aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFrancesco Colista <fcolista@alpinelinux.org>2017-09-05 12:27:22 +0000
committerFrancesco Colista <fcolista@alpinelinux.org>2017-09-05 12:27:28 +0000
commit4e1efd4523532a706d2af48c1a6f6740cb2d2edb (patch)
tree1c78b459cdaad503e078ab6dc5d8d9bf3d13d86e
parent49794390171fe37829d0f4f162823b43917116dc (diff)
downloadaports-4e1efd4523532a706d2af48c1a6f6740cb2d2edb.tar.bz2
aports-4e1efd4523532a706d2af48c1a6f6740cb2d2edb.tar.xz
community/graphicsmagick: secfixes for CVE-2017-13775, CVE-2017-13776, CVE-2017-13777. Fixes #7789
-rw-r--r--community/graphicsmagick/APKBUILD29
-rw-r--r--community/graphicsmagick/CVE-2017-13775.patch182
-rw-r--r--community/graphicsmagick/CVE-2017-13776-13777.patch165
3 files changed, 363 insertions, 13 deletions
diff --git a/community/graphicsmagick/APKBUILD b/community/graphicsmagick/APKBUILD
index 778e0cbb0f..1ac42c64f5 100644
--- a/community/graphicsmagick/APKBUILD
+++ b/community/graphicsmagick/APKBUILD
@@ -2,15 +2,12 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=graphicsmagick
pkgver=1.3.26
-pkgrel=2
+pkgrel=3
pkgdesc="Image processing system"
url="http://www.graphicsmagick.org/"
arch="all"
license="MIT"
-depends=""
-depends_dev="jasper-dev libpng-dev tiff-dev libxml2-dev libwmf-dev"
-makedepends="$depends_dev libtool libltdl"
-install=""
+makedepends="jasper-dev libpng-dev tiff-dev libxml2-dev libwmf-dev libtool libltdl"
subpackages="$pkgname-dev $pkgname-doc"
source="http://downloads.sourceforge.net/$pkgname/$pkgname/$pkgver/GraphicsMagick-$pkgver.tar.xz
CVE-2017-11642.patch
@@ -18,12 +15,17 @@ source="http://downloads.sourceforge.net/$pkgname/$pkgname/$pkgver/GraphicsMagic
CVE-2017-12935.patch
CVE-2017-12936.patch
CVE-2017-12937.patch
- CVE-2017-13063-13064.patch"
-options="libtool"
-
+ CVE-2017-13063-13064.patch
+ CVE-2017-13775.patch
+ CVE-2017-13776-13777.patch"
+options="libtool !check"
builddir="$srcdir"/GraphicsMagick-$pkgver
# security fixes:
+# 1.3.26-r3:
+# - CVE-2017-13775
+# - CVE-2017-13776
+# - CVE-2017-13777
# 1.3.26-r2:
# - CVE-2017-11642
# - CVE-2017-11722
@@ -50,14 +52,13 @@ build() {
--with-modules \
--with-threads \
--with-gs-font-dir=/usr/share/fonts/Type1 \
- --with-quantum-depth=16 \
- || return 1
- make || return 1
+ --with-quantum-depth=16
+ make
}
package() {
cd "$builddir"
- make DESTDIR="$pkgdir" install || return 1
+ make DESTDIR="$pkgdir" install
}
sha512sums="b33ca0f1c858428693aee27a9089acff9e63d1110f85fa036894cfefe6274e7b2422758ea39852f94fdb4823c9c3f3c44b0d8906627503301f5928096f739f22 GraphicsMagick-1.3.26.tar.xz
@@ -66,4 +67,6 @@ f9167ad79f54fc3881d81b9b5cb5b84f38e847103c6945af4fda516d6696ff8e95ec48cbae84161f
2cb2ee3f88a835dff63c903bd215abb09c1812fedecbbb19c228fd2680c5762c6a20e6be1497c0fc3ed7a9b16eac6e7fe7f0fc9da4f6ef3e90fe75a049085ca7 CVE-2017-12935.patch
b78b61d7b29c2316ecefe69c473b1aa1e93185e0da245f7cf2d351566ff737bce8e560e9b471334549e4ab76bc8752717f403e7afa9d393bdd64e191f8abbb9c CVE-2017-12936.patch
508ceee0aa73744e9b36c6e60b071d4dc4a5254b4d5265c4ee2bde317713b831db8958667fac44aa1e89b3cc8094027cade368f10f7f5f3d1a2980c2a70d516d CVE-2017-12937.patch
