Mageia Bugzilla – Attachment 9526 Details for Bug 19668: graphicsmagick several (possible) new security issues
Description: Notes jotted down while researching CVEs
Filename: cve-notes
MIME Type: text/plain
Creator: Len Lawrence
Created: 2017-07-28 17:25:11 CEST
Size: 4.73 KB
Most of these test images should be tested with 'gm identify <file>'

CVEs with an asterisk are on Rémi's "clear" list.

PoC finder on github:
https://github.com/bestshow/p0cs/find/7ad0abd02fa7c73021ebca5c2cfc6427c9ed6e40
Most of the AFL reproducers for the bugs which affect IM, GM or both are listed by SUSE:
https://lists.opensuse.org/opensuse-updates/2016-10/msg00094.html
There are indications that both IM and GM need the same patches in some cases, which is an indication of a common code base.
------------------------------------------------------------------------------

CVE-2015-8957
https://www.suse.com/security/cve/CVE-2015-8957.html
SuSE says FIXED -
GraphicsMagick >= 1.2.5-4.46.1 for some releases
and GraphicsMagick >= 1.3.20-12.1 for openSUSE 13.2
poc: 4a1d6a6d

CVE-2015-8958
coders/sun.c
https://www.suse.com/security/cve/CVE-2015-8958/
poc: 68e4a715
$ convert 68e4a715 test.bmp
Aborted (core dumped)

CVE-2016-5688
poc: imagemagick-heapoverflow-SetPixelIndex.wpg
poc: imagemagick-invalid-write-ScaleCharToQuantum.wpg
poc: imagemagick-invalid-write-SetPixelIndex.wpg

CVE-2016-6823
poc: CVE-2016-6823.ppm

CVE-2016-7101
poc: CVE-2016-7101.sgi

CVE-2016-7446

CVE-2016-7515
For future reference re ASAN testing:-
#Configure command:
CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --with-bzlib=no --with-djvu=no --with-dps=no --with-fftw=no --with-fpx=no --with-fontconfig=no --with-freetype=no --with-gvc=no --with-jbig=no --with-jpeg=no --with-lcms=no --with-lqr=no --with-ltdl=no --with-lzma=no --with-openexr=no --with-openjp2=no --with-pango=no --with-png=no --with-tiff=no --with-wmf=no --with-x=no --with-xml=no --with-zlib=no --enable-hdri=no --enable-shared=no
#Make command:
CC=afl-clang-fast CXX=afl-clang-fast++ make
poc: id_000019,sig_06,src_000452,op_arith16,pos_10,val_-10

CVE-2016-7516
poc: id_000071,sig_06,src_002008,op_flip1,pos_580
The two testcases referred to on the discussion page are actually the same file.

CVE-2016-7517
poc: id_000045,sig_06,src_001710,op_int16,pos_562,val_+32

CVE-2016-7519
poc: id_000019,sig_06,src_000452,op_arith16,pos_10,val_-10

CVE-2016-7522
poc: id_000125,sig_06,src_003820,op_havoc,rep_2

CVE-2016-7524
poc: id_000147,sig_06,src_004628,op_havoc,rep_128

CVE-2016-7526
poc: id_000002,sig_06,src_000001,op_flip1,pos_866
poc: id_000004,sig_06,src_000001,op_int8,pos_864,val_+1
poc: id_000081,sig_06,src_000197,op_ext_AO,pos_686

CVE-2016-7527
poc: id_000346,sig_06,src_005762,op_havoc,rep_32

CVE-2016-7528
poc: id_000225,sig_06,src_000141+002191,op_splice,rep_64

CVE-2016-7529
poc: id_000081,sig_06,src_000075,op_havoc,rep_16
$ convert id:000081,sig:06,src:000075,op:havoc,rep:16 /dev/null
convert: magick/quantum.c:267: DestroyQuantumPixels: Assertion `quantum_info->pixels[i][extent] == 0xab' failed.
Aborted (core dumped)
GraphicsMagick reports 'gm convert: Improper image header (test).'.
Another poc:
poc: id_000012,sig_06,src_000016,op_flip1,pos_26
input file to trigger crash

CVE-2016-7531
poc: id_000000,sig_06,src_000000,op_flip1,pos_119
poc: id_000122,sig_06,src_000277,op_havoc,rep_8
poc: id_000338,sig_06,src_005458,op_havoc,rep_8

CVE-2016-7533

CVE-2016-7537
poc: id_000419,sig_06,src_001803+004110,op_splice,rep_2
poc: 'id&%000067,sig&%06,src&%000833,op&%havoc,rep&%2'

CVE-2016-7800
nothing found

CVE-2016-8682 *
stack-based buffer overflow in ReadSCTImage - sct.c
nothing found

CVE-2016-8683 *
nothing found

CVE-2016-8684 *
nothing found

CVE-2016-9830 *
poc: 00096-graphicsmagick-memalloc-MagickRealloc
Linked from:
https://blogs.gentoo.org/ago/2016/12/01/graphicsmagick-memory-allocation-failure-in-magickrealloc-memory-c/

CVE-2017-6335 *
Fix out of bounds access when reading CMYKA tiff which claims wrong samples/pixel.
A reproducer is mentioned, stored at a dropbox address. Could not access it.

CVE-2017-8350 *
poc: memory-leak-in-ReadJNGImage-8.jng
ImageMagick 'png.c' Denial of Service Vulnerability
https://github.com/ImageMagick/ImageMagick/issues/447

CVE-2017-8351
poc: memory-leak-in-ReadPCDImage-9.pcd

CVE-2017-8353
poc: memory-leak-in-ReadPICTImage-16.pict

CVE-2017-8355
SuSE says:
In ImageMagick 7.0.5-5, the ReadMTVImage function in mtv.c allows attackers to cause a denial of service (memory leak) via a crafted file.
https://bugzilla.suse.com/show_bug.cgi?id=1036990
poc: memory-leak-in-ReadMTVImage-11.mtv
Don't know if running this PoC will resolve the "fixed or not" issue for 1.3.25/26.

CVE-2017-10794 *
buffer overflow in QuantumTransferMode
https://bugzilla.redhat.com/show_bug.cgi?id=1467372
An issue was discovered in GraphicsMagick 1.3.25. When a DPX image is processed (with metadata indicating a large width) in coders/dpx.c, an out of memory denial of service can occur in ReadDPXImage().

CVE-2017-10799 *
ReadDPXImage again - DOS vulnerability

CVE-2017-10800 *
DOS - mat.c - object size overflow check
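The notes above say each reproducer should be run through 'gm identify <file>' and then ask, for several entries, whether a given GraphicsMagick release is fixed or not. The script below is an added example of a small triage harness for exactly that step; it is not part of Len Lawrence's notes nor of GraphicsMagick. It runs 'gm identify' over every file in a directory under a time and memory limit and classifies each exit status, so a rebuilt package can be compared against the PoC list entry by entry ("Aborted (core dumped)" in the notes corresponds to crash:SIGABRT here). It assumes POSIX sh with GNU coreutils 'timeout', a 'gm' binary on PATH, and a placeholder directory name 'pocs/'.

```shell
#!/bin/sh
# Added example: run 'gm identify' over a directory of reproducer files and
# classify each result. Not part of the attachment or of GraphicsMagick.
# Assumptions: POSIX sh, GNU coreutils 'timeout', 'gm' on PATH.
# 'pocs/' is a placeholder directory name.

# classify_status EXIT_CODE
# Prints one of: ok, rejected:<code>, timeout, crash:<signal name>
#   0      the file was parsed; inspect the output by hand
#   1..127 gm rejected the input cleanly (e.g. "Improper image header")
#   124    GNU timeout killed the process: a hang or resource exhaustion
#   128+N  the process died from signal N (SIGABRT=6, SIGSEGV=11, ...)
classify_status() {
    code=$1
    if [ "$code" -eq 0 ]; then
        echo ok
    elif [ "$code" -eq 124 ]; then
        echo timeout
    elif [ "$code" -gt 128 ]; then
        sig=$((code - 128))
        case $sig in
            6)  echo crash:SIGABRT ;;
            7)  echo crash:SIGBUS ;;
            9)  echo crash:SIGKILL ;;
            11) echo crash:SIGSEGV ;;
            *)  echo "crash:SIG$sig" ;;
        esac
    else
        echo "rejected:$code"
    fi
}

# run_one FILE
# Prints "<classification><TAB><file>". The address-space limit keeps an
# allocation bug (the DPX and MagickRealloc entries above) from taking the
# host down, and the timeout catches parsers that never return.
run_one() {
    f=$1
    status=0
    ( ulimit -v 1048576 2>/dev/null
      exec timeout 30 gm identify "$f" ) >/dev/null 2>&1 || status=$?
    printf '%s\t%s\n' "$(classify_status "$status")" "$f"
}

# main DIRECTORY: triage every regular file in the directory.
main() {
    dir=${1:-pocs}
    for f in "$dir"/*; do
        if [ -f "$f" ]; then
            run_one "$f"
        fi
    done
}

if [ "$#" -gt 0 ]; then
    main "$1"
else
    echo "usage: $0 <poc-directory>" >&2
fi
```

Sort the output by its first column to get the crashes and timeouts at the top; an entry that moves from crash:SIGABRT to rejected:1 after a rebuild is the "fixed or not" answer the notes are looking for, while an entry that stays at ok needs its output checked by hand, since a memory leak does not change the exit status.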