Roundup: [oss-security] Re: GraphicsMagick heap out of bounds write issue

[grahamc]

Here is a report from the oss-security mailing list for Vulnerability Roundup 27.

Skip to First Email

Instructions:

Identification

Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.

Example:

unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged

IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!

Patching

Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.

If you open a pull request, tag this issue and the master issue for the roundup.

If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:

fixed:

release-16.09: abc123

Skip to First Email

Upon Completion ...

• Update Graham's database

Info

Triage Indicator:

-needs-triage +roundup27 thread:0000000000003e08

• File Search: https://search.nix.gsc.io/?q=graphicsmagick&i=fosho&repos=nixos-nixpkgs
• GitHub Search: https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=graphicsmagick+in%3Apath&type=Code

Should the search term be changed from graphicsmagick? Suggest a new package search by commenting:

-suggested:graphicsmagick +suggested:correctPackageName thread:0000000000003e08

Known CVEs: CVE-2017-6335

---

Skip to End

Thu, 23 Feb 2017 21:18:17 -0600 (CST) Bob Friesenhahn <bfriesen-at-simple.dallas.tx.us>, alpine.GSO.2.20.1702232109380.9710@freddy.simplesystems.org

GraphicsMagick versions up to 1.3.25 encounter a write beyond an 
allocated heap buffer when reading CMYKA TIFF files which claim to 
offer fewer samples per pixel than required.

This is the tiffinfo description of the problematic TIFF file:

TIFF Directory at offset 0x808 (2056)
   Image Width: 34 Image Length: 48
   Bits/Sample: 8
   Sample Format: unsigned integer
   Compression Scheme: None
   Photometric Interpretation: separated
   Extra Samples: 1<unassoc-alpha>
   Orientation: row 0 top, col 0 lhs
   Samples/Pixel: 2
   Rows/Strip: 32
   Planar Configuration: single image plane

The fix for this is Mercurial changeset 14998:6156b4c2992d which may 
be viewed at SourceForge via this link:

https://sourceforge.net/p/graphicsmagick/code/ci/6156b4c2992d855ece6079653b3b93c3229fc4b8/

A minimal patch to correct the problem is attached.

This issue was reported to us on February 15, 2017 by Valon Chu.

Bob
-- 
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

tiff.c.patch

diff -r 0392c4305a43 -r 6156b4c2992d coders/tiff.c
--- a/coders/tiff.c	Sun Jan 29 10:04:57 2017 -0600
+++ b/coders/tiff.c	Thu Feb 23 21:06:50 2017 -0600
@@ -1230,8 +1230,8 @@
                   case 0:
                     if (samples_per_pixel == 1)
                       *quantum_type=GrayQuantum;
-                      else
-                        *quantum_type=RedQuantum;
+                    else
+                      *quantum_type=RedQuantum;
                     break;
                   case 1:
                     *quantum_type=GreenQuantum;
@@ -1411,12 +1411,12 @@
               }
             else
               {
-                if (image->matte)
+                if (image->matte && samples_per_pixel >= 5)
                   {
                     *quantum_type=CMYKAQuantum;
                     *quantum_samples=5;
                   }
-                else
+                else if (samples_per_pixel >= 4)
                   {
                     *quantum_type=CMYKQuantum;
                     *quantum_samples=4;

Skip to End

---

Fri, 24 Feb 2017 08:23:21 -0600 (CST) Bob Friesenhahn <bfriesen-at-simple.dallas.tx.us>, alpine.GSO.2.20.1702240821470.9710@freddy.simplesystems.org

I would like to ammend this report in that the situation is a read 
beyond an allocated heap buffer rather than a write beyond the end of 
an allocated heap buffer as was originally reported.  The application 
may crash but should not be otherwise compromised.

