community/graphicsmagick: security fixes (CVE-2017-13065, CVE-2017-13648, CVE-2017-14042, CVE-2017-14103, CVE-2017-14165)

author: Francesco Colista <fcolista@alpinelinux.org> 2017-10-03 08:12:26 +0000
committer: Francesco Colista <fcolista@alpinelinux.org> 2017-10-03 08:12:26 +0000
commit: a3156514cd10b8ec568649e64eb4f1ceb2879c39 (patch)
tree: e9a9cdfd92f65b4cfda0e44616b0653a3fa32fb2 /community/graphicsmagick
parent: 7f29820b2245b38b761bebe248ccc12e474ef6cb (diff)
download: aports-a3156514cd10b8ec568649e64eb4f1ceb2879c39.tar.bz2
aports-a3156514cd10b8ec568649e64eb4f1ceb2879c39.tar.xz
6 files changed, 325 insertions, 5 deletions
diff --git a/community/graphicsmagick/APKBUILD b/community/graphicsmagick/APKBUILD
index a04220609b..14788a2351 100644
--- a/community/graphicsmagick/APKBUILD
+++ b/community/graphicsmagick/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=graphicsmagick
 pkgver=1.3.26
-pkgrel=4
+pkgrel=5
 pkgdesc="Image processing system"
 url="http://www.graphicsmagick.org/"
 arch="all"
@@ -15,13 +15,24 @@ source="http://downloads.sourceforge.net/$pkgname/$pkgname/$pkgver/GraphicsMagic
 	CVE-2017-12935.patch
 	CVE-2017-12936.patch
 	CVE-2017-12937.patch
-	CVE-2017-13063-13064.patch
+	CVE-2017-13063-13064-13065.patch
+	CVE-2017-13648.patch
 	CVE-2017-13775.patch
-	CVE-2017-13776-13777.patch"
+	CVE-2017-13776-13777.patch
+	CVE-2017-14103.patch
+	CVE-2017-14042.patch
+	CVE-2017-14165.patch"
 options="libtool !check"
 builddir="$srcdir"/GraphicsMagick-$pkgver
 
 # security fixes:
+#   1.3.26-r5:
+#     - CVE-2017-13065
+#     - CVE-2017-13648
+#     - CVE-2017-14042
+#     - CVE-2017-14103
+#     - CVE-2017-14165
+
 #   1.3.26-r3:
 #     - CVE-2017-13775
 #     - CVE-2017-13776
@@ -68,6 +79,10 @@ f9167ad79f54fc3881d81b9b5cb5b84f38e847103c6945af4fda516d6696ff8e95ec48cbae84161f
 2cb2ee3f88a835dff63c903bd215abb09c1812fedecbbb19c228fd2680c5762c6a20e6be1497c0fc3ed7a9b16eac6e7fe7f0fc9da4f6ef3e90fe75a049085ca7  CVE-2017-12935.patch
 b78b61d7b29c2316ecefe69c473b1aa1e93185e0da245f7cf2d351566ff737bce8e560e9b471334549e4ab76bc8752717f403e7afa9d393bdd64e191f8abbb9c  CVE-2017-12936.patch
 508ceee0aa73744e9b36c6e60b071d4dc4a5254b4d5265c4ee2bde317713b831db8958667fac44aa1e89b3cc8094027cade368f10f7f5f3d1a2980c2a70d516d  CVE-2017-12937.patch
-262434bab04541c276728111c9ec5d92abbb68e980813a50712d03505f3d3c4681b4daf02fd22e4ba11ed0daf5b553e4a47291c43f4c146554f1809292b73441  CVE-2017-13063-13064.patch
+262434bab04541c276728111c9ec5d92abbb68e980813a50712d03505f3d3c4681b4daf02fd22e4ba11ed0daf5b553e4a47291c43f4c146554f1809292b73441  CVE-2017-13063-13064-13065.patch
+01cebf614e38f4a80dea508ac03f9a6bba9113fba0bcf66cd6808257ba18957e54e21d728c6c6f201513682696939cde5a29791e42d8eae4bbbca2a787543ecd  CVE-2017-13648.patch
