Description:
graphicsmagick is a collection of tools and libraries for many image formats.
The complete ASan output of the issue:
# gm convert -clip -negate $FILE out
==11324==ERROR: AddressSanitizer: SEGV on unknown address 0x7f9ccac18000 (pc 0x7f9dbacf58ce bp 0x7ffec95349c0 sp 0x7ffec9534980 T0)
    #0 0x7f9dbacf58cd in SetImageColorCallBack /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/image.c:2090:15
    #1 0x7f9dbaf16bbd in .omp_outlined..4 /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/pixel_iterator.c:378:23
    #2 0x7f9dbaf11873 in PixelIterateMonoModifyImplementation /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/pixel_iterator.c:348:33
    #3 0x7f9dbaf111be in PixelIterateMonoSet /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/pixel_iterator.c:415:10
    #4 0x7f9dbacf379b in SetImageEx /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/image.c:2125:10
    #5 0x7f9db448bc86 in ReadMNGImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/coders/png.c:5016:26
    #6 0x7f9dbaa14e88 in ReadImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/constitute.c:1607:13
    #7 0x7f9dba8a7f18 in ConvertImageCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:4348:22
    #8 0x7f9dba8e40c5 in MagickCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:8869:17
    #9 0x7f9dba98f85b in GMCommandSingle /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:17396:10
    #10 0x7f9dba98c991 in GMCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:17449:16
    #11 0x7f9db91f7680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
    #12 0x419cd8 in _init (/usr/bin/gm+0x419cd8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/image.c:2090:15 in SetImageColorCallBack
==11324==ABORTING
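The trace above is typical of an AFL campaign against an image library: the faulting frame (SetImageColorCallBack in generic pixel code) is not the code that caused the bug, and the frame right below it is a compiler-generated OpenMP region (.omp_outlined..4) that changes between builds. The following triage helper is an added example, not part of the advisory or of GraphicsMagick; it parses the report into frames, builds a deduplication signature from the first in-project frames (skipping outlined regions, libc and the unsymbolised binary entry), and reports the decoder under coders/ whose input reached the crash. The constructed sample is the report above; the project-root string and the signature depth of three are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the ASan report from the advisory above (command line omitted).
SRC = "/var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26"
SAMPLE_REPORT = f"""\
==11324==ERROR: AddressSanitizer: SEGV on unknown address 0x7f9ccac18000 (pc 0x7f9dbacf58ce bp 0x7ffec95349c0 sp 0x7ffec9534980 T0)
    #0 0x7f9dbacf58cd in SetImageColorCallBack {SRC}/magick/image.c:2090:15
    #1 0x7f9dbaf16bbd in .omp_outlined..4 {SRC}/magick/pixel_iterator.c:378:23
    #2 0x7f9dbaf11873 in PixelIterateMonoModifyImplementation {SRC}/magick/pixel_iterator.c:348:33
    #3 0x7f9dbaf111be in PixelIterateMonoSet {SRC}/magick/pixel_iterator.c:415:10
    #4 0x7f9dbacf379b in SetImageEx {SRC}/magick/image.c:2125:10
    #5 0x7f9db448bc86 in ReadMNGImage {SRC}/coders/png.c:5016:26
    #6 0x7f9dbaa14e88 in ReadImage {SRC}/magick/constitute.c:1607:13
    #7 0x7f9dba8a7f18 in ConvertImageCommand {SRC}/magick/command.c:4348:22
    #8 0x7f9dba8e40c5 in MagickCommand {SRC}/magick/command.c:8869:17
    #9 0x7f9dba98f85b in GMCommandSingle {SRC}/magick/command.c:17396:10
    #10 0x7f9dba98c991 in GMCommand {SRC}/magick/command.c:17449:16
    #11 0x7f9db91f7680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
    #12 0x419cd8 in _init (/usr/bin/gm+0x419cd8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV {SRC}/magick/image.c:2090:15 in SetImageColorCallBack
==11324==ABORTING
"""
PROJECT_ROOT = "GraphicsMagick-1.3.26"  # assumption: substring that marks in-tree sources

# "SEGV on unknown address 0x..." for signals; "heap-buffer-overflow on address 0x..." for checks.
HEADER_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
                       r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-f]+))?")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>.+)$")
LOC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::\d+)?$")  # file:line[:col]


@dataclass
class Frame:
    index: int
    func: str
    file: Optional[str]   # None when only "(binary+offset)" is available
    line: Optional[int]


@dataclass
class AsanReport:
    pid: int
    kind: str
    address: Optional[int]
    frames: List[Frame]


def parse_asan_report(text: str) -> AsanReport:
    """Parse the header and the first stack of an ASan report (a UAF report has
    further 'freed by' / 'allocated by' stacks; they restart at #0 and are skipped)."""
    pid = kind = addr = None
    frames: List[Frame] = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            pid, kind = int(m["pid"]), m["kind"]
            addr = int(m["addr"], 16) if m["addr"] else None
            continue
        m = FRAME_RE.match(raw)
        if not m:
            continue
        if int(m["n"]) == 0 and frames:
            break
        loc = LOC_RE.match(m["loc"])
        frames.append(Frame(int(m["n"]), m["func"],
                            loc["file"] if loc else None,
                            int(loc["line"]) if loc else None))
    if pid is None:
        raise ValueError("no AddressSanitizer error header found")
    return AsanReport(pid, kind, addr, frames)


def in_project(frame: Frame, project_root: str) -> bool:
    """In-tree source frames only: drops libc, the unsymbolised binary entry and
    compiler-generated OpenMP outlined regions (names starting with '.')."""
    return (frame.file is not None and project_root in frame.file
            and not frame.func.startswith("."))


def crash_signature(report: AsanReport, project_root: str, depth: int = 3) -> str:
    """Bucket key for deduplicating fuzzer crashes: error kind + top in-project functions."""
    funcs = [f.func for f in report.frames if in_project(f, project_root)][:depth]
    return f"{report.kind}:" + "|".join(funcs)


def triggering_coder(report: AsanReport, project_root: str) -> Optional[Frame]:
    """First in-project frame under coders/: the format decoder that fed the crash."""
    for f in report.frames:
        if in_project(f, project_root) and "/coders/" in f.file:
            return f
    return None


if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    coder = triggering_coder(rep, PROJECT_ROOT)
    print(crash_signature(rep, PROJECT_ROOT))
    print(f"decoder: {coder.func} at {coder.file}:{coder.line}")
```

The signature for this report is `SEGV:SetImageColorCallBack|PixelIterateMonoModifyImplementation|PixelIterateMonoSet`, and the decoder is `ReadMNGImage` at coders/png.c:5016, which is also where the commit linked below applies.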
Affected version:
1.3.26
Fixed version:
N/A
Commit fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/cd699a44f188
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2017-12935
Reproducer:
https://github.com/asarubbo/poc/blob/master/00303-graphicsmagick-invalidread-SetImageColorCallBack
Timeline:
2017-07-12: bug discovered and reported to upstream
2017-07-26: upstream released a fix
2017-08-05: blog post about the issue
2017-08-18: CVE assigned
Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative.
Permalink:
graphicsmagick: invalid memory read in SetImageColorCallBack (image.c)