[debbugs-tracker] bug#28397: closed ([PATCH] gnu: graphicsmagick: Fix CV

emacs-bug-tracker

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[debbugs-tracker] bug#28397: closed ([PATCH] gnu: graphicsmagick: Fix CV

From:	GNU bug Tracking System
Subject:	[debbugs-tracker] bug#28397: closed ([PATCH] gnu: graphicsmagick: Fix CVE-2017-14042.)
Date:	Sun, 10 Sep 2017 13:48:03 +0000

Your message dated Sun, 10 Sep 2017 09:46:33 -0400
with message-id <address@hidden>
and subject line Re: [bug#28397] [PATCH] gnu: graphicsmagick: Fix 
CVE-2017-14042.
has caused the debbugs.gnu.org bug report #28397,
regarding [PATCH] gnu: graphicsmagick: Fix CVE-2017-14042.
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
28397: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=28397
GNU Bug Tracking System
Contact address@hidden with problems

--- Begin Message --- Subject: [PATCH] gnu: graphicsmagick: Fix CVE-2017-14042. Date: Sat, 9 Sep 2017 09:43:08 -0400

* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
* gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/imagemagick.scm                       |  3 +-
 .../patches/graphicsmagick-CVE-2017-14042.patch    | 80 ++++++++++++++++++++++
 3 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 1ac9d5efe..c88b51378 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -678,6 +678,7 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/graphicsmagick-CVE-2017-12937.patch     \
   %D%/packages/patches/graphicsmagick-CVE-2017-13775.patch     \
   %D%/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch      
\
+  %D%/packages/patches/graphicsmagick-CVE-2017-14042.patch     \
   %D%/packages/patches/graphite2-ffloat-store.patch            \
   %D%/packages/patches/grep-gnulib-lock.patch                   \
   %D%/packages/patches/grep-timing-sensitive-test.patch                \
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 57ac7fda9..632be7034 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -182,7 +182,8 @@ script.")
                                "graphicsmagick-CVE-2017-12936.patch"
                                "graphicsmagick-CVE-2017-12937.patch"
                                "graphicsmagick-CVE-2017-13775.patch"
-                               
"graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"))))
+                               
"graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"
+                               "graphicsmagick-CVE-2017-14042.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch 
b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch
new file mode 100644
index 000000000..755e188c5
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch
@@ -0,0 +1,80 @@
+http://openwall.com/lists/oss-security/2017/08/28/5
+http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d
+
+some changes were made to make the patch apply
+
+# HG changeset patch
+# User Bob Friesenhahn <address@hidden>
+# Date 1503268616 18000
+# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072
+# Parent  83a5b946180835f260bcb91e3d06327a8e2577e3
+PNM: For binary formats, verify sufficient backing file data before memory 
request.
+
+diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c
+--- a/coders/pnm.c     Sun Aug 20 17:31:35 2017 -0500
++++ b/coders/pnm.c     Sun Aug 20 17:36:56 2017 -0500
+@@ -569,7 +569,7 @@
+           (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u",
+                                 image->colors);
+         }
+-      number_pixels=image->columns*image->rows;
++      number_pixels=MagickArraySize(image->columns,image->rows);
+       if (number_pixels == 0)
+         ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image);
+       if (image->storage_class == PseudoClass)
+@@ -858,14 +858,14 @@
+               if (1 == bits_per_sample)
+                 {
+                   /* PBM */
+-                  bytes_per_row=((image->columns+7) >> 3);
++                  bytes_per_row=((image->columns+7U) >> 3);
+                   import_options.grayscale_miniswhite=MagickTrue;
+                   quantum_type=GrayQuantum;
+                 }
+               else
+                 {
+                   /* PGM & XV_332 */
+-                  bytes_per_row=((bits_per_sample+7)/8)*image->columns;
++                  
bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns);
+                   if (XV_332_Format == format)
+                     {
+                       quantum_type=IndexQuantum;
+@@ -878,7 +878,8 @@
+             }
+           else
+             {
+-              
bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns;
++              
bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel),
++                                              image->columns);
+               if (3 == samples_per_pixel)
+                 {
+                   /* PPM */
+@@ -915,6 +916,28 @@
+                   is_monochrome=MagickFalse;
+                 }
+             }
++
++            /* Validate file size before allocating memory */
++            if (BlobIsSeekable(image))
++              {
++                const magick_off_t file_size = GetBlobSize(image);
++                const magick_off_t current_offset = TellBlob(image);
++                if ((file_size > 0) &&
++                    (current_offset > 0) &&
++                    (file_size > current_offset))
++                  {
++                    const magick_off_t remaining = file_size-current_offset;
++                    const magick_off_t needed = (magick_off_t) image->rows *
++                      (magick_off_t) bytes_per_row;
++                    if ((remaining < (magick_off_t) bytes_per_row) ||
++                        (remaining < needed))
++                      {
++                        
ThrowException(exception,CorruptImageError,UnexpectedEndOfFile,
++                                       image->filename);
++                        break;
++                      }
++                  }
++              }
+         
+             
scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1);
+             if (scanline_set == (ThreadViewDataSet *) NULL)
-- 
2.14.1

--- End Message ---

--- Begin Message --- Subject: Re: [bug#28397] [PATCH] gnu: graphicsmagick: Fix CVE-2017-14042. Date: Sun, 10 Sep 2017 09:46:33 -0400 User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
address@hidden (Ludovic Courtès) writes:

> Kei Kebreau <address@hidden> skribis:
>
>> * gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
>> * gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Register them.
>
> LGTM, thank you!
>
> Ludo’.

Pushed to master as 2cc752c0b0ab801509574d601c1024b73aed0dab. Thanks for
reviewing!
signature.asc
Description: PGP signature

--- End Message ---

[Prev in Thread]

Current Thread

[Next in Thread]

[debbugs-tracker] bug#28397: closed ([PATCH] gnu: graphicsmagick: Fix CVE-2017-14042.), GNU bug Tracking System <=

Prev by Date: [debbugs-tracker] bug#27593: closed (groff build is not reproducible)
Next by Date: [debbugs-tracker] bug#28200: closed ([PATCH] gnu: Add emacs-rspec.)
Previous by thread: [debbugs-tracker] bug#27593: closed (groff build is not reproducible)
Next by thread: [debbugs-tracker] bug#28200: closed ([PATCH] gnu: Add emacs-rspec.)
Index(es):
- Date
- Thread