graphicsmagick: CVE-2017-11102

Debian Bug report logs - #867746
graphicsmagick: CVE-2017-11102

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: graphicsmagick: CVE-2017-11102

Date: Sun, 09 Jul 2017 10:06:40 +0200

Source: graphicsmagick
Version: 1.3.26-1
Severity: important
Tags: patch upstream security

Hi,

the following vulnerability was published for graphicsmagick.

CVE-2017-11102[0]:
| The ReadOneJNGImage function in coders/png.c in GraphicsMagick 1.3.26
| allows remote attackers to cause a denial of service (application
| crash) during JNG reading via a zero-length color_image data
| structrure.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11102
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11102
[1] http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5
[2] http://hg.code.sf.net/p/graphicsmagick/code/rev/dea93a690fc1

Please adjust the affected versions in the BTS as needed. Only check
for unstable has been done, and unless I was completely wrong on
checking the JNG support should be enabled.

Regards,
Salvatore

Message #10 received at 867746@bugs.debian.org (full text, mbox, reply):

From: László Böszörményi (GCS) <gcs@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 867746@bugs.debian.org

Subject: Re: Bug#867746: graphicsmagick: CVE-2017-11102

Date: Sun, 9 Jul 2017 11:38:39 +0200

Hi Salvatore,

On Sun, Jul 9, 2017 at 10:06 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> the following vulnerability was published for graphicsmagick.
>
> CVE-2017-11102[0]:
 Thanks for the heads-up - luckily I already known this. At the moment
I'm sure it affects Stretch as well. I mean, JNG support is not
enabled, neither disabled and depends on the software environment
GraphicsMagick compiled in. This means any user may compile
GraphicsMagick on his/her system, can be vulnerable. The fix is in two
commits and while the second seems to be a code cleanup only, it
breaks the package. Pinged upstream about it, but I still waiting for
the answer.

Regards,
Laszlo/GCS

Message #15 received at 867746@bugs.debian.org (full text, mbox, reply):

From: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

To: László Böszörményi <gcs@debian.org>, 867746@bugs.debian.org

Subject: Re: Bug#867746: graphicsmagick: CVE-2017-11102

Date: Sun, 9 Jul 2017 08:42:30 -0500 (CDT)

[Message part 1 (text/plain, inline)]

On Sun, 9 Jul 2017, László Böszörményi wrote:

> Hi Salvatore,
>
> On Sun, Jul 9, 2017 at 10:06 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
>> the following vulnerability was published for graphicsmagick.
>>
>> CVE-2017-11102[0]:
> Thanks for the heads-up - luckily I already known this. At the moment
> I'm sure it affects Stretch as well. I mean, JNG support is not
> enabled, neither disabled and depends on the software environment
> GraphicsMagick compiled in. This means any user may compile
> GraphicsMagick on his/her system, can be vulnerable. The fix is in two
> commits and while the second seems to be a code cleanup only, it
> breaks the package. Pinged upstream about it, but I still waiting for
> the answer.

As far as I am aware, I do not have any email from you about this. 
While there was intermediate breakage, the png.c changes between 
Mercurial changeset 15059:dea93a690fc1 and 15066:e8f859704230 are 
believed to solve the assertion problem, as well as solve a memory 
leak problem in the error path.  The test suite is completely passing.

  hg diff -r 15059 -r 15066 coders/png.c

Bob
-- 
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

Message #20 received at 867746@bugs.debian.org (full text, mbox, reply):

From: László Böszörményi (GCS) <gcs@debian.org>

To: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

Cc: 867746@bugs.debian.org

Subject: Re: Bug#867746: graphicsmagick: CVE-2017-11102

Date: Sun, 9 Jul 2017 16:32:53 +0200

On Sun, Jul 9, 2017 at 3:42 PM, Bob Friesenhahn
<bfriesen@simple.dallas.tx.us> wrote:
> On Sun, 9 Jul 2017, László Böszörményi wrote:
>> Thanks for the heads-up - luckily I already known this. At the moment
>> I'm sure it affects Stretch as well. I mean, JNG support is not
>> enabled, neither disabled and depends on the software environment
>> GraphicsMagick compiled in. This means any user may compile
>> GraphicsMagick on his/her system, can be vulnerable. The fix is in two
>> commits and while the second seems to be a code cleanup only, it
>> breaks the package. Pinged upstream about it, but I still waiting for
>> the answer.
>
> As far as I am aware, I do not have any email from you about this. While
> there was intermediate breakage, the png.c changes between Mercurial
> changeset 15059:dea93a690fc1 and 15066:e8f859704230 are believed to solve
> the assertion problem, as well as solve a memory leak problem in the error
> path.  The test suite is completely passing.
 Learning from my previous email, when you noted that you are not the
author of the fix - I asked Glenn Randers-Pehrson as he is the author
of the fixing commits[1][2]. If I apply both on 1.3.26 then the self
test fails with:
-- cut --
t/jbig/write.t ....
1..1
ok 1
ok
perl: magick/image.c:1307: DestroyImageInfo: Assertion
`image_info->signature == MagickSignature' failed.
Magick: abort due to signal 6 (SIGABRT) "Abort"...
t/jng/read.t ......
1..11
ok 1
Failed 10/11 subtests
perl: magick/image.c:1307: DestroyImageInfo: Assertion
`image_info->signature == MagickSignature' failed.
Magick: abort due to signal 6 (SIGABRT) "Abort"...
-- cut --

