rpms
/
GraphicsMagick
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

1.3.26

Browse Source 
CVE-2017-10794 (#1467655)
CVE-2017-10799 (#1467372)
CVE-2017-10800 (#1467381)
epel9
Rex Dieter 8 years ago
parent 84e37ef121
commit 327e7b3d94
10 changed files with 10 additions and 411 deletions
Show Stats Download Patch File Download Diff File

1
.gitignore vendored
Unescape View File

@ -1 +1,2 @@
/GraphicsMagick-1.3.25.tar.xz
/GraphicsMagick-1.3.26.tar.xz

58
GraphicsMagick-CVE-2016-7800.patch
Unescape View File

@ -1,58 +0,0 @@
# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1475336055 18000
# Sat Oct 01 10:34:15 2016 -0500
# Node ID 5c7b6d6094a25e99c57f8b18343914ebfd8213ef
# Parent 623b741873230aaf0aaa767f14f4241f9d56a0f6
Fix unsigned underflow leading to heap overflow when parsing 8BIM chunk.
diff --git a/coders/meta.c b/coders/meta.c
--- a/coders/meta.c
+++ b/coders/meta.c
@@ -396,10 +396,17 @@
{
if (brkused && next > 0)
{
+ size_t
+ codes_len;
+
char
*s = &token[next-1];
- len -= convertHTMLcodes(s, strlen(s));
+ codes_len = convertHTMLcodes(s, strlen(s));
+ if (codes_len > len)
+ len = 0;
+ else
+ len -= codes_len;
}
}
@@ -450,7 +457,7 @@
next=0;
outputlen += len;
while (len--)
- (void) WriteBlobByte(ofile,token[next++]); /* boom */
+ (void) WriteBlobByte(ofile,token[next++]);
if (outputlen & 1)
{
@@ -682,10 +689,17 @@
{
if (brkused && next > 0)
{
+ size_t
+ codes_len;
+
char
*s = &token[next-1];
- len -= convertHTMLcodes(s, strlen(s));
+ codes_len = convertHTMLcodes(s, strlen(s));
+ if (codes_len > len)
+ len = 0;
+ else
+ len -= codes_len;
}
}

47
GraphicsMagick-CVE-2016-7996.patch
Unescape View File

@ -1,47 +0,0 @@
# HG changeset patch
# User fojtik
# Date 1475404477 -7200
# Sun Oct 02 12:34:37 2016 +0200
# Node ID 17e89d5d40c96f7cee22f1c661d47b016ea2579f
# Parent 5c7b6d6094a25e99c57f8b18343914ebfd8213ef
* coders/wpg.c Add sanity check for palette.
diff --git a/coders/wpg.c b/coders/wpg.c
--- a/coders/wpg.c
+++ b/coders/wpg.c
@@ -1210,7 +1210,7 @@
Header.DataOffset=TellBlob(image)+Rec2.RecordLength;
- if (logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(),
+ if(logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(),
"Parsing object: %X", Rec2.RecType);
switch(Rec2.RecType)
@@ -1224,18 +1224,20 @@
WPG_Palette.StartIndex=ReadBlobLSBShort(image);
WPG_Palette.NumOfEntries=ReadBlobLSBShort(image);
+ /* Sanity check for amount of palette entries. */
+ if( (WPG_Palette.NumOfEntries-WPG_Palette.StartIndex) > (Rec2.RecordLength-2-2) / 3)
+ ThrowReaderException(CorruptImageError,InvalidColormapIndex,image);
+
image->colors=WPG_Palette.NumOfEntries;
if (!AllocateImageColormap(image,image->colors))
ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+
for (i=WPG_Palette.StartIndex;
i < (int)WPG_Palette.NumOfEntries; i++)
{
- image->colormap[i].red=
- ScaleCharToQuantum(ReadBlobByte(image));
- image->colormap[i].green=
- ScaleCharToQuantum(ReadBlobByte(image));
- image->colormap[i].blue=
- ScaleCharToQuantum(ReadBlobByte(image));
+ image->colormap[i].red=ScaleCharToQuantum(ReadBlobByte(image));
+ image->colormap[i].green=ScaleCharToQuantum(ReadBlobByte(image));
+ image->colormap[i].blue=ScaleCharToQuantum(ReadBlobByte(image));
(void) ReadBlobByte(image); /*Opacity??*/
}
break;

