On GraphicsMagick 1.3.26 2017-07-04 Q8 A memory leak vulnerability was found in function CloneImage in magick/image.c,which allow attackers to cause a denial of service via a crafted file. #./gm identify $FILE ================================================================= ==39635==ERROR: detected memory leaks Indirect leak of 6856 byte(s) in 1 object(s) allocated from: #0 0x4e96f6 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66 #1 0x6e22e1 in CloneImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/image.c:941:15 #2 0x63f90d in ReadImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1607:13 #3 0x63ed64 in PingImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1370:9 #4 0x5b0232 in MagickCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:8869:17 #5 0x5f621e in GMCommandSingle /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17396:10 #6 0x5f4aab in GMCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17449:16 #7 0x7fed6998cb34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274 Indirect leak of 4224 byte(s) in 1 object(s) allocated from: #0 0x4ea255 in posix_memalign /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:142 #1 0x71147b in MagickMallocAligned /home/test/Downloads/GraphicsMagick-1.3.26/magick/memory.c:217:7 #2 0x769a32 in GetCacheInfo /home/test/Downloads/GraphicsMagick-1.3.26/magick/pixel_cache.c:1986:14 Indirect leak of 128 byte(s) in 1 object(s) allocated from: #0 0x4e96f6 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66 #1 0xef94c0 in CloneBlobInfo /home/test/Downloads/GraphicsMagick-1.3.26/magick/blob.c:808:14 #2 0x63f90d in ReadImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1607:13 #3 0x63ed64 in PingImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1370:9 #4 0x5b0232 in MagickCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:8869:17 #5 0x5f621e in GMCommandSingle /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17396:10 #6 0x5f4aab in GMCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17449:16 #7 0x7fed6998cb34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274 Indirect leak of 128 byte(s) in 1 object(s) allocated from: #0 0x4ea255 in posix_memalign /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:142 #1 0x71147b in MagickMallocAligned /home/test/Downloads/GraphicsMagick-1.3.26/magick/memory.c:217:7 #2 0x7637f7 in AllocateCacheNexus /home/test/Downloads/GraphicsMagick-1.3.26/magick/pixel_cache.c:2507:14 #3 0x7637f7 in OpenCacheView /home/test/Downloads/GraphicsMagick-1.3.26/magick/pixel_cache.c:3332 Indirect leak of 64 byte(s) in 1 object(s) allocated from: #0 0x4ea255 in posix_memalign /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:142 #1 0x71147b in MagickMallocAligned /home/test/Downloads/GraphicsMagick-1.3.26/magick/memory.c:217:7 #2 0x7637cd in OpenCacheView /home/test/Downloads/GraphicsMagick-1.3.26/magick/pixel_cache.c:3326:8 ...... 11784 byte(s) leaked in 11 allocation(s). CVE Details:
CVE Details:https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13066
From ${URL}: Bob Friesenhahn - 2017-08-12 This issue was already fixed in GraphicsMagick Mercurial on August 11th. @maintainer(s), please follow procedure to close on this report, thank you. Daj'Uan (mbailey_j) Gentoo Security Scout
@maintainer(s), please clean the vulnerable version from the tree.
cleanup will be tracked in bug #640690 GLSA Vote: No
