* [bug#28406] [PATCH] gnu: graphicsmagick: Fix CVE-2017-{11403,14103}.
@ 2017-09-10 16:21 Kei Kebreau
[not found] ` <handler.28406.B.150506055012428.ack@debbugs.gnu.org>
2017-09-14 11:46 ` [bug#28406] [PATCH] gnu: graphicsmagick: Fix CVE-2017-{11403, 14103} Ludovic Courtès
0 siblings, 2 replies; 4+ messages in thread
From: Kei Kebreau @ 2017-09-10 16:21 UTC (permalink / raw)
To: 28406; +Cc: Kei Kebreau
* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
* gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Register it.
---
gnu/local.mk | 1 +
gnu/packages/imagemagick.scm | 3 +-
...phicsmagick-CVE-2017-11403+CVE-2017-14103.patch | 137 +++++++++++++++++++++
3 files changed, 140 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 64b1b1c14..53fae7873 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -675,6 +675,7 @@ dist_patch_DATA = \
%D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
%D%/packages/patches/gobject-introspection-cc.patch \
%D%/packages/patches/gobject-introspection-girepository.patch \
+ %D%/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-12935.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-12936.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-12937.patch \
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 632be7034..3b4fc4ac6 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -178,7 +178,8 @@ script.")
(base32
"122zgs96dqrys62mnh8x5yvfff6km4d3yrnvaxzg3mg5sprib87v"))
(patches
- (search-patches "graphicsmagick-CVE-2017-12935.patch"
+ (search-patches "graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch"
+ "graphicsmagick-CVE-2017-12935.patch"
"graphicsmagick-CVE-2017-12936.patch"
"graphicsmagick-CVE-2017-12937.patch"
"graphicsmagick-CVE-2017-13775.patch"
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch
new file mode 100644
index 000000000..dbcaea134
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch
@@ -0,0 +1,137 @@
+http://www.openwall.com/lists/oss-security/2017/09/01/6
+
+CVE-2017-11403:
+http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37
+
+CVE-2017-14103:
+http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f
+
+some changes were made to make the patch apply
+
+# HG changeset patch
+# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
+# Date 1503875721 14400
+# Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2
+# Parent f0f2ea85a2930f3b6dcd72352719adb9660f2aad
+Attempt to fix Issue 440.
+
+diff -ru a/coders/png.c b/coders/png.c
+--- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500
++++ b/coders/png.c 2017-09-10 11:31:56.543194173 -0400
+@@ -3106,7 +3106,9 @@
+ if (length > PNG_MAX_UINT || count == 0)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(CorruptImageError,CorruptImage,image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "chunk length (%lu) > PNG_MAX_UINT",length);
++ return ((Image*)NULL);
+ }
+
+ chunk=(unsigned char *) NULL;
+@@ -3117,13 +3119,16 @@
+ if (chunk == (unsigned char *) NULL)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+- image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " Could not allocate chunk memory");
++ return ((Image*)NULL);
+ }
+ if (ReadBlob(image,length,chunk) < length)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(CorruptImageError,CorruptImage,image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " chunk reading was incomplete");
++ return ((Image*)NULL);
+ }
+ p=chunk;
+ }
+@@ -3198,7 +3203,7 @@
+ jng_width, jng_height);
+ MagickFreeMemory(chunk);
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
++ return ((Image *)NULL);
+ }
+
+ /* Temporarily set width and height resources to match JHDR */
+@@ -3233,8 +3238,9 @@
+ if (color_image == (Image *) NULL)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+- image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not open color_image blob");
++ return ((Image *)NULL);
+ }
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+@@ -3245,7 +3251,9 @@
+ if (status == MagickFalse)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(CoderError,UnableToOpenBlob,color_image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not open color_image blob");
++ return ((Image *)NULL);
+ }
+
+ if (!image_info->ping && jng_color_type >= 12)
+@@ -3255,17 +3263,18 @@
+ if (alpha_image_info == (ImageInfo *) NULL)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(ResourceLimitError,
+- MemoryAllocationFailed, image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate alpha_image_info",length);
++ return ((Image *)NULL);
+ }
+ GetImageInfo(alpha_image_info);
+ alpha_image=AllocateImage(alpha_image_info);
+ if (alpha_image == (Image *) NULL)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(ResourceLimitError,
+- MemoryAllocationFailed,
+- alpha_image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate alpha_image");
++ return ((Image *)NULL);
+ }
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+@@ -3277,7 +3286,9 @@
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+ DestroyImage(alpha_image);
+- ThrowReaderException(CoderError,UnableToOpenBlob,image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate alpha_image blob");
++ return ((Image *)NULL);
+ }
+ if (jng_alpha_compression_method == 0)
+ {
+@@ -3613,6 +3624,8 @@
+ alpha_image = (Image *)NULL;
+ DestroyImageInfo(alpha_image_info);
+ alpha_image_info = (ImageInfo *)NULL;
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " Destroy the JNG image");
+ DestroyImage(jng_image);
+ jng_image = (Image *)NULL;
+ }
+@@ -5146,8 +5159,8 @@
+
+ if (image == (Image *) NULL)
+ {
+- DestroyImageList(previous);
+ CloseBlob(previous);
++ DestroyImageList(previous);
+ MngInfoFreeStruct(mng_info,&have_mng_structure);
+ return((Image *) NULL);
+ }
--
2.14.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [bug#28406] [PATCH] gnu: graphicsmagick: Fix CVE-2017-{11403,14103}.
