Bug 19668 - graphicsmagick several (possible) new security issues
Summary: graphicsmagick several (possible) new security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5TOO MGA5-64-OK MGA6-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-10-27 14:28 CEST by David Walser
Modified: 2017-07-30 17:59 CEST
CC: 13 users

See Also:
Source RPM: graphicsmagick-1.3.25-4.mga6.src.rpm
CVE:
Status comment:


Attachments
A selection of utility tests for GraphicsMagick (5.69 KB, text/plain)
2017-07-25 18:46 CEST, Len Lawrence
Notes jotted down while researching CVEs (4.73 KB, text/plain)
2017-07-28 17:25 CEST, Len Lawrence
List of test results for the reproducers before the updates (5.47 KB, text/plain)
2017-07-28 17:26 CEST, Len Lawrence
List of test results after the updates (4.07 KB, text/plain)
2017-07-28 17:29 CEST, Len Lawrence

Description David Walser 2016-10-27 14:28:38 CEST
openSUSE has issued advisories on October 26:
https://lists.opensuse.org/opensuse-updates/2016-10/msg00094.html
https://lists.opensuse.org/opensuse-updates/2016-10/msg00097.html

They list several CVEs I haven't seen before:
http://lwn.net/Vulnerabilities/704704/
http://lwn.net/Vulnerabilities/704711/

I don't know where they came from or if we have already fixed them.
Comment 1 Marja Van Waes 2016-10-27 18:38:45 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => cjw, fundawang, jani.valimaa, mageia, mageia, makowski.mageia, marja11, nicolas.salguero, olav, thierry.vignaud
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2016-11-18 17:32:07 CET
openSUSE has issued an advisory on November 17:
https://lists.opensuse.org/opensuse-updates/2016-11/msg00073.html

This has another new CVE.  LWN reference:
http://lwn.net/Vulnerabilities/706851/
Comment 3 David Walser 2016-12-05 20:03:09 CET
CVE-2016-9830 has been assigned for another security issue fixed upstream:
http://openwall.com/lists/oss-security/2016/12/05/5
Comment 4 David Walser 2016-12-06 19:09:14 CET
openSUSE has issued an advisory today (December 6):
https://lists.opensuse.org/opensuse-updates/2016-12/msg00042.html

LWN reference for one of the CVEs:
https://lwn.net/Vulnerabilities/708243/
Comment 5 David Walser 2016-12-22 17:44:25 CET
CVE-2016-9830:
https://lwn.net/Vulnerabilities/709987/
Comment 6 David Walser 2017-02-07 12:16:27 CET
CVE-2016-10048 CVE-2016-10050 CVE-2016-10051 CVE-2016-10052 CVE-2016-10068 CVE-2016-10070:
https://lwn.net/Vulnerabilities/713786/

CVE-2016-10059 CVE-2016-10064 CVE-2016-10065 CVE-2016-10069:
https://lwn.net/Vulnerabilities/713787/

openSUSE has issued advisories for this on February 6:
https://lists.opensuse.org/opensuse-updates/2017-02/msg00028.html
https://lists.opensuse.org/opensuse-updates/2017-02/msg00031.html
Comment 7 David Walser 2017-02-24 11:56:51 CET
Another security issue has been fixed upstream:
http://openwall.com/lists/oss-security/2017/02/24/1

The upstream commit and a minimal patch with a fix are in the message above.
Comment 8 David Walser 2017-03-01 03:05:07 CET
(In reply to David Walser from comment #7)
> Another security issue has been fixed upstream:
> http://openwall.com/lists/oss-security/2017/02/24/1
> 
> The upstream commit and a minimal patch with a fix are in the message above.

CVE-2017-6335:
http://openwall.com/lists/oss-security/2017/02/28/2
Comment 9 David Walser 2017-03-10 03:50:08 CET
Fedora has issued an advisory today (March 9):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2DLPLLMLNBNAT7YWOSVGDII4AM3IADJP/

They have some new CVEs (CVE-2016-7800, CVE-2016-799[67], CVE-2016-868[2-4]).
Comment 10 David Walser 2017-04-01 03:00:50 CEST
(In reply to David Walser from comment #8)
> (In reply to David Walser from comment #7)
> > Another security issue has been fixed upstream:
> > http://openwall.com/lists/oss-security/2017/02/24/1
> > 
> > The upstream commit and a minimal patch with a fix are in the message above.
> 
> CVE-2017-6335:
> http://openwall.com/lists/oss-security/2017/02/28/2

openSUSE has issued an advisory for this today (March 31):
https://lists.opensuse.org/opensuse-updates/2017-03/msg00116.html
Comment 11 Nicolas Lécureuil 2017-05-01 22:12:36 CEST
Fixed in cauldron and pushed in mga5 updates_testing

src.rpm:  graphicsmagick-1.3.25-1.4.mga5

CC: (none) => mageia
Version: Cauldron => 5
CVE: (none) => CVE-2017-6335
Assignee: pkg-bugs => qa-bugs

Comment 12 David Walser 2017-05-02 01:47:10 CEST
Nicolas, you only patched one CVE.  There are several here.

Whiteboard: (none) => MGA5TOO
Assignee: qa-bugs => pkg-bugs
Version: 5 => Cauldron

Comment 13 David Walser 2017-05-03 13:32:53 CEST
List of CVEs we need to fix:
CVE-2015-8957 CVE-2015-8958 CVE-2016-5688
CVE-2016-6823 CVE-2016-7101 CVE-2016-7446
CVE-2016-7515 CVE-2016-7516 CVE-2016-7517
CVE-2016-7519 CVE-2016-7522 CVE-2016-7524
CVE-2016-7526 CVE-2016-7527 CVE-2016-7528
CVE-2016-7529 CVE-2016-7531 CVE-2016-7533
CVE-2016-7537 CVE-2016-8862 CVE-2016-9830
CVE-2016-9556 CVE-2016-9559 CVE-2016-10048
CVE-2016-10050 CVE-2016-10051 CVE-2016-10052
CVE-2016-10059 CVE-2016-10064 CVE-2016-10065
CVE-2016-10068 CVE-2016-10069 CVE-2016-10070
CVE-2016-10146 CVE-2017-5511 CVE-2017-6335
CVE-2016-7800, CVE-2016-799[67], CVE-2016-868[2-4]
Comment 14 Rémi Verschelde 2017-05-03 13:59:18 CEST
As discussed on IRC, it might be simpler to package a snapshot of the current mercurial branch to benefit from all upstream security fixes since 1.3.25.

The changelog since 1.3.25 (see https://sourceforge.net/p/graphicsmagick/code/ci/default/tree/ChangeLog.2016 and https://sourceforge.net/p/graphicsmagick/code/ci/default/tree/ChangeLog) shows mostly security bugfixes, some code sanitization and only a few "feature" commits.

Might be worth suggesting to the upstream developer to make a formal new release in parallel.
Rémi Verschelde 2017-05-03 14:05:24 CEST

Status: NEW => ASSIGNED
Assignee: pkg-bugs => rverschelde

Comment 15 David Walser 2017-05-06 01:16:41 CEST
Add CVE-2017-7941 to the list.

openSUSE has issued an advisory on May 4:
https://lists.opensuse.org/opensuse-updates/2017-05/msg00008.html
Comment 16 David Walser 2017-05-26 16:59:43 CEST
openSUSE has issued an advisory today (May 26):
https://lists.opensuse.org/opensuse-updates/2017-05/msg00085.html

It fixes four new CVEs: CVE-2017-835[0135].
Comment 17 David Walser 2017-06-10 02:43:21 CEST
openSUSE has issued an advisory on June 8:
https://lists.opensuse.org/opensuse-updates/2017-06/msg00023.html

It fixes a new CVE: CVE-2017-9142.
David Walser 2017-07-07 04:23:33 CEST

Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO

Comment 18 David Walser 2017-07-07 04:38:33 CEST
openSUSE has issued an advisory today (July 6):
https://lists.opensuse.org/opensuse-updates/2017-07/msg00028.html

It has an additional fix related to CVE-2017-8350.
Comment 19 David Walser 2017-07-09 03:10:49 CEST
Fedora has issued an advisory today (July 8):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MNLOUPX5V6JWQH244LAOXC353ALXBL5J/

They updated to the new upstream release 1.3.26.
Comment 20 David Walser 2017-07-17 12:12:17 CEST
graphicsmagick-1.3.26-1.mga7 uploaded for Cauldron by Rémi.

Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 21 Rémi Verschelde 2017-07-17 13:29:37 CEST
Uploaded graphicsmagick-1.3.26-1.mga5 and graphicsmagick-1.3.26-1.mga6 to Mageia 5 & 6 core/updates_testing.

Advisory yet to come, but here's the list of fixed CVEs I could gather:
- CVE-2016-7800
- CVE-2016-7996
- CVE-2016-7997
- CVE-2016-8682 (not mentioned but our patch was from upstream)
- CVE-2016-8683 (not mentioned but our patch was from upstream)
- CVE-2016-8684 (not mentioned but our patch was from upstream)
- CVE-2016-9830
- CVE-2017-6335
- CVE-2017-8350
- CVE-2017-10794
- CVE-2017-10799
- CVE-2017-10800

Unclear:
- CVE-2015-8957
- CVE-2015-8958
- CVE-2016-5688
- CVE-2016-6823
- CVE-2016-7101
- CVE-2016-7446
- CVE-2016-751[5679]
- CVE-2016-752[246789]
- CVE-2016-753[137]
- CVE-2016-8862
- CVE-2016-955[69]
- CVE-2016-10048
- CVE-2016-1005[0129]
- CVE-2016-1006[4589]
- CVE-2016-10070
- CVE-2016-10146
- CVE-2017-5511
- CVE-2017-7941 https://lists.opensuse.org/opensuse-updates/2017-05/msg00008.html
- CVE-2017-9142 https://lists.opensuse.org/opensuse-updates/2017-06/msg00023.html
- CVE-2017-835[135] https://lists.opensuse.org/opensuse-updates/2017-05/msg00085.html

I believe that many of the "unclear" CVEs might have been fixed in 1.3.26 and some maybe in 1.3.25, as many changelog entries are security fixes with no mentioned CVE number.

As this is becoming a very hairy mess, I propose that we:
- push the pristine 1.3.26 and trust upstream for having done its job well (that's what Fedora did)
- continue monitoring SUSE who seems particularly eager to patch gazillions of CVEs without making sure that those will be properly referenced upstream - currently they still ship 1.3.25 with scores of patches, let's check what they keep when they upgrade to 1.3.26.
Comment 22 David Walser 2017-07-18 03:19:12 CEST
Rémi, I agree with your proposal here and with what you said on IRC.  This will just have a generic advisory saying it fixes several unspecified security issues.
Comment 23 David Walser 2017-07-18 12:09:42 CEST
CVE-2017-11403:
http://openwall.com/lists/oss-security/2017/07/18/1

The message above contains a link to the upstream fix.
Comment 24 David Walser 2017-07-23 21:56:21 CEST
(In reply to David Walser from comment #23)
> CVE-2017-11403:
> http://openwall.com/lists/oss-security/2017/07/18/1
> 
> The message above contains a link to the upstream fix.

Fedora has issued an advisory for this today (July 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GFIL5ZM7IEMGCD4RC2FMV3VLRUTSNJX5/

I think we can update to 1.3.26 plus this patch.
Comment 25 Rémi Verschelde 2017-07-24 08:13:45 CEST
I've added a patch for CVE-2017-11403, so those packages are ready for testing:


Mageia 5:
=========

SRPM: graphicsmagick-1.3.26-1.1.mga5

graphicsmagick-1.3.26-1.1.mga5
lib(64)graphicsmagick3-1.3.26-1.1.mga5
lib(64)graphicsmagick++12-1.3.26-1.1.mga5
lib(64)graphicsmagickwand2-1.3.26-1.1.mga5
lib(64)graphicsmagick-devel-1.3.26-1.1.mga5
perl-Graphics-Magick-1.3.26-1.1.mga5
graphicsmagick-doc-1.3.26-1.1.mga5.noarch

Mageia 6:
=========

SRPM: graphicsmagick-1.3.26-1.1.mga6

graphicsmagick-1.3.26-1.1.mga6
lib(64)graphicsmagick3-1.3.26-1.1.mga6
lib(64)graphicsmagick++12-1.3.26-1.1.mga6
lib(64)graphicsmagickwand2-1.3.26-1.1.mga6
lib(64)graphicsmagick-devel-1.3.26-1.1.mga6
perl-Graphics-Magick-1.3.26-1.1.mga6
graphicsmagick-doc-1.3.26-1.1.mga6.noarch


Advisory should come soon™, though with the unclear status on many of the CVEs I'm not sure exactly what should go in it.

CVE: CVE-2017-6335 => (none)
Assignee: rverschelde => qa-bugs

Comment 26 Len Lawrence 2017-07-24 21:51:01 CEST
Going to stay on this one.  It looks like a long haul.
Testing on mga5 x86_64 to start with.

Preupdate test for CVE-2017-11403

https://blogs.gentoo.org/ago/2017/07/12/graphicsmagick-use-after-free-in-closeblob-blob-c
provides a link to a reproducer.  The analysis is in terms of ASAN which we cannot emulate without performing a local build.  Having tried that route before and failed to enable ASAN I think I shall give it a miss and simply run the reproducer before and after the update.  An Abort is expected before it.

$ gm identify 00301-graphicsmagick-UAF-CloseBlob
gm: magick/blob.c:859: CloseBlob: Assertion `image->signature == 0xabacadabUL' failed.
gm identify: abort due to signal 6 (SIGABRT) "Abort"...
Aborted

CC: (none) => tarazed25

Comment 27 Len Lawrence 2017-07-24 23:32:18 CEST
Updated the seven packages for x86_64 and ran the earlier test.

$ gm identify 00301-graphicsmagick-UAF-CloseBlob
gm identify: Request did not return an image.

That clears CVE-2017-11403.

I am keeping the pre and post graphicsmagick libraries on separate workstations running mga5 and Mate to allow incremental testing with reference to the CVEs if this is a possibility and sharing any PoCs that may turn up, via NFS.
Comment 28 Len Lawrence 2017-07-25 10:59:59 CEST
Meanwhile, starting a search among the fixed CVEs for test cases and running use tests for the gm tools.
Comment 29 Len Lawrence 2017-07-25 18:44:00 CEST
No luck yet with test cases but the sample of utility tests ran successfully.  See attachment.
Comment 30 Len Lawrence 2017-07-25 18:46:32 CEST
Created attachment 9518 [details]
A selection of utility tests for GraphicsMagick
Comment 31 Len Lawrence 2017-07-26 09:43:21 CEST
Progress report: in the middle of accumulating testcases for the CVEs.  Later.
Comment 32 Len Lawrence 2017-07-28 17:25:11 CEST
Created attachment 9526 [details]
Notes jotted down while researching CVEs

This can be used to match up CVEs and reproducers.  Some CVEs have more than one test file.
Comment 33 Len Lawrence 2017-07-28 17:26:51 CEST
Created attachment 9527 [details]
List of test results for the reproducers before the updates
Comment 34 Len Lawrence 2017-07-28 17:29:36 CEST
Created attachment 9528 [details]
List of test results after the updates

An = sign after the test indicates no difference from 'before'.
*** indicates that the diagnostic messages differed from 'before'.
Len Lawrence 2017-07-28 17:30:49 CEST

Whiteboard: MGA5TOO => MGA5TOO feedback

Comment 35 Len Lawrence 2017-07-28 17:34:27 CEST
My apologies for the length of time this has taken.  There are 52 CVEs listed, for which it has been possible to track down 31 reproducers, most of which have been written for the AFL testing framework.  These have been tested with the 'gm identify' command and sometimes 'gm display' or 'gm convert'.

Tests were run before and after the updates.  Comparing these results shows very few differences which means that it is difficult to draw conclusions about the effectiveness of the patches.

Example:
$ gm identify memory-leak-in-ReadPICTImage-16.pict
gm identify: Improper image header (memory-leak-in-ReadPICTImage-16.pict).
gm identify: Request did not return an image.

That looks like a happy outcome even if the reports are identical but a result like the following might not be:
$ gm identify id_000419,sig_06,src_001803+004110,op_splice,rep_2 
id_000419,sig_06,src_001803+004110,op_splice,rep_2 PDB 4x30+0+0 PseudoClass 16c 8-bit 164 0.000u 0m:0.000002s

In cases like the latter it is often possible to display the test file as if it were a valid image.

The question is, are we wasting our time running reproducers which were originally written for and tested with the AFL framework?
 
Adding the feedback marker - some guidance would be appreciated.  Also posting summaries of the work so far.
Jani Välimaa 2017-07-28 17:38:18 CEST

CC: jani.valimaa => (none)

Comment 36 David Walser 2017-07-28 20:09:13 CEST
Most of the test cases are generated by fuzzers, which mostly result in invalid or corrupt files, so error messages are to be expected.  Mainly we just want to make sure they don't cause crashes.  Thanks for tracking down all of these test cases.
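The procedure in comments 34 to 36 (run each fuzzer-derived reproducer through gm before and after the update, mark unchanged results with "=" and changed diagnostics with "***", and treat only a crash as a failure) can be scripted. The following harness is an added example, not code from this bug report or from the GraphicsMagick project; the gm invocation and the two reproducer names are taken from comments 26, 27 and 35, while the result-file format, the function names and the sample before/after data are constructed here.

```python
"""Added example: run gm over a directory of reproducers, classify each
outcome as ok / error / crash / timeout, and diff a 'before' and 'after'
result list with the markers used in comment 34 ('=' and '***').
Neither the harness nor the result-file format is part of GraphicsMagick."""
import signal
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, Sequence


@dataclass(frozen=True)
class Result:
    name: str
    outcome: str  # "ok", "error", "crash" or "timeout"
    detail: str   # signal name for a crash, otherwise the first stderr line


def classify(name: str, returncode: int, stderr: str) -> Result:
    """Turn one gm run into a Result.  subprocess reports death by signal as
    a negative return code; gm's own 'abort due to signal' message (seen in
    comment 26) is checked too in case a wrapper script masked the status."""
    lines = stderr.strip().splitlines()
    first = lines[0] if lines else ""
    if returncode < 0:
        return Result(name, "crash", signal.Signals(-returncode).name)
    if "abort due to signal" in stderr:
        return Result(name, "crash", first)
    if returncode == 0:
        return Result(name, "ok", first)
    # Non-zero exit with a diagnostic: a rejected corrupt file, which is the
    # expected result for fuzzer output (comment 36).
    return Result(name, "error", first)


def run_reproducer(path: Path, cmd: Sequence[str] = ("gm", "identify"),
                   timeout: float = 30.0) -> Result:
    """Run one reproducer under a timeout, since a fuzzer file may hang a parser."""
    try:
        proc = subprocess.run([*cmd, str(path)], capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return Result(path.name, "timeout", f"no result after {timeout}s")
    return classify(path.name, proc.returncode, proc.stderr)


def run_all(paths: Iterable[Path], **kw) -> Dict[str, Result]:
    return {r.name: r for r in (run_reproducer(p, **kw) for p in paths)}


def to_text(results: Dict[str, Result]) -> str:
    """One tab-separated line per reproducer; save one file per build."""
    return "".join(f"{r.name}\t{r.outcome}\t{r.detail}\n"
                   for r in sorted(results.values(), key=lambda r: r.name))


def from_text(text: str) -> Dict[str, Result]:
    out: Dict[str, Result] = {}
    for line in text.splitlines():
        if line.strip():
            name, outcome, detail = line.split("\t", 2)
            out[name] = Result(name, outcome, detail)
    return out


def compare(before: Dict[str, Result], after: Dict[str, Result]) -> Dict[str, str]:
    """'=' when nothing changed, '***' when the diagnostic text changed.
    A crash or hang in the updated build is the only real failure, so it is
    flagged on its own whether or not the text differs from 'before'."""
    marks: Dict[str, str] = {}
    for name, a in after.items():
        b = before.get(name)
        if a.outcome == "crash":
            marks[name] = "CRASH"
        elif a.outcome == "timeout":
            marks[name] = "TIMEOUT"
        elif b is None:
            marks[name] = "NEW"
        elif (b.outcome, b.detail) == (a.outcome, a.detail):
            marks[name] = "="
        else:
            marks[name] = "***"
    return marks


def report(before: Dict[str, Result], after: Dict[str, Result]) -> str:
    marks = compare(before, after)
    return "".join(f"{m:>7}  {n}  {after[n].outcome}: {after[n].detail}\n"
                   for n, m in sorted(marks.items()))


if __name__ == "__main__":
    # Constructed sample mirroring comments 26, 27 and 35: the CloseBlob
    # reproducer aborted before the update and is rejected cleanly after it;
    # the PICT file is rejected identically in both builds.
    before = from_text("00301-graphicsmagick-UAF-CloseBlob\tcrash\tSIGABRT\n"
                       "memory-leak-in-ReadPICTImage-16.pict\terror\t"
                       "gm identify: Improper image header (memory-leak-in-ReadPICTImage-16.pict).\n")
    after = from_text("00301-graphicsmagick-UAF-CloseBlob\terror\t"
                      "gm identify: Request did not return an image.\n"
                      "memory-leak-in-ReadPICTImage-16.pict\terror\t"
                      "gm identify: Improper image header (memory-leak-in-ReadPICTImage-16.pict).\n")
    print(report(before, after))
    # To run against a real tree: print(to_text(run_all(Path("cases").iterdir())))
```

In use, run_all is executed once on the pre-update box and once after the update, each output is saved with to_text, and compare is run over the two files; anything marked CRASH or TIMEOUT is a regression, while "***" only says the error text changed and still needs a human look.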
Len Lawrence 2017-07-29 09:09:44 CEST

Whiteboard: MGA5TOO feedback => MGA5TOO

Comment 37 Len Lawrence 2017-07-29 09:18:01 CEST
Thanks David.  On the basis that no crashes were observed and that there are no apparent regressions in the functionality tests, this gets the OK.

Writing the advisory could be a bit of a headache.  Maybe group the CVEs according to specific vulnerabilities rather than addressing them individually.  Willing to help there.
Len Lawrence 2017-07-29 09:18:30 CEST

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Comment 38 Herman Viaene 2017-07-29 12:14:08 CEST
MGA-32 ON Asus A6000VM MATE
No installation issues.
Tested as per utilities.txt attached by Len, using an own .pmg file to start with. Stopped after some 15 tests. All result in displayable images, with some remarks:
The result of convert -average is a complete blur as the background of the images is also quite different.
The plain gm convert does not give any feedback, neither does the gm display of the resulting image.
The convert -border results in a higher resolution image, so the following convert -crop results in a real crop of the original image in this test.

All in all this seems OK.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-32-OK

Comment 39 Rémi Verschelde 2017-07-30 17:10:29 CEST
Advisory:
=========

Updated graphicsmagick packages fix security vulnerabilities

  New stable upstream release including security fixes for CVE-2016-7800,
  CVE-2017-10794, CVE-2016-7996, CVE-2016-7997, CVE-2016-8682, CVE-2016-8683,
  CVE-2016-8684, CVE-2016-9830, CVE-2017-6335, CVE-2017-8350, CVE-2017-10794,
  CVE-2017-10799, CVE-2017-10800, CVE-2017-11403 and possibly several other
  security issues with and without associated CVE number.

References:
 - http://www.graphicsmagick.org/NEWS.html#july-4-2017
 - https://bugzilla.redhat.com/show_bug.cgi?id=1472214
Comment 40 Rémi Verschelde 2017-07-30 17:14:30 CEST
Fixed a typo:

Advisory:
=========

Updated graphicsmagick packages fix security vulnerabilities

  New stable upstream release including security fixes for CVE-2016-7800,
  CVE-2016-7996, CVE-2016-7997, CVE-2016-8682, CVE-2016-8683, CVE-2016-8684,
  CVE-2016-9830, CVE-2017-6335, CVE-2017-8350, CVE-2017-10794, CVE-2017-10799,
  CVE-2017-10800, CVE-2017-11403 and possibly several other security issues
  with and without associated CVE number.

References:
 - http://www.graphicsmagick.org/NEWS.html#july-4-2017
 - https://bugzilla.redhat.com/show_bug.cgi?id=1472214
Comment 41 Rémi Verschelde 2017-07-30 17:15:15 CEST
Advisory uploaded, validating.

Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-64-OK MGA6-32-OK => advisory MGA5TOO MGA5-64-OK MGA6-32-OK
CC: (none) => sysadmin-bugs

Comment 42 Mageia Robot 2017-07-30 17:59:37 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0229.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

