Arch Linux Security Advisory ASA-201801-7
=========================================

Severity: High
Date    : 2018-01-08
CVE-ID  : CVE-2017-11403 CVE-2017-12935 CVE-2017-12936 CVE-2017-12937
          CVE-2017-13063 CVE-2017-13064 CVE-2017-13065 CVE-2017-13066
          CVE-2017-13134 CVE-2017-13776 CVE-2017-13777 CVE-2017-14165
          CVE-2017-15930 CVE-2017-16547
Package : graphicsmagick
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-355

Summary
=======

The package graphicsmagick before version 1.3.27-1 is vulnerable to
multiple issues including arbitrary code execution and denial of
service.

Resolution
==========

Upgrade to 1.3.27-1.

# pacman -Syu "graphicsmagick>=1.3.27-1"

The problems have been fixed upstream in version 1.3.27.

Workaround
==========

None.

Description
===========

- CVE-2017-11403 (arbitrary code execution)

The ReadMNGImage function in coders/png.c in GraphicsMagick before
1.3.27 has an out-of-order CloseBlob call, resulting in a use-after-
free via a crafted file.

- CVE-2017-12935 (arbitrary code execution)

The ReadMNGImage function in coders/png.c in GraphicsMagick before
1.3.27 mishandles large MNG images, leading to an invalid memory read
in the SetImageColorCallBack function in magick/image.c.

- CVE-2017-12936 (arbitrary code execution)

The ReadWMFImage function in coders/wmf.c in GraphicsMagick before
1.3.27 has a use-after-free issue for data associated with exception
reporting.

- CVE-2017-12937 (arbitrary code execution)

The ReadSUNImage function in coders/sun.c in GraphicsMagick before
1.3.27 has a colormap heap-based buffer over-read.

- CVE-2017-13063 (arbitrary code execution)

A heap buffer overflow vulnerability was found in the function
GetStyleTokens in GraphicsMagick before 1.3.27, which allow attackers
to cause a denial of service, or possible remote code execution via a
crafted file.

- CVE-2017-13064 (arbitrary code execution)

A heap buffer overflow vulnerability was found in function
GetStyleTokens in GraphicsMagick before 1.3.27, which allow attackers
to cause a denial of service or possible remote code execution via a
crafted file.

- CVE-2017-13065 (denial of service)

A null pointer dereference vulnerability was found in function
SVGStartElement in GraphicsMagick before 1.3.27, which allow attackers
to cause a denial of service via a crafted file.

- CVE-2017-13066 (denial of service)

A memory leak vulnerability was found in function CloneImage in
magick/image.c in GraphicsMagick before 1.3.27, which allow attackers
to cause a denial of service via a crafted file.

- CVE-2017-13134 (denial of service)

In ImageMagick 6.9.9.1, 7.0.6.7 and GraphicsMagick before 1.3.27, a
heap-based buffer over-read was found in the function SFWScan in
coders/sfw.c, which allows attackers to cause a denial of service via a
crafted file.

- CVE-2017-13776 (denial of service)

GraphicsMagick before 1.3.27 has a denial of service issue in
ReadXBMImage() in a coders/xbm.c "Read hex image data" version!=10 case
that results in the reader not returning; it would cause large amounts
of CPU and memory consumption although the crafted file itself does not
request it.

- CVE-2017-13777 (denial of service)

GraphicsMagick before 1.3.27 has a denial of service issue in
ReadXBMImage() in a coders/xbm.c "Read hex image data" version==10 case
that results in the reader not returning; it would cause large amounts
of CPU and memory consumption although the crafted file itself does not
request it.

- CVE-2017-14165 (denial of service)

The ReadSUNImage function in coders/sun.c in GraphicsMagick before
1.3.27 has an issue where memory allocation is excessive because it
depends only on a length field in a header. This may lead to remote
denial of service in the MagickMalloc function in magick/memory.c.

