Bug 1487194 (CVE-2017-12935, CVE-2017-12936, CVE-2017-12937, CVE-2017-13063, CVE-2017-13064, CVE-2017-13065, CVE-2017-13648, CVE-2017-14042) - CVE-2017-12935 CVE-2017-12936 CVE-2017-12937 CVE-2017-13063 CVE-2017-13064 CVE-2017-13065 CVE-2017-13648 CVE-2017-14042 GraphicsMagick: Multiple vulnerabilities
Summary: CVE-2017-12935 CVE-2017-12936 CVE-2017-12937 CVE-2017-13063 CVE-2017-13064 CV...
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2017-12935, CVE-2017-12936, CVE-2017-12937, CVE-2017-13063, CVE-2017-13064, CVE-2017-13065, CVE-2017-13648, CVE-2017-14042
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20170805,reported=2...
Depends On: 1475494 1475495
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-08-31 12:19 UTC by Andrej Nemec
Modified: 2019-06-08 22:16 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 03:23:14 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2017-08-31 12:19:37 UTC
CVE-2017-12935

The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26
mishandles large MNG images, leading to an invalid memory read in the
SetImageColorCallBack function in magick/image.c.

http://hg.code.sf.net/p/graphicsmagick/code/rev/95d00d55e978
https://blogs.gentoo.org/ago/2017/08/05/graphicsmagick-heap-based-buffer-overflow-in-readsunimage-sun-c/

CVE-2017-12936

The ReadWMFImage function in coders/wmf.c in GraphicsMagick 1.3.26 has
a use-after-free issue for data associated with exception reporting.

http://hg.code.sf.net/p/graphicsmagick/code/rev/be898b7c97bd
https://blogs.gentoo.org/ago/2017/08/05/graphicsmagick-use-after-free-in-readwmfimage-wmf-c/

CVE-2017-12937

The ReadSUNImage function in coders/sun.c in GraphicsMagick 1.3.26 has
a colormap heap-based buffer over-read.

http://hg.code.sf.net/p/graphicsmagick/code/rev/cd699a44f188
https://blogs.gentoo.org/ago/2017/08/05/graphicsmagick-invalid-memory-read-in-setimagecolorcallback-image-c/

Comment 1 Andrej Nemec 2017-08-31 12:20:26 UTC
Created GraphicsMagick tracking bugs for this issue:

Affects: epel-all [bug 1475494]
Affects: fedora-all [bug 1475495]

Comment 2 Andrej Nemec 2017-08-31 14:40:35 UTC
CVE-2017-13063

GraphicsMagick 1.3.26 has a heap-based buffer overflow vulnerability in the function GetStyleTokens in coders/svg.c:314:12. 

https://sourceforge.net/p/graphicsmagick/bugs/434/
http://hg.code.sf.net/p/graphicsmagick/code/rev/54f48ab2d52a

CVE-2017-13064

GraphicsMagick 1.3.26 has a heap-based buffer overflow vulnerability in the function GetStyleTokens in coders/svg.c:311:12. 

https://sourceforge.net/p/graphicsmagick/bugs/436/
http://hg.code.sf.net/p/graphicsmagick/code/rev/54f48ab2d52a

CVE-2017-13065

GraphicsMagick 1.3.26 has a NULL pointer dereference vulnerability in the function SVGStartElement in coders/svg.c. 

https://sourceforge.net/p/graphicsmagick/bugs/435/
http://hg.code.sf.net/p/graphicsmagick/code/rev/54f48ab2d52a

Comment 3 Andrej Nemec 2017-08-31 14:43:37 UTC
CVE-2017-13648

In GraphicsMagick 1.3.26, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c. 

https://sourceforge.net/p/graphicsmagick/bugs/433/

Comment 4 Andrej Nemec 2017-08-31 15:02:17 UTC
CVE-2017-14042

A memory allocation failure was discovered in the ReadPNMImage function in coders/pnm.c in GraphicsMagick 1.3.26. The vulnerability causes a big memory allocation, which may lead to remote denial of service in the MagickRealloc function in magick/memory.c. 

http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d
https://blogs.gentoo.org/ago/2017/08/28/graphicsmagick-memory-allocation-failure-in-magickrealloc-memory-c-2/

Comment 5 Product Security DevOps Team 2019-06-08 03:23:14 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.


Note You need to log in before you can comment on or make changes to this bug.