diff options
Diffstat (limited to 'gnu')
-rw-r--r-- | gnu/local.mk | 9 | ||||
-rw-r--r-- | gnu/packages/imagemagick.scm | 14 | ||||
-rw-r--r-- | gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch | 137 | ||||
-rw-r--r-- | gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch | 28 | ||||
-rw-r--r-- | gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch | 16 | ||||
-rw-r--r-- | gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch | 28 | ||||
-rw-r--r-- | gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch | 195 | ||||
-rw-r--r-- | gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch | 179 | ||||
-rw-r--r-- | gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch | 80 | ||||
-rw-r--r-- | gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch | 72 | ||||
-rw-r--r-- | gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch | 210 |
11 files changed, 2 insertions, 966 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 75065b019d..22f2a8f927 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -704,15 +704,6 @@ dist_patch_DATA = \ %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \ %D%/packages/patches/gobject-introspection-cc.patch \ %D%/packages/patches/gobject-introspection-girepository.patch \ - %D%/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch \ - %D%/packages/patches/graphicsmagick-CVE-2017-12935.patch \ - %D%/packages/patches/graphicsmagick-CVE-2017-12936.patch \ - %D%/packages/patches/graphicsmagick-CVE-2017-12937.patch \ - %D%/packages/patches/graphicsmagick-CVE-2017-13775.patch \ - %D%/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch \ - %D%/packages/patches/graphicsmagick-CVE-2017-14042.patch \ - %D%/packages/patches/graphicsmagick-CVE-2017-14165.patch \ - %D%/packages/patches/graphicsmagick-CVE-2017-14649.patch \ %D%/packages/patches/graphite2-ffloat-store.patch \ %D%/packages/patches/grep-gnulib-lock.patch \ %D%/packages/patches/grep-timing-sensitive-test.patch \ diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm index 42f4a7c92e..ac9fca8600 100644 --- a/gnu/packages/imagemagick.scm +++ b/gnu/packages/imagemagick.scm @@ -164,7 +164,7 @@ script.") (define-public graphicsmagick (package (name "graphicsmagick") - (version "1.3.26") + (version "1.3.27") (source (origin (method url-fetch) (uri @@ -176,17 +176,7 @@ script.") "/GraphicsMagick-" version ".tar.xz"))) (sha256 (base32 - "122zgs96dqrys62mnh8x5yvfff6km4d3yrnvaxzg3mg5sprib87v")) - (patches - (search-patches "graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch" - "graphicsmagick-CVE-2017-12935.patch" - "graphicsmagick-CVE-2017-12936.patch" - "graphicsmagick-CVE-2017-12937.patch" - "graphicsmagick-CVE-2017-13775.patch" - "graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch" - "graphicsmagick-CVE-2017-14042.patch" - "graphicsmagick-CVE-2017-14165.patch" - "graphicsmagick-CVE-2017-14649.patch")))) + "0rq35p3rml10cxz2z4s7xcfsilhhk19mmy094g3ivz0fg797hcnh")))) (build-system gnu-build-system) (arguments `(#:configure-flags diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch deleted file mode 100644 index dbcaea1343..0000000000 --- a/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch +++ /dev/null @@ -1,137 +0,0 @@ -http://www.openwall.com/lists/oss-security/2017/09/01/6 - -CVE-2017-11403: -http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37 - -CVE-2017-14103: -http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f - -some changes were made to make the patch apply - -# HG changeset patch -# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com> -# Date 1503875721 14400 -# Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2 -# Parent f0f2ea85a2930f3b6dcd72352719adb9660f2aad -Attempt to fix Issue 440. - -diff -ru a/coders/png.c b/coders/png.c ---- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500 -+++ b/coders/png.c 2017-09-10 11:31:56.543194173 -0400 -@@ -3106,7 +3106,9 @@ - if (length > PNG_MAX_UINT || count == 0) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(CorruptImageError,CorruptImage,image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "chunk length (%lu) > PNG_MAX_UINT",length); -+ return ((Image*)NULL); - } - - chunk=(unsigned char *) NULL; -@@ -3117,13 +3119,16 @@ - if (chunk == (unsigned char *) NULL) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, -- image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " Could not allocate chunk memory"); -+ return ((Image*)NULL); - } - if (ReadBlob(image,length,chunk) < length) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(CorruptImageError,CorruptImage,image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " chunk reading was incomplete"); -+ return ((Image*)NULL); - } - p=chunk; - } -@@ -3198,7 +3203,7 @@ - jng_width, jng_height); - MagickFreeMemory(chunk); - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(CorruptImageError,ImproperImageHeader,image); -+ return ((Image *)NULL); - } - - /* Temporarily set width and height resources to match JHDR */ -@@ -3233,8 +3238,9 @@ - if (color_image == (Image *) NULL) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, -- image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " could not open color_image blob"); -+ return ((Image *)NULL); - } - if (logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(), -@@ -3245,7 +3251,9 @@ - if (status == MagickFalse) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(CoderError,UnableToOpenBlob,color_image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " could not open color_image blob"); -+ return ((Image *)NULL); - } - - if (!image_info->ping && jng_color_type >= 12) -@@ -3255,17 +3263,18 @@ - if (alpha_image_info == (ImageInfo *) NULL) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(ResourceLimitError, -- MemoryAllocationFailed, image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " could not allocate alpha_image_info",length); -+ return ((Image *)NULL); - } - GetImageInfo(alpha_image_info); - alpha_image=AllocateImage(alpha_image_info); - if (alpha_image == (Image *) NULL) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(ResourceLimitError, -- MemoryAllocationFailed, -- alpha_image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " could not allocate alpha_image"); -+ return ((Image *)NULL); - } - if (logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(), -@@ -3277,7 +3286,9 @@ - { - DestroyJNGInfo(color_image_info,alpha_image_info); - DestroyImage(alpha_image); -- ThrowReaderException(CoderError,UnableToOpenBlob,image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " could not allocate alpha_image blob"); -+ return ((Image *)NULL); - } - if (jng_alpha_compression_method == 0) - { -@@ -3613,6 +3624,8 @@ - alpha_image = (Image *)NULL; - DestroyImageInfo(alpha_image_info); - alpha_image_info = (ImageInfo *)NULL; -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " Destroy the JNG image"); - DestroyImage(jng_image); - jng_image = (Image *)NULL; - } -@@ -5146,8 +5159,8 @@ - - if (image == (Image *) NULL) - { -- DestroyImageList(previous); - CloseBlob(previous); -+ DestroyImageList(previous); - MngInfoFreeStruct(mng_info,&have_mng_structure); - return((Image *) NULL); - } diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch deleted file mode 100644 index 2cb3d46f62..0000000000 --- a/gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch +++ /dev/null @@ -1,28 +0,0 @@ -This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/cd699a44f188. - -diff -ur a/coders/png.c b/coders/png.c ---- a/coders/png.c 2017-07-04 17:32:08.000000000 -0400 -+++ b/coders/png.c 2017-08-19 11:16:20.933969362 -0400 -@@ -4101,11 +4101,17 @@ - mng_info->image=image; - } - -- if ((mng_info->mng_width > 65535L) || (mng_info->mng_height -- > 65535L)) -- (void) ThrowException(&image->exception,ImageError, -- WidthOrHeightExceedsLimit, -- image->filename); -+ if ((mng_info->mng_width > 65535L) || -+ (mng_info->mng_height > 65535L)) -+ { -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " MNG width or height is too large: %lu, %lu", -+ mng_info->mng_width,mng_info->mng_height); -+ MagickFreeMemory(chunk); -+ ThrowReaderException(CorruptImageError, -+ ImproperImageHeader,image); -+ } -+ - FormatString(page_geometry,"%lux%lu+0+0",mng_info->mng_width, - mng_info->mng_height); - mng_info->frame.left=0; diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch deleted file mode 100644 index 7036f37438..0000000000 --- a/gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch +++ /dev/null @@ -1,16 +0,0 @@ -This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/be898b7c97bd. - -diff -ur a/coders/wmf.c b/coders/wmf.c ---- a/coders/wmf.c 2016-09-05 15:20:23.000000000 -0400 -+++ b/coders/wmf.c 2017-08-19 10:38:08.984187264 -0400 -@@ -2719,8 +2719,8 @@ - if(image->exception.severity != UndefinedException) - ThrowException2(exception, - CoderWarning, -- ddata->image->exception.reason, -- ddata->image->exception.description); -+ image->exception.reason, -+ image->exception.description); - - if(logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(),"leave ReadWMFImage()"); diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch deleted file mode 100644 index 71af9ffe59..0000000000 --- a/gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch +++ /dev/null @@ -1,28 +0,0 @@ -This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/95d00d55e978. - -diff -ur a/coders/sun.c b/coders/sun.c ---- a/coders/sun.c 2016-05-30 13:19:54.000000000 -0400 -+++ b/coders/sun.c 2017-08-18 18:00:00.191023610 -0400 -@@ -1,5 +1,5 @@ - /* --% Copyright (C) 2003-2015 GraphicsMagick Group -+% Copyright (C) 2003-2017 GraphicsMagick Group - % Copyright (C) 2002 ImageMagick Studio - % Copyright 1991-1999 E. I. du Pont de Nemours and Company - % -@@ -577,6 +577,7 @@ - for (bit=7; bit >= 0; bit--) - { - index=((*p) & (0x01 << bit) ? 0x01 : 0x00); -+ VerifyColormapIndex(image,index); - indexes[x+7-bit]=index; - q[x+7-bit]=image->colormap[index]; - } -@@ -587,6 +588,7 @@ - for (bit=7; bit >= (long) (8-(image->columns % 8)); bit--) - { - index=((*p) & (0x01 << bit) ? 0x01 : 0x00); -+ VerifyColormapIndex(image,index); - indexes[x+7-bit]=index; - q[x+7-bit]=image->colormap[index]; - } diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch deleted file mode 100644 index 83478c13b3..0000000000 --- a/gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch +++ /dev/null @@ -1,195 +0,0 @@ -http://openwall.com/lists/oss-security/2017/08/31/3 -http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/b037d79b6ccd - -some changes were made to make the patch apply - -# HG changeset patch -# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> -# Date 1503774853 18000 -# Node ID b037d79b6ccd0cfba7ba9ce09b454ed46d688036 -# Parent 198ea602ea7cc767dc3022bbcf887bcd4534158d -JNX: Fix DOS issues - -diff -r 198ea602ea7c -r b037d79b6ccd coders/jnx.c ---- a/coders/jnx.c Tue Aug 22 08:08:30 2017 -0500 -+++ b/coders/jnx.c Sat Aug 26 14:14:13 2017 -0500 -@@ -1,5 +1,5 @@ - /* --% Copyright (C) 2012-2015 GraphicsMagick Group -+% Copyright (C) 2012-2017 GraphicsMagick Group - % - % This program is covered by multiple licenses, which are described in - % Copyright.txt. You should have received a copy of Copyright.txt with this -@@ -100,6 +100,7 @@ - - char img_label_str[MaxTextExtent]; - -+ - alloc_size = TileInfo->PicSize + 2; - - if (image->logging) -@@ -242,6 +243,9 @@ - total_tiles, - current_tile; - -+ magick_off_t -+ file_size; -+ - /* Open image file. */ - assert(image_info != (const ImageInfo *) NULL); - assert(image_info->signature == MagickSignature); -@@ -254,9 +258,8 @@ - if (status == False) - ThrowReaderException(FileOpenError, UnableToOpenFile, image); - -- memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo)); -- - /* Read JNX image header. */ -+ (void) memset(&JNXHeader, 0, sizeof(JNXHeader)); - JNXHeader.Version = ReadBlobLSBLong(image); - if (JNXHeader.Version > 4) - ThrowReaderException(CorruptImageError, ImproperImageHeader, image); -@@ -266,8 +269,6 @@ - JNXHeader.MapBounds.SouthWest.lat = ReadBlobLSBLong(image); - JNXHeader.MapBounds.SouthWest.lon = ReadBlobLSBLong(image); - JNXHeader.Levels = ReadBlobLSBLong(image); -- if (JNXHeader.Levels > 20) -- ThrowReaderException(CorruptImageError, ImproperImageHeader, image); - JNXHeader.Expiration = ReadBlobLSBLong(image); - JNXHeader.ProductID = ReadBlobLSBLong(image); - JNXHeader.CRC = ReadBlobLSBLong(image); -@@ -279,7 +280,41 @@ - if (EOFBlob(image)) - ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); - -+ file_size = GetBlobSize(image); -+ -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "JNX Header:\n" -+ " Version: %u\n" -+ " DeviceSN: %u\n" -+ " MapBounds:\n" -+ " NorthEast: lat = %u, lon = %u\n" -+ " SouthWest: lat = %u, lon = %u\n" -+ " Levels: %u\n" -+ " Expiration: %u\n" -+ " ProductID: %u\n" -+ " CRC: %u\n" -+ " SigVersion: %u\n" -+ " SigOffset: %u\n" -+ " ZOrder: %u", -+ JNXHeader.Version, -+ JNXHeader.DeviceSN, -+ JNXHeader.MapBounds.NorthEast.lat, -+ JNXHeader.MapBounds.NorthEast.lon, -+ JNXHeader.MapBounds.SouthWest.lat, -+ JNXHeader.MapBounds.SouthWest.lon, -+ JNXHeader.Levels, -+ JNXHeader.Expiration, -+ JNXHeader.ProductID, -+ JNXHeader.CRC, -+ JNXHeader.SigVersion, -+ JNXHeader.SigOffset, -+ JNXHeader.ZOrder); -+ -+ if (JNXHeader.Levels > 20) -+ ThrowReaderException(CorruptImageError, ImproperImageHeader, image); -+ - /* Read JNX image level info. */ -+ memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo)); - total_tiles = 0; - current_tile = 0; - for (i = 0; i < JNXHeader.Levels; i++) -@@ -302,11 +337,23 @@ - { - JNXLevelInfo[i].Copyright = NULL; - } -+ -+ if (EOFBlob(image)) -+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ -+ if (image->logging) -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "Level[%u] Info:" -+ " TileCount: %4u" -+ " TilesOffset: %6u" -+ " Scale: %04u", -+ i, -+ JNXLevelInfo[i].TileCount, -+ JNXLevelInfo[i].TilesOffset, -+ JNXLevelInfo[i].Scale -+ ); - } - -- if (EOFBlob(image)) -- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -- - /* Get the current limit */ - SaveLimit = GetMagickResourceLimit(MapResource); - -@@ -316,11 +363,32 @@ - /* Read JNX image data. */ - for (i = 0; i < JNXHeader.Levels; i++) - { -+ /* -+ Validate TileCount against remaining file data -+ */ -+ const magick_off_t current_offset = TellBlob(image); -+ const size_t pos_list_entry_size = -+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + -+ sizeof(magick_uint32_t) + sizeof(magick_uint16_t) + sizeof(magick_uint16_t) + -+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t); -+ const magick_off_t remaining = file_size-current_offset; -+ const size_t needed = MagickArraySize(pos_list_entry_size,JNXLevelInfo[i].TileCount); -+ -+ if ((needed == 0U) || (remaining <= 0) || (remaining < (magick_off_t) needed)) -+ { -+ (void) SetMagickResourceLimit(MapResource, SaveLimit); -+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ } -+ - PositionList = MagickAllocateArray(TJNXTileInfo *, - JNXLevelInfo[i].TileCount, - sizeof(TJNXTileInfo)); - if (PositionList == NULL) -- continue; -+ { -+ (void) SetMagickResourceLimit(MapResource, SaveLimit); -+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, -+ image); -+ } - - (void) SeekBlob(image, JNXLevelInfo[i].TilesOffset, SEEK_SET); - for (j = 0; j < JNXLevelInfo[i].TileCount; j++) -@@ -333,12 +401,15 @@ - PositionList[j].PicHeight = ReadBlobLSBShort(image); - PositionList[j].PicSize = ReadBlobLSBLong(image); - PositionList[j].PicOffset = ReadBlobLSBLong(image); -- } - -- if (EOFBlob(image)) -- { -- MagickFreeMemory(PositionList); -- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ if (EOFBlob(image) || -+ ((magick_off_t) PositionList[j].PicOffset + -+ PositionList[j].PicSize > file_size)) -+ { -+ (void) SetMagickResourceLimit(MapResource, SaveLimit); -+ MagickFreeMemory(PositionList); -+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ } - } - - for (j = 0; j < JNXLevelInfo[i].TileCount; j++) -@@ -351,6 +422,9 @@ - image = ExtractTileJPG(image, image_info, PositionList+j, exception); - (void) SetMonitorHandler(previous_handler); - -+ if (exception->severity >= ErrorException) -+ break; -+ - current_tile++; - if (QuantumTick(current_tile,total_tiles)) - if (!MagickMonitorFormatted(current_tile,total_tiles,exception, - diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch deleted file mode 100644 index e129fd58fc..0000000000 --- a/gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch +++ /dev/null @@ -1,179 +0,0 @@ -http://openwall.com/lists/oss-security/2017/08/31/1 -http://openwall.com/lists/oss-security/2017/08/31/2 -http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/233a720bfd5e - -some changes were made to make the patch apply - -# HG changeset patch -# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> -# Date 1503779175 18000 -# Node ID 233a720bfd5efd378f133a776507ed41230da617 -# Parent b037d79b6ccd0cfba7ba9ce09b454ed46d688036 -XBM: Fix DOS issues. - -diff -r b037d79b6ccd -r 233a720bfd5e coders/xbm.c ---- a/coders/xbm.c Sat Aug 26 14:14:13 2017 -0500 -+++ b/coders/xbm.c Sat Aug 26 15:26:15 2017 -0500 -@@ -1,5 +1,5 @@ - /* --% Copyright (C) 2003 -2012 GraphicsMagick Group -+% Copyright (C) 2003-2017 GraphicsMagick Group - % Copyright (C) 2002 ImageMagick Studio - % Copyright 1991-1999 E. I. du Pont de Nemours and Company - % -@@ -121,13 +121,15 @@ - - static int XBMInteger(Image *image,short int *hex_digits) - { -+ unsigned int -+ flag; -+ - int - c, -- flag, - value; - - value=0; -- flag=0; -+ flag=0U; - for ( ; ; ) - { - c=ReadBlobByte(image); -@@ -158,18 +160,14 @@ - Image - *image; - -- int -- bit; -- -- long -- y; -- - register IndexPacket - *indexes; - -- register long -+ register size_t -+ bytes_per_line, - i, -- x; -+ x, -+ y; - - register PixelPacket - *q; -@@ -177,22 +175,24 @@ - register unsigned char - *p; - -- short int -- hex_digits[256]; -- - unsigned char - *data; - - unsigned int -+ bit, -+ byte, -+ padding, -+ version; -+ -+ int -+ value; -+ -+ short int -+ hex_digits[256]; -+ -+ MagickPassFail - status; - -- unsigned long -- byte, -- bytes_per_line, -- padding, -- value, -- version; -- - /* - Open image file. - */ -@@ -207,6 +207,8 @@ - /* - Read X bitmap header. - */ -+ (void) memset(buffer,0,sizeof(buffer)); -+ name[0]='\0'; - while (ReadBlobString(image,buffer) != (char *) NULL) - if (sscanf(buffer,"#define %s %lu",name,&image->columns) == 2) - if ((strlen(name) >= 6) && -@@ -278,6 +280,8 @@ - /* - Initialize hex values. - */ -+ for (i = 0; i < sizeof(hex_digits)/sizeof(hex_digits[0]); i++) -+ hex_digits[i]=(-1); - hex_digits['0']=0; - hex_digits['1']=1; - hex_digits['2']=2; -@@ -311,40 +315,50 @@ - */ - p=data; - if (version == 10) -- for (i=0; i < (long) (bytes_per_line*image->rows); (i+=2)) -+ for (i=0; i < (bytes_per_line*image->rows); (i+=2)) - { - value=XBMInteger(image,hex_digits); -+ if (value < 0) -+ { -+ MagickFreeMemory(data); -+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image); -+ } - *p++=(unsigned char) value; - if (!padding || ((i+2) % bytes_per_line)) - *p++=(unsigned char) (value >> 8); - } - else -- for (i=0; i < (long) (bytes_per_line*image->rows); i++) -+ for (i=0; i < (bytes_per_line*image->rows); i++) - { - value=XBMInteger(image,hex_digits); -+ if (value < 0) -+ { -+ MagickFreeMemory(data); -+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image); -+ } - *p++=(unsigned char) value; - } - /* - Convert X bitmap image to pixel packets. - */ - p=data; -- for (y=0; y < (long) image->rows; y++) -+ for (y=0; y < image->rows; y++) - { - q=SetImagePixels(image,0,y,image->columns,1); - if (q == (PixelPacket *) NULL) - break; - indexes=AccessMutableIndexes(image); -- bit=0; -- byte=0; -- for (x=0; x < (long) image->columns; x++) -+ bit=0U; -+ byte=0U; -+ for (x=0; x < image->columns; x++) - { -- if (bit == 0) -+ if (bit == 0U) - byte=(*p++); - indexes[x]=byte & 0x01 ? 