graphicsmagick: CVE-2017-10800: OOM in ReadMATImage()

Debian Bug report logs - #867060
graphicsmagick: CVE-2017-10800: OOM in ReadMATImage()

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: graphicsmagick: CVE-2017-10800: OOM in ReadMATImage()

Date: Mon, 03 Jul 2017 20:56:23 +0200

Source: graphicsmagick
Version: 1.3.25-8
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for graphicsmagick.

CVE-2017-10800[0]:
| When GraphicsMagick 1.3.25 processes a MATLAB image in coders/mat.c, it
| can lead to a denial of service (OOM) in ReadMATImage() if the size
| specified for a MAT Object is larger than the actual amount of data.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10800
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10800
[1] http://hg.code.sf.net/p/graphicsmagick/code/rev/e5761e3a2012

Please adjust the affected versions in the BTS as needed, only checked
unstable source.

Regards,
Salvatore

Message #10 received at 867060@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 867060@bugs.debian.org

Cc: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

Subject: Re: Bug#867060: graphicsmagick: CVE-2017-10800: OOM in ReadMATImage()

Date: Mon, 3 Jul 2017 21:12:11 +0200

On Mon, Jul 03, 2017 at 08:56:23PM +0200, Salvatore Bonaccorso wrote:
> Source: graphicsmagick
> Version: 1.3.25-8
> Severity: important
> Tags: security upstream patch
> 
> Hi,
> 
> the following vulnerability was published for graphicsmagick.
> 
> CVE-2017-10800[0]:
> | When GraphicsMagick 1.3.25 processes a MATLAB image in coders/mat.c, it
> | can lead to a denial of service (OOM) in ReadMATImage() if the size
> | specified for a MAT Object is larger than the actual amount of data.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-10800
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10800
> [1] http://hg.code.sf.net/p/graphicsmagick/code/rev/e5761e3a2012

That commit is unfortunately not enough. All related changesets to
mat.c since the above one should be taken into account. I got this
comment as reply to filling this bugreport directly from Bob
Friesenhahn (upstream).

Regards,
Salvatore

Message #17 received at 867060@bugs.debian.org (full text, mbox, reply):

From: László Böszörményi (GCS) <gcs@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 867060@bugs.debian.org

Cc: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

Subject: Re: Bug#867060: graphicsmagick: CVE-2017-10800: OOM in ReadMATImage()

Date: Tue, 4 Jul 2017 00:59:18 +0200

Hi,

On Mon, Jul 3, 2017 at 9:12 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> On Mon, Jul 03, 2017 at 08:56:23PM +0200, Salvatore Bonaccorso wrote:
>> the following vulnerability was published for graphicsmagick.
>>
>> CVE-2017-10800[0]:
>> [0] https://security-tracker.debian.org/tracker/CVE-2017-10800
>>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10800
>> [1] http://hg.code.sf.net/p/graphicsmagick/code/rev/e5761e3a2012
>
> That commit is unfortunately not enough. All related changesets to
> mat.c since the above one should be taken into account. I got this
> comment as reply to filling this bugreport directly from Bob
> Friesenhahn (upstream).
 I've found seven commits (after releasing 1.3.25), but I think the
first may not be relevant to the security issue. That is, from 24th of
October, 2016: "Ability to read multiple images from Matlab V4
format."
http://hg.code.sf.net/p/graphicsmagick/code/rev/65694fa21e4f

IMHO, the relevant commits in order:
Safety check for forged and or corrupted data.
http://hg.code.sf.net/p/graphicsmagick/code/rev/610107622601

Check whether reported object size overflows file size.
http://hg.code.sf.net/p/graphicsmagick/code/rev/e5761e3a2012

argument of function has been changed, and not all occurances of Size
has been cleaned up.
http://hg.code.sf.net/p/graphicsmagick/code/rev/306ceaeb6963

MagickAllocateMemory(unsigned char *,(size_t)(*Size<16384) ? *Size : 16384);
typecasted only first part of ternal operator but not a result.
http://hg.code.sf.net/p/graphicsmagick/code/rev/1aa46f86836e

MATLAB_HDR.ObjectSize is UINT32, type this explicitly.
http://hg.code.sf.net/p/graphicsmagick/code/rev/b62e9fdf79ad

Get rid of stupid comparison warning.
http://hg.code.sf.net/p/graphicsmagick/code/rev/df29d5a048ec

Please check if I may be wrong and/or the Matlab V4 format patch is
needed to fix this vulnerability.

