CVE-2016-7800 (#1381148)

CVE-2016-7996, CVE-2016-7997 (#1383223)
CVE-2016-8682, CVE-2016-8683, CVE-2016-8684 (#1385583)
epel9
Rex Dieter 8 years ago
parent bb1d55df29
commit e17fc1dda9

@ -0,0 +1,58 @@
# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1475336055 18000
# Sat Oct 01 10:34:15 2016 -0500
# Node ID 5c7b6d6094a25e99c57f8b18343914ebfd8213ef
# Parent 623b741873230aaf0aaa767f14f4241f9d56a0f6
Fix unsigned underflow leading to heap overflow when parsing 8BIM chunk.
diff --git a/coders/meta.c b/coders/meta.c
--- a/coders/meta.c
+++ b/coders/meta.c
@@ -396,10 +396,17 @@
{
if (brkused && next > 0)
{
+ size_t
+ codes_len;
+
char
*s = &token[next-1];
- len -= convertHTMLcodes(s, strlen(s));
+ codes_len = convertHTMLcodes(s, strlen(s));
+ if (codes_len > len)
+ len = 0;
+ else
+ len -= codes_len;
}
}
@@ -450,7 +457,7 @@
next=0;
outputlen += len;
while (len--)
- (void) WriteBlobByte(ofile,token[next++]); /* boom */
+ (void) WriteBlobByte(ofile,token[next++]);
if (outputlen & 1)
{
@@ -682,10 +689,17 @@
{
if (brkused && next > 0)
{
+ size_t
+ codes_len;
+
char
*s = &token[next-1];
- len -= convertHTMLcodes(s, strlen(s));
+ codes_len = convertHTMLcodes(s, strlen(s));
+ if (codes_len > len)
+ len = 0;
+ else
+ len -= codes_len;
}
}
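Review bot: The clamp `if (codes_len > len) len = 0; else len -= codes_len;` is added verbatim in both the `@@ -396` and `@@ -682` hunks of meta.c, and it silently treats a record whose HTML-decoded token shrinks by more than `len` as empty instead of reporting the input as malformed. A reader will not see why `len` is zeroed, so I would put `/* convertHTMLcodes() can shrink the token by more than len (CVE-2016-7800); clamp rather than let len wrap */` above the check, and consider logging at that point so truncated records are visible rather than quietly dropped by the `while (len--)` copy loop in the `@@ -450` hunk (presumably the same `len`). The comparison is only sound if `len` is unsigned like `codes_len`; the enclosing functions start outside these hunks so its declaration is not visible, and if it were signed it would be promoted and a negative value would slip past the check. A small static helper taking `s` and `len` would remove the duplication.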

@ -0,0 +1,47 @@
# HG changeset patch
# User fojtik
# Date 1475404477 -7200
# Sun Oct 02 12:34:37 2016 +0200
# Node ID 17e89d5d40c96f7cee22f1c661d47b016ea2579f
# Parent 5c7b6d6094a25e99c57f8b18343914ebfd8213ef
* coders/wpg.c Add sanity check for palette.
diff --git a/coders/wpg.c b/coders/wpg.c
--- a/coders/wpg.c
+++ b/coders/wpg.c
@@ -1210,7 +1210,7 @@
Header.DataOffset=TellBlob(image)+Rec2.RecordLength;
- if (logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(),
+ if(logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(),
"Parsing object: %X", Rec2.RecType);
switch(Rec2.RecType)
@@ -1224,18 +1224,20 @@
WPG_Palette.StartIndex=ReadBlobLSBShort(image);
WPG_Palette.NumOfEntries=ReadBlobLSBShort(image);
+ /* Sanity check for amount of palette entries. */
+ if( (WPG_Palette.NumOfEntries-WPG_Palette.StartIndex) > (Rec2.RecordLength-2-2) / 3)
+ ThrowReaderException(CorruptImageError,InvalidColormapIndex,image);
+
image->colors=WPG_Palette.NumOfEntries;
if (!AllocateImageColormap(image,image->colors))
ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+
for (i=WPG_Palette.StartIndex;
i < (int)WPG_Palette.NumOfEntries; i++)
{
- image->colormap[i].red=
- ScaleCharToQuantum(ReadBlobByte(image));
- image->colormap[i].green=
- ScaleCharToQuantum(ReadBlobByte(image));
- image->colormap[i].blue=
- ScaleCharToQuantum(ReadBlobByte(image));
+ image->colormap[i].red=ScaleCharToQuantum(ReadBlobByte(image));
+ image->colormap[i].green=ScaleCharToQuantum(ReadBlobByte(image));
+ image->colormap[i].blue=ScaleCharToQuantum(ReadBlobByte(image));
(void) ReadBlobByte(image); /*Opacity??*/
}
break;
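Review bot: The new palette check `if( (WPG_Palette.NumOfEntries-WPG_Palette.StartIndex) > (Rec2.RecordLength-2-2) / 3)` does not state what happens when `StartIndex > NumOfEntries`, and if `Rec2.RecordLength` is an unsigned type (its declaration is outside the hunk) a record length below 4 makes the right-hand side wrap to a huge bound so the check passes for any entry count. Both cases can be rejected explicitly: `if (Rec2.RecordLength < 4 || WPG_Palette.StartIndex > WPG_Palette.NumOfEntries || (WPG_Palette.NumOfEntries-WPG_Palette.StartIndex) > (Rec2.RecordLength-4)/3) ThrowReaderException(CorruptImageError,InvalidColormapIndex,image);`. The loop below only writes `image->colormap[i]` for `i < NumOfEntries`, which matches the colormap sized from `image->colors`, so the writes themselves stay in bounds; the wrap only affects how much of the blob is consumed. The `if (logging)` → `if(logging)` edit in the first hunk is whitespace only.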

@ -0,0 +1,63 @@
# HG changeset patch
# User fojtik
# Date 1475430071 -7200
# Sun Oct 02 19:41:11 2016 +0200
# Node ID 1cf5808339d9e7e6f10840311e82dc40b0cd8ec6
# Parent 2db735de2bea758981ea130abffc85aaf7893d73
* coders/wpg.c Correctly flip image->blob and rotated_image->blob.
diff --git a/coders/wpg.c b/coders/wpg.c
--- a/coders/wpg.c
+++ b/coders/wpg.c
@@ -935,6 +935,7 @@
unsigned char
*BImgBuff;
+ BlobInfo *TmpBlob;
tCTM CTM; /*current transform matrix*/
@@ -1133,8 +1134,9 @@
rotated_image = FlopImage(image, exception);
if (rotated_image != (Image *) NULL)
{
+ BlobInfo *TmpBlob = rotated_image->blob;
rotated_image->blob = image->blob;
- image->blob = NULL;
+ image->blob = TmpBlob;
(void) RemoveLastImageFromList(&image);
AppendImageToList(&image,rotated_image);
}
@@ -1145,8 +1147,9 @@
rotated_image = FlipImage(image, exception);
if (rotated_image != (Image *) NULL)
{
+ BlobInfo *TmpBlob = rotated_image->blob;
rotated_image->blob = image->blob;
- image->blob = NULL;
+ image->blob = TmpBlob;
(void) RemoveLastImageFromList(&image);
AppendImageToList(&image,rotated_image);
}
@@ -1160,8 +1163,9 @@
exception);
if (rotated_image != (Image *) NULL)
{
+ BlobInfo *TmpBlob = rotated_image->blob;
rotated_image->blob = image->blob;
- image->blob = NULL;
+ image->blob = TmpBlob;
(void) RemoveLastImageFromList(&image);
AppendImageToList(&image,rotated_image);
}
@@ -1316,8 +1320,9 @@
rotated_image = FlopImage(image, exception);
if (rotated_image != (Image *) NULL)
{
+ BlobInfo *TmpBlob = rotated_image->blob;
rotated_image->blob = image->blob;
- image->blob = NULL;
+ image->blob = TmpBlob;
(void) RemoveLastImageFromList(&image);
AppendImageToList(&image,rotated_image);
}
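Review bot: The `BlobInfo *TmpBlob;` added to the declarations in the `@@ -935` hunk appears to be unused: each of the four swap sites (`@@ -1133`, `@@ -1145`, `@@ -1160`, `@@ -1316`) declares its own block-local `BlobInfo *TmpBlob = rotated_image->blob;`, which shadows the outer one and will draw `-Wshadow`/`-Wunused-variable` warnings. Either drop the `+ BlobInfo *TmpBlob;` line or drop the four inner declarations and assign `TmpBlob = rotated_image->blob;` at each site. The swap plus `RemoveLastImageFromList`/`AppendImageToList` sequence is now repeated four times; a static helper taking `Image **image, Image *rotated_image` would keep the rule that each blob stays attached to exactly one image after the swap in one place, with one comment. The enclosing functions start and end outside these hunks, so I cannot confirm the declarations and the swap sites share a scope.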

@ -0,0 +1,24 @@
# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1473538865 18000
# Node ID 0a0dfa81906d1317895de9374ef5132710c3831c
# Parent 3161d55d0c2f73df109a6d184074f39aca78ae8f
SCT: Fix stack-buffer read overflow while reading file header.
diff -r 3161d55d0c2f -r 0a0dfa81906d coders/sct.c
--- a/coders/sct.c Sat Sep 10 13:17:49 2016 -0500
+++ b/coders/sct.c Sat Sep 10 15:21:05 2016 -0500
@@ -188,9 +188,11 @@
break;
if (ReadBlob(image,14,(char *) buffer) != 14)
break;
+ buffer[14]='\0';
image->rows=MagickAtoL(buffer) & 0x7FFFFFFF;
if (ReadBlob(image,14,(char *) buffer) != 14)
break;
+ buffer[14]='\0';
image->columns=MagickAtoL(buffer) & 0x7FFFFFFF;
if (ReadBlob(image,196,(char *) buffer) != 196)
break;
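Review bot: The two `buffer[14]='\0';` lines fix the unterminated `MagickAtoL(buffer)` read but leave the reason implicit, so a later cleanup could drop them; a comment above the first one such as `/* 14-byte ASCII field is not NUL-terminated in the file; terminate it before MagickAtoL() */` would anchor them. They also depend on `buffer` having room for a 15th byte, which the hunk does not show (its declaration is outside the hunk); the later `ReadBlob(image,196,(char *) buffer)` implies it is at least 196 bytes, so the index is in range, but that dependency deserves a note at the declaration. The enclosing function starts and ends outside the hunk.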

@ -0,0 +1,71 @@
# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1473544878 18000
# Node ID b9edafd479b9d2e0976f184a259747efb198dc46
# Parent c53725cb5449ac885536a6a98dc911d8b21a3c54
PCX: Check that filesize is reasonable given header.
--- a/coders/pcx.c Sat Sep 10 16:48:12 2016 -0500
+++ b/coders/pcx.c Sat Sep 10 17:01:18 2016 -0500
@@ -1,5 +1,5 @@
/*
-% Copyright (C) 2003 - 2015 GraphicsMagick Group
+% Copyright (C) 2003 - 2016 GraphicsMagick Group
% Copyright (C) 2002 ImageMagick Studio
% Copyright 1991-1999 E. I. du Pont de Nemours and Company
%
@@ -251,6 +251,9 @@
size_t
pcx_packets;
+ magick_off_t
+ file_size;
+
/*
Open image file.
*/
@@ -292,6 +295,7 @@
if (SeekBlob(image,(ExtendedSignedIntegralType) page_table[0],SEEK_SET)
== -1)
ThrowPCXReaderException(CorruptImageError,ImproperImageHeader,image);
+ file_size=GetBlobSize(image);
count=ReadBlob(image,1,(char *) &pcx_info.identifier);
for (id=1; id < 1024; id++)
{
@@ -455,6 +459,34 @@
if (CheckImagePixelLimits(image, exception) != MagickPass)
ThrowReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
+
+ /*
+ Check that filesize is reasonable given header
+ */
+ {
+ double
+ uncompressed_size;
+
+ uncompressed_size=((double) image->rows*pcx_info.bytes_per_line*pcx_info.planes);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Uncompressed size: %.0f", uncompressed_size);
+ if (pcx_info.encoding == 0)
+ {
+ /* Not compressed */
+ if (uncompressed_size > file_size)
+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+ image);
+ }
+ else
+ {
+ /* RLE compressed */
+ if (uncompressed_size > file_size*254.0)
+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+ image);
+ }
+ }
+
+
/*
Read image data.
*/
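Review bot: The new check `if (uncompressed_size > file_size)` rejects every non-empty image whenever `GetBlobSize(image)` returns 0, which I believe it does for unseekable blobs such as pipes (the hunk does not show this, so please verify), turning a streamed PCX into a `CorruptImageError`; the identical block in the sgi.c hunk of the SGI commit has the same exposure. Guard on a known size: `if (file_size > 0 && uncompressed_size > file_size)` and `if (file_size > 0 && uncompressed_size > file_size*254.0)`. The factor `254.0` is an unexplained magic number; naming it (for example `#define PCX_MAX_RLE_EXPANSION 254.0` with a comment stating the worst-case expansion ratio it assumes) would make the bound reviewable. The enclosing reader function starts and ends outside these hunks.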

@ -0,0 +1,93 @@
# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1473544092 18000
# Node ID c53725cb5449ac885536a6a98dc911d8b21a3c54
# Parent 0a0dfa81906d1317895de9374ef5132710c3831c
SGI: Check that filesize is reasonable given header.
diff -r 0a0dfa81906d -r c53725cb5449 coders/sct.c
--- a/coders/sct.c Sat Sep 10 15:21:05 2016 -0500
+++ b/coders/sct.c Sat Sep 10 16:48:12 2016 -0500
@@ -1,5 +1,5 @@
/*
-% Copyright (C) 2003-2015 GraphicsMagick Group
+% Copyright (C) 2003-2016 GraphicsMagick Group
% Copyright (C) 2002 ImageMagick Studio
% Copyright 1991-1999 E. I. du Pont de Nemours and Company
%
diff -r 0a0dfa81906d -r c53725cb5449 coders/sgi.c
--- a/coders/sgi.c Sat Sep 10 15:21:05 2016 -0500
+++ b/coders/sgi.c Sat Sep 10 16:48:12 2016 -0500
@@ -299,6 +299,9 @@
size_t
bytes_per_pixel;
+ magick_off_t
+ file_size;
+
/*
Open image file.
*/
@@ -314,6 +317,7 @@
Read SGI raster header.
*/
iris_info.magic=ReadBlobMSBShort(image);
+ file_size=GetBlobSize(image);
do
{
/*
@@ -342,7 +346,8 @@
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
" Header: Storage=%u, BPC=%u, Dimension=%u, "
"XSize=%u, YSize=%u, ZSize=%u, PixMin=%u, "
- "PixMax=%u, image_name=\"%.79s\", color_map=%u",
+ "PixMax=%u, image_name=\"%.79s\", color_map=%u, "
+ "file_size=%" MAGICK_OFF_F "d",
(unsigned int) iris_info.storage,
(unsigned int) iris_info.bytes_per_pixel,
(unsigned int) iris_info.dimension,
@@ -352,7 +357,8 @@
iris_info.pix_min,
iris_info.pix_max,
iris_info.image_name,
- iris_info.color_map);
+ iris_info.color_map,
+ file_size);
/*
Validate image header and set image attributes.
@@ -492,6 +498,33 @@
ThrowReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
/*
+ Check that filesize is reasonable given header
+ */
+ {
+ double
+ uncompressed_size;
+
+ uncompressed_size=((double) (iris_info.dimension == 3 ? iris_info.zsize : 1)*
+ image->columns*image->rows*iris_info.bytes_per_pixel);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Uncompressed size: %.0f", uncompressed_size);
+ if (iris_info.storage != 0x01)
+ {
+ /* Not compressed */
+ if (uncompressed_size > file_size)
+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+ image);
+ }
+ else
+ {
+ /* RLE compressed */
+ if (uncompressed_size > file_size*254.0)
+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+ image);
+ }
+ }
+
+ /*
Allocate SGI pixels.
*/
bytes_per_pixel=iris_info.bytes_per_pixel;
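Review bot: The file-size sanity block added at `@@ -492` is a verbatim copy of the one added to coders/pcx.c in the PCX commit, down to the `254.0` factor and the two `InsufficientImageDataInFile` throws; a small shared helper taking the uncompressed size, the blob size and a compressed flag would keep the two in step and give the factor one name and one comment explaining what expansion ratio it assumes. The `(iris_info.dimension == 3 ? iris_info.zsize : 1)` term is the only SGI-specific part and deserves a one-line comment, e.g. `/* zsize only contributes a plane count for 3-dimensional images */` (hedged: I am reading that from the expression, not the format spec). The sct.c hunk in this commit is a copyright-year change only. The enclosing reader function starts and ends outside these hunks.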

@ -24,6 +24,7 @@
# trim changelog included in binary rpms # trim changelog included in binary rpms
%global _changelog_trimtime %(date +%s -d "1 year ago") %global _changelog_trimtime %(date +%s -d "1 year ago")
## FIXME/TODO: update to new style filtering
%{?filter_setup: %{?filter_setup:
%filter_provides_in %{_libdir}/GraphicsMagick-%{version} %filter_provides_in %{_libdir}/GraphicsMagick-%{version}
%filter_setup %filter_setup
@ -32,7 +33,7 @@
Summary: An ImageMagick fork, offering faster image generation and better quality Summary: An ImageMagick fork, offering faster image generation and better quality
Name: GraphicsMagick Name: GraphicsMagick
Version: 1.3.25 Version: 1.3.25
Release: 4%{?dist} Release: 5%{?dist}
License: MIT License: MIT
Group: Applications/Multimedia Group: Applications/Multimedia
@ -40,13 +41,20 @@ Source0: http://downloads.sourceforge.net/sourceforge/graphicsmagick/GraphicsMag
Url: http://www.graphicsmagick.org/ Url: http://www.graphicsmagick.org/
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
## downstream patches
# workaround multilib conflicts with GraphicsMagick-config # workaround multilib conflicts with GraphicsMagick-config
Patch1: GraphicsMagick-1.3.16-multilib.patch Patch100: GraphicsMagick-1.3.16-multilib.patch
## upstreamable patches ## upstreamable patches
Patch50: GraphicsMagick-1.3.14-perl_linkage.patch Patch50: GraphicsMagick-1.3.14-perl_linkage.patch
## upstream patches ## upstream patches
Patch1: GraphicsMagick-CVE-2016-7800.patch
Patch2: GraphicsMagick-CVE-2016-7996.patch
Patch3: GraphicsMagick-CVE-2016-7997.patch
Patch4: GraphicsMagick-CVE-2016-8682.patch
Patch5: GraphicsMagick-CVE-2016-8683.patch
Patch6: GraphicsMagick-CVE-2016-8684.patch
BuildRequires: bzip2-devel BuildRequires: bzip2-devel
BuildRequires: freetype-devel BuildRequires: freetype-devel
@ -160,8 +168,15 @@ however.
%prep %prep
%setup -q %setup -q
%patch1 -p1 -b .multilib %patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch50 -p1 -b .perl_linkage %patch50 -p1 -b .perl_linkage
%patch100 -p1 -b .multilib
for f in ChangeLog.{2006,2008,2009,2012} NEWS.txt ; do for f in ChangeLog.{2006,2008,2009,2012} NEWS.txt ; do
iconv -f iso-8859-2 -t utf8 < $f > $f.utf8 iconv -f iso-8859-2 -t utf8 < $f > $f.utf8
@ -320,6 +335,11 @@ rm -rf %{buildroot}
%changelog %changelog
* Thu Mar 02 2017 Rex Dieter <rdieter@fedoraproject.org> - 1.3.25-5
- CVE-2016-7800 (#1381148)
- CVE-2016-7996, CVE-2016-7997 (#1383223)
- CVE-2016-8682, CVE-2016-8683, CVE-2016-8684 (#1385583)
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.25-4 * Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.25-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
