Bug 1074969 - (CVE-2018-5247) VUL-0: CVE-2018-5247: ImageMagick: memory leaks in ReadRLAImage incoders/rla.c could lead to denial of service
(CVE-2018-5247)
VUL-0: CVE-2018-5247: ImageMagick: memory leaks in ReadRLAImage incoders/rla....
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/197754/
CVSSv3:SUSE:CVE-2018-5247:6.5:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-01-08 09:01 UTC by Victor Pereira
Modified: 2018-02-10 11:56 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Petr Gajdos 2018-01-09 11:13:29 UTC
BEFORE

12/ImageMagick

$ valgrind -q --leak-check=full montage poc.rla /dev/null
montage: improper image header `poc.rla' @ error/rla.c/ReadRLAImage/281.
montage: missing an image filename `/dev/null' @ error/montage.c/MontageImageCommand/1780.
==25157== 8 bytes in 1 blocks are definitely lost in loss record 2 of 12
==25157==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==25157==    by 0x8417440: ???
==25157==    by 0x4EBFE1A: ReadImage (constitute.c:601)
==25157==    by 0x4EC0EDA: ReadImages (constitute.c:907)
==25157==    by 0x53B306F: MontageImageCommand (montage.c:425)
==25157==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==25157==    by 0x400836: MontageMain (montage.c:77)
==25157==    by 0x400836: main (montage.c:88)
==25157== 
==25157== 8,332 (4,224 direct, 4,108 indirect) bytes in 1 blocks are definitely lost in loss record 12 of 12
==25157==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==25157==    by 0x4F5FF97: CloneMontageInfo (montage.c:107)
==25157==    by 0x53B28AC: MontageImageCommand (montage.c:353)
==25157==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==25157==    by 0x400836: MontageMain (montage.c:77)
==25157==    by 0x400836: main (montage.c:88)
==25157== 
$
[8-bytes leak is relevant to this bug]

11/ImageMagick

$ valgrind -q --leak-check=full montage poc.rla /dev/null
montage: Improper image header `poc.rla'.
montage: missing an image filename `/dev/null'.
==25172== 
==25172== 8 bytes in 1 blocks are definitely lost in loss record 1 of 4
==25172==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==25172==    by 0x9F084D9: ???
==25172==    by 0x4E94D87: ReadImage (constitute.c:441)
==25172==    by 0x53257C1: MontageImageCommand (montage.c:399)
==25172==    by 0x400C6B: main (montage.c:100)
==25172== 
==25172== 
==25172== 8,332 (4,224 direct, 4,108 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4
==25172==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==25172==    by 0x4F24337: CloneMontageInfo (montage.c:107)
==25172==    by 0x53251BF: MontageImageCommand (montage.c:329)
==25172==    by 0x400C6B: main (montage.c:100)
$
[8-bytes leak is relevant to this bug]

11/GraphicsMagick

$ valgrind -q --leak-check=full gm montage poc.rla /dev/null
gm montage: Improper image header (poc.rla).
==25237== 
==25237== 6,283 (2,160 direct, 4,123 indirect) bytes in 1 blocks are definitely lost in loss record 2 of 4
==25237==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==25237==    by 0x4EF5439: CloneMontageInfo (montage.c:86)
==25237==    by 0x4E7B14D: MontageImageCommand (command.c:12516)
==25237==    by 0x4E73673: MagickCommand (command.c:7654)
==25237==    by 0x4E737EE: GMCommand (command.c:15278)
==25237==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
==25237== 
==25237== 
==25237== 22,633 (16,448 direct, 6,185 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4
==25237==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==25237==    by 0x4F29E9C: ExpandFilenames (utility.c:895)
==25237==    by 0x4E7B0E2: MontageImageCommand (command.c:12499)
==25237==    by 0x4E73673: MagickCommand (command.c:7654)
==25237==    by 0x4E737EE: GMCommand (command.c:15278)
==25237==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
$
[the leak in rla decoder does not reproduce with this testcase]