 b15d1c71a4f7e15cbc6a6a83590c99dfaf20d25f08e07a1ea8ff08f9e0f92d55da3a0afc86a259f88cae01ec0fa21c9b555a9085aae24f4bf3d36c48b29d56e5  CVE-2017-13775.patch
-f23c5e7d8e5c9e670ceb27b7e027910f181107033ec86538ce9778a2d37c29964008d5d8774bf59d4b45126b36630d73dc460636bfc55ab72ca64eefaae1768e  CVE-2017-13776-13777.patch"
+f23c5e7d8e5c9e670ceb27b7e027910f181107033ec86538ce9778a2d37c29964008d5d8774bf59d4b45126b36630d73dc460636bfc55ab72ca64eefaae1768e  CVE-2017-13776-13777.patch
+7abbd2edcd3dc029b359ad19e0f9eb406805ee4d5d4847f36f3709e0ed43164c20105b3fae7ef22a8dc2c89804f708ba41e7f800cfe5d2bf47dfbb19683978ef  CVE-2017-14103.patch
+d19741e0e6ae181ab74f0a5a9b8fc72b69eb4107bb34573a34d6e701622dffe73e3d723dd512ba24aae9ca321897a91e0715c74617aa74500deac867c6bbe852  CVE-2017-14042.patch
+91df1ec37345fe054f190dc1a0fef759380502b9a211bd61a1c48f7efcebbbf31a6abc8e64c7e3180af559800defdde03e4cfa14c6bf42afb8e5a1088ad44cb9  CVE-2017-14165.patch"
diff --git a/community/graphicsmagick/CVE-2017-13063-13064.patch b/community/graphicsmagick/CVE-2017-13063-13064-13065.patch
index ce35e0623c..ce35e0623c 100644
--- a/community/graphicsmagick/CVE-2017-13063-13064.patch
+++ b/community/graphicsmagick/CVE-2017-13063-13064-13065.patch
diff --git a/community/graphicsmagick/CVE-2017-13648.patch b/community/graphicsmagick/CVE-2017-13648.patch
new file mode 100644
index 0000000000..f27c313ce1
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-13648.patch
@@ -0,0 +1,23 @@
+
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1505397055 18000
+# Node ID a0e598438aa970f237fa9b35edce0728cc144f29
+# Parent  cadd4b0522fa8b6b6e8ea6a5a9b4a5baebc1b011
+MAT: Fix under-sized allocation leading to heap overflow.
+
+diff -r cadd4b0522fa -r a0e598438aa9 coders/mat.c
+--- a/coders/mat.c	Wed Sep 13 10:28:42 2017 -0400
++++ b/coders/mat.c	Thu Sep 14 08:50:55 2017 -0500
+@@ -1050,9 +1050,10 @@
+     }  
+ 
+   /* ----- Load raster data ----- */
+-    BImgBuff = MagickAllocateMemory(unsigned char *,(size_t) (ldblk));    /* Ldblk was set in the check phase */
++    BImgBuff = MagickAllocateArray(unsigned char *,(size_t) (ldblk),sizeof(double));    /* Ldblk was set in the check phase */
+     if (BImgBuff == NULL)
+       goto NoMemory;
++    (void) memset(BImgBuff,0,ldblk*sizeof(double));
+ 
+     if (CellType==miDOUBLE)        /* Find Min and Max Values for floats */
+     {
diff --git a/community/graphicsmagick/CVE-2017-14042.patch b/community/graphicsmagick/CVE-2017-14042.patch
new file mode 100644
index 0000000000..524632a1ed
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-14042.patch
@@ -0,0 +1,77 @@
+
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1503268616 18000
+# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072
+# Parent  83a5b946180835f260bcb91e3d06327a8e2577e3
+PNM: For binary formats, verify sufficient backing file data before memory request.
