GNU bug report logs -
#28397
[PATCH] gnu: graphicsmagick: Fix CVE-2017-14042.
Previous Next
Reported by: Kei Kebreau <kkebreau <at> posteo.net>
Date: Sat, 9 Sep 2017 13:44:02 UTC
Severity: normal
Tags: patch
Done: Kei Kebreau <kkebreau <at> posteo.net>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 28397 in the body.
You can then email your comments to 28397 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#28397; Package
guix-patches.
(Sat, 09 Sep 2017 13:44:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Kei Kebreau <kkebreau <at> posteo.net>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Sat, 09 Sep 2017 13:44:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
* gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
---
gnu/local.mk | 1 +
gnu/packages/imagemagick.scm | 3 +-
.../patches/graphicsmagick-CVE-2017-14042.patch | 80 ++++++++++++++++++++++
3 files changed, 83 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 1ac9d5efe..c88b51378 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -678,6 +678,7 @@ dist_patch_DATA = \
%D%/packages/patches/graphicsmagick-CVE-2017-12937.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-13775.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch \
+ %D%/packages/patches/graphicsmagick-CVE-2017-14042.patch \
%D%/packages/patches/graphite2-ffloat-store.patch \
%D%/packages/patches/grep-gnulib-lock.patch \
%D%/packages/patches/grep-timing-sensitive-test.patch \
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 57ac7fda9..632be7034 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -182,7 +182,8 @@ script.")
"graphicsmagick-CVE-2017-12936.patch"
"graphicsmagick-CVE-2017-12937.patch"
"graphicsmagick-CVE-2017-13775.patch"
- "graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"))))
+ "graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"
+ "graphicsmagick-CVE-2017-14042.patch"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch
new file mode 100644
index 000000000..755e188c5
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch
@@ -0,0 +1,80 @@
+http://openwall.com/lists/oss-security/2017/08/28/5
+http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d
+
+some changes were made to make the patch apply
+
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen <at> GraphicsMagick.org>
+# Date 1503268616 18000
+# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072
+# Parent 83a5b946180835f260bcb91e3d06327a8e2577e3
+PNM: For binary formats, verify sufficient backing file data before memory request.
+
+diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c
+--- a/coders/pnm.c Sun Aug 20 17:31:35 2017 -0500
++++ b/coders/pnm.c Sun Aug 20 17:36:56 2017 -0500
+@@ -569,7 +569,7 @@
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u",
+ image->colors);
+ }
+- number_pixels=image->columns*image->rows;
++ number_pixels=MagickArraySize(image->columns,image->rows);
+ if (number_pixels == 0)
+ ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image);
+ if (image->storage_class == PseudoClass)
+@@ -858,14 +858,14 @@
+ if (1 == bits_per_sample)
+ {
+ /* PBM */
+- bytes_per_row=((image->columns+7) >> 3);
++ bytes_per_row=((image->columns+7U) >> 3);
+ import_options.grayscale_miniswhite=MagickTrue;
+ quantum_type=GrayQuantum;
+ }
+ else
+ {
+ /* PGM & XV_332 */
+- bytes_per_row=((bits_per_sample+7)/8)*image->columns;
++ bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns);
+ if (XV_332_Format == format)
+ {
+ quantum_type=IndexQuantum;
+@@ -878,7 +878,8 @@
+ }
+ else
+ {
+- bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns;
++ bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel),
++ image->columns);
+ if (3 == samples_per_pixel)
+ {
+ /* PPM */
+@@ -915,6 +916,28 @@
+ is_monochrome=MagickFalse;
+ }
+ }
++
++ /* Validate file size before allocating memory */
++ if (BlobIsSeekable(image))
++ {
++ const magick_off_t file_size = GetBlobSize(image);
++ const magick_off_t current_offset = TellBlob(image);
++ if ((file_size > 0) &&
++ (current_offset > 0) &&
++ (file_size > current_offset))
++ {
++ const magick_off_t remaining = file_size-current_offset;
++ const magick_off_t needed = (magick_off_t) image->rows *
++ (magick_off_t) bytes_per_row;
++ if ((remaining < (magick_off_t) bytes_per_row) ||
++ (remaining < needed))
++ {
++ ThrowException(exception,CorruptImageError,UnexpectedEndOfFile,
++ image->filename);
++ break;
++ }
++ }
++ }
+
+ scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1);
+ if (scanline_set == (ThreadViewDataSet *) NULL)
--
2.14.1
Information forwarded
to
guix-patches <at> gnu.org:
bug#28397; Package
guix-patches.
(Sun, 10 Sep 2017 13:30:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 28397 <at> debbugs.gnu.org (full text, mbox):
Kei Kebreau <kkebreau <at> posteo.net> skribis:
> * gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
> * gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Register them.
LGTM, thank you!
Ludo’.
Reply sent
to
Kei Kebreau <kkebreau <at> posteo.net>:
You have taken responsibility.
(Sun, 10 Sep 2017 13:48:03 GMT)
Full text and
rfc822 format available.
Notification sent
to
Kei Kebreau <kkebreau <at> posteo.net>:
bug acknowledged by developer.
(Sun, 10 Sep 2017 13:48:04 GMT)
Full text and
rfc822 format available.
Message #13 received at 28397-done <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
ludo <at> gnu.org (Ludovic Courtès) writes:
> Kei Kebreau <kkebreau <at> posteo.net> skribis:
>
>> * gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
>> * gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Register them.
>
> LGTM, thank you!
>
> Ludo’.
Pushed to master as 2cc752c0b0ab801509574d601c1024b73aed0dab. Thanks for
reviewing!
[signature.asc (application/pgp-signature, inline)]
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Mon, 09 Oct 2017 11:24:05 GMT)
Full text and
rfc822 format available.
This bug report was last modified 7 years and 259 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.