If I remove the second[2] commit, then all is fine again. Environment
is Debian/Sid, Perl is 5.24.1 version.

Regards,
Laszlo/GCS
[1] http://hg.code.sf.net/p/graphicsmagick/code/rev/dea93a690fc1
[2] http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5

Message #25 received at 867746@bugs.debian.org (full text, mbox, reply):

From: László Böszörményi (GCS) <gcs@debian.org>

To: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

Cc: 867746@bugs.debian.org

Subject: Re: Bug#867746: graphicsmagick: CVE-2017-11102

Date: Sun, 9 Jul 2017 17:02:35 +0200

On Sun, Jul 9, 2017 at 4:32 PM, László Böszörményi (GCS) <gcs@debian.org> wrote:
> On Sun, Jul 9, 2017 at 3:42 PM, Bob Friesenhahn
> <bfriesen@simple.dallas.tx.us> wrote:
>> On Sun, 9 Jul 2017, László Böszörményi wrote:
>> As far as I am aware, I do not have any email from you about this. While
>> there was intermediate breakage, the png.c changes between Mercurial
>> changeset 15059:dea93a690fc1 and 15066:e8f859704230 are believed to solve
>> the assertion problem, as well as solve a memory leak problem in the error
>> path.  The test suite is completely passing.
>  Learning from my previous email, when you noted that you are not the
> author of the fix - I asked Glenn Randers-Pehrson as he is the author
> of the fixing commits[1][2]. If I apply both on 1.3.26 then the self
> test fails with:
 Ah, just found out you have additional commits since then. Tested
check-in 4d0baa and it fixes the self test problem. But I suspect I
need dc7e12 as well, right?

Laszlo/GCS

Message #30 received at 867746@bugs.debian.org (full text, mbox, reply):

From: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

To: László Böszörményi <gcs@debian.org>, 867746@bugs.debian.org

Subject: Re: Bug#867746: graphicsmagick: CVE-2017-11102

Date: Sun, 9 Jul 2017 11:43:48 -0500 (CDT)

[Message part 1 (text/plain, inline)]

On Sun, 9 Jul 2017, László Böszörményi wrote:

> On Sun, Jul 9, 2017 at 4:32 PM, László Böszörményi (GCS) <gcs@debian.org> wrote:
>> On Sun, Jul 9, 2017 at 3:42 PM, Bob Friesenhahn
>> <bfriesen@simple.dallas.tx.us> wrote:
>>> On Sun, 9 Jul 2017, László Böszörményi wrote:
>>> As far as I am aware, I do not have any email from you about this. While
>>> there was intermediate breakage, the png.c changes between Mercurial
>>> changeset 15059:dea93a690fc1 and 15066:e8f859704230 are believed to solve
>>> the assertion problem, as well as solve a memory leak problem in the error
>>> path.  The test suite is completely passing.
>>  Learning from my previous email, when you noted that you are not the
>> author of the fix - I asked Glenn Randers-Pehrson as he is the author
>> of the fixing commits[1][2]. If I apply both on 1.3.26 then the self
>> test fails with:
> Ah, just found out you have additional commits since then. Tested
> check-in 4d0baa and it fixes the self test problem. But I suspect I
> need dc7e12 as well, right?

