Bug 1453124 (CVE-2017-9098)
Summary: | CVE-2017-9098 ImageMagick: use of uninitialized memory in RLE decoder | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | abhgupta, cperry, ethan, jhorak, kseifried, nmurray, pahan, sardella, slawomir, tiwillia |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
It was discovered that ImageMagick does not properly guarantee that initialized memory is used when reading RLE images. A remote attacker could possibly exploit this flaw to disclose potentially sensitive memory contents by, for example, tricking ImageMagick into converting a specially crafted RLE image into another format.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2017-05-24 16:41:51 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1453125 | ||
Bug Blocks: | 1453129 |
Description
Adam Mariš
2017-05-22 08:38:26 UTC
Created ImageMagick tracking bugs for this issue: Affects: fedora-all [bug 1453125] References: http://seclists.org/oss-sec/2017/q2/302 When reading RLE images, ImageMagick uses a chunk of heap memory to store the image's pixel values. The problem is that this chunk of memory is not properly initialized (for example reset to only contain 0 bytes) before being used, thus said chunk could contain "live" heap memory instead of data loaded from the RLE image file. This can be a problem, as subsequent processing (e.g. storing it back on disk) could lead to the disclosure of heap memory contents, if the resulting image is shared with the attacker or other untrusted parties. The exact impact depends on the circumstances and the way ImageMagick is used: - If you do not allow RLE images to be processed you are not affected. - If you only process images from trusted sources, or do not disclose any of the images created by ImageMagick outside of trusted parties, the leak should be contained by those trust boundaries. - If you spawn a new process for every image processed (for example, you run the "convert" binary for each image) and don't do anything special apart from that, it's unlikely that anything of interest will be leaked. - If you use ImageMagick as part of a longer running process and ImageMagick image processing shares the heap memory with your application, it's possible that heap memory contents could be disclosed. The exact impact then depends on what exactly is stored in the heap memory. Mitigation: Forcefully disable the RLE decoder from being used, for example by renaming ImageMagick's rle.so library: RHEL6 mitigation: 32bit: mv /usr/lib/ImageMagick-6.7.2/modules-Q16/coders/rle.so /usr/lib/ImageMagick-6.7.2/modules-Q16/coders/rle.so.CVE-2017-9098 64bit: mv /usr/lib64/ImageMagick-6.7.2/modules-Q16/coders/rle.so /usr/lib64/ImageMagick-6.7.2/modules-Q16/coders/rle.so.CVE-2017-9098 RHEL7 mitigation: 32bit: mv /usr/lib/ImageMagick-6.7.8/modules-Q16/coders/rle.so /usr/lib/ImageMagick-6.7.8/modules-Q16/coders/rle.so.CVE-2017-9098 64bit: mv /usr/lib64/ImageMagick-6.7.8/modules-Q16/coders/rle.so /usr/lib64/ImageMagick-6.7.8/modules-Q16/coders/rle.so.CVE-2017-9098 If you are using the glibc heap implementation (default), it may also be possible to set the "MALLOC_PERTURB_" environment variable to a non-zero value before launching the process using ImageMagick. This should forcefully initialize the memory, but may reduce performance. Ensure proper testing before using these methods. Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. |