+
+diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c
+--- a/coders/pnm.c	Sun Aug 20 17:31:35 2017 -0500
++++ b/coders/pnm.c	Sun Aug 20 17:36:56 2017 -0500
+@@ -569,7 +569,7 @@
+           (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u",
+                                 image->colors);
+         }
+-      number_pixels=image->columns*image->rows;
++      number_pixels=MagickArraySize(image->columns,image->rows);
+       if (number_pixels == 0)
+         ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image);
+       if (image->storage_class == PseudoClass)
+@@ -858,14 +858,14 @@
+ 		if (1 == bits_per_sample)
+ 		  {
+ 		    /* PBM */
+-		    bytes_per_row=((image->columns+7) >> 3);
++		    bytes_per_row=((image->columns+7U) >> 3);
+ 		    import_options.grayscale_miniswhite=MagickTrue;
+ 		    quantum_type=GrayQuantum;
+ 		  }
+ 		else
+ 		  {
+ 		    /* PGM & XV_332 */
+-		    bytes_per_row=((bits_per_sample+7)/8)*image->columns;
++		    bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns);
+ 		    if (XV_332_Format == format)
+ 		      {
+ 			quantum_type=IndexQuantum;
+@@ -878,7 +878,8 @@
+ 	      }
+ 	    else
+ 	      {
+-		bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns;
++		bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel),
++                                              image->columns);
+ 		if (3 == samples_per_pixel)
+ 		  {
+ 		    /* PPM */
+@@ -915,6 +916,28 @@
+ 		    is_monochrome=MagickFalse;
+ 		  }
+ 	      }
++
++            /* Validate file size before allocating memory */
++            if (BlobIsSeekable(image))
++              {
++                const magick_off_t file_size = GetBlobSize(image);
++                const magick_off_t current_offset = TellBlob(image);
++                if ((file_size > 0) &&
++                    (current_offset > 0) &&
++                    (file_size > current_offset))
++                  {
++                    const magick_off_t remaining = file_size-current_offset;
++                    const magick_off_t needed = (magick_off_t) image->rows *
++                      (magick_off_t) bytes_per_row;
++                    if ((remaining < (magick_off_t) bytes_per_row) ||
++                        (remaining < needed))
++                      {
++                        ThrowException(exception,CorruptImageError,UnexpectedEndOfFile,
++                                       image->filename);
++                        break;
++                      }
++                  }
++              }
+         
+             scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1);
+             if (scanline_set == (ThreadViewDataSet *) NULL)
+
diff --git a/community/graphicsmagick/CVE-2017-14103.patch b/community/graphicsmagick/CVE-2017-14103.patch
new file mode 100644
index 0000000000..dbcaea1343
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-14103.patch
@@ -0,0 +1,137 @@
+http://www.openwall.com/lists/oss-security/2017/09/01/6
+
+CVE-2017-11403:
+http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37
+
+CVE-2017-14103:
+http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f
+
+some changes were made to make the patch apply
+
+# HG changeset patch
+# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
+# Date 1503875721 14400
+# Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2
+# Parent  f0f2ea85a2930f3b6dcd72352719adb9660f2aad
+Attempt to fix Issue 440.
+
+diff -ru a/coders/png.c b/coders/png.c
+--- a/coders/png.c	1969-12-31 19:00:00.000000000 -0500
++++ b/coders/png.c	2017-09-10 11:31:56.543194173 -0400
+@@ -3106,7 +3106,9 @@
+       if (length > PNG_MAX_UINT || count == 0)
+         {
+           DestroyJNGInfo(color_image_info,alpha_image_info);
+-          ThrowReaderException(CorruptImageError,CorruptImage,image);
++          (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++              "chunk length (%lu) > PNG_MAX_UINT",length);
++          return ((Image*)NULL);
+         }
+
+       chunk=(unsigned char *) NULL;
+@@ -3117,13 +3119,16 @@
+           if (chunk == (unsigned char *) NULL)
+             {
+               DestroyJNGInfo(color_image_info,alpha_image_info);
+-              ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+-                                   image);
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                  "    Could not allocate chunk memory");
++              return ((Image*)NULL);
+             }
+           if (ReadBlob(image,length,chunk) < length)
+             {
+               DestroyJNGInfo(color_image_info,alpha_image_info);
+-              ThrowReaderException(CorruptImageError,CorruptImage,image);
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                  "    chunk reading was incomplete");
++              return ((Image*)NULL);
+             }
+           p=chunk;
+         }
+@@ -3198,7 +3203,7 @@
+                   jng_width, jng_height);
+               MagickFreeMemory(chunk);
+               DestroyJNGInfo(color_image_info,alpha_image_info);
+-              ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
++              return ((Image *)NULL);
+             }
+
+           /* Temporarily set width and height resources to match JHDR */
+@@ -3233,8 +3238,9 @@
+           if (color_image == (Image *) NULL)
+             {
+               DestroyJNGInfo(color_image_info,alpha_image_info);
+-              ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+-                                   image);
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                  "    could not open color_image blob");
++              return ((Image *)NULL);
+             }
+           if (logging)
