Bugzilla – Bug 1011136
VUL-0: CVE-2016-9559: ImageMagick, GraphicsMagick: null pointer must never be null (tiff.c)
Last modified: 2017-05-19 06:42:47 UTC
Reference: http://seclists.org/oss-sec/2016/q4/472
===================================================

Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.

A fuzz on an updated version with the undefined behavior sanitizer enabled revealed a null pointer which is declared to never be null.

The complete UBSan output:

# identify $FILE
coders/tiff.c:655:39: runtime error: null pointer passed as argument 2, which is declared to never be null
MagickCore/string_.h:76:23: note: nonnull attribute specified here

Affected version:
7.0.3.6

Fixed version:
7.0.3.7

Commit fix:
https://github.com/ImageMagick/ImageMagick/commit/b61d35eaccc0a7ddeff8a1c3abfcd0a43ccf210b

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00049-imagemagick-pointernerverbenull

Timeline:
2016-11-09: bug discovered and reported to upstream
2016-11-09: upstream released a patch
2016-11-15: upstream released 7.0.3.7
2016-11-19: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/11/19/imagemagick-null-pointer-must-never-be-null-tiff-c

--
Agostino Sarubbo
Gentoo Linux Developer
===================================================
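The UBSan message above names a bug class rather than a memory error: a pointer obtained from an optional lookup is forwarded to a helper whose parameter carries GCC/clang's nonnull attribute, so NULL never gets checked before use. The following is an added example written for this page, not code from ImageMagick, GraphicsMagick or the reporter; the page does not show what coders/tiff.c:655 does, so copy_string, lookup_tag, the tag-table type and the sample "files" are constructed stand-ins, and TIFFTAG_ARTIST (315) is used purely as an illustrative optional tag. It shows the defective pattern next to the checked one and the sanitizer flag that surfaces the defect during fuzzing.

```c
#include <stddef.h>
#include <string.h>

/*
 * Stand-in for a string-copy helper declared with the nonnull attribute, in
 * the way MagickCore/string_.h declares its helpers (assumed shape, not the
 * project's code). Built with -fsanitize=undefined, every call site is
 * instrumented and a NULL second argument yields the diagnostic quoted in the
 * report: "null pointer passed as argument 2, which is declared to never be
 * null". Without the sanitizer the call is undefined behaviour and usually
 * crashes inside strncpy.
 */
static void copy_string(char *dst, const char *src, size_t n)
    __attribute__((nonnull(1, 2)));

static void copy_string(char *dst, const char *src, size_t n)
{
    if (n == 0)
        return;
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
}

/* Constructed stand-in for a TIFF directory lookup: returns the tag's value or
 * NULL when the file does not carry the tag. A malformed or fuzzed file
 * decides which tags are present, so "absent" is attacker-reachable input. */
typedef struct {
    int tag;
    const char *value;
} tiff_tag_t;

static const char *lookup_tag(const tiff_tag_t *tags, size_t count, int tag)
{
    for (size_t i = 0; i < count; i++)
        if (tags[i].tag == tag)
            return tags[i].value;
    return NULL;    /* tag not present in this file */
}

#define TAG_ARTIST 315  /* libtiff's TIFFTAG_ARTIST, used only as an illustration */

/* Defective pattern: the lookup result is forwarded unchecked, so a file
 * without the tag passes NULL to a nonnull parameter. */
static int read_artist_unchecked(const tiff_tag_t *tags, size_t count,
                                 char *out, size_t n)
{
    const char *artist = lookup_tag(tags, count, TAG_ARTIST);
    copy_string(out, artist, n);    /* UBSan reports this when artist == NULL */
    return 0;
}

/* Hardened pattern: an absent optional tag is a normal outcome. The caller
 * receives an empty string and a distinct return code, and NULL never reaches
 * the nonnull helper. */
static int read_artist_checked(const tiff_tag_t *tags, size_t count,
                               char *out, size_t n)
{
    const char *artist = lookup_tag(tags, count, TAG_ARTIST);
    if (artist == NULL) {
        if (n > 0)
            out[0] = '\0';
        return -1;
    }
    copy_string(out, artist, n);
    return 0;
}

/* Constructed sample "files": one carries the tag, one does not. */
static const tiff_tag_t file_with_artist[] = {
    { 256, "1" }, { 257, "1" }, { TAG_ARTIST, "constructed value" }
};
static const tiff_tag_t file_without_artist[] = {
    { 256, "1" }, { 257, "1" }
};

int main(void)
{
    char buf[32];

    /* Present tag: both variants behave identically. */
    read_artist_unchecked(file_with_artist, 3, buf, sizeof buf);
    read_artist_checked(file_with_artist, 3, buf, sizeof buf);

    /* Absent tag: only the checked variant is safe to call. Compile with
     * -fsanitize=undefined and call the unchecked one on file_without_artist
     * to reproduce the class of diagnostic in the report. */
    return read_artist_checked(file_without_artist, 2, buf, sizeof buf) == -1 ? 0 : 1;
}
```

The check belongs at the point where the optional value is produced, not inside the helper: a nonnull parameter tells the compiler it may assume the pointer is valid, so a NULL test added inside copy_string would be optimised away and would also hide the finding from the sanitizer.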
bugbot adjusting priority
For the testcase, I get:

ImageMagick (all versions, except 11 -- does not have tiff delegate):

$ identify 00049-imagemagick-pointernerverbenull
00049-imagemagick-pointernerverbenull TIFF64 1x1 1x1+0+0 8-bit sRGB 1.85KB 0.000u 0:00.000
identify: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/857.
identify: Unknown field with tag 32781 (0x800d) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/857.
identify: Unknown field with tag 10 (0xa) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/857.
identify: Unknown field with tag 228 (0xe4) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/857.
identify: TIFF directory is missing required "StripByteCounts" field, calculating from imagelength. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/857.
$

No valgrind errors.

GraphicsMagick (all versions, except 11 -- does not have tiff delegate):

$ gm identify 00049-imagemagick-pointernerverbenull
00049-imagemagick-pointernerverbenull BIGTIFF 1x1+0+0 DirectClass 8-bit 1.8K 0.000u 0:01
$

No valgrind errors.
(In reply to Petr Gajdos from comment #2)
> ImageMagick (all versions, except 11 -- does not have tiff delegate):
> GraphicsMagick (all versions, except 11 -- does not have tiff delegate):

They actually have it -- they just did not recognize the format of the testcases.
The patch fits every version of ImageMagick and every version of GraphicsMagick.
AFTER: same as BEFORE for both GraphicsMagick and ImageMagick
Packages submitted.
This is an autogenerated message for OBS integration:
This bug (1011136) was mentioned in
https://build.opensuse.org/request/show/442364 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/442365 13.2 / ImageMagick
https://build.opensuse.org/request/show/442366 42.1 / GraphicsMagick
openSUSE-SU-2016:3024-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1011130,1011136
CVE References: CVE-2016-9556,CVE-2016-9559
Sources used:
openSUSE Leap 42.1 (src): GraphicsMagick-1.3.21-20.1

openSUSE-SU-2016:3026-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1011130,1011136
CVE References: CVE-2016-9556,CVE-2016-9559
Sources used:
openSUSE 13.2 (src): GraphicsMagick-1.3.20-18.1

openSUSE-SU-2016:3027-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1011130,1011136
CVE References: CVE-2016-9556,CVE-2016-9559
Sources used:
openSUSE 13.2 (src): ImageMagick-6.8.9.8-42.1

SUSE-SU-2016:3256-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1009318,1011130,1011136,1013376,1014159
CVE References: CVE-2016-7530,CVE-2016-8707,CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9773
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ImageMagick-6.4.3.6-7.60.1
SUSE Linux Enterprise Server 11-SP4 (src): ImageMagick-6.4.3.6-7.60.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): ImageMagick-6.4.3.6-7.60.1

SUSE-SU-2016:3258-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1009318,1011130,1011136,1013376,1014159
CVE References: CVE-2014-9848,CVE-2016-8707,CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9773
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Server 12-SP2 (src): ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Server 12-SP1 (src): ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Desktop 12-SP2 (src): ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Desktop 12-SP1 (src): ImageMagick-6.8.8.1-54.1

openSUSE-SU-2017:0023-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1009318,1011130,1011136,1013376,1014159
CVE References: CVE-2014-9848,CVE-2016-8707,CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9773
Sources used:
openSUSE Leap 42.2 (src): ImageMagick-6.8.8.1-25.1
openSUSE Leap 42.1 (src): ImageMagick-6.8.8.1-27.1
released
SUSE-SU-2017:0305-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1009318,1011130,1011136,1013640,1017421
CVE References: CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9830
Sources used:
SUSE Studio Onsite 1.3 (src): GraphicsMagick-1.2.5-4.59.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): GraphicsMagick-1.2.5-4.59.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): GraphicsMagick-1.2.5-4.59.1