GNU bug report logs -
#28397
[PATCH] gnu: graphicsmagick: Fix CVE-2017-14042.
Previous Next
Reported by: Kei Kebreau <kkebreau <at> posteo.net>
Date: Sat, 9 Sep 2017 13:44:02 UTC
Severity: normal
Tags: patch
Done: Kei Kebreau <kkebreau <at> posteo.net>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
Your message dated Sun, 10 Sep 2017 09:46:33 -0400
with message-id <87poayd5ty.fsf <at> posteo.net>
and subject line Re: [bug#28397] [PATCH] gnu: graphicsmagick: Fix CVE-2017-14042.
has caused the debbugs.gnu.org bug report #28397,
regarding [PATCH] gnu: graphicsmagick: Fix CVE-2017-14042.
to be marked as done.
(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)
--
28397: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=28397
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
* gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
---
gnu/local.mk | 1 +
gnu/packages/imagemagick.scm | 3 +-
.../patches/graphicsmagick-CVE-2017-14042.patch | 80 ++++++++++++++++++++++
3 files changed, 83 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 1ac9d5efe..c88b51378 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -678,6 +678,7 @@ dist_patch_DATA = \
%D%/packages/patches/graphicsmagick-CVE-2017-12937.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-13775.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch \
+ %D%/packages/patches/graphicsmagick-CVE-2017-14042.patch \
%D%/packages/patches/graphite2-ffloat-store.patch \
%D%/packages/patches/grep-gnulib-lock.patch \
%D%/packages/patches/grep-timing-sensitive-test.patch \
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 57ac7fda9..632be7034 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -182,7 +182,8 @@ script.")
"graphicsmagick-CVE-2017-12936.patch"
"graphicsmagick-CVE-2017-12937.patch"
"graphicsmagick-CVE-2017-13775.patch"
- "graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"))))
+ "graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"
+ "graphicsmagick-CVE-2017-14042.patch"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch
new file mode 100644
index 000000000..755e188c5
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch
@@ -0,0 +1,80 @@
+http://openwall.com/lists/oss-security/2017/08/28/5
+http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d
+
+some changes were made to make the patch apply
+
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen <at> GraphicsMagick.org>
+# Date 1503268616 18000
+# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072
+# Parent 83a5b946180835f260bcb91e3d06327a8e2577e3
+PNM: For binary formats, verify sufficient backing file data before memory request.
+
+diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c
+--- a/coders/pnm.c Sun Aug 20 17:31:35 2017 -0500
++++ b/coders/pnm.c Sun Aug 20 17:36:56 2017 -0500
+@@ -569,7 +569,7 @@
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u",
+ image->colors);
+ }
+- number_pixels=image->columns*image->rows;
++ number_pixels=MagickArraySize(image->columns,image->rows);
+ if (number_pixels == 0)
+ ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image);
+ if (image->storage_class == PseudoClass)
+@@ -858,14 +858,14 @@
+ if (1 == bits_per_sample)
+ {
+ /* PBM */
+- bytes_per_row=((image->columns+7) >> 3);
++ bytes_per_row=((image->columns+7U) >> 3);
+ import_options.grayscale_miniswhite=MagickTrue;
+ quantum_type=GrayQuantum;
+ }
+ else
+ {
+ /* PGM & XV_332 */
+- bytes_per_row=((bits_per_sample+7)/8)*image->columns;
++ bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns);
+ if (XV_332_Format == format)
+ {
+ quantum_type=IndexQuantum;
+@@ -878,7 +878,8 @@
+ }
+ else
+ {
+- bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns;
++ bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel),
++ image->columns);
+ if (3 == samples_per_pixel)
+ {
+ /* PPM */
+@@ -915,6 +916,28 @@
+ is_monochrome=MagickFalse;
+ }
+ }
++
++ /* Validate file size before allocating memory */
++ if (BlobIsSeekable(image))
++ {
++ const magick_off_t file_size = GetBlobSize(image);
++ const magick_off_t current_offset = TellBlob(image);
++ if ((file_size > 0) &&
++ (current_offset > 0) &&
++ (file_size > current_offset))
++ {
++ const magick_off_t remaining = file_size-current_offset;
++ const magick_off_t needed = (magick_off_t) image->rows *
++ (magick_off_t) bytes_per_row;
++ if ((remaining < (magick_off_t) bytes_per_row) ||
++ (remaining < needed))
++ {
++ ThrowException(exception,CorruptImageError,UnexpectedEndOfFile,
++ image->filename);
++ break;
++ }
++ }
++ }
+
+ scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1);
+ if (scanline_set == (ThreadViewDataSet *) NULL)
--
2.14.1
[Message part 3 (message/rfc822, inline)]
[Message part 4 (text/plain, inline)]
ludo <at> gnu.org (Ludovic Courtès) writes:
> Kei Kebreau <kkebreau <at> posteo.net> skribis:
>
>> * gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
>> * gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Register them.
>
> LGTM, thank you!
>
> Ludo’.
Pushed to master as 2cc752c0b0ab801509574d601c1024b73aed0dab. Thanks for
reviewing!
[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 7 years and 259 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.