Thanks in advance,
Laszlo/GCS

Message #22 received at 867060-close@bugs.debian.org (full text, mbox, reply):

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>

To: 867060-close@bugs.debian.org

Subject: Bug#867060: fixed in graphicsmagick 1.3.26-1

Date: Thu, 06 Jul 2017 05:49:14 +0000

Source: graphicsmagick
Source-Version: 1.3.26-1

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867060@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 05 Jul 2017 16:14:40 +0000
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick-q16-3 libgraphicsmagick1-dev libgraphicsmagick++-q16-12 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.26-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++-q16-12 - format-independent image processing - C++ shared library
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick-q16-3 - format-independent image processing - C shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 867060 867077 867085
Changes:
 graphicsmagick (1.3.26-1) unstable; urgency=high
 .
   * New upstream release, fixing the following security issues among others:
     - META: Fix heap overflow while parsing 8BIM chunk (CVE-2016-7800).
     - WPG: Fix heap overflow (CVE-2016-7996). Fix assertion crash
       (CVE-2016-7997).
     - PNG: Enforce spec requirement that the dimensions of the JPEG embedded
       in a JDAT chunk must match the JHDR dimensions (CVE-2016-9830).
     - TIFF: Fix out of bounds read when reading CMYKA TIFF which claims to
       have only 2 samples per pixel (CVE-2017-6335).
     - JNG: Fix memory leak when reading invalid JNG image (CVE-2017-8350).
     - TIFF: Fix out of bounds read when reading RGB TIFF which claims to have
       only 1 sample per pixel (CVE-2017-10794) (closes: #867085).
     - DPX: Fix excessive use of memory (DOS issue) due to file header claiming
       large image dimensions but insufficient backing data. (CVE-2017-10799)
       (closes: #867077).
     - MAT: Fix excessive use of memory (DOS issue) due to continuing
       processing with insufficient data and claimed large image size. Verify
       each file extent to make sure that it is within range of file size.
       (CVE-2017-10800) (closes: #867060).
   * Remove previously backported security patches.
   * Self-tests build hack no longer needed.
   * Update library symbols for this release.
   * Update Standards-Version to 4.0.0 and debhelper level to 10 .
Checksums-Sha1:
 4129d5473cc8f801b0115dc8657d14d48c461d4a 2804 graphicsmagick_1.3.26-1.dsc
 2cc885d1b157996aa14c98e34f7aa17815d00c41 5400564 graphicsmagick_1.3.26.orig.tar.xz
 24c93cf23a5e5453189340ea40ccc1d205eff684 138488 graphicsmagick_1.3.26-1.debian.tar.xz
 9f7944055dea117b307727ef90f49b6997a75a86 3171326 graphicsmagick-dbg_1.3.26-1_amd64.deb
 750b75f94874d2aee96972a95e1d30267e834004 22042 graphicsmagick-imagemagick-compat_1.3.26-1_all.deb
 716f37a83df7c50530b9de3d9268b953dc898825 25468 graphicsmagick-libmagick-dev-compat_1.3.26-1_all.deb
 e25842e2dd97064c1d4c64b2b42ca4c9ef5ab85c 11529 graphicsmagick_1.3.26-1_amd64.buildinfo
 820e8963d2a56edba06942f5551ab44c517abfff 862990 graphicsmagick_1.3.26-1_amd64.deb
 c1226b02b4a2d7bb362d8218dc04663de9dc691d 69340 libgraphics-magick-perl_1.3.26-1_amd64.deb
 bcc6234553deaa7cbd33a04791362a08a4a8a496 115576 libgraphicsmagick++-q16-12_1.3.26-1_amd64.deb
 9dcbb55119a9a1c39bfa1c2d3fd2dd55ca3c7f14 301664 libgraphicsmagick++1-dev_1.3.26-1_amd64.deb
 594b57d5e55aa7daba32aedae153661e0b12a69f 1110570 libgraphicsmagick-q16-3_1.3.26-1_amd64.deb
 653cfe2b23899b664017ef9b9f0ff1bd0bb60c05 1333398 libgraphicsmagick1-dev_1.3.26-1_amd64.deb