Bob

On Thu, 23 Feb 2017, Bob Friesenhahn wrote:

> GraphicsMagick versions up to 1.3.25 encounter a write beyond an allocated 
> heap buffer when reading CMYKA TIFF files which claim to offer fewer samples 
> per pixel than required.
>
> This is the tiffinfo description of the problematic TIFF file:
>
> TIFF Directory at offset 0x808 (2056)
>  Image Width: 34 Image Length: 48
>  Bits/Sample: 8
>  Sample Format: unsigned integer
>  Compression Scheme: None
>  Photometric Interpretation: separated
>  Extra Samples: 1<unassoc-alpha>
>  Orientation: row 0 top, col 0 lhs
>  Samples/Pixel: 2
>  Rows/Strip: 32
>  Planar Configuration: single image plane
>
> The fix for this is Mercurial changeset 14998:6156b4c2992d which may be 
> viewed at SourceForge via this link:
>
> https://sourceforge.net/p/graphicsmagick/code/ci/6156b4c2992d855ece6079653b3b93c3229fc4b8/
>
> A minimal patch to correct the problem is attached.
>
> This issue was reported to us on February 15, 2017 by Valon Chu.
>
> Bob
>

-- 
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

Skip to End

---

Tue, 28 Feb 2017 08:19:36 -0600 (CST) Bob Friesenhahn <bfriesen-at-simple.dallas.tx.us>, alpine.GSO.2.20.1702280817550.12318@freddy.simplesystems.org

This problem has been issued CVE-2017-6335.

The original reporter has tried to post CVE-assignment information to 
the list but the mail has not made it through yet.

Bob

On Fri, 24 Feb 2017, Bob Friesenhahn wrote:

> I would like to ammend this report in that the situation is a read beyond an 
> allocated heap buffer rather than a write beyond the end of an allocated heap 
> buffer as was originally reported.  The application may crash but should not 
> be otherwise compromised.
>
> Bob
>
> On Thu, 23 Feb 2017, Bob Friesenhahn wrote:
>
>> GraphicsMagick versions up to 1.3.25 encounter a write beyond an allocated 
>> heap buffer when reading CMYKA TIFF files which claim to offer fewer 
>> samples per pixel than required.
>> 
>> This is the tiffinfo description of the problematic TIFF file:
>> 
>> TIFF Directory at offset 0x808 (2056)
>>  Image Width: 34 Image Length: 48
>>  Bits/Sample: 8
>>  Sample Format: unsigned integer
>>  Compression Scheme: None
>>  Photometric Interpretation: separated
>>  Extra Samples: 1<unassoc-alpha>
>>  Orientation: row 0 top, col 0 lhs
>>  Samples/Pixel: 2
>>  Rows/Strip: 32
>>  Planar Configuration: single image plane
>> 
>> The fix for this is Mercurial changeset 14998:6156b4c2992d which may be 
>> viewed at SourceForge via this link:
>> 
>> https://sourceforge.net/p/graphicsmagick/code/ci/6156b4c2992d855ece6079653b3b93c3229fc4b8/
>> 
>> A minimal patch to correct the problem is attached.
>> 
>> This issue was reported to us on February 15, 2017 by Valon Chu.
>> 
>> Bob
>> 
>
>

-- 
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

Skip to End

---

[ndowens]

Working on
EDIT:
I couldn't get the patch to work, maybe someone else will have luck:
https://sources.debian.net/data/main/g/graphicsmagick/1.3.25-8/debian/patches/Fix_out_of_bounds_access_when_reading_CMYKA_tiff.patch

[7c6f434c]

Well, we just need to cut out more from the patch and bring it back to the mailing-list minimalistic glory!

fixed:

master: 7b706900e7dd3ec55eb46a366f0bc47858fb7633
release-16.09: 065343bf7cba327dc3873365da9e4f5775edd954
release-17.09: a8baac668faca19f1c42d1f01b2b2c12db1bbb7a

[grahamc]

I wonder if either of you saw that tiff.c.patch was listed here in this thread? Looks good!

[7c6f434c]

«mailing-list minimalistic glory» was an explicit reference to tiff.c.patch. I just decided to keep the Mercurial revision reference anyway.