List: oss-security
Subject: [oss-security] CVE-2017-13775: GraphicsMagick 1.3.26 Denial of Service
From: "孙浩" <tony.sh () alibaba-inc ! com>
Date: 2017-08-31 1:54:01
Message-ID: de6ce21e-1bd5-4fac-9222-e916e92943c1.tony.sh () alibaba-inc ! com
Hi all.

Description: GraphicsMagick is a collection of tools and libraries for many image formats.

We found a denial of service (DoS) issue in jnx.c at line 326 of GraphicsMagick-1.3.26. The vulnerable code snippet is shown below.

    326   for (j = 0; j < JNXLevelInfo[i].TileCount; j++)
    327     {
    328       PositionList[j].TileBounds.NorthEast.lat = ReadBlobLSBLong(image);
    329       PositionList[j].TileBounds.NorthEast.lon = ReadBlobLSBLong(image);
    330       PositionList[j].TileBounds.SouthWest.lat = ReadBlobLSBLong(image);
    331       PositionList[j].TileBounds.SouthWest.lon = ReadBlobLSBLong(image);
    332       PositionList[j].PicWidth = ReadBlobLSBShort(image);
    333       PositionList[j].PicHeight = ReadBlobLSBShort(image);
    334       PositionList[j].PicSize = ReadBlobLSBLong(image);
    335       PositionList[j].PicOffset = ReadBlobLSBLong(image);
    336     }

When a crafted JNX image file, which claims a large TileCount but does not contain sufficient backing data, is provided, the loop at line 326 would consume huge CPU and memory resources, since there is no EOF (End of File) check inside the loop. In our test, we used a machine with an Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz, 4 CPU cores and 16GB RAM. This bug caused 100% CPU and up to 4GB RAM consumption. This process lasted for about 4 minutes.
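The following is an added example, not code from the advisory or from the upstream fix: a hardened form of the loop above, written against a hypothetical in-memory blob reader (Blob, read_lsb_long, read_lsb_short and TilePosition are stand-ins, not GraphicsMagick's API). It rejects a TileCount that the remaining bytes cannot back before allocating anything, and stops on EOF instead of spinning through short reads.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
/* Hypothetical in-memory stand-in for the blob reader (not GraphicsMagick's API). */
typedef struct { const uint8_t *data; size_t len, pos; int eof; } Blob;
typedef struct {
    int32_t ne_lat, ne_lon, sw_lat, sw_lon;           /* TileBounds */
    uint16_t pic_width, pic_height;
    uint32_t pic_size, pic_offset;
} TilePosition;
#define TILE_RECORD_BYTES 28   /* per iteration of the loop at line 326: 6 longs + 2 shorts */
static uint32_t read_lsb_long(Blob *b) {
    if (b->len - b->pos < 4) { b->eof = 1; b->pos = b->len; return 0; }
    const uint8_t *p = b->data + b->pos; b->pos += 4;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t read_lsb_short(Blob *b) {
    if (b->len - b->pos < 2) { b->eof = 1; b->pos = b->len; return 0; }
    const uint8_t *p = b->data + b->pos; b->pos += 2;
    return (uint16_t)(p[0] | p[1] << 8);
}
/* Hardened form of the loop: returns the number of tiles read, or -1 when tile_count is not
   backed by data. Adds a size bound before allocation and an EOF test after every record. */
long read_tile_positions(const uint8_t *data, size_t len, size_t pos,
                         uint32_t tile_count, TilePosition **out)
{
    Blob b = { data, len, pos, 0 };
    *out = NULL;
    if (pos > len || (uint64_t)tile_count * TILE_RECORD_BYTES > (uint64_t)(len - pos))
        return -1;                                    /* claimed TileCount exceeds the file */
    TilePosition *list = calloc(tile_count ? tile_count : 1, sizeof *list);
    if (list == NULL) return -1;
    for (uint32_t j = 0; j < tile_count; j++) {
        list[j].ne_lat = (int32_t)read_lsb_long(&b);
        list[j].ne_lon = (int32_t)read_lsb_long(&b);
        list[j].sw_lat = (int32_t)read_lsb_long(&b);
        list[j].sw_lon = (int32_t)read_lsb_long(&b);
        list[j].pic_width = read_lsb_short(&b);
        list[j].pic_height = read_lsb_short(&b);
        list[j].pic_size = read_lsb_long(&b);
        list[j].pic_offset = read_lsb_long(&b);
        if (b.eof) { free(list); return -1; }         /* truncated record: stop, do not spin */
    }
    *out = list;
    return (long)tile_count;
}
/* Helper returning PicWidth of the first tile, or -1 when the table is rejected or empty. */
long first_pic_width(const uint8_t *d, size_t n, uint32_t cnt) {
    TilePosition *t; long r = read_tile_positions(d, n, 0, cnt, &t);
    if (r < 1) { free(t); return -1; } r = t->pic_width; free(t); return r;
}
```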
Affected version: 1.3.26
Fixed version:
N/A
Commit fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/b037d79b6ccd
Credit:
This bug was discovered by Xiaohei and Wangchu from Alibaba Security Team.
CVE:
CVE-2017-13775
Reproducer:
https://github.com/shqking/graphicsmagick-poc/blob/master/poc.jnx
The command we were using is:
gm convert poc.jnx test.jpg
Timeline:
2017-08-24: bug discovered and reported to upstream privately
2017-08-26: upstream released a fix
2017-08-30: CVE assigned