Bugzilla – Bug 1011130
VUL-0: CVE-2016-9556: ImageMagick, GraphicsMagick: heap-based buffer overflow in IsPixelGray (pixel-accessor.h)
Last modified: 2017-08-16 14:01:07 UTC
Reference: http://seclists.org/oss-sec/2016/q4/469 ==================================================== Description: imagemagick is a software suite to create, edit, compose, or convert bitmap images. A fuzz on an updated version revealed another overflow. The complete ASan output: # identify $FILE ================================================================= ==696==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009700 at pc 0x7f300036c9a3 bp 0x7fff6e225970 sp 0x7fff6e225968 READ of size 4 at 0x611000009700 thread T0 #0 0x7f300036c9a2 in IsPixelGray /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/./MagickCore/pixel- accessor.h:507:30 #1 0x7f300036c9a2 in IdentifyImageGray /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/attribute.c:677 #2 0x7f300036f0dd in IdentifyImageType /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/attribute.c:821:7 #3 0x7f300090c1da in IdentifyImage /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/identify.c:527:8 #4 0x7f2fff364075 in IdentifyImageCommand /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickWand/identify.c:336:22 #5 0x7f2fff4afeca in MagickCommandGenesis /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickWand/mogrify.c:183:14 #6 0x50a339 in MagickMain /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/utilities/magick.c:145:10 #7 0x50a339 in main /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/utilities/magick.c:176 #8 0x7f2ffd99c61f in __libc_start_main /var/tmp/portage/sys- libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #9 0x419d28 in _init (/usr/bin/magick+0x419d28) 0x611000009700 is located 0 bytes to the right of 192-byte region [0x611000009640,0x611000009700) allocated by thread T0 here: #0 0x4d3685 in posix_memalign /tmp/portage/sys-devel/llvm-3.9.0- r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:130 #1 0x7f3000a466b0 in AcquireAlignedMemory /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/memory.c:258:7 #2 0x7f300043addf in AcquireCacheNexusPixels /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/cache.c:4636:33 #3 0x7f3000402030 in SetPixelCacheNexusPixels /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/cache.c:4748:14 #4 0x7f30003e7d2d in GetVirtualPixelsFromNexus /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/cache.c:2629:10 #5 0x7f3000444e53 in GetCacheViewVirtualPixels /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/cache- view.c:664:10 #6 0x7f300036b27c in IdentifyImageGray /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/attribute.c:672:7 #7 0x7f300036f0dd in IdentifyImageType /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/attribute.c:821:7 #8 0x7f300090c1da in IdentifyImage /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/identify.c:527:8 #9 0x7f2fff364075 in IdentifyImageCommand /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickWand/identify.c:336:22 #10 0x7f2fff4afeca in MagickCommandGenesis /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickWand/mogrify.c:183:14 #11 0x50a339 in MagickMain /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/utilities/magick.c:145:10 #12 0x50a339 in main /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/utilities/magick.c:176 #13 0x7f2ffd99c61f in __libc_start_main /var/tmp/portage/sys- libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media- gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/./MagickCore/pixel- accessor.h:507:30 in IsPixelGray Shadow bytes around the buggy address: 0x0c227fff9290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c227fff92a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c227fff92b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c227fff92c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c227fff92d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c227fff92e0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c227fff92f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c227fff9300: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa 0x0c227fff9310: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c227fff9320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c227fff9330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==696==ABORTING Affected version: 7.0.3.6 Fixed version: 7.0.3.8 (not yet released) Commit fix: https://github.com/ImageMagick/ImageMagick/commit/ce98a7acbcfca7f0a178f4b1e7b957e419e0cc99 Credit: This bug was discovered by Agostino Sarubbo of Gentoo. CVE: N/A Reproducer: https://github.com/asarubbo/poc/blob/master/00051-imagemagick-heapoverflow-IsPixelGray Timeline: 2016-11-16: bug discovered and reported to upstream 2016-11-17: upstream released a patch 2016-11-19: blog post about the issue Note: This bug was found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2016/11/19/imagemagick-heap-based-buffer-overflow-in-ispixelgray-pixel-accessor-h -- Agostino Sarubbo Gentoo Linux Developer
bugbot adjusting priority
For the testcase, I get: ImageMagick (all versions): $ identify 00051-imagemagick-heapoverflow-IsPixelGray 00051-imagemagick-heapoverflow-IsPixelGray SGI 15x3 15x3+0+0 8-bit sRGB 550B 0.000u 0:00.000 identify: unexpected end-of-file `00051-imagemagick-heapoverflow-IsPixelGray': No such file or directory @ error/sgi.c/ReadSGIImage/726. $ No valgrind errors. GraphicsMagick (all versions): $ gm identify 00051-imagemagick-heapoverflow-IsPixelGray gm identify: Improper image header (00051-imagemagick-heapoverflow-IsPixelGray). gm identify: Request did not return an image. $ No valgrind errors.
The check fits in all versions of ImageMagick and all versions of GraphicsMagick.
