-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ImageMagick 7.0.11-14 Memory Leak Vulnerability #3767
Comments
We fix memory leaks when valgrind reports |
Hi touch lol.png POC file can be downloaded through attached link Although, valgrind reveals definitely lost and possibly lost bytes and blocks as 0 Please confirm if you're able to reproduce the issue or if need further assistance. Regards |
We reproduced the issue before we commented. Again, definitely lost is a high priority and you can expect a fix within 48 hours. Probably lost is a lower priority and we'll fix the issue someday, maybe. |
Hi, |
As stated before we will fix the issue someday, maybe. And when/if we do that we will update this issue. |
@dlemstra @urban-warrior does ImageMagick team consider this to be a security vulnerability? I'm not clear on the actual attack vector here. Someone submits a empty file to magick-cli, and it eventually exits without freeing memory... How would this be exploited by a bad actor? |
We would treat this differently if we would consider this a security vulnerability. |
Since this is not a security issue I asked MITRE to review it and in case they agree, they will withdraw CVE-2021-34183. |
Thanks. I was going to do the same. CVEs are supposed to be for actual vulnerabilities. Memory leaks can be a component of a vulnerability in certain circumstances, but that doesn't mean "hey I found a memory leak, it's automatically an exploitable vuln." I wish the community was more aware of this at times, but better safe than sorry. |
Prerequisites
ImageMagick version
7.0.11-14
Operating system
Linux
Operating system, version and so on
Ubuntu 20.04.1 LTS x86_64
Description
Hi Team
Memory leak vulnerability is observed in ImageMagick 7.0.11-14 in AcquireSemaphoreMemory and AcquireMagickMemory
HEAP SUMMARY:
in use at exit: 224 bytes in 4 blocks
total heap usage: 1,840 allocs, 1,836 frees, 2,069,964 bytes allocated
64 bytes in 1 blocks are still reachable in loss record 2 of 4
at 0x483E0F0: memalign (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x483E212: posix_memalign (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x182E6C: AcquireSemaphoreMemory (semaphore.c:154)
by 0x182E6C: AcquireSemaphoreInfo (semaphore.c:200)
by 0x182FB4: ActivateSemaphoreInfo (semaphore.c:105)
by 0x476823: AcquireWandId (wand.c:83)
by 0x45B460: AcquireMagickCLI (wandcli.c:94)
by 0x404734: MagickImageCommand (magick-cli.c:703)
by 0x407BCB: MagickCommandGenesis (mogrify.c:191)
by 0x14652E: MagickMain (magick.c:149)
by 0x565E0B2: (below main) (libc-start.c:308)
64 bytes in 1 blocks are still reachable in loss record 3 of 4
at 0x483E0F0: memalign (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x483E212: posix_memalign (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x182E6C: AcquireSemaphoreMemory (semaphore.c:154)
by 0x182E6C: AcquireSemaphoreInfo (semaphore.c:200)
by 0x18508A: NewSplayTree (splay-tree.c:1159)
by 0x476838: AcquireWandId (wand.c:86)
by 0x45B460: AcquireMagickCLI (wandcli.c:94)
by 0x404734: MagickImageCommand (magick-cli.c:703)
by 0x407BCB: MagickCommandGenesis (mogrify.c:191)
by 0x14652E: MagickMain (magick.c:149)
by 0x565E0B2: (below main) (libc-start.c:308)
88 bytes in 1 blocks are still reachable in loss record 4 of 4
at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x15A91C: AcquireMagickMemory (memory.c:558)
by 0x15A91C: AcquireCriticalMemory (memory.c:634)
by 0x185050: NewSplayTree (splay-tree.c:1148)
by 0x476838: AcquireWandId (wand.c:86)
by 0x45B460: AcquireMagickCLI (wandcli.c:94)
by 0x404734: MagickImageCommand (magick-cli.c:703)
by 0x407BCB: MagickCommandGenesis (mogrify.c:191)
by 0x14652E: MagickMain (magick.c:149)
by 0x565E0B2: (below main) (libc-start.c:308)
8 bytes in 1 blocks are still reachable in loss record 1 of 4
at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x549524C: ??? (in /usr/lib/x86_64-linux-gnu/libgomp.so.1.0.0)
by 0x54A5B9A: ??? (in /usr/lib/x86_64-linux-gnu/libgomp.so.1.0.0)
by 0x5493679: ??? (in /usr/lib/x86_64-linux-gnu/libgomp.so.1.0.0)
by 0x4011B89: call_init.part.0 (dl-init.c:72)
by 0x4011C90: call_init (dl-init.c:30)
by 0x4011C90: _dl_init (dl-init.c:119)
by 0x4001139: ??? (in /usr/lib/x86_64-linux-gnu/ld-2.31.so)
by 0x2: ???