Checksums-Sha256:
 9b64964c43fc2b8b531fa301123bc0641938ea40e1f6e70433b548e8f71ad49f 2804 graphicsmagick_1.3.26-1.dsc
 fba015f3d5e5d5f17e57db663f1aa9d338e7b62f1d415b85d13ee366927e5f88 5400564 graphicsmagick_1.3.26.orig.tar.xz
 f5406b60636193a6304597c75a89300c2a87a260bb954d1765c57dae42cd696c 138488 graphicsmagick_1.3.26-1.debian.tar.xz
 dda8e6c27bcec112a95bcb2cd56d797f6885d1a08240298dd4d19171aa9a817b 3171326 graphicsmagick-dbg_1.3.26-1_amd64.deb
 fc9696bc3864196b15e846f01b3c463104d6aa2f4dfb712d0696f74e3d320272 22042 graphicsmagick-imagemagick-compat_1.3.26-1_all.deb
 11aecd5de1a70dc5b51176deeae7962a4de5e8607df5eaf5fb48f85b3b7e965f 25468 graphicsmagick-libmagick-dev-compat_1.3.26-1_all.deb
 9b60b399d7ee505c97a62800f9eb38f3d486fffd7ac1127721b64de2bffc4ad2 11529 graphicsmagick_1.3.26-1_amd64.buildinfo
 bfd8c8b06523906d2be8a995fe82de472ff9f6e2cb413f6ba5e38c6518ddc2b2 862990 graphicsmagick_1.3.26-1_amd64.deb
 d1553acc7f90391788a60287a0af6b54e19a568c7f0c9ecb42a55218c7ae9677 69340 libgraphics-magick-perl_1.3.26-1_amd64.deb
 04e7e11ed3664bbbcbebf53c06d2844f5e1dcb069e2e970a600e66366f8a8f51 115576 libgraphicsmagick++-q16-12_1.3.26-1_amd64.deb
 97f7bff30f6a7a0b42d38d7f94009e9ffc620fdd91a260278abcc2e64cd56e8c 301664 libgraphicsmagick++1-dev_1.3.26-1_amd64.deb
 66485f40602f7b30f45f3930031fc543a963ac162f30843639aff9535550617a 1110570 libgraphicsmagick-q16-3_1.3.26-1_amd64.deb
 0b8cfaba64a136ded1b2cae4e1c11ceb46b627d8d33d35b16c586d1a4b2b5fe0 1333398 libgraphicsmagick1-dev_1.3.26-1_amd64.deb
Files:
 e93fbc3783c92498dd7b625b9a769ef5 2804 graphics optional graphicsmagick_1.3.26-1.dsc
 bf6bd27b6d440ec3b2f6db63fe61845c 5400564 graphics optional graphicsmagick_1.3.26.orig.tar.xz
 7f1acc3d38ed339d49d29b41b9f86e57 138488 graphics optional graphicsmagick_1.3.26-1.debian.tar.xz
 aaac8eec606a82a2c3cbed4a2f74887c 3171326 debug extra graphicsmagick-dbg_1.3.26-1_amd64.deb
 aef87ba579b67c309b3818e4c44c0679 22042 graphics extra graphicsmagick-imagemagick-compat_1.3.26-1_all.deb
 43a1c009e8fd93b40d404e32a533fe91 25468 graphics extra graphicsmagick-libmagick-dev-compat_1.3.26-1_all.deb
 49172bc839412468b5884f3687528b9c 11529 graphics optional graphicsmagick_1.3.26-1_amd64.buildinfo
 9f796567506e366dfd5e11b6a5695b0c 862990 graphics optional graphicsmagick_1.3.26-1_amd64.deb
 a6da6edec70f3336458cb9b9fbed399a 69340 perl optional libgraphics-magick-perl_1.3.26-1_amd64.deb
 4dc996ac8ecc19e6577fd789065cd1fe 115576 libs optional libgraphicsmagick++-q16-12_1.3.26-1_amd64.deb
 2279ef04c0d168a579ff9a4cf20ec9b0 301664 libdevel optional libgraphicsmagick++1-dev_1.3.26-1_amd64.deb
 5e53201581474dc4d0a20609fd2c1eee 1110570 libs optional libgraphicsmagick-q16-3_1.3.26-1_amd64.deb
 1bacb3904a93e61c82406ff950adcb7c 1333398 libdevel optional libgraphicsmagick1-dev_1.3.26-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAlldyxgACgkQ3OMQ54ZM
yL/d/A//WNl9gLi6iYrEsgN6Of4+Iktv1/5Ch6bm7GKh4735LhDb1R8u1ee2/fEv
aFKhFFqQ6Gs2vtLL2zHWy2oYlxJKhC/fq90Jcg9FRVYA+bHTP6gRlw/s036u0lwp
8t4rnkEcNAS9msEe1mpVULOh4ct/hdmOxcNhroney2CCBSTSDDraTsH7uoXviC4I
mvuwYjz2Ig6Uxzm6w6yM1m769eOIULCj6AW7DuavRAcnDZ8Agh4l3jULtmzAqMHF
gCySkdNzwh4qbuJ2oV+nEwDMhvBRGzARzPdS0Vj0pG8vbvGQ70B0T4wX86aezW/d
xSDZdivNiNi3V0T8NV/WXKN0ORYYVHbjcnD1xMEN8/5yI/PbLi4+tkpBQuu3W/xY
/ltRwWkvF9GUkAfyrtQf97isauDH1VSo3pVzc+M997BATSPSZj5exEmrjh4errkd
dLMC9z2ZCCt969cEwwjTRtDUYhBdLoO47hW9LYsHRuVjhFiBFy3rtmEdKnH+7lYa
Exy6fXlnUdPl3MBBeXZ0JNBCHZH68rSYv+Qs2EBSZ3aSyEDpkgclT274CoVlU87a
a81ztJPs9AMNTetfy4xA9h4uty6aaOpf5XCLo+CSdb0u0O7NauyzbNiEZydRldLb
BkjwOn8qYlY3VeEoq78W8sBi4F6sCZFpE/99OFmARwbV7gS/HG4=
=pyWs
-----END PGP SIGNATURE-----