AFTER: ImageMagick $ identify 00051-imagemagick-heapoverflow-IsPixelGray identify 00051-imagemagick-heapoverflow-IsPixelGray identify: Improper image header `00051-imagemagick-heapoverflow-IsPixelGray'. $ GraphicsMagick Same as before.
Packages submitted.
This is an autogenerated message for OBS integration: This bug (1011130) was mentioned in https://build.opensuse.org/request/show/442364 13.2 / GraphicsMagick https://build.opensuse.org/request/show/442365 13.2 / ImageMagick https://build.opensuse.org/request/show/442366 42.1 / GraphicsMagick
up! http://seclists.org/oss-sec/2016/q4/550
imagemagick: heap-based buffer overflow in IsPixelGray (pixel-accessor.h) (Incomplete fix for CVE-2016-9556) -- see boo#1013376
openSUSE-SU-2016:3024-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 1011130,1011136 CVE References: CVE-2016-9556,CVE-2016-9559 Sources used: openSUSE Leap 42.1 (src): GraphicsMagick-1.3.21-20.1
openSUSE-SU-2016:3026-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 1011130,1011136 CVE References: CVE-2016-9556,CVE-2016-9559 Sources used: openSUSE 13.2 (src): GraphicsMagick-1.3.20-18.1
openSUSE-SU-2016:3027-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 1011130,1011136 CVE References: CVE-2016-9556,CVE-2016-9559 Sources used: openSUSE 13.2 (src): ImageMagick-6.8.9.8-42.1
openSUSE-SU-2016:3060-1: An update that fixes 31 vulnerabilities is now available. Category: security (important) Bug References: 1000399,1000434,1000689,1000698,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,1007245,1011130,982178,983521,983752,983794,983799,984145,984150,984166,984372,984375,984394,984400,984436 CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9809,CVE-2014-9815,CVE-2014-9817,CVE-2014-9820,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9845,CVE-2014-9846,CVE-2014-9853,CVE-2016-5118,CVE-2016-6823,CVE-2016-7101,CVE-2016-7515,CVE-2016-7522,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684,CVE-2016-8862,CVE-2016-9556 Sources used: openSUSE Leap 42.2 (src): GraphicsMagick-1.3.25-3.1
SUSE-SU-2016:3256-1: An update that fixes 6 vulnerabilities is now available. Category: security (moderate) Bug References: 1009318,1011130,1011136,1013376,1014159 CVE References: CVE-2016-7530,CVE-2016-8707,CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9773 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ImageMagick-6.4.3.6-7.60.1 SUSE Linux Enterprise Server 11-SP4 (src): ImageMagick-6.4.3.6-7.60.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): ImageMagick-6.4.3.6-7.60.1
SUSE-SU-2016:3258-1: An update that fixes 6 vulnerabilities is now available. Category: security (important) Bug References: 1009318,1011130,1011136,1013376,1014159 CVE References: CVE-2014-9848,CVE-2016-8707,CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9773 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP2 (src): ImageMagick-6.8.8.1-54.1 SUSE Linux Enterprise Workstation Extension 12-SP1 (src): ImageMagick-6.8.8.1-54.1 SUSE Linux Enterprise Software Development Kit 12-SP2 (src): ImageMagick-6.8.8.1-54.1 SUSE Linux Enterprise Software Development Kit 12-SP1 (src): ImageMagick-6.8.8.1-54.1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): ImageMagick-6.8.8.1-54.1 SUSE Linux Enterprise Server 12-SP2 (src): ImageMagick-6.8.8.1-54.1 SUSE Linux Enterprise Server 12-SP1 (src): ImageMagick-6.8.8.1-54.1 SUSE Linux Enterprise Desktop 12-SP2 (src): ImageMagick-6.8.8.1-54.1 SUSE Linux Enterprise Desktop 12-SP1 (src): ImageMagick-6.8.8.1-54.1
openSUSE-SU-2017:0023-1: An update that fixes 6 vulnerabilities is now available. Category: security (important) Bug References: 1009318,1011130,1011136,1013376,1014159 CVE References: CVE-2014-9848,CVE-2016-8707,CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9773 Sources used: openSUSE Leap 42.2 (src): ImageMagick-6.8.8.1-25.1 openSUSE Leap 42.1 (src): ImageMagick-6.8.8.1-27.1
SUSE-SU-2017:0305-1: An update that solves four vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1009318,1011130,1011136,1013640,1017421 CVE References: CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9830 Sources used: SUSE Studio Onsite 1.3 (src): GraphicsMagick-1.2.5-4.59.1 SUSE Linux Enterprise Software Development Kit 11-SP4 (src): GraphicsMagick-1.2.5-4.59.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): GraphicsMagick-1.2.5-4.59.1
fixed and released.
GraphicsMagick master: it is fixed by: iris_info.dimension=ReadBlobMSBShort(image) & 0xFFFF; [..] /* We only support zsize up to 4. Code further on assumes that. */ if (iris_info.zsize > 4U) ThrowReaderException(CorruptImageError,ImproperImageHeader,image)