From db7f7eb8ca670ee5d76e3bad3ada29e87e3f6a10 Mon Sep 17 00:00:00 2001 From: Kei Kebreau Date: Sun, 10 Sep 2017 12:19:06 -0400 Subject: gnu: graphicsmagick: Fix CVE-2017-{11403,14103}. * gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch. * gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + gnu/packages/imagemagick.scm | 3 +- ...phicsmagick-CVE-2017-11403+CVE-2017-14103.patch | 137 +++++++++++++++++++++ 3 files changed, 140 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch diff --git a/gnu/local.mk b/gnu/local.mk index 1f55e52bfd..4fefa3b10b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -678,6 +678,7 @@ dist_patch_DATA = \ %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \ %D%/packages/patches/gobject-introspection-cc.patch \ %D%/packages/patches/gobject-introspection-girepository.patch \ + %D%/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch \ %D%/packages/patches/graphicsmagick-CVE-2017-12935.patch \ %D%/packages/patches/graphicsmagick-CVE-2017-12936.patch \ %D%/packages/patches/graphicsmagick-CVE-2017-12937.patch \ diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm index 72b4643735..5f3e3ad96d 100644 --- a/gnu/packages/imagemagick.scm +++ b/gnu/packages/imagemagick.scm @@ -178,7 +178,8 @@ script.") (base32 "122zgs96dqrys62mnh8x5yvfff6km4d3yrnvaxzg3mg5sprib87v")) (patches - (search-patches "graphicsmagick-CVE-2017-12935.patch" + (search-patches "graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch" + "graphicsmagick-CVE-2017-12935.patch" "graphicsmagick-CVE-2017-12936.patch" "graphicsmagick-CVE-2017-12937.patch" "graphicsmagick-CVE-2017-13775.patch" diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch new file mode 100644 index 0000000000..dbcaea1343 --- /dev/null +++ b/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch @@ -0,0 +1,137 @@ +http://www.openwall.com/lists/oss-security/2017/09/01/6 + +CVE-2017-11403: +http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37 + +CVE-2017-14103: +http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f + +some changes were made to make the patch apply + +# HG changeset patch +# User Glenn Randers-Pehrson +# Date 1503875721 14400 +# Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2 +# Parent f0f2ea85a2930f3b6dcd72352719adb9660f2aad +Attempt to fix Issue 440. + +diff -ru a/coders/png.c b/coders/png.c +--- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500 ++++ b/coders/png.c 2017-09-10 11:31:56.543194173 -0400 +@@ -3106,7 +3106,9 @@ + if (length > PNG_MAX_UINT || count == 0) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(CorruptImageError,CorruptImage,image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ "chunk length (%lu) > PNG_MAX_UINT",length); ++ return ((Image*)NULL); + } + + chunk=(unsigned char *) NULL; +@@ -3117,13 +3119,16 @@ + if (chunk == (unsigned char *) NULL) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, +- image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " Could not allocate chunk memory"); ++ return ((Image*)NULL); + } + if (ReadBlob(image,length,chunk) < length) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(CorruptImageError,CorruptImage,image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " chunk reading was incomplete"); ++ return ((Image*)NULL); + } + p=chunk; + } +@@ -3198,7 +3203,7 @@ + jng_width, jng_height); + MagickFreeMemory(chunk); + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(CorruptImageError,ImproperImageHeader,image); ++ return ((Image *)NULL); + } + + /* Temporarily set width and height resources to match JHDR */ +@@ -3233,8 +3238,9 @@ + if (color_image == (Image *) NULL) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, +- image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " could not open color_image blob"); ++ return ((Image *)NULL); + } + if (logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), +@@ -3245,7 +3251,9 @@ + if (status == MagickFalse) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(CoderError,UnableToOpenBlob,color_image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " could not open color_image blob"); ++ return ((Image *)NULL); + } + + if (!image_info->ping && jng_color_type >= 12) +@@ -3255,17 +3263,18 @@ + if (alpha_image_info == (ImageInfo *) NULL) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(ResourceLimitError, +- MemoryAllocationFailed, image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " could not allocate alpha_image_info",length); ++ return ((Image *)NULL); + } + GetImageInfo(alpha_image_info); + alpha_image=AllocateImage(alpha_image_info); + if (alpha_image == (Image *) NULL) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(ResourceLimitError, +- MemoryAllocationFailed, +- alpha_image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " could not allocate alpha_image"); ++ return ((Image *)NULL); + } + if (logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), +@@ -3277,7 +3286,9 @@ + { + DestroyJNGInfo(color_image_info,alpha_image_info); + DestroyImage(alpha_image); +- ThrowReaderException(CoderError,UnableToOpenBlob,image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " could not allocate alpha_image blob"); ++ return ((Image *)NULL); + } + if (jng_alpha_compression_method == 0) + { +@@ -3613,6 +3624,8 @@ + alpha_image = (Image *)NULL; + DestroyImageInfo(alpha_image_info); + alpha_image_info = (ImageInfo *)NULL; ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " Destroy the JNG image"); + DestroyImage(jng_image); + jng_image = (Image *)NULL; + } +@@ -5146,8 +5159,8 @@ + + if (image == (Image *) NULL) + { +- DestroyImageList(previous); + CloseBlob(previous); ++ DestroyImageList(previous); + MngInfoFreeStruct(mng_info,&have_mng_structure); + return((Image *) NULL); + } -- cgit v1.2.3