Source: imagemagick
Version: 8:6.9.7.4+dfsg-11
Severity: important
Tags: security upstream
Forwarded: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32560

Hi,

the following vulnerability was published for imagemagick.

CVE-2017-14528[0]:
| The TIFFSetProfiles function in coders/tiff.c in ImageMagick 7.0.6 has
| incorrect expectations about whether LibTIFF TIFFGetField return values
| imply that data validation has occurred, which allows remote attackers
| to cause a denial of service (use-after-free after an invalid call to
| TIFFSetField, and application crash) via a crafted file.

According to [2] this is something which should be handled on imagemagick
side.

With current unstable version (8:6.9.7.4+dfsg-16) under valgrind:

==2853== Memcheck, a memory error detector
==2853== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2853== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==2853== Command: convert 810.tif /dev/null
==2853==
==2853== Invalid read of size 8
==2853==    at 0x4C30180: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1021)
==2853==    by 0x9881CF4: _TIFFVSetField (tif_dir.c:627)
==2853==    by 0x98832D3: TIFFSetField (tif_dir.c:798)
==2853==    by 0x966300E: TIFFSetProfiles (tiff.c:2972)
==2853==    by 0x966300E: WriteTIFFImage (tiff.c:3670)
==2853==    by 0x4EC6F1B: WriteImage (constitute.c:1193)
==2853==    by 0x4EC7861: WriteImages (constitute.c:1342)
==2853==    by 0x53451A5: ConvertImageCommand (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x53B121D: MagickCommandGenesis (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x108918: ConvertMain (convert.c:81)
==2853==    by 0x108918: main (convert.c:92)
==2853==  Address 0x9377f90 is 0 bytes inside a block of size 7,640 free'd
==2853==    at 0x4C2DE0F: realloc (vg_replace_malloc.c:785)
==2853==    by 0x4F70ECF: ResizeMagickMemory (memory.c:1190)
==2853==    by 0x4E8FA92: SeekBlob (blob.c:4027)
==2853==    by 0x966BE35: ReadPSDChannel (psd.c:1336)
==2853==    by 0x966BE35: ReadPSDLayer (psd.c:1406)
==2853==    by 0x966F657: ReadPSDLayers (psd.c:1770)
==2853==    by 0x96686B7: TIFFReadPhotoshopLayers (tiff.c:1070)
==2853==    by 0x96686B7: ReadTIFFImage (tiff.c:2128)
==2853==    by 0x4EC59B7: ReadImage (constitute.c:551)
==2853==    by 0x4EC6A8A: ReadImages (constitute.c:860)
==2853==    by 0x5343515: ConvertImageCommand (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x53B121D: MagickCommandGenesis (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x108918: ConvertMain (convert.c:81)
==2853==    by 0x108918: main (convert.c:92)
==2853==  Block was alloc'd at
==2853==    at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==2853==    by 0x4FF2220: AcquireStringInfo (string.c:179)
==2853==    by 0x4FF22A7: CloneStringInfo (string.c:327)
==2853==    by 0x4F9897B: SetImageProfileInternal (profile.c:1655)
==2853==    by 0x9664DCE: ReadProfile (tiff.c:530)
==2853==    by 0x9665B9E: TIFFGetProfiles (tiff.c:614)
==2853==    by 0x9665B9E: ReadTIFFImage (tiff.c:1342)
==2853==    by 0x4EC59B7: ReadImage (constitute.c:551)
==2853==    by 0x4EC6A8A: ReadImages (constitute.c:860)
==2853==    by 0x5343515: ConvertImageCommand (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x53B121D: MagickCommandGenesis (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x108918: ConvertMain (convert.c:81)
==2853==    by 0x108918: main (convert.c:92)
==2853==
==2853== Invalid read of size 8
==2853==    at 0x4C3018E: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1021)
==2853==    by 0x9881CF4: _TIFFVSetField (tif_dir.c:627)
==2853==    by 0x98832D3: TIFFSetField (tif_dir.c:798)
==2853==    by 0x966300E: TIFFSetProfiles (tiff.c:2972)
==2853==    by 0x966300E: WriteTIFFImage (tiff.c:3670)
==2853==    by 0x4EC6F1B: WriteImage (constitute.c:1193)
==2853==    by 0x4EC7861: WriteImages (constitute.c:1342)
==2853==    by 0x53451A5: ConvertImageCommand (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x53B121D: MagickCommandGenesis (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x108918: ConvertMain (convert.c:81)
==2853==    by 0x108918: main (convert.c:92)
==2853==  Address 0x9377fa0 is 16 bytes inside a block of size 7,640 free'd
==2853==    at 0x4C2DE0F: realloc (vg_replace_malloc.c:785)
==2853==    by 0x4F70ECF: ResizeMagickMemory (memory.c:1190)
==2853==    by 0x4E8FA92: SeekBlob (blob.c:4027)
==2853==    by 0x966BE35: ReadPSDChannel (psd.c:1336)
==2853==    by 0x966BE35: ReadPSDLayer (psd.c:1406)
==2853==    by 0x966F657: ReadPSDLayers (psd.c:1770)
==2853==    by 0x96686B7: TIFFReadPhotoshopLayers (tiff.c:1070)
==2853==    by 0x96686B7: ReadTIFFImage (tiff.c:2128)
==2853==    by 0x4EC59B7: ReadImage (constitute.c:551)
==2853==    by 0x4EC6A8A: ReadImages (constitute.c:860)