+             (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+@@ -3245,7 +3251,9 @@
+           if (status == MagickFalse)
+             {
+               DestroyJNGInfo(color_image_info,alpha_image_info);
+-              ThrowReaderException(CoderError,UnableToOpenBlob,color_image);
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                  "    could not open color_image blob");
++              return ((Image *)NULL);
+             }
+
+           if (!image_info->ping && jng_color_type >= 12)
+@@ -3255,17 +3263,18 @@
+               if (alpha_image_info == (ImageInfo *) NULL)
+                 {
+                   DestroyJNGInfo(color_image_info,alpha_image_info);
+-                  ThrowReaderException(ResourceLimitError,
+-                                       MemoryAllocationFailed, image);
++                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                      "    could not allocate alpha_image_info",length);
++                  return ((Image *)NULL);
+                 }
+               GetImageInfo(alpha_image_info);
+               alpha_image=AllocateImage(alpha_image_info);
+               if (alpha_image == (Image *) NULL)
+                 {
+                   DestroyJNGInfo(color_image_info,alpha_image_info);
+-                  ThrowReaderException(ResourceLimitError,
+-                                       MemoryAllocationFailed,
+-                                       alpha_image);
++                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                      "    could not allocate alpha_image");
++                  return ((Image *)NULL);
+                 }
+               if (logging)
+                 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+@@ -3277,7 +3286,9 @@
+                 {
+                   DestroyJNGInfo(color_image_info,alpha_image_info);
+                   DestroyImage(alpha_image);
+-                  ThrowReaderException(CoderError,UnableToOpenBlob,image);
++                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                      "    could not allocate alpha_image blob");
++                  return ((Image *)NULL);
+                 }
+               if (jng_alpha_compression_method == 0)
+                 {
+@@ -3613,6 +3624,8 @@
+               alpha_image = (Image *)NULL;
+               DestroyImageInfo(alpha_image_info);
+               alpha_image_info = (ImageInfo *)NULL;
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                  " Destroy the JNG image");
+               DestroyImage(jng_image);
+               jng_image = (Image *)NULL;
+             }
+@@ -5146,8 +5159,8 @@
+
+       if (image == (Image *) NULL)
+         {
+-          DestroyImageList(previous);
+           CloseBlob(previous);
++          DestroyImageList(previous);
+           MngInfoFreeStruct(mng_info,&have_mng_structure);
+           return((Image *) NULL);
+         }
diff --git a/community/graphicsmagick/CVE-2017-14165.patch b/community/graphicsmagick/CVE-2017-14165.patch
new file mode 100644
index 0000000000..67e6ef807e
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-14165.patch
@@ -0,0 +1,68 @@
+
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1503257388 18000
+# Node ID 493da54370aa42cb430c52a69eb75db0001a5589
+# Parent  f8724674907902b7bc37c04f252fe30fbdd88e6f
+SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions.
+
+diff -r f87246749079 -r 493da54370aa coders/sun.c
+--- a/coders/sun.c	Sun Aug 20 12:21:03 2017 +0200
++++ b/coders/sun.c	Sun Aug 20 14:29:48 2017 -0500
+@@ -498,6 +498,12 @@
+     if (sun_info.depth < 8)
+       image->depth=sun_info.depth;
+ 
++    if (image_info->ping)
++      {
++        CloseBlob(image);
++        return(image);
++      }
++
+     /*
+       Compute bytes per line and bytes per image for an unencoded
+       image.
+@@ -522,15 +528,37 @@
+       if (bytes_per_image > sun_info.length)
+         ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+ 
+-    if (image_info->ping)
+-      {
+-        CloseBlob(image);
+-        return(image);
+-      }
+     if (sun_info.type == RT_ENCODED)
+       sun_data_length=(size_t) sun_info.length;
+     else
+       sun_data_length=bytes_per_image;
++
++    /*
++      Verify that data length claimed by header is supported by file size
++    */
++    if (sun_info.type == RT_ENCODED)
++      {
++        if (sun_data_length < bytes_per_image/255U)
++          {
++            ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
++          }
++      }
++    if (BlobIsSeekable(image))
++      {
++        const magick_off_t file_size = GetBlobSize(image);
++        const magick_off_t current_offset = TellBlob(image);
++        if ((file_size > 0) &&
++            (current_offset > 0) &&
++            (file_size > current_offset))
++        {
++          const magick_off_t remaining = file_size-current_offset;
++          if (remaining < (magick_off_t) sun_data_length)
++            {
++              ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
++            }
++        }
++      }
++
+     sun_data=MagickAllocateMemory(unsigned char *,sun_data_length);
+     if (sun_data == (unsigned char *) NULL)
+       ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+
author	Francesco Colista <fcolista@alpinelinux.org>	2017-10-03 08:12:26 +0000
committer	Francesco Colista <fcolista@alpinelinux.org>	2017-10-03 08:12:26 +0000
commit	a3156514cd10b8ec568649e64eb4f1ceb2879c39 (patch)
tree	e9a9cdfd92f65b4cfda0e44616b0653a3fa32fb2 /community/graphicsmagick
parent	7f29820b2245b38b761bebe248ccc12e474ef6cb (diff)
download	aports-a3156514cd10b8ec568649e64eb4f1ceb2879c39.tar.bz2 aports-a3156514cd10b8ec568649e64eb4f1ceb2879c39.tar.xz