[Pkg-gmagick-im-team] Bug#878544: imagemagick: CVE-2017-14528

Salvatore Bonaccorso carnil at debian.org
Sat Oct 14 13:08:28 UTC 2017


Source: imagemagick
Version: 8:6.9.7.4+dfsg-11
Severity: important
Tags: security upstream
Forwarded: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32560

Hi,

the following vulnerability was published for imagemagick.

CVE-2017-14528[0]:
| The TIFFSetProfiles function in coders/tiff.c in ImageMagick 7.0.6 has
| incorrect expectations about whether LibTIFF TIFFGetField return values
| imply that data validation has occurred, which allows remote attackers
| to cause a denial of service (use-after-free after an invalid call to
| TIFFSetField, and application crash) via a crafted file.

According to [2] this is something which should be handled on the
imagemagick side. With the current unstable version (8:6.9.7.4+dfsg-16)
under valgrind:

==2853== Memcheck, a memory error detector
==2853== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2853== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==2853== Command: convert 810.tif /dev/null
==2853==
==2853== Invalid read of size 8
==2853==    at 0x4C30180: memcpy at GLIBC_2.2.5 (vg_replace_strmem.c:1021)
==2853==    by 0x9881CF4: _TIFFVSetField (tif_dir.c:627)
==2853==    by 0x98832D3: TIFFSetField (tif_dir.c:798)
==2853==    by 0x966300E: TIFFSetProfiles (tiff.c:2972)
==2853==    by 0x966300E: WriteTIFFImage (tiff.c:3670)
==2853==    by 0x4EC6F1B: WriteImage (constitute.c:1193)
==2853==    by 0x4EC7861: WriteImages (constitute.c:1342)
==2853==    by 0x53451A5: ConvertImageCommand (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x53B121D: MagickCommandGenesis (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x108918: ConvertMain (convert.c:81)
==2853==    by 0x108918: main (convert.c:92)
==2853==  Address 0x9377f90 is 0 bytes inside a block of size 7,640 free'd
==2853==    at 0x4C2DE0F: realloc (vg_replace_malloc.c:785)
==2853==    by 0x4F70ECF: ResizeMagickMemory (memory.c:1190)
==2853==    by 0x4E8FA92: SeekBlob (blob.c:4027)
==2853==    by 0x966BE35: ReadPSDChannel (psd.c:1336)
==2853==    by 0x966BE35: ReadPSDLayer (psd.c:1406)
==2853==    by 0x966F657: ReadPSDLayers (psd.c:1770)
==2853==    by 0x96686B7: TIFFReadPhotoshopLayers (tiff.c:1070)
==2853==    by 0x96686B7: ReadTIFFImage (tiff.c:2128)
==2853==    by 0x4EC59B7: ReadImage (constitute.c:551)
==2853==    by 0x4EC6A8A: ReadImages (constitute.c:860)
==2853==    by 0x5343515: ConvertImageCommand (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x53B121D: MagickCommandGenesis (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x108918: ConvertMain (convert.c:81)
==2853==    by 0x108918: main (convert.c:92)
==2853==  Block was alloc'd at
==2853==    at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==2853==    by 0x4FF2220: AcquireStringInfo (string.c:179)
==2853==    by 0x4FF22A7: CloneStringInfo (string.c:327)
==2853==    by 0x4F9897B: SetImageProfileInternal (profile.c:1655)
==2853==    by 0x9664DCE: ReadProfile (tiff.c:530)
==2853==    by 0x9665B9E: TIFFGetProfiles (tiff.c:614)
==2853==    by 0x9665B9E: ReadTIFFImage (tiff.c:1342)
==2853==    by 0x4EC59B7: ReadImage (constitute.c:551)
==2853==    by 0x4EC6A8A: ReadImages (constitute.c:860)
==2853==    by 0x5343515: ConvertImageCommand (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x53B121D: MagickCommandGenesis (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x108918: ConvertMain (convert.c:81)
==2853==    by 0x108918: main (convert.c:92)
==2853==
==2853== Invalid read of size 8
==2853==    at 0x4C3018E: memcpy at GLIBC_2.2.5 (vg_replace_strmem.c:1021)
==2853==    by 0x9881CF4: _TIFFVSetField (tif_dir.c:627)
==2853==    by 0x98832D3: TIFFSetField (tif_dir.c:798)
==2853==    by 0x966300E: TIFFSetProfiles (tiff.c:2972)
==2853==    by 0x966300E: WriteTIFFImage (tiff.c:3670)
==2853==    by 0x4EC6F1B: WriteImage (constitute.c:1193)
==2853==    by 0x4EC7861: WriteImages (constitute.c:1342)
==2853==    by 0x53451A5: ConvertImageCommand (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x53B121D: MagickCommandGenesis (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x108918: ConvertMain (convert.c:81)
==2853==    by 0x108918: main (convert.c:92)
==2853==  Address 0x9377fa0 is 16 bytes inside a block of size 7,640 free'd
==2853==    at 0x4C2DE0F: realloc (vg_replace_malloc.c:785)
==2853==    by 0x4F70ECF: ResizeMagickMemory (memory.c:1190)
==2853==    by 0x4E8FA92: SeekBlob (blob.c:4027)
==2853==    by 0x966BE35: ReadPSDChannel (psd.c:1336)
==2853==    by 0x966BE35: ReadPSDLayer (psd.c:1406)
==2853==    by 0x966F657: ReadPSDLayers (psd.c:1770)
==2853==    by 0x96686B7: TIFFReadPhotoshopLayers (tiff.c:1070)
==2853==    by 0x96686B7: ReadTIFFImage (tiff.c:2128)
==2853==    by 0x4EC59B7: ReadImage (constitute.c:551)
==2853==    by 0x4EC6A8A: ReadImages (constitute.c:860)
==2853==    by 0x5343515: ConvertImageCommand (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x53B121D: MagickCommandGenesis (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x108918: ConvertMain (convert.c:81)
==2853==    by 0x108918: main (convert.c:92)
==2853==  Block was alloc'd at
==2853==    at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==2853==    by 0x4FF2220: AcquireStringInfo (string.c:179)
==2853==    by 0x4FF22A7: CloneStringInfo (string.c:327)
==2853==    by 0x4F9897B: SetImageProfileInternal (profile.c:1655)
==2853==    by 0x9664DCE: ReadProfile (tiff.c:530)
==2853==    by 0x9665B9E: TIFFGetProfiles (tiff.c:614)
==2853==    by 0x9665B9E: ReadTIFFImage (tiff.c:1342)
==2853==    by 0x4EC59B7: ReadImage (constitute.c:551)
==2853==    by 0x4EC6A8A: ReadImages (constitute.c:860)
==2853==    by 0x5343515: ConvertImageCommand (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x53B121D: MagickCommandGenesis (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x108918: ConvertMain (convert.c:81)
==2853==    by 0x108918: main (convert.c:92)
==2853==
==2853== Invalid free() / delete / delete[] / realloc()
==2853==    at 0x4C2CE1B: free (vg_replace_malloc.c:530)
==2853==    by 0x4F70AAE: RelinquishMagickMemory (memory.c:1003)
==2853==    by 0x4FF2967: DestroyStringInfo (string.c:839)
==2853==    by 0x4FE2453: DestroySplayTree (splay-tree.c:710)
==2853==    by 0x4F98684: DestroyImageProfiles (profile.c:212)
==2853==    by 0x4F5A2C0: DestroyImage (image.c:1209)
==2853==    by 0x4F674F7: DestroyImageList (list.c:450)
==2853==    by 0x5345206: ConvertImageCommand (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x53B121D: MagickCommandGenesis (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x108918: ConvertMain (convert.c:81)
==2853==    by 0x108918: main (convert.c:92)
==2853==  Address 0x9377f90 is 0 bytes inside a block of size 7,640 free'd
==2853==    at 0x4C2DE0F: realloc (vg_replace_malloc.c:785)
==2853==    by 0x4F70ECF: ResizeMagickMemory (memory.c:1190)
==2853==    by 0x4E8FA92: SeekBlob (blob.c:4027)
==2853==    by 0x966BE35: ReadPSDChannel (psd.c:1336)
==2853==    by 0x966BE35: ReadPSDLayer (psd.c:1406)
==2853==    by 0x966F657: ReadPSDLayers (psd.c:1770)
==2853==    by 0x96686B7: TIFFReadPhotoshopLayers (tiff.c:1070)
==2853==    by 0x96686B7: ReadTIFFImage (tiff.c:2128)
==2853==    by 0x4EC59B7: ReadImage (constitute.c:551)
==2853==    by 0x4EC6A8A: ReadImages (constitute.c:860)
==2853==    by 0x5343515: ConvertImageCommand (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x53B121D: MagickCommandGenesis (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x108918: ConvertMain (convert.c:81)
==2853==    by 0x108918: main (convert.c:92)
==2853==  Block was alloc'd at
==2853==    at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==2853==    by 0x4FF2220: AcquireStringInfo (string.c:179)
==2853==    by 0x4FF22A7: CloneStringInfo (string.c:327)
==2853==    by 0x4F9897B: SetImageProfileInternal (profile.c:1655)
==2853==    by 0x9664DCE: ReadProfile (tiff.c:530)
==2853==    by 0x9665B9E: TIFFGetProfiles (tiff.c:614)
==2853==    by 0x9665B9E: ReadTIFFImage (tiff.c:1342)
==2853==    by 0x4EC59B7: ReadImage (constitute.c:551)
==2853==    by 0x4EC6A8A: ReadImages (constitute.c:860)
==2853==    by 0x5343515: ConvertImageCommand (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x53B121D: MagickCommandGenesis (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x108918: ConvertMain (convert.c:81)
==2853==    by 0x108918: main (convert.c:92)
==2853==
convert-im6.q16: Incorrect value for "ICC Profile"; tag ignored. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/912.
convert-im6.q16: unable to decompress image `810.tif' @ error/psd.c/ReadPSDChannel/1342.
==2853==
==2853== HEAP SUMMARY:
==2853==     in use at exit: 88,061 bytes in 17 blocks
==2853==   total heap usage: 5,591 allocs, 5,575 frees, 1,213,310 bytes allocated
==2853==
==2853== LEAK SUMMARY:
==2853==    definitely lost: 69,121 bytes in 1 blocks
==2853==    indirectly lost: 0 bytes in 0 blocks
==2853==      possibly lost: 0 bytes in 0 blocks
==2853==    still reachable: 18,940 bytes in 16 blocks
==2853==         suppressed: 0 bytes in 0 blocks
==2853== Rerun with --leak-check=full to see details of leaked memory
==2853==
==2853== For counts of detected and suppressed errors, rerun with: -v
==2853== ERROR SUMMARY: 444 errors from 3 contexts (suppressed: 0 from 0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14528
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14528
[1] https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32560
[2] http://bugzilla.maptools.org/show_bug.cgi?id=2730

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
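The three Valgrind contexts above tell one story: the block is allocated as a profile during the read (AcquireStringInfo via SetImageProfileInternal from TIFFGetProfiles), freed by a realloc under SeekBlob while the Photoshop layer data embedded in the TIFF is being decoded as PSD (TIFFReadPhotoshopLayers), then read again by TIFFSetProfiles when the image is written out, and finally freed a second time by DestroyImageProfiles. That is the signature of a buffer with two owners: the profile tree and a memory-backed blob that was pointed at the same bytes without a copy, so growing the blob past its end invalidates the profile. The following is an added illustration of that ownership pattern and one hardening (copy-on-write growth); it is not ImageMagick's code, the type and function names are hypothetical stand-ins, the "8BIM" sample bytes are constructed, and the copy-on-write approach is one possible fix, not a description of the upstream patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model only: NOT ImageMagick's real StringInfo/blob types or
 * functions. Names are hypothetical stand-ins mirroring the roles that are
 * visible in the Valgrind trace. */

/* Profile bytes stored in the image's profile tree (the block that
 * AcquireStringInfo/CloneStringInfo allocate in the trace). */
typedef struct {
    unsigned char *datum;
    size_t length;
} ProfileInfo;

/* A memory-backed blob that a nested decoder (the PSD layer reader in the
 * trace) reads from. 'owns' records whether 'data' may be realloc'd/freed. */
typedef struct {
    unsigned char *data;
    size_t length;
    size_t offset;
    int owns;
} MemBlob;

ProfileInfo *profile_acquire(const unsigned char *src, size_t len) {
    ProfileInfo *p = malloc(sizeof *p);
    if (!p) return NULL;
    p->datum = malloc(len ? len : 1);
    if (!p->datum) { free(p); return NULL; }
    memcpy(p->datum, src, len);
    p->length = len;
    return p;
}

void profile_destroy(ProfileInfo *p) {
    if (!p) return;
    free(p->datum);
    free(p);
}

/* Attach the profile bytes to the blob WITHOUT copying: cheap, but the
 * buffer now has two owners. This is the shape of the bug in the trace. */
void blob_attach_alias(MemBlob *b, ProfileInfo *p) {
    b->data = p->datum;
    b->length = p->length;
    b->offset = 0;
    b->owns = 0;
}

/* Does the blob still point into the profile's storage? If so, any realloc
 * or free through the blob invalidates the profile (UAF, then double free). */
int blob_aliases_profile(const MemBlob *b, const ProfileInfo *p) {
    return b->data == p->datum;
}

/* Vulnerable growth path: seeking past the end reallocs the backing store
 * regardless of ownership. On an aliased blob this frees p->datum while the
 * profile tree still references it (SeekBlob -> ResizeMagickMemory ->
 * realloc in the trace). Shown for contrast; never call it on an alias. */
int blob_seek_unsafe(MemBlob *b, size_t offset) {
    if (offset > b->length) {
        unsigned char *n = realloc(b->data, offset);
        if (!n) return -1;
        b->data = n;
        b->length = offset;
    }
    b->offset = offset;
    return 0;
}

/* Hardened growth path: copy-on-write. A blob that does not own its bytes
 * takes a private copy before growing, so the profile buffer is untouched. */
int blob_seek(MemBlob *b, size_t offset) {
    if (offset > b->length) {
        unsigned char *n;
        if (b->owns) {
            n = realloc(b->data, offset);
            if (!n) return -1;
        } else {
            n = malloc(offset);
            if (!n) return -1;
            memcpy(n, b->data, b->length);
            b->owns = 1;
        }
        memset(n + b->length, 0, offset - b->length);
        b->data = n;
        b->length = offset;
    }
    b->offset = offset;
    return 0;
}

void blob_detach(MemBlob *b) {
    if (b->owns) free(b->data);
    b->data = NULL;
    b->length = b->offset = 0;
    b->owns = 0;
}

/* Constructed sample: a tiny fake "8BIM" profile, then a seek far past its
 * end, as a malformed nested PSD layer would request. Returns 1 when the
 * profile survives intact and the blob no longer aliases it. */
int demo_profile_survives_seek(void) {
    static const unsigned char sample[] = "8BIM\x04\x04\x00\x00 sample";
    ProfileInfo *p = profile_acquire(sample, sizeof sample - 1);
    MemBlob b;
    int ok;
    if (!p) return 0;
    blob_attach_alias(&b, p);
    ok = blob_aliases_profile(&b, p);          /* 1: the dangerous state */
    if (blob_seek(&b, 7640) != 0) { profile_destroy(p); return 0; }
    ok = ok && !blob_aliases_profile(&b, p)    /* blob took its own copy */
            && b.length == 7640
            && p->length == sizeof sample - 1
            && memcmp(p->datum, sample, p->length) == 0;
    blob_detach(&b);
    profile_destroy(p);                        /* single free, no UAF */
    return ok;
}

int main(void) {
    printf("profile intact after seek: %s\n",
           demo_profile_survives_seek() ? "yes" : "no");
    return 0;
}
```

The check a practitioner wants is `blob_aliases_profile()`: asserting it is false before any growth or free through the blob would have turned the silent realloc into an immediate, reproducible failure, which is also why the 7,640-byte block shows up in the trace as freed by `realloc` rather than by `free`.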