63
GraphicsMagick-CVE-2016-7997.patch
Unescape View File

@ -1,63 +0,0 @@
# HG changeset patch
# User fojtik
# Date 1475430071 -7200
# Sun Oct 02 19:41:11 2016 +0200
# Node ID 1cf5808339d9e7e6f10840311e82dc40b0cd8ec6
# Parent 2db735de2bea758981ea130abffc85aaf7893d73
* coders/wpg.c Correctly flip image->blob and rotated_image->blob.
diff --git a/coders/wpg.c b/coders/wpg.c
--- a/coders/wpg.c
+++ b/coders/wpg.c
@@ -935,6 +935,7 @@
unsigned char
*BImgBuff;
+ BlobInfo *TmpBlob;
tCTM CTM; /*current transform matrix*/
@@ -1133,8 +1134,9 @@
rotated_image = FlopImage(image, exception);
if (rotated_image != (Image *) NULL)
{
+ BlobInfo *TmpBlob = rotated_image->blob;
rotated_image->blob = image->blob;
- image->blob = NULL;
+ image->blob = TmpBlob;
(void) RemoveLastImageFromList(&image);
AppendImageToList(&image,rotated_image);
}
@@ -1145,8 +1147,9 @@
rotated_image = FlipImage(image, exception);
if (rotated_image != (Image *) NULL)
{
+ BlobInfo *TmpBlob = rotated_image->blob;
rotated_image->blob = image->blob;
- image->blob = NULL;
+ image->blob = TmpBlob;
(void) RemoveLastImageFromList(&image);
AppendImageToList(&image,rotated_image);
}
@@ -1160,8 +1163,9 @@
exception);
if (rotated_image != (Image *) NULL)
{
+ BlobInfo *TmpBlob = rotated_image->blob;
rotated_image->blob = image->blob;
- image->blob = NULL;
+ image->blob = TmpBlob;
(void) RemoveLastImageFromList(&image);
AppendImageToList(&image,rotated_image);
}
@@ -1316,8 +1320,9 @@
rotated_image = FlopImage(image, exception);
if (rotated_image != (Image *) NULL)
{
+ BlobInfo *TmpBlob = rotated_image->blob;
rotated_image->blob = image->blob;
- image->blob = NULL;
+ image->blob = TmpBlob;
(void) RemoveLastImageFromList(&image);
AppendImageToList(&image,rotated_image);
}

24
GraphicsMagick-CVE-2016-8682.patch
Unescape View File

@ -1,24 +0,0 @@
# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1473538865 18000
# Node ID 0a0dfa81906d1317895de9374ef5132710c3831c
# Parent 3161d55d0c2f73df109a6d184074f39aca78ae8f
SCT: Fix stack-buffer read overflow while reading file header.
diff -r 3161d55d0c2f -r 0a0dfa81906d coders/sct.c
--- a/coders/sct.c Sat Sep 10 13:17:49 2016 -0500
+++ b/coders/sct.c Sat Sep 10 15:21:05 2016 -0500
@@ -188,9 +188,11 @@
break;
if (ReadBlob(image,14,(char *) buffer) != 14)
break;
+ buffer[14]='\0';
image->rows=MagickAtoL(buffer) & 0x7FFFFFFF;
if (ReadBlob(image,14,(char *) buffer) != 14)
break;
+ buffer[14]='\0';
image->columns=MagickAtoL(buffer) & 0x7FFFFFFF;
if (ReadBlob(image,196,(char *) buffer) != 196)
break;

