From 327e7b3d944fc870611fb4a5377319fd79185295 Mon Sep 17 00:00:00 2001
From: Rex Dieter
Date: Wed, 5 Jul 2017 06:23:17 -0500
Subject: [PATCH] 1.3.26 CVE-2017-10794 (#1467655) CVE-2017-10799 (#1467372) CVE-2017-10800 (#1467381)
---
 .gitignore | 1 +
 GraphicsMagick-CVE-2016-7800.patch | 58 -------------------
 GraphicsMagick-CVE-2016-7996.patch | 47 ---------------
 GraphicsMagick-CVE-2016-7997.patch | 63 --------------------
 GraphicsMagick-CVE-2016-8682.patch | 24 --------
 GraphicsMagick-CVE-2016-8683.patch | 71 -----------------------
 GraphicsMagick-CVE-2016-8684.patch | 93 ------------------------------
 GraphicsMagick-CVE-2017-6335.patch | 37 ------------
 GraphicsMagick.spec | 25 +++-----
 sources | 2 +-
 10 files changed, 10 insertions(+), 411 deletions(-)
 delete mode 100644 GraphicsMagick-CVE-2016-7800.patch
 delete mode 100644 GraphicsMagick-CVE-2016-7996.patch
 delete mode 100644 GraphicsMagick-CVE-2016-7997.patch
 delete mode 100644 GraphicsMagick-CVE-2016-8682.patch
 delete mode 100644 GraphicsMagick-CVE-2016-8683.patch
 delete mode 100644 GraphicsMagick-CVE-2016-8684.patch
 delete mode 100644 GraphicsMagick-CVE-2017-6335.patch
diff --git a/.gitignore b/.gitignore
index 427f25f..450e94d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 /GraphicsMagick-1.3.25.tar.xz
+/GraphicsMagick-1.3.26.tar.xz
diff --git a/GraphicsMagick-CVE-2016-7800.patch b/GraphicsMagick-CVE-2016-7800.patch
deleted file mode 100644
index f26da32..0000000
--- a/GraphicsMagick-CVE-2016-7800.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-# HG changeset patch
-# User Bob Friesenhahn
-# Date 1475336055 18000
-# Sat Oct 01 10:34:15 2016 -0500
-# Node ID 5c7b6d6094a25e99c57f8b18343914ebfd8213ef
-# Parent 623b741873230aaf0aaa767f14f4241f9d56a0f6
-Fix unsigned underflow leading to heap overflow when parsing 8BIM chunk.
-
-diff --git a/coders/meta.c b/coders/meta.c
---- a/coders/meta.c
-+++ b/coders/meta.c
-@@ -396,10 +396,17 @@
- {
- if (brkused && next > 0)
- {
-+ size_t
-+ codes_len;
-+
- char
- *s = &token[next-1];
-
-- len -= convertHTMLcodes(s, strlen(s));
-+ codes_len = convertHTMLcodes(s, strlen(s));
-+ if (codes_len > len)
-+ len = 0;
-+ else
-+ len -= codes_len;
- }
- }
-
-@@ -450,7 +457,7 @@
- next=0;
- outputlen += len;
- while (len--)
-- (void) WriteBlobByte(ofile,token[next++]); /* boom */
-+ (void) WriteBlobByte(ofile,token[next++]);
-
- if (outputlen & 1)
- {
-@@ -682,10 +689,17 @@
- {
- if (brkused && next > 0)
- {
-+ size_t
-+ codes_len;
-+
- char
- *s = &token[next-1];
-
-- len -= convertHTMLcodes(s, strlen(s));
-+ codes_len = convertHTMLcodes(s, strlen(s));
-+ if (codes_len > len)
-+ len = 0;
-+ else
-+ len -= codes_len;
- }
- }
-
diff --git a/GraphicsMagick-CVE-2016-7996.patch b/GraphicsMagick-CVE-2016-7996.patch
deleted file mode 100644
index 548a13a..0000000
--- a/GraphicsMagick-CVE-2016-7996.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-# HG changeset patch
-# User fojtik
-# Date 1475404477 -7200
-# Sun Oct 02 12:34:37 2016 +0200
-# Node ID 17e89d5d40c96f7cee22f1c661d47b016ea2579f
-# Parent 5c7b6d6094a25e99c57f8b18343914ebfd8213ef
-* coders/wpg.c Add sanity check for palette.
-
-diff --git a/coders/wpg.c b/coders/wpg.c
---- a/coders/wpg.c
-+++ b/coders/wpg.c
-@@ -1210,7 +1210,7 @@
-
- Header.DataOffset=TellBlob(image)+Rec2.RecordLength;
-
-- if (logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(),
-+ if(logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(),
- "Parsing object: %X", Rec2.RecType);
-
- switch(Rec2.RecType)
-@@ -1224,18 +1224,20 @@
- WPG_Palette.StartIndex=ReadBlobLSBShort(image);
- WPG_Palette.NumOfEntries=ReadBlobLSBShort(image);
-
-+ /* Sanity check for amount of palette entries. */
-+ if( (WPG_Palette.NumOfEntries-WPG_Palette.StartIndex) > (Rec2.RecordLength-2-2) / 3)
-+ ThrowReaderException(CorruptImageError,InvalidColormapIndex,image);
-+
- image->colors=WPG_Palette.NumOfEntries;
- if (!AllocateImageColormap(image,image->colors))
- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
-+
- for (i=WPG_Palette.StartIndex;
- i < (int)WPG_Palette.NumOfEntries; i++)
- {
-- image->colormap[i].red=
-- ScaleCharToQuantum(ReadBlobByte(image));
-- image->colormap[i].green=
-- ScaleCharToQuantum(ReadBlobByte(image));
-- image->colormap[i].blue=
-- ScaleCharToQuantum(ReadBlobByte(image));
-+ image->colormap[i].red=ScaleCharToQuantum(ReadBlobByte(image));
-+ image->colormap[i].green=ScaleCharToQuantum(ReadBlobByte(image));
-+ image->colormap[i].blue=ScaleCharToQuantum(ReadBlobByte(image));
- (void) ReadBlobByte(image); /*Opacity??*/
- }
- break;
diff --git a/GraphicsMagick-CVE-2016-7997.patch b/GraphicsMagick-CVE-2016-7997.patch
deleted file mode 100644
index 69c86d8..0000000
--- a/GraphicsMagick-CVE-2016-7997.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-# HG changeset patch
-# User fojtik
-# Date 1475430071 -7200
-# Sun Oct 02 19:41:11 2016 +0200
-# Node ID 1cf5808339d9e7e6f10840311e82dc40b0cd8ec6
-# Parent 2db735de2bea758981ea130abffc85aaf7893d73
-* coders/wpg.c Correctly flip image->blob and rotated_image->blob.
-
-diff --git a/coders/wpg.c b/coders/wpg.c
---- a/coders/wpg.c
-+++ b/coders/wpg.c
-@@ -935,6 +935,7 @@
-
- unsigned char
- *BImgBuff;
-+ BlobInfo *TmpBlob;
-
- tCTM CTM; /*current transform matrix*/
-
-@@ -1133,8 +1134,9 @@
- rotated_image = FlopImage(image, exception);
- if (rotated_image != (Image *) NULL)
- {
-+ BlobInfo *TmpBlob = rotated_image->blob;
- rotated_image->blob = image->blob;
-- image->blob = NULL;
-+ image->blob = TmpBlob;
- (void) RemoveLastImageFromList(&image);
- AppendImageToList(&image,rotated_image);
- }
-@@ -1145,8 +1147,9 @@
- rotated_image = FlipImage(image, exception);
- if (rotated_image != (Image *) NULL)
- {
-+ BlobInfo *TmpBlob = rotated_image->blob;
- rotated_image->blob = image->blob;
-- image->blob = NULL;
-+ image->blob = TmpBlob;
- (void) RemoveLastImageFromList(&image);
- AppendImageToList(&image,rotated_image);
- }
-@@ -1160,8 +1163,9 @@
- exception);
- if (rotated_image != (Image *) NULL)
- {
-+ BlobInfo *TmpBlob = rotated_image->blob;
- rotated_image->blob = image->blob;
-- image->blob = NULL;
-+ image->blob = TmpBlob;
- (void) RemoveLastImageFromList(&image);
- AppendImageToList(&image,rotated_image);
- }
-@@ -1316,8 +1320,9 @@
- rotated_image = FlopImage(image, exception);
- if (rotated_image != (Image *) NULL)
- {
-+ BlobInfo *TmpBlob = rotated_image->blob;
- rotated_image->blob = image->blob;
-- image->blob = NULL;
-+ image->blob = TmpBlob;
- (void) RemoveLastImageFromList(&image);
- AppendImageToList(&image,rotated_image);
- }
diff --git a/GraphicsMagick-CVE-2016-8682.patch b/GraphicsMagick-CVE-2016-8682.patch
deleted file mode 100644
index f127470..0000000
--- a/GraphicsMagick-CVE-2016-8682.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-
-# HG changeset patch
-# User Bob Friesenhahn
-# Date 1473538865 18000
-# Node ID 0a0dfa81906d1317895de9374ef5132710c3831c
-# Parent 3161d55d0c2f73df109a6d184074f39aca78ae8f
-SCT: Fix stack-buffer read overflow while reading file header.
-
-diff -r 3161d55d0c2f -r 0a0dfa81906d coders/sct.c
---- a/coders/sct.c Sat Sep 10 13:17:49 2016 -0500
-+++ b/coders/sct.c Sat Sep 10 15:21:05 2016 -0500
-@@ -188,9 +188,11 @@
- break;
- if (ReadBlob(image,14,(char *) buffer) != 14)
- break;
-+ buffer[14]='\0';
- image->rows=MagickAtoL(buffer) & 0x7FFFFFFF;
- if (ReadBlob(image,14,(char *) buffer) != 14)
- break;
-+ buffer[14]='\0';
- image->columns=MagickAtoL(buffer) & 0x7FFFFFFF;
- if (ReadBlob(image,196,(char *) buffer) != 196)
- break;
-
diff --git a/GraphicsMagick-CVE-2016-8683.patch b/GraphicsMagick-CVE-2016-8683.patch
deleted file mode 100644
index 000f822..0000000
--- a/GraphicsMagick-CVE-2016-8683.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-
-# HG changeset patch
-# User Bob Friesenhahn
-# Date 1473544878 18000
-# Node ID b9edafd479b9d2e0976f184a259747efb198dc46
-# Parent c53725cb5449ac885536a6a98dc911d8b21a3c54
-PCX: Check that filesize is reasonable given header.
-
---- a/coders/pcx.c Sat Sep 10 16:48:12 2016 -0500
-+++ b/coders/pcx.c Sat Sep 10 17:01:18 2016 -0500
-@@ -1,5 +1,5 @@
- /*
--% Copyright (C) 2003 - 2015 GraphicsMagick Group
-+% Copyright (C) 2003 - 2016 GraphicsMagick Group
- % Copyright (C) 2002 ImageMagick Studio
- % Copyright 1991-1999 E. I. du Pont de Nemours and Company
- %
-@@ -251,6 +251,9 @@
- size_t
- pcx_packets;
-
-+ magick_off_t
-+ file_size;
-+
- /*
- Open image file.
- */
-@@ -292,6 +295,7 @@
- if (SeekBlob(image,(ExtendedSignedIntegralType) page_table[0],SEEK_SET)
- == -1)
- ThrowPCXReaderException(CorruptImageError,ImproperImageHeader,image);
-+ file_size=GetBlobSize(image);
- count=ReadBlob(image,1,(char *) &pcx_info.identifier);
- for (id=1; id < 1024; id++)
- {
-@@ -455,6 +459,34 @@
- if (CheckImagePixelLimits(image, exception) != MagickPass)
- ThrowReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
-
-+
-+ /*
-+ Check that filesize is reasonable given header
-+ */
-+ {
-+ double
-+ uncompressed_size;
-+
-+ uncompressed_size=((double) image->rows*pcx_info.bytes_per_line*pcx_info.planes);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "Uncompressed size: %.0f", uncompressed_size);
-+ if (pcx_info.encoding == 0)
-+ {
-+ /* Not compressed */
-+ if (uncompressed_size > file_size)
-+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
-+ image);
-+ }
-+ else
-+ {
-+ /* RLE compressed */
-+ if (uncompressed_size > file_size*254.0)
-+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
-+ image);
-+ }
-+ }
-+
-+
- /*
- Read image data.
- */
-
diff --git a/GraphicsMagick-CVE-2016-8684.patch b/GraphicsMagick-CVE-2016-8684.patch
deleted file mode 100644
index e327b0b..0000000
--- a/GraphicsMagick-CVE-2016-8684.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-
-# HG changeset patch
-# User Bob Friesenhahn
-# Date 1473544092 18000
-# Node ID c53725cb5449ac885536a6a98dc911d8b21a3c54
-# Parent 0a0dfa81906d1317895de9374ef5132710c3831c
-SGI: Check that filesize is reasonable given header.
-
-diff -r 0a0dfa81906d -r c53725cb5449 coders/sct.c
---- a/coders/sct.c Sat Sep 10 15:21:05 2016 -0500
-+++ b/coders/sct.c Sat Sep 10 16:48:12 2016 -0500
-@@ -1,5 +1,5 @@
- /*
--% Copyright (C) 2003-2015 GraphicsMagick Group
-+% Copyright (C) 2003-2016 GraphicsMagick Group
- % Copyright (C) 2002 ImageMagick Studio
- % Copyright 1991-1999 E. I. du Pont de Nemours and Company
- %
-diff -r 0a0dfa81906d -r c53725cb5449 coders/sgi.c
---- a/coders/sgi.c Sat Sep 10 15:21:05 2016 -0500
-+++ b/coders/sgi.c Sat Sep 10 16:48:12 2016 -0500
-@@ -299,6 +299,9 @@
- size_t
- bytes_per_pixel;
-
-+ magick_off_t
-+ file_size;
-+
- /*
- Open image file.
- */
-@@ -314,6 +317,7 @@
- Read SGI raster header.
- */
- iris_info.magic=ReadBlobMSBShort(image);
-+ file_size=GetBlobSize(image);
- do
- {
- /*
-@@ -342,7 +346,8 @@
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
- " Header: Storage=%u, BPC=%u, Dimension=%u, "
- "XSize=%u, YSize=%u, ZSize=%u, PixMin=%u, "
-- "PixMax=%u, image_name=\"%.79s\", color_map=%u",
-+ "PixMax=%u, image_name=\"%.79s\", color_map=%u, "
-+ "file_size=%" MAGICK_OFF_F "d",
- (unsigned int) iris_info.storage,
- (unsigned int) iris_info.bytes_per_pixel,
- (unsigned int) iris_info.dimension,
-@@ -352,7 +357,8 @@
- iris_info.pix_min,
- iris_info.pix_max,
- iris_info.image_name,
-- iris_info.color_map);
-+ iris_info.color_map,
-+ file_size);
-
- /*
- Validate image header and set image attributes.
-@@ -492,6 +498,33 @@
- ThrowReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
-
- /*
-+ Check that filesize is reasonable given header
-+ */
-+ {
-+ double
-+ uncompressed_size;
-+
-+ uncompressed_size=((double) (iris_info.dimension == 3 ? 
iris_info.zsize : 1)*
-+ image->columns*image->rows*iris_info.bytes_per_pixel);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "Uncompressed size: %.0f", uncompressed_size);
-+ if (iris_info.storage != 0x01)
-+ {
-+ /* Not compressed */
-+ if (uncompressed_size > file_size)
-+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
-+ image);
-+ }
-+ else
-+ {
-+ /* RLE compressed */
-+ if (uncompressed_size > file_size*254.0)
-+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
-+ image);
-+ }
-+ }
-+
-+ /*
- Allocate SGI pixels.
- */
- bytes_per_pixel=iris_info.bytes_per_pixel;
diff --git a/GraphicsMagick-CVE-2017-6335.patch b/GraphicsMagick-CVE-2017-6335.patch
deleted file mode 100644
index de1e232..0000000
--- a/GraphicsMagick-CVE-2017-6335.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-# HG changeset patch
-# User Bob Friesenhahn
-# Date 1487905610 21600
-# Thu Feb 23 21:06:50 2017 -0600
-# Node ID 6156b4c2992d855ece6079653b3b93c3229fc4b8
-# Parent 0392c4305a4369984ec8069055acc470c0a73647
-Fix out of bounds access when reading CMYKA tiff which claims wrong samples/pixel.
-
-diff --git a/coders/tiff.c b/coders/tiff.c
---- a/coders/tiff.c
-+++ b/coders/tiff.c
-@@ -1230,8 +1230,8 @@
- case 0:
- if (samples_per_pixel == 1)
- *quantum_type=GrayQuantum;
-- else
-- *quantum_type=RedQuantum;
-+ else
-+ *quantum_type=RedQuantum;
- break;
- case 1:
- *quantum_type=GreenQuantum;
-@@ -1411,12 +1411,12 @@
- }
- else
- {
-- if (image->matte)
-+ if (image->matte && samples_per_pixel >= 5)
- {
- *quantum_type=CMYKAQuantum;
- *quantum_samples=5;
- }
-- else
-+ else if (samples_per_pixel >= 4)
- {
- *quantum_type=CMYKQuantum;
- *quantum_samples=4;
diff --git a/GraphicsMagick.spec b/GraphicsMagick.spec
index 05685bf..de9057f 100644
--- a/GraphicsMagick.spec
+++ b/GraphicsMagick.spec
@@ -32,8 +32,8 @@ Summary: An ImageMagick fork, offering faster image generation and better quality
 Name: GraphicsMagick
-Version: 1.3.25
-Release: 7%{?dist}
+Version: 1.3.26
+Release: 1%{?dist}
 License: MIT
 Group: Applications/Multimedia
@@ -49,13 +49,6 @@ Patch100: GraphicsMagick-1.3.16-multilib.patch
 Patch50: GraphicsMagick-1.3.14-perl_linkage.patch
 ## upstream patches
-Patch1: GraphicsMagick-CVE-2016-7800.patch
-Patch2: GraphicsMagick-CVE-2016-7996.patch
-Patch3: GraphicsMagick-CVE-2016-7997.patch
-Patch4: GraphicsMagick-CVE-2016-8682.patch
-Patch5: GraphicsMagick-CVE-2016-8683.patch
-Patch6: GraphicsMagick-CVE-2016-8684.patch
-Patch7: GraphicsMagick-CVE-2017-6335.patch
 BuildRequires: bzip2-devel
 BuildRequires: freetype-devel
@@ -169,14 +162,6 @@ however.
 %prep
 %setup -q
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-
 %patch50 -p1 -b .perl_linkage
 %patch100 -p1 -b .multilib
@@ -337,6 +322,12 @@ rm -rf %{buildroot}
 %changelog
+* Wed Jul 05 2017 Rex Dieter - 1.3.26-1
+- 1.3.26
+- CVE-2017-10794 (#1467655)
+- CVE-2017-10799 (#1467372)
+- CVE-2017-10800 (#1467381)
+
 * Sun Jun 04 2017 Jitka Plesnikova - 1.3.25-7
 - Perl 5.26 rebuild
diff --git a/sources b/sources
index 3eb86f5..3e2832b 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-6eed966b22588fb068442319a8aa17f6 GraphicsMagick-1.3.25.tar.xz
+SHA512 (GraphicsMagick-1.3.26.tar.xz) = b33ca0f1c858428693aee27a9089acff9e63d1110f85fa036894cfefe6274e7b2422758ea39852f94fdb4823c9c3f3c44b0d8906627503301f5928096f739f22
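Review bot: The `Patch1:`–`Patch7:` hunk (`-49,13`) and the `%prep` hunk (`-169,14`) of GraphicsMagick.spec drop seven downstream security patches (CVE-2016-7800, -7996, -7997, -8682, -8683, -8684 and CVE-2017-6335), but nothing in the commit records that each fix was confirmed present in the 1.3.26 tarball. Presumably they are all upstreamed, since the Mercurial changesets in the deleted files date from 2016 and February 2017, but that is inferred rather than shown here. A changelog line such as `- drop CVE-2016-7800/7996/7997/8682/8683/8684 and CVE-2017-6335 patches (included in 1.3.26)` would make the removal auditable for anyone tracking those CVEs against this package. The `## upstream patches` heading is left with no entries under it; either remove it or keep it deliberately as a placeholder.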