Bug 1383223 (CVE-2016-7996, CVE-2016-7997)

Summary: CVE-2016-7996 CVE-2016-7997 GraphicsMagick: WPG Reader Issues
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: andreas, rdieter
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:59:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1383225, 1383226    
Bug Blocks:    

Description Andrej Nemec 2016-10-10 08:50:09 UTC 
Two security issues have been discovered in the WPG format reader in
GraphicsMagick 1.3.25 (and earlier):

1. CVE-2016-7996
   In a build with QuantumDepth=8 (the default), there is no check
   that the provided colormap is not larger than 256 entries,
   resulting in potential heap overflow.  This problem does not occur
   with larger QuantumDepth values.

2. CVE-2016-7997
   The assertion:

   ReferenceBlob: Assertion `blob != (BlobInfo *) NULL' failed.

   is thrown (causing a crash) for some files due to a logic error
   which leads to passing a NULL pointer where a NULL pointer is not
   allowed.

References (patch attached):

http://seclists.org/oss-sec/2016/q4/55
Comment 1 Andrej Nemec 2016-10-10 08:51:18 UTC 
Created GraphicsMagick tracking bugs for this issue:

Affects: fedora-all [bug 1383225]
Affects: epel-all [bug 1383226]
Comment 2 Rex Dieter 2017-03-02 14:31:11 UTC 
Fwiw, only el6's GraphicsMagick doesn't use --with-quantum-depth=16 build option, so I'm guessing that's the only one vulnerable here.
Comment 3 Rex Dieter 2017-03-02 14:50:12 UTC 
Sorry, that's (apparently) only issue 1.  I'll pull in both fixes
Comment 4 Product Security DevOps Team 2019-06-08 02:59:52 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.