71
GraphicsMagick-CVE-2016-8683.patch
Unescape View File

@ -1,71 +0,0 @@
# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1473544878 18000
# Node ID b9edafd479b9d2e0976f184a259747efb198dc46
# Parent c53725cb5449ac885536a6a98dc911d8b21a3c54
PCX: Check that filesize is reasonable given header.
--- a/coders/pcx.c Sat Sep 10 16:48:12 2016 -0500
+++ b/coders/pcx.c Sat Sep 10 17:01:18 2016 -0500
@@ -1,5 +1,5 @@
/*
-% Copyright (C) 2003 - 2015 GraphicsMagick Group
+% Copyright (C) 2003 - 2016 GraphicsMagick Group
% Copyright (C) 2002 ImageMagick Studio
% Copyright 1991-1999 E. I. du Pont de Nemours and Company
%
@@ -251,6 +251,9 @@
size_t
pcx_packets;
+ magick_off_t
+ file_size;
+
/*
Open image file.
*/
@@ -292,6 +295,7 @@
if (SeekBlob(image,(ExtendedSignedIntegralType) page_table[0],SEEK_SET)
== -1)
ThrowPCXReaderException(CorruptImageError,ImproperImageHeader,image);
+ file_size=GetBlobSize(image);
count=ReadBlob(image,1,(char *) &pcx_info.identifier);
for (id=1; id < 1024; id++)
{
@@ -455,6 +459,34 @@
if (CheckImagePixelLimits(image, exception) != MagickPass)
ThrowReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
+
+ /*
+ Check that filesize is reasonable given header
+ */
+ {
+ double
+ uncompressed_size;
+
+ uncompressed_size=((double) image->rows*pcx_info.bytes_per_line*pcx_info.planes);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Uncompressed size: %.0f", uncompressed_size);
+ if (pcx_info.encoding == 0)
+ {
+ /* Not compressed */
+ if (uncompressed_size > file_size)
+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+ image);
+ }
+ else
+ {
+ /* RLE compressed */
+ if (uncompressed_size > file_size*254.0)
+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+ image);
+ }
+ }
+
+
/*
Read image data.
*/

93
GraphicsMagick-CVE-2016-8684.patch
Unescape View File

@ -1,93 +0,0 @@
# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1473544092 18000
# Node ID c53725cb5449ac885536a6a98dc911d8b21a3c54
# Parent 0a0dfa81906d1317895de9374ef5132710c3831c
SGI: Check that filesize is reasonable given header.
diff -r 0a0dfa81906d -r c53725cb5449 coders/sct.c
--- a/coders/sct.c Sat Sep 10 15:21:05 2016 -0500
+++ b/coders/sct.c Sat Sep 10 16:48:12 2016 -0500
@@ -1,5 +1,5 @@
/*
-% Copyright (C) 2003-2015 GraphicsMagick Group
+% Copyright (C) 2003-2016 GraphicsMagick Group
% Copyright (C) 2002 ImageMagick Studio
% Copyright 1991-1999 E. I. du Pont de Nemours and Company
%
diff -r 0a0dfa81906d -r c53725cb5449 coders/sgi.c
--- a/coders/sgi.c Sat Sep 10 15:21:05 2016 -0500
+++ b/coders/sgi.c Sat Sep 10 16:48:12 2016 -0500
@@ -299,6 +299,9 @@
size_t
bytes_per_pixel;
+ magick_off_t
+ file_size;
+
/*
Open image file.
*/
@@ -314,6 +317,7 @@
Read SGI raster header.
*/
iris_info.magic=ReadBlobMSBShort(image);
+ file_size=GetBlobSize(image);
do
{
/*
@@ -342,7 +346,8 @@
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
" Header: Storage=%u, BPC=%u, Dimension=%u, "
"XSize=%u, YSize=%u, ZSize=%u, PixMin=%u, "
- "PixMax=%u, image_name=\"%.79s\", color_map=%u",
+ "PixMax=%u, image_name=\"%.79s\", color_map=%u, "
+ "file_size=%" MAGICK_OFF_F "d",
(unsigned int) iris_info.storage,
(unsigned int) iris_info.bytes_per_pixel,
(unsigned int) iris_info.dimension,
@@ -352,7 +357,8 @@
iris_info.pix_min,
iris_info.pix_max,
iris_info.image_name,
- iris_info.color_map);
+ iris_info.color_map,
+ file_size);
/*
Validate image header and set image attributes.
@@ -492,6 +498,33 @@
ThrowReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
/*
+ Check that filesize is reasonable given header
+ */
+ {
+ double
+ uncompressed_size;
+
+ uncompressed_size=((double) (iris_info.dimension == 3 ? iris_info.zsize : 1)*
+ image->columns*image->rows*iris_info.bytes_per_pixel);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Uncompressed size: %.0f", uncompressed_size);
+ if (iris_info.storage != 0x01)
+ {
+ /* Not compressed */
+ if (uncompressed_size > file_size)
+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+ image);
+ }
+ else
+ {
+ /* RLE compressed */
+ if (uncompressed_size > file_size*254.0)
+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+ image);
+ }
+ }
+
+ /*
Allocate SGI pixels.
*/
bytes_per_pixel=iris_info.bytes_per_pixel;

