Bug 21564 - graphicsmagick new security issues CVE-2017-1293[5-7]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5TOO MGA6-32-OK MGA6-64-OK MGA5-32...
Keywords: validated_update
 
Reported: 2017-08-18 23:56 CEST by David Walser
Modified: 2017-08-23 17:43 CEST

Source RPM: graphicsmagick-1.3.26-3.mga7.src.rpm

Description David Walser 2017-08-18 23:56:40 CEST
Three security issues fixed upstream in graphicsmagick have been announced:
http://openwall.com/lists/oss-security/2017/08/18/4
http://openwall.com/lists/oss-security/2017/08/18/3
http://openwall.com/lists/oss-security/2017/08/18/5

The commit links with the fixes are linked in the messages above.

Mageia 5 and Mageia 6 are also affected.

David Walser 2017-08-18 23:56:49 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-08-19 07:41:57 CEST
Assigning to all packagers collectively, since there is no registered maintainer. CC'ing some committers.

CC: (none) => mageia, makowski.mageia, marja11, nicolas.salguero, olav, rverschelde
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2017-08-19 20:58:50 CEST
pushed in updates_testing

src.rpm:
        graphicsmagick-1.3.26-1.1.mga6
        graphicsmagick-1.3.26-1.2.mga5

Version: Cauldron => 6
CC: (none) => mageia
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Nicolas Lécureuil 2017-08-19 20:59:04 CEST

Assignee: pkg-bugs => qa-bugs

Comment 3 David Walser 2017-08-19 21:21:17 CEST
The Mageia 5 package has a higher release tag.

CC: (none) => qa-bugs
Assignee: qa-bugs => mageia

Comment 4 Nicolas Lécureuil 2017-08-19 21:30:53 CEST
Fixed :)

Assignee: mageia => qa-bugs

Comment 5 David Walser 2017-08-19 21:44:17 CEST
Advisory:
========================

Updated graphicsmagick packages fix security vulnerabilities:

Invalid memory read in SetImageColorCallBack() in image.c (CVE-2017-12935).

Use-after-free in ReadWMFImage() in wmf.c (CVE-2017-12936).

Heap-based buffer overflow in ReadSUNImage() in sun.c (CVE-2017-12937).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12935
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12937
http://openwall.com/lists/oss-security/2017/08/18/4
http://openwall.com/lists/oss-security/2017/08/18/3
http://openwall.com/lists/oss-security/2017/08/18/5
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.26-1.2.mga5
libgraphicsmagick3-1.3.26-1.2.mga5
libgraphicsmagick++12-1.3.26-1.2.mga5
libgraphicsmagickwand2-1.3.26-1.2.mga5
libgraphicsmagick-devel-1.3.26-1.2.mga5
perl-Graphics-Magick-1.3.26-1.2.mga5
graphicsmagick-doc-1.3.26-1.2.mga5
graphicsmagick-1.3.26-1.3.mga6
libgraphicsmagick3-1.3.26-1.3.mga6
libgraphicsmagick++12-1.3.26-1.3.mga6
libgraphicsmagickwand2-1.3.26-1.3.mga6
libgraphicsmagick-devel-1.3.26-1.3.mga6
perl-Graphics-Magick-1.3.26-1.3.mga6
graphicsmagick-doc-1.3.26-1.3.mga6

from SRPMS:
graphicsmagick-1.3.26-1.2.mga5.src.rpm
graphicsmagick-1.3.26-1.3.mga6.src.rpm

CC: qa-bugs => (none)

Comment 6 Herman Viaene 2017-08-22 11:13:18 CEST
MGA5-32 on Asus A6000VM Xfce
Refer to QA procedure for this package.
Not everything was as successful as one could expect.
At CLI:
$ gm display 001.tif 
is OK
$  gm convert 1973.pnm 1973.jpg
resulting jpg displays OK in ristretto, but
$  gm convert 1973.jpg 1973.tif
gm convert: 1973.tif: Invalid tag "BadFaxLines" (not supported by codec). (_TIFFVGetField).
thus converting a jpg which is the result of gm convert fails
$  gm convert 1973.pnm 1973.tif
So converting my original pnm to tif is OK.
$ gm identify 1973.jpg 
1973.jpg JPEG 2904x4208+0+0 DirectClass 8-bit 483.2Ki 0.000u 0m:0.000005s
seems OK
$ gm montage 1062.jpg 1973.jpg P7212389.jpg montage.jpg
resulting montage.jpg displays OK in gm display and in ristretto.
Leaving OK for someone else to judge on the problem above.

CC: (none) => herman.viaene

Comment 7 Len Lawrence 2017-08-22 17:05:03 CEST
I have seen that BadFaxLines message several times before but have ignored it (I think) because the conversions have succeeded.  Had not thought to try converting back.  Again it might be worth posting a bug on this.

I shall try 64-bits and decide after that.

CC: (none) => tarazed25

Comment 8 Len Lawrence 2017-08-22 18:04:16 CEST
Testing on mga6, x86_64

Found reproducer files for the three CVEs and ran them without benefit of the ASAN framework.  $FILE represents the file indicated against the CVE.  The original ASAN tests ended with Abort.

CVE-2017-12935  00303-graphicsmagick-invalidread-SetImageColorCallBack
$ gm convert -clip -negate $FILE out
gm convert: abort due to signal 7 (SIGBUS) "Bus Error"...
Aborted (core dumped)

CVE-2017-12936  00302-graphicsmagick-UAF-ReadWMFImage
$ gm convert -negate -clip $FILE out
ERROR: player.c (159): Unexpected EOF!
gm convert: Failed to scan file (00302-graphicsmagick-UAF-ReadWMFImage).

CVE-2017-12937  00304-graphicsmagick-heapoverflow-ReadSUNImage
$ gm convert -clip -negate $FILE out
gm convert: Invalid colormap index (index 1 >= 1 colors, 00304-graphicsmagick-heapoverflow-ReadSUNImage).

Forgot to change the name of the output file.
$ file out
out: Sun raster image data, 24 x 4, 1-bit, no colormap
gm display showed a horizontal white bar, 4 pixels high.

Update tests later.

Comment 9 Len Lawrence 2017-08-22 18:40:34 CEST
Installed the updates

- graphicsmagick-1.3.26-1.3.mga6.x86_64
- graphicsmagick-doc-1.3.26-1.3.mga6.noarch
- lib64graphicsmagick++12-1.3.26-1.3.mga6.x86_64
- lib64graphicsmagick-devel-1.3.26-1.3.mga6.x86_64
- lib64graphicsmagick3-1.3.26-1.3.mga6.x86_64
- lib64graphicsmagickwand2-1.3.26-1.3.mga6.x86_64
- perl-Graphics-Magick-1.3.26-1.3.mga6.x86_64

Tried the PoCs:
$ gm convert -clip -negate 00303-graphicsmagick-invalidread-SetImageColorCallBack out1
gm convert: Improper image header (00303-graphicsmagick-invalidread-SetImageColorCallBack).

$ gm convert -clip -negate 00302-graphicsmagick-UAF-ReadWMFImage out2
ERROR: player.c (159): Unexpected EOF!
gm convert: Failed to scan file (00302-graphicsmagick-UAF-ReadWMFImage).

$ gm convert -clip -negate 00304-graphicsmagick-heapoverflow-ReadSUNImage out3
gm convert: Invalid colormap index (index 1 >= 1 colors, 00304-graphicsmagick-heapoverflow-ReadSUNImage).

Tests 2 and 3 are equivocal compared with the earlier report but none of them produce an output file, indicating that the patches have worked.
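
The before/after check from Comments 8 and 9, as an added example that is not part of the bug report: it runs a converter on each reproducer file and reports whether the process died from a signal or left an output file behind. The `CONVERTER` variable and the `classify_reproducer` function are names assumed for this sketch; the default command mirrors the one used in the comments.

```shell
#!/bin/sh
# Added example (not from the bug report): classify what a converter does
# with a reproducer file, using the "no output file" criterion of Comment 9.
# CONVERTER is an assumed variable; it is word-split on purpose so it can
# carry options, as in "gm convert -clip -negate".
CONVERTER=${CONVERTER:-"gm convert -clip -negate"}

# classify_reproducer INPUT OUTPUT
# Prints one line:
#   CRASH signal=N   the process was terminated by signal N
#   OUTPUT rc=N      a non-empty output file was written (even after an error)
#   NO_OUTPUT rc=N   the input was rejected and nothing was written
classify_reproducer() {
    in=$1
    out=$2
    rc=0
    rm -f -- "$out"
    # "|| rc=$?" keeps the exit status without tripping "set -e" in callers.
    $CONVERTER "$in" "$out" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -gt 128 ]; then
        # An exit status above 128 means the shell saw the child die
        # from signal (status - 128), e.g. 134 for SIGABRT.
        echo "CRASH signal=$((rc - 128))"
    elif [ -s "$out" ]; then
        echo "OUTPUT rc=$rc"
    else
        echo "NO_OUTPUT rc=$rc"
    fi
}

# Stand-alone use: classify every file named on the command line.
for f in "$@"; do
    o=$(mktemp)
    printf '%s\t%s\n' "$f" "$(classify_reproducer "$f" "$o")"
    rm -f -- "$o"
done
```

Run it once against the installed package and once after installing the update; a reproducer that moves from CRASH or OUTPUT to NO_OUTPUT matches the result reported in Comment 9.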

Comment 10 David Walser 2017-08-22 19:16:42 CEST
Rémi, the previous update said we fixed CVE-2017-11403, but what about the other CVEs in this SUSE advisory from today (August 22)?
https://lists.opensuse.org/opensuse-security-announce/2017-08/msg00059.html

Comment 11 William Kenney 2017-08-22 20:37:06 CEST
Test procedure: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick

gm convert image4.jpg image4.png
gm convert image4.jpg image4.tiff
gm convert image4.jpg image4.pdf
gm convert -rotate +90 image4.jpg filename4_rotate.jpg
gm display filename4_rotate.jpg
gm display -flip image4.tiff
gm identify image4.jpg
execute "perl gmtest.pl" ( creates an animated gif from 4 images )

In VirtualBox, M6, MATE, 32-bit

Package(s) under test:
graphicsmagick perl-Graphics-Magick libgraphicsmagick3

default install of graphicsmagick perl-Graphics-Magick & libgraphicsmagick3

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.26-1.1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.26-1.1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi libgraphicsmagick3
Package libgraphicsmagick3-1.3.26-1.1.mga6.i586 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF
viewable in Firefox

install graphicsmagick perl-Graphics-Magick & libgraphicsmagick3 from updates_testing

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.26-1.3.mga6.i586 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.26-1.3.mga6.i586 is already installed
[root@localhost wilcal]# urpmi libgraphicsmagick3
Package libgraphicsmagick3-1.3.26-1.3.mga6.i586 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF
viewable in Firefox

CC: (none) => wilcal.int

William Kenney 2017-08-22 21:22:52 CEST

Whiteboard: MGA5TOO => MGA5TOO MGA6-32-OK

Comment 12 William Kenney 2017-08-22 22:37:08 CEST
In VirtualBox, M6, MATE, 64-bit

Package(s) under test:
graphicsmagick perl-Graphics-Magick lib64graphicsmagick3

default install of graphicsmagick perl-Graphics-Magick & lib64graphicsmagick3

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.26-1.1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.26-1.1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64graphicsmagick3
Package lib64graphicsmagick3-1.3.26-1.1.mga6.x86_64 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF
that is viewable in Firefox

install graphicsmagick perl-Graphics-Magick & lib64graphicsmagick3 from updates_testing

[root@localhost graphicsmagick_test]# urpmi graphicsmagick
Package graphicsmagick-1.3.26-1.3.mga6.x86_64 is already installed
[root@localhost graphicsmagick_test]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.26-1.3.mga6.x86_64 is already installed
[root@localhost graphicsmagick_test]# urpmi lib64graphicsmagick3
Package lib64graphicsmagick3-1.3.26-1.3.mga6.x86_64 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF
that is viewable in Firefox

Whiteboard: MGA5TOO MGA6-32-OK => MGA5TOO MGA6-32-OK MGA6-64-OK

Comment 13 William Kenney 2017-08-22 23:01:42 CEST
In VirtualBox, M6, KDE, 32-bit

Package(s) under test:
graphicsmagick perl-Graphics-Magick libgraphicsmagick3

default install of graphicsmagick perl-Graphics-Magick & libgraphicsmagick3

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.26-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.26-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libgraphicsmagick3
Package libgraphicsmagick3-1.3.26-1.1.mga5.i586 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF
that is viewable in Firefox

install graphicsmagick perl-Graphics-Magick & libgraphicsmagick3 from updates_testing

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.26-1.2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.26-1.2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libgraphicsmagick3
Package libgraphicsmagick3-1.3.26-1.2.mga5.i586 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF
viewable in Firefox

Whiteboard: MGA5TOO MGA6-32-OK MGA6-64-OK => MGA5TOO MGA6-32-OK MGA6-64-OK MGA5-32-OK

Comment 14 William Kenney 2017-08-22 23:22:09 CEST
1st line in Comment 13 s/b:

In VirtualBox, M5.1, KDE, 32-bit

Comment 15 William Kenney 2017-08-22 23:23:53 CEST
In VirtualBox, M5.1, KDE, 64-bit

Package(s) under test:
graphicsmagick perl-Graphics-Magick lib64graphicsmagick3

default install of graphicsmagick perl-Graphics-Magick & lib64graphicsmagick3

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.26-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.26-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64graphicsmagick3
Package lib64graphicsmagick3-1.3.26-1.1.mga5.x86_64 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF
that is viewable in Firefox

install graphicsmagick perl-Graphics-Magick & lib64graphicsmagick3 from updates_testing

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.26-1.2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.26-1.2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64graphicsmagick3
Package lib64graphicsmagick3-1.3.26-1.2.mga5.x86_64 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF
that is viewable in Firefox

Whiteboard: MGA5TOO MGA6-32-OK MGA6-64-OK MGA5-32-OK => MGA5TOO MGA6-32-OK MGA6-64-OK MGA5-32-OK MGA5-64-OK

Comment 16 William Kenney 2017-08-22 23:24:47 CEST
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 17 Len Lawrence 2017-08-23 00:54:32 CEST
GraphicsMagick utility tests
There are a lot of clever things that can be done with GM but let's just stay with the simple ones.

Animation:
$ gm animate duck*.gif
That displayed the moving duck - a series of 16 frames.

Create a thumbnail:
$ gm convert -size 100x100 saturn_cassini.jpg -resize 100x100 +profile "*" saturn.png
Too big?  Shrink it in place.
$ gm mogrify -resize 60% saturn.png

Inspect image files:
$ gm identify saturn_cassini.jpg
saturn_cassini.jpg JPEG 1024x1024+0+0 DirectClass 8-bit 54.1Ki 0.000u 0m:0.000001s
$ gm identify saturn.png
saturn.png PNG 60x60+0+0 DirectClass 8-bit 2.4Ki 0.000u 0m:0.000001s

Add a coloured border to an image:
$ gm convert -border 30x30 -bordercolor OliveDrab Enceladus_cross-section_1.jpg bordermoon.jpg

Flip image upside-down:
$ gm convert -flip bordermoon.jpg flipped.jpg

Create a montage from a set of images:
$ gm montage duck*.gif ducks.png

Tried display with various image formats; jpg, gif, png already confirmed.
ppm, bmp, pnm, jpc and targa all OK.
$ gm identify PIA13706_fig1.tif 
PIA13706_fig1.tif TIFF 8192x7051+0+0 DirectClass 8-bit 13.0Mi 0.000u 0m:0.000002s
$ gm display PIA13706_fig1.tif
No problem with that or an icon fatbot.tif.
$ gm convert -resize 40% PIA13706_fig1.tif mars_crater.tif
gm convert: mars_crater.tif: Invalid tag "BadFaxLines" (not supported by codec). (_TIFFVGetField).
$ gm display mars_crater.tif 
The resized image displayed fine.
$ gm convert -resize 40% mars_crater.tif SantaMaria.png
$ gm display SantaMaria.png 
Perfectly OK.
$ gm identify SantaMaria.png 
SantaMaria.png PNG 1311x1128+0+0 DirectClass 8-bit 932.1Ki 0.000u 0m:0.000002s
$ gm convert SantaMaria.png SantaMaria.tiff
gm convert: SantaMaria.tiff: Invalid tag "BadFaxLines" (not supported by codec). (_TIFFVGetField).
$ gm identify SantaMaria.tiff
SantaMaria.tiff TIFF 1311x1128+0+0 DirectClass 8-bit 1.0Mi 0.000u 0m:0.000002s
$ gm display SantaMaria.tiff
That looked fine as well.

So, no real problems, although I could not figure out how to annotate an image using -label, -font, -fill etc.

Without going any further I would say that GraphicsMagick is functional.
@Herman: you should go ahead and OK i586.

Oops - I see wilcal has preempted me.

Dave Hodgins 2017-08-23 02:53:01 CEST

CC: (none) => davidwhodgins
Whiteboard: MGA5TOO MGA6-32-OK MGA6-64-OK MGA5-32-OK MGA5-64-OK => MGA5TOO MGA6-32-OK MGA6-64-OK MGA5-32-OK MGA5-64-OK advisory

Comment 18 Mageia Robot 2017-08-23 17:43:48 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0297.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