42.x/GraphicsMagick

$ valgrind -q --leak-check=full gm montage poc.rla /dev/null
gm montage: Improper image header (poc.rla).
==15858== 2,688 (2,176 direct, 512 indirect) bytes in 1 blocks are definitely lost in loss record 15 of 16
==15858==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==15858==    by 0x4F06503: CloneMontageInfo (montage.c:87)
==15858==    by 0x4EAC881: MontageImageCommand (command.c:14015)
==15858==    by 0x4E8F884: MagickCommand (command.c:8865)
==15858==    by 0x4E9099D: GMCommandSingle (command.c:17379)
==15858==    by 0x4EB40AD: GMCommand (command.c:17432)
==15858==    by 0x54426E4: (below main) (in /lib64/libc-2.22.so)
==15858== 
==15858== 8,242 (8,216 direct, 26 indirect) bytes in 1 blocks are definitely lost in loss record 16 of 16
==15858==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==15858==    by 0x4F41B52: ExpandFilenames (utility.c:927)
==15858==    by 0x4EAC836: MontageImageCommand (command.c:14008)
==15858==    by 0x4E8F884: MagickCommand (command.c:8865)
==15858==    by 0x4E9099D: GMCommandSingle (command.c:17379)
==15858==    by 0x4EB40AD: GMCommand (command.c:17432)
==15858==    by 0x54426E4: (below main) (in /lib64/libc-2.22.so)
==15858== 
$
[the leak in rla decoder does not reproduce with this testcase]

HG/GraphicsMagick

$ valgrind -q --leak-check=full gm montage poc.rla /dev/null
gm montage: Improper image header (poc.rla).
$

PATCH

ImageMagick
https://github.com/ImageMagick/ImageMagick/commit/0ecb22aa909e52d86b4545aa7a51f7a0922147e6

GraphicsMagick
11/GraphicsMagick: scanlines variable is not correctly freed, will patch
42.x/GraphicsMagick: scanlines are freed by ThrowRLAReaderException():
http://hg.code.sf.net/p/graphicsmagick/code/diff/f09816eb6b97/coders/rla.c

MontageImageCommand() related leaks are fixed via CVE-2017-18022, bug 1074975.

AFTER

12/ImageMagick

$ valgrind -q --leak-check=full montage poc.rla /dev/null
montage: improper image header `poc.rla' @ error/rla.c/ReadRLAImage/283.
montage: missing an image filename `/dev/null' @ error/montage.c/MontageImageCommand/1780.
==15455== 8,332 (4,224 direct, 4,108 indirect) bytes in 1 blocks are definitely lost in loss record 11 of 11
==15455==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==15455==    by 0x4F5FF97: CloneMontageInfo (montage.c:107)
==15455==    by 0x53B28AC: MontageImageCommand (montage.c:353)
==15455==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==15455==    by 0x400836: MontageMain (montage.c:77)
==15455==    by 0x400836: main (montage.c:88)
==15455== 
$
[the small leak vanished]

11/ImageMagick

$ valgrind -q --leak-check=full montage poc.rla /dev/null
montage: Improper image header `poc.rla'.
montage: missing an image filename `/dev/null'.
==6783== 
==6783== 8,332 (4,224 direct, 4,108 indirect) bytes in 1 blocks are definitely lost in loss record 3 of 3
==6783==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==6783==    by 0x4F24337: CloneMontageInfo (montage.c:107)
==6783==    by 0x53251BF: MontageImageCommand (montage.c:329)
==6783==    by 0x400C6B: main (montage.c:100)
$
[the small leak vanished]

