[ASA-201801-7] graphicsmagick: multiple issues
Santiago Torres-Arias
santiago at archlinux.org
Tue Jan 9 15:55:29 UTC 2018
Arch Linux Security Advisory ASA-201801-7
=========================================
Severity: High
Date : 2018-01-08
CVE-ID : CVE-2017-11403 CVE-2017-12935 CVE-2017-12936 CVE-2017-12937
CVE-2017-13063 CVE-2017-13064 CVE-2017-13065 CVE-2017-13066
CVE-2017-13134 CVE-2017-13776 CVE-2017-13777 CVE-2017-14165
CVE-2017-15930 CVE-2017-16547
Package : graphicsmagick
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-355
Summary
=======
The package graphicsmagick before version 1.3.27-1 is vulnerable to
multiple issues including arbitrary code execution and denial of
service.
Resolution
==========
Upgrade to 1.3.27-1.
# pacman -Syu "graphicsmagick>=1.3.27-1"
The problems have been fixed upstream in version 1.3.27.
Workaround
==========
None.
Description
===========
- CVE-2017-11403 (arbitrary code execution)
The ReadMNGImage function in coders/png.c in GraphicsMagick before
1.3.27 has an out-of-order CloseBlob call, resulting in a use-after-
free via a crafted file.
- CVE-2017-12935 (arbitrary code execution)
The ReadMNGImage function in coders/png.c in GraphicsMagick before
1.3.27 mishandles large MNG images, leading to an invalid memory read
in the SetImageColorCallBack function in magick/image.c.
- CVE-2017-12936 (arbitrary code execution)
The ReadWMFImage function in coders/wmf.c in GraphicsMagick before
1.3.27 has a use-after-free issue for data associated with exception
reporting.
- CVE-2017-12937 (arbitrary code execution)
The ReadSUNImage function in coders/sun.c in GraphicsMagick before
1.3.27 has a colormap heap-based buffer over-read.
- CVE-2017-13063 (arbitrary code execution)
A heap buffer overflow vulnerability was found in the function
GetStyleTokens in GraphicsMagick before 1.3.27, which allows attackers
to cause a denial of service, or possible remote code execution via a
crafted file.
- CVE-2017-13064 (arbitrary code execution)
A heap buffer overflow vulnerability was found in the function
GetStyleTokens in GraphicsMagick before 1.3.27, which allows attackers
to cause a denial of service or possible remote code execution via a
crafted file.
- CVE-2017-13065 (denial of service)
A null pointer dereference vulnerability was found in the function
SVGStartElement in GraphicsMagick before 1.3.27, which allows attackers
to cause a denial of service via a crafted file.
- CVE-2017-13066 (denial of service)
A memory leak vulnerability was found in the function CloneImage in
magick/image.c in GraphicsMagick before 1.3.27, which allows attackers
to cause a denial of service via a crafted file.
- CVE-2017-13134 (denial of service)
In ImageMagick 6.9.9.1, 7.0.6.7 and GraphicsMagick before 1.3.27, a
heap-based buffer over-read was found in the function SFWScan in
coders/sfw.c, which allows attackers to cause a denial of service via a
crafted file.
- CVE-2017-13776 (denial of service)
GraphicsMagick before 1.3.27 has a denial of service issue in
ReadXBMImage() in a coders/xbm.c "Read hex image data" version!=10 case
that results in the reader not returning; it would cause large amounts
of CPU and memory consumption although the crafted file itself does not
request it.
- CVE-2017-13777 (denial of service)
GraphicsMagick before 1.3.27 has a denial of service issue in
ReadXBMImage() in a coders/xbm.c "Read hex image data" version==10 case
that results in the reader not returning; it would cause large amounts
of CPU and memory consumption although the crafted file itself does not
request it.
- CVE-2017-14165 (denial of service)
The ReadSUNImage function in coders/sun.c in GraphicsMagick before
1.3.27 has an issue where memory allocation is excessive because it
depends only on a length field in a header. This may lead to remote
denial of service in the MagickMalloc function in magick/memory.c.
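The XBM entries (CVE-2017-13776/13777) and the SUN entry (CVE-2017-14165) above describe two reader defects of the same family: a loop that keeps consuming CPU and memory after the input has run out, and an allocation sized from a header length field alone. The following is an added illustration, not GraphicsMagick's code, of the checks a decoder applies against both: a toy reader for a made-up text bitmap format ("W H\n" followed by W*H pixels written as "0xNN", separated by commas or whitespace) that bounds the allocation by what the input can actually hold, rejects dimension products above a constructed policy limit (MAX_PIXELS), and fails on the first short read instead of spinning. The format, the limit and the sample inputs in main() are all constructed for this example.

```c
/* Added illustration, not code from GraphicsMagick: a toy reader for a
 * made-up text bitmap format ("W H\n" then W*H pixels as "0xNN").  It shows
 * the checks the XBM and SUN entries above call for: allocation is bounded by
 * the bytes the input actually carries, and a truncated file yields an error
 * instead of a reader that never returns. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on pixels per image; the value is a constructed policy limit. */
#define MAX_PIXELS (64UL * 1024UL * 1024UL)

/* In-memory cursor standing in for a blob handle. */
typedef struct {
    const char *data;
    size_t len;   /* total bytes available */
    size_t pos;   /* next unread byte */
} cursor_t;

static int hexval(char ch) {
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    if (ch >= 'A' && ch <= 'F') return ch - 'A' + 10;
    return -1;
}

static int is_sep(char ch) {
    return ch == ',' || ch == ' ' || ch == '\n' || ch == '\t';
}

/* Parse a decimal field ended by `term`; 0 on success, -1 on garbage or EOF.
   Values are capped at MAX_PIXELS while parsing so they can never overflow. */
static int read_decimal(cursor_t *c, char term, unsigned long *out) {
    unsigned long v = 0;
    size_t start = c->pos;
    while (c->pos < c->len && c->data[c->pos] >= '0' && c->data[c->pos] <= '9') {
        unsigned long d = (unsigned long)(c->data[c->pos] - '0');
        if (v > (MAX_PIXELS - d) / 10) return -1;   /* larger than any sane size */
        v = v * 10 + d;
        c->pos++;
    }
    if (c->pos == start || c->pos >= c->len || c->data[c->pos] != term) return -1;
    c->pos++;   /* consume terminator */
    *out = v;
    return 0;
}

/* Read one "0xNN" token after skipping separators; -1 on EOF or a bad token,
   which is what terminates the pixel loop on a truncated file. */
static int read_hex_byte(cursor_t *c, unsigned char *out) {
    const char *p;
    int hi, lo;
    while (c->pos < c->len && is_sep(c->data[c->pos]))
        c->pos++;
    if (c->len - c->pos < 4) return -1;   /* not even room for "0xNN" */
    p = c->data + c->pos;
    if (p[0] != '0' || (p[1] != 'x' && p[1] != 'X')) return -1;
    hi = hexval(p[2]);
    lo = hexval(p[3]);
    if (hi < 0 || lo < 0) return -1;
    *out = (unsigned char)(hi * 16 + lo);
    c->pos += 4;
    return 0;
}

/* Parse a NUL-terminated image text.  On success returns a malloc'd W*H pixel
   buffer (caller frees) and clears *err; on failure returns NULL and points
   *err at a static description of the check that fired. */
unsigned char *read_bitmap(const char *text, unsigned long *out_w,
                           unsigned long *out_h, const char **err) {
    cursor_t c = { text, strlen(text), 0 };
    unsigned long w, h;
    size_t npix, remaining, i;
    unsigned char *pix;

    if (read_decimal(&c, ' ', &w) != 0 || read_decimal(&c, '\n', &h) != 0) {
        *err = "bad header"; return NULL;
    }
    /* Check 1: non-zero dimensions with a bounded product, tested by division
       so that w*h cannot overflow before it is compared. */
    if (w == 0 || h == 0 || w > MAX_PIXELS / h) {
        *err = "dimensions out of range"; return NULL;
    }
    npix = (size_t)w * (size_t)h;
    /* Check 2: each pixel costs at least 4 input bytes ("0xNN"), so a header
       promising more pixels than the blob can carry is refused before any
       allocation, instead of trusting the length field alone. */
    remaining = c.len - c.pos;
    if (remaining / 4 < npix) {
        *err = "declared size exceeds input"; return NULL;
    }
    pix = malloc(npix);
    if (pix == NULL) { *err = "out of memory"; return NULL; }
    /* Check 3: stop with an error on the first short read; never loop waiting
       for data the blob does not contain. */
    for (i = 0; i < npix; i++) {
        if (read_hex_byte(&c, &pix[i]) != 0) {
            free(pix); *err = "truncated pixel data"; return NULL;
        }
    }
    *out_w = w; *out_h = h; *err = NULL;
    return pix;
}

int main(void) {
    /* Constructed inputs: one well-formed image and three hostile ones. */
    const char *samples[] = {
        "2 2\n0x01,0x02,0x03,0x04\n",
        "1000000 1000000\n0x00\n",
        "4 4\n0x00\n",
        "2 1\n0x01,0x0\n",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long w, h;
        const char *err;
        unsigned char *pix = read_bitmap(samples[i], &w, &h, &err);
        if (pix) { printf("sample %zu: %lux%lu pixels ok\n", i, w, h); free(pix); }
        else printf("sample %zu: rejected (%s)\n", i, err);
    }
    return 0;
}
```

The second check is the one that matters for CVE-2017-14165-style bugs: a reader that knows the total input size can derive a hard ceiling on any header-declared count before calling malloc, and the same cursor that enforces it gives the pixel loop a definite end, so a truncated XBM-style hex stream fails fast rather than burning CPU.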
- CVE-2017-15930 (denial of service)
In ReadOneJNGImage in coders/png.c in GraphicsMagick before 1.3.27, a
null pointer dereference occurs while transferring JPEG scanlines,
related to a PixelPacket pointer.
- CVE-2017-16547 (denial of service)
The DrawImage function in magick/render.c in GraphicsMagick before
1.3.27 does not properly look for pop keywords that are associated with
push keywords, which allows remote attackers to cause a denial of
service (negative strncpy and application crash) or possibly have
unspecified other impact via a crafted file.
Impact
======
A remote attacker is able to read sensitive information, crash the
application or execute arbitrary code on the host by providing a
maliciously-crafted input to GraphicsMagick's convert.
References
==========
https://blogs.gentoo.org/ago/2017/07/12/graphicsmagick-use-after-free-in-closeblob-blob-c/
http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37
https://marc.info/?l=oss-security&m=150306448426399
https://blogs.gentoo.org/ago/2017/08/05/graphicsmagick-invalid-memory-read-in-setimagecolorcallback-image-c/
http://hg.code.sf.net/p/graphicsmagick/code/rev/cd699a44f188
http://www.openwall.com/lists/oss-security/2017/08/18/3
https://blogs.gentoo.org/ago/2017/08/05/graphicsmagick-use-after-free-in-readwmfimage-wmf-c/
http://hg.code.sf.net/p/graphicsmagick/code/rev/be898b7c97bd
https://blogs.gentoo.org/ago/2017/08/05/graphicsmagick-heap-based-buffer-overflow-in-readsunimage-sun-c/
http://hg.code.sf.net/p/graphicsmagick/code/rev/95d00d55e978
http://seclists.org/oss-sec/2017/q3/325
https://sourceforge.net/p/graphicsmagick/bugs/434/
http://hg.code.sf.net/p/graphicsmagick/code/rev/54f48ab2d52a
https://sourceforge.net/p/graphicsmagick/bugs/436/
https://sourceforge.net/p/graphicsmagick/bugs/435/
https://sourceforge.net/p/graphicsmagick/bugs/430/
http://www.securityfocus.com/bid/100463
https://github.com/ImageMagick/ImageMagick/issues/670
https://github.com/ImageMagick/ImageMagick/commit/5304ae14655a67b9a3db00563fe44d9abd6de4f0
http://hg.code.sf.net/p/graphicsmagick/code/rev/1b47e0078e05
http://openwall.com/lists/oss-security/2017/08/31/2
http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5e
http://openwall.com/lists/oss-security/2017/08/31/1
https://blogs.gentoo.org/ago/2017/09/06/graphicsmagick-memory-allocation-failure-in-magickmalloc-memory-c-2/
http://hg.code.sf.net/p/graphicsmagick/code/rev/493da54370aa
https://sourceforge.net/p/graphicsmagick/bugs/518/
http://hg.code.sf.net/p/graphicsmagick/code/rev/da135eaedc3b
http://hg.code.sf.net/p/graphicsmagick/code/rev/6fc54b6d2be8
https://sourceforge.net/p/graphicsmagick/bugs/517/
http://hg.code.sf.net/p/graphicsmagick/code/rev/785758bbbfcc
https://security.archlinux.org/CVE-2017-11403
https://security.archlinux.org/CVE-2017-12935
https://security.archlinux.org/CVE-2017-12936
https://security.archlinux.org/CVE-2017-12937
https://security.archlinux.org/CVE-2017-13063
https://security.archlinux.org/CVE-2017-13064
https://security.archlinux.org/CVE-2017-13065
https://security.archlinux.org/CVE-2017-13066
https://security.archlinux.org/CVE-2017-13134
https://security.archlinux.org/CVE-2017-13776
https://security.archlinux.org/CVE-2017-13777
https://security.archlinux.org/CVE-2017-14165
https://security.archlinux.org/CVE-2017-15930
https://security.archlinux.org/CVE-2017-16547