Bug 1074975 - (CVE-2017-18022) VUL-0: CVE-2017-18022: ImageMagick: memory leaks in MontageImageCommand inMagickWand/montage.c could lead to denial of service
(CVE-2017-18022)
VUL-0: CVE-2017-18022: ImageMagick: memory leaks in MontageImageCommand inMag...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/197749/
CVSSv3:SUSE:CVE-2017-18022:5.3:(AV:N/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-01-08 09:12 UTC by Victor Pereira
Modified: 2018-02-10 11:56 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Petr Gajdos 2018-01-09 11:59:50 UTC
See also bug 1074969; the testcase from there evinces the same results.

BEFORE

12/ImageMagick

$ valgrind -q --leak-check=full montage poc /dev/null
montage: no decode delegate for this image format `poc' @ error/constitute.c/ReadImage/555.
montage: missing an image filename `/dev/null' @ error/montage.c/MontageImageCommand/1780.
==15732== 8,332 (4,224 direct, 4,108 indirect) bytes in 1 blocks are definitely lost in loss record 10 of 10
==15732==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==15732==    by 0x4F5FF97: CloneMontageInfo (montage.c:107)
==15732==    by 0x53B28AC: MontageImageCommand (montage.c:353)
==15732==    by 0x5385C52: MagickCommandGenesis (mogrify.c:166)
==15732==    by 0x400836: MontageMain (montage.c:77)
==15732==    by 0x400836: main (montage.c:88)
==15732== 
$

11/ImageMagick

$ valgrind -q --leak-check=full montage poc /dev/null
montage: no decode delegate for this image format `poc'.
montage: missing an image filename `/dev/null'.
==15758== 
==15758== 8,332 (4,224 direct, 4,108 indirect) bytes in 1 blocks are definitely lost in loss record 2 of 2
==15758==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==15758==    by 0x4F24337: CloneMontageInfo (montage.c:107)
==15758==    by 0x53251BF: MontageImageCommand (montage.c:329)
==15758==    by 0x400C6B: main (montage.c:100)
$

11/GraphicsMagick

$ valgrind -q --leak-check=full gm montage poc /dev/null
gm montage: No decode delegate for this image format (poc).
==15780== 
==15780== 6,283 (2,160 direct, 4,123 indirect) bytes in 1 blocks are definitely lost in loss record 1 of 3
==15780==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==15780==    by 0x4EF5439: CloneMontageInfo (montage.c:86)
==15780==    by 0x4E7B14D: MontageImageCommand (command.c:12516)
==15780==    by 0x4E73673: MagickCommand (command.c:7654)
==15780==    by 0x4E737EE: GMCommand (command.c:15278)
==15780==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
==15780== 
==15780== 
==15780== 22,629 (16,448 direct, 6,181 indirect) bytes in 1 blocks are definitely lost in loss record 3 of 3
==15780==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==15780==    by 0x4F29E9C: ExpandFilenames (utility.c:895)
==15780==    by 0x4E7B0E2: MontageImageCommand (command.c:12499)
==15780==    by 0x4E73673: MagickCommand (command.c:7654)
==15780==    by 0x4E737EE: GMCommand (command.c:15278)
==15780==    by 0x76E3585: (below main) (in /lib64/libc-2.9.so)
$

42.x/GraphicsMagick

$ valgrind -q --leak-check=full gm montage poc /dev/null
gm montage: No decode delegate for this image format (poc).
==15843== 2,688 (2,176 direct, 512 indirect) bytes in 1 blocks are definitely lost in loss record 14 of 15
==15843==    at 0x4C29160: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==15843==    by 0x4F06503: CloneMontageInfo (montage.c:87)
==15843==    by 0x4EAC881: MontageImageCommand (command.c:14015)
==15843==    by 0x4E8F884: MagickCommand (command.c:8865)
==15843==    by 0x4E9099D: GMCommandSingle (command.c:17379)
==15843==    by 0x4EB40AD: GMCommand (command.c:17432)
==15843==    by 0x54426E4: (below main) (in /lib64/libc-2.22.so)
==15843== 
==15843== 8,238 (8,216 direct, 22 indirect) bytes in 1 blocks are definitely lost in loss record 15 of 15
==15843==    at 0x4C29160: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==15843==    by 0x4F41B52: ExpandFilenames (utility.c:927)
==15843==    by 0x4EAC836: MontageImageCommand (command.c:14008)
==15843==    by 0x4E8F884: MagickCommand (command.c:8865)
==15843==    by 0x4E9099D: GMCommandSingle (command.c:17379)
==15843==    by 0x4EB40AD: GMCommand (command.c:17432)
==15843==    by 0x54426E4: (below main) (in /lib64/libc-2.22.so)
==15843== 
$

HG/GraphicsMagick

$ valgrind -q --leak-check=full gm montage poc /dev/null
gm montage: No decode delegate for this image format (poc).
$

PATCH

https://github.com/ImageMagick/ImageMagick/commit/8cf0676455929a067257400e8020dea6ca94c1a4
http://hg.code.sf.net/p/graphicsmagick/code/diff/c8a67d5ba503/magick/command.c

AFTER

12/ImageMagick

$ valgrind -q --leak-check=full montage poc /dev/null
montage: no decode delegate for this image format `poc' @ error/constitute.c/ReadImage/555.
montage: missing an image filename `/dev/null' @ error/montage.c/MontageImageCommand/1782.
$

11/ImageMagick

$ valgrind -q --leak-check=full montage poc /dev/null
montage: no decode delegate for this image format `poc'.
montage: missing an image filename `/dev/null'.
$

11/GraphicsMagick

$ valgrind -q --leak-check=full gm montage poc /dev/null
gm montage: Request did not return an image.
$