by 0x1FFF0002AA: ???
by 0x1FFF0002B3: ???
by 0x1FFF0002CD: ???
LEAK SUMMARY:
definitely lost: 0 bytes in 0 blocks
indirectly lost: 0 bytes in 0 blocks
possibly lost: 0 bytes in 0 blocks
still reachable: 224 bytes in 4 blocks
suppressed: 0 bytes in 0 blocks
Steps to Reproduce
Step 1: touch lol.png
Step 2: ./magick POC lol.png
Download POC
Output: -----
Error: /undefined in 9
Operand stack:
Execution stack:
%interp_exit .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval-- --nostringval-- --nostringval-- false 1 %stopped_push 1990 1 3 %oparray_pop 1989 1 3 %oparray_pop 1977 1 3 %oparray_pop 1833 1 3 %oparray_pop --nostringval-- %errorexec_pop .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval--
Dictionary stack:
--dict:734/1123(ro)(G)-- --dict:0/20(G)-- --dict:76/200(L)--
Current allocation mode is local
Current file position is 42
GPL Ghostscript 9.50: Unrecoverable error, exit code 1
Error: /undefined in 9
Operand stack:
Execution stack:
%interp_exit .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval-- --nostringval-- --nostringval-- false 1 %stopped_push 1990 1 3 %oparray_pop 1989 1 3 %oparray_pop 1977 1 3 %oparray_pop 1833 1 3 %oparray_pop --nostringval-- %errorexec_pop .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval--
Dictionary stack:
--dict:734/1123(ro)(G)-- --dict:0/20(G)-- --dict:76/200(L)--
Current allocation mode is local
Current file position is 42
GPL Ghostscript 9.50: Unrecoverable error, exit code 1
magick: UnableToOpenConfigureFile
delegates.xml' @ warning/configure.c/GetConfigureOptions/702. magick: FailedToExecuteCommand
'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' -g612x792 '-sOutputFile=/tmp/magick-ONcQKce9diFSZu5z0zZ7zZ85585GAsFR%d' '-f/tmp/magick-3VuKl5XdeVHlc4cJyacxRK5c2a76iFIT' '-f/tmp/magick-2mbiNvl-JBnTKcgiVWGrdbXKUq3UMPQR'' (256) @ error/ghostscript-private.h/ExecuteGhostscriptCommand/74.magick: FailedToExecuteCommand `'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' -g612x792 '-sOutputFile=/tmp/magick-ONcQKce9diFSZu5z0zZ7zZ85585GAsFR%d' '-f/tmp/magick-3VuKl5XdeVHlc4cJyacxRK5c2a76iFIT' '-f/tmp/magick-2mbiNvl-JBnTKcgiVWGrdbXKUq3UMPQR' -c showpage' (256) @ error/ghostscript-private.h/ExecuteGhostscriptCommand/74.
To analyse and verify the issue use following command with valgrind --
valgrind --leak-check=full --show-leak-kinds=all ./magick POC lol.png
Images
The text was updated successfully, but these errors were encountered: