From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: [bug#28397] [PATCH] gnu: graphicsmagick: Fix CVE-2017-14042.
From: Kei Kebreau Date: Sat, 9 Sep 2017 09:43:08 -0400 Message-Id: <20170909134308.29996-1-kkebreau@posteo.net> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: 28397@debbugs.gnu.org Cc: Kei Kebreau * gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch. * gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch: New files. * gnu/local.mk (dist_patch_DATA): Register them. --- gnu/local.mk | 1 + gnu/packages/imagemagick.scm | 3 +- .../patches/graphicsmagick-CVE-2017-14042.patch | 80 ++++++++++++++++++++++ 3 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch diff --git a/gnu/local.mk b/gnu/local.mk index 1ac9d5efe..c88b51378 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -678,6 +678,7 @@ dist_patch_DATA = \ %D%/packages/patches/graphicsmagick-CVE-2017-12937.patch \ %D%/packages/patches/graphicsmagick-CVE-2017-13775.patch \ %D%/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch \ + %D%/packages/patches/graphicsmagick-CVE-2017-14042.patch \ %D%/packages/patches/graphite2-ffloat-store.patch \ %D%/packages/patches/grep-gnulib-lock.patch \ %D%/packages/patches/grep-timing-sensitive-test.patch \ diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm index 57ac7fda9..632be7034 100644 --- a/gnu/packages/imagemagick.scm +++ b/gnu/packages/imagemagick.scm @@ -182,7 +182,8 @@ script.") "graphicsmagick-CVE-2017-12936.patch" "graphicsmagick-CVE-2017-12937.patch" "graphicsmagick-CVE-2017-13775.patch" - "graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch")))) + "graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch" + "graphicsmagick-CVE-2017-14042.patch")))) (build-system gnu-build-system) (arguments `(#:configure-flags 
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch new file mode 100644 index 000000000..755e188c5 --- /dev/null +++ b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch 
@@ -0,0 +1,80 @@ +http://openwall.com/lists/oss-security/2017/08/28/5 +http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d + +some changes were made to make the patch apply + +# HG changeset patch +# User Bob Friesenhahn +# Date 1503268616 18000 +# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072 +# Parent 83a5b946180835f260bcb91e3d06327a8e2577e3 +PNM: For binary formats, verify sufficient backing file data before memory request. + +diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c +--- a/coders/pnm.c Sun Aug 20 17:31:35 2017 -0500 ++++ b/coders/pnm.c Sun Aug 20 17:36:56 2017 -0500 +@@ -569,7 +569,7 @@ + (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u", + image->colors); + } +- number_pixels=image->columns*image->rows; ++ number_pixels=MagickArraySize(image->columns,image->rows); + if (number_pixels == 0) + ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image); + if (image->storage_class == PseudoClass) +@@ -858,14 +858,14 @@ + if (1 == bits_per_sample) + { + /* PBM */ +- bytes_per_row=((image->columns+7) >> 3); ++ bytes_per_row=((image->columns+7U) >> 3); + import_options.grayscale_miniswhite=MagickTrue; + quantum_type=GrayQuantum; + } + else + { + /* PGM & XV_332 */ +- bytes_per_row=((bits_per_sample+7)/8)*image->columns; ++ bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns); + if (XV_332_Format == format) + { + quantum_type=IndexQuantum; +@@ -878,7 +878,8 @@ + } + else + { +- bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns; ++ bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel), ++ image->columns); + if (3 == samples_per_pixel) + { + /* PPM */ +@@ -915,6 +916,28 @@ + is_monochrome=MagickFalse; + } + } ++ ++ /* Validate file size before allocating memory */ ++ if (BlobIsSeekable(image)) ++ { ++ const magick_off_t file_size = GetBlobSize(image); ++ const magick_off_t current_offset = TellBlob(image); ++ if ((file_size > 0) && ++ (current_offset > 0) && ++ 
(file_size > current_offset)) ++ { ++ const magick_off_t remaining = file_size-current_offset; ++ const magick_off_t needed = (magick_off_t) image->rows * ++ (magick_off_t) bytes_per_row; ++ if ((remaining < (magick_off_t) bytes_per_row) || ++ (remaining < needed)) ++ { ++ ThrowException(exception,CorruptImageError,UnexpectedEndOfFile, ++ image->filename); ++ break; ++ } ++ } ++ } + + scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1); + if (scanline_set == (ThreadViewDataSet *) NULL) -- 2.14.1
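Review bot: The commit log entries for gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch and gnu/local.mk read "New files." and "Register them.", but the diffstat shows a single new file and the gnu/local.mk hunk adds a single line. Suggest "New file." and "Register it." so the log matches the change.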
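Review bot: The header of the new graphicsmagick-CVE-2017-14042.patch says "some changes were made to make the patch apply" without saying which ones. For a security fix taken from upstream changeset 3bbf7a13643d, please list what was altered (for example which hunks were dropped or re-based), so a later reader can compare the shipped patch against upstream without re-diffing it.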
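Review bot: In the embedded coders/pnm.c hunk at -878, the inner product (((bits_per_sample+7)/8)*samples_per_pixel) keeps the unsuffixed literals 7 and 8 and stays a plain multiplication, while the hunk at -858 moves both other branches to 7U and 8U. Only the multiplication by image->columns is routed through MagickArraySize here. Suggest using 7U and 8U in this branch as well so all three bytes_per_row computations are consistent, and noting in the patch header if this line is one of the places that differs from upstream.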
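Review bot: In the embedded coders/pnm.c hunk at -915, the size validation only runs when (file_size > current_offset), so a file that ends exactly at the current offset (no pixel data at all) skips the check and goes straight on to AllocateThreadViewDataArray. Suggest treating file_size <= current_offset as UnexpectedEndOfFile once file_size and current_offset are both known to be positive, rather than using it as a reason to skip the check. Related: needed is computed as image->rows * bytes_per_row, so a bytes_per_row of 0 makes both comparisons pass; number_pixels is tested against 0 in the -569 hunk, but no equivalent test on bytes_per_row is visible in the -858 or -878 hunks, and it would be worth confirming one exists in the unchanged code.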