
Bug 630256 (CVE-2017-14172, CVE-2017-14173, CVE-2017-14174, CVE-2017-14175)

Summary: <media-gfx/imagemagick-{6.9.9.18,7.0.7.6}: Multiple Vulnerabilities (CVE-2017-{14172,14173,14174,14175})
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: graphics+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/ImageMagick/ImageMagick/issues/
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---

Description D'juan McDonald (domhnall) 2017-09-07 15:34:38 UTC
From ${URL}:

In coders/ps.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSImage() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted PSD file, which claims a large "extent" field in the header but does not contain sufficient backing data, is provided, the loop over "length" would consume huge CPU resources, since there is no EOF check inside the loop.

Upstream:(https://github.com/ImageMagick/ImageMagick/issues/715)

Patch:https://github.com/ImageMagick/ImageMagick/commit/8598a497e2d1f556a34458cf54b40ba40674734c

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14172

 
In the function ReadTXTImage() in coders/txt.c in ImageMagick 7.0.6-10, an integer overflow might occur for the addition operation "GetQuantumRange(depth)+1" when "depth" is large, producing a smaller value than expected. As a result, an infinite loop would occur for a crafted TXT file that claims a very large "max_value" value.

Patch:https://github.com/ImageMagick/ImageMagick/commit/48bcf7c39302cdf9b0d9202ad03bf1b95152c44d

Upstream:(https://github.com/ImageMagick/ImageMagick/issues/713)

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14173

In coders/psd.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSDLayersInternal() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted PSD file, which claims a large "length" field in the header but does not contain sufficient backing data, is provided, the loop over "length" would consume huge CPU resources, since there is no EOF check inside the loop.

Patch: 2/2
https://github.com/ImageMagick/ImageMagick/commit/04a567494786d5bb50894fc8bb8fea0cf496bea8
https://github.com/ImageMagick/ImageMagick/commit/f68a98a9d385838a1c73ec960a14102949940a64

Upstream:(https://github.com/ImageMagick/ImageMagick/issues/714)

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14174

In coders/xbm.c in ImageMagick 7.0.6-1 Q16, a DoS in ReadXBMImage() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted XBM file, which claims large rows and columns fields in the header but does not contain sufficient backing data, is provided, the loop over the rows would consume huge CPU resources, since there is no EOF check inside the loop.

Upstream:(https://github.com/ImageMagick/ImageMagick/issues/712)

Patch:https://github.com/ImageMagick/ImageMagick/commit/b8c63b156bf26b52e710b1a0643c846a6cd01e56

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14175


@maintainer(s), after bump, please call for stabilization if needed, thank you.

Daj Uan (jmbailey/mbailey_j)
Gentoo Security Padawan
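
The missing-EOF pattern reported above for ReadPSImage(), ReadPSDLayersInternal() and ReadXBMImage(), reduced to a self-contained C example. It is added here and is not ImageMagick's code or the upstream patches; `Blob`, `blob_getc`, `read_unchecked`, `read_checked` and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed in-memory stream standing in for an image blob (hypothetical type). */
typedef struct { const unsigned char *data; size_t size, pos; } Blob;

/* Next byte, or EOF once the backing data is exhausted. */
static int blob_getc(Blob *b) {
    return b->pos < b->size ? b->data[b->pos++] : EOF;
}

/* "Before": loops over the claimed length and never looks at EOF.
   Returns the number of iterations performed. */
static size_t read_unchecked(Blob *b, size_t claimed, unsigned long *sum) {
    size_t iters = 0;
    for (size_t i = 0; i < claimed; i++, iters++)
        *sum += (unsigned long)blob_getc(b);   /* EOF (-1) is folded in as data */
    return iters;
}

/* "After": same loop, but truncated input ends it at once.
   Returns 0 on success, -1 if the data ran out before `claimed` bytes. */
static int read_checked(Blob *b, size_t claimed, unsigned long *sum, size_t *iters) {
    *iters = 0;
    for (size_t i = 0; i < claimed; i++) {
        int c = blob_getc(b);
        (*iters)++;
        if (c == EOF)
            return -1;                         /* reject: header overstated the length */
        *sum += (unsigned long)c;
    }
    return 0;
}

int main(void) {
    static const unsigned char body[] = { 1, 2, 3, 4 };  /* constructed sample */
    size_t claimed = 50000000, iters;                     /* length the header claims */
    unsigned long sum = 0;
    Blob a = { body, sizeof body, 0 }, b = { body, sizeof body, 0 };

    printf("unchecked iterations: %zu\n", read_unchecked(&a, claimed, &sum));
    int rc = read_checked(&b, claimed, &sum, &iters);
    printf("checked: rc=%d after %zu iterations\n", rc, iters);
    return 0;
}
```

The unchecked loop's cost is set entirely by the attacker-supplied header field, while the checked loop's cost is bounded by the bytes actually present.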
Comment 1 D'juan McDonald (domhnall) 2017-09-07 15:48:51 UTC
@maintainer(s), further research points to multiple patches for each CVE, located at upstream /issues/#.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-10-23 17:10:02 UTC
CVE-2017-14175 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14175):
  In coders/xbm.c in ImageMagick 7.0.6-1 Q16, a DoS in ReadXBMImage() due to
  lack of an EOF (End of File) check might cause huge CPU consumption. When a
  crafted XBM file, which claims large rows and columns fields in the header
  but does not contain sufficient backing data, is provided, the loop over the
  rows would consume huge CPU resources, since there is no EOF check inside
  the loop.

CVE-2017-14174 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14174):
  In coders/psd.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSDLayersInternal()
  due to lack of an EOF (End of File) check might cause huge CPU consumption.
  When a crafted PSD file, which claims a large "length" field in the header
  but does not contain sufficient backing data, is provided, the loop over
  "length" would consume huge CPU resources, since there is no EOF check
  inside the loop.

CVE-2017-14173 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14173):
  In the function ReadTXTImage() in coders/txt.c in ImageMagick 7.0.6-10, an
  integer overflow might occur for the addition operation
  "GetQuantumRange(depth)+1" when "depth" is large, producing a smaller value
  than expected. As a result, an infinite loop would occur for a crafted TXT
  file that claims a very large "max_value" value.

CVE-2017-14172 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14172):
  In coders/ps.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSImage() due to
  lack of an EOF (End of File) check might cause huge CPU consumption. When a
  crafted PSD file, which claims a large "extent" field in the header but does
  not contain sufficient backing data, is provided, the loop over "length"
  would consume huge CPU resources, since there is no EOF check inside the
  loop.
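
The wrap-around described for CVE-2017-14173, worked through in a self-contained C example. It is added here and is not ImageMagick's code or the upstream patch; `quantum_range`, `depth_unguarded`, `depth_guarded`, the 64-bit clamp and the `budget` cap are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a "largest value at this bit depth" helper:
   2^depth - 1, clamped at 64 bits. Assumption, not ImageMagick's code. */
static uint64_t quantum_range(unsigned depth) {
    return depth >= 64 ? UINT64_MAX : (UINT64_C(1) << depth) - 1;
}

/* "Before": find the smallest depth whose range+1 reaches max_value.
   At depth 64 the "+1" wraps to 0, so a huge max_value is never reached.
   `budget` is a demo-only cap; returns -1 where the real loop would spin. */
static int depth_unguarded(uint64_t max_value, unsigned budget) {
    unsigned depth;
    for (depth = 1; quantum_range(depth) + 1 < max_value; depth++)
        if (depth >= budget)
            return -1;
    return (int)depth;
}

/* "After": bound the depth so the wrapped sum is never evaluated. */
static int depth_guarded(uint64_t max_value) {
    unsigned depth;
    for (depth = 1; depth < 64 && quantum_range(depth) + 1 < max_value; depth++)
        ;
    return (int)depth;
}

int main(void) {
    printf("range(64)+1 = %llu\n", (unsigned long long)(quantum_range(64) + 1));
    printf("unguarded, max=65536:  %d\n", depth_unguarded(65536, 1000));
    printf("unguarded, max=2^64-1: %d\n", depth_unguarded(UINT64_MAX, 1000));
    printf("guarded,   max=2^64-1: %d\n", depth_guarded(UINT64_MAX));
    return 0;
}
```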
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-11-11 14:17:58 UTC
This issue was resolved and addressed in
 GLSA 201711-07 at https://security.gentoo.org/glsa/201711-07
by GLSA coordinator Aaron Bauman (b-man).