From 224bb4b6f9fa7c14fbbaac682ec0b5d1a48c616d Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Sun, 10 Sep 2017 21:40:17 +0300 Subject: gnu: graphicsmagick: Fix CVE-2017-14165. * gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch. * gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/packages/imagemagick.scm | 3 +- .../patches/graphicsmagick-CVE-2017-14165.patch | 72 ++++++++++++++++++++++ 2 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch (limited to 'gnu/packages') diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm index 632be70349..502dc43acf 100644 --- a/gnu/packages/imagemagick.scm +++ b/gnu/packages/imagemagick.scm @@ -183,7 +183,8 @@ script.") "graphicsmagick-CVE-2017-12937.patch" "graphicsmagick-CVE-2017-13775.patch" "graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch" - "graphicsmagick-CVE-2017-14042.patch")))) + "graphicsmagick-CVE-2017-14042.patch" + "graphicsmagick-CVE-2017-14165.patch")))) (build-system gnu-build-system) (arguments `(#:configure-flags diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch new file mode 100644 index 0000000000..1f55d90d38 --- /dev/null +++ b/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch @@ -0,0 +1,72 @@ +http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/493da54370aa +http://openwall.com/lists/oss-security/2017/09/06/4 + +some changes were made to make the patch apply + +# HG changeset patch +# User Bob Friesenhahn +# Date 1503257388 18000 +# Node ID 493da54370aa42cb430c52a69eb75db0001a5589 +# Parent f8724674907902b7bc37c04f252fe30fbdd88e6f +SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions. + +diff -r f87246749079 -r 493da54370aa coders/sun.c +--- a/coders/sun.c Sun Aug 20 12:21:03 2017 +0200 ++++ b/coders/sun.c Sun Aug 20 14:29:48 2017 -0500 +@@ -498,6 +498,12 @@ + if (sun_info.depth < 8) + image->depth=sun_info.depth; + ++ if (image_info->ping) ++ { ++ CloseBlob(image); ++ return(image); ++ } ++ + /* + Compute bytes per line and bytes per image for an unencoded + image. +@@ -522,15 +528,37 @@ + if (bytes_per_image > sun_info.length) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); + +- if (image_info->ping) +- { +- CloseBlob(image); +- return(image); +- } + if (sun_info.type == RT_ENCODED) + sun_data_length=(size_t) sun_info.length; + else + sun_data_length=bytes_per_image; ++ ++ /* ++ Verify that data length claimed by header is supported by file size ++ */ ++ if (sun_info.type == RT_ENCODED) ++ { ++ if (sun_data_length < bytes_per_image/255U) ++ { ++ ThrowReaderException(CorruptImageError,ImproperImageHeader,image); ++ } ++ } ++ if (BlobIsSeekable(image)) ++ { ++ const magick_off_t file_size = GetBlobSize(image); ++ const magick_off_t current_offset = TellBlob(image); ++ if ((file_size > 0) && ++ (current_offset > 0) && ++ (file_size > current_offset)) ++ { ++ const magick_off_t remaining = file_size-current_offset; ++ if (remaining < (magick_off_t) sun_data_length) ++ { ++ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); ++ } ++ } ++ } ++ + sun_data=MagickAllocateMemory(unsigned char *,sun_data_length); + if (sun_data == (unsigned char *) NULL) + ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image); + -- cgit v1.2.3