Attachment 9526 Details for Bug 19668 – Notes jotted down while researching CVEs

Notes jotted down while researching CVEs

cve-notes (text/plain), 4.73 KB, created by Len Lawrence on 2017-07-28 17:25:11 CEST

(hide)

Description:

Filename:

MIME Type:

Creator: Len Lawrence

Created: 2017-07-28 17:25:11 CEST

Size: 4.73 KB

patch

obsolete

>Most of these test images should be tested with 'gm identify <file>'
>
>CVEs with an asterisk are on RÃ©mi's "clear" list.
>
>PoC finder on github:
>https://github.com/bestshow/p0cs/find/7ad0abd02fa7c73021ebca5c2cfc6427c9ed6e40
>Most of the AFL reproducers for the bugs which affect IM, GM or both are listed by SUSE:
>https://lists.opensuse.org/opensuse-updates/2016-10/msg00094.html
>There are indications that both IM and GM need the same patches in some cases, which is an indication of a common code base.
>------------------------------------------------------------------------------
>
>CVE-2015-8957
>https://www.suse.com/security/cve/CVE-2015-8957.html
>SuSE says FIXED -
>GraphicsMagick >= 1.2.5-4.46.1 for some releases
>and GraphicsMagick >= 1.3.20-12.1 for openSUSE 13.2
>poc: 4a1d6a6d
>
>CVE-2015-8958
>coders/sun.c
>https://www.suse.com/security/cve/CVE-2015-8958/
>poc: 68e4a715
>$ convert 68e4a715 test.bmp
>Aborted (core dumped)
>
>CVE-2016-5688
>poc: imagemagick-heapoverflow-SetPixelIndex.wpg
>poc: imagemagick-invalid-write-ScaleCharToQuantum.wpg
>poc: imagemagick-invalid-write-SetPixelIndex.wpg
>
>CVE-2016-6823
>poc: CVE-2016-6823.ppm
>
>CVE-2016-7101
>poc: CVE-2016-7101.sgi
>
>CVE-2016-7446
>
>CVE-2016-7515
>For future reference re ASAN testing:-
>#Configure command:
>CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --with-bzlib=no --with-djvu=no --with-dps=no --with-fftw=no --with-fpx=no --with-fontconfig=no --with-freetype=no --with-gvc=no --with-jbig=no --with-jpeg=no --with-lcms=no --with-lqr=no --with-ltdl=no --with-lzma=no --with-openexr=no --with-openjp2=no --with-pango=no --with-png=no --with-tiff=no --with-wmf=no --with-x=no --with-xml=no --with-zlib=no --enable-hdri=no --enable-shared=no
>#Make command:
>CC=afl-clang-fast CXX=afl-clang-fast++ make
>poc: id_000019,sig_06,src_000452,op_arith16,pos_10,val_-10
>
>CVE-2016-7516
>poc: id_000071,sig_06,src_002008,op_flip1,pos_580
>The two testcases referred to on the discussion page are actually the same file.
>
>CVE-2016-7517
>poc: id_000045,sig_06,src_001710,op_int16,pos_562,val_+32
>
>CVE-2016-7519
>poc: id_000019,sig_06,src_000452,op_arith16,pos_10,val_-10
>
>CVE-2016-7522
>poc: id_000125,sig_06,src_003820,op_havoc,rep_2
>
>CVE-2016-7524
>poc: id_000147,sig_06,src_004628,op_havoc,rep_128
>
>CVE-2016-7526
>poc: id_000002,sig_06,src_000001,op_flip1,pos_866
>poc: id_000004,sig_06,src_000001,op_int8,pos_864,val_+1
>poc: id_000081,sig_06,src_000197,op_ext_AO,pos_686
>
>CVE-2016-7527
>poc: id_000346,sig_06,src_005762,op_havoc,rep_32
>
>CVE-2016-7528
>poc: id_000225,sig_06,src_000141+002191,op_splice,rep_64
>
>CVE-2016-7529
>poc: id_000081,sig_06,src_000075,op_havoc,rep_16
>$ convert id:000081,sig:06,src:000075,op:havoc,rep:16 /dev/null
>convert: magick/quantum.c:267: DestroyQuantumPixels: Assertion `quantum_info->pixels[i][extent] == 0xab' failed.
>Aborted (core dumped)
>GraphicsMagick reports 'gm convert: Improper image header (test).'.
>Another poc:
>poc: id_000012,sig_06,src_000016,op_flip1,pos_26
>input file to trigger crash
>
>CVE-2016-7531
>poc: id_000000,sig_06,src_000000,op_flip1,pos_119
>poc: id_000122,sig_06,src_000277,op_havoc,rep_8
>poc: id_000338,sig_06,src_005458,op_havoc,rep_8
>
>CVE-2016-7533
>
>
>CVE-2016-7537
>poc: id_000419,sig_06,src_001803+004110,op_splice,rep_2
>poc: 'id&%000067,sig&%06,src&%000833,op&%havoc,rep&%2'
>
>CVE-2016-7800
>nothing found
>
>CVE-2016-8682 *
>stack-based buffer overflow in ReadSCTImage - sct.c
>nothing found
>
>CVE-2016-8683 *
>nothing found
>
>CVE-2016-8684 *
>nothing found
>
>CVE-2016-9830 *
>poc: 00096-graphicsmagick-memalloc-MagickRealloc
>Linked from:
>https://blogs.gentoo.org/ago/2016/12/01/graphicsmagick-memory-allocation-failure-in-magickrealloc-memory-c/
>
>CVE-2017-6335 *
>Fix out of bounds access when reading CMYKA tiff which claims wrong samples/pixel.
>A reproducer is mentioned, stored at a dropbox address.  Could not access it.
>
>CVE-2017-8350 *
>poc: memory-leak-in-ReadJNGImage-8.jng
>ImageMagick 'png.c' Denial of Service Vulnerability
>https://github.com/ImageMagick/ImageMagick/issues/447
>
>CVE-2017-8351
>poc: memory-leak-in-ReadPCDImage-9.pcd
>
>CVE-2017-8353
>poc: memory-leak-in-ReadPICTImage-16.pict
>
>CVE-2017-8355
>SuSE says:
>In ImageMagick 7.0.5-5, the ReadMTVImage function in mtv.c allows attackers to cause a denial of service (memory leak) via a crafted file.
>https://bugzilla.suse.com/show_bug.cgi?id=1036990
>poc: memory-leak-in-ReadMTVImage-11.mtv
>Don't know if running this PoC will resolve the "fixed or not" issue for 1.3.25/26.
>
>CVE-2017-10794 *
>buffer overflow in QuantumTransferMode
>https://bugzilla.redhat.com/show_bug.cgi?id=1467372
>An issue was discovered in GraphicsMagick 1.3.25. When a DPX image is processed (with metadata indicating a large width) in coders/dpx.c, an out of memory denial of service can occur in ReadDPXImage().
>
>CVE-2017-10799 *
>ReadDPXImage again - DOS vulnerability
>
>CVE-2017-10800 *
>DOS - mat.c - object size overflow check

