* bug#47418: imagemagick is vulnerable to CVE-2020-27829 @ 2021-03-26 19:52 Léo Le Bouter via Bug reports for GNU Guix 2021-03-26 19:53 ` bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829 Léo Le Bouter via Bug reports for GNU Guix 0 siblings, 1 reply; 7+ messages in thread From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-26 19:52 UTC (permalink / raw) To: 47418 [-- Attachment #1: Type: text/plain, Size: 425 bytes --] CVE-2020-27829 18:15 A heap based buffer overflow in coders/tiff.c may result in program crash and denial of service in ImageMagick before 7.0.10-45. Upstream patch available at https://github.com/ImageMagick/ImageMagick/commit/6ee5059cd3ac8d82714a1ab1321399b88539abf0 Not yet backported to 6.x series but applies more or less cleanly (besides ChangeLog file). A patch will follow, please review! Thank you [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829. 2021-03-26 19:52 bug#47418: imagemagick is vulnerable to CVE-2020-27829 Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-26 19:53 ` Léo Le Bouter via Bug reports for GNU Guix 2021-03-26 23:12 ` Maxime Devos 2021-03-27 13:27 ` Mark H Weaver 0 siblings, 2 replies; 7+ messages in thread From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-26 19:53 UTC (permalink / raw) To: 47418; +Cc: Léo Le Bouter * gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/imagemagick.scm (imagemagick/fixed): Apply patch to existing graft. --- gnu/local.mk | 1 + gnu/packages/imagemagick.scm | 3 ++- .../patches/imagemagick-CVE-2020-27829.patch | 23 +++++++++++++++++++ 3 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch diff --git a/gnu/local.mk b/gnu/local.mk index 40956598db..fe70238345 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1220,6 +1220,7 @@ dist_patch_DATA = \ %D%/packages/patches/id3lib-UTF16-writing-bug.patch \ %D%/packages/patches/idris-disable-test.patch \ %D%/packages/patches/ilmbase-fix-tests.patch \ + %D%/packages/patches/imagemagick-CVE-2020-27829.patch \ %D%/packages/patches/inetutils-hurd.patch \ %D%/packages/patches/inkscape-poppler-0.76.patch \ %D%/packages/patches/intel-xed-fix-nondeterminism.patch \ diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm index a3562f2e13..1618a28596 100644 --- a/gnu/packages/imagemagick.scm +++ b/gnu/packages/imagemagick.scm @@ -143,7 +143,8 @@ text, lines, polygons, ellipses and Bézier curves.") "6.9.12-2.tar.xz")) (sha256 (base32 - "17da5zihz58qm41y61sbvw626m5xfwr2nzszlikrvxyq1j1q7asa")))) + "17da5zihz58qm41y61sbvw626m5xfwr2nzszlikrvxyq1j1q7asa")) + (patches (search-patches "imagemagick-CVE-2020-27829.patch")))) (arguments (substitute-keyword-arguments (package-arguments imagemagick) ((#:phases phases) diff --git a/gnu/packages/patches/imagemagick-CVE-2020-27829.patch b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch new file mode 100644 index 0000000000..74debdc98e --- /dev/null +++ b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch @@ -0,0 +1,23 @@ +From 6ee5059cd3ac8d82714a1ab1321399b88539abf0 Mon Sep 17 00:00:00 2001 +From: Cristy <urban-warrior@imagemagick.org> +Date: Mon, 30 Nov 2020 16:27:26 +0000 +Subject: [PATCH] possible TIFF related-heap buffer overflow (alert & POC by + Hardik Shah) + +--- + coders/tiff.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletion(-) + +diff --git a/coders/tiff.c b/coders/tiff.c +index e98f927abd..1eecf17aea 100644 +--- a/coders/tiff.c ++++ b/coders/tiff.c +@@ -1975,7 +1975,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info, + extent+=image->columns*sizeof(uint32); + #endif + strip_pixels=(unsigned char *) AcquireQuantumMemory(extent, +- sizeof(*strip_pixels)); ++ 2*sizeof(*strip_pixels)); + if (strip_pixels == (unsigned char *) NULL) + ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed"); + (void) memset(strip_pixels,0,extent*sizeof(*strip_pixels)); -- 2.31.0 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829. 