0x01 : 0x00; - bit++; -- byte>>=1; -- if (bit == 8) -- bit=0; -+ byte>>=1U; -+ if (bit == 8U) -+ bit=0U; - } - if (!SyncImagePixels(image)) - break; - diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch deleted file mode 100644 index 46f6b032c7..0000000000 --- a/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch +++ /dev/null @@ -1,80 +0,0 @@ -http://openwall.com/lists/oss-security/2017/08/28/5 -http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d - -some changes were made to make the patch apply - -# HG changeset patch -# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> -# Date 1503268616 18000 -# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072 -# Parent 83a5b946180835f260bcb91e3d06327a8e2577e3 -PNM: For binary formats, verify sufficient backing file data before memory request. - -diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c ---- a/coders/pnm.c Sun Aug 20 17:31:35 2017 -0500 -+++ b/coders/pnm.c Sun Aug 20 17:36:56 2017 -0500 -@@ -569,7 +569,7 @@ - (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u", - image->colors); - } -- number_pixels=image->columns*image->rows; -+ number_pixels=MagickArraySize(image->columns,image->rows); - if (number_pixels == 0) - ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image); - if (image->storage_class == PseudoClass) -@@ -858,14 +858,14 @@ - if (1 == bits_per_sample) - { - /* PBM */ -- bytes_per_row=((image->columns+7) >> 3); -+ bytes_per_row=((image->columns+7U) >> 3); - import_options.grayscale_miniswhite=MagickTrue; - quantum_type=GrayQuantum; - } - else - { - /* PGM & XV_332 */ -- bytes_per_row=((bits_per_sample+7)/8)*image->columns; -+ bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns); - if (XV_332_Format == format) - { - quantum_type=IndexQuantum; -@@ -878,7 +878,8 @@ - } - else - { -- bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns; -+ bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel), -+ image->columns); - if (3 == samples_per_pixel) - { - /* PPM */ -@@ -915,6 +916,28 @@ - is_monochrome=MagickFalse; - } - } -+ -+ /* Validate file size before allocating memory */ -+ if (BlobIsSeekable(image)) -+ { -+ const magick_off_t file_size = GetBlobSize(image); -+ const magick_off_t current_offset = TellBlob(image); -+ if ((file_size > 0) && -+ (current_offset > 0) && -+ (file_size > current_offset)) -+ { -+ const magick_off_t remaining = file_size-current_offset; -+ const magick_off_t needed = (magick_off_t) image->rows * -+ (magick_off_t) bytes_per_row; -+ if ((remaining < (magick_off_t) bytes_per_row) || -+ (remaining < needed)) -+ { -+ ThrowException(exception,CorruptImageError,UnexpectedEndOfFile, -+ image->filename); -+ break; -+ } -+ } -+ } - - scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1); - if (scanline_set == (ThreadViewDataSet *) NULL) diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch deleted file mode 100644 index 1f55d90d38..0000000000 --- a/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch +++ /dev/null @@ -1,72 +0,0 @@ -http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/493da54370aa -http://openwall.com/lists/oss-security/2017/09/06/4 - -some changes were made to make the patch apply - -# HG changeset patch -# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> -# Date 1503257388 18000 -# Node ID 493da54370aa42cb430c52a69eb75db0001a5589 -# Parent f8724674907902b7bc37c04f252fe30fbdd88e6f -SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions. - -diff -r f87246749079 -r 493da54370aa coders/sun.c ---- a/coders/sun.c Sun Aug 20 12:21:03 2017 +0200 -+++ b/coders/sun.c Sun Aug 20 14:29:48 2017 -0500 -@@ -498,6 +498,12 @@ - if (sun_info.depth < 8) - image->depth=sun_info.depth; - -+ if (image_info->ping) -+ { -+ CloseBlob(image); -+ return(image); -+ } -+ - /* - Compute bytes per line and bytes per image for an