-262434bab04541c276728111c9ec5d92abbb68e980813a50712d03505f3d3c4681b4daf02fd22e4ba11ed0daf5b553e4a47291c43f4c146554f1809292b73441 CVE-2017-13063-13064.patch"
+262434bab04541c276728111c9ec5d92abbb68e980813a50712d03505f3d3c4681b4daf02fd22e4ba11ed0daf5b553e4a47291c43f4c146554f1809292b73441 CVE-2017-13063-13064.patch
+b15d1c71a4f7e15cbc6a6a83590c99dfaf20d25f08e07a1ea8ff08f9e0f92d55da3a0afc86a259f88cae01ec0fa21c9b555a9085aae24f4bf3d36c48b29d56e5 CVE-2017-13775.patch
+f23c5e7d8e5c9e670ceb27b7e027910f181107033ec86538ce9778a2d37c29964008d5d8774bf59d4b45126b36630d73dc460636bfc55ab72ca64eefaae1768e CVE-2017-13776-13777.patch"
diff --git a/community/graphicsmagick/CVE-2017-13775.patch b/community/graphicsmagick/CVE-2017-13775.patch
new file mode 100644
index 0000000000..d627db2743
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-13775.patch
@@ -0,0 +1,182 @@
+diff -r 198ea602ea7c -r b037d79b6ccd coders/jnx.c
+--- a/coders/jnx.c Tue Aug 22 08:08:30 2017 -0500
++++ b/coders/jnx.c Sat Aug 26 14:14:13 2017 -0500
+@@ -1,5 +1,5 @@
+ /*
+-% Copyright (C) 2012-2015 GraphicsMagick Group
++% Copyright (C) 2012-2017 GraphicsMagick Group
+ %
+ % This program is covered by multiple licenses, which are described in
+ % Copyright.txt. You should have received a copy of Copyright.txt with this
+@@ -100,6 +100,7 @@
+
+ char img_label_str[MaxTextExtent];
+
++
+ alloc_size = TileInfo->PicSize + 2;
+
+ if (image->logging)
+@@ -242,6 +243,9 @@
+ total_tiles,
+ current_tile;
+
++ magick_off_t
++ file_size;
++
+ /* Open image file. */
+ assert(image_info != (const ImageInfo *) NULL);
+ assert(image_info->signature == MagickSignature);
+@@ -254,9 +258,8 @@
+ if (status == False)
+ ThrowReaderException(FileOpenError, UnableToOpenFile, image);
+
+- memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo));
+-
+ /* Read JNX image header. */
++ (void) memset(&JNXHeader, 0, sizeof(JNXHeader));
+ JNXHeader.Version = ReadBlobLSBLong(image);
+ if (JNXHeader.Version > 4)
+ ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
+@@ -266,8 +269,6 @@
+ JNXHeader.MapBounds.SouthWest.lat = ReadBlobLSBLong(image);
+ JNXHeader.MapBounds.SouthWest.lon = ReadBlobLSBLong(image);
+ JNXHeader.Levels = ReadBlobLSBLong(image);
+- if (JNXHeader.Levels > 20)
+- ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
+ JNXHeader.Expiration = ReadBlobLSBLong(image);
+ JNXHeader.ProductID = ReadBlobLSBLong(image);
+ JNXHeader.CRC = ReadBlobLSBLong(image);
+@@ -279,7 +280,41 @@
+ if (EOFBlob(image))
+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+
++ file_size = GetBlobSize(image);
++
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "JNX Header:\n"
++ " Version: %u\n"
++ " DeviceSN: %u\n"
++ " MapBounds:\n"
++ " NorthEast: lat = %u, lon = %u\n"
++ " SouthWest: lat = %u, lon = %u\n"
++ " Levels: %u\n"
++ " Expiration: %u\n"
++ " ProductID: %u\n"
++ " CRC: %u\n"
++ " SigVersion: %u\n"
++ " SigOffset: %u\n"
++ " ZOrder: %u",
++ JNXHeader.Version,
++ JNXHeader.DeviceSN,
++ JNXHeader.MapBounds.NorthEast.lat,
++ JNXHeader.MapBounds.NorthEast.lon,
++ JNXHeader.MapBounds.SouthWest.lat,
++ JNXHeader.MapBounds.SouthWest.lon,
++ JNXHeader.Levels,
++ JNXHeader.Expiration,
++ JNXHeader.ProductID,
++ JNXHeader.CRC,
++ JNXHeader.SigVersion,
++ JNXHeader.SigOffset,