2021-03-26 19:53 ` bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829 Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-26 23:12 ` Maxime Devos 2021-03-26 23:16 ` Léo Le Bouter via Bug reports for GNU Guix 2021-03-27 13:27 ` Mark H Weaver 1 sibling, 1 reply; 7+ messages in thread From: Maxime Devos @ 2021-03-26 23:12 UTC (permalink / raw) To: Léo Le Bouter, 47418 [-- Attachment #1: Type: text/plain, Size: 1175 bytes --] This patch seems about right to me. However, $ guix lint -c cve imagemagick gnu/packages/imagemagick.scm:132:2: imagemagick@6.9.12-2g: probably vulnerable to CVE-2021-20176, CVE-2021-20243, CVE-2021-20244, CVE- 2020-25663, CVE-2020-25665, CVE-2020-25666, CVE-2020-25667, CVE-2020-25674, CVE-2020-25675, CVE-2020-25676, CVE-2020-27750, CVE-2020- 27751, CVE-2020-27752, CVE-2020-27753, CVE-2020-27755, CVE-2020-27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759, CVE-2020-27760, CVE-2020-27761, CVE-2020-27762, CVE-2020-27763, CVE-2020-27765, CVE-2020-27766, CVE-2020-27767, CVE-2020-27768, CVE-2020-27770, CVE-2020- 27771, CVE-2020-27772, CVE-2020-27773, CVE-2020-27774, CVE-2020-27775, CVE-2020-27776, CVE-2019-10131, CVE-2019-10714, CVE-2019-13133, CVE-2019-13134, CVE-2019-13135, CVE-2019-13136, CVE-2019-13137, CVE-2019-17540, CVE-2019-17541, CVE-2019-17547, CVE-2019-18853, CVE-2019- 7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397, CVE-2019-7398, CVE-2018-16323, CVE-2018-16328, CVE-2018-16329, CVE-2018-16749, CVE- 2018-16750, CVE-2018-20467, CVE-2018-6405 Did we forget some bugs & patches, or is "guix lint" incorrect here? Greetings, Maxime [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 260 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829. 2021-03-26 23:12 ` Maxime Devos @ 2021-03-26 23:16 ` Léo Le Bouter via Bug reports for GNU Guix 0 siblings, 0 replies; 7+ messages in thread From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-26 23:16 UTC (permalink / raw) To: Maxime Devos, 47418 [-- Attachment #1: Type: text/plain, Size: 1820 bytes --] On Sat, 2021-03-27 at 00:12 +0100, Maxime Devos wrote: > This patch seems about right to me. However, > > $ guix lint -c cve imagemagick > gnu/packages/imagemagick.scm:132:2: imagemagick@6.9.12-2g: probably > vulnerable to CVE-2021-20176, CVE-2021-20243, CVE-2021-20244, CVE- > 2020-25663, CVE-2020-25665, CVE-2020-25666, CVE-2020-25667, CVE-2020- > 25674, CVE-2020-25675, CVE-2020-25676, CVE-2020-27750, CVE-2020- > 27751, CVE-2020-27752, CVE-2020-27753, CVE-2020-27755, CVE-2020- > 27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759, CVE-2020- > 27760, > CVE-2020-27761, CVE-2020-27762, CVE-2020-27763, CVE-2020-27765, CVE- > 2020-27766, CVE-2020-27767, CVE-2020-27768, CVE-2020-27770, CVE-2020- > 27771, CVE-2020-27772, CVE-2020-27773, CVE-2020-27774, CVE-2020- > 27775, CVE-2020-27776, CVE-2019-10131, CVE-2019-10714, CVE-2019- > 13133, > CVE-2019-13134, CVE-2019-13135, CVE-2019-13136, CVE-2019-13137, CVE- > 2019-17540, CVE-2019-17541, CVE-2019-17547, CVE-2019-18853, CVE-2019- > 7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397, CVE-2019-7398, > CVE-2018-16323, CVE-2018-16328, CVE-2018-16329, CVE-2018-16749, CVE- > 2018-16750, CVE-2018-20467, CVE-2018-6405 > > Did we forget some bugs & patches, or is "guix lint" incorrect here? > > Greetings, > Maxime To me, ImageMagick is lagging behind since a long while and we need to upgrade to the latest version ASAP. Unfortunately we don't seem to be able to do that since it has lots of dependents and backporting each and every of these patches is just impossible, also there's way more in the commit history without security labeling like CVE. I don't want to deal with backporting things for ImageMagick to catch up with the previous security fixes that no one cared to apply in due time earlier. It's just too much. [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829. 