Bug 1052253 - (CVE-2017-12431) VUL-2: CVE-2017-12431: GraphicsMagick, ImageMagick: Use-after-free in ReadWMFImage in coders/wmf.c, which allows attackers to cause DoS
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P3 - Medium / Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/189605/
CVSSv2:SUSE:CVE-2017-12431:7.5:(AV:N...
Reported: 2017-08-04 12:40 UTC by Johannes Segitz
Modified: 2020-07-27 02:07 UTC (History)

Found By: Security Response Team
Attachments:
Reproducer (171 bytes, image/x-wmf), 2017-08-04 12:40 UTC, Johannes Segitz

Description Johannes Segitz 2017-08-04 12:40:42 UTC
Created attachment 735284 [details]
Reproducer

CVE-2017-12431

In ImageMagick 7.0.6-1, a use-after-free vulnerability was found in the
function ReadWMFImage in coders/wmf.c, which allows attackers to cause
a denial of service.

Reproducer doesn't trigger. Vulnerable code present. Due to it being a use-after-free RCE can't be ruled out, please include this one in the already requested update.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12431
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12431
Comment 1 Petr Gajdos 2017-08-15 11:11:28 UTC
ImageMagick issue

https://github.com/ImageMagick/ImageMagick/issues/555
Comment 3 Petr Gajdos 2017-08-15 12:30:33 UTC
I do not know how to test with the testcase. Both GraphicsMagick and ImageMagick bail out with 'no decode delegate for this image format', which means program control does not reach ReadWMFImage() at all, if I understand correctly.
Comment 4 Petr Gajdos 2017-08-15 12:32:30 UTC
(Yes, I have wmf.so installed.)
Comment 5 Petr Gajdos 2017-08-15 13:04:59 UTC
Patch is applicable on: 12/ImageMagick, 11/ImageMagick

I think GraphicsMagick is not affected.
Comment 6 Petr Gajdos 2017-08-15 13:13:24 UTC
Hmm, no. I thought I got it but I do not. Could you please help me understand what and how this patch is fixing?
Comment 7 Marcus Meissner 2017-08-17 13:17:37 UTC
The wmf.so coder is in SLE12 only in ImageMagick-extra, which is not shipped there.

The problem seems to be introduced 3 (three) days before the fix.

commit b2b48d50300a9fbcd0aa0d9230fd6d7a08f7671e
Author: Cristy <urban-warrior@imagemagick.org>
Date:   Thu Jul 6 06:12:37 2017 -0400

    https://github.com/ImageMagick/ImageMagick/issues/544

diff --git a/coders/wmf.c b/coders/wmf.c
index b8f37a65f..6f6939a18 100644
--- a/coders/wmf.c
+++ b/coders/wmf.c
@@ -2679,6 +2679,11 @@ static Image *ReadWMFImage(const ImageInfo *image_info,ExceptionInfo *exception)
   if (wmf_error != wmf_E_None)
     {
       wmf_api_destroy(API);
+      if (ddata->draw_info != (DrawInfo *) NULL)
+        {
+          DestroyDrawInfo(ddata->draw_info);
+          ddata->draw_info=(DrawInfo *)NULL;
+        }
       if (image->debug != MagickFalse)
         {
           (void) LogMagickEvent(CoderEvent,GetMagickModule(),
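Review bot: the added cleanup block dereferences ddata after wmf_api_destroy(API) has already run; if ddata is storage owned by the API handle (where ddata comes from is not visible in this hunk), reading ddata->draw_info at that point is a use-after-free, and if the handle's own teardown already releases the DrawInfo, the DestroyDrawInfo call becomes a double free. Either move the `if (ddata->draw_info != (DrawInfo *) NULL)` block above `wmf_api_destroy(API);`, or make the API teardown the single owner of draw_info, so the DrawInfo is released exactly once and only while ddata is still valid.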

I queried the issue in github.
Comment 8 Marcus Meissner 2017-09-29 07:01:40 UTC
(does not seem to affect us)
Comment 9 Petr Gajdos 2017-10-23 14:48:26 UTC
Actually, I get for both GraphicsMagick and ImageMagick, no matter which version I tried (11 to 42.3):

ERROR: player.c (137): wmf_scan: max_rec_size too big!
identify: Failed to scan file `use-after-free-in-ReadWMFImage'.

No valgrind errors.
Comment 10 Petr Gajdos 2017-10-23 15:12:14 UTC
Given comment 9 and comment 8 and also comment 7:

The point of the patch seems to be:

Introduce double free 
https://github.com/ImageMagick/ImageMagick/commit/b2b48d50300a9fbcd0aa0d9230fd6d7a08f7671e

This is actually bug #1052249 (CVE CVE-2017-12428).

Fix it
https://github.com/ImageMagick/ImageMagick/commit/784fcac688161aeaea221e00b706c88b08196945

Therefore, the ImageMagick-6 commit from comment 2 contains the fix for bug #1052249 and this bug.
Comment 11 Petr Gajdos 2017-10-24 11:43:59 UTC
While bug #1052249 affects only 12/ImageMagick, this bug also affects just 12/ImageMagick (comment 7, comment 10).
Comment 12 Petr Gajdos 2017-10-24 12:04:59 UTC
BEFORE (even before the fix for bug 1052249)

$ valgrind -q --leak-check=full identify use-after-free-in-ReadWMFImage 
ERROR: player.c (137): wmf_scan: max_rec_size too big!
identify: failed to scan file `use-after-free-in-ReadWMFImage' @ error/wmf.c/ReadWMFImage/2705.
==25649== 720 bytes in 1 blocks are definitely lost in loss record 10 of 10
==25649==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==25649==    by 0x4EFC5B7: CloneDrawInfo (draw.c:252)
==25649==    by 0x841B239: ???
==25649==    by 0x4EBF2BA: ReadImage (constitute.c:601)
==25649==    by 0x4FD0B68: ReadStream (stream.c:974)
==25649==    by 0x4EBEE00: PingImage (constitute.c:278)
==25649==    by 0x4EBF03A: PingImages (constitute.c:373)
==25649==    by 0x535852B: IdentifyImageCommand (identify.c:322)
==25649==    by 0x5385C72: MagickCommandGenesis (mogrify.c:166)
==25649==    by 0x400971: IdentifyMain (identify.c:80)
==25649==    by 0x400971: main (identify.c:93)
==25649== 
$

AFTER

$ valgrind -q identify use-after-free-in-ReadWMFImage 
ERROR: player.c (137): wmf_scan: max_rec_size too big!
identify: failed to scan file `use-after-free-in-ReadWMFImage' @ error/wmf.c/ReadWMFImage/2725.
$

Testcase seems to exhibit the same issue as that one from bug 1052249.
Comment 13 Petr Gajdos 2017-10-25 12:28:18 UTC
I believe all fixed.
Comment 16 Swamp Workflow Management 2017-11-08 11:18:25 UTC
SUSE-SU-2017:2949-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1049379,1050135,1052249,1052253,1052545,1054924,1055219,1055430,1061873
CVE References: CVE-2016-7530,CVE-2017-11446,CVE-2017-11534,CVE-2017-12428,CVE-2017-12431,CVE-2017-12433,CVE-2017-13133,CVE-2017-13139,CVE-2017-15033
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.12.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.12.1
Comment 17 Swamp Workflow Management 2017-11-12 17:12:12 UTC
openSUSE-SU-2017:2999-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1049379,1050135,1052249,1052253,1052545,1054924,1055219,1055430,1061873
CVE References: CVE-2016-7530,CVE-2017-11446,CVE-2017-11534,CVE-2017-12428,CVE-2017-12431,CVE-2017-12433,CVE-2017-13133,CVE-2017-13139,CVE-2017-15033
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-37.1
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-30.9.1
Comment 18 Marcus Meissner 2018-02-09 15:23:23 UTC
released