++ JNXHeader.ZOrder);
++
++ if (JNXHeader.Levels > 20)
++ ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
++
+ /* Read JNX image level info. */
++ memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo));
+ total_tiles = 0;
+ current_tile = 0;
+ for (i = 0; i < JNXHeader.Levels; i++)
+@@ -302,11 +337,23 @@
+ {
+ JNXLevelInfo[i].Copyright = NULL;
+ }
++
++ if (EOFBlob(image))
++ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
++
++ if (image->logging)
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "Level[%u] Info:"
++ " TileCount: %4u"
++ " TilesOffset: %6u"
++ " Scale: %04u",
++ i,
++ JNXLevelInfo[i].TileCount,
++ JNXLevelInfo[i].TilesOffset,
++ JNXLevelInfo[i].Scale
++ );
+ }
+
+- if (EOFBlob(image))
+- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+-
+ /* Get the current limit */
+ SaveLimit = GetMagickResourceLimit(MapResource);
+
+@@ -316,11 +363,32 @@
+ /* Read JNX image data. */
+ for (i = 0; i < JNXHeader.Levels; i++)
+ {
++ /*
++ Validate TileCount against remaining file data
++ */
++ const magick_off_t current_offset = TellBlob(image);
++ const size_t pos_list_entry_size =
++ sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + sizeof(magick_uint32_t) +
++ sizeof(magick_uint32_t) + sizeof(magick_uint16_t) + sizeof(magick_uint16_t) +
++ sizeof(magick_uint32_t) + sizeof(magick_uint32_t);
++ const magick_off_t remaining = file_size-current_offset;
++ const size_t needed = MagickArraySize(pos_list_entry_size,JNXLevelInfo[i].TileCount);
++
++ if ((needed == 0U) || (remaining <= 0) || (remaining < (magick_off_t) needed))
++ {
++ (void) SetMagickResourceLimit(MapResource, SaveLimit);
++ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
++ }
++
+ PositionList = MagickAllocateArray(TJNXTileInfo *,
+ JNXLevelInfo[i].TileCount,
+ sizeof(TJNXTileInfo));
+ if (PositionList == NULL)
+- continue;
++ {
++ (void) SetMagickResourceLimit(MapResource, SaveLimit);
++ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
++ image);
++ }
+
+ (void) SeekBlob(image, JNXLevelInfo[i].TilesOffset, SEEK_SET);
+ for (j = 0; j < JNXLevelInfo[i].TileCount; j++)
+@@ -333,12 +401,15 @@
+ PositionList[j].PicHeight = ReadBlobLSBShort(image);
+ PositionList[j].PicSize = ReadBlobLSBLong(image);
+ PositionList[j].PicOffset = ReadBlobLSBLong(image);
+- }
+
+- if (EOFBlob(image))
+- {
+- MagickFreeMemory(PositionList);
+- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
++ if (EOFBlob(image) ||
++ ((magick_off_t) PositionList[j].PicOffset +
++ PositionList[j].PicSize > file_size))
++ {
++ (void) SetMagickResourceLimit(MapResource, SaveLimit);
++ MagickFreeMemory(PositionList);
++ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
++ }
+ }
+
+ for (j = 0; j < JNXLevelInfo[i].TileCount; j++)
+@@ -351,6 +422,9 @@
+ image = ExtractTileJPG(image, image_info, PositionList+j, exception);
+ (void) SetMonitorHandler(previous_handler);
+
++ if (exception->severity >= ErrorException)
++ break;
++
+ current_tile++;
+ if (QuantumTick(current_tile,total_tiles))
+ if (!MagickMonitorFormatted(current_tile,total_tiles,exception,
diff --git a/community/graphicsmagick/CVE-2017-13776-13777.patch b/community/graphicsmagick/CVE-2017-13776-13777.patch
