List:       oss-security
Subject:    [oss-security] CVE-2017-13775: GraphicsMagick 1.3.26 Denial of Service
From:       "孙浩" <tony.sh () alibaba-inc ! com>
Date:       2017-08-31 1:54:01
Message-ID: de6ce21e-1bd5-4fac-9222-e916e92943c1.tony.sh () alibaba-inc ! com

Hi all.

Description:
GraphicsMagick is a collection of tools and libraries for many image formats.

We found a denial of service (DoS) issue in jnx.c at line 326, GraphicsMagick-1.3.26. The
vulnerable code snippet is shown below.

    326       for (j = 0; j < JNXLevelInfo[i].TileCount; j++)
    327         {
    328           PositionList[j].TileBounds.NorthEast.lat = ReadBlobLSBLong(image);
    329           PositionList[j].TileBounds.NorthEast.lon = ReadBlobLSBLong(image);
    330           PositionList[j].TileBounds.SouthWest.lat = ReadBlobLSBLong(image);
    331           PositionList[j].TileBounds.SouthWest.lon = ReadBlobLSBLong(image);
    332           PositionList[j].PicWidth = ReadBlobLSBShort(image);
    333           PositionList[j].PicHeight = ReadBlobLSBShort(image);
    334           PositionList[j].PicSize = ReadBlobLSBLong(image);
    335           PositionList[j].PicOffset = ReadBlobLSBLong(image);
    336         }

When a crafted JNX image file, which claims a large TileCount but does not contain sufficient
backing data, is provided, the loop at line 326 would consume huge CPU and memory resources,
since there is no EOF (End of File) check inside the loop. In our test, we used a machine with
Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz, 4 CPU cores and 16GB RAM. This bug caused 100% CPU
and up to 4GB RAM consumption. This process lasted for about 4 minutes.

Affected version: 1.3.26
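An added example, not GraphicsMagick's code and not the upstream commit: a bounded reader for the tile table described above, written in C over an in-memory blob. The 28-byte record size is derived from the field layout in the snippet (four 32-bit bounds, two 16-bit sizes, two 32-bit values) and is an assumption of this example. It rejects a TileCount that the remaining bytes cannot back before allocating anything, and it also checks EOF inside the loop, which is the check the advisory notes is missing.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TILE_RECORD_SIZE 28u   /* assumed: 4*4 + 2*2 + 2*4 bytes per PositionList entry */

typedef struct { const uint8_t *data; size_t len, pos; int eof; } Blob;

typedef struct {
  uint32_t ne_lat, ne_lon, sw_lat, sw_lon;
  uint16_t width, height;
  uint32_t size, offset;
} TilePos;

/* Little-endian readers that latch an EOF flag instead of silently returning junk. */
static uint32_t read_lsb_long(Blob *b) {
  if (b->len - b->pos < 4) { b->eof = 1; b->pos = b->len; return 0; }
  const uint8_t *p = b->data + b->pos; b->pos += 4;
  return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t read_lsb_short(Blob *b) {
  if (b->len - b->pos < 2) { b->eof = 1; b->pos = b->len; return 0; }
  const uint8_t *p = b->data + b->pos; b->pos += 2;
  return (uint16_t)(p[0] | p[1] << 8);
}

/* Reads a 32-bit TileCount followed by that many records. Returns the number of
 * tiles parsed and stores them in *out (caller frees), or -1 if the header claims
 * more tiles than the blob holds or the data ends early. */
long parse_tile_table(const uint8_t *data, size_t len, TilePos **out) {
  Blob b = { data, len, 0, 0 };
  uint32_t count = read_lsb_long(&b);
  /* Up-front bound: a small crafted header must not drive a huge loop or allocation. */
  if (b.eof || (uint64_t)count * TILE_RECORD_SIZE > b.len - b.pos) return -1;
  TilePos *list = calloc(count ? count : 1, sizeof *list);
  if (!list) return -1;
  for (uint32_t j = 0; j < count; j++) {
    list[j].ne_lat = read_lsb_long(&b); list[j].ne_lon = read_lsb_long(&b);
    list[j].sw_lat = read_lsb_long(&b); list[j].sw_lon = read_lsb_long(&b);
    list[j].width = read_lsb_short(&b); list[j].height = read_lsb_short(&b);
    list[j].size = read_lsb_long(&b);   list[j].offset = read_lsb_long(&b);
    /* Per-record EOF check: the defence that matters when the total length is not known
     * ahead of time (streamed input), and that the original loop lacked. */
    if (b.eof) { free(list); return -1; }
  }
  *out = list;
  return (long)count;
}
```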

Fixed version:
N/A

Commit fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/b037d79b6ccd
Credit:
This bug was discovered by Xiaohei and Wangchu from Alibaba Security Team.

CVE:
CVE-2017-13775

Reproducer:
https://github.com/shqking/graphicsmagick-poc/blob/master/poc.jnx
The command we were using is
gm convert poc.jnx test.jpg

Timeline:
2017-08-24: bug discovered and reported to upstream privately
2017-08-26: upstream released a fix
2017-08-30: CVE assigned


