List: oss-security
Subject: [oss-security] CVE-2017-13776: GraphicsMagick 1.3.26 Denial of Servic
From: "孙浩" <tony.sh () alibaba-inc ! com>
Date: 2017-08-31 2:03:29
Message-ID: 99e7d55b-3743-4237-9d98-58e0f674c70b.tony.sh () alibaba-inc ! com
Hi all.
Description:
GraphicsMagick is a collection of tools and libraries for many image formats.
We found a denial of service (DoS) issue in xbm.c at line 322, GraphicsMagick-1.3.26. The
vulnerable code snippet is shown below.

    322   for (i=0; i < (long) (bytes_per_line*image->rows); i++)
    323   {
    324     value=XBMInteger(image,hex_digits);
    325     *p++=(unsigned char) value;
    326   }

When a crafted XBM image file, which claims large image->rows and image->columns but does not
contain sufficient backing data, is provided, the loop at line 322 would consume huge CPU and
memory resources, since there is no EOF (End of File) check inside the loop. It is worth noting
that variable bytes_per_line is computed based on image->columns earlier.

In our test, we used a machine with Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz, 4 CPU cores and
16GB RAM. This bug caused 100% CPU and up to 2GB RAM consumption. This process lasted for about 6
minutes.

Affected version:
1.3.26
Fixed version:
N/A
Commit fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5e
Credit:
This bug was discovered by Xiaohei and Wangchu from Alibaba Security Team.
CVE:
CVE-2017-13776
Reproducer:
https://github.com/shqking/graphicsmagick-poc/blob/master/poc-322.xbm
The command we were using is gm convert poc-322.xbm test.jpg
Timeline:
2017-08-24: bug discovered and reported to upstream privately
2017-08-26: upstream released a fix
2017-08-30: CVE assigned
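
A hardened form of the read loop described in the report, as an added example that is not GraphicsMagick's code and not the upstream fix: the loop stops at end of data, and (going one step beyond the report) the claimed size is bounded by the input length before anything is allocated. Blob, next_hex and read_bitmap are hypothetical names, the 8-pixels-per-byte layout is a simplification, and the sample input is constructed.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical in-memory input standing in for the image file. */
typedef struct { const char *data; size_t len, pos; } Blob;

/* Return the next "0x.." value as a byte, or -1 once the data runs out. */
static int next_hex(Blob *b)
{
    int value = 0, digits = 0;
    while (b->pos + 1 < b->len &&
           !(b->data[b->pos] == '0' && (b->data[b->pos + 1] | 0x20) == 'x'))
        b->pos++;                                   /* skip separators */
    if (b->pos + 1 >= b->len) { b->pos = b->len; return -1; }
    b->pos += 2;
    while (b->pos < b->len && isxdigit((unsigned char) b->data[b->pos])) {
        int c = tolower((unsigned char) b->data[b->pos++]);
        value = ((value << 4) | (isdigit(c) ? c - '0' : c - 'a' + 10)) & 0xff;
        digits++;
    }
    return digits ? value : -1;
}

/* Decode columns x rows pixels (assumed layout: 8 pixels per byte).
   Returns the byte count, or -1 if the input cannot back the claimed size. */
static long read_bitmap(Blob *b, size_t columns, size_t rows, unsigned char **out)
{
    size_t bytes_per_line = columns / 8 + (columns % 8 != 0), total, i;
    *out = NULL;
    if (rows == 0 || bytes_per_line == 0 || bytes_per_line > (size_t) LONG_MAX / rows)
        return -1;                                  /* empty or overflowing size */
    total = bytes_per_line * rows;
    if (total > (b->len - b->pos) / 3)              /* each byte needs >= 3 chars: "0x" + digit */
        return -1;                                  /* rejected before malloc */
    if ((*out = malloc(total)) == NULL)
        return -1;
    for (i = 0; i < total; i++) {
        int v = next_hex(b);
        if (v < 0) { free(*out); *out = NULL; return -1; }  /* EOF check inside the loop */
        (*out)[i] = (unsigned char) v;
    }
    return (long) total;
}

int main(void)
{
    Blob b = { "0x00", 4, 0 };                      /* constructed: large claim, 1 byte of data */
    unsigned char *px;
    printf("%ld\n", read_bitmap(&b, 65535, 65535, &px));
    return 0;
}
```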