==2853==    by 0x5343515: ConvertImageCommand (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x53B121D: MagickCommandGenesis (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x108918: ConvertMain (convert.c:81)
==2853==    by 0x108918: main (convert.c:92)
==2853==  Block was alloc'd at
==2853==    at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==2853==    by 0x4FF2220: AcquireStringInfo (string.c:179)
==2853==    by 0x4FF22A7: CloneStringInfo (string.c:327)
==2853==    by 0x4F9897B: SetImageProfileInternal (profile.c:1655)
==2853==    by 0x9664DCE: ReadProfile (tiff.c:530)
==2853==    by 0x9665B9E: TIFFGetProfiles (tiff.c:614)
==2853==    by 0x9665B9E: ReadTIFFImage (tiff.c:1342)
==2853==    by 0x4EC59B7: ReadImage (constitute.c:551)
==2853==    by 0x4EC6A8A: ReadImages (constitute.c:860)
==2853==    by 0x5343515: ConvertImageCommand (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x53B121D: MagickCommandGenesis (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x108918: ConvertMain (convert.c:81)
==2853==    by 0x108918: main (convert.c:92)
==2853==
==2853== Invalid free() / delete / delete[] / realloc()
==2853==    at 0x4C2CE1B: free (vg_replace_malloc.c:530)
==2853==    by 0x4F70AAE: RelinquishMagickMemory (memory.c:1003)
==2853==    by 0x4FF2967: DestroyStringInfo (string.c:839)
==2853==    by 0x4FE2453: DestroySplayTree (splay-tree.c:710)
==2853==    by 0x4F98684: DestroyImageProfiles (profile.c:212)
==2853==    by 0x4F5A2C0: DestroyImage (image.c:1209)
==2853==    by 0x4F674F7: DestroyImageList (list.c:450)
==2853==    by 0x5345206: ConvertImageCommand (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x53B121D: MagickCommandGenesis (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x108918: ConvertMain (convert.c:81)
==2853==    by 0x108918: main (convert.c:92)
==2853==  Address 0x9377f90 is 0 bytes inside a block of size 7,640 free'd
==2853==    at 0x4C2DE0F: realloc (vg_replace_malloc.c:785)
==2853==    by 0x4F70ECF: ResizeMagickMemory (memory.c:1190)
==2853==    by 0x4E8FA92: SeekBlob (blob.c:4027)
==2853==    by 0x966BE35: ReadPSDChannel (psd.c:1336)
==2853==    by 0x966BE35: ReadPSDLayer (psd.c:1406)
==2853==    by 0x966F657: ReadPSDLayers (psd.c:1770)
==2853==    by 0x96686B7: TIFFReadPhotoshopLayers (tiff.c:1070)
==2853==    by 0x96686B7: ReadTIFFImage (tiff.c:2128)
==2853==    by 0x4EC59B7: ReadImage (constitute.c:551)
==2853==    by 0x4EC6A8A: ReadImages (constitute.c:860)
==2853==    by 0x5343515: ConvertImageCommand (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x53B121D: MagickCommandGenesis (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x108918: ConvertMain (convert.c:81)
==2853==    by 0x108918: main (convert.c:92)
==2853==  Block was alloc'd at
==2853==    at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==2853==    by 0x4FF2220: AcquireStringInfo (string.c:179)
==2853==    by 0x4FF22A7: CloneStringInfo (string.c:327)
==2853==    by 0x4F9897B: SetImageProfileInternal (profile.c:1655)
==2853==    by 0x9664DCE: ReadProfile (tiff.c:530)
==2853==    by 0x9665B9E: TIFFGetProfiles (tiff.c:614)
==2853==    by 0x9665B9E: ReadTIFFImage (tiff.c:1342)
==2853==    by 0x4EC59B7: ReadImage (constitute.c:551)
==2853==    by 0x4EC6A8A: ReadImages (constitute.c:860)
==2853==    by 0x5343515: ConvertImageCommand (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x53B121D: MagickCommandGenesis (in /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3.0.0)
==2853==    by 0x108918: ConvertMain (convert.c:81)
==2853==    by 0x108918: main (convert.c:92)
==2853==
convert-im6.q16: Incorrect value for "ICC Profile"; tag ignored. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/912.
convert-im6.q16: unable to decompress image `810.tif' @ error/psd.c/ReadPSDChannel/1342.
==2853==
==2853== HEAP SUMMARY:
==2853==     in use at exit: 88,061 bytes in 17 blocks
==2853==   total heap usage: 5,591 allocs, 5,575 frees, 1,213,310 bytes allocated
==2853==
==2853== LEAK SUMMARY:
==2853==    definitely lost: 69,121 bytes in 1 blocks
==2853==    indirectly lost: 0 bytes in 0 blocks
==2853==      possibly lost: 0 bytes in 0 blocks
==2853==    still reachable: 18,940 bytes in 16 blocks
==2853==         suppressed: 0 bytes in 0 blocks
==2853== Rerun with --leak-check=full to see details of leaked memory
==2853==
==2853== For counts of detected and suppressed errors, rerun with: -v
==2853== ERROR SUMMARY: 444 errors from 3 contexts (suppressed: 0 from 0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14528
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14528
[1] https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32560
[2] http://bugzilla.maptools.org/show_bug.cgi?id=2730

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

_______________________________________________
Secure-testing-team mailing list
Secure-testing-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team