1027480,1028079
CVE References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.70.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.70.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.70.1