From 887ce5de6251962b5d71a2d3af7a7f39871cf394 Mon Sep 17 00:00:00 2001 From: Francesco Colista Date: Thu, 24 Aug 2017 08:51:03 +0000 Subject: community/graphicsmagick: security fixes for various CVEs: * CVE-2017-11642 * CVE-2017-11722 * CVE-2017-12935 * CVE-2017-12936 * CVE-2017-12937 * CVE-2017-13063 * CVE-2017-13064 Fixes #7748 --- community/graphicsmagick/APKBUILD | 26 +++++- community/graphicsmagick/CVE-2017-11642.patch | 43 ++++++++++ community/graphicsmagick/CVE-2017-11722.patch | 33 ++++++++ community/graphicsmagick/CVE-2017-12935.patch | 35 ++++++++ community/graphicsmagick/CVE-2017-12936.patch | 23 ++++++ community/graphicsmagick/CVE-2017-12937.patch | 34 ++++++++ .../graphicsmagick/CVE-2017-13063-13064.patch | 96 ++++++++++++++++++++++ 7 files changed, 286 insertions(+), 4 deletions(-) create mode 100644 community/graphicsmagick/CVE-2017-11642.patch create mode 100644 community/graphicsmagick/CVE-2017-11722.patch create mode 100644 community/graphicsmagick/CVE-2017-12935.patch create mode 100644 community/graphicsmagick/CVE-2017-12936.patch create mode 100644 community/graphicsmagick/CVE-2017-12937.patch create mode 100644 community/graphicsmagick/CVE-2017-13063-13064.patch diff --git a/community/graphicsmagick/APKBUILD b/community/graphicsmagick/APKBUILD index cda8a6fdd3..778e0cbb0f 100644 --- a/community/graphicsmagick/APKBUILD +++ b/community/graphicsmagick/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Francesco Colista pkgname=graphicsmagick pkgver=1.3.26 -pkgrel=1 +pkgrel=2 pkgdesc="Image processing system" url="http://www.graphicsmagick.org/" arch="all" 
@@ -13,13 +13,26 @@ makedepends="$depends_dev libtool libltdl" install="" subpackages="$pkgname-dev $pkgname-doc" source="http://downloads.sourceforge.net/$pkgname/$pkgname/$pkgver/GraphicsMagick-$pkgver.tar.xz - CVE-2017-11403.patch" + CVE-2017-11642.patch + CVE-2017-11722.patch + CVE-2017-12935.patch + CVE-2017-12936.patch + CVE-2017-12937.patch + CVE-2017-13063-13064.patch" options="libtool" builddir="$srcdir"/GraphicsMagick-$pkgver # security fixes: -# 1.3.26-r1: +# 1.3.26-r2: +# - CVE-2017-11642 +# - CVE-2017-11722 +# - CVE-2017-12935 +# - CVE-2017-12936 +# - CVE-2017-12937 +# - CVE-2017-13063 +# - CVE-2017-13064 +# 1.3.25-r2: # - CVE-2017-11403 build() { @@ -48,4 +61,9 @@ package() { } sha512sums="b33ca0f1c858428693aee27a9089acff9e63d1110f85fa036894cfefe6274e7b2422758ea39852f94fdb4823c9c3f3c44b0d8906627503301f5928096f739f22 GraphicsMagick-1.3.26.tar.xz -00cb425b9cb6cc0c7b92a6c795150222edf2d16d513f4d4c803ff15cfb1917e81c6854109aee0ca845d3668e515cec06c4067155f82a9ea0abde30f6bbd1e8c2 CVE-2017-11403.patch" +1706f87cfa248bf08f2e7038ec2d3adf4ad0b9775a8787a48bb168d9bd04578e3ac01dcd384d4d961903dd738f748601619c0999b2a4b4b775e1b72489220336 CVE-2017-11642.patch +f9167ad79f54fc3881d81b9b5cb5b84f38e847103c6945af4fda516d6696ff8e95ec48cbae84161f3dbedca48cf1f3a2afbb0831b54c32363d263c0c1ad5d595 CVE-2017-11722.patch +2cb2ee3f88a835dff63c903bd215abb09c1812fedecbbb19c228fd2680c5762c6a20e6be1497c0fc3ed7a9b16eac6e7fe7f0fc9da4f6ef3e90fe75a049085ca7 CVE-2017-12935.patch +b78b61d7b29c2316ecefe69c473b1aa1e93185e0da245f7cf2d351566ff737bce8e560e9b471334549e4ab76bc8752717f403e7afa9d393bdd64e191f8abbb9c CVE-2017-12936.patch +508ceee0aa73744e9b36c6e60b071d4dc4a5254b4d5265c4ee2bde317713b831db8958667fac44aa1e89b3cc8094027cade368f10f7f5f3d1a2980c2a70d516d CVE-2017-12937.patch +262434bab04541c276728111c9ec5d92abbb68e980813a50712d03505f3d3c4681b4daf02fd22e4ba11ed0daf5b553e4a47291c43f4c146554f1809292b73441 CVE-2017-13063-13064.patch" 
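Review bot: `CVE-2017-11403.patch` is no longer applied after this change: the `source=` list in this hunk drops it and the `sha512sums` hunk drops its checksum, while the commit message mentions only the seven added CVEs. Since `pkgver` stays at 1.3.26, confirm that the upstream tarball already carries that fix; if it does not, keep the `CVE-2017-11403.patch` line in both lists. The secfixes comment also moves CVE-2017-11403 from `1.3.26-r1` to `1.3.25-r2`, which changes the release at which anything reading this block would consider the CVE fixed; keep the original label unless the fix really shipped in that earlier release. The diffstat shows no deletion of the patch file itself, so an unreferenced file would be left in the package directory.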
diff --git a/community/graphicsmagick/CVE-2017-11642.patch b/community/graphicsmagick/CVE-2017-11642.patch
new file mode 100644
index 0000000000..144ed78e7e
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-11642.patch
@@ -0,0 +1,43 @@
+
+# HG changeset patch
+# User Bob Friesenhahn
+# Date 1500758975 18000
+# Node ID 29550606d8b9bf74f9aea0637d11d19fe706871b
+# Parent 30cd2b31f7e045de4861b102e3f8d83db579bc7a
+MAP: Fix null pointer dereference or SEGV if input is not colormapped.
+
+diff -r 30cd2b31f7e0 -r 29550606d8b9 coders/map.c
+--- a/coders/map.c Sat Jul 22 15:40:00 2017 -0500
++++ b/coders/map.c Sat Jul 22 16:29:35 2017 -0500
+@@ -18,7 +18,7 @@
+ % M M A A P %
+ % %
+ % %
+-% Read/Write Image Colormaps As An Image File %
++% Read/Write Image Colormaps And Image File %
+ % %
+ % %
+ % Software Design %
+@@ -349,16 +349,17 @@
+ /*
+ Allocate colormap.
+ */
+- if (!IsPaletteImage(image,&image->exception))
+- (void) SetImageType(image,PaletteType);
++ if (SetImageType(image,PaletteType) == MagickFail)
++ ThrowMAPWriterException(ResourceLimitError,MemoryAllocationFailed,image);
+ packet_size=image->depth > 8 ? 2 : 1;
+- pixels=MagickAllocateMemory(unsigned char *,image->columns*packet_size);
++ pixels=MagickAllocateArray(unsigned char *,image->columns,packet_size);
+ if (pixels == (unsigned char *) NULL)
+ ThrowMAPWriterException(ResourceLimitError,MemoryAllocationFailed,image);
+ packet_size=image->colors > 256 ? 6 : 3;
+- colormap=MagickAllocateMemory(unsigned char *,packet_size*image->colors);
++ colormap=MagickAllocateArray(unsigned char *,packet_size,image->colors);
+ if (colormap == (unsigned char *) NULL)
+ ThrowMAPWriterException(ResourceLimitError,MemoryAllocationFailed,image);
++
+ /*
+ Write colormap to file.
+ */
+
diff --git a/community/graphicsmagick/CVE-2017-11722.patch b/community/graphicsmagick/CVE-2017-11722.patch
new file mode 100644
index 0000000000..f1ce0ad73f
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-11722.patch
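Review bot: A failed `SetImageType()` is reported at the new check as `ResourceLimitError`/`MemoryAllocationFailed`, which will mislead triage if the conversion can fail for reasons other than memory; SetImageType is defined outside the hunk, so the code should be chosen to match its actual failure modes. The block comment `Allocate colormap.` now sits above the palette conversion rather than an allocation, and nothing records why the conversion became unconditional. Going by the changeset description, a comment such as `/* Always force PaletteType: non-colormapped input has no colormap for the writer below to read. */` would keep a later cleanup from restoring the `IsPaletteImage()` shortcut. The writer function starts and ends outside the hunk.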
@@ -0,0 +1,33 @@
+
+# HG changeset patch
+# User Glenn Randers-Pehrson
+# Date 1501028322 14400
+# Node ID f423ba88ca4ed01b7143520a7e00c360049aa823
+# Parent d1e56efb0162a836707d41182d6d658d1cad49e6
+coders/png.c: Fixed writer bug due to missing brackets
+
+diff -r d1e56efb0162 -r f423ba88ca4e coders/png.c
+--- a/coders/png.c Tue Jul 25 19:38:39 2017 -0400
++++ b/coders/png.c Tue Jul 25 20:18:42 2017 -0400
+@@ -7125,12 +7125,14 @@
+ png_error(ping, "Could not allocate trans_alpha");
+
+ for (i=0; i<(int) number_colors; i++)
+- if (trans_alpha[i] == 256)
+- ping_trans_alpha[i]=255;
+- else
+- ping_trans_alpha[i]=(png_byte) trans_alpha[i];
+- (void) LogMagickEvent(CoderEvent, GetMagickModule(),
+- " Alpha[%d]=%d",(int) i, (int) trans_alpha[i]);
++ {
++ if (trans_alpha[i] == 256)
++ ping_trans_alpha[i]=255;
++ else
++ ping_trans_alpha[i]=(png_byte) trans_alpha[i];
++ (void) LogMagickEvent(CoderEvent, GetMagickModule(),
++ " Alpha[%d]=%d",(int) i, (int) trans_alpha[i]);
++ }
+ }
+ }
+
+
diff --git a/community/graphicsmagick/CVE-2017-12935.patch b/community/graphicsmagick/CVE-2017-12935.patch
new file mode 100644
index 0000000000..650c28d3df
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-12935.patch
@@ -0,0 +1,35 @@
+
+# HG changeset patch
+# User Glenn Randers-Pehrson
+# Date 1501123201 14400
+# Node ID cd699a44f188acf23493c969ef2d3f9fa7c8f8df
+# Parent be898b7c97bd855fc6fa0cef983faae916bd0c93
+Reject MNG with too-large dimensions (over 65535)
+
+diff -r be898b7c97bd -r cd699a44f188 coders/png.c
+--- a/coders/png.c Wed Jul 26 19:47:56 2017 -0500
++++ b/coders/png.c Wed Jul 26 22:40:01 2017 -0400
+@@ -4084,11 +4084,17 @@
+ mng_info->image=image;
+ }
+
+- if ((mng_info->mng_width > 65535L) || (mng_info->mng_height
+- > 65535L))
+- (void) ThrowException(&image->exception,ImageError,
+- WidthOrHeightExceedsLimit,
+- image->filename);
++ if ((mng_info->mng_width > 65535L) ||
++ (mng_info->mng_height > 65535L))
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " MNG width or height is too large: %lu, %lu",
++ mng_info->mng_width,mng_info->mng_height);
++ MagickFreeMemory(chunk);
++ ThrowReaderException(CorruptImageError,
++ ImproperImageHeader,image);
++ }
++
+ FormatString(page_geometry,"%lux%lu+0+0",mng_info->mng_width,
+ mng_info->mng_height);
+ mng_info->frame.left=0;
+
diff --git a/community/graphicsmagick/CVE-2017-12936.patch b/community/graphicsmagick/CVE-2017-12936.patch
new file mode 100644
index 0000000000..37a4e6be9c
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-12936.patch
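Review bot: The new rejection path releases only `chunk` before `ThrowReaderException` leaves the function, so anything else allocated earlier in this reader (outside the hunk) depends on that macro or on the caller for cleanup. Please confirm who owns that cleanup and record it at the exit, for example `/* chunk is the only buffer owned here; mng_info is released by the caller */` if that is indeed the case. The check bounds only the upper end, and `page_geometry` is formatted from the same two fields immediately afterwards, so it is worth verifying that zero dimensions are rejected somewhere else. The enclosing function starts and ends outside the hunk.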
@@ -0,0 +1,23 @@
+
+# HG changeset patch
+# User Bob Friesenhahn
+# Date 1501116476 18000
+# Node ID be898b7c97bd855fc6fa0cef983faae916bd0c93
+# Parent 6a632982c866f36dbad87e4ab953e08a290eaa8b
+WMF: Eliminate use of already freed heap data in error reporting path.
+
+diff -r 6a632982c866 -r be898b7c97bd coders/wmf.c
+--- a/coders/wmf.c Tue Jul 25 20:11:16 2017 -0500
++++ b/coders/wmf.c Wed Jul 26 19:47:56 2017 -0500
+@@ -2719,8 +2719,8 @@
+ if(image->exception.severity != UndefinedException)
+ ThrowException2(exception,
+ CoderWarning,
+- ddata->image->exception.reason,
+- ddata->image->exception.description);
++ image->exception.reason,
++ image->exception.description);
+
+ if(logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),"leave ReadWMFImage()");
+
diff --git a/community/graphicsmagick/CVE-2017-12937.patch b/community/graphicsmagick/CVE-2017-12937.patch
new file mode 100644
index 0000000000..ee78a0ecda
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-12937.patch
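Review bot: Nothing at the changed call says why `ddata->image` must not be read here, so a later edit could reintroduce the stale access; per the changeset description the old operands pointed into heap data that had already been freed. A comment above the call such as `/* ddata is no longer valid here; take the exception from image, never through ddata */` would record that. Separately, the surrounding context re-raises whatever severity `image->exception` holds as `CoderWarning`, which may under-report an error; that predates this change but is part of the same statement. ReadWMFImage starts outside the hunk.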
@@ -0,0 +1,34 @@
+
+# HG changeset patch
+# User Bob Friesenhahn
+# Date 1501555785 18000
+# Node ID 95d00d55e978dec3e1bb4c288dbc210b5cc8bea1
+# Parent 921a31d31ea85405b54771941e195782e50e589d
+SUN: Fix heap read overflow while indexing colormap in bilevel decoder
+
+diff -r 921a31d31ea8 -r 95d00d55e978 coders/sun.c
+--- a/coders/sun.c Mon Jul 31 09:35:26 2017 -0400
++++ b/coders/sun.c Mon Jul 31 21:49:45 2017 -0500
+@@ -1,5 +1,5 @@
+ /*
+-% Copyright (C) 2003-2015 GraphicsMagick Group
++% Copyright (C) 2003-2017 GraphicsMagick Group
+ % Copyright (C) 2002 ImageMagick Studio
+ % Copyright 1991-1999 E. I. du Pont de Nemours and Company
+ %
+@@ -577,6 +577,7 @@
+ for (bit=7; bit >= 0; bit--)
+ {
+ index=((*p) & (0x01 << bit) ? 0x01 : 0x00);
++ VerifyColormapIndex(image,index);
+ indexes[x+7-bit]=index;
+ q[x+7-bit]=image->colormap[index];
+ }
+@@ -587,6 +588,7 @@
+ for (bit=7; bit >= (long) (8-(image->columns % 8)); bit--)
+ {
+ index=((*p) & (0x01 << bit) ? 0x01 : 0x00);
++ VerifyColormapIndex(image,index);
+ indexes[x+7-bit]=index;
+ q[x+7-bit]=image->colormap[index];
+ }
diff --git a/community/graphicsmagick/CVE-2017-13063-13064.patch b/community/graphicsmagick/CVE-2017-13063-13064.patch
new file mode 100644
index 0000000000..ce35e0623c
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-13063-13064.patch
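Review bot: `VerifyColormapIndex(image,index)` is now evaluated for every bit in both inner loops, although `index` can only be 0 or 1 at these two sites. If the decoder can establish once, before the row loops (outside the hunks), that the colormap holds at least two entries, a malformed file is rejected a single time instead of being handled per pixel. How the macro reacts to an out-of-range index, and what it does when the colormap is empty, is defined outside this patch and should be checked. A one-line comment at each call, e.g. `/* bilevel data can reference entry 1 of a shorter colormap */`, would explain why a 1-bit index needs validating.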
@@ -0,0 +1,96 @@
+# HG changeset patch
+# User Bob Friesenhahn
+# Date 1502890099 18000
+# Node ID 54f48ab2d52a2a4af99781057075d8ea9744a649
+# Parent 4970ea920a9388d6f08be1b35d58ef5efded4908
+SVG: Fix buffer-overflow and inconsistent behavior in GetStyleTokens().
+
+diff -r 4970ea920a93 -r 54f48ab2d52a coders/svg.c
+--- a/coders/svg.c Tue Aug 15 08:05:00 2017 -0500
++++ b/coders/svg.c Wed Aug 16 08:28:19 2017 -0500
+@@ -267,11 +267,12 @@
+ char
+ **tokens;
+
+- register const char
++ const char
+ *p,
+ *q;
+
+- register size_t
++ size_t
++ alloc_tokens,
+ i;
+
+ SVGInfo
+@@ -279,21 +280,27 @@
+
+ svg_info=(SVGInfo *) context;
+ *number_tokens=0;
++ alloc_tokens=0;
+ if (text == (const char *) NULL)
+ return((char **) NULL);
+ /*
+ Determine the number of arguments.
++
++ style="fill: red; stroke: blue; stroke-width: 3"
+ */
+ for (p=text; *p != '\0'; p++)
+ if (*p == ':')
+- (*number_tokens)+=2;
+- tokens=MagickAllocateMemory(char **,(*number_tokens+2)*sizeof(*tokens));
++ alloc_tokens+=2;
++ if (alloc_tokens == 0)
++ return((char **) NULL);
++ tokens=MagickAllocateMemory(char **,(alloc_tokens+2)*sizeof(*tokens));
+ if (tokens == (char **) NULL)
+ {
+ ThrowException3(svg_info->exception,ResourceLimitError,
+ MemoryAllocationFailed,UnableToConvertStringToTokens);
+ return((char **) NULL);
+ }
++ (void) memset(tokens,0,(alloc_tokens+2)*sizeof(*tokens));
+ /*
+ Convert string to an ASCII list.
+ */
+@@ -304,14 +311,36 @@
+ if ((*q != ':') && (*q != ';') && (*q != '\0'))
+ continue;
+ tokens[i]=AllocateString(p);
++ if (tokens[i] == NULL)
++ {
++ ThrowException3(svg_info->exception,ResourceLimitError,
++ MemoryAllocationFailed,UnableToConvertStringToTokens);
++ break;
++ }
+ (void) strlcpy(tokens[i],p,q-p+1);
+- Strip(tokens[i++]);
++ Strip(tokens[i]);
++ i++;
++ if (i >= alloc_tokens)
++ break;
+ p=q+1;
+ }
+- tokens[i]=AllocateString(p);
+- (void) strlcpy(tokens[i],p,q-p+1);
+- Strip(tokens[i++]);
++ if (i < alloc_tokens)
++ {
++ tokens[i]=AllocateString(p);
++ if (tokens[i] == NULL)
++ {
++ ThrowException3(svg_info->exception,ResourceLimitError,
++ MemoryAllocationFailed,UnableToConvertStringToTokens);
++ }
++ else
++ {
++ (void) strlcpy(tokens[i],p,q-p+1);
++ Strip(tokens[i]);
++ i++;
++ }
++ }
+ tokens[i]=(char *) NULL;
++ *number_tokens=i;
+ return(tokens);
+ }
+
-- cgit v1.2.3
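Review bot: The slot count is derived only from ':' (`alloc_tokens+=2` per colon) while the split loop also cuts at ';', so a style string with more ';' than ':' now stops at `if (i >= alloc_tokens) break;` and returns a silently truncated list whose name/value pairing may be shifted. Counting with the same predicate the splitter uses, e.g. `if ((*p == ':') || (*p == ';')) alloc_tokens++;`, would keep allocation and tokenisation in step, with the existing `+2` covering the final token and the terminator. After the `break` on a failed `AllocateString()`, control falls into the trailing `if (i < alloc_tokens)` block and attempts the same allocation again; returning the partial list at that point would be clearer. The size expression `(alloc_tokens+2)*sizeof(*tokens)` is still an unchecked multiplication, whereas the MAP patch in this same commit moves to `MagickAllocateArray`. The signature and callers of GetStyleTokens are outside the hunk, so how callers treat an odd `*number_tokens` needs checking.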