unencoded - image. -@@ -522,15 +528,37 @@ - if (bytes_per_image > sun_info.length) - ThrowReaderException(CorruptImageError,ImproperImageHeader,image); - -- if (image_info->ping) -- { -- CloseBlob(image); -- return(image); -- } - if (sun_info.type == RT_ENCODED) - sun_data_length=(size_t) sun_info.length; - else - sun_data_length=bytes_per_image; -+ -+ /* -+ Verify that data length claimed by header is supported by file size -+ */ -+ if (sun_info.type == RT_ENCODED) -+ { -+ if (sun_data_length < bytes_per_image/255U) -+ { -+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image); -+ } -+ } -+ if (BlobIsSeekable(image)) -+ { -+ const magick_off_t file_size = GetBlobSize(image); -+ const magick_off_t current_offset = TellBlob(image); -+ if ((file_size > 0) && -+ (current_offset > 0) && -+ (file_size > current_offset)) -+ { -+ const magick_off_t remaining = file_size-current_offset; -+ if (remaining < (magick_off_t) sun_data_length) -+ { -+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ } -+ } -+ } -+ - sun_data=MagickAllocateMemory(unsigned char *,sun_data_length); - if (sun_data == (unsigned char *) NULL) - ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image); - diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch deleted file mode 100644 index 8e1166ba7a..0000000000 --- a/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch +++ /dev/null @@ -1,210 +0,0 @@ -http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a -http://www.openwall.com/lists/oss-security/2017/09/22/2 - -Some changes were made to make the patch apply. - -Notably, the DestroyJNG() function in the upstream diff has been replaced by -its equivalent, a series of calls to MagickFreeMemory(), DestroyImageInfo(), -and DestroyImage(). See -http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5. - -# HG changeset patch -# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com> -# Date 1504014487 14400 -# Node ID 358608a46f0a9c55e9bb8b37d09bf1ac9bc87f06 -# Parent 38c362f0ae5e7a914c3fe822284c6953f8e6eee2 -Fix Issue 439 - -diff -ru a/coders/png.c b/coders/png.c ---- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500 -+++ b/coders/png.c 2017-09-30 08:20:16.218944991 -0400 -@@ -1176,15 +1176,15 @@ - /* allocate space */ - if (length == 0) - { -- (void) ThrowException2(&image->exception,CoderWarning, -- "invalid profile length",(char *) NULL); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "invalid profile length"); - return (MagickFail); - } - info=MagickAllocateMemory(unsigned char *,length); - if (info == (unsigned char *) NULL) - { -- (void) ThrowException2(&image->exception,CoderWarning, -- "unable to copy profile",(char *) NULL); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "Unable to copy profile"); - return (MagickFail); - } - /* copy profile, skipping white space and column 1 "=" signs */ -@@ -1197,8 +1197,8 @@ - if (*sp == '\0') - { - MagickFreeMemory(info); -- (void) ThrowException2(&image->exception,CoderWarning, -- "ran out of profile data",(char *) NULL); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "ran out of profile data"); - return (MagickFail); - } - sp++; -@@ -1234,8 +1234,9 @@ - if(SetImageProfile(image,profile_name,info,length) == MagickFail) - { - MagickFreeMemory(info); -- (void) ThrowException(&image->exception,ResourceLimitError, -- MemoryAllocationFailed,"unable to copy profile"); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "unable to copy profile"); -+ return MagickFail; - } - MagickFreeMemory(info); - return MagickTrue; -@@ -3285,7 +3286,6 @@ - if (status == MagickFalse) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- DestroyImage(alpha_image); - (void) LogMagickEvent(CoderEvent,GetMagickModule(), - " could not allocate alpha_image blob"); - return ((Image *)NULL); -@@ -3534,7 +3534,7 @@ - CloseBlob(color_image); - if (logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(), -- " Reading jng_image from color_blob."); -+ " Reading jng_image from color_blob."); - - FormatString(color_image_info->filename,"%.1024s",color_image->filename); - -@@ -3558,13 +3558,18 @@ - - if (logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(), -- " Copying jng_image pixels to main image."); -+ " Copying jng_image pixels to main image."); - image->rows=jng_height; - image->columns=jng_width; - length=image->columns*sizeof(PixelPacket); -+ if ((jng_height == 0 || jng_width == 0) && logging) -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " jng_width=%lu jng_height=%lu", -+ (unsigned long)jng_width,(unsigned long)jng_height); - for (y=0; y < (long) image->rows; y++) - { -- s=AcquireImagePixels(jng_image,0,y,image->columns,1,&image->exception); -+ s=AcquireImagePixels(jng_image,0,y,image->columns,1, -+ &image->exception); - q=SetImagePixels(image,0,y,image->columns,1); - (void) memcpy(q,s,length); - if (!SyncImagePixels(image)) -@@ -3589,45 +3594,79 @@ - CloseBlob(alpha_image); - if (logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(), -- " Reading opacity from alpha_blob."); -+ " Reading opacity from alpha_blob."); - - FormatString(alpha_image_info->filename,"%.1024s", - alpha_image->filename); - - jng_image=ReadImage(alpha_image_info,exception); - -- for (y=0; y < (long) image->rows; y++) -+ if (jng_image == (Image *)NULL) - { -- s=AcquireImagePixels(jng_image,0,y,image->columns,1, -- &image->exception); -- if (image->matte) -- { -- q=SetImagePixels(image,0,y,image->columns,1); -- for (x=(long) image->columns; x > 0; x--,q++,s++) -- q->opacity=(Quantum) MaxRGB-s->red; -- } -- else -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " jng_image is NULL."); -+ if (color_image_info) -+ DestroyImageInfo(color_image_info); -+ if (alpha_image_info) -+ DestroyImageInfo(alpha_image_info); -+ if (color_image) -+ DestroyImage(color_image); -+ if (alpha_image) -+ DestroyImage(alpha_image); -+ } -+ else -+ { -+ -+ if (logging) - { -- q=SetImagePixels(image,0,y,image->columns,1); -- for (x=(long) image->columns; x > 0; x--,q++,s++) -- { -- q->opacity=(Quantum) MaxRGB-s->red; -- if (q->opacity != OpaqueOpacity) -- image->matte=MagickTrue; -- } -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " Read jng_image."); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " jng_image->width=%lu, jng_image->height=%lu", -+ (unsigned long)jng_width,(unsigned long)jng_height); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " image->rows=%lu, image->columns=%lu", -+ (unsigned long)image->rows, -+ (unsigned long)image->columns); - } -- if (!SyncImagePixels(image)) -- break; -- } -- (void) LiberateUniqueFileResource(alpha_image->filename); -- DestroyImage(alpha_image); -- alpha_image = (Image *)NULL; -- DestroyImageInfo(alpha_image_info); -- alpha_image_info = (ImageInfo *)NULL; -- (void) LogMagickEvent(CoderEvent,GetMagickModule(), -- " Destroy the JNG image"); -- DestroyImage(jng_image); -- jng_image = (Image *)NULL; -+ -+ for (y=0; y < (long) image->rows; y++) -+ { -+ s=AcquireImagePixels(jng_image,0,y,image->columns,1, -+ &image->exception); -+ if (image->matte) -+ { -+ q=SetImagePixels(image,0,y,image->columns,1); -+ for (x=(long) image->columns; x > 0; x--,q++,s++) -+ q->opacity=(Quantum) MaxRGB-s->red; -+ } -+ else -+ { -+ q=SetImagePixels(image,0,y,image->columns,1); -+ for (x=(long) image->columns; x > 0; x--,q++,s++) -+ { -+ q->opacity=(Quantum) MaxRGB-s->red; -+ if (q->opacity != OpaqueOpacity) -+ image->matte=MagickTrue; -+ } -+ } -+ if (!SyncImagePixels(image)) -+ break; -+ } -+ (void) LiberateUniqueFileResource(alpha_image->filename); -+ if (color_image_info) -+ DestroyImageInfo(color_image_info); -+ if (alpha_image_info) -+ DestroyImageInfo(alpha_image_info); -+ if (color_image) -+ DestroyImage(color_image); -+ if (alpha_image) -+ DestroyImage(alpha_image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " Destroy the JNG image"); -+ DestroyImage(jng_image); -+ jng_image = (Image *)NULL; -+ } - } - } |