42.x/GraphicsMagick

$ valgrind -q --leak-check=full gm montage poc /dev/null
gm montage: Request did not return an image.
$
Comment 2 Petr Gajdos 2018-01-09 12:00:44 UTC
Will submit for 12/ImageMagick, 11/ImageMagick, 11/GraphicsMagick and 42.x/GraphicsMagick.
Comment 3 Petr Gajdos 2018-01-09 12:40:50 UTC
I believe all fixed.
Comment 4 Swamp Workflow Management 2018-01-09 13:10:49 UTC
This is an autogenerated message for OBS integration:
This bug (1074975) was mentioned in
https://build.opensuse.org/request/show/562871 42.3 / GraphicsMagick
https://build.opensuse.org/request/show/562872 42.2 / GraphicsMagick
Comment 6 Swamp Workflow Management 2018-01-15 14:09:47 UTC
openSUSE-SU-2018:0087-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1047044,1049373,1050129,1051412,1052468,1052710,1052720,1052731,1055065,1055434,1058640,1067177,1074123,1074975
CVE References: CVE-2017-10800,CVE-2017-11449,CVE-2017-11532,CVE-2017-12564,CVE-2017-12670,CVE-2017-12672,CVE-2017-12675,CVE-2017-13060,CVE-2017-13648,CVE-2017-14326,CVE-2017-16547,CVE-2017-17881,CVE-2017-18022
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-57.1
openSUSE Leap 42.2 (src):    GraphicsMagick-1.3.25-11.60.1
Comment 7 Swamp Workflow Management 2018-01-18 14:10:43 UTC
SUSE-SU-2018:0130-1: An update that fixes 21 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047044,1047898,1050120,1050606,1051446,1052468,1052550,1052710,1052720,1052731,1052732,1055065,1055323,1055434,1055855,1058640,1059751,1074123,1074969,1074973,1074975
CVE References: CVE-2017-10800,CVE-2017-11141,CVE-2017-11529,CVE-2017-11644,CVE-2017-11724,CVE-2017-12434,CVE-2017-12564,CVE-2017-12667,CVE-2017-12670,CVE-2017-12672,CVE-2017-12675,CVE-2017-13060,CVE-2017-13146,CVE-2017-13648,CVE-2017-13658,CVE-2017-14326,CVE-2017-14533,CVE-2017-17881,CVE-2017-18022,CVE-2018-5246,CVE-2018-5247
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.26.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.26.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.26.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.26.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.26.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.26.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.26.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.26.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.26.1
Comment 8 Swamp Workflow Management 2018-01-18 14:16:34 UTC
SUSE-SU-2018:0132-1: An update that fixes 31 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042948,1047044,1047898,1049373,1050120,1050606,1051412,1051446,1052252,1052468,1052550,1052710,1052720,1052731,1052732,1052771,1055065,1055323,1055434,1055855,1058082,1058640,1059751,1072902,1074122,1074123,1074425,1074610,1074969,1074973,1074975
CVE References: CVE-2017-1000445,CVE-2017-1000476,CVE-2017-10800,CVE-2017-11141,CVE-2017-11449,CVE-2017-11529,CVE-2017-11644,CVE-2017-11724,CVE-2017-11751,CVE-2017-12430,CVE-2017-12434,CVE-2017-12564,CVE-2017-12642,CVE-2017-12667,CVE-2017-12670,CVE-2017-12672,CVE-2017-12675,CVE-2017-13060,CVE-2017-13146,CVE-2017-13648,CVE-2017-13658,CVE-2017-14249,CVE-2017-14326,CVE-2017-14533,CVE-2017-17680,CVE-2017-17881,CVE-2017-17882,CVE-2017-18022,CVE-2017-9409,CVE-2018-5246,CVE-2018-5247
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.22.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.22.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.22.1
Comment 9 Swamp Workflow Management 2018-01-20 17:14:58 UTC
openSUSE-SU-2018:0155-1: An update that fixes 21 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047044,1047898,1050120,1050606,1051446,1052468,1052550,1052710,1052720,1052731,1052732,1055065,1055323,1055434,1055855,1058640,1059751,1074123,1074969,1074973,1074975
CVE References: CVE-2017-10800,CVE-2017-11141,CVE-2017-11529,CVE-2017-11644,CVE-2017-11724,CVE-2017-12434,CVE-2017-12564,CVE-2017-12667,CVE-2017-12670,CVE-2017-12672,CVE-2017-12675,CVE-2017-13060,CVE-2017-13146,CVE-2017-13648,CVE-2017-13658,CVE-2017-14326,CVE-2017-14533,CVE-2017-17881,CVE-2017-18022,CVE-2018-5246,CVE-2018-5247
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-49.1
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-30.21.1
Comment 10 Swamp Workflow Management 2018-01-24 20:14:54 UTC
SUSE-SU-2018:0197-1: An update that fixes 23 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047044,1047054,1048457,1049373,1050129,1051412,1051847,1052252,1052460,1052758,1052764,1052771,1055063,1056550,1057723,1058082,1058422,1060577,1061587,1063050,1067177,1074969,1074975
CVE References: CVE-2017-10799,CVE-2017-10800,CVE-2017-11188,CVE-2017-11449,CVE-2017-11532,CVE-2017-12140,CVE-2017-12430,CVE-2017-12563,CVE-2017-12642,CVE-2017-12644,CVE-2017-12662,CVE-2017-12691,CVE-2017-13061,CVE-2017-14042,CVE-2017-14174,CVE-2017-14249,CVE-2017-14343,CVE-2017-14733,CVE-2017-14994,CVE-2017-15277,CVE-2017-16547,CVE-2017-18022,CVE-2018-5247
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-4.78.28.2
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.28.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-4.78.28.2
Comment 11 Marcus Meissner 2018-02-10 11:56:51 UTC
released