guix-patches
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#28397] [PATCH] gnu: graphicsmagick: Fix CVE-2017-14042.

From: Kei Kebreau
Subject: [bug#28397] [PATCH] gnu: graphicsmagick: Fix CVE-2017-14042.
Date: Sat, 9 Sep 2017 09:43:08 -0400 
* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
* gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/imagemagick.scm                       |  3 +-
 .../patches/graphicsmagick-CVE-2017-14042.patch    | 80 ++++++++++++++++++++++
 3 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 1ac9d5efe..c88b51378 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -678,6 +678,7 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/graphicsmagick-CVE-2017-12937.patch     \
   %D%/packages/patches/graphicsmagick-CVE-2017-13775.patch     \
   %D%/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch      
\
+  %D%/packages/patches/graphicsmagick-CVE-2017-14042.patch     \
   %D%/packages/patches/graphite2-ffloat-store.patch            \
   %D%/packages/patches/grep-gnulib-lock.patch                   \
   %D%/packages/patches/grep-timing-sensitive-test.patch                \
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 57ac7fda9..632be7034 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -182,7 +182,8 @@ script.")
                                "graphicsmagick-CVE-2017-12936.patch"
                                "graphicsmagick-CVE-2017-12937.patch"
                                "graphicsmagick-CVE-2017-13775.patch"
-                               
"graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"))))
+                               
"graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"
+                               "graphicsmagick-CVE-2017-14042.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch 
b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch
new file mode 100644
index 000000000..755e188c5
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch
@@ -0,0 +1,80 @@
+http://openwall.com/lists/oss-security/2017/08/28/5
+http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d
+
+some changes were made to make the patch apply
+
+# HG changeset patch
+# User Bob Friesenhahn <address@hidden>
+# Date 1503268616 18000
+# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072
+# Parent  83a5b946180835f260bcb91e3d06327a8e2577e3
+PNM: For binary formats, verify sufficient backing file data before memory 
request.
+
+diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c
+--- a/coders/pnm.c     Sun Aug 20 17:31:35 2017 -0500
++++ b/coders/pnm.c     Sun Aug 20 17:36:56 2017 -0500
+@@ -569,7 +569,7 @@
+           (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u",
+                                 image->colors);
+         }
+-      number_pixels=image->columns*image->rows;
++      number_pixels=MagickArraySize(image->columns,image->rows);
+       if (number_pixels == 0)
+         ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image);
+       if (image->storage_class == PseudoClass)
+@@ -858,14 +858,14 @@
+               if (1 == bits_per_sample)
+                 {
+                   /* PBM */
+-                  bytes_per_row=((image->columns+7) >> 3);
++                  bytes_per_row=((image->columns+7U) >> 3);
+                   import_options.grayscale_miniswhite=MagickTrue;
+                   quantum_type=GrayQuantum;
+                 }
+               else
+                 {
+                   /* PGM & XV_332 */
+-                  bytes_per_row=((bits_per_sample+7)/8)*image->columns;
++                  
bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns);
+                   if (XV_332_Format == format)
+                     {
+                       quantum_type=IndexQuantum;
+@@ -878,7 +878,8 @@
+             }
+           else
+             {
+-              
bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns;
++              
bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel),
++                                              image->columns);
+               if (3 == samples_per_pixel)
+                 {
+                   /* PPM */
+@@ -915,6 +916,28 @@
+                   is_monochrome=MagickFalse;
+                 }
+             }
++
++            /* Validate file size before allocating memory */
++            if (BlobIsSeekable(image))
++              {
++                const magick_off_t file_size = GetBlobSize(image);
++                const magick_off_t current_offset = TellBlob(image);
++                if ((file_size > 0) &&
++                    (current_offset > 0) &&
++                    (file_size > current_offset))
++                  {
++                    const magick_off_t remaining = file_size-current_offset;
++                    const magick_off_t needed = (magick_off_t) image->rows *
++                      (magick_off_t) bytes_per_row;
++                    if ((remaining < (magick_off_t) bytes_per_row) ||
++                        (remaining < needed))
++                      {
++                        
ThrowException(exception,CorruptImageError,UnexpectedEndOfFile,
++                                       image->filename);
++                        break;
++                      }
++                  }
++              }
+         
+             
scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1);
+             if (scanline_set == (ThreadViewDataSet *) NULL)
-- 
2.14.1
reply via email to
[Prev in Thread] Current Thread [Next in Thread]