Bug 1011130 - (CVE-2016-9556) VUL-0: CVE-2016-9556: ImageMagick, GraphicsMagick: heap-based buffer overflow in IsPixelGray (pixel-accessor.h)
(CVE-2016-9556)
VUL-0: CVE-2016-9556: ImageMagick, GraphicsMagick: heap-based buffer overflow...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
CVSSv2:RedHat:CVE-2016-9556:4.3:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-11-19 15:24 UTC by Mikhail Kasimov
Modified: 2017-08-16 14:01 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Kasimov 2016-11-19 15:24:40 UTC
Reference: http://seclists.org/oss-sec/2016/q4/469
====================================================

Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap 
images.

A fuzz on an updated version revealed another overflow.

The complete ASan output:

# identify $FILE
=================================================================
==696==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009700 
at pc 0x7f300036c9a3 bp 0x7fff6e225970 sp 0x7fff6e225968
READ of size 4 at 0x611000009700 thread T0
    #0 0x7f300036c9a2 in IsPixelGray /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/./MagickCore/pixel-
accessor.h:507:30
    #1 0x7f300036c9a2 in IdentifyImageGray /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/attribute.c:677
    #2 0x7f300036f0dd in IdentifyImageType /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/attribute.c:821:7
    #3 0x7f300090c1da in IdentifyImage /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/identify.c:527:8
    #4 0x7f2fff364075 in IdentifyImageCommand /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickWand/identify.c:336:22
    #5 0x7f2fff4afeca in MagickCommandGenesis /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickWand/mogrify.c:183:14
    #6 0x50a339 in MagickMain /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/utilities/magick.c:145:10
    #7 0x50a339 in main /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/utilities/magick.c:176
    #8 0x7f2ffd99c61f in __libc_start_main /var/tmp/portage/sys-
libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #9 0x419d28 in _init (/usr/bin/magick+0x419d28)

0x611000009700 is located 0 bytes to the right of 192-byte region 
[0x611000009640,0x611000009700)
allocated by thread T0 here:
    #0 0x4d3685 in posix_memalign /tmp/portage/sys-devel/llvm-3.9.0-
r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:130
    #1 0x7f3000a466b0 in AcquireAlignedMemory /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/memory.c:258:7
    #2 0x7f300043addf in AcquireCacheNexusPixels /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/cache.c:4636:33
    #3 0x7f3000402030 in SetPixelCacheNexusPixels /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/cache.c:4748:14
    #4 0x7f30003e7d2d in GetVirtualPixelsFromNexus /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/cache.c:2629:10
    #5 0x7f3000444e53 in GetCacheViewVirtualPixels /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/cache-
view.c:664:10
    #6 0x7f300036b27c in IdentifyImageGray /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/attribute.c:672:7
    #7 0x7f300036f0dd in IdentifyImageType /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/attribute.c:821:7
    #8 0x7f300090c1da in IdentifyImage /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/identify.c:527:8
    #9 0x7f2fff364075 in IdentifyImageCommand /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickWand/identify.c:336:22
    #10 0x7f2fff4afeca in MagickCommandGenesis /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickWand/mogrify.c:183:14
    #11 0x50a339 in MagickMain /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/utilities/magick.c:145:10
    #12 0x50a339 in main /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/utilities/magick.c:176
    #13 0x7f2ffd99c61f in __libc_start_main /var/tmp/portage/sys-
libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-
gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/./MagickCore/pixel-
accessor.h:507:30 in IsPixelGray
Shadow bytes around the buggy address:
  0x0c227fff9290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff92d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff92e0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff9300: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c227fff9310: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff9320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff9330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==696==ABORTING

Affected version:
7.0.3.6

Fixed version:
7.0.3.8 (not yet released)

Commit fix:
https://github.com/ImageMagick/ImageMagick/commit/ce98a7acbcfca7f0a178f4b1e7b957e419e0cc99

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00051-imagemagick-heapoverflow-IsPixelGray

Timeline:
2016-11-16: bug discovered and reported to upstream
2016-11-17: upstream released a patch
2016-11-19: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/11/19/imagemagick-heap-based-buffer-overflow-in-ispixelgray-pixel-accessor-h

-- 
Agostino Sarubbo
Gentoo Linux Developer
Comment 1 Swamp Workflow Management 2016-11-19 22:59:45 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-11-28 10:41:21 UTC
For the testcase, I get:

ImageMagick (all versions):

$ identify 00051-imagemagick-heapoverflow-IsPixelGray 
00051-imagemagick-heapoverflow-IsPixelGray SGI 15x3 15x3+0+0 8-bit sRGB 550B 0.000u 0:00.000
identify: unexpected end-of-file `00051-imagemagick-heapoverflow-IsPixelGray': No such file or directory @ error/sgi.c/ReadSGIImage/726.
$

No valgrind errors.

