From 056f22f48af40a0d8f8b6011afc25b6f8bd512d6 Mon Sep 17 00:00:00 2001 From: Rex Dieter Date: Thu, 27 Jul 2017 21:33:28 -0500 Subject: [PATCH] CVE-2017-11102 (#1473728) CVE-2017-11139 (#1473739) CVE-2017-11140 (#1473750) CVE-2017-11636 (#1475456) CVE-2017-11637 (#1475452) CVE-2017-11638 (#1475708) CVE-2017-11641 (#1475489) --- GraphicsMagick-CVE-2017-11102-1.patch | 30 ++++ GraphicsMagick-CVE-2017-11102-2.patch | 192 ++++++++++++++++++++++++++ GraphicsMagick-CVE-2017-11139.patch | 23 +++ GraphicsMagick-CVE-2017-11140.patch | 80 +++++++++++ GraphicsMagick-CVE-2017-11636.patch | 155 +++++++++++++++++++++ GraphicsMagick-CVE-2017-11637.patch | 54 ++++++++ GraphicsMagick-CVE-2017-11638.patch | 43 ++++++ GraphicsMagick-CVE-2017-11641.patch | 42 ++++++ GraphicsMagick.spec | 28 +++- 9 files changed, 646 insertions(+), 1 deletion(-) create mode 100644 GraphicsMagick-CVE-2017-11102-1.patch create mode 100644 GraphicsMagick-CVE-2017-11102-2.patch create mode 100644 GraphicsMagick-CVE-2017-11139.patch create mode 100644 GraphicsMagick-CVE-2017-11140.patch create mode 100644 GraphicsMagick-CVE-2017-11636.patch create mode 100644 GraphicsMagick-CVE-2017-11637.patch create mode 100644 GraphicsMagick-CVE-2017-11638.patch create mode 100644 GraphicsMagick-CVE-2017-11641.patch diff --git a/GraphicsMagick-CVE-2017-11102-1.patch b/GraphicsMagick-CVE-2017-11102-1.patch new file mode 100644 index 0000000..6ffc037 --- /dev/null +++ b/GraphicsMagick-CVE-2017-11102-1.patch 
@@ -0,0 +1,30 @@ + +# HG changeset patch +# User Glenn Randers-Pehrson +# Date 1499262082 14400 +# Node ID dea93a690fc125f70fb8688a0ff3035b96b0045e +# Parent a42ae8447fe7a457790bf699371a1a6f3c6d4e57 +Stop crash due to zero-length color_image while reading a JNG + +diff -r a42ae8447fe7 -r dea93a690fc1 coders/png.c +--- a/coders/png.c Tue Jul 04 16:33:37 2017 -0500 ++++ b/coders/png.c Wed Jul 05 09:41:22 2017 -0400 +@@ -3314,12 +3314,13 @@ + + if (logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), +- " Copying JDAT chunk data" +- " to color_blob."); +- if (color_image != (Image *)NULL) ++ " Copying %lu bytes of JDAT chunk data" ++ " to color_blob.",length); ++ if (length && color_image != (Image *)NULL) ++ { + (void) WriteBlob(color_image,length,(char *) chunk); +- if (length) + MagickFreeMemory(chunk); ++ } + continue; + } + + diff --git a/GraphicsMagick-CVE-2017-11102-2.patch b/GraphicsMagick-CVE-2017-11102-2.patch new file mode 100644 index 0000000..9ed271d --- /dev/null +++ b/GraphicsMagick-CVE-2017-11102-2.patch 
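Review bot: In the JDAT branch of the embedded png.c change, `MagickFreeMemory(chunk)` now runs only when `length && color_image != (Image *)NULL`, whereas the removed code freed the chunk whenever `length` was non-zero. A non-empty JDAT chunk that arrives while `color_image` is still NULL would reach `continue` without being released. Whether the next iteration overwrites `chunk` cannot be confirmed here, because the chunk loop starts outside the hunk. Keeping the free on the length test alone avoids the leak: `if (length) { if (color_image != (Image *)NULL) (void) WriteBlob(color_image,length,(char *) chunk); MagickFreeMemory(chunk); }`.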
@@ -0,0 +1,192 @@ + +# HG changeset patch +# User Glenn Randers-Pehrson +# Date 1499352170 14400 +# Node ID d445af60a8d50c4c6f063c7e65fea255b6db2b33 +# Parent dea93a690fc125f70fb8688a0ff3035b96b0045e +coders/png.c: Consolidate JNG cleanup into a new DestroyJNG() function. + +diff -r dea93a690fc1 -r d445af60a8d5 coders/png.c +--- a/coders/png.c Wed Jul 05 09:41:22 2017 -0400 ++++ b/coders/png.c Thu Jul 06 10:42:50 2017 -0400 +@@ -2924,18 +2924,20 @@ + + #if defined(JNG_SUPPORTED) + +- + void +-DestroyJNGInfo(ImageInfo *color_image_info, ImageInfo *alpha_image_info) ++DestroyJNG(unsigned char *chunk,Image *color_image,ImageInfo *color_image_info, ++ Image *alpha_image,ImageInfo *alpha_image_info) + { +- if (color_image_info != (ImageInfo *)NULL) +- { +- DestroyImageInfo(color_image_info); +- } +- if (alpha_image_info != (ImageInfo *)NULL) +- { +- DestroyImageInfo(alpha_image_info); +- } ++ if (chunk) ++ MagickFreeMemory(chunk); ++ if (color_image_info) ++ DestroyImageInfo(color_image_info); ++ if (alpha_image_info) ++ DestroyImageInfo(alpha_image_info); ++ if (color_image) ++ DestroyImage(color_image); ++ if (alpha_image) ++ DestroyImage(alpha_image); + } + /* + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +@@ -3105,7 +3107,8 @@ + + if (length > PNG_MAX_UINT || count == 0) + { +- DestroyJNGInfo(color_image_info,alpha_image_info); ++ DestroyJNG(NULL,color_image,color_image_info, ++ alpha_image,alpha_image_info); + ThrowReaderException(CorruptImageError,CorruptImage,image); + } + +@@ -3116,13 +3119,15 @@ + chunk=MagickAllocateMemory(unsigned char *,length); + if (chunk == (unsigned char *) NULL) + { +- DestroyJNGInfo(color_image_info,alpha_image_info); ++ DestroyJNG(chunk,color_image,color_image_info, ++ alpha_image,alpha_image_info); + ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, + image); + } + if (ReadBlob(image,length,chunk) < length) + { +- DestroyJNGInfo(color_image_info,alpha_image_info); ++ 
DestroyJNG(chunk,color_image,color_image_info, ++ alpha_image,alpha_image_info); + ThrowReaderException(CorruptImageError,CorruptImage,image); + } + p=chunk; +@@ -3133,8 +3138,8 @@ + { + if (length != 16) + { +- DestroyJNGInfo(color_image_info,alpha_image_info); +- MagickFreeMemory(chunk); ++ DestroyJNG(chunk,color_image,color_image_info, ++ alpha_image,alpha_image_info); + (void) ThrowException2(&image->exception,CoderWarning, + "Invalid JHDR chunk length",(char *) NULL); + return (MagickFail); +@@ -3196,8 +3201,8 @@ + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " JNG width or height too large: (%lu x %lu)", + jng_width, jng_height); +- MagickFreeMemory(chunk); +- DestroyJNGInfo(color_image_info,alpha_image_info); ++ DestroyJNG(chunk,color_image,color_image_info, ++ alpha_image,alpha_image_info); + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); + } + +@@ -3224,7 +3229,8 @@ + color_image_info=MagickAllocateMemory(ImageInfo *,sizeof(ImageInfo)); + if (color_image_info == (ImageInfo *) NULL) + { +- DestroyJNGInfo(color_image_info,alpha_image_info); ++ DestroyJNG(chunk,color_image,color_image_info, ++ alpha_image,alpha_image_info); + ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, + image); + } +@@ -3232,7 +3238,8 @@ + color_image=AllocateImage(color_image_info); + if (color_image == (Image *) NULL) + { +- DestroyJNGInfo(color_image_info,alpha_image_info); ++ DestroyJNG(chunk,color_image,color_image_info, ++ alpha_image,alpha_image_info); + ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, + image); + } +@@ -3244,7 +3251,8 @@ + exception); + if (status == MagickFalse) + { +- DestroyJNGInfo(color_image_info,alpha_image_info); ++ DestroyJNG(chunk,color_image,color_image_info, ++ alpha_image,alpha_image_info); + ThrowReaderException(CoderError,UnableToOpenBlob,color_image); + } + +@@ -3254,7 +3262,8 @@ + sizeof(ImageInfo)); + if (alpha_image_info == (ImageInfo *) NULL) + { +- 
DestroyJNGInfo(color_image_info,alpha_image_info); ++ DestroyJNG(chunk,color_image,color_image_info, ++ alpha_image,alpha_image_info); + ThrowReaderException(ResourceLimitError, + MemoryAllocationFailed, image); + } +@@ -3262,7 +3271,8 @@ + alpha_image=AllocateImage(alpha_image_info); + if (alpha_image == (Image *) NULL) + { +- DestroyJNGInfo(color_image_info,alpha_image_info); ++ DestroyJNG(chunk,color_image,color_image_info, ++ alpha_image,alpha_image_info); + ThrowReaderException(ResourceLimitError, + MemoryAllocationFailed, + alpha_image); +@@ -3275,8 +3285,8 @@ + exception); + if (status == MagickFalse) + { +- DestroyJNGInfo(color_image_info,alpha_image_info); +- DestroyImage(alpha_image); ++ DestroyJNG(chunk,color_image,color_image_info, ++ alpha_image,alpha_image_info); + ThrowReaderException(CoderError,UnableToOpenBlob,image); + } + if (jng_alpha_compression_method == 0) +@@ -3496,7 +3506,7 @@ + } + + +- /* IEND found */ ++ /* IEND found or loop ended */ + + /* + Finish up reading image data: +@@ -3610,10 +3620,8 @@ + break; + } + (void) LiberateUniqueFileResource(alpha_image->filename); +- DestroyImage(alpha_image); +- alpha_image = (Image *)NULL; +- DestroyImageInfo(alpha_image_info); +- alpha_image_info = (ImageInfo *)NULL; ++ DestroyJNG(NULL,color_image,color_image_info, ++ alpha_image,alpha_image_info); + DestroyImage(jng_image); + jng_image = (Image *)NULL; + } +@@ -3636,13 +3644,8 @@ + + /* Clean up in case we didn't earlier */ + +- DestroyJNGInfo(color_image_info,alpha_image_info); +- +- if (alpha_image != (Image *)NULL) +- { +- (void) LiberateUniqueFileResource(alpha_image->filename); +- DestroyImage(alpha_image); +- } ++ DestroyJNG(NULL,color_image,color_image_info, ++ alpha_image,alpha_image_info); + + if (logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + diff --git a/GraphicsMagick-CVE-2017-11139.patch b/GraphicsMagick-CVE-2017-11139.patch new file mode 100644 index 0000000..e7fba03 --- /dev/null 
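Review bot: In the `@@ -3244,7 +3251,8 @@` section the OpenBlob failure path calls `DestroyJNG(chunk,color_image,...)` and then `ThrowReaderException(CoderError,UnableToOpenBlob,color_image)`, so the macro is handed an image that was just destroyed. The old DestroyJNGInfo released only the two ImageInfo structures, which is why passing `color_image` was harmless before this change. The macro body is not visible here, but if it reads or releases its image argument this is a use after free. Passing the reader's own image, `ThrowReaderException(CoderError,UnableToOpenBlob,image);`, as the alpha OpenBlob path in the `@@ -3275,8 +3285,8 @@` section already does, avoids it. Because DestroyJNG takes its pointers by value, any caller that keeps running afterwards has to clear its own copies.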
+++ b/GraphicsMagick-CVE-2017-11139.patch @@ -0,0 +1,23 @@ + +# HG changeset patch +# User Bob Friesenhahn +# Date 1499536785 18000 +# Node ID 4d0baa77245b386754cd65bbdb7b0937088cb3de +# Parent b4139088b49afaad8ac76b74f8a10ad5a63d3f3b +JNG: Fix double frees caused by changeset 15060:d445af60a8d5 commited on 2017-07-06 + +diff -r b4139088b49a -r 4d0baa77245b coders/png.c +--- a/coders/png.c Sat Jul 08 09:20:58 2017 -0500 ++++ b/coders/png.c Sat Jul 08 12:59:45 2017 -0500 +@@ -3622,6 +3622,10 @@ + (void) LiberateUniqueFileResource(alpha_image->filename); + DestroyJNG(NULL,color_image,color_image_info, + alpha_image,alpha_image_info); ++ color_image = (Image *)NULL; ++ color_image_info = (ImageInfo *) NULL; ++ alpha_image = (Image *)NULL; ++ alpha_image_info = (ImageInfo *) NULL; + DestroyImage(jng_image); + jng_image = (Image *)NULL; + } + diff --git a/GraphicsMagick-CVE-2017-11140.patch b/GraphicsMagick-CVE-2017-11140.patch new file mode 100644 index 0000000..74ce17a --- /dev/null +++ b/GraphicsMagick-CVE-2017-11140.patch 
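Review bot: The four added assignments need a comment explaining them, because nothing at this call site shows that a second DestroyJNG call follows later in the function. Something like `/* DestroyJNG() cannot clear the caller's pointers; reset them so the final cleanup does not free them again */` above `color_image = (Image *)NULL;` would record the reason. The later cleanup call is visible only in the preceding patch, not in this hunk, so the comment is the only local hint for a maintainer who adds another early DestroyJNG call.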
@@ -0,0 +1,80 @@ + +# HG changeset patch +# User Bob Friesenhahn +# Date 1499523658 18000 +# Node ID b4139088b49afaad8ac76b74f8a10ad5a63d3f3b +# Parent c94d4172aca78ff942c0b6bd5537275873acb408 +Defer creating pixel cache until first scanline. Classify some libjpeg warnings as errors. + +diff -r c94d4172aca7 -r b4139088b49a coders/jpeg.c +--- a/coders/jpeg.c Thu Jul 06 18:54:30 2017 -0500 ++++ b/coders/jpeg.c Sat Jul 08 09:20:58 2017 -0500 +@@ -240,10 +240,34 @@ + err->msg_parm.i[4], err->msg_parm.i[5], + err->msg_parm.i[6], err->msg_parm.i[7]); + } +- if ((err->num_warnings == 0) || +- (err->trace_level >= 3)) +- ThrowBinaryException2(CorruptImageWarning,(char *) message, ++ /* ++ Treat some "warnings" as errors ++ */ ++ switch (err->msg_code) ++ { ++ case JWRN_HIT_MARKER: /* Corrupt JPEG data: premature end of data segment */ ++ case JWRN_JPEG_EOF: /* Premature end of JPEG file */ ++ { ++ ThrowBinaryException2(CorruptImageError,(char *) message, ++ image->filename); ++ break; ++ } ++ case JWRN_HUFF_BAD_CODE: /* Corrupt JPEG data: bad Huffman code */ ++ case JWRN_MUST_RESYNC: /* Corrupt JPEG data: found marker 0x%02x instead of RST%d */ ++ case JWRN_NOT_SEQUENTIAL: /* "Invalid SOS parameters for sequential JPEG */ ++ { ++ ThrowBinaryException2(CorruptImageError,(char *) message, + image->filename); ++ break; ++ } ++ default: ++ { ++ if ((err->num_warnings == 0) || ++ (err->trace_level >= 3)) ++ ThrowBinaryException2(CorruptImageWarning,(char *) message, ++ image->filename); ++ } ++ } + err->num_warnings++; + } + else +@@ -1350,6 +1374,16 @@ + register PixelPacket + *q; + ++ /* ++ Read scanlines. Stop at first serious error. 
++ */ ++ if ((jpeg_read_scanlines(&jpeg_info,scanline,1) != 1) || ++ (image->exception.severity >= ErrorException)) ++ { ++ status=MagickFail; ++ break; ++ } ++ + q=SetImagePixels(image,0,y,image->columns,1); + if (q == (PixelPacket *) NULL) + { +@@ -1358,12 +1392,6 @@ + } + indexes=AccessMutableIndexes(image); + +- if (jpeg_read_scanlines(&jpeg_info,scanline,1) != 1) +- { +- status=MagickFail; +- break; +- } +- + p=jpeg_pixels; + + if (jpeg_info.output_components == 1) + diff --git a/GraphicsMagick-CVE-2017-11636.patch b/GraphicsMagick-CVE-2017-11636.patch new file mode 100644 index 0000000..cd62c2e --- /dev/null +++ b/GraphicsMagick-CVE-2017-11636.patch 
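Review bot: The two `case` groups in the new `switch (err->msg_code)` have identical bodies, both raising `CorruptImageError`, so they can be merged into one group of five labels with a single `ThrowBinaryException2` call. The comment on `JWRN_NOT_SEQUENTIAL` also carries a stray opening quote (`/* "Invalid SOS parameters ...`). In the scanline loop, the added `image->exception.severity >= ErrorException` test presumably relies on the message handler having stored the error in `image->exception`; a short comment such as `/* the libjpeg message handler records errors in image->exception */` would make that dependency explicit. Both functions start and end outside the hunk.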
@@ -0,0 +1,155 @@ + +# HG changeset patch +# User Bob Friesenhahn +# Date 1500755964 18000 +# Node ID 39961adf974c7e284e3f95d2fc1609da4461d3ff +# Parent d00b74315a716a62386de06732afdd2822b9f1fd +RGB: Fixed heap overflow with multiple frames with varying widths. + +diff -r d00b74315a71 -r 39961adf974c coders/rgb.c +--- a/coders/rgb.c Sat Jul 22 15:39:14 2017 -0500 ++++ b/coders/rgb.c Sat Jul 22 15:39:24 2017 -0500 +@@ -1,5 +1,5 @@ + /* +-% Copyright (C) 2003 - 2015 GraphicsMagick Group ++% Copyright (C) 2003 - 2017 GraphicsMagick Group + % Copyright (C) 2002 ImageMagick Studio + % Copyright 1991-1999 E. I. du Pont de Nemours and Company + % +@@ -570,19 +570,20 @@ + */ + static unsigned int WriteRGBImage(const ImageInfo *image_info,Image *image) + { +- int ++ long + y; + + register const PixelPacket + *p; + + unsigned char +- *pixels; ++ *pixels = (unsigned char *) NULL; + + unsigned int + status; + + unsigned int ++ depth, + packet_size, + quantum_size, + scene; +@@ -593,27 +594,11 @@ + ExportPixelAreaInfo + export_info; + +- /* +- Allocate memory for pixels. +- */ + assert(image_info != (const ImageInfo *) NULL); + assert(image_info->signature == MagickSignature); + assert(image != (Image *) NULL); + assert(image->signature == MagickSignature); + +- if (image->depth <= 8) +- quantum_size=8; +- else if (image->depth <= 16) +- quantum_size=16; +- else +- quantum_size=32; +- +- packet_size=(quantum_size*3)/8; +- if (LocaleCompare(image_info->magick,"RGBA") == 0) +- packet_size=(quantum_size*4)/8; +- pixels=MagickAllocateArray(unsigned char *,packet_size,image->columns); +- if (pixels == (unsigned char *) NULL) +- ThrowWriterException(ResourceLimitError,MemoryAllocationFailed,image); + if (image_info->interlace != PartitionInterlace) + { + /* +@@ -623,30 +608,70 @@ + if (status == False) + ThrowWriterException(FileOpenError,UnableToOpenFile,image); + } ++ ++ /* ++ Support depth in multiples of 8 bits. 
++ */ ++ if (image->depth > 16) ++ depth=32; ++ else if (image->depth > 8) ++ depth=16; ++ else ++ depth=8; ++ ++ if (depth <= 8) ++ quantum_size=8; ++ else if (depth <= 16) ++ quantum_size=16; ++ else ++ quantum_size=32; ++ ++ packet_size=(quantum_size*3)/8; ++ if (LocaleCompare(image_info->magick,"RGBA") == 0) ++ packet_size=(quantum_size*4)/8; ++ + scene=0; +- /* +- Initialize export options. +- */ +- ExportPixelAreaOptionsInit(&export_options); +- if (image->endian != UndefinedEndian) +- export_options.endian=image->endian; +- else if (image_info->endian != UndefinedEndian) +- export_options.endian=image_info->endian; +- if (image->logging) +- (void) LogMagickEvent(CoderEvent,GetMagickModule(), +- "Depth %u bits, Endian %s, Interlace %s", +- quantum_size, +- EndianTypeToString(export_options.endian), +- InterlaceTypeToString(image_info->interlace)); + do + { + /* ++ Allocate memory for pixels. ++ */ ++ MagickReallocMemory(unsigned char *,pixels, ++ MagickArraySize(packet_size,image->columns)); ++ if (pixels == (unsigned char *) NULL) ++ ThrowWriterException(ResourceLimitError,MemoryAllocationFailed,image); ++ ++ /* ++ Initialize export options. ++ */ ++ ExportPixelAreaOptionsInit(&export_options); ++ if (image->endian != UndefinedEndian) ++ export_options.endian=image->endian; ++ else if (image_info->endian != UndefinedEndian) ++ export_options.endian=image_info->endian; ++ ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ "%lu: " ++ "Geometry %lux%lu, " ++ "Depth %u bits, " ++ "Endian %s, " ++ "Packet Size %u, " ++ "Row bytes %" MAGICK_SIZE_T_F "u", ++ image->scene, ++ image->columns,image->rows, ++ quantum_size, ++ EndianTypeToString(export_options.endian), ++ packet_size, ++ (MAGICK_SIZE_T) MagickArraySize(packet_size,image->columns)); ++ ++ /* + Convert MIFF to RGB raster pixels. 
+ */ + (void) TransformColorspace(image,RGBColorspace); + if (LocaleCompare(image_info->magick,"RGBA") == 0) + if (!image->matte) + SetImageOpacity(image,OpaqueOpacity); ++ + switch (image_info->interlace) + { + case NoInterlace: + diff --git a/GraphicsMagick-CVE-2017-11637.patch b/GraphicsMagick-CVE-2017-11637.patch new file mode 100644 index 0000000..be74ad8 --- /dev/null +++ b/GraphicsMagick-CVE-2017-11637.patch @@ -0,0 +1,54 @@ + +# HG changeset patch +# User Bob Friesenhahn +# Date 1500771092 18000 +# Node ID f3ffc5541257cfbbe1dc93e3f0775cc8d2de96fd +# Parent db732abd9318246cca5b07b56b58a22f39d342e0 +PCL: Fix null pointer dereference in writing monochrome images. + +diff -r db732abd9318 -r f3ffc5541257 coders/pcl.c +--- a/coders/pcl.c Sat Jul 22 17:56:27 2017 -0500 ++++ b/coders/pcl.c Sat Jul 22 19:51:32 2017 -0500 +@@ -1010,7 +1010,16 @@ + for (x=0; x < (long) image->columns; x++) + { + byte<<=1; +- if (indexes[x] == blk_ind) byte |= 1; ++ if (image->storage_class == PseudoClass) ++ { ++ if (indexes[x] == blk_ind) ++ byte |= 1; ++ } ++ else ++ { ++ if (p[x].red == 0) ++ byte |= 1; ++ } + bit++; + if (bit == 8) + { +@@ -1028,10 +1037,20 @@ + /* + 8 bit PseudoClass row + */ +- indexes=AccessImmutableIndexes(image); +- for (x=0; x < (long) image->columns; x++) ++ if (image->storage_class == PseudoClass) + { +- *q++=indexes[x]; ++ indexes=AccessImmutableIndexes(image); ++ for (x=0; x < (long) image->columns; x++) ++ { ++ *q++=indexes[x]; ++ } ++ } ++ else ++ { ++ for (x=0; x < (long) image->columns; x++) ++ { ++ *q++=PixelIntensityRec601(&p[x]); ++ } + } + } + else + diff --git a/GraphicsMagick-CVE-2017-11638.patch b/GraphicsMagick-CVE-2017-11638.patch new file mode 100644 index 0000000..144ed78 --- /dev/null +++ b/GraphicsMagick-CVE-2017-11638.patch 
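Review bot: `packet_size` and `quantum_size` are still derived once, before the `do` loop, from the first frame's depth, while the row buffer is now reallocated per frame from `packet_size` and that frame's `columns`. The two stay consistent only if the export calls in the loop body, which lie outside this hunk, also use `quantum_size` rather than each frame's own depth. A comment such as `/* quantum_size is fixed by the first frame; every frame is exported at this width */` next to the allocation would record that assumption. The second ladder is redundant once `depth` has been rounded to 8, 16 or 32, so `quantum_size=depth;` would do.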
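Review bot: The new non-PseudoClass branch stores `PixelIntensityRec601(&p[x])` straight into `*q++` without scaling. The declaration of `q` and the build's quantum depth are outside the hunk, but if `q` is a byte pointer and the quantum is wider than 8 bits the intensity would be truncated rather than scaled. In that case `*q++=ScaleQuantumToChar(PixelIntensityRec601(&p[x]));` would be the safer form. The retained comment `8 bit PseudoClass row` is stale now that the block also handles other storage classes and should say so.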
@@ -0,0 +1,43 @@ + +# HG changeset patch +# User Bob Friesenhahn +# Date 1500758975 18000 +# Node ID 29550606d8b9bf74f9aea0637d11d19fe706871b +# Parent 30cd2b31f7e045de4861b102e3f8d83db579bc7a +MAP: Fix null pointer dereference or SEGV if input is not colormapped. + +diff -r 30cd2b31f7e0 -r 29550606d8b9 coders/map.c +--- a/coders/map.c Sat Jul 22 15:40:00 2017 -0500 ++++ b/coders/map.c Sat Jul 22 16:29:35 2017 -0500 +@@ -18,7 +18,7 @@ + % M M A A P % + % % + % % +-% Read/Write Image Colormaps As An Image File % ++% Read/Write Image Colormaps And Image File % + % % + % % + % Software Design % +@@ -349,16 +349,17 @@ + /* + Allocate colormap. + */ +- if (!IsPaletteImage(image,&image->exception)) +- (void) SetImageType(image,PaletteType); ++ if (SetImageType(image,PaletteType) == MagickFail) ++ ThrowMAPWriterException(ResourceLimitError,MemoryAllocationFailed,image); + packet_size=image->depth > 8 ? 2 : 1; +- pixels=MagickAllocateMemory(unsigned char *,image->columns*packet_size); ++ pixels=MagickAllocateArray(unsigned char *,image->columns,packet_size); + if (pixels == (unsigned char *) NULL) + ThrowMAPWriterException(ResourceLimitError,MemoryAllocationFailed,image); + packet_size=image->colors > 256 ? 6 : 3; +- colormap=MagickAllocateMemory(unsigned char *,packet_size*image->colors); ++ colormap=MagickAllocateArray(unsigned char *,packet_size,image->colors); + if (colormap == (unsigned char *) NULL) + ThrowMAPWriterException(ResourceLimitError,MemoryAllocationFailed,image); ++ + /* + Write colormap to file. + */ + diff --git a/GraphicsMagick-CVE-2017-11641.patch b/GraphicsMagick-CVE-2017-11641.patch new file mode 100644 index 0000000..44f4db5 --- /dev/null +++ b/GraphicsMagick-CVE-2017-11641.patch 
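Review bot: `ThrowMAPWriterException` is now reached on a failed `SetImageType` before `pixels` and `colormap` have been assigned. The macro is defined outside the hunk; if it releases those two buffers, both must be initialised to NULL at their declarations, which are not visible here either. The failure is also reported as `ResourceLimitError,MemoryAllocationFailed`, which will mislabel a `SetImageType` failure that has another cause. A comment on that line stating the chosen error is a deliberate approximation would keep later readers from trusting it.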
@@ -0,0 +1,42 @@ + +# HG changeset patch +# User Bob Friesenhahn +# Date 1500764187 18000 +# Node ID db732abd9318246cca5b07b56b58a22f39d342e0 +# Parent 29550606d8b9bf74f9aea0637d11d19fe706871b +MPC: Fix memory leak while writing Magick Persistent Cache format. + +diff -r 29550606d8b9 -r db732abd9318 magick/pixel_cache.c +--- a/magick/pixel_cache.c Sat Jul 22 16:29:35 2017 -0500 ++++ b/magick/pixel_cache.c Sat Jul 22 17:56:27 2017 -0500 +@@ -3458,7 +3458,10 @@ + cache_info->type=DiskCache; + cache_info->offset=(*offset); + if (!OpenCache(clone_image,IOMode,exception)) +- return(MagickFail); ++ { ++ DestroyImage(clone_image); ++ return(MagickFail); ++ } + y=0; + { + ViewInfo +@@ -3495,11 +3498,13 @@ + CloseCacheView(image_view); + CloseCacheView(clone_view); + } +- cache_info=(CacheInfo*) ReferenceCache(cache_info); ++ if (y < (long) image->rows) ++ { ++ DestroyImage(clone_image); ++ return(MagickFail); ++ } ++ *offset+=cache_info->length+pagesize-(cache_info->length % pagesize); + DestroyImage(clone_image); +- if (y < (long) image->rows) +- return(MagickFail); +- *offset+=cache_info->length+pagesize-(cache_info->length % pagesize); + (void) LogMagickEvent(CacheEvent,GetMagickModule(),"Clone persistent cache"); + return(MagickPass); + } + diff --git a/GraphicsMagick.spec b/GraphicsMagick.spec index 963d3f6..e8a06a2 100644 --- a/GraphicsMagick.spec +++ b/GraphicsMagick.spec @@ -28,7 +28,7 @@ Summary: An ImageMagick fork, offering faster image generation and better quality Name: GraphicsMagick Version: 1.3.26 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT Source0: http://downloads.sourceforge.net/sourceforge/graphicsmagick/GraphicsMagick-%{version}.tar.xz 
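Review bot: The reordering in the `@@ -3495,11 +3498,13 @@` section makes `cache_info->length` be read before `DestroyImage(clone_image)`, and that ordering is now load-bearing because the `ReferenceCache` call was removed. Where `cache_info` is assigned is outside the hunk, so it is only presumed to belong to the clone. A comment such as `/* cache_info is released with clone_image; read its length before DestroyImage() */` above the `*offset+=` line would protect the ordering from a later tidy-up. The three separate `DestroyImage(clone_image)` exits could also be folded into one cleanup label to keep future error paths from missing the release.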
@@ -43,6 +43,14 @@ Patch50: GraphicsMagick-1.3.14-perl_linkage.patch ## upstream patches Patch1: GraphicsMagick-CVE-2017-11403.patch +Patch2: GraphicsMagick-CVE-2017-11102-1.patch +Patch3: GraphicsMagick-CVE-2017-11102-2.patch +Patch4: GraphicsMagick-CVE-2017-11139.patch +Patch5: GraphicsMagick-CVE-2017-11140.patch +Patch6: GraphicsMagick-CVE-2017-11636.patch +Patch7: GraphicsMagick-CVE-2017-11637.patch +Patch8: GraphicsMagick-CVE-2017-11638.patch +Patch9: GraphicsMagick-CVE-2017-11641.patch BuildRequires: bzip2-devel BuildRequires: freetype-devel @@ -157,6 +165,15 @@ however. %setup -q %patch1 -p1 -b .CVE-2017-11403 +%patch2 -p1 -b .CVE-2017-11102-1 +%patch3 -p1 -b .CVE-2017-11102-2 +%patch4 -p1 -b .CVE-2017-11139 +%patch5 -p1 -b .CVE-2017-11140 +%patch6 -p1 -b .CVE-2017-11636 +%patch7 -p1 -b .CVE-2017-11637 +%patch8 -p1 -b .CVE-2017-11638 +%patch9 -p1 -b .CVE-2017-11641 + %patch50 -p1 -b .perl_linkage %patch100 -p1 -b .multilib @@ -310,6 +327,15 @@ exit 1 %changelog +* Thu Jul 27 2017 Rex Dieter - 1.3.26-6 +- CVE-2017-11102 (#1473728) +- CVE-2017-11139 (#1473739) +- CVE-2017-11140 (#1473750) +- CVE-2017-11636 (#1475456) +- CVE-2017-11637 (#1475452) +- CVE-2017-11638 (#1475708) +- CVE-2017-11641 (#1475489) + * Thu Jul 27 2017 Rex Dieter - 1.3.26-5 - .spec cleanup, drop deprecated stuff - update filtering