new file mode 100644
index 0000000000..d1ecbba678
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-13776-13777.patch
@@ -0,0 +1,165 @@
+diff -r b037d79b6ccd -r 233a720bfd5e coders/xbm.c
+--- a/coders/xbm.c Sat Aug 26 14:14:13 2017 -0500
++++ b/coders/xbm.c Sat Aug 26 15:26:15 2017 -0500
+@@ -1,5 +1,5 @@
+ /*
+-% Copyright (C) 2003 -2012 GraphicsMagick Group
++% Copyright (C) 2003-2017 GraphicsMagick Group
+ % Copyright (C) 2002 ImageMagick Studio
+ % Copyright 1991-1999 E. I. du Pont de Nemours and Company
+ %
+@@ -121,13 +121,15 @@
+
+ static int XBMInteger(Image *image,short int *hex_digits)
+ {
++ unsigned int
++ flag;
++
+ int
+ c,
+- flag,
+ value;
+
+ value=0;
+- flag=0;
++ flag=0U;
+ for ( ; ; )
+ {
+ c=ReadBlobByte(image);
+@@ -158,18 +160,14 @@
+ Image
+ *image;
+
+- int
+- bit;
+-
+- long
+- y;
+-
+ register IndexPacket
+ *indexes;
+
+- register long
++ register size_t
++ bytes_per_line,
+ i,
+- x;
++ x,
++ y;
+
+ register PixelPacket
+ *q;
+@@ -177,22 +175,24 @@
+ register unsigned char
+ *p;
+
+- short int
+- hex_digits[256];
+-
+ unsigned char
+ *data;
+
+ unsigned int
++ bit,
++ byte,
++ padding,
++ version;
++
++ int
++ value;
++
++ short int
++ hex_digits[256];
++
++ MagickPassFail
+ status;
+
+- unsigned long
+- byte,
+- bytes_per_line,
+- padding,
+- value,
+- version;
+-
+ /*
+ Open image file.
+ */
+@@ -207,6 +207,8 @@
+ /*
+ Read X bitmap header.
+ */
++ (void) memset(buffer,0,sizeof(buffer));
++ name[0]='\0';
+ while (ReadBlobString(image,buffer) != (char *) NULL)
+ if (sscanf(buffer,"#define %s %lu",name,&image->columns) == 2)
+ if ((strlen(name) >= 6) &&
+@@ -278,6 +280,8 @@
+ /*
+ Initialize hex values.
+ */
++ for (i = 0; i < sizeof(hex_digits)/sizeof(hex_digits[0]); i++)
++ hex_digits[i]=(-1);
+ hex_digits['0']=0;
+ hex_digits['1']=1;
+ hex_digits['2']=2;
+@@ -311,40 +315,50 @@
+ */
+ p=data;
+ if (version == 10)
+- for (i=0; i < (long) (bytes_per_line*image->rows); (i+=2))
++ for (i=0; i < (bytes_per_line*image->rows); (i+=2))
+ {
+ value=XBMInteger(image,hex_digits);
++ if (value < 0)
++ {
++ MagickFreeMemory(data);
++ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
++ }
+ *p++=(unsigned char) value;
+ if (!padding || ((i+2) % bytes_per_line))
+ *p++=(unsigned char) (value >> 8);
+ }
+ else
+- for (i=0; i < (long) (bytes_per_line*image->rows); i++)
++ for (i=0; i < (bytes_per_line*image->rows); i++)
+ {
+ value=XBMInteger(image,hex_digits);
++ if (value < 0)
++ {
++ MagickFreeMemory(data);
++ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
++ }
+ *p++=(unsigned char) value;
+ }
+ /*
+ Convert X bitmap image to pixel packets.
+ */
+ p=data;
+- for (y=0; y < (long) image->rows; y++)
++ for (y=0; y < image->rows; y++)
+ {
+ q=SetImagePixels(image,0,y,image->columns,1);
+ if (q == (PixelPacket *) NULL)
+ break;
+ indexes=AccessMutableIndexes(image);
+- bit=0;
+- byte=0;
+- for (x=0; x < (long) image->columns; x++)
++ bit=0U;
++ byte=0U;
++ for (x=0; x < image->columns; x++)
+ {
+- if (bit == 0)
++ if (bit == 0U)
+ byte=(*p++);
+ indexes[x]=byte & 0x01 ? 0x01 : 0x00;
+ bit++;
+- byte>>=1;
+- if (bit == 8)
+- bit=0;
++ byte>>=1U;
++ if (bit == 8U)
++ bit=0U;
+ }
+ if (!SyncImagePixels(image))
+ break;