You would need all of these changesets:

changeset:   15066:e8f859704230
user:        Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
date:        Sat Jul 08 18:05:51 2017 -0400
files:       coders/png.c
description:
Another attempt to checkin revised double-free fix.


changeset:   15064:4d0baa77245b
user:        Bob Friesenhahn <bfriesen@GraphicsMagick.org>
date:        Sat Jul 08 12:59:45 2017 -0500
files:       ChangeLog coders/png.c www/Changelog.html
description:
JNG: Fix double frees caused by changeset 15060:d445af60a8d5 commited 
on 2017-07-06


changeset:   15060:d445af60a8d5
user:        Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
date:        Thu Jul 06 10:42:50 2017 -0400
files:       ChangeLog coders/png.c
description:
coders/png.c: Consolidate JNG cleanup into a new DestroyJNG() 
function.


changeset:   15059:dea93a690fc1
parent:      15057:a42ae8447fe7
user:        Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
date:        Wed Jul 05 09:41:22 2017 -0400
files:       ChangeLog coders/png.c
description:
Stop crash due to zero-length color_image while reading a JNG


I think that this will result in a useful patch:

 hg diff -r dea93a690fc1 -r e8f859704230 coders/png.c

Bob
-- 
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

Message #35 received at 867746-close@bugs.debian.org (full text, mbox, reply):