11/GraphicsMagick
$ valgrind -q --leak-check=full gm montage poc.rla /dev/null
gm montage: Improper image header (poc.rla).
==2642== 
==2642== 6,283 (2,160 direct, 4,123 indirect) bytes in 1 blocks are definitely lost in loss record 2 of 4
==2642==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==2642==    by 0x4EF5439: CloneMontageInfo (montage.c:86)
==2642==    by 0x4E7B14D: MontageImageCommand (command.c:12516)
==2642==    by 0x4E73673: MagickCommand (command.c:7654)
==2642==    by 0x4E737EE: GMCommand (command.c:15278)
==2642==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
==2642== 
==2642== 
==2642== 22,633 (16,448 direct, 6,185 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4
==2642==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==2642==    by 0x4F29E9C: ExpandFilenames (utility.c:895)
==2642==    by 0x4E7B0E2: MontageImageCommand (command.c:12499)
==2642==    by 0x4E73673: MagickCommand (command.c:7654)
==2642==    by 0x4E737EE: GMCommand (command.c:15278)
==2642==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
$
[result is the same]
Comment 2 Petr Gajdos 2018-01-09 12:01:26 UTC
Will submit for: 12/ImageMagick, 11/ImageMagick and 11/GraphicsMagick.
Comment 3 Petr Gajdos 2018-01-09 12:41:00 UTC
I believe all fixed.
Comment 5 Swamp Workflow Management 2018-01-18 14:10:25 UTC
SUSE-SU-2018:0130-1: An update that fixes 21 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047044,1047898,1050120,1050606,1051446,1052468,1052550,1052710,1052720,1052731,1052732,1055065,1055323,1055434,1055855,1058640,1059751,1074123,1074969,1074973,1074975
CVE References: CVE-2017-10800,CVE-2017-11141,CVE-2017-11529,CVE-2017-11644,CVE-2017-11724,CVE-2017-12434,CVE-2017-12564,CVE-2017-12667,CVE-2017-12670,CVE-2017-12672,CVE-2017-12675,CVE-2017-13060,CVE-2017-13146,CVE-2017-13648,CVE-2017-13658,CVE-2017-14326,CVE-2017-14533,CVE-2017-17881,CVE-2017-18022,CVE-2018-5246,CVE-2018-5247
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.26.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.26.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.26.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.26.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.26.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.26.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.26.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.26.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.26.1
Comment 6 Swamp Workflow Management 2018-01-18 14:16:17 UTC
SUSE-SU-2018:0132-1: An update that fixes 31 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042948,1047044,1047898,1049373,1050120,1050606,1051412,1051446,1052252,1052468,1052550,1052710,1052720,1052731,1052732,1052771,1055065,1055323,1055434,1055855,1058082,1058640,1059751,1072902,1074122,1074123,1074425,1074610,1074969,1074973,1074975
CVE References: CVE-2017-1000445,CVE-2017-1000476,CVE-2017-10800,CVE-2017-11141,CVE-2017-11449,CVE-2017-11529,CVE-2017-11644,CVE-2017-11724,CVE-2017-11751,CVE-2017-12430,CVE-2017-12434,CVE-2017-12564,CVE-2017-12642,CVE-2017-12667,CVE-2017-12670,CVE-2017-12672,CVE-2017-12675,CVE-2017-13060,CVE-2017-13146,CVE-2017-13648,CVE-2017-13658,CVE-2017-14249,CVE-2017-14326,CVE-2017-14533,CVE-2017-17680,CVE-2017-17881,CVE-2017-17882,CVE-2017-18022,CVE-2017-9409,CVE-2018-5246,CVE-2018-5247
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.22.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.22.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.22.1
Comment 7 Swamp Workflow Management 2018-01-20 17:14:37 UTC
openSUSE-SU-2018:0155-1: An update that fixes 21 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047044,1047898,1050120,1050606,1051446,1052468,1052550,1052710,1052720,1052731,1052732,1055065,1055323,1055434,1055855,1058640,1059751,1074123,1074969,1074973,1074975
CVE References: CVE-2017-10800,CVE-2017-11141,CVE-2017-11529,CVE-2017-11644,CVE-2017-11724,CVE-2017-12434,CVE-2017-12564,CVE-2017-12667,CVE-2017-12670,CVE-2017-12672,CVE-2017-12675,CVE-2017-13060,CVE-2017-13146,CVE-2017-13648,CVE-2017-13658,CVE-2017-14326,CVE-2017-14533,CVE-2017-17881,CVE-2017-18022,CVE-2018-5246,CVE-2018-5247
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-49.1
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-30.21.1
Comment 8 Swamp Workflow Management 2018-01-24 20:14:44 UTC
SUSE-SU-2018:0197-1: An update that fixes 23 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047044,1047054,1048457,1049373,1050129,1051412,1051847,1052252,1052460,1052758,1052764,1052771,1055063,1056550,1057723,1058082,1058422,1060577,1061587,1063050,1067177,1074969,1074975
CVE References: CVE-2017-10799,CVE-2017-10800,CVE-2017-11188,CVE-2017-11449,CVE-2017-11532,CVE-2017-12140,CVE-2017-12430,CVE-2017-12563,CVE-2017-12642,CVE-2017-12644,CVE-2017-12662,CVE-2017-12691,CVE-2017-13061,CVE-2017-14042,CVE-2017-14174,CVE-2017-14249,CVE-2017-14343,CVE-2017-14733,CVE-2017-14994,CVE-2017-15277,CVE-2017-16547,CVE-2017-18022,CVE-2018-5247
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.78.28.2
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.28.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.28.2
Comment 9 Marcus Meissner 2018-02-10 11:56:33 UTC
released