
List:       oss-security
Subject:    [oss-security] CVE-2017-13777: GraphicsMagick 1.3.26 Denial of Servic
From:       "孙浩" <tony.sh () alibaba-inc ! com>
Date:       2017-08-31 2:07:24
Message-ID: b2719aac-c013-4b29-ad19-c1aa26d298a5.tony.sh () alibaba-inc ! com


Hi all.
Description:
GraphicsMagick is a collection of tools and libraries for many image formats.

We found a denial of service (DoS) issue in xbm.c at line 314, GraphicsMagick-1.3.26. The
vulnerable code snippet is shown below.

    313   if (version == 10)
    314     for (i=0; i < (long) (bytes_per_line*image->rows); (i+=2))
    315     {
    316       value=XBMInteger(image,hex_digits);
    317       *p++=(unsigned char) value;
    318       if (!padding || ((i+2) % bytes_per_line))
    319         *p++=(unsigned char) (value >> 8);
    320     }

When a crafted XBM image file, which claims large image->rows and image->columns but does not
contain sufficient backing data, is provided, the loop at line 314 would consume huge CPU and
memory resources, since there is no EOF (End of File) check inside the loop. It is worth noting
that variable bytes_per_line is computed based on image->columns earlier. In our test, we used a
machine with Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz, 4 CPU cores and 16GB RAM. This bug
caused 100% CPU and up to 4GB RAM consumption. This process lasted for more than 9 minutes.

Affected version:
1.3.26

Fixed version:
N/A

Commit fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5e

Credit:
This bug was discovered by Xiaohei and Wangchu from Alibaba Security Team.

CVE:
CVE-2017-13777

Reproducer:
https://github.com/shqking/graphicsmagick-poc/blob/master/poc-314.xbm

The command we were using is:
    gm convert poc-314.xbm test.jpg

Timeline:
2017-08-24: bug discovered and reported to upstream privately
2017-08-26: upstream released a fix
2017-08-30: CVE assigned
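Editor's added example, not code from the report or from GraphicsMagick: a toy model of the X10 pixel loop quoted above, run twice over the same truncated input, once trusting the header dimensions as the 1.3.26 loop does and once stopping at the first end-of-input result. The blob reader, the hex-digit table (including the treatment of "x" as a zero digit so that "0x1234" parses), and the bytes_per_line/padding arithmetic are my reconstruction of the reader's shape, not the upstream code or the upstream fix; the input is a constructed fragment with a header claiming 8 columns and 65536 rows but only two 16-bit values of data. Dimensions are kept small so the demonstration finishes instantly rather than in the nine minutes and 4GB the report measured.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for the blob reader: a byte buffer plus a cursor.
 * read_byte() returns -1 at end of input, the role EOF plays upstream. */
typedef struct { const unsigned char *data; size_t len; size_t pos; } Blob;

static int read_byte(Blob *b) { return b->pos < b->len ? b->data[b->pos++] : -1; }

/* Hex digit lookup; 'x'/'X' count as a zero digit so "0x1234" reads as 0x1234.
 * (Assumption about the table shape; returns -1 for any other byte.) */
static int hex_value(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c == 'x' || c == 'X') return 0;
    return -1;
}

/* Toy XBMInteger(): skip to the next hex digit, then accumulate digits.
 * Returns -1 when input ends before a digit is found, so the caller can
 * distinguish "no more data" from a legitimate value of 0. */
static long xbm_integer(Blob *b) {
    int c, d;
    long value = 0;
    do {
        c = read_byte(b);
        if (c < 0) return -1;
    } while ((d = hex_value(c)) < 0);
    do {
        value = (value << 4) | d;
        c = read_byte(b);
    } while (c >= 0 && (d = hex_value(c)) >= 0);
    return value;
}

typedef struct {
    unsigned long iterations;   /* how many times the pixel loop body ran */
    int truncated;              /* 1 if the decoder noticed the data ran out */
} DecodeResult;

/* Modelled on the report's loop for version 10: one 16-bit value per iteration,
 * low byte always stored, high byte skipped on the padding byte of each line.
 * With check_eof == 0 the loop trusts the header's row count and keeps calling
 * xbm_integer() long after the input is exhausted (the CVE-2017-13777 shape);
 * with check_eof == 1 it stops at the first -1 and reports truncation. */
static DecodeResult decode_x10(Blob *b, unsigned long columns, unsigned long rows, int check_eof) {
    DecodeResult r = {0, 0};
    unsigned long padding = ((columns % 16) != 0 && (columns % 16) < 9) ? 1 : 0;
    unsigned long bytes_per_line = (columns + 7) / 8 + padding;  /* always even here */
    unsigned long total = bytes_per_line * rows;
    unsigned char *pixels = malloc(total), *p = pixels;
    if (pixels == NULL) return r;
    for (unsigned long i = 0; i < total; i += 2) {
        long value = xbm_integer(b);
        if (check_eof && value < 0) { r.truncated = 1; break; }
        r.iterations++;
        *p++ = (unsigned char) value;
        if (!padding || ((i + 2) % bytes_per_line))
            *p++ = (unsigned char) (value >> 8);
    }
    free(pixels);
    return r;
}

/* Constructed input: the header (not shown) claims 8 columns x 65536 rows,
 * i.e. 131072 pixel bytes, but only two values of pixel data follow. */
static const unsigned char kTruncatedPixels[] = "0x1234, 0x5678,";

DecodeResult demo(int check_eof) {
    Blob b = { kTruncatedPixels, sizeof kTruncatedPixels - 1, 0 };
    return decode_x10(&b, 8, 65536, check_eof);
}

int main(void) {
    DecodeResult v = demo(0), h = demo(1);
    /* v.iterations is 65536 (the full claimed image); h.iterations is 2 */
    return (v.iterations == 65536 && h.truncated && h.iterations == 2) ? 0 : 1;
}
```

The point the two runs make: the cost of the unchecked loop is bounded by the header's claimed dimensions, not by the bytes actually present, so a few hundred bytes of input can drive work and allocation proportional to whatever rows and columns the attacker writes. Any fix has to give the integer reader a way to signal end of input that the loop then honours.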



