diff options
Diffstat (limited to 'community')
| -rw-r--r-- | community/graphicsmagick/APKBUILD | 25 | ||||
| -rw-r--r-- | community/graphicsmagick/CVE-2017-13063-13064-13065.patch (renamed from community/graphicsmagick/CVE-2017-13063-13064.patch) | 0 | ||||
| -rw-r--r-- | community/graphicsmagick/CVE-2017-13648.patch | 23 | ||||
| -rw-r--r-- | community/graphicsmagick/CVE-2017-14042.patch | 77 | ||||
| -rw-r--r-- | community/graphicsmagick/CVE-2017-14103.patch | 137 | ||||
| -rw-r--r-- | community/graphicsmagick/CVE-2017-14165.patch | 68 |
6 files changed, 325 insertions, 5 deletions
diff --git a/community/graphicsmagick/APKBUILD b/community/graphicsmagick/APKBUILD index a04220609b..14788a2351 100644 --- a/community/graphicsmagick/APKBUILD +++ b/community/graphicsmagick/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Francesco Colista <fcolista@alpinelinux.org> pkgname=graphicsmagick pkgver=1.3.26 -pkgrel=4 +pkgrel=5 pkgdesc="Image processing system" url="http://www.graphicsmagick.org/" arch="all" @@ -15,13 +15,24 @@ source="http://downloads.sourceforge.net/$pkgname/$pkgname/$pkgver/GraphicsMagic CVE-2017-12935.patch CVE-2017-12936.patch CVE-2017-12937.patch - CVE-2017-13063-13064.patch + CVE-2017-13063-13064-13065.patch + CVE-2017-13648.patch CVE-2017-13775.patch - CVE-2017-13776-13777.patch" + CVE-2017-13776-13777.patch + CVE-2017-14103.patch + CVE-2017-14042.patch + CVE-2017-14165.patch" options="libtool !check" builddir="$srcdir"/GraphicsMagick-$pkgver # security fixes: +# 1.3.26-r5: +# - CVE-2017-13065 +# - CVE-2017-13648 +# - CVE-2017-14042 +# - CVE-2017-14103 +# - CVE-2017-14165 + # 1.3.26-r3: # - CVE-2017-13775 # - CVE-2017-13776 @@ -68,6 +79,10 @@ f9167ad79f54fc3881d81b9b5cb5b84f38e847103c6945af4fda516d6696ff8e95ec48cbae84161f 2cb2ee3f88a835dff63c903bd215abb09c1812fedecbbb19c228fd2680c5762c6a20e6be1497c0fc3ed7a9b16eac6e7fe7f0fc9da4f6ef3e90fe75a049085ca7 CVE-2017-12935.patch b78b61d7b29c2316ecefe69c473b1aa1e93185e0da245f7cf2d351566ff737bce8e560e9b471334549e4ab76bc8752717f403e7afa9d393bdd64e191f8abbb9c CVE-2017-12936.patch 508ceee0aa73744e9b36c6e60b071d4dc4a5254b4d5265c4ee2bde317713b831db8958667fac44aa1e89b3cc8094027cade368f10f7f5f3d1a2980c2a70d516d CVE-2017-12937.patch -262434bab04541c276728111c9ec5d92abbb68e980813a50712d03505f3d3c4681b4daf02fd22e4ba11ed0daf5b553e4a47291c43f4c146554f1809292b73441 CVE-2017-13063-13064.patch +262434bab04541c276728111c9ec5d92abbb68e980813a50712d03505f3d3c4681b4daf02fd22e4ba11ed0daf5b553e4a47291c43f4c146554f1809292b73441 CVE-2017-13063-13064-13065.patch +01cebf614e38f4a80dea508ac03f9a6bba9113fba0bcf66cd6808257ba18957e54e21d728c6c6f201513682696939cde5a29791e42d8eae4bbbca2a787543ecd CVE-2017-13648.patch b15d1c71a4f7e15cbc6a6a83590c99dfaf20d25f08e07a1ea8ff08f9e0f92d55da3a0afc86a259f88cae01ec0fa21c9b555a9085aae24f4bf3d36c48b29d56e5 CVE-2017-13775.patch -f23c5e7d8e5c9e670ceb27b7e027910f181107033ec86538ce9778a2d37c29964008d5d8774bf59d4b45126b36630d73dc460636bfc55ab72ca64eefaae1768e CVE-2017-13776-13777.patch" +f23c5e7d8e5c9e670ceb27b7e027910f181107033ec86538ce9778a2d37c29964008d5d8774bf59d4b45126b36630d73dc460636bfc55ab72ca64eefaae1768e CVE-2017-13776-13777.patch +7abbd2edcd3dc029b359ad19e0f9eb406805ee4d5d4847f36f3709e0ed43164c20105b3fae7ef22a8dc2c89804f708ba41e7f800cfe5d2bf47dfbb19683978ef CVE-2017-14103.patch +d19741e0e6ae181ab74f0a5a9b8fc72b69eb4107bb34573a34d6e701622dffe73e3d723dd512ba24aae9ca321897a91e0715c74617aa74500deac867c6bbe852 CVE-2017-14042.patch +91df1ec37345fe054f190dc1a0fef759380502b9a211bd61a1c48f7efcebbbf31a6abc8e64c7e3180af559800defdde03e4cfa14c6bf42afb8e5a1088ad44cb9 CVE-2017-14165.patch" diff --git a/community/graphicsmagick/CVE-2017-13063-13064.patch b/community/graphicsmagick/CVE-2017-13063-13064-13065.patch index ce35e0623c..ce35e0623c 100644 --- a/community/graphicsmagick/CVE-2017-13063-13064.patch +++ b/community/graphicsmagick/CVE-2017-13063-13064-13065.patch diff --git a/community/graphicsmagick/CVE-2017-13648.patch b/community/graphicsmagick/CVE-2017-13648.patch new file mode 100644 index 0000000000..f27c313ce1 --- /dev/null +++ b/community/graphicsmagick/CVE-2017-13648.patch @@ -0,0 +1,23 @@ + +# HG changeset patch +# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> +# Date 1505397055 18000 +# Node ID a0e598438aa970f237fa9b35edce0728cc144f29 +# Parent cadd4b0522fa8b6b6e8ea6a5a9b4a5baebc1b011 +MAT: Fix under-sized allocation leading to heap overflow. + +diff -r cadd4b0522fa -r a0e598438aa9 coders/mat.c +--- a/coders/mat.c Wed Sep 13 10:28:42 2017 -0400 ++++ b/coders/mat.c Thu Sep 14 08:50:55 2017 -0500 +@@ -1050,9 +1050,10 @@ + } + + /* ----- Load raster data ----- */ +- BImgBuff = MagickAllocateMemory(unsigned char *,(size_t) (ldblk)); /* Ldblk was set in the check phase */ ++ BImgBuff = MagickAllocateArray(unsigned char *,(size_t) (ldblk),sizeof(double)); /* Ldblk was set in the check phase */ + if (BImgBuff == NULL) + goto NoMemory; ++ (void) memset(BImgBuff,0,ldblk*sizeof(double)); + + if (CellType==miDOUBLE) /* Find Min and Max Values for floats */ + { diff --git a/community/graphicsmagick/CVE-2017-14042.patch b/community/graphicsmagick/CVE-2017-14042.patch new file mode 100644 index 0000000000..524632a1ed --- /dev/null +++ b/community/graphicsmagick/CVE-2017-14042.patch @@ -0,0 +1,77 @@ + +# HG changeset patch +# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> +# Date 1503268616 18000 +# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072 +# Parent 83a5b946180835f260bcb91e3d06327a8e2577e3 +PNM: For binary formats, verify sufficient backing file data before memory request. + +diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c +--- a/coders/pnm.c Sun Aug 20 17:31:35 2017 -0500 ++++ b/coders/pnm.c Sun Aug 20 17:36:56 2017 -0500 +@@ -569,7 +569,7 @@ + (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u", + image->colors); + } +- number_pixels=image->columns*image->rows; ++ number_pixels=MagickArraySize(image->columns,image->rows); + if (number_pixels == 0) + ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image); + if (image->storage_class == PseudoClass) +@@ -858,14 +858,14 @@ + if (1 == bits_per_sample) + { + /* PBM */ +- bytes_per_row=((image->columns+7) >> 3); ++ bytes_per_row=((image->columns+7U) >> 3); + import_options.grayscale_miniswhite=MagickTrue; + quantum_type=GrayQuantum; + } + else + { + /* PGM & XV_332 */ +- bytes_per_row=((bits_per_sample+7)/8)*image->columns; ++ bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns); + if (XV_332_Format == format) + { + quantum_type=IndexQuantum; +@@ -878,7 +878,8 @@ + } + else + { +- bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns; ++ bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel), ++ image->columns); + if (3 == samples_per_pixel) + { + /* PPM */ +@@ -915,6 +916,28 @@ + is_monochrome=MagickFalse; + } + } ++ ++ /* Validate file size before allocating memory */ ++ if (BlobIsSeekable(image)) ++ { ++ const magick_off_t