diff options
author | Kei Kebreau <kkebreau@posteo.net> | 2017-09-09 09:41:28 -0400 |
---|---|---|
committer | Kei Kebreau <kkebreau@posteo.net> | 2017-09-10 09:33:56 -0400 |
commit | 2cc752c0b0ab801509574d601c1024b73aed0dab (patch) | |
tree | 4e7247830b5187a354935ebbe9f799b8a7ed8ac4 | |
parent | c2a59a92bb18360f26d251c8b1b121b40b1bc806 (diff) | |
download | patches-2cc752c0b0ab801509574d601c1024b73aed0dab.tar patches-2cc752c0b0ab801509574d601c1024b73aed0dab.tar.gz |
gnu: graphicsmagick: Fix CVE-2017-14042.
* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
* gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/imagemagick.scm | 3 | ||||
-rw-r--r-- | gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch | 80 |
3 files changed, 83 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 8ffa13b3ee..64b1b1c14d 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -680,6 +680,7 @@ dist_patch_DATA = \ %D%/packages/patches/graphicsmagick-CVE-2017-12937.patch \ %D%/packages/patches/graphicsmagick-CVE-2017-13775.patch \ %D%/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch \ + %D%/packages/patches/graphicsmagick-CVE-2017-14042.patch \ %D%/packages/patches/graphite2-ffloat-store.patch \ %D%/packages/patches/grep-gnulib-lock.patch \ %D%/packages/patches/grep-timing-sensitive-test.patch \ diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm index 57ac7fda97..632be70349 100644 --- a/gnu/packages/imagemagick.scm +++ b/gnu/packages/imagemagick.scm @@ -182,7 +182,8 @@ script.") "graphicsmagick-CVE-2017-12936.patch" "graphicsmagick-CVE-2017-12937.patch" "graphicsmagick-CVE-2017-13775.patch" - "graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch")))) + "graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch" + "graphicsmagick-CVE-2017-14042.patch")))) (build-system gnu-build-system) (arguments `(#:configure-flags diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch new file mode 100644 index 0000000000..46f6b032c7 --- /dev/null +++ b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch @@ -0,0 +1,80 @@ +http://openwall.com/lists/oss-security/2017/08/28/5 +http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d + +some changes were made to make the patch apply + +# HG changeset patch +# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> +# Date 1503268616 18000 +# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072 +# Parent 83a5b946180835f260bcb91e3d06327a8e2577e3 +PNM: For binary formats, verify sufficient backing file data before memory request. + +diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c +--- a/coders/pnm.c Sun Aug 20 17:31:35 2017 -0500 ++++ b/coders/pnm.c Sun Aug 20 17:36:56 2017 -0500 +@@ -569,7 +569,7 @@ + (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u", + image->colors); + } +- number_pixels=image->columns*image->rows; ++ number_pixels=MagickArraySize(image->columns,image->rows); + if (number_pixels == 0) + ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image); + if (image->storage_class == PseudoClass) +@@ -858,14 +858,14 @@ + if (1 == bits_per_sample) + { + /* PBM */ +- bytes_per_row=((image->columns+7) >> 3); ++ bytes_per_row=((image->columns+7U) >> 3); + import_options.grayscale_miniswhite=MagickTrue; + quantum_type=GrayQuantum; + } + else + { + /* PGM & XV_332 */ +- bytes_per_row=((bits_per_sample+7)/8)*image->columns; ++ bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns); + if (XV_332_Format == format) + { + quantum_type=IndexQuantum; +@@ -878,7 +878,8 @@ + } + else + { +- bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns; ++ bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel), ++ image->columns); + if (3 == samples_per_pixel) + { + /* PPM */ +@@ -915,6 +916,28 @@ + is_monochrome=MagickFalse; + } + } ++ ++ /* Validate file size before allocating memory */ ++ if (BlobIsSeekable(image)) ++ { ++ const magick_off_t file_size = GetBlobSize(image); ++ const magick_off_t current_offset = TellBlob(image); ++ if ((file_size > 0) && ++ (current_offset > 0) && ++ (file_size > current_offset)) ++ { ++ const magick_off_t remaining = file_size-current_offset; ++ const magick_off_t needed = (magick_off_t) image->rows * ++ (magick_off_t) bytes_per_row; ++ if ((remaining < (magick_off_t) bytes_per_row) || ++ (remaining < needed)) ++ { ++ ThrowException(exception,CorruptImageError,UnexpectedEndOfFile, ++ image->filename); ++ break; ++ } ++ } ++ } + + scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1); + if (scanline_set == (ThreadViewDataSet *) NULL) |