- CVE-2017-15930 (denial of service)

In ReadOneJNGImage in coders/png.c in GraphicsMagick before 1.3.27, a
null pointer dereference occurs while transferring JPEG scanlines,
related to a PixelPacket pointer.

- CVE-2017-16547 (denial of service)

The DrawImage function in magick/render.c in GraphicsMagick before
1.3.27 does not properly look for pop keywords that are associated with
push keywords, which allows remote attackers to cause a denial of
service (negative strncpy and application crash) or possibly have
unspecified other impact via a crafted file.

Impact
======

A remote attacker is able to read sensitive information, crash the
application or execute arbitrary code on the host by providing a
maliciously-crafted input to GraphicsMagick's convert.

References
==========

https://blogs.gentoo.org/ago/2017/07/12/graphicsmagick-use-after-free-in-closeblob-blob-c/
http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37
https://marc.info/?l=oss-security&m=150306448426399
https://blogs.gentoo.org/ago/2017/08/05/graphicsmagick-invalid-memory-read-in-setimagecolorcallback-image-c/
http://hg.code.sf.net/p/graphicsmagick/code/rev/cd699a44f188
http://www.openwall.com/lists/oss-security/2017/08/18/3
https://blogs.gentoo.org/ago/2017/08/05/graphicsmagick-use-after-free-in-readwmfimage-wmf-c/
http://hg.code.sf.net/p/graphicsmagick/code/rev/be898b7c97bd
https://blogs.gentoo.org/ago/2017/08/05/graphicsmagick-heap-based-buffer-overflow-in-readsunimage-sun-c/
http://hg.code.sf.net/p/graphicsmagick/code/rev/95d00d55e978
http://seclists.org/oss-sec/2017/q3/325
https://sourceforge.net/p/graphicsmagick/bugs/434/
http://hg.code.sf.net/p/graphicsmagick/code/rev/54f48ab2d52a
https://sourceforge.net/p/graphicsmagick/bugs/436/
https://sourceforge.net/p/graphicsmagick/bugs/435/
https://sourceforge.net/p/graphicsmagick/bugs/430/
http://www.securityfocus.com/bid/100463
https://github.com/ImageMagick/ImageMagick/issues/670
https://github.com/ImageMagick/ImageMagick/commit/5304ae14655a67b9a3db00563fe44d9abd6de4f0
http://hg.code.sf.net/p/graphicsmagick/code/rev/1b47e0078e05
http://openwall.com/lists/oss-security/2017/08/31/2
http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5e
http://openwall.com/lists/oss-security/2017/08/31/1
https://blogs.gentoo.org/ago/2017/09/06/graphicsmagick-memory-allocation-failure-in-magickmalloc-memory-c-2/
http://hg.code.sf.net/p/graphicsmagick/code/rev/493da54370aa
https://sourceforge.net/p/graphicsmagick/bugs/518/
http://hg.code.sf.net/p/graphicsmagick/code/rev/da135eaedc3b
http://hg.code.sf.net/p/graphicsmagick/code/rev/6fc54b6d2be8
https://sourceforge.net/p/graphicsmagick/bugs/517/
http://hg.code.sf.net/p/graphicsmagick/code/rev/785758bbbfcc
https://security.archlinux.org/CVE-2017-11403
https://security.archlinux.org/CVE-2017-12935
https://security.archlinux.org/CVE-2017-12936
https://security.archlinux.org/CVE-2017-12937
https://security.archlinux.org/CVE-2017-13063
https://security.archlinux.org/CVE-2017-13064
https://security.archlinux.org/CVE-2017-13065
https://security.archlinux.org/CVE-2017-13066
https://security.archlinux.org/CVE-2017-13134
https://security.archlinux.org/CVE-2017-13776
https://security.archlinux.org/CVE-2017-13777
https://security.archlinux.org/CVE-2017-14165
https://security.archlinux.org/CVE-2017-15930
https://security.archlinux.org/CVE-2017-16547