From f981a6cc3d5dda72cfa45f7506165247959f2597 Mon Sep 17 00:00:00 2001
From: Matthias Clasen
Date: Mon, 23 Jan 2006 14:15:13 +0000
Subject: [PATCH] fix a format string vuln.
---
 ImageMagick-6.2.5-format-string-again.patch | 202 ++++++++++++++++++++
 ImageMagick.spec | 11 +-
 2 files changed, 210 insertions(+), 3 deletions(-)
 create mode 100644 ImageMagick-6.2.5-format-string-again.patch
diff --git a/ImageMagick-6.2.5-format-string-again.patch b/ImageMagick-6.2.5-format-string-again.patch
new file mode 100644
index 0000000..987c514
--- /dev/null
+++ b/ImageMagick-6.2.5-format-string-again.patch
@@ -0,0 +1,202 @@
+diff -r 8a3cbd342315 magick/animate.c
+--- a/magick/animate.c Tue Jan 10 12:11:55 2006 +0100
++++ b/magick/animate.c Tue Jan 10 16:55:22 2006 +0100
+@@ -604,7 +604,7 @@
+ /*
+ Form filename for multi-part images.
+ */
+- (void) FormatMagickString(filename,MaxTextExtent,
++ (void) FormatMagickStringNumeric(filename,MaxTextExtent,
+ image_info->filename,scene);
+ if (LocaleCompare(filename,image_info->filename) == 0)
+ (void) FormatMagickString(filename,MaxTextExtent,"%s[%lu]",
+diff -r 8a3cbd342315 magick/blob.c
+--- a/magick/blob.c Tue Jan 10 12:11:55 2006 +0100
++++ b/magick/blob.c Tue Jan 10 16:55:22 2006 +0100
+@@ -2120,25 +2120,8 @@
+ /*
+ Form filename for multi-part images.
+ */
+- (void) CopyMagickString(filename,image->filename,MaxTextExtent);
+- for (p=strchr(filename,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
+- {
+- char
+- *q;
+-
+- q=p+1;
+- if (*q == '0')
+- (void) strtol(q,&q,10);
+- if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x'))
+- {
+- char
+- format[MaxTextExtent];
+-
+- (void) CopyMagickString(format,p,MaxTextExtent);
+- (void) FormatMagickString(p,MaxTextExtent,format,image->scene);
+- break;
+- }
+- }
++ (void) FormatMagickStringNumeric(filename,MaxTextExtent,image->filename,
++ image->scene);
+ if (image_info->adjoin == MagickFalse)
+ if ((image->previous != (Image *) NULL) ||
+ (GetNextImageInList(image) != (Image *) NULL))
+diff -r 8a3cbd342315 magick/display.c
+--- a/magick/display.c Tue Jan 10 12:11:55 2006 +0100
++++ b/magick/display.c Tue Jan 10 16:55:22 2006 +0100
+@@ -1984,7 +1984,7 @@
+ /*
+ Form filename for multi-part images.
+ */
+- (void) FormatMagickString(filename,MaxTextExtent,
++ (void) FormatMagickStringNumeric(filename,MaxTextExtent,
+ image_info->filename,scene);
+ if (LocaleCompare(filename,image_info->filename) == 0)
+ (void) FormatMagickString(filename,MaxTextExtent,"%s.%lu",
+diff -r 8a3cbd342315 magick/image.c
+--- a/magick/image.c Tue Jan 10 12:11:55 2006 +0100
++++ b/magick/image.c Tue Jan 10 16:55:22 2006 +0100
+@@ -2869,25 +2869,8 @@
+ /*
+ Rectify multi-image file support.
+ */
+- (void) CopyMagickString(filename,image_info->filename,MaxTextExtent);
+- for (p=strchr(filename,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
+- {
+- char
+- *q;
+-
+- q=(char *) p+1;
+- if (*q == '0')
+- (void) strtol(q,&q,10);
+- if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x'))
+- {
+- char
+- format[MaxTextExtent];
+-
+- (void) CopyMagickString(format,p,MaxTextExtent);
+- (void) FormatMagickString(p,MaxTextExtent,format,image_info->scene);
+- break;
+- }
+- }
++ (void) FormatMagickStringNumeric(filename,MaxTextExtent,
++ image_info->filename,image_info->scene);
+ if ((LocaleCompare(filename,image_info->filename) != 0) &&
+ (strchr(filename,'%') == (char *) NULL))
+ image_info->adjoin=MagickFalse;
+diff -r 8a3cbd342315 magick/log.c
+--- a/magick/log.c Tue Jan 10 12:11:55 2006 +0100
++++ b/magick/log.c Tue Jan 10 16:55:22 2006 +0100
+@@ -914,8 +914,8 @@
+ char
+ filename[MaxTextExtent];
+ 
+- (void) FormatMagickString(filename,MaxTextExtent,log_info->filename,
+- log_info->generation % log_info->generations);
++ (void) FormatMagickStringNumeric(filename,MaxTextExtent,
++ log_info->filename,log_info->generation % log_info->generations);
+ log_info->file=fopen(filename,"w");
+ if (log_info->file == (FILE *) NULL)
+ {
+diff -r 8a3cbd342315 magick/montage.c
+--- a/magick/montage.c Tue Jan 10 12:11:55 2006 +0100
++++ b/magick/montage.c Tue Jan 10 16:55:22 2006 +0100
+@@ -530,7 +530,7 @@
+ /*
+ Form filename for multi-part images.
+ */
+- (void) FormatMagickString(filename,MaxTextExtent,
++ (void) FormatMagickStringNumeric(filename,MaxTextExtent,
+ image_info->filename,scene);
+ if (LocaleCompare(filename,image_info->filename) == 0)
+ (void) FormatMagickString(filename,MaxTextExtent,"%s.%lu",
+diff -r 8a3cbd342315 magick/string.c
+--- a/magick/string.c Tue Jan 10 12:11:55 2006 +0100
++++ b/magick/string.c Tue Jan 10 16:55:22 2006 +0100
+@@ -953,6 +953,75 @@
+ return((StringInfo *) NULL);
+ }
+ return(string_info);
++}
++
++/*
++%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
++% %
++% %
++% %
++% F o r m a t M a g i c k S t r i n g N u m e r i c %
++% %
++% %
++% %
++%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
++%
++% Method FormatMagickStringNumeric formats output for a single numeric
++% argument. It takes into account that the format string given might be
++% untrusted user input, and returns the length of the formatted string.
++%
++% The format of the FormatMagickStringNumeric method is:
++%
++% long FormatMagickStringNumeric(char *string,const size_t length,
++% const char *format,int value)
++%
++% A description of each parameter follows.
++%
++% o string: FormatMagickStringNumeric() returns the formatted string in this
++% character buffer.
++%
++% o length: The maximum length of the string.
++%
++% o format: A string describing the format to use to write the numeric
++% argument. Only the first numeric format identifier is replaced.
++%
++% o value: Numeric value to substitute into format string.
++%
++%
++*/
++MagickExport long FormatMagickStringNumeric(char *string,const size_t length,const char *format,int value)
++{
++ char
++ *p;
++
++ (void) CopyMagickString(string, format, length);
++
++ for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
++ {
++ char
++ *q;
++
++ q=(char *) p+1;
++ if (*q == '0')
++ (void) strtol(q,&q,10);
++ if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x'))
++ {
++ char
++ c;
++
++ q++;
++ c=*q;
++ *q='\0';
++ (void) snprintf(string+(p-format),length-(p-format),p,value);
++ *q=c;
++ (void) ConcatenateMagickString(string,q,length);
++ if (*(q-1) == '%')
++ p++;
++ else
++ break;
++ }
++ }
++ return (long)strlen(string);
+ }
+ 
+ /*
+diff -r 8a3cbd342315 magick/string_.h
+--- a/magick/string_.h Tue Jan 10 12:11:55 2006 +0100
++++ b/magick/string_.h Tue Jan 10 16:55:22 2006 +0100
+@@ -60,6 +60,7 @@
+ magick_attribute((format (printf,3,4))),
+ FormatMagickStringList(char *,const size_t,const char *,va_list)
+ magick_attribute((format (printf,3,0))),
++ FormatMagickStringNumeric(char *,const size_t,const char *,int),
+ LocaleCompare(const char *,const char *),
+ LocaleNCompare(const char *,const char *,const size_t);
+ 
diff --git a/ImageMagick.spec b/ImageMagick.spec
index 5b97cf9..d4f47b9 100644
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@@ -9,7 +9,7 @@ Version: %{VER}.%{Patchlevel}
 %else
 Version: %{VER}
 %endif
-Release: 1.1
+Release: 2
 License: freeware
 Group: Applications/Multimedia
 %if "%{Patchlevel}" != ""
@@ -18,7 +18,8 @@ Source: ftp://ftp.ImageMagick.org/pub/ImageMagick/ImageMagick-%{VER}-%{Patchleve
 Source: ftp://ftp.ImageMagick.org/pub/ImageMagick/ImageMagick-%{version}.tar.bz2
 %endif
 Source1: magick_small.png
-Patch4: ImageMagick-6.2.1-local_doc.patch
+Patch1: ImageMagick-6.2.1-local_doc.patch
+Patch2: ImageMagick-6.2.5-format-string-again.patch
 Url: http://www.imagemagick.org/
 Buildroot: %{_tmppath}/%{name}-%{version}-root
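Review bot: In the new FormatMagickStringNumeric (string.c hunk) the output position is derived from the format, `string+(p-format)`, but after a `%%` has been collapsed to one `%` the output is a byte shorter than the format, so a following `%d` is written one position too far (constructed example: format `a%%b%d` with value 7 produces `a%b%7` instead of `a%b7`). The size passed to that same snprintf, `length-(p-format)`, underflows to a huge size_t whenever `format` is at least `length` bytes long, because CopyMagickString truncated `string` while `p` keeps walking the full `format`; a bound check is needed before the write. The `*q='\0'`/`*q=c` pair also writes through the cast-away `const` into the caller's format buffer, which is harmless for the filename arrays the callers pass but would fault on a string literal. The rewrite below computes the offset from what has already been emitted, copies the single conversion spec into a local buffer instead of mutating `format`, and stops on truncation or an out-of-range offset; it assumes CopyMagickString takes a strlcpy-style size argument, as the hunk's own `CopyMagickString(format,p,MaxTextExtent)` suggests.
```c
MagickExport long FormatMagickStringNumeric(char *string,const size_t length,
  const char *format,int value)
{
  const char
    *p;

  (void) CopyMagickString(string,format,length);
  for (p=strchr(format,'%'); p != (const char *) NULL; p=strchr(p+1,'%'))
  {
    char
      spec[MaxTextExtent],
      *end;

    const char
      *q;

    size_t
      offset,
      tail;

    q=p+1;
    if (*q == '0')
      {
        (void) strtol(q,&end,10);
        q=end;
      }
    if ((*q != '%') && (*q != 'd') && (*q != 'o') && (*q != 'x'))
      continue;
    q++;
    /*
      Everything before p has already been emitted, so p maps to
      strlen(string)-strlen(p) in the output; p-format is wrong once a
      "%%" has been collapsed.  Stop on truncation or an oversized spec.
    */
    offset=strlen(string);
    tail=strlen(p);
    if ((tail > offset) || (offset >= length) ||
        ((size_t) (q-p) >= sizeof(spec)))
      break;
    offset-=tail;
    (void) CopyMagickString(spec,p,(size_t) (q-p)+1);
    (void) snprintf(string+offset,length-offset,spec,value);
    (void) ConcatenateMagickString(string,q,length);
    if (*(q-1) != '%')
      break;
    p++;
  }
  return((long) strlen(string));
}
```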
@@ -111,7 +112,8 @@ however.
 %prep
 %setup -q -n %{name}-%{VER}
-%patch4 -p1 -b .local_doc
+%patch1 -p1 -b .local_doc
+%patch2 -p1 -b .format-string-again
 %build
 %configure --enable-shared \
@@ -222,6 +224,9 @@ rm -rf $RPM_BUILD_ROOT
 %doc PerlMagick/demo/ PerlMagick/Changelog PerlMagick/README.txt
 %changelog
+* Mon Jan 9 2006 Matthias Clasen 6.2.5.4-2
+- fix a format string vulnerability (CVE-2006-0082)
+
 * Fri Dec 09 2005 Jesse Keating
 - rebuilt