Most of these test images should be tested with 'gm identify <file>'

CVEs with an asterisk are on RÃ©mi's "clear" list.

PoC finder on github:
https://github.com/bestshow/p0cs/find/7ad0abd02fa7c73021ebca5c2cfc6427c9ed6e40
Most of the AFL reproducers for the bugs which affect IM, GM or both are listed by SUSE:
https://lists.opensuse.org/opensuse-updates/2016-10/msg00094.html
There are indications that both IM and GM need the same patches in some cases, which is an indication of a common code base.
------------------------------------------------------------------------------

CVE-2015-8957
https://www.suse.com/security/cve/CVE-2015-8957.html
SuSE says FIXED -
GraphicsMagick >= 1.2.5-4.46.1 for some releases
and GraphicsMagick >= 1.3.20-12.1 for openSUSE 13.2
poc: 4a1d6a6d

CVE-2015-8958
coders/sun.c
https://www.suse.com/security/cve/CVE-2015-8958/
poc: 68e4a715
$ convert 68e4a715 test.bmp
Aborted (core dumped)

CVE-2016-5688
poc: imagemagick-heapoverflow-SetPixelIndex.wpg
poc: imagemagick-invalid-write-ScaleCharToQuantum.wpg
poc: imagemagick-invalid-write-SetPixelIndex.wpg

CVE-2016-6823
poc: CVE-2016-6823.ppm

CVE-2016-7101
poc: CVE-2016-7101.sgi

CVE-2016-7446

CVE-2016-7515
For future reference re ASAN testing:-
#Configure command:
CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --with-bzlib=no --with-djvu=no --with-dps=no --with-fftw=no --with-fpx=no --with-fontconfig=no --with-freetype=no --with-gvc=no --with-jbig=no --with-jpeg=no --with-lcms=no --with-lqr=no --with-ltdl=no --with-lzma=no --with-openexr=no --with-openjp2=no --with-pango=no --with-png=no --with-tiff=no --with-wmf=no --with-x=no --with-xml=no --with-zlib=no --enable-hdri=no --enable-shared=no
#Make command:
CC=afl-clang-fast CXX=afl-clang-fast++ make
poc: id_000019,sig_06,src_000452,op_arith16,pos_10,val_-10

CVE-2016-7516
poc: id_000071,sig_06,src_002008,op_flip1,pos_580
The two testcases referred to on the discussion page are actually the same file.