Message #27 received at 867060@bugs.debian.org (full text, mbox, reply):

From: László Böszörményi (GCS) <gcs@debian.org>

To: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>, Debian Security Team <team@security.debian.org>

Cc: 867060@bugs.debian.org

Subject: Re: Bug#867060: graphicsmagick: CVE-2017-10800: OOM in ReadMATImage()

Date: Fri, 7 Jul 2017 10:22:00 +0200

Hi Bob,

On Tue, Jul 4, 2017 at 12:59 AM, László Böszörményi (GCS)
<gcs@debian.org> wrote:
> On Mon, Jul 3, 2017 at 9:12 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
>> On Mon, Jul 03, 2017 at 08:56:23PM +0200, Salvatore Bonaccorso wrote:
>> That commit is unfortunately not enough. All related changesets to
>> mat.c since the above one should be taken into account. I got this
>> comment as reply to filling this bugreport directly from Bob
>> Friesenhahn (upstream).
>  I've found seven commits (after releasing 1.3.25), but I think the
> first may not be relevant to the security issue. That is, from 24th of
> October, 2016: "Ability to read multiple images from Matlab V4
> format."
> http://hg.code.sf.net/p/graphicsmagick/code/rev/65694fa21e4f
 This a friendly ping - you noted Salvatore Bonaccorso that the fix of
CVE-2017-10800 spans over multiple commits: does the above one (Matlab
V4 format support) add relevant safety checks for this vulnerability
or vica-versa only add more complexity?

Thanks already,
Laszlo/GCS

Message #32 received at 867060@bugs.debian.org (full text, mbox, reply):

From: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

To: László Böszörményi (GCS) <gcs@debian.org>

Cc: Debian Security Team <team@security.debian.org>, 867060@bugs.debian.org

Subject: Re: Bug#867060: graphicsmagick: CVE-2017-10800: OOM in ReadMATImage()

Date: Fri, 7 Jul 2017 08:12:34 -0500 (CDT)

[Message part 1 (text/plain, inline)]

On Fri, 7 Jul 2017, László Böszörményi (GCS) wrote:

> Hi Bob,
>
> On Tue, Jul 4, 2017 at 12:59 AM, László Böszörményi (GCS)
> <gcs@debian.org> wrote:
>> On Mon, Jul 3, 2017 at 9:12 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
>>> On Mon, Jul 03, 2017 at 08:56:23PM +0200, Salvatore Bonaccorso wrote:
>>> That commit is unfortunately not enough. All related changesets to
>>> mat.c since the above one should be taken into account. I got this
>>> comment as reply to filling this bugreport directly from Bob
>>> Friesenhahn (upstream).
>>  I've found seven commits (after releasing 1.3.25), but I think the
>> first may not be relevant to the security issue. That is, from 24th of
>> October, 2016: "Ability to read multiple images from Matlab V4
>> format."
>> http://hg.code.sf.net/p/graphicsmagick/code/rev/65694fa21e4f
> This a friendly ping - you noted Salvatore Bonaccorso that the fix of
> CVE-2017-10800 spans over multiple commits: does the above one (Matlab
> V4 format support) add relevant safety checks for this vulnerability
> or vica-versa only add more complexity?

As far as I am aware (I am not the author of this code), the addition 
of Matlab V4 format support is not relevant to the security issue. 
It may be some work to extracate a good patch since the security fixes 
were put in after the Matlab V4 format support was added.

As usual, we recommend updating to the new release rather than 
patching only the issues which were assigned CVEs.

Bob
-- 
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

Send a report that this bug log contains spam.