[bug#28397] [PATCH] gnu: graphicsmagick: Fix CVE-2017-14042.

unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed

* [bug#28397] [PATCH] gnu: graphicsmagick: Fix CVE-2017-14042.
@ 2017-09-09 13:43 Kei Kebreau
  2017-09-10 13:29 ` Ludovic Courtès
  0 siblings, 1 reply; 3+ messages in thread
From: Kei Kebreau @ 2017-09-09 13:43 UTC (permalink / raw)
  To: 28397; +Cc: Kei Kebreau

* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
* gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/imagemagick.scm                       |  3 +-
 .../patches/graphicsmagick-CVE-2017-14042.patch    | 80 ++++++++++++++++++++++
 3 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 1ac9d5efe..c88b51378 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -678,6 +678,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/graphicsmagick-CVE-2017-12937.patch	\
   %D%/packages/patches/graphicsmagick-CVE-2017-13775.patch	\
   %D%/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch	\
+  %D%/packages/patches/graphicsmagick-CVE-2017-14042.patch	\
   %D%/packages/patches/graphite2-ffloat-store.patch		\
   %D%/packages/patches/grep-gnulib-lock.patch                   \
   %D%/packages/patches/grep-timing-sensitive-test.patch		\
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 57ac7fda9..632be7034 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -182,7 +182,8 @@ script.")
                                "graphicsmagick-CVE-2017-12936.patch"
                                "graphicsmagick-CVE-2017-12937.patch"
                                "graphicsmagick-CVE-2017-13775.patch"
-                               "graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"))))
+                               "graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"
+                               "graphicsmagick-CVE-2017-14042.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch
new file mode 100644
index 000000000..755e188c5
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch
@@ -0,0 +1,80 @@
+http://openwall.com/lists/oss-security/2017/08/28/5
+http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d
+
+some changes were made to make the patch apply
+
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1503268616 18000
+# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072
+# Parent  83a5b946180835f260bcb91e3d06327a8e2577e3
+PNM: For binary formats, verify sufficient backing file data before memory request.
+
+diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c
+--- a/coders/pnm.c	Sun Aug 20 17:31:35 2017 -0500
++++ b/coders/pnm.c	Sun Aug 20 17:36:56 2017 -0500
+@@ -569,7 +569,7 @@
+           (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u",
+                                 image->colors);
+         }
+-      number_pixels=image->columns*image->rows;
++      number_pixels=MagickArraySize(image->columns,image->rows);
+       if (number_pixels == 0)
+         ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image);
+       if (image->storage_class == PseudoClass)
+@@ -858,14 +858,14 @@
+ 		if (1 == bits_per_sample)
+ 		  {
+ 		    /* PBM */
+-		    bytes_per_row=((image->columns+7) >> 3);
++		    bytes_per_row=((image->columns+7U) >> 3);
+ 		    import_options.grayscale_miniswhite=MagickTrue;
+ 		    quantum_type=GrayQuantum;
+ 		  }
+ 		else
+ 		  {
+ 		    /* PGM & XV_332 */
+-		    bytes_per_row=((bits_per_sample+7)/8)*image->columns;
++		    bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns);
+ 		    if (XV_332_Format == format)
+ 		      {
+ 			quantum_type=IndexQuantum;
+@@ -878,7 +878,8 @@
+ 	      }
+ 	    else
+ 	      {
+-		bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns;
++		bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel),
++                                              image->columns);
+ 		if (3 == samples_per_pixel)
+ 		  {
+ 		    /* PPM */
+@@ -915,6 +916,28 @@
+ 		    is_monochrome=MagickFalse;
+ 		  }
+ 	      }
++
++            /* Validate file size before allocating memory */
++            if (BlobIsSeekable(image))
++              {
++                const magick_off_t file_size = GetBlobSize(image);
++                const magick_off_t current_offset = TellBlob(image);
++                if ((file_size > 0) &&
++                    (current_offset > 0) &&
++                    (file_size > current_offset))
++                  {
++                    const magick_off_t remaining = file_size-current_offset;
++                    const magick_off_t needed = (magick_off_t) image->rows *
++                      (magick_off_t) bytes_per_row;
++                    if ((remaining < (magick_off_t) bytes_per_row) ||
++                        (remaining < needed))
++                      {
++                        ThrowException(exception,CorruptImageError,UnexpectedEndOfFile,
++                                       image->filename);
++                        break;
++                      }
++                  }
++              }
+         
+             scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1);
+             if (scanline_set == (ThreadViewDataSet *) NULL)
-- 
2.14.1

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [bug#28397] [PATCH] gnu: graphicsmagick: Fix CVE-2017-14042.
  2017-09-09 13:43 [bug#28397] [PATCH] gnu: graphicsmagick: Fix CVE-2017-14042 Kei Kebreau
@ 2017-09-10 13:29 ` Ludovic Courtès
  2017-09-10 13:46   ` bug#28397: " Kei Kebreau
  0 siblings, 1 reply; 3+ messages in thread
From: Ludovic Courtès @ 2017-09-10 13:29 UTC (permalink / raw)
  To: Kei Kebreau; +Cc: 28397

Kei Kebreau <kkebreau@posteo.net> skribis:

> * gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
> * gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Register them.

LGTM, thank you!

Ludo’.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* bug#28397: [PATCH] gnu: graphicsmagick: Fix CVE-2017-14042.
  2017-09-10 13:29 ` Ludovic Courtès
@ 2017-09-10 13:46   ` Kei Kebreau
  0 siblings, 0 replies; 3+ messages in thread
From: Kei Kebreau @ 2017-09-10 13:46 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 28397-done

[-- Attachment #1: Type: text/plain, Size: 418 bytes --]

ludo@gnu.org (Ludovic Courtès) writes:

> Kei Kebreau <kkebreau@posteo.net> skribis:
>
>> * gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
>> * gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Register them.
>
> LGTM, thank you!
>
> Ludo’.

Pushed to master as 2cc752c0b0ab801509574d601c1024b73aed0dab. Thanks for
reviewing!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2017-09-10 13:48 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-09-09 13:43 [bug#28397] [PATCH] gnu: graphicsmagick: Fix CVE-2017-14042 Kei Kebreau
2017-09-10 13:29 ` Ludovic Courtès
2017-09-10 13:46   ` bug#28397: " Kei Kebreau

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).