oss-sec mailing list archives

CVE-2017-13776: GraphicsMagick 1.3.26 Denial of Service issue in ReadXBMImage() in coders/xbm.c


From: "孙浩" <tony.sh () alibaba-inc com>
Date: Thu, 31 Aug 2017 10:03:29 +0800

Hi all.
Description: graphicsmagick is a collection of tools and libraries for many image formats.
We found a denial of service (DoS) issue in xbm.c at line 322, GraphicsMagick-1.3.26. The vulnerable code snippet is shown below.

    322     for (i=0; i < (long) (bytes_per_line*image->rows); i++)
    323     {
    324       value=XBMInteger(image,hex_digits);
    325       *p++=(unsigned char) value;
    326     }

When a crafted XBM image file, which claims large image->rows and image->columns but does not contain sufficient backing data, is provided, the loop at line 322 would consume huge CPU and memory resources, since there is no EOF (End of File) check inside the loop. It is worth noting that variable bytes_per_line is computed based on image->columns earlier.

In our test, we used a machine with Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz, 4 CPU cores and 16GB RAM. This bug caused 100% CPU and up to 2GB RAM consumption.
This process lasted for about 6 minutes.

Affected version:
1.3.26

Fixed version:
N/A

Commit fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5e

Credit:
This bug was discovered by Xiaohei and Wangchu from Alibaba Security Team.

CVE:
CVE-2017-13776

Reproducer:
https://github.com/shqking/graphicsmagick-poc/blob/master/poc-322.xbm
The command we were using is:
    gm convert poc-322.xbm test.jpg

Timeline:
2017-08-24: bug discovered and reported to upstream privately
2017-08-26: upstream released a fix
2017-08-30: CVE assigned
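
The loop pattern from the report with the missing end-of-input check added, as an example written for this page (not GraphicsMagick code and not the upstream fix). `next_hex`, `read_bits`, the size bound and the sample strings are hypothetical, constructed stand-ins for the XBM reader and its input.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Next hex value from *s (advancing it), or -1 once the input is exhausted. */
static int next_hex(const char **s)
{
    char *end;
    unsigned long v;
    while (**s == ' ' || **s == ',' || **s == '\n')
        (*s)++;
    v = strtoul(*s, &end, 16);      /* base 16 also accepts a 0x prefix */
    if (end == *s)
        return -1;                  /* nothing parsed: end of data */
    *s = end;
    return (int) (v & 0xff);
}

/* Fill rows*bytes_per_line bytes from the hex text in data (constructed
 * stand-in for the XBM body). Returns a malloc'd buffer, or NULL when the
 * claimed size is not backed by input. *reads counts next_hex() calls. */
unsigned char *read_bits(const char *data, size_t bytes_per_line,
                         size_t rows, size_t *reads)
{
    size_t total, i;
    unsigned char *buf;
    *reads = 0;
    if (rows != 0 && bytes_per_line > SIZE_MAX / rows)
        return NULL;                /* size computation would overflow */
    total = bytes_per_line * rows;
    if (total == 0 || total > strlen(data))
        return NULL;                /* assumed bound: >= 1 input char per value */
    if ((buf = malloc(total)) == NULL)
        return NULL;
    for (i = 0; i < total; i++) {
        int value = next_hex(&data);
        (*reads)++;
        if (value < 0) {            /* stop at end of input */
            free(buf);
            return NULL;
        }
        buf[i] = (unsigned char) value;
    }
    return buf;
}

int main(void) {   /* constructed truncated input: claims 4 bytes, has 2 */
    size_t n; return read_bits("0x01, 0x02", 2, 2, &n) == NULL && n == 3 ? 0 : 1;
}
```

With the size bound, an oversized claim is rejected before any allocation or parsing; with the in-loop check, a truncated body costs one read past the last value instead of a full pass over the claimed size.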