GraphicsMagick (all versions):

$ gm identify 00051-imagemagick-heapoverflow-IsPixelGray 
gm identify: Improper image header (00051-imagemagick-heapoverflow-IsPixelGray).
gm identify: Request did not return an image.
$

No valgrind errors.
Comment 3 Petr Gajdos 2016-11-28 11:03:35 UTC
The check fits in all versions of ImageMagick and all versions of GraphicsMagick.
Comment 4 Petr Gajdos 2016-11-28 12:04:51 UTC
AFTER:

ImageMagick

$ identify 00051-imagemagick-heapoverflow-IsPixelGray
identify 00051-imagemagick-heapoverflow-IsPixelGray 
identify: Improper image header `00051-imagemagick-heapoverflow-IsPixelGray'.
$

GraphicsMagick

Same as before.
Comment 5 Petr Gajdos 2016-11-28 12:14:22 UTC
Packages submitted.
Comment 6 Bernhard Wiedemann 2016-11-28 13:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (1011130) was mentioned in
https://build.opensuse.org/request/show/442364 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/442365 13.2 / ImageMagick
https://build.opensuse.org/request/show/442366 42.1 / GraphicsMagick
Comment 8 Mikhail Kasimov 2016-12-01 15:27:32 UTC
up! http://seclists.org/oss-sec/2016/q4/550
Comment 9 Mikhail Kasimov 2016-12-02 18:54:09 UTC
imagemagick: heap-based buffer overflow in IsPixelGray (pixel-accessor.h) (Incomplete fix for CVE-2016-9556) -- see boo#1013376
Comment 11 Swamp Workflow Management 2016-12-06 15:07:16 UTC
openSUSE-SU-2016:3024-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1011130,1011136
CVE References: CVE-2016-9556,CVE-2016-9559
Sources used:
openSUSE Leap 42.1 (src):    GraphicsMagick-1.3.21-20.1
Comment 12 Swamp Workflow Management 2016-12-06 15:10:25 UTC
openSUSE-SU-2016:3026-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1011130,1011136
CVE References: CVE-2016-9556,CVE-2016-9559
Sources used:
openSUSE 13.2 (src):    GraphicsMagick-1.3.20-18.1
Comment 13 Swamp Workflow Management 2016-12-06 15:10:54 UTC
openSUSE-SU-2016:3027-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1011130,1011136
CVE References: CVE-2016-9556,CVE-2016-9559
Sources used:
openSUSE 13.2 (src):    ImageMagick-6.8.9.8-42.1
Comment 14 Swamp Workflow Management 2016-12-08 17:12:40 UTC
openSUSE-SU-2016:3060-1: An update that fixes 31 vulnerabilities is now available.

Category: security (important)
Bug References: 1000399,1000434,1000689,1000698,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,1007245,1011130,982178,983521,983752,983794,983799,984145,984150,984166,984372,984375,984394,984400,984436
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9809,CVE-2014-9815,CVE-2014-9817,CVE-2014-9820,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9845,CVE-2014-9846,CVE-2014-9853,CVE-2016-5118,CVE-2016-6823,CVE-2016-7101,CVE-2016-7515,CVE-2016-7522,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684,CVE-2016-8862,CVE-2016-9556
Sources used:
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-3.1
Comment 16 Swamp Workflow Management 2016-12-23 15:08:14 UTC
SUSE-SU-2016:3256-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1009318,1011130,1011136,1013376,1014159
CVE References: CVE-2016-7530,CVE-2016-8707,CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9773
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.60.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.60.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.60.1
Comment 17 Swamp Workflow Management 2016-12-23 15:09:58 UTC
SUSE-SU-2016:3258-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1009318,1011130,1011136,1013376,1014159
CVE References: CVE-2014-9848,CVE-2016-8707,CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9773
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-54.1
Comment 19 Swamp Workflow Management 2017-01-04 17:08:09 UTC
openSUSE-SU-2017:0023-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1009318,1011130,1011136,1013376,1014159
CVE References: CVE-2014-9848,CVE-2016-8707,CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9773
Sources used:
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-25.1
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-27.1
Comment 20 Swamp Workflow Management 2017-01-27 21:11:11 UTC
SUSE-SU-2017:0305-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1009318,1011130,1011136,1013640,1017421
CVE References: CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9830
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.59.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.59.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.59.1
Comment 21 Victor Pereira 2017-05-18 14:05:12 UTC
fixed and released.
Comment 22 Petr Gajdos 2017-08-16 14:01:07 UTC
GraphicsMagick master: it is fixed by:

iris_info.dimension=ReadBlobMSBShort(image) & 0xFFFF;
[..]

     /* We only support zsize up to 4. Code further on assumes that. */
      if (iris_info.zsize > 4U)
        ThrowReaderException(CorruptImageError,ImproperImageHeader,image)