[not found] ` <handler.28406.B.150506055012428.ack@debbugs.gnu.org>
@ 2017-09-10 16:25 ` Kei Kebreau
0 siblings, 0 replies; 4+ messages in thread
From: Kei Kebreau @ 2017-09-10 16:25 UTC (permalink / raw)
To: 28406
[-- Attachment #1: Type: text/plain, Size: 170 bytes --]
It should be noted that AddressSanitizer still reports a memory leak
with these fixes, even though the use-after-free problem seems to be
solved.
Thanks in advance,
Kei
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* [bug#28406] [PATCH] gnu: graphicsmagick: Fix CVE-2017-{11403, 14103}.
2017-09-10 16:21 [bug#28406] [PATCH] gnu: graphicsmagick: Fix CVE-2017-{11403,14103} Kei Kebreau
[not found] ` <handler.28406.B.150506055012428.ack@debbugs.gnu.org>
@ 2017-09-14 11:46 ` Ludovic Courtès
2017-09-14 13:39 ` bug#28406: " Kei Kebreau
1 sibling, 1 reply; 4+ messages in thread
From: Ludovic Courtès @ 2017-09-14 11:46 UTC (permalink / raw)
To: Kei Kebreau; +Cc: 28406
Hi Kei,
Kei Kebreau <kkebreau@posteo.net> skribis:
> * gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
> * gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
I think you can go ahead.
Thanks for taking care of it!
Ludo’.
^ permalink raw reply [flat|nested] 4+ messages in thread
* bug#28406: [PATCH] gnu: graphicsmagick: Fix CVE-2017-{11403, 14103}.
2017-09-14 11:46 ` [bug#28406] [PATCH] gnu: graphicsmagick: Fix CVE-2017-{11403, 14103} Ludovic Courtès
@ 2017-09-14 13:39 ` Kei Kebreau
0 siblings, 0 replies; 4+ messages in thread
From: Kei Kebreau @ 2017-09-14 13:39 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 28406-done
[-- Attachment #1: Type: text/plain, Size: 470 bytes --]
ludo@gnu.org (Ludovic Courtès) writes:
> Hi Kei,
>
> Kei Kebreau <kkebreau@posteo.net> skribis:
>
>> * gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
>> * gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch:
>> New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>
> I think you can go ahead.
>
> Thanks for taking care of it!
>
> Ludo’.
Pushed to master as db7f7eb8ca670ee5d76e3bad3ada29e87e3f6a10.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-09-14 13:41 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-09-10 16:21 [bug#28406] [PATCH] gnu: graphicsmagick: Fix CVE-2017-{11403,14103} Kei Kebreau
[not found] ` <handler.28406.B.150506055012428.ack@debbugs.gnu.org>
2017-09-10 16:25 ` Kei Kebreau
2017-09-14 11:46 ` [bug#28406] [PATCH] gnu: graphicsmagick: Fix CVE-2017-{11403, 14103} Ludovic Courtès
2017-09-14 13:39 ` bug#28406: " Kei Kebreau
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).