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>

To: 867746-close@bugs.debian.org

Subject: Bug#867746: fixed in graphicsmagick 1.3.26-2

Date: Sun, 09 Jul 2017 17:20:25 +0000

Source: graphicsmagick
Source-Version: 1.3.26-2

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867746@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 08 Jul 2017 07:33:10 +0000
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick-q16-3 libgraphicsmagick1-dev libgraphicsmagick++-q16-12 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.26-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++-q16-12 - format-independent image processing - C++ shared library
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick-q16-3 - format-independent image processing - C shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 867746
Changes:
 graphicsmagick (1.3.26-2) unstable; urgency=high
 .
   * Fix CVE-2017-11102: remote denial of service during JNG reading via a
     zero-length color_image data structrure in ReadOneJNGImage (png.c)
     (closes: #867746).
   * Add new DestroyJNGInfo@Base and remove DestroyJNG@Base obsolete symbols.
Checksums-Sha1:
 261bd79dd277ee0b86e2c727c0dda20893bee3f2 2804 graphicsmagick_1.3.26-2.dsc
 9469b658cff7712d6ff29f6bf1aa2a51f8e8d0b9 141068 graphicsmagick_1.3.26-2.debian.tar.xz
 51ba310b574423806990c36f6459a69f8223360c 3172092 graphicsmagick-dbg_1.3.26-2_amd64.deb
 b87d65b1f4570ec42024c024b2a181f3bddd3d74 22250 graphicsmagick-imagemagick-compat_1.3.26-2_all.deb
 ce2970168c5f4e117a9f61775f4d04e46966edf5 25686 graphicsmagick-libmagick-dev-compat_1.3.26-2_all.deb
 1ec1c28d99caf2d39483a8e3356df1f01802a090 11529 graphicsmagick_1.3.26-2_amd64.buildinfo
 430cce512f00c71b82863e165648ed2166110824 863132 graphicsmagick_1.3.26-2_amd64.deb
 5e8a9574922c9a4f5e00a618699eadaedc89dad6 69544 libgraphics-magick-perl_1.3.26-2_amd64.deb
 d62bc14fd6d80e10ba105f743b21a3f5be4b9098 116468 libgraphicsmagick++-q16-12_1.3.26-2_amd64.deb
 1791a8ce770b797b2821c2e781cb15eb9dad0916 301606 libgraphicsmagick++1-dev_1.3.26-2_amd64.deb
 bd9e04d314bb4f04dd1a2f172b3f7d0190f7c9ed 1110992 libgraphicsmagick-q16-3_1.3.26-2_amd64.deb
 a9596daa8242d83000c5c4ee54b18ded697f961b 1335024 libgraphicsmagick1-dev_1.3.26-2_amd64.deb
Checksums-Sha256:
 4a267536ea9f85e4a8a93ea098d5fb6fe06f4aaacaab88c4b1457a71cab960ad 2804 graphicsmagick_1.3.26-2.dsc
 6192d136f8550b6cb7c6a5ac9f93c2267e59ae2df042dd390cdaf4395d0f79e1 141068 graphicsmagick_1.3.26-2.debian.tar.xz
 553e053fcc6d8cf03bd2bf527b6d75c886e9e6a3c96f75f016de75de7ea8a85e 3172092 graphicsmagick-dbg_1.3.26-2_amd64.deb
 9e7ab0ed217250e871d4c16e1f390bc583a8fe123660a68a12ce2a626c965bca 22250 graphicsmagick-imagemagick-compat_1.3.26-2_all.deb
 12da94016e02ebd3fcdb63f9bb9421b527530285df2a2ad80c8adee83765d991 25686 graphicsmagick-libmagick-dev-compat_1.3.26-2_all.deb
 9029b8a7ccdce1aebe7df7015e4a4f3a777d10dfa22f087bd3985cb0e05c7471 11529 graphicsmagick_1.3.26-2_amd64.buildinfo
 0c6a887ebdb912101d7870023b1c4ed992a5f9867297cabb03ae18dba38fe40a 863132 graphicsmagick_1.3.26-2_amd64.deb
 2d24a9990f0aa0e070652323dd2cc4e42e86320141957f717118b5df78b9ac17 69544 libgraphics-magick-perl_1.3.26-2_amd64.deb
 b22a2a7033288a3dc2aa737b740079a3dcd574d0f7b3128e6c389e95944bd1b7 116468 libgraphicsmagick++-q16-12_1.3.26-2_amd64.deb
 b4c8ea6048d70f8f885ce69e93e8bba56a06b9a1967d527289950964a60257b1 301606 libgraphicsmagick++1-dev_1.3.26-2_amd64.deb
 db81ecc39ba444495f745088f34e5d05fe0272ee79072a04551ee47784d54ea6 1110992 libgraphicsmagick-q16-3_1.3.26-2_amd64.deb
 da5f95c3a9648ccbc320e388562a778231ba54b369a68453ee73724bee93fb4a 1335024 libgraphicsmagick1-dev_1.3.26-2_amd64.deb
Files:
 0f65c76d6034b24e09d211bcd37181fa 2804 graphics optional graphicsmagick_1.3.26-2.dsc
 1b6894c4563d41f68d887d45982257b0 141068 graphics optional graphicsmagick_1.3.26-2.debian.tar.xz
 5c1eafd943d3ac88b14b18cebe91ec1c 3172092 debug extra graphicsmagick-dbg_1.3.26-2_amd64.deb
 bb926571ac5f99f7d3c50d0592f0845f 22250 graphics extra graphicsmagick-imagemagick-compat_1.3.26-2_all.deb
 b57e46ff8ab08d810b35fdaa5c299681 25686 graphics extra graphicsmagick-libmagick-dev-compat_1.3.26-2_all.deb
 57cb6c8501fa8cccbe971baf9ae56fc9 11529 graphics optional graphicsmagick_1.3.26-2_amd64.buildinfo
 c179b9a7723fdfba060fbedb519fad07 863132 graphics optional graphicsmagick_1.3.26-2_amd64.deb
 4e8908994eb691db9863412f8f5576b1 69544 perl optional libgraphics-magick-perl_1.3.26-2_amd64.deb
 2e4d744f92ec8408da2a077a75d0cf00 116468 libs optional libgraphicsmagick++-q16-12_1.3.26-2_amd64.deb
 eebc6d34b4d48995276cf96309d825bb 301606 libdevel optional libgraphicsmagick++1-dev_1.3.26-2_amd64.deb
 12f36955a741e6aa87818afd247c3540 1110992 libs optional libgraphicsmagick-q16-3_1.3.26-2_amd64.deb
 66b0fd1e07e93792baeba4f1b6ca97ae 1335024 libdevel optional libgraphicsmagick1-dev_1.3.26-2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAlliYEQACgkQ3OMQ54ZM
yL/XnA/6AnYCUgdT/kuKKf1MHvlaeztrcCB95HuNmUmr6JfXWrh+LkA2qPhcDsHe
WTIv7Z3NQrUBCPRlDoF3A1PTiQyC0IfpPqITjIS4wO3HAxGxF04290/e7gzO8UJ9
SUUt2jp9VVCF2aqZu19UmDyJyOOtlj1AJKEao1LeIERMl/9JLKK07rX09+K7sqUv
7BjSFSutZ9T1lVCutwtgzboO7V6hKDxl6aokznXVFkWDAv/hZHLqdeROaMX2UsvF
ficZL2D8sVsHHurc05nR0XU6viO4qa5JPjQMUvTlDKilh/zvr0YfYtEcZcwTHm/m
FD8SpMOp1P6vtOhm+pk1lpPKPAB4je6JnIzLTk8Ppfw+Pc0sOvA+SnlEAqen7hbo
ahQ1lmjeSBqTxcr9eBzjlZMTe9cHd4Nbl7j5XeFbqJWfgrJQgnViPvCQm3yfnpwP
O7fI0YvgSuOF/QDalltz5BP4xvpc5FboRE+lfYqQa8lQX8yTDlvvfS2RJhyJifGy
Oaho06+90o1OWPBYkz8uFBoQ3dg8QdLenY3ugmLM1GhsQUXyaLWPnbyO/y0gcZvM
pW1vHXe4J8cvdldjPHEyfwmMp56Bj5OAqxoXN2tXUDV2Vl1Z/sB+Lg/96eqRhNiK
5gwYMJuzE1ODTj6rfUGHv0xNDLYHUEzj4tZ+YR3AHniPeGBRFas=
=OSbO
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.