
List:       oss-security
Subject:    [oss-security] CVE-2017-13776: GraphicsMagick 1.3.26 Denial of Service
From:       "孙浩" <tony.sh () alibaba-inc ! com>
Date:       2017-08-31 2:03:29
Message-ID: 99e7d55b-3743-4237-9d98-58e0f674c70b.tony.sh () alibaba-inc ! com

Hi all.

Description:
GraphicsMagick is a collection of tools and libraries for many image formats.
We found a denial of service (DoS) issue in xbm.c at line 322, GraphicsMagick-1.3.26. The
vulnerable code snippet is shown below.

    322     for (i=0; i < (long) (bytes_per_line*image->rows); i++)
    323     {
    324       value=XBMInteger(image,hex_digits);
    325       *p++=(unsigned char) value;
    326     }

When a crafted XBM image file, which claims large image->rows and image->columns but does
not contain sufficient backing data, is provided, the loop at line 322 would consume huge
CPU and memory resources, since there is no EOF (End of File) check inside the loop. It is
worth noting that the variable bytes_per_line is computed based on image->columns earlier.
In our test, we used a machine with Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz, 4 CPU cores
and 16GB RAM. This bug caused 100% CPU and up to 2GB RAM consumption. This process lasted
for about 6 minutes.

Affected version:
1.3.26

Fixed version:
N/A

Commit fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5e

Credit:
This bug was discovered by Xiaohei and Wangchu from Alibaba Security Team.

CVE:
CVE-2017-13776

Reproducer:
https://github.com/shqking/graphicsmagick-poc/blob/master/poc-322.xbm

The command we were using is:

    gm convert poc-322.xbm test.jpg

Timeline:
2017-08-24: bug discovered and reported to upstream privately
2017-08-26: upstream released a fix
2017-08-30: CVE assigned
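The mechanism the report describes is a reader loop whose trip count comes from the header (bytes_per_line*rows) while the data it consumes comes from the file body, with nothing tying the two together. The following is an added example, not code from the advisory and not GraphicsMagick's own xbm.c: a minimal in-memory XBM reader that keeps the shape of the quoted loop, once in the unchecked form and once with the EOF test inside the loop. `Blob`, `read_hex_byte` and `decode_xbm` are simplified stand-ins for the real reader and `XBMInteger()`, the `MAX_PIXEL_BYTES` ceiling is a defensive addition for the demo rather than a description of the upstream commit, and the two sample files are constructed here (they are not the linked poc-322.xbm).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Added illustration, not GraphicsMagick code. Blob, read_hex_byte and
 * decode_xbm are simplified stand-ins for the real reader and XBMInteger();
 * MAX_PIXEL_BYTES is a ceiling for this demo, not part of the upstream fix. */
#define MAX_PIXEL_BYTES (64UL * 1024 * 1024)

typedef struct { const char *data; size_t len, pos; } Blob;   /* whole file in memory */

static int blob_getc(Blob *b)
{
    return b->pos < b->len ? (unsigned char)b->data[b->pos++] : EOF;
}

/* Scan to the next "0x" literal and return its low byte; -1 if the input ends
 * first. That -1 is the EOF condition the unchecked loop never inspects. */
static int read_hex_byte(Blob *b)
{
    int c, value = 0, digits = 0;

    for (;;) {                                  /* locate the "0x" prefix */
        if ((c = blob_getc(b)) == EOF)
            return -1;
        if (c == '0') {
            if ((c = blob_getc(b)) == 'x' || c == 'X')
                break;
            if (c == EOF)
                return -1;
        }
    }
    while ((c = blob_getc(b)) != EOF && isxdigit(c)) {
        value = ((value << 4) | (isdigit(c) ? c - '0' : tolower(c) - 'a' + 10)) & 0xff;
        digits++;
    }
    return digits ? value : -1;
}

/* Vulnerable shape: bytes_per_line*rows iterations regardless of input. Past
 * the real data each call returns -1, which is stored and ignored, so the loop
 * runs for the full claimed size. Returns the iteration count. */
static unsigned long read_pixels_unchecked(Blob *b, unsigned long count, unsigned char *out)
{
    unsigned long i;
    for (i = 0; i < count; i++)
        out[i] = (unsigned char)read_hex_byte(b);   /* EOF never checked */
    return i;
}

/* Fixed shape: test for EOF inside the loop and reject the image (-1). */
static long read_pixels_checked(Blob *b, unsigned long count, unsigned char *out)
{
    unsigned long i;
    for (i = 0; i < count; i++) {
        int value = read_hex_byte(b);
        if (value < 0)
            return -1;                              /* premature end of data */
        out[i] = (unsigned char)value;
    }
    return (long)i;
}

/* Decode an in-memory XBM. Returns pixel bytes produced by the selected loop,
 * or -1 for a bad header, an absurd claimed size, or (checked != 0) early EOF. */
static long decode_xbm(const char *text, int checked)
{
    unsigned long width, height, bytes_per_line, count;
    const char *w = strstr(text, "_width"), *h = strstr(text, "_height");
    const char *brace = strchr(text, '{');
    unsigned char *out;
    Blob b;
    long n;

    if (!w || !h || sscanf(w, "_width %lu", &width) != 1
                 || sscanf(h, "_height %lu", &height) != 1)
        return -1;
    bytes_per_line = (width + 7) / 8;               /* derived from columns */
    if (height != 0 && bytes_per_line > MAX_PIXEL_BYTES / height)
        return -1;                                  /* demo size ceiling */
    count = bytes_per_line * height;
    if ((out = malloc(count ? count : 1)) == NULL)
        return -1;

    b.data = text;
    b.len = strlen(text);
    b.pos = brace ? (size_t)(brace - text) : 0;     /* skip header numbers */
    n = checked ? read_pixels_checked(&b, count, out)
                : (long)read_pixels_unchecked(&b, count, out);
    free(out);
    return n;
}

/* Constructed sample files for the demo, not the advisory's PoC. */
static const char GOOD_XBM[] =
    "#define t_width 8\n#define t_height 2\n"
    "static char t_bits[] = { 0x81, 0x7e };\n";
static const char TRUNCATED_XBM[] =
    "#define t_width 64\n#define t_height 8\n"      /* claims 8*8 = 64 bytes */
    "static char t_bits[] = { 0x81, 0x7e };\n";     /* but carries only 2 */

int main(void)
{
    printf("good, checked:        %ld\n", decode_xbm(GOOD_XBM, 1));      /* 2 */
    printf("truncated, unchecked: %ld\n", decode_xbm(TRUNCATED_XBM, 0)); /* 64 */
    printf("truncated, checked:   %ld\n", decode_xbm(TRUNCATED_XBM, 1)); /* -1 */
    return 0;
}
```

On the truncated sample the unchecked loop reports 64 accepted bytes although only two exist, which is the behaviour the advisory scales up to minutes of CPU time by claiming very large dimensions; the checked loop stops at the third call and rejects the file. The size ceiling before `malloc` is separate from the EOF check: it bounds the allocation that happens before the loop runs, which the EOF test alone does not address.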