file_size = GetBlobSize(image); ++ const magick_off_t current_offset = TellBlob(image); ++ if ((file_size > 0) && ++ (current_offset > 0) && ++ (file_size > current_offset)) ++ { ++ const magick_off_t remaining = file_size-current_offset; ++ const magick_off_t needed = (magick_off_t) image->rows * ++ (magick_off_t) bytes_per_row; ++ if ((remaining < (magick_off_t) bytes_per_row) || ++ (remaining < needed)) ++ { ++ ThrowException(exception,CorruptImageError,UnexpectedEndOfFile, ++ image->filename); ++ break; ++ } ++ } ++ } + + scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1); + if (scanline_set == (ThreadViewDataSet *) NULL) + diff --git a/community/graphicsmagick/CVE-2017-14103.patch b/community/graphicsmagick/CVE-2017-14103.patch new file mode 100644 index 0000000000..dbcaea1343 --- /dev/null +++ b/community/graphicsmagick/CVE-2017-14103.patch @@ -0,0 +1,137 @@ +http://www.openwall.com/lists/oss-security/2017/09/01/6 + +CVE-2017-11403: +http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37 + +CVE-2017-14103: +http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f + +some changes were made to make the patch apply + +# HG changeset patch +# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com> +# Date 1503875721 14400 +# Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2 +# Parent f0f2ea85a2930f3b6dcd72352719adb9660f2aad +Attempt to fix Issue 440. + +diff -ru a/coders/png.c b/coders/png.c +--- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500 ++++ b/coders/png.c 2017-09-10 11:31:56.543194173 -0400 +@@ -3106,7 +3106,9 @@ + if (length > PNG_MAX_UINT || count == 0) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(CorruptImageError,CorruptImage,image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ "chunk length (%lu) > PNG_MAX_UINT",length); ++ return ((Image*)NULL); + } + + chunk=(unsigned char *) NULL; +@@ -3117,13 +3119,16 @@ + if (chunk == (unsigned char *) NULL) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, +- image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " Could not allocate chunk memory"); ++ return ((Image*)NULL); + } + if (ReadBlob(image,length,chunk) < length) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(CorruptImageError,CorruptImage,image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " chunk reading was incomplete"); ++ return ((Image*)NULL); + } + p=chunk; + } +@@ -3198,7 +3203,7 @@ + jng_width, jng_height); + MagickFreeMemory(chunk); + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(CorruptImageError,ImproperImageHeader,image); ++ return ((Image *)NULL); + } + + /* Temporarily set width and height resources to match JHDR */ +@@ -3233,8 +3238,9 @@ + if (color_image == (Image *) NULL) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, +- image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " could not open color_image blob"); ++ return ((Image *)NULL); + } + if (logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), +@@ -3245,7 +3251,9 @@ + if (status == MagickFalse) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(CoderError,UnableToOpenBlob,color_image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " could not open color_image blob"); ++ return ((Image *)NULL); + } + + if (!image_info->ping && jng_color_type >= 12) +@@ -3255,17 +3263,18 @@ + if (alpha_image_info == (ImageInfo *) NULL) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(ResourceLimitError, +- MemoryAllocationFailed, image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " could not allocate alpha_image_info",length); ++ return ((Image *)NULL); + } + GetImageInfo(alpha_image_info); + alpha_image=AllocateImage(alpha_image_info); + if (alpha_image == (Image *) NULL) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(ResourceLimitError, +- MemoryAllocationFailed, +- alpha_image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " could not allocate alpha_image"); ++ return ((Image *)NULL); + } + if (logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), +@@ -3277,7 +3286,9 @@ + { + DestroyJNGInfo(color_image_info,alpha_image_info); + DestroyImage(alpha_image); +- ThrowReaderException(CoderError,UnableToOpenBlob,image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " could not allocate alpha_image blob"); ++ return ((Image *)NULL); + } + if (jng_alpha_compression_method == 0) + { +@@ -3613,6 +3624,8 @@ + alpha_image = (Image *)NULL; + DestroyImageInfo(alpha_image_info); + alpha_image_info = (ImageInfo *)NULL; ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " Destroy the JNG image"); + DestroyImage(jng_image); + jng_image = (Image *)NULL; + } +@@ -5146,8 +5159,8 @@ + + if (image == (Image *) NULL) + { +- DestroyImageList(previous); + CloseBlob(previous); ++ DestroyImageList(previous); + MngInfoFreeStruct(mng_info,&have_mng_structure); + return((Image *) NULL); + } diff --git a/community/graphicsmagick/CVE-2017-14165.patch b/community/graphicsmagick/CVE-2017-14165.patch new file mode 100644 index 0000000000..67e6ef807e --- /dev/null +++ b/community/graphicsmagick/CVE-2017-14165.patch @@ -0,0 +1,68 @@ + +# HG changeset patch +# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> +# Date 1503257388 18000 +# Node ID 493da54370aa42cb430c52a69eb75db0001a5589 +# Parent f8724674907902b7bc37c04f252fe30fbdd88e6f +SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions. + +diff -r f87246749079 -r 493da54370aa coders/sun.c +--- a/coders/sun.c Sun Aug 20 12:21:03 2017 +0200 ++++ b/coders/sun.c Sun Aug 20 14:29:48 2017 -0500 +@@ -498,6 +498,12 @@ + if (sun_info.depth < 8) + image->depth=sun_info.depth; + ++ if (image_info->ping) ++ { ++ CloseBlob(image); ++ return(image); ++ } ++ + /* + Compute bytes per line and bytes per image for an unencoded + image. +@@ -522,15 +528,37 @@ + if (bytes_per_image > sun_info.length) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); + +- if (image_info->ping) +- { +- CloseBlob(image); +- return(image); +- } + if (sun_info.type == RT_ENCODED) + sun_data_length=(size_t) sun_info.length; + else + sun_data_length=bytes_per_image; ++ ++ /* ++ Verify that data length claimed by header is supported by file size ++ */ ++ if (sun_info.type == RT_ENCODED) ++ { ++ if (sun_data_length < bytes_per_image/255U) ++ { ++ ThrowReaderException(CorruptImageError,ImproperImageHeader,image); ++ } ++ } ++ if (BlobIsSeekable(image)) ++ { ++ const magick_off_t file_size = GetBlobSize(image); ++ const magick_off_t current_offset = TellBlob(image); ++ if ((file_size > 0) && ++ (current_offset > 0) && ++ (file_size > current_offset)) ++ { ++ const magick_off_t remaining = file_size-current_offset; ++ if (remaining < (magick_off_t) sun_data_length) ++ { ++ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); ++ } ++ } ++ } ++ + sun_data=MagickAllocateMemory(unsigned char *,sun_data_length); + if (sun_data == (unsigned char *) NULL) + ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image); + |