From e184d4429a00b65ff237864cce04d1061accdbbc Mon Sep 17 00:00:00 2001
From: Kei Kebreau
Date: Sat, 19 Aug 2017 11:39:33 -0400
Subject: [PATCH] gnu: graphicsmagick: Fix CVE-2017-{12935,12936,12937}.

* gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch, gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch, gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Use them.
---
 gnu/local.mk | 3 +++
 gnu/packages/imagemagick.scm | 6 ++++-
 .../patches/graphicsmagick-CVE-2017-12935.patch | 28 ++++++++++++++++++++++
 .../patches/graphicsmagick-CVE-2017-12936.patch | 16 +++++++++++++
 .../patches/graphicsmagick-CVE-2017-12937.patch | 28 ++++++++++++++++++++++
 5 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch
 create mode 100644 gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch
 create mode 100644 gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 2d49b1e97..1c6158cbf 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -679,6 +679,9 @@ dist_patch_DATA = \
 %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
 %D%/packages/patches/gobject-introspection-cc.patch \
 %D%/packages/patches/gobject-introspection-girepository.patch \
+ %D%/packages/patches/graphicsmagick-CVE-2017-12935.patch \
+ %D%/packages/patches/graphicsmagick-CVE-2017-12936.patch \
+ %D%/packages/patches/graphicsmagick-CVE-2017-12937.patch \
 %D%/packages/patches/graphite2-ffloat-store.patch \
 %D%/packages/patches/grep-timing-sensitive-test.patch \
 %D%/packages/patches/gsl-test-i686.patch \
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 8e1730754..3bd705fa2 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -175,7 +175,11 @@ script.")
 "/GraphicsMagick-" version ".tar.xz")))
 (sha256
 (base32
- "122zgs96dqrys62mnh8x5yvfff6km4d3yrnvaxzg3mg5sprib87v"))))
+ "122zgs96dqrys62mnh8x5yvfff6km4d3yrnvaxzg3mg5sprib87v"))
+ (patches
+ (search-patches "graphicsmagick-CVE-2017-12935.patch"
+ "graphicsmagick-CVE-2017-12936.patch"
+ "graphicsmagick-CVE-2017-12937.patch"))))
 (build-system gnu-build-system)
 (arguments
 `(#:configure-flags
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch
new file mode 100644
index 000000000..2cb3d46f6
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch
@@ -0,0 +1,28 @@
+This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/cd699a44f188.
+
+diff -ur a/coders/png.c b/coders/png.c
+--- a/coders/png.c 2017-07-04 17:32:08.000000000 -0400
++++ b/coders/png.c 2017-08-19 11:16:20.933969362 -0400
+@@ -4101,11 +4101,17 @@
+ mng_info->image=image;
+ }
+
+- if ((mng_info->mng_width > 65535L) || (mng_info->mng_height
+- > 65535L))
+- (void) ThrowException(&image->exception,ImageError,
+- WidthOrHeightExceedsLimit,
+- image->filename);
++ if ((mng_info->mng_width > 65535L) ||
++ (mng_info->mng_height > 65535L))
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " MNG width or height is too large: %lu, %lu",
++ mng_info->mng_width,mng_info->mng_height);
++ MagickFreeMemory(chunk);
++ ThrowReaderException(CorruptImageError,
++ ImproperImageHeader,image);
++ }
++
+ FormatString(page_geometry,"%lux%lu+0+0",mng_info->mng_width,
+ mng_info->mng_height);
+ mng_info->frame.left=0;
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch
new file mode 100644
index 000000000..7036f3743
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch
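Review bot: The header of graphicsmagick-CVE-2017-12935.patch is only `This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/cd699a44f188.`, so the file itself never says which flaw it closes; the same holds for the 12936 and 12937 patch files added in this commit. Someone auditing the package later has to go from the file name to the advisory to learn that this one stops recording `WidthOrHeightExceedsLimit` and carrying on, and instead frees `chunk` and raises `ThrowReaderException` when the MNG width or height is above 65535. I would put one line above the provenance URL in each file, for example `Fix CVE-2017-12935: reject MNG images whose width or height exceeds 65535.`, and keep the upstream revision link below it. The png.c block being patched starts and ends outside the inner hunk, so whether `ThrowReaderException` releases everything else the reader holds at that point cannot be confirmed from here.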
@@ -0,0 +1,16 @@
+This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/be898b7c97bd.
+
+diff -ur a/coders/wmf.c b/coders/wmf.c
+--- a/coders/wmf.c 2016-09-05 15:20:23.000000000 -0400
++++ b/coders/wmf.c 2017-08-19 10:38:08.984187264 -0400
+@@ -2719,8 +2719,8 @@
+ if(image->exception.severity != UndefinedException)
+ ThrowException2(exception,
+ CoderWarning,
+- ddata->image->exception.reason,
+- ddata->image->exception.description);
++ image->exception.reason,
++ image->exception.description);
+
+ if(logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),"leave ReadWMFImage()");
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch
new file mode 100644
index 000000000..71af9ffe5
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch
@@ -0,0 +1,28 @@
+This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/95d00d55e978.
+
+diff -ur a/coders/sun.c b/coders/sun.c
+--- a/coders/sun.c 2016-05-30 13:19:54.000000000 -0400
++++ b/coders/sun.c 2017-08-18 18:00:00.191023610 -0400
+@@ -1,5 +1,5 @@
+ /*
+-% Copyright (C) 2003-2015 GraphicsMagick Group
++% Copyright (C) 2003-2017 GraphicsMagick Group
+ % Copyright (C) 2002 ImageMagick Studio
+ % Copyright 1991-1999 E. I. du Pont de Nemours and Company
+ %
+@@ -577,6 +577,7 @@
+ for (bit=7; bit >= 0; bit--)
+ {
+ index=((*p) & (0x01 << bit) ? 0x01 : 0x00);
++ VerifyColormapIndex(image,index);
+ indexes[x+7-bit]=index;
+ q[x+7-bit]=image->colormap[index];
+ }
+@@ -587,6 +588,7 @@
+ for (bit=7; bit >= (long) (8-(image->columns % 8)); bit--)
+ {
+ index=((*p) & (0x01 << bit) ? 0x01 : 0x00);
++ VerifyColormapIndex(image,index);
+ indexes[x+7-bit]=index;
+ q[x+7-bit]=image->colormap[index];
+ }
--
2.13.4
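Review bot: The 12937 patch file carries an inner hunk `@@ -1,5 +1,5 @@` that only changes the copyright year in coders/sun.c from 2003-2015 to 2003-2017, which is unrelated to the colormap fix and gives the patch one more place to stop applying cleanly. I would drop that hunk and keep only `@@ -577,6 +577,7 @@` and `@@ -587,6 +588,7 @@`, the two places where `VerifyColormapIndex(image,index);` is inserted before `image->colormap[index]` is read. Both are bit-unpacking loops whose enclosing function starts and ends outside the hunks, so it is worth confirming against the full sun.c that the other paths indexing `image->colormap` already verify the index.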