Mageia Bugzilla – Attachment 10119 Details for Bug 22988: graphicsmagick several (possible) new security issues
Results of running the reproducers before updating GM
before.22988 (text/plain), 4.26 KB, created by Len Lawrence on 2018-05-04 01:40:36 CEST
PoC tests before the update
---------------------------------------------------------------------------
CVE-2017-11524 *
$ gm convert assertion-failed-in-WriteBlob-blob5171_7_0_5_10 out.mvg
gm convert: Insufficient image data in file (assertion-failed-in-WriteBlob-blob5171_7_0_5_10).

CVE-2017-11532
$ valgrind -q --leak-check=full gm convert imagemagick_output_mpc_memory_leak_WriteMPCImage output.mpc
$ ls output.mpc
output.mpc

CVE-2017-11533
$ valgrind -q convert heap-buffer-overflow-READ-0x7fd806e82db2_output_uil_1500210468.72 out.uil
$ ls out.uil
out.uil
/* UIL */
value
 out_ct : color_table(
 color('#303030',background) = ' ',
 color('#585858',background) = '.',
 color('#9C1C14',background) = 'X',
 color('#FC3C0C',background) = 'o',
 color('#0CCCCC',foreground) = 'O',
 color('#0CFCFC',foreground) = '+',
 color('#FC9C9C',foreground) = '@',
 color('#F0F0F0',foreground) = '#',
 color('#000000',background) = '$',
 background color = '%');
 out_icon : icon(color_table = out_ct,
 "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%",
 "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
..................................

which looks like a valid bitmap file.

CVE-2017-11637
$ gm convert fixed-gm_1.3.26_convert_output_pcl_WritePCLImage_null_point_reference pcl:out.pcl
$ file out.pcl
out.pcl: HP PCL printer data
$ gm identify fixed-gm_1.3.26_convert_output_pcl_WritePCLImage_null_point_reference
fixed-gm_1.3.26_convert_output_pcl_WritePCLImage_null_point_reference CALS 235x148+0+0 DirectClass 1-bit 1.2Ki 0.000u 0m:0.000002s

CVE-2017-13063 *
$ gm convert -negate -clip 00302-graphicsmagick-UAF-ReadWMFImage out
ERROR: player.c (159): Unexpected EOF!
gm convert: Failed to scan file (00302-graphicsmagick-UAF-ReadWMFImage).

CVE-2017-13066 *
$ valgrind -q --leak-check=full gm identify memory-leak-in-ReadPICTImage-16.pict
gm identify: Improper image header (memory-leak-in-ReadPICTImage-16.pict).
gm identify: Request did not return an image.

CVE-2017-14060 *
$ valgrind -q gm montage poc.gray /dev/null
gm montage: Tile is not bounded by image dimensions (poc.gray).

CVE-2017-17500 *
$ gm montage poc.rgb /dev/null
gm montage: Tile is not bounded by image dimensions (poc.rgb).

CVE-2017-16353
$ valgrind -q gm identify -verbose readexploit.miff
Image: readexploit.miff
 Format: MIFF (Magick Image File Format)
 Geometry: 1x1
 Class: DirectClass
 Type: true color
 Depth: 8 bits-per-pixel component
 Channel Depths:
 Red: 8 bits
.....................
 Profile-iptc: 8 bytes
 Montage: 1x1+0+0
 Directory:
DIR
 Tainted: False
 User Time: 0.020u
 Elapsed Time: 0m:0.022823s
 Pixels Per Second: 43

The file description/summary looks perfectly OK.

CVE-2017-17502 *
$ valgrind -q gm montage poc.cmyk /dev/null
gm montage: Tile is not bounded by image dimensions (poc.cmyk).

CVE-2017-17682 *
$ gm convert ReadWPGImage-cpu-exhaustion /dev/null

This hangs forever, which is probably the desired result.

CVE-2017-18219 *
$ gm convert allocation_failure_in_ReadOnePNGImage /dev/null
gm convert: Read Exception (allocation_failure_in_ReadOnePNGImage) [File exists].

CVE-2017-18220 *
$ valgrind -q gm identify gm_heap_use_after_free_in_CloseBlob
gm identify: Unable to open file (/tmp/gm5Eo2J6) [No such file or directory].
gm identify: Request did not return an image.

CVE-2017-18229 *
$ valgrind -q gm convert memory_exhaustion_in_ReadTIFFImage_1934 /dev/null
gm convert: Improper image header (memory_exhaustion_in_ReadTIFFImage_1934).

CVE-2018-9018 *
$ gm identify graphicsmagick_1-3-28_identify_divide-by-zero_ReadMNGImage.mng
gm identify: abort due to signal 8 (SIGFPE) "Arithmetic Exception"...
Aborted (core dumped)

CVE-2018-10177 *
$ gm convert imagemagick_7-0-7_convert_infinite-loop_ReadOneMNGImage.mng foo.png

Hangs forever.

------------------------------------------------------------------------------
The CVEs marked with an asterisk at least return errors or detect errors. Some of the messages returned look suspiciously like what proper handling of the underlying faults should return, as if these are old bugs which have been fixed in the past.
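The attachment records each reproducer's outcome by hand (an error message, a SIGFPE abort, or "hangs forever"). The harness below is an added example, not part of the attachment or of GraphicsMagick, that runs the same reproducers under a time limit and classifies every outcome in one format so the before/after runs can be diffed; it assumes gm, valgrind and the PoC files named above are in the current directory, and LIMIT and VG_RC are constructed values.

```shell
#!/bin/sh
# Added example (not part of the attachment or of GraphicsMagick): a small
# harness that runs each reproducer under a time limit and classifies the
# outcome, so a hang, a crash signal and a clean error message are recorded in
# one format for the before/after comparison. Assumes gm, valgrind and the PoC
# files named in the attachment are in the current directory; LIMIT and VG_RC
# are constructed values.
LIMIT=${LIMIT:-30}
VG_RC=99   # passed as valgrind --error-exitcode so memory errors show up in $?

# classify_status EXIT_CODE -> ok | error | missing | timeout | valgrind | signal:N
classify_status() {
    case "$1" in
        0)        echo ok ;;
        124)      echo timeout ;;   # timeout(1) expired: the "hangs forever" cases
        127)      echo missing ;;   # command not found
        "$VG_RC") echo valgrind ;;  # valgrind reported invalid accesses or leaks
        *)
            if [ "$1" -gt 128 ]; then
                echo "signal:$(( $1 - 128 ))"   # 136 = SIGFPE, as in the MNG case
            else
                echo error                      # gm rejected the input with a message
            fi ;;
    esac
}

# run_poc LABEL CMD... : run CMD under the limit, print "LABEL<TAB>verdict"
run_poc() {
    label=$1; shift
    rc=0
    timeout "$LIMIT" "$@" >/dev/null 2>&1 || rc=$?
    printf '%s\t%s\n' "$label" "$(classify_status "$rc")"
}

# Reproducers taken from the attachment; run only where the tools are present.
if command -v gm >/dev/null 2>&1 && command -v valgrind >/dev/null 2>&1; then
    run_poc CVE-2017-11524 gm convert assertion-failed-in-WriteBlob-blob5171_7_0_5_10 out.mvg
    run_poc CVE-2017-11532 valgrind -q --leak-check=full --error-exitcode="$VG_RC" \
        gm convert imagemagick_output_mpc_memory_leak_WriteMPCImage output.mpc
    run_poc CVE-2017-17682 gm convert ReadWPGImage-cpu-exhaustion /dev/null
    run_poc CVE-2018-9018  gm identify graphicsmagick_1-3-28_identify_divide-by-zero_ReadMNGImage.mng
fi
```

Running the same script before and after the package update and diffing the two outputs shows which verdicts changed, which is the comparison the attachment makes by eye.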