From: Kei Kebreau <kkebreau@posteo.net>
To: 28406@debbugs.gnu.org
Cc: Kei Kebreau <kkebreau@posteo.net>
Subject: [bug#28406] [PATCH] gnu: graphicsmagick: Fix CVE-2017-{11403,14103}.
Date: Sun, 10 Sep 2017 12:21:44 -0400 [thread overview]
Message-ID: <20170910162144.32609-1-kkebreau@posteo.net> (raw)
* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
* gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Register it.
---
gnu/local.mk | 1 +
gnu/packages/imagemagick.scm | 3 +-
...phicsmagick-CVE-2017-11403+CVE-2017-14103.patch | 137 +++++++++++++++++++++
3 files changed, 140 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 64b1b1c14..53fae7873 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -675,6 +675,7 @@ dist_patch_DATA = \
%D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
%D%/packages/patches/gobject-introspection-cc.patch \
%D%/packages/patches/gobject-introspection-girepository.patch \
+ %D%/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-12935.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-12936.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-12937.patch \
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 632be7034..3b4fc4ac6 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -178,7 +178,8 @@ script.")
(base32
"122zgs96dqrys62mnh8x5yvfff6km4d3yrnvaxzg3mg5sprib87v"))
(patches
- (search-patches "graphicsmagick-CVE-2017-12935.patch"
+ (search-patches "graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch"
+ "graphicsmagick-CVE-2017-12935.patch"
"graphicsmagick-CVE-2017-12936.patch"
"graphicsmagick-CVE-2017-12937.patch"
"graphicsmagick-CVE-2017-13775.patch"
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch
new file mode 100644
index 000000000..dbcaea134
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch
@@ -0,0 +1,137 @@
+http://www.openwall.com/lists/oss-security/2017/09/01/6
+
+CVE-2017-11403:
+http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37
+
+CVE-2017-14103:
+http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f
+
+some changes were made to make the patch apply
+
+# HG changeset patch
+# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
+# Date 1503875721 14400
+# Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2
+# Parent f0f2ea85a2930f3b6dcd72352719adb9660f2aad
+Attempt to fix Issue 440.
+
+diff -ru a/coders/png.c b/coders/png.c
+--- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500
++++ b/coders/png.c 2017-09-10 11:31:56.543194173 -0400
+@@ -3106,7 +3106,9 @@
+ if (length > PNG_MAX_UINT || count == 0)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(CorruptImageError,CorruptImage,image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "chunk length (%lu) > PNG_MAX_UINT",length);
++ return ((Image*)NULL);
+ }
+
+ chunk=(unsigned char *) NULL;
+@@ -3117,13 +3119,16 @@
+ if (chunk == (unsigned char *) NULL)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+- image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " Could not allocate chunk memory");
++ return ((Image*)NULL);
+ }
+ if (ReadBlob(image,length,chunk) < length)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(CorruptImageError,CorruptImage,image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " chunk reading was incomplete");
++ return ((Image*)NULL);
+ }
+ p=chunk;
+ }
+@@ -3198,7 +3203,7 @@
+ jng_width, jng_height);
+ MagickFreeMemory(chunk);
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
++ return ((Image *)NULL);
+ }
+
+ /* Temporarily set width and height resources to match JHDR */
+@@ -3233,8 +3238,9 @@
+ if (color_image == (Image *) NULL)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+- image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not open color_image blob");
++ return ((Image *)NULL);
+ }
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+@@ -3245,7 +3251,9 @@
+ if (status == MagickFalse)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(CoderError,UnableToOpenBlob,color_image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not open color_image blob");
++ return ((Image *)NULL);
+ }
+
+ if (!image_info->ping && jng_color_type >= 12)
+@@ -3255,17 +3263,18 @@
+ if (alpha_image_info == (ImageInfo *) NULL)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(ResourceLimitError,
+- MemoryAllocationFailed, image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate alpha_image_info",length);
++ return ((Image *)NULL);
+ }
+ GetImageInfo(alpha_image_info);
+ alpha_image=AllocateImage(alpha_image_info);
+ if (alpha_image == (Image *) NULL)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(ResourceLimitError,
+- MemoryAllocationFailed,
+- alpha_image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate alpha_image");
++ return ((Image *)NULL);
+ }
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+@@ -3277,7 +3286,9 @@
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+ DestroyImage(alpha_image);
+- ThrowReaderException(CoderError,UnableToOpenBlob,image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate alpha_image blob");
++ return ((Image *)NULL);
+ }
+ if (jng_alpha_compression_method == 0)
+ {
+@@ -3613,6 +3624,8 @@
+ alpha_image = (Image *)NULL;
+ DestroyImageInfo(alpha_image_info);
+ alpha_image_info = (ImageInfo *)NULL;
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " Destroy the JNG image");
+ DestroyImage(jng_image);
+ jng_image = (Image *)NULL;
+ }
+@@ -5146,8 +5159,8 @@
+
+ if (image == (Image *) NULL)
+ {
+- DestroyImageList(previous);
+ CloseBlob(previous);
++ DestroyImageList(previous);
+ MngInfoFreeStruct(mng_info,&have_mng_structure);
+ return((Image *) NULL);
+ }
--
2.14.1
next reply other threads:[~2017-09-10 16:23 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-10 16:21 Kei Kebreau [this message]
[not found] ` <handler.28406.B.150506055012428.ack@debbugs.gnu.org>
2017-09-10 16:25 ` [bug#28406] [PATCH] gnu: graphicsmagick: Fix CVE-2017-{11403,14103} Kei Kebreau
2017-09-14 11:46 ` [bug#28406] [PATCH] gnu: graphicsmagick: Fix CVE-2017-{11403, 14103} Ludovic Courtès
2017-09-14 13:39 ` bug#28406: " Kei Kebreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170910162144.32609-1-kkebreau@posteo.net \
--to=kkebreau@posteo.net \
--cc=28406@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.