CVE-2016-7517
poc: id_000045,sig_06,src_001710,op_int16,pos_562,val_+32

CVE-2016-7519
poc: id_000019,sig_06,src_000452,op_arith16,pos_10,val_-10

CVE-2016-7522
poc: id_000125,sig_06,src_003820,op_havoc,rep_2

CVE-2016-7524
poc: id_000147,sig_06,src_004628,op_havoc,rep_128

CVE-2016-7526
poc: id_000002,sig_06,src_000001,op_flip1,pos_866
poc: id_000004,sig_06,src_000001,op_int8,pos_864,val_+1
poc: id_000081,sig_06,src_000197,op_ext_AO,pos_686

CVE-2016-7527
poc: id_000346,sig_06,src_005762,op_havoc,rep_32

CVE-2016-7528
poc: id_000225,sig_06,src_000141+002191,op_splice,rep_64

CVE-2016-7529
poc: id_000081,sig_06,src_000075,op_havoc,rep_16
$ convert id:000081,sig:06,src:000075,op:havoc,rep:16 /dev/null
convert: magick/quantum.c:267: DestroyQuantumPixels: Assertion `quantum_info->pixels[i][extent] == 0xab' failed.
Aborted (core dumped)
GraphicsMagick reports 'gm convert: Improper image header (test).'.
Another poc:
poc: id_000012,sig_06,src_000016,op_flip1,pos_26
input file to trigger crash

CVE-2016-7531
poc: id_000000,sig_06,src_000000,op_flip1,pos_119
poc: id_000122,sig_06,src_000277,op_havoc,rep_8
poc: id_000338,sig_06,src_005458,op_havoc,rep_8

CVE-2016-7533


CVE-2016-7537
poc: id_000419,sig_06,src_001803+004110,op_splice,rep_2
poc: 'id&%000067,sig&%06,src&%000833,op&%havoc,rep&%2'

CVE-2016-7800
nothing found

CVE-2016-8682 *
stack-based buffer overflow in ReadSCTImage - sct.c
nothing found

CVE-2016-8683 *
nothing found

CVE-2016-8684 *
nothing found

CVE-2016-9830 *
poc: 00096-graphicsmagick-memalloc-MagickRealloc
Linked from:
https://blogs.gentoo.org/ago/2016/12/01/graphicsmagick-memory-allocation-failure-in-magickrealloc-memory-c/

CVE-2017-6335 *
Fix out of bounds access when reading CMYKA tiff which claims wrong samples/pixel.
A reproducer is mentioned, stored at a dropbox address.  Could not access it.

CVE-2017-8350 *
poc: memory-leak-in-ReadJNGImage-8.jng
ImageMagick 'png.c' Denial of Service Vulnerability
https://github.com/ImageMagick/ImageMagick/issues/447

CVE-2017-8351
poc: memory-leak-in-ReadPCDImage-9.pcd

CVE-2017-8353
poc: memory-leak-in-ReadPICTImage-16.pict

CVE-2017-8355
SuSE says:
In ImageMagick 7.0.5-5, the ReadMTVImage function in mtv.c allows attackers to cause a denial of service (memory leak) via a crafted file.
https://bugzilla.suse.com/show_bug.cgi?id=1036990
poc: memory-leak-in-ReadMTVImage-11.mtv
Don't know if running this PoC will resolve the "fixed or not" issue for 1.3.25/26.

CVE-2017-10794 *
buffer overflow in QuantumTransferMode
https://bugzilla.redhat.com/show_bug.cgi?id=1467372
An issue was discovered in GraphicsMagick 1.3.25. When a DPX image is processed (with metadata indicating a large width) in coders/dpx.c, an out of memory denial of service can occur in ReadDPXImage().

CVE-2017-10799 *
ReadDPXImage again - DOS vulnerability

CVE-2017-10800 *
DOS - mat.c - object size overflow check

Actions: View

Attachments on bug 19668: 9518 | 9526 | 9527 | 9528