gnu: graphicsmagick: Fix CVE-2017-{11403,14103}.

* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
* gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Register it.

3 files changed, 140 insertions, 1 deletions

diff --git a/gnu/local.mk b/gnu/local.mk
index 1f55e52bfd..4fefa3b10b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -678,6 +678,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
   %D%/packages/patches/gobject-introspection-cc.patch		\
   %D%/packages/patches/gobject-introspection-girepository.patch	\
+  %D%/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch	\
   %D%/packages/patches/graphicsmagick-CVE-2017-12935.patch	\
   %D%/packages/patches/graphicsmagick-CVE-2017-12936.patch	\
   %D%/packages/patches/graphicsmagick-CVE-2017-12937.patch	\
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 72b4643735..5f3e3ad96d 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -178,7 +178,8 @@ script.")
                (base32
                 "122zgs96dqrys62mnh8x5yvfff6km4d3yrnvaxzg3mg5sprib87v"))
               (patches
-               (search-patches "graphicsmagick-CVE-2017-12935.patch"
+               (search-patches "graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch"
+                               "graphicsmagick-CVE-2017-12935.patch"
                                "graphicsmagick-CVE-2017-12936.patch"
                                "graphicsmagick-CVE-2017-12937.patch"
                                "graphicsmagick-CVE-2017-13775.patch"
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch
new file mode 100644
index 0000000000..dbcaea1343
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch
@@ -0,0 +1,137 @@
+http://www.openwall.com/lists/oss-security/2017/09/01/6
+
+CVE-2017-11403:
+http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37
+
+CVE-2017-14103:
+http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f
+
+some changes were made to make the patch apply
+
+# HG changeset patch
+# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
+# Date 1503875721 14400
+# Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2
+# Parent  f0f2ea85a2930f3b6dcd72352719adb9660f2aad
+Attempt to fix Issue 440.
+
+diff -ru a/coders/png.c b/coders/png.c
+--- a/coders/png.c	1969-12-31 19:00:00.000000000 -0500
++++ b/coders/png.c	2017-09-10 11:31:56.543194173 -0400
+@@ -3106,7 +3106,9 @@
+       if (length > PNG_MAX_UINT || count == 0)
+         {
+           DestroyJNGInfo(color_image_info,alpha_image_info);
+-          ThrowReaderException(CorruptImageError,CorruptImage,image);
++          (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++              "chunk length (%lu) > PNG_MAX_UINT",length);
++          return ((Image*)NULL);
+         }
+
+       chunk=(unsigned char *) NULL;
+@@ -3117,13 +3119,16 @@
+           if (chunk == (unsigned char *) NULL)
+             {
+               DestroyJNGInfo(color_image_info,alpha_image_info);
+-              ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+-                                   image);
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                  "    Could not allocate chunk memory");
++              return ((Image*)NULL);
+             }
+           if (ReadBlob(image,length,chunk) < length)
+             {
+               DestroyJNGInfo(color_image_info,alpha_image_info);
+-              ThrowReaderException(CorruptImageError,CorruptImage,image);
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                  "    chunk reading was incomplete");
++              return ((Image*)NULL);
+             }
+           p=chunk;
+         }
+@@ -3198,7 +3203,7 @@
+                   jng_width, jng_height);
+               MagickFreeMemory(chunk);
+               DestroyJNGInfo(color_image_info,alpha_image_info);
+-              ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
++              return ((Image *)NULL);
+             }
+
+           /* Temporarily set width and height resources to match JHDR */
+@@ -3233,8 +3238,9 @@
+           if (color_image == (Image *) NULL)
+             {
+               DestroyJNGInfo(color_image_info,alpha_image_info);
+-              ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+-                                   image);
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                  "    could not open color_image blob");
++              return ((Image *)NULL);
+             }
+           if (logging)
+             (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+@@ -3245,7 +3251,9 @@
+           if (status == MagickFalse)
+             {
+               DestroyJNGInfo(color_image_info,alpha_image_info);
+-              ThrowReaderException(CoderError,UnableToOpenBlob,color_image);
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                  "    could not open color_image blob");
++              return ((Image *)NULL);
+             }
+
+           if (!image_info->ping && jng_color_type >= 12)
+@@ -3255,17 +3263,18 @@
+               if (alpha_image_info == (ImageInfo *) NULL)
+                 {
+                   DestroyJNGInfo(color_image_info,alpha_image_info);
+-                  ThrowReaderException(ResourceLimitError,
+-                                       MemoryAllocationFailed, image);
++                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                      "    could not allocate alpha_image_info",length);
++                  return ((Image *)NULL);
+                 }
+               GetImageInfo(alpha_image_info);
+               alpha_image=AllocateImage(alpha_image_info);
+               if (alpha_image == (Image *) NULL)
+                 {
+                   DestroyJNGInfo(color_image_info,alpha_image_info);
+-                  ThrowReaderException(ResourceLimitError,
+-                                       MemoryAllocationFailed,
+-                                       alpha_image);
++                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                      "    could not allocate alpha_image");
++                  return ((Image *)NULL);
+                 }
+               if (logging)
+                 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+@@ -3277,7 +3286,9 @@
+                 {
+                   DestroyJNGInfo(color_image_info,alpha_image_info);
+                   DestroyImage(alpha_image);
+-                  ThrowReaderException(CoderError,UnableToOpenBlob,image);
++                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                      "    could not allocate alpha_image blob");
++                  return ((Image *)NULL);
+                 }
+               if (jng_alpha_compression_method == 0)
+                 {
+@@ -3613,6 +3624,8 @@
+               alpha_image = (Image *)NULL;
+               DestroyImageInfo(alpha_image_info);
+               alpha_image_info = (ImageInfo *)NULL;
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                  " Destroy the JNG image");
+               DestroyImage(jng_image);
+               jng_image = (Image *)NULL;
+             }
+@@ -5146,8 +5159,8 @@
+
+       if (image == (Image *) NULL)
+         {
+-          DestroyImageList(previous);
+           CloseBlob(previous);
++          DestroyImageList(previous);
+           MngInfoFreeStruct(mng_info,&have_mng_structure);
+           return((Image *) NULL);
+         }