Bug 1011136 - (CVE-2016-9559) VUL-0: CVE-2016-9559: ImageMagick, GraphicsMagick: null pointer must never be null (tiff.c)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium   Severity: Normal
Target Milestone: unspecified
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2016-9559:4.3:(AV:N/A...
Depends on:
Blocks:
Reported: 2016-11-19 18:13 UTC by Mikhail Kasimov
Modified: 2017-05-19 06:42 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Mikhail Kasimov 2016-11-19 18:13:40 UTC
Reference: http://seclists.org/oss-sec/2016/q4/472
===================================================
Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.

A fuzz on an updated version with the undefined behavior sanitizer enabled, revealed a null pointer which is declared to never be null.

The complete UBSan output:

# identify $FILE
coders/tiff.c:655:39: runtime error: null pointer passed as argument 2, which is declared to never be null
MagickCore/string_.h:76:23: note: nonnull attribute specified here

Affected version:
7.0.3.6

Fixed version:
7.0.3.7

Commit fix:
https://github.com/ImageMagick/ImageMagick/commit/b61d35eaccc0a7ddeff8a1c3abfcd0a43ccf210b

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00049-imagemagick-pointernerverbenull

Timeline:
2016-11-09: bug discovered and reported to upstream
2016-11-09: upstream released a patch
2016-11-15: upstream released 7.0.3.7
2016-11-19: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/11/19/imagemagick-null-pointer-must-never-be-null-tiff-c

-- 
Agostino Sarubbo
Gentoo Linux Developer
===================================================
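Added illustration of the pattern behind the UBSan finding above (this is not code from the report, from ImageMagick or from the fix commit): a copy helper declared nonnull, as MagickCore's string helpers are, reached through a tag lookup that can report success while handing back NULL. The lookup and the property-reading functions are constructed stand-ins, not libtiff's or ImageMagick's API; the "checked" variant shows the kind of pointer test that stops the nonnull contract from being violated.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for a MagickCore-style copy helper. The nonnull attribute is the
 * promise UBSan's nonnull-attribute check enforces at each call site
 * (assumption: mirrors the "nonnull attribute specified here" note). */
__attribute__((nonnull))
static size_t copy_string(char *dst, const char *src, size_t len)
{
    size_t n = strlen(src);
    if (n >= len)
        n = len - 1;          /* truncate, always leave room for the NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Constructed stand-in for a TIFFGetField-like lookup: for a damaged tag it
 * can return 1 (tag present) while leaving *text NULL. */
static int get_text_tag(int tag_present, const char *stored, const char **text)
{
    if (!tag_present)
        return 0;
    *text = stored;           /* may be NULL for a malformed directory entry */
    return 1;
}

/* BEFORE: only the return code is tested, so a NULL text reaches the
 * nonnull copy routine; that is what UBSan reported in coders/tiff.c. */
static int read_property_unchecked(int present, const char *stored,
                                   char *out, size_t len)
{
    const char *text = NULL;
    if (get_text_tag(present, stored, &text) == 1) {
        copy_string(out, text, len);      /* undefined behaviour if text == NULL */
        return 1;
    }
    return 0;
}

/* AFTER: test the pointer as well as the return code before the nonnull call;
 * a present-but-empty tag is skipped instead of dereferenced. */
static int read_property_checked(int present, const char *stored,
                                 char *out, size_t len)
{
    const char *text = NULL;
    if (get_text_tag(present, stored, &text) == 1 && text != NULL) {
        copy_string(out, text, len);
        return 1;
    }
    return 0;
}
```

Building the hardened and unhardened variants with -fsanitize=undefined and feeding the unchecked one a present-but-NULL tag reproduces a "null pointer passed as argument 2" report of the same shape as the one in the description.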
Comment 1 Swamp Workflow Management 2016-11-19 22:59:56 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-11-28 10:41:24 UTC
For the testcase, I get:

ImageMagick (all versions, except 11 -- does not have tiff delegate):

$ identify  00049-imagemagick-pointernerverbenull 
00049-imagemagick-pointernerverbenull TIFF64 1x1 1x1+0+0 8-bit sRGB 1.85KB 0.000u 0:00.000
identify: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/857.
identify: Unknown field with tag 32781 (0x800d) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/857.
identify: Unknown field with tag 10 (0xa) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/857.
identify: Unknown field with tag 228 (0xe4) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/857.
identify: TIFF directory is missing required "StripByteCounts" field, calculating from imagelength. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/857.
$

No valgrind errors.

GraphicsMagick (all versions, except 11 -- does not have tiff delegate):

$ gm identify 00049-imagemagick-pointernerverbenull 
00049-imagemagick-pointernerverbenull BIGTIFF 1x1+0+0 DirectClass 8-bit 1.8K 0.000u 0:01
$

No valgrind errors.
Comment 3 Petr Gajdos 2016-11-28 11:34:18 UTC
(In reply to Petr Gajdos from comment #2)
> ImageMagick (all versions, except 11 -- does not have tiff delegate):
> GraphicsMagick (all versions, except 11 -- does not have tiff delegate):

They actually have -- they just did not recognize the format of the testcase.
Comment 4 Petr Gajdos 2016-11-28 11:59:37 UTC
The patch fits to every version of ImageMagick and every version of GraphicsMagick.
Comment 5 Petr Gajdos 2016-11-28 12:07:08 UTC
AFTER:

same as BEFORE for both GraphicsMagick and ImageMagick
Comment 6 Petr Gajdos 2016-11-28 12:14:42 UTC
Packages submitted.
Comment 7 Bernhard Wiedemann 2016-11-28 13:00:24 UTC
This is an autogenerated message for OBS integration:
This bug (1011136) was mentioned in
https://build.opensuse.org/request/show/442364 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/442365 13.2 / ImageMagick
https://build.opensuse.org/request/show/442366 42.1 / GraphicsMagick
Comment 10 Swamp Workflow Management 2016-12-06 15:07:30 UTC
openSUSE-SU-2016:3024-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1011130,1011136
CVE References: CVE-2016-9556,CVE-2016-9559
Sources used:
openSUSE Leap 42.1 (src):    GraphicsMagick-1.3.21-20.1
Comment 11 Swamp Workflow Management 2016-12-06 15:10:36 UTC
openSUSE-SU-2016:3026-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1011130,1011136
CVE References: CVE-2016-9556,CVE-2016-9559
Sources used:
openSUSE 13.2 (src):    GraphicsMagick-1.3.20-18.1
Comment 12 Swamp Workflow Management 2016-12-06 15:11:05 UTC
openSUSE-SU-2016:3027-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1011130,1011136
CVE References: CVE-2016-9556,CVE-2016-9559
Sources used:
openSUSE 13.2 (src):    ImageMagick-6.8.9.8-42.1
Comment 14 Swamp Workflow Management 2016-12-23 15:08:27 UTC
SUSE-SU-2016:3256-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1009318,1011130,1011136,1013376,1014159
CVE References: CVE-2016-7530,CVE-2016-8707,CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9773
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.60.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.60.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.60.1
Comment 15 Swamp Workflow Management 2016-12-23 15:10:07 UTC
SUSE-SU-2016:3258-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1009318,1011130,1011136,1013376,1014159
CVE References: CVE-2014-9848,CVE-2016-8707,CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9773
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Server 12-SP1 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-54.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ImageMagick-6.8.8.1-54.1
Comment 17 Swamp Workflow Management 2017-01-04 17:08:20 UTC
openSUSE-SU-2017:0023-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1009318,1011130,1011136,1013376,1014159
CVE References: CVE-2014-9848,CVE-2016-8707,CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9773
Sources used:
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-25.1
openSUSE Leap 42.1 (src):    ImageMagick-6.8.8.1-27.1
Comment 18 Marcus Meissner 2017-01-16 12:32:45 UTC
released
Comment 19 Swamp Workflow Management 2017-01-27 21:11:22 UTC
SUSE-SU-2017:0305-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1009318,1011130,1011136,1013640,1017421
CVE References: CVE-2016-8866,CVE-2016-9556,CVE-2016-9559,CVE-2016-9830
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.59.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.59.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.59.1