bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829. - Léo Le Bouter via Bug reports for GNU Guix

unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed

From: "Léo Le Bouter via Bug reports for GNU Guix" <bug-guix@gnu.org>
To: 47418@debbugs.gnu.org
Cc: "Léo Le Bouter" <lle-bout@zaclys.net>
Subject: bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829.
Date: Fri, 26 Mar 2021 20:53:42 +0100	[thread overview]
Message-ID: <20210326195342.14152-1-lle-bout@zaclys.net> (raw)
In-Reply-To: <e3478c8a057c33edc40dff562106807e883cef99.camel@zaclys.net>

* gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/imagemagick.scm (imagemagick/fixed): Apply patch to existing
graft.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/imagemagick.scm                  |  3 ++-
 .../patches/imagemagick-CVE-2020-27829.patch  | 23 +++++++++++++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 40956598db..fe70238345 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1220,6 +1220,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/id3lib-UTF16-writing-bug.patch			\
   %D%/packages/patches/idris-disable-test.patch			\
   %D%/packages/patches/ilmbase-fix-tests.patch			\
+  %D%/packages/patches/imagemagick-CVE-2020-27829.patch	\
   %D%/packages/patches/inetutils-hurd.patch			\
   %D%/packages/patches/inkscape-poppler-0.76.patch		\
   %D%/packages/patches/intel-xed-fix-nondeterminism.patch	\
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index a3562f2e13..1618a28596 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -143,7 +143,8 @@ text, lines, polygons, ellipses and Bézier curves.")
                                   "6.9.12-2.tar.xz"))
               (sha256
                (base32
-                "17da5zihz58qm41y61sbvw626m5xfwr2nzszlikrvxyq1j1q7asa"))))
+                "17da5zihz58qm41y61sbvw626m5xfwr2nzszlikrvxyq1j1q7asa"))
+              (patches (search-patches "imagemagick-CVE-2020-27829.patch"))))
     (arguments
      (substitute-keyword-arguments (package-arguments imagemagick)
        ((#:phases phases)
diff --git a/gnu/packages/patches/imagemagick-CVE-2020-27829.patch b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch
new file mode 100644
index 0000000000..74debdc98e
--- /dev/null
+++ b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch
@@ -0,0 +1,23 @@
+From 6ee5059cd3ac8d82714a1ab1321399b88539abf0 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 30 Nov 2020 16:27:26 +0000
+Subject: [PATCH] possible TIFF related-heap buffer overflow (alert & POC by
+ Hardik Shah)
+
+---
+ coders/tiff.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletion(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index e98f927abd..1eecf17aea 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1975,7 +1975,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         extent+=image->columns*sizeof(uint32);
+ #endif
+         strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+-          sizeof(*strip_pixels));
++          2*sizeof(*strip_pixels));
+         if (strip_pixels == (unsigned char *) NULL)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+         (void) memset(strip_pixels,0,extent*sizeof(*strip_pixels));
-- 
2.31.0

next prev parent reply	other threads:[~2021-03-26 20:23 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-26 19:52 bug#47418: imagemagick is vulnerable to CVE-2020-27829 Léo Le Bouter via Bug reports for GNU Guix
2021-03-26 19:53 ` Léo Le Bouter via Bug reports for GNU Guix [this message]
2021-03-26 23:12   ` bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829 Maxime Devos
2021-03-26 23:16     ` Léo Le Bouter via Bug reports for GNU Guix
2021-03-27 13:27   ` Mark H Weaver
2021-03-27 13:30     ` Léo Le Bouter via Bug reports for GNU Guix
2021-03-28  0:15       ` Mark H Weaver

find likely ancestor, descendant, or conflicting patches for this message:
dfblob:40956598d dfblob:a3562f2e1 dfblob:fe7023834 dfblob:1618a2859
dfblob:74debdc98
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210326195342.14152-1-lle-bout@zaclys.net \
    --to=bug-guix@gnu.org \
    --cc=47418@debbugs.gnu.org \
    --cc=lle-bout@zaclys.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).