Bug 1000399 - (CVE-2016-7529) VUL-0: CVE-2016-7529: ImageMagick: out of bound in quantum handling
Status: RESOLVED FIXED
Duplicates: CVE-2016-7530
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Victor Pereira
Security Team bot
https://smash.suse.de/issue/172862/
CVSSv2:RedHat:CVE-2016-7529:4.3:(AV:N...
Reported: 2016-09-22 11:01 UTC by Victor Pereira
Modified: 2017-08-30 10:11 UTC
Found By: Security Response Team
Description Victor Pereira 2016-09-22 11:01:47 UTC
CVE-2016-7529

This bug was found while fuzzing ImageMagick with afl-fuzz

Tested on ImageMagick git commit 8bc3ab67d818204fe5f0fe1dc29b873d37360461

Command: magick id:000081,sig:06,src:000075,op:havoc,rep:16 /dev/null

References:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1539053
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7529
http://seclists.org/oss-sec/2016/q3/590
https://github.com/ImageMagick/ImageMagick/commit/3ab016764c7f787829d9065440d86f5609765110
Comment 1 Swamp Workflow Management 2016-09-22 22:01:42 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-09-26 10:47:04 UTC
(In reply to Victor Pereira from comment #0)
> Command: magick id:000081,sig:06,src:000075,op:havoc,rep:16 /dev/null

Note that there is no 'magick' command.
Comment 3 Petr Gajdos 2016-09-26 10:50:04 UTC
(In reply to Victor Pereira from comment #0)
> https://github.com/ImageMagick/ImageMagick/commit/
> 3ab016764c7f787829d9065440d86f5609765110
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This does not seem to be the correct commit. The following looks better:

https://github.com/ImageMagick/ImageMagick/commit/a2e1064f288a353bc5fef7f79ccb7683759e775c

Am I right?
Comment 5 Petr Gajdos 2016-09-26 11:33:58 UTC
For 13.2/ImageMagick and 12/ImageMagick I can demonstrate with:

$ convert id:000081,sig:06,src:000075,op:havoc,rep:16 /dev/null
convert: magick/quantum.c:267: DestroyQuantumPixels: Assertion `quantum_info->pixels[i][extent] == 0xab' failed.
Aborted (core dumped)
$

11/ImageMagick does not recognize the image format.

11/GraphicsMagick reports 'gm convert: Improper image header (test).'.

13.2/GraphicsMagick and 42.1/GraphicsMagick report valgrind errors.
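The abort in comment 5 comes from a guard-byte check: ImageMagick over-allocates each quantum pixel buffer, plants the value 0xab just past the usable range, and asserts at teardown that the byte is still 0xab, which turns a silent one-byte heap overrun into a visible failure. The following is an added example of that detection pattern written for this page; it is not ImageMagick's code, and the type, function names and the 16-byte sample input are the example's own assumptions.

```c
/* Added example (not ImageMagick code): guard-byte detection of a heap
 * overrun in the style of the DestroyQuantumPixels assertion. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_BYTE 0xab   /* the sentinel value the assertion in comment 5 checks */

typedef struct {
    size_t rows;            /* number of row buffers (one per thread in ImageMagick) */
    size_t extent;          /* usable bytes per buffer; byte [extent] is the guard */
    unsigned char **pixels;
} quantum_buffers_t;

/* Frees the buffers and returns how many guard bytes were found clobbered.
 * ImageMagick asserts on this condition; a count lets the caller log instead. */
size_t destroy_quantum_buffers(quantum_buffers_t *q)
{
    size_t clobbered = 0;
    if (q == NULL)
        return 0;
    if (q->pixels != NULL) {
        for (size_t i = 0; i < q->rows; i++) {
            if (q->pixels[i] == NULL)
                continue;
            if (q->pixels[i][q->extent] != GUARD_BYTE)
                clobbered++;
            free(q->pixels[i]);
        }
        free(q->pixels);
    }
    free(q);
    return clobbered;
}

/* Over-allocates each buffer by one byte and plants the guard after the usable range. */
quantum_buffers_t *acquire_quantum_buffers(size_t rows, size_t extent)
{
    quantum_buffers_t *q = calloc(1, sizeof *q);
    if (q == NULL)
        return NULL;
    q->rows = rows;
    q->extent = extent;
    q->pixels = calloc(rows, sizeof *q->pixels);
    if (q->pixels == NULL) {
        free(q);
        return NULL;
    }
    for (size_t i = 0; i < rows; i++) {
        q->pixels[i] = malloc(extent + 1);
        if (q->pixels[i] == NULL) {
            destroy_quantum_buffers(q);
            return NULL;
        }
        memset(q->pixels[i], 0, extent);
        q->pixels[i][extent] = GUARD_BYTE;
    }
    return q;
}

/* Bounds-checked writer: refuses any write that would reach past `extent`. */
bool quantum_write(quantum_buffers_t *q, size_t row, size_t offset,
                   const unsigned char *src, size_t len)
{
    if (q == NULL || row >= q->rows || offset > q->extent || len > q->extent - offset)
        return false;
    memcpy(q->pixels[row] + offset, src, len);
    return true;
}

/* Constructed scenario: a caller copies one byte more than `extent` without a
 * bounds check, the class of bug the assertion catches. The write lands on the
 * guard byte inside the over-allocated region, and the destructor reports it. */
size_t demo_unchecked_overrun(void)
{
    unsigned char sample[17];
    memset(sample, 0x11, sizeof sample);            /* constructed pixel data */
    quantum_buffers_t *q = acquire_quantum_buffers(2, 16);
    if (q == NULL)
        return (size_t)-1;
    memcpy(q->pixels[0], sample, sizeof sample);    /* 17 bytes into a 16-byte extent */
    return destroy_quantum_buffers(q);              /* 1: row 0's guard was overwritten */
}

/* Same data through the checked writer: the oversize copy is rejected and both guards survive. */
size_t demo_checked_write(void)
{
    unsigned char sample[17];
    memset(sample, 0x11, sizeof sample);
    quantum_buffers_t *q = acquire_quantum_buffers(2, 16);
    if (q == NULL)
        return (size_t)-1;
    bool accepted = quantum_write(q, 0, 0, sample, sizeof sample);   /* false */
    size_t clobbered = destroy_quantum_buffers(q);
    return accepted ? (size_t)-1 : clobbered;                         /* 0 */
}
```

A guard byte only catches overruns that stop within the padding, which is why the valgrind and AddressSanitizer reports on this page are the stronger evidence: they flag the out-of-bounds access at the moment it happens rather than at teardown.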
Comment 6 Petr Gajdos 2016-09-26 12:35:19 UTC
This report is bogus. From oss-security:

-----------------------8<------------------
    out of bound access in xcf file coder:
          Debian Bug: https://bugs.debian.org/832504
          Additional references:
          ----------------------
          https://bugs.launchpad.net/bugs/1539051
          https://bugs.launchpad.net/bugs/1539052
          https://github.com/ImageMagick/ImageMagick/issues/104
          https://github.com/ImageMagick/ImageMagick/issues/103
          https://github.com/ImageMagick/ImageMagick/commit/a2e1064f288a353bc5fef7f79ccb7683759e775c
    AddressSanitizer: heap-buffer-overflow
    READ of size 1


Use CVE-2016-7529. 
----------------------->8-------------------

Comment 0 of this bug, including its links, points to another problem.
Comment 7 Petr Gajdos 2016-09-26 12:44:18 UTC
If I am not mistaken, correct testcases for CVE-2016-7529 can be found in
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1539051
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1539052
Comment 8 Petr Gajdos 2016-09-26 14:49:04 UTC
valgrind errors seem to be present even after patching (probably another bug is manifesting), so I am not sure how to demonstrate the problem with the testcases.

The code seems to be everywhere, so I am considering all GM and IM versions affected.
Comment 9 Petr Gajdos 2016-09-26 14:49:38 UTC
(even subject is wrong, obviously)
Comment 10 Petr Gajdos 2016-09-27 06:18:23 UTC
*** Bug 1000703 has been marked as a duplicate of this bug. ***
Comment 11 Petr Gajdos 2016-09-27 07:21:39 UTC
Now CVE-2016-7530, aka 'out of bound in quantum handling'.

For testcase see comment 4, result of it before is in comment 5.

From oss-sec:

------------------------8<-----------------
    out of bound in quantum handling:
          Debian Bug: https://bugs.debian.org/832506
          Additional references:
          ----------------------
          https://bugs.launchpad.net/bugs/1539067
          https://bugs.launchpad.net/bugs/1539053
          https://github.com/ImageMagick/ImageMagick/issues/105
          https://github.com/ImageMagick/ImageMagick/commit/63346f34f9d19179599b5b256e5e8d3dda46435c
          https://github.com/ImageMagick/ImageMagick/commit/c4e63ad30bc42da691f2b5f82a24516dd6b4dc70
          https://github.com/ImageMagick/ImageMagick/issues/110
          https://github.com/ImageMagick/ImageMagick/commit/b5ed738f8060266bf4ae521f7e3ed145aa4498a3
    AddressSanitizer: heap-buffer-overflow
    WRITE of size 1


Use CVE-2016-7530.

--------------------------->8----------------
Comment 12 Petr Gajdos 2016-09-27 09:05:29 UTC
(In reply to Petr Gajdos from comment #5)
> For 13.2/ImageMagick and 12/ImageMagick I can demonstrate with:
> 
> $ convert id:000081,sig:06,src:000075,op:havoc,rep:16 /dev/null
> convert: magick/quantum.c:267: DestroyQuantumPixels: Assertion
> `quantum_info->pixels[i][extent] == 0xab' failed.
> Aborted (core dumped)
> $

For 13.2/ImageMagick and 12/ImageMagick this went away:

$ convert *16 /dev/null
$

Memory errors remained. 

> 11/ImageMagick does not recognize the image format.
> 
> 11/GraphicsMagick reports 'gm convert: Improper image header (test).'.
> 
> 13.2/GraphicsMagick and 42.1/GraphicsMagick report valgrind errors.

Memory errors do not seem to be a good measure; the code looks different. Considering these unaffected.
Comment 13 Petr Gajdos 2016-09-27 09:36:12 UTC
(In reply to Petr Gajdos from comment #12)
> (In reply to Petr Gajdos from comment #5)
> Memory errors remained. 
> 
> > 11/ImageMagick does not recognize the image format.
> > 
> > 11/GraphicsMagick reports 'gm convert: Improper image header (test).'.
> > 
> > 13.2/GraphicsMagick and 42.1/GraphicsMagick report valgrind errors.
> 
> Memory errors seem to be not good measure, the code looks differently.
> Considering these unaffected.

Actually, 11/ImageMagick/SetQuantumDepth() code looks similar. Considering partially affected, too.
Comment 14 Bernhard Wiedemann 2016-10-13 14:00:34 UTC
This is an autogenerated message for OBS integration:
This bug (1000399) was mentioned in
https://build.opensuse.org/request/show/434745 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/434746 13.2 / ImageMagick
https://build.opensuse.org/request/show/434747 42.1 / GraphicsMagick
Comment 17 Bernhard Wiedemann 2016-10-18 14:01:33 UTC
This is an autogenerated message for OBS integration:
This bug (1000399) was mentioned in
https://build.opensuse.org/request/show/435916 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/435917 13.2 / ImageMagick
https://build.opensuse.org/request/show/435919 42.1 / GraphicsMagick
Comment 19 Bernhard Wiedemann 2016-10-20 10:01:43 UTC
This is an autogenerated message for OBS integration:
This bug (1000399) was mentioned in
https://build.opensuse.org/request/show/436494 13.2 / ImageMagick
Comment 20 Swamp Workflow Management 2016-10-26 12:06:38 UTC
openSUSE-SU-2016:2641-1: An update that fixes 28 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1000399,1000434,1000436,1000689,1000690,1000691,1000692,1000693,1000695,1000698,1000700,1000702,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,985442,999673
CVE References: CVE-2015-8957,CVE-2015-8958,CVE-2016-5688,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE 13.2 (src):    GraphicsMagick-1.3.20-12.1
Comment 21 Swamp Workflow Management 2016-10-26 12:16:12 UTC
openSUSE-SU-2016:2644-1: An update that fixes 23 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1000399,1000434,1000689,1000693,1000695,1000698,1000700,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,999673
CVE References: CVE-2016-5688,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE Leap 42.1 (src):    GraphicsMagick-1.3.21-14.1
Comment 22 Swamp Workflow Management 2016-10-28 16:07:43 UTC
SUSE-SU-2016:2667-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000702,1000703,1000704,1000706,1000707,1000708,1000709,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-40.1
Comment 23 Swamp Workflow Management 2016-10-28 19:06:39 UTC
openSUSE-SU-2016:2671-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000703,1000704,1000706,1000707,1000708,1000709,1000710,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7536,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE 13.2 (src):    ImageMagick-6.8.9.8-34.1
Comment 24 Swamp Workflow Management 2016-11-04 14:07:40 UTC
SUSE-SU-2016:2724-1: An update that fixes 26 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1000399,1000434,1000436,1000689,1000690,1000691,1000692,1000693,1000695,1000698,1000700,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,999673
CVE References: CVE-2015-8957,CVE-2015-8958,CVE-2016-6823,CVE-2016-7101,CVE-2016-7446,CVE-2016-7447,CVE-2016-7448,CVE-2016-7449,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7519,CVE-2016-7522,CVE-2016-7524,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.46.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.46.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.46.1
Comment 26 Swamp Workflow Management 2016-11-10 16:13:43 UTC
openSUSE-SU-2016:2770-1: An update that solves 41 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000394,1000399,1000434,1000436,1000686,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000696,1000697,1000698,1000699,1000700,1000701,1000702,1000703,1000704,1000706,1000707,1000708,1000709,1000711,1000712,1000713,1000714,1000715,1001066,1001221,1002206,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1005328
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-6823,CVE-2016-7101,CVE-2016-7513,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7520,CVE-2016-7521,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7532,CVE-2016-7533,CVE-2016-7534,CVE-2016-7535,CVE-2016-7537,CVE-2016-7538,CVE-2016-7539,CVE-2016-7540,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8677,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684
Sources used:
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-21.1
Comment 29 Bernhard Wiedemann 2016-11-29 17:00:20 UTC
This is an autogenerated message for OBS integration:
This bug (1000399) was mentioned in
https://build.opensuse.org/request/show/442718 42.2 / GraphicsMagick
Comment 30 Swamp Workflow Management 2016-12-01 17:08:01 UTC
SUSE-SU-2016:2964-1: An update that fixes 34 vulnerabilities is now available.

Category: security (important)
Bug References: 1000399,1000434,1000436,1000688,1000689,1000690,1000691,1000692,1000693,1000694,1000695,1000698,1000699,1000700,1000701,1000703,1000704,1000707,1000709,1000711,1000713,1000714,1001066,1001221,1002209,1002421,1002422,1003629,1005123,1005125,1005127,1007245
CVE References: CVE-2014-9907,CVE-2015-8957,CVE-2015-8958,CVE-2015-8959,CVE-2016-5687,CVE-2016-6823,CVE-2016-7101,CVE-2016-7514,CVE-2016-7515,CVE-2016-7516,CVE-2016-7517,CVE-2016-7518,CVE-2016-7519,CVE-2016-7522,CVE-2016-7523,CVE-2016-7524,CVE-2016-7525,CVE-2016-7526,CVE-2016-7527,CVE-2016-7528,CVE-2016-7529,CVE-2016-7530,CVE-2016-7531,CVE-2016-7533,CVE-2016-7535,CVE-2016-7537,CVE-2016-7799,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684,CVE-2016-8862
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.54.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.54.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.54.1
Comment 31 Swamp Workflow Management 2016-12-08 17:09:27 UTC
openSUSE-SU-2016:3060-1: An update that fixes 31 vulnerabilities is now available.

Category: security (important)
Bug References: 1000399,1000434,1000689,1000698,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,1007245,1011130,982178,983521,983752,983794,983799,984145,984150,984166,984372,984375,984394,984400,984436
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9809,CVE-2014-9815,CVE-2014-9817,CVE-2014-9820,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9845,CVE-2014-9846,CVE-2014-9853,CVE-2016-5118,CVE-2016-6823,CVE-2016-7101,CVE-2016-7515,CVE-2016-7522,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684,CVE-2016-8862,CVE-2016-9556
Sources used:
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-3.1
Comment 32 Marcus Meissner 2016-12-22 12:10:38 UTC
released
Comment 33 Petr Gajdos 2017-08-30 10:11:29 UTC
CVE-2016-7529: in GraphicsMagick, the xcf issue is solved in another way and fails right before allocation with:

gm convert: Corrupt image (Claimed tile data length is insufficient for tile data).

Considering unaffected.
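Comment 33 describes the shape of the GraphicsMagick mitigation: the tile length claimed by the file is compared against the input that actually remains, and the record is rejected as corrupt before any buffer is allocated for it. The following added example implements that ordering of checks; it is not GraphicsMagick's or ImageMagick's code, and the record layout it parses (a 4-byte big-endian length followed by that many data bytes) is a simplification assumed for the example, not the XCF format.

```c
/* Added example (not GraphicsMagick code): validate a claimed length against
 * the remaining input before allocating, so an oversize claim never reaches
 * the heap. The tile record layout is a constructed simplification. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef enum {
    TILE_OK = 0,
    TILE_TRUNCATED_HEADER,     /* fewer than 4 bytes left for the length field */
    TILE_LENGTH_INSUFFICIENT,  /* claimed length exceeds the bytes that remain */
    TILE_OUT_OF_MEMORY
} tile_status_t;

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Reads one tile record starting at buf[pos]. The claimed length is checked
 * against the remaining input before malloc, mirroring the "claimed tile data
 * length is insufficient" rejection. On TILE_OK, *out owns a copy of the tile
 * data (caller frees) and *out_len is its length; otherwise *out is NULL. */
tile_status_t read_tile(const unsigned char *buf, size_t size, size_t pos,
                        unsigned char **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (pos > size || size - pos < 4)
        return TILE_TRUNCATED_HEADER;
    uint32_t claimed = read_be32(buf + pos);
    size_t remaining = size - pos - 4;
    if (claimed > remaining)
        return TILE_LENGTH_INSUFFICIENT;   /* reject before touching the heap */
    unsigned char *data = malloc(claimed == 0 ? 1 : claimed);
    if (data == NULL)
        return TILE_OUT_OF_MEMORY;
    memcpy(data, buf + pos + 4, claimed);
    *out = data;
    *out_len = claimed;
    return TILE_OK;
}

/* Constructed input: one well-formed tile carrying three bytes. */
tile_status_t demo_valid_tile(size_t *len_out)
{
    static const unsigned char file[] = { 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c' };
    unsigned char *data;
    tile_status_t st = read_tile(file, sizeof file, 0, &data, len_out);
    free(data);
    return st;                 /* TILE_OK, *len_out == 3 */
}

/* Constructed input: the header claims 0x7fffffff bytes but only one follows. */
tile_status_t demo_overclaimed_tile(void)
{
    static const unsigned char file[] = { 0x7f, 0xff, 0xff, 0xff, 'a' };
    unsigned char *data;
    size_t len;
    tile_status_t st = read_tile(file, sizeof file, 0, &data, &len);
    free(data);                /* NULL on failure; free(NULL) is a no-op */
    return st;                 /* TILE_LENGTH_INSUFFICIENT */
}
```

The order matters: allocating first and reading the claimed number of bytes afterwards is what lets a corrupt header drive a read or write past the input buffer, which is the heap-buffer-overflow the AddressSanitizer excerpts on this page report.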