Mageia Bugzilla – Attachment 10120 Details for Bug 22988: graphicsmagick several (possible) new security issues
Results from running the PoC tests after updating GM
after.22988 (text/plain), 2.65 KB, created by Len Lawrence on 2018-05-04 01:41:45 CEST
Note that many of the CVEs cited in the references do not have reproducers and it may be that they are not covered by the patches anyway. It is a forest.
Some of the PoC files can be used to test the same issues in ImageMagick by the looks of it.

CVE-2017-11524
https://bugzilla.suse.com/show_bug.cgi?id=1050087
$ gm convert assertion-failed-in-WriteBlob-blob5171_7_0_5_10 out.mvg

CVE-2017-11532
https://bugzilla.suse.com/show_bug.cgi?id=1050129
$ valgrind -q --leak-check=full gm convert imagemagick_output_mpc_memory_leak_WriteMPCImage.bmp output.mpc

CVE-2017-11533
https://bugzilla.suse.com/show_bug.cgi?id=1050132
heap-buffer-overflow-READ-0x7fd806e82db2_output_uil_1500210468.72
$ valgrind -q convert heap-buffer-overflow-READ-0x7fd806e82db2_output_uil_1500210468.72 out.uil

CVE-2017-11637
https://bugzilla.suse.com/show_bug.cgi?id=1050669
fixed-gm_1.3.26_convert_output_pcl_WritePCLImage_null_point_reference
$ gm convert fixed-gm_1.3.26_convert_output_pcl_WritePCLImage_null_point_reference pcl:out.pcl
$ gm identify fixed-gm_1.3.26_convert_output_pcl_WritePCLImage_null_point_reference

CVE-2017-13063
https://bugzilla.suse.com/show_bug.cgi?id=1054598
$ gm convert -negate -clip 00302-graphicsmagick-UAF-ReadWMFImage out

CVE-2017-13066
A reopened bug?
https://bugzilla.suse.com/show_bug.cgi?id=1036988
$ valgrind --leak-check=full gm identify memory-leak-in-ReadPICTImage-16.pict

CVE-2017-14060
https://bugzilla.suse.com/show_bug.cgi?id=1072934
$ valgrind gm montage poc.gray /dev/null

CVE-2017-17500
https://bugzilla.suse.com/show_bug.cgi?id=1077737
Requires asan
$ gm montage poc.rgb /dev/null

CVE-2017-16353
https://bugzilla.suse.com/show_bug.cgi?id=1066170
$ valgrind -q gm identify -verbose readexploit.miff

CVE-2017-17502
https://bugzilla.suse.com/show_bug.cgi?id=1073081
$ valgrind gm montage poc.cmyk /dev/null

CVE-2017-17682
https://bugzilla.suse.com/show_bug.cgi?id=1072898
$ gm convert ReadWPGImage-cpu-exhaustion /dev/null

CVE-2017-18219
https://bugzilla.suse.com/show_bug.cgi?id=1084060
$ gm convert allocation_failure_in_ReadOnePNGImage /dev/null

CVE-2017-18220
https://bugzilla.suse.com/show_bug.cgi?id=1084062
$ valgrind -q gm identify gm_heap_use_after_free_in_CloseBlob

CVE-2017-18229
https://bugzilla.suse.com/show_bug.cgi?id=1076182
$ valgrind -q gm convert memory_exhaustion_in_ReadTIFFImage_1934 /dev/null

CVE-2018-9018
Procedure at https://bugzilla.suse.com/show_bug.cgi?id=1086773
PoC file at https://sourceforge.net/p/graphicsmagick/bugs/554/
$ gm identify graphicsmagick_1-3-28_identify_divide-by-zero_ReadMNGImage.mng

CVE-2018-10177
https://bugzilla.suse.com/show_bug.cgi?id=1089781
$ gm convert imagemagick_7-0-7_convert_infinite-loop_ReadOneMNGImage.mng foo.png
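A small regression harness, added here as an illustration and not part of Len Lawrence's attachment, that runs reproducer lines like the ones above under a time limit and classifies each outcome (clean exit, non-zero exit, crash signal, timeout, or valgrind-reported errors) so a patched build can be re-checked in one pass. The function names `classify_poc` and `run_poc` and the `TIMEOUT_SECS` variable are my own; it assumes the PoC files sit in the current directory and that coreutils `timeout` and `valgrind` are installed, and the CVE/command pairs are copied from the attachment.

```shell
#!/bin/sh
# Regression pass over the reproducers listed in the attachment (added example,
# not part of the attachment). Assumes the PoC files are in the current
# directory; falls back to an unbounded run if coreutils `timeout` is missing.
TIMEOUT_SECS=${TIMEOUT_SECS:-60}

# classify_poc "command ..." -> prints one of:
#   ok | nonzero:<code> | signal:<signum> | timeout | valgrind-errors
classify_poc() {
    log=$(mktemp) || return 1
    rc=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "$TIMEOUT_SECS" sh -c "$1" >"$log" 2>&1 || rc=$?
    else
        sh -c "$1" >"$log" 2>&1 || rc=$?
    fi
    # valgrind reports errors/leaks even when gm itself exits 0, so check
    # its summary lines first; "0 errors" and "0 bytes" do not match.
    if grep -Eq 'ERROR SUMMARY: [1-9][0-9]* errors|definitely lost: [1-9]' "$log"; then
        status=valgrind-errors
    elif [ "$rc" -eq 0 ]; then
        status=ok
    elif [ "$rc" -eq 124 ]; then          # coreutils timeout exit code
        status=timeout
    elif [ "$rc" -gt 128 ]; then          # sh reports signal death as 128+n
        status="signal:$((rc - 128))"
    else
        status="nonzero:$rc"
    fi
    rm -f "$log"
    printf '%s\n' "$status"
}

# run_poc CVE "command ..." -> prints "CVE<TAB>status" for a results table
run_poc() {
    printf '%s\t%s\n' "$1" "$(classify_poc "$2")"
}

# A few of the CVE/command pairs from the attachment; the rest follow the same shape.
main() {
    run_poc CVE-2017-11524 'gm convert assertion-failed-in-WriteBlob-blob5171_7_0_5_10 out.mvg'
    run_poc CVE-2017-11532 'valgrind -q --leak-check=full gm convert imagemagick_output_mpc_memory_leak_WriteMPCImage.bmp output.mpc'
    run_poc CVE-2017-13063 'gm convert -negate -clip 00302-graphicsmagick-UAF-ReadWMFImage out'
    run_poc CVE-2017-17682 'gm convert ReadWPGImage-cpu-exhaustion /dev/null'
    run_poc CVE-2018-10177 'gm convert imagemagick_7-0-7_convert_infinite-loop_ReadOneMNGImage.mng foo.png'
}

main "$@"
```

Any line that does not read `ok` after the update is worth a second look; a `timeout` on the CPU-exhaustion and infinite-loop reproducers means the fix did not take.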