2021-03-26 19:53 ` bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829 Léo Le Bouter via Bug reports for GNU Guix 2021-03-26 23:12 ` Maxime Devos @ 2021-03-27 13:27 ` Mark H Weaver 2021-03-27 13:30 ` Léo Le Bouter via Bug reports for GNU Guix 1 sibling, 1 reply; 7+ messages in thread From: Mark H Weaver @ 2021-03-27 13:27 UTC (permalink / raw) To: 47418 Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> writes: > * gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New patch. > * gnu/local.mk (dist_patch_DATA): Register it. > * gnu/packages/imagemagick.scm (imagemagick/fixed): Apply patch to existing > graft. > --- > gnu/local.mk | 1 + > gnu/packages/imagemagick.scm | 3 ++- > .../patches/imagemagick-CVE-2020-27829.patch | 23 +++++++++++++++++++ > 3 files changed, 26 insertions(+), 1 deletion(-) > create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch Your patch looks good to me, but I've just posted an alternative patch set to 'guix-devel' which should enable us to keep ImageMagick up-to-date without grafting, and which fixes this security flaw and more. https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00538.html It's not a big deal, but if you push your patch now, I would need to rebase the patch set on top of it. Mark ^ permalink raw reply [flat|nested] 7+ messages in thread
* bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829. 2021-03-27 13:27 ` Mark H Weaver @ 2021-03-27 13:30 ` Léo Le Bouter via Bug reports for GNU Guix 2021-03-28 0:15 ` Mark H Weaver 0 siblings, 1 reply; 7+ messages in thread From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-27 13:30 UTC (permalink / raw) To: Mark H Weaver, 47418 [-- Attachment #1: Type: text/plain, Size: 551 bytes --] On Sat, 2021-03-27 at 09:27 -0400, Mark H Weaver wrote: > Your patch looks good to me, but I've just posted an alternative > patch > set to 'guix-devel' which should enable us to keep ImageMagick > up-to-date without grafting, and which fixes this security flaw and > more. > > https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00538.html > > It's not a big deal, but if you push your patch now, I would need to > rebase the patch set on top of it. > > Mark Thank you, let's get your better patch in then close this. [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829. 2021-03-27 13:30 ` Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-28 0:15 ` Mark H Weaver 0 siblings, 0 replies; 7+ messages in thread From: Mark H Weaver @ 2021-03-28 0:15 UTC (permalink / raw) To: Léo Le Bouter, 47418-done Léo Le Bouter <lle-bout@zaclys.net> writes: > Thank you, let's get your better patch in then close this. I've now pushed those patches to 'master'. CVE-2020-27829 is fixed in commit bfc69d5e7c45eac865e231643b58396580afb231, so I'm closing this bug now. Thanks! Mark ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-03-28 0:17 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-03-26 19:52 bug#47418: imagemagick is vulnerable to CVE-2020-27829 Léo Le Bouter via Bug reports for GNU Guix 2021-03-26 19:53 ` bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829 Léo Le Bouter via Bug reports for GNU Guix 2021-03-26 23:12 ` Maxime Devos 2021-03-26 23:16 ` Léo Le Bouter via Bug reports for GNU Guix 2021-03-27 13:27 ` Mark H Weaver 2021-03-27 13:30 ` Léo Le Bouter via Bug reports for GNU Guix 2021-03-28 0:15 ` Mark H Weaver
Code repositories for project(s) associated with this public inbox https://git.savannah.gnu.org/cgit/guix.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).