Subject: [ASA-201801-7] graphicsmagick: multiple issues

Arch Linux Security Advisory ASA-201801-7
=========================================

Severity: High
Date    : 2018-01-08
CVE-ID  : CVE-2017-11403 CVE-2017-12935 CVE-2017-12936 CVE-2017-12937
          CVE-2017-13063 CVE-2017-13064 CVE-2017-13065 CVE-2017-13066
          CVE-2017-13134 CVE-2017-13776 CVE-2017-13777 CVE-2017-14165
          CVE-2017-15930 CVE-2017-16547
Package : graphicsmagick
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-355

Summary
=======

The package graphicsmagick before version 1.3.27-1 is vulnerable to
multiple issues including arbitrary code execution and denial of
service.

Resolution
==========

Upgrade to 1.3.27-1.

# pacman -Syu "graphicsmagick>=1.3.27-1"

The problems have been fixed upstream in version 1.3.27.

Workaround
==========

None.

Description
===========

- CVE-2017-11403 (arbitrary code execution)

The ReadMNGImage function in coders/png.c in GraphicsMagick before 1.3.27
has an out-of-order CloseBlob call, resulting in a use-after-free via a
crafted file.

- CVE-2017-12935 (arbitrary code execution)

The ReadMNGImage function in coders/png.c in GraphicsMagick before 1.3.27
mishandles large MNG images, leading to an invalid memory read in the
SetImageColorCallBack function in magick/image.c.

- CVE-2017-12936 (arbitrary code execution)

The ReadWMFImage function in coders/wmf.c in GraphicsMagick before 1.3.27
has a use-after-free issue for data associated with exception reporting.

- CVE-2017-12937 (arbitrary code execution)

The ReadSUNImage function in coders/sun.c in GraphicsMagick before 1.3.27
has a colormap heap-based buffer over-read.

- CVE-2017-13063 (arbitrary code execution)

A heap buffer overflow vulnerability was found in the function
GetStyleTokens in GraphicsMagick before 1.3.27, which allows attackers to
cause a denial of service or possible remote code execution via a crafted
file.
- CVE-2017-13064 (arbitrary code execution)

A heap buffer overflow vulnerability was found in the function
GetStyleTokens in GraphicsMagick before 1.3.27, which allows attackers to
cause a denial of service or possible remote code execution via a crafted
file.

- CVE-2017-13065 (denial of service)

A null pointer dereference vulnerability was found in the function
SVGStartElement in GraphicsMagick before 1.3.27, which allows attackers to
cause a denial of service via a crafted file.

- CVE-2017-13066 (denial of service)

A memory leak vulnerability was found in the function CloneImage in
magick/image.c in GraphicsMagick before 1.3.27, which allows attackers to
cause a denial of service via a crafted file.

- CVE-2017-13134 (denial of service)

In ImageMagick 6.9.9.1, 7.0.6.7 and GraphicsMagick before 1.3.27, a
heap-based buffer over-read was found in the function SFWScan in
coders/sfw.c, which allows attackers to cause a denial of service via a
crafted file.

- CVE-2017-13776 (denial of service)

GraphicsMagick before 1.3.27 has a denial of service issue in
ReadXBMImage() in a coders/xbm.c "Read hex image data" version!=10 case
that results in the reader not returning; it would cause large amounts of
CPU and memory consumption although the crafted file itself does not
request it.

- CVE-2017-13777 (denial of service)

GraphicsMagick before 1.3.27 has a denial of service issue in
ReadXBMImage() in a coders/xbm.c "Read hex image data" version==10 case
that results in the reader not returning; it would cause large amounts of
CPU and memory consumption although the crafted file itself does not
request it.

- CVE-2017-14165 (denial of service)

The ReadSUNImage function in coders/sun.c in GraphicsMagick before 1.3.27
has an issue where memory allocation is excessive because it depends only
on a length field in a header. This may lead to remote denial of service
in the MagickMalloc function in magick/memory.c.
- CVE-2017-15930 (denial of service)

In ReadOneJNGImage in coders/png.c in GraphicsMagick before 1.3.27, a null
pointer dereference occurs while transferring JPEG scanlines, related to a
PixelPacket pointer.

- CVE-2017-16547 (denial of service)

The DrawImage function in magick/render.c in GraphicsMagick before 1.3.27
does not properly look for pop keywords that are associated with push
keywords, which allows remote attackers to cause a denial of service
(negative strncpy and application crash) or possibly have unspecified
other impact via a crafted file.

Impact
======

A remote attacker is able to read sensitive information, crash the
application or execute arbitrary code on the host by providing a
maliciously-crafted input to GraphicsMagick's convert.

References
==========

https://blogs.gentoo.org/ago/2017/07/12/graphicsmagick-use-after-free-in-closeblob-blob-c/
http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37
https://marc.info/?l=oss-security&m=150306448426399
https://blogs.gentoo.org/ago/2017/08/05/graphicsmagick-invalid-memory-read-in-setimagecolorcallback-image-c/
http://hg.code.sf.net/p/graphicsmagick/code/rev/cd699a44f188
http://www.openwall.com/lists/oss-security/2017/08/18/3
https://blogs.gentoo.org/ago/2017/08/05/graphicsmagick-use-after-free-in-readwmfimage-wmf-c/
http://hg.code.sf.net/p/graphicsmagick/code/rev/be898b7c97bd
https://blogs.gentoo.org/ago/2017/08/05/graphicsmagick-heap-based-buffer-overflow-in-readsunimage-sun-c/
http://hg.code.sf.net/p/graphicsmagick/code/rev/95d00d55e978
http://seclists.org/oss-sec/2017/q3/325
https://sourceforge.net/p/graphicsmagick/bugs/434/
http://hg.code.sf.net/p/graphicsmagick/code/rev/54f48ab2d52a
https://sourceforge.net/p/graphicsmagick/bugs/436/
https://sourceforge.net/p/graphicsmagick/bugs/435/
https://sourceforge.net/p/graphicsmagick/bugs/430/
http://www.securityfocus.com/bid/100463
https://github.com/ImageMagick/ImageMagick/issues/670
https://github.com/ImageMagick/ImageMagick/commit/5304ae14655a67b9a3db00563fe44d9abd6de4f0
http://hg.code.sf.net/p/graphicsmagick/code/rev/1b47e0078e05
http://openwall.com/lists/oss-security/2017/08/31/2
http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5e
http://openwall.com/lists/oss-security/2017/08/31/1
https://blogs.gentoo.org/ago/2017/09/06/graphicsmagick-memory-allocation-failure-in-magickmalloc-memory-c-2/
http://hg.code.sf.net/p/graphicsmagick/code/rev/493da54370aa
https://sourceforge.net/p/graphicsmagick/bugs/518/
http://hg.code.sf.net/p/graphicsmagick/code/rev/da135eaedc3b
http://hg.code.sf.net/p/graphicsmagick/code/rev/6fc54b6d2be8
https://sourceforge.net/p/graphicsmagick/bugs/517/
http://hg.code.sf.net/p/graphicsmagick/code/rev/785758bbbfcc
https://security.archlinux.org/CVE-2017-11403
https://security.archlinux.org/CVE-2017-12935
https://security.archlinux.org/CVE-2017-12936
https://security.archlinux.org/CVE-2017-12937
https://security.archlinux.org/CVE-2017-13063
https://security.archlinux.org/CVE-2017-13064
https://security.archlinux.org/CVE-2017-13065
https://security.archlinux.org/CVE-2017-13066
https://security.archlinux.org/CVE-2017-13134
https://security.archlinux.org/CVE-2017-13776
https://security.archlinux.org/CVE-2017-13777
https://security.archlinux.org/CVE-2017-14165
https://security.archlinux.org/CVE-2017-15930
https://security.archlinux.org/CVE-2017-16547
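As an added example (not part of the advisory or of Arch's tooling), a POSIX sh check for the Resolution step: it decides whether an installed graphicsmagick version, as printed by `pacman -Q`, still predates the fixed 1.3.27-1, ordering versions by epoch, then pkgver, then pkgrel as pacman does. The function names, and the assumption that pkgver components are purely numeric, are mine.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether a graphicsmagick
# version string (as printed by `pacman -Q`) predates the fixed 1.3.27-1.
# Assumes numeric dotted pkgver components and the epoch:pkgver-pkgrel form.
FIXED_VERSION="1.3.27-1"

# Compare two dotted numeric strings component by component; prints -1, 0 or 1.
cmp_dotted() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax=${a%%.*}; bx=${b%%.*}
    if [ "$a" = "$ax" ]; then a=; else a=${a#*.}; fi
    if [ "$b" = "$bx" ]; then b=; else b=${b#*.}; fi
    : "${ax:=0}" "${bx:=0}"               # a missing component counts as 0
    if [ "$ax" -lt "$bx" ]; then printf '%s\n' -1; return 0; fi
    if [ "$ax" -gt "$bx" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# True (exit 0) when Arch version $1 sorts before $2: epoch, then pkgver, then pkgrel.
version_lt() {
  v1=$1; v2=$2; e1=0; e2=0
  case $v1 in *:*) e1=${v1%%:*}; v1=${v1#*:};; esac
  case $v2 in *:*) e2=${v2%%:*}; v2=${v2#*:};; esac
  case $v1 in *-*) r1=${v1##*-}; p1=${v1%-*};; *) r1=0; p1=$v1;; esac
  case $v2 in *-*) r2=${v2##*-}; p2=${v2%-*};; *) r2=0; p2=$v2;; esac
  for pair in "$e1 $e2" "$p1 $p2" "$r1 $r2"; do
    set -- $pair
    c=$(cmp_dotted "$1" "$2")
    [ "$c" = -1 ] && return 0
    [ "$c" = 1 ] && return 1
  done
  return 1                                # equal versions are not "less than"
}

# True when the given installed version is still affected by this advisory.
is_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# On an Arch host: query pacman and report. Exit 2 signals an affected install.
check_installed() {
  ver=$(pacman -Q graphicsmagick 2>/dev/null | awk '{print $2}')
  if [ -z "$ver" ]; then echo "graphicsmagick is not installed"; return 0; fi
  if is_vulnerable "$ver"; then
    echo "graphicsmagick $ver is affected; upgrade to $FIXED_VERSION"; return 2
  fi
  echo "graphicsmagick $ver is already at or above $FIXED_VERSION"
}
```

Source the file and run `check_installed` on the host; its exit status can drive a fleet-wide compliance check.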