Date: Fri, 27 May 2016 09:37:38 -0500 (CDT) From: Bob Friesenhahn <bfriesen@...ple.dallas.tx.us> To: oss-security@...ts.openwall.com Subject: Security issues addressed in GraphicsMagick SVG reader =========================================== SVG Security Improvements in GraphicsMagick =========================================== This is a summary of security improvements made to development GraphicsMagick's SVG reader since the 1.3.23 release. These improvements were made in response to fuzz testing by Gustavo Grieco (using Quickfuzz) which and which resulted in CVE-2016-2317 and CVE-2016-2318. We are thankful that Gustavo has been willing to continue fuzz testing as improvements have been made. While several implementation flaws were found and fixed, the most serious issue which has been addressed is that the SVG reader was doing no parameter value validation whatsoever. Some algorithms are unstable given improper inputs (e.g. negative number). Luckily, the SVG specification is very helpful with noting parameters which have restricted value ranges and this can be used as a guide. The SVG renderer in GraphicsMagick (and the built-in SVG renderer in ImageMagick from which it originated) are based on a design where a SVG pre-processor translates from SVG XML syntax into a simpler internal textual form known as Magick Vector Graphics (MVG). In most cases the pre-processor acts as a translator/re-formatter, but in some cases (e.g. for viewbox and affine transformations) it performs computations. Validation checks are added to the SVG pre-processor whenever a value is used by computations. Otherwise validation checks are primarily added at the MVG level. These improvements were made: * Validate that parameter token text was actually consumed and that the token text does not overflow its buffer. * Correctly estimate memory requirements required by the roundRectangle primitive. * Validate stroke path arguments. In particular, reject negative length values. * Validate stroke dash pattern arguments. In particular, reject negative length values. * Validate stroke-miterlimit values (must be >= 1.0) * Validate radialGradient angle values. * Check rectangle arguments for appropriate ranges (e.g. reject negative width/height). * Check rounded rectangle arguments for appropriate ranges (e.g. reject negative width/height/radius). * Check ellipse arguments for appropriate range (e.g. reject negative radius). * Check viewbox arguments for appropriate ranges (e.g. reject negative width/height). * Prohibit use of Magick-specific file name prefixes and suffix arguments in SVG URLs. * Limit the allowed size of clip-path and gradient images. * Added drawing recursion detection. This avoids hangs and stack exhaustion given self-referential URLs in the SVG. * Fix usages of uninitialized memory discovered with some SVG files. Fuzz testing is an on-going process and we will continue to address any issues discovered. Bob -- Bob Friesenhahn bfriesen@...ple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.