diff --git a/GraphicsMagick-CVE-2012-3438.patch b/GraphicsMagick-CVE-2012-3438.patch
new file mode 100644
index 0000000..bacf70e
--- /dev/null
+++ b/GraphicsMagick-CVE-2012-3438.patch
@@ -0,0 +1,65 @@ + +# HG changeset patch +# User Glenn Randers-Pehrson +# Date 1343491548 18000 +# Node ID d6e469d02cd260b6531e86a8a6c8a5a2b9ff51cb +# Parent fe9e2eb655ce8b85abfd9b88d20a8a1648ad71e7 +coders/png.c: Some typecasts were inconsistent with libpng-1.4 and later. + +diff -r fe9e2eb655ce -r d6e469d02cd2 coders/png.c +--- a/coders/png.c Thu Jul 26 20:24:26 2012 -0500 ++++ b/coders/png.c Sat Jul 28 11:05:48 2012 -0500 +@@ -1360,7 +1360,11 @@ + } + + #ifdef PNG_USER_MEM_SUPPORTED +-static png_voidp png_IM_malloc(png_structp png_ptr,png_uint_32 size) ++#if PNG_LIBPNG_VER >= 14000 ++static png_voidp png_IM_malloc(png_structp png_ptr,png_alloc_size_t size) ++#else ++static png_voidp png_IM_malloc(png_structp png_ptr,png_size_t size) ++#endif + { + (void) png_ptr; + return MagickAllocateMemory(png_voidp,(size_t) size); +@@ -6169,12 +6173,22 @@ + (void) printf("writing raw profile: type=%.1024s, length=%lu\n", + profile_type, (unsigned long)length); + } +- text=(png_textp) png_malloc(ping,(png_uint_32) sizeof(png_text)); ++#if PNG_LIBPNG_VER >= 14000 ++ text=(png_textp) png_malloc(ping,(png_alloc_size_t) sizeof(png_text)); ++#else ++ text=(png_textp) png_malloc(ping,(png_size_t) sizeof(png_text)); ++#endif + description_length=strlen((const char *) profile_description); + allocated_length=(png_uint_32) (length*2 + (length >> 5) + 20 + + description_length); +- text[0].text=(png_charp) png_malloc(ping,allocated_length); +- text[0].key=(png_charp) png_malloc(ping, (png_uint_32) 80); ++#if PNG_LIBPNG_VER >= 14000 ++ text[0].text=(png_charp) png_malloc(ping, ++ (png_alloc_size_t) allocated_length); ++ text[0].key=(png_charp) png_malloc(ping, (png_alloc_size_t) 80); ++#else ++ text[0].text=(png_charp) png_malloc(ping, (png_size_t) allocated_length); ++ text[0].key=(png_charp) png_malloc(ping, (png_size_t) 80); ++#endif + text[0].key[0]='\0'; + (void) strcat(text[0].key, "Raw profile type "); + (void) strncat(text[0].key, (const char *) profile_type, 61); +@@ -7620,7 
+7634,12 @@ + + if (*attribute->key == '[') + continue; +- text=(png_textp) png_malloc(ping,(png_uint_32) sizeof(png_text)); ++#if PNG_LIBPNG_VER >= 14000 ++ text=(png_textp) png_malloc(ping, ++ (png_alloc_size_t) sizeof(png_text)); ++#else ++ text=(png_textp) png_malloc(ping,(png_size_t) sizeof(png_text)); ++#endif + text[0].key=attribute->key; + text[0].text=attribute->value; + text[0].text_length=strlen(attribute->value); + diff --git a/GraphicsMagick.spec b/GraphicsMagick.spec index 8261918..c6feb32 100644 --- a/GraphicsMagick.spec +++ b/GraphicsMagick.spec @@ -8,7 +8,7 @@ Summary: An ImageMagick fork, offering faster image generation and better quality Name: GraphicsMagick Version: 1.3.16 -Release: 4%{?dist} +Release: 5%{?dist} License: MIT Group: Applications/Multimedia Source0: http://downloads.sourceforge.net/sourceforge/graphicsmagick/GraphicsMagick-%{version}.tar.xz @@ -21,6 +21,11 @@ Patch1: GraphicsMagick-1.3.16-multilib.patch ## upstreamable patches Patch50: GraphicsMagick-1.3.14-perl_linkage.patch +## upstream patches +# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3438 +# http://graphicsmagick.hg.sourceforge.net/hgweb/graphicsmagick/graphicsmagick/rev/d6e469d02cd2 +Patch100: GraphicsMagick-CVE-2012-3438.patch + BuildRequires: bzip2-devel BuildRequires: freetype-devel BuildRequires: jasper-devel @@ -110,6 +115,7 @@ however. %patch1 -p1 -b .multilib %patch50 -p1 -b .perl_linkage +%patch100 -p1 -b .CVE-2012-3438 iconv -f iso-8859-2 -t utf8 < ChangeLog > ChangeLog.utf8 mv -f ChangeLog.utf8 ChangeLog @@ -263,6 +269,9 @@ rm -rf %{buildroot} %changelog +* Mon Aug 20 2012 Rex Dieter 1.3.16-5 +- CVE-2012-3438 GraphicsMagick: png_IM_malloc() size argument (#844106, #844107) + * Mon Aug 20 2012 Rex Dieter 1.3.16-4 - link GraphicsMagick against lcms2 instead of lcms1 (#849778)
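Review bot: In GraphicsMagick-CVE-2012-3438.patch, all four `#if PNG_LIBPNG_VER >= 14000` guards (on png_IM_malloc and on the three png_malloc call sites in coders/png.c) test a value that does not match libpng's version encoding, where 1.4.0 is 10400. As written, the `png_alloc_size_t` branch is never compiled for libpng 1.4 through 1.6, and every build takes the `#else` branch with `png_size_t`. That branch still drops the old `png_uint_32` narrowing of the size argument, assuming `png_size_t` is `size_t`, but the guard should read `#if PNG_LIBPNG_VER >= 10400` to match the changeset description; as this is an imported upstream changeset, the correction probably belongs upstream too. Separately, the raw-profile hunk keeps the context line `allocated_length=(png_uint_32) (...)`, so the new `(png_alloc_size_t) allocated_length` cast widens a value already narrowed to 32 bits. Whether `length` can grow large enough for that to matter is not visible in the hunk, so a range check on the sum before the allocation would be the safer form.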