37
GraphicsMagick-CVE-2017-6335.patch
Unescape View File

@ -1,37 +0,0 @@
# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1487905610 21600
# Thu Feb 23 21:06:50 2017 -0600
# Node ID 6156b4c2992d855ece6079653b3b93c3229fc4b8
# Parent 0392c4305a4369984ec8069055acc470c0a73647
Fix out of bounds access when reading CMYKA tiff which claims wrong samples/pixel.
diff --git a/coders/tiff.c b/coders/tiff.c
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1230,8 +1230,8 @@
case 0:
if (samples_per_pixel == 1)
*quantum_type=GrayQuantum;
- else
- *quantum_type=RedQuantum;
+ else
+ *quantum_type=RedQuantum;
break;
case 1:
*quantum_type=GreenQuantum;
@@ -1411,12 +1411,12 @@
}
else
{
- if (image->matte)
+ if (image->matte && samples_per_pixel >= 5)
{
*quantum_type=CMYKAQuantum;
*quantum_samples=5;
}
- else
+ else if (samples_per_pixel >= 4)
{
*quantum_type=CMYKQuantum;
*quantum_samples=4;

25
GraphicsMagick.spec
Unescape View File

@ -32,8 +32,8 @@
Summary: An ImageMagick fork, offering faster image generation and better quality
Name: GraphicsMagick
Version: 1.3.25
Release: 7%{?dist}
Version: 1.3.26
Release: 1%{?dist}
License: MIT
Group: Applications/Multimedia
@ -49,13 +49,6 @@ Patch100: GraphicsMagick-1.3.16-multilib.patch
Patch50: GraphicsMagick-1.3.14-perl_linkage.patch
## upstream patches
Patch1: GraphicsMagick-CVE-2016-7800.patch
Patch2: GraphicsMagick-CVE-2016-7996.patch
Patch3: GraphicsMagick-CVE-2016-7997.patch
Patch4: GraphicsMagick-CVE-2016-8682.patch
Patch5: GraphicsMagick-CVE-2016-8683.patch
Patch6: GraphicsMagick-CVE-2016-8684.patch
Patch7: GraphicsMagick-CVE-2017-6335.patch
BuildRequires: bzip2-devel
BuildRequires: freetype-devel
@ -169,14 +162,6 @@ however.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch50 -p1 -b .perl_linkage
%patch100 -p1 -b .multilib
@ -337,6 +322,12 @@ rm -rf %{buildroot}
%changelog
* Wed Jul 05 2017 Rex Dieter <rdieter@fedoraproject.org> - 1.3.26-1
- 1.3.26
- CVE-2017-10794 (#1467655)
- CVE-2017-10799 (#1467372)
- CVE-2017-10800 (#1467381)
* Sun Jun 04 2017 Jitka Plesnikova <jplesnik@redhat.com> - 1.3.25-7
- Perl 5.26 rebuild

2
sources
Unescape View File

@ -1 +1 @@
6eed966b22588fb068442319a8aa17f6 GraphicsMagick-1.3.25.tar.xz
SHA512 (GraphicsMagick-1.3.26.tar.xz) = b33ca0f1c858428693aee27a9089acff9e63d1110f85fa036894cfefe6274e7b2422758ea39852f94fdb4823c9c3f3c44b0d8906627503301f5928096f739f22

Write Preview
Loading…
Cancel
Save