[PATCH] gnu: graphicsmagick: Fix CVE-2017-14042.

Status: Done
Participants: Kei Kebreau, Ludovic Courtès
Owner: unassigned
Submitted by: Kei Kebreau
Severity: normal

Kei Kebreau wrote 8 years ago
Recipients: guix-patches@gnu.org; Kei Kebreau <kkebreau@posteo.net>
Message-ID: 20170909134308.29996-1-kkebreau@posteo.net
* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
* gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
---
gnu/local.mk | 1 +
gnu/packages/imagemagick.scm | 3 +-
.../patches/graphicsmagick-CVE-2017-14042.patch | 80 ++++++++++++++++++++++
3 files changed, 83 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 1ac9d5efe..c88b51378 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -678,6 +678,7 @@ dist_patch_DATA = \
%D%/packages/patches/graphicsmagick-CVE-2017-12937.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-13775.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch \
+ %D%/packages/patches/graphicsmagick-CVE-2017-14042.patch \
%D%/packages/patches/graphite2-ffloat-store.patch \
%D%/packages/patches/grep-gnulib-lock.patch \
%D%/packages/patches/grep-timing-sensitive-test.patch \
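Review bot: the commit message says "New files" and "Register them", but this hunk registers exactly one file, graphicsmagick-CVE-2017-14042.patch, so the message should read "New file" and "Register it". The entry itself is placed correctly, between the CVE-2017-13776+CVE-2017-13777 patch and graphite2-ffloat-store.patch, keeping dist_patch_DATA sorted.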
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 57ac7fda9..632be7034 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -182,7 +182,8 @@ script.")
"graphicsmagick-CVE-2017-12936.patch"
"graphicsmagick-CVE-2017-12937.patch"
"graphicsmagick-CVE-2017-13775.patch"
- "graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"))))
+ "graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"
+ "graphicsmagick-CVE-2017-14042.patch"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch
new file mode 100644
index 000000000..755e188c5
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch
@@ -0,0 +1,80 @@
+http://openwall.com/lists/oss-security/2017/08/28/5
+http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d
+
+some changes were made to make the patch apply
+
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1503268616 18000
+# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072
+# Parent 83a5b946180835f260bcb91e3d06327a8e2577e3
+PNM: For binary formats, verify sufficient backing file data before memory request.
+
+diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c
+--- a/coders/pnm.c Sun Aug 20 17:31:35 2017 -0500
++++ b/coders/pnm.c Sun Aug 20 17:36:56 2017 -0500
+@@ -569,7 +569,7 @@
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u",
+ image->colors);
+ }
+- number_pixels=image->columns*image->rows;
++ number_pixels=MagickArraySize(image->columns,image->rows);
+ if (number_pixels == 0)
+ ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image);
+ if (image->storage_class == PseudoClass)
+@@ -858,14 +858,14 @@
+ if (1 == bits_per_sample)
+ {
+ /* PBM */
+- bytes_per_row=((image->columns+7) >> 3);
++ bytes_per_row=((image->columns+7U) >> 3);
+ import_options.grayscale_miniswhite=MagickTrue;
+ quantum_type=GrayQuantum;
+ }
+ else
+ {
+ /* PGM & XV_332 */
+- bytes_per_row=((bits_per_sample+7)/8)*image->columns;
++ bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns);
+ if (XV_332_Format == format)
+ {
+ quantum_type=IndexQuantum;
+@@ -878,7 +878,8 @@
+ }
+ else
+ {
+- bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns;
++ bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel),
++ image->columns);
+ if (3 == samples_per_pixel)
+ {
+ /* PPM */
+@@ -915,6 +916,28 @@
+ is_monochrome=MagickFalse;
+ }
+ }
++
++ /* Validate file size before allocating memory */
++ if (BlobIsSeekable(image))
++ {
++ const magick_off_t file_size = GetBlobSize(image);
++ const magick_off_t current_offset = TellBlob(image);
++ if ((file_size > 0) &&
++ (current_offset > 0) &&
++ (file_size > current_offset))
++ {
++ const magick_off_t remaining = file_size-current_offset;
++ const magick_off_t needed = (magick_off_t) image->rows *
++ (magick_off_t) bytes_per_row;
++ if ((remaining < (magick_off_t) bytes_per_row) ||
++ (remaining < needed))
++ {
++ ThrowException(exception,CorruptImageError,UnexpectedEndOfFile,
++ image->filename);
++ break;
++ }
++ }
++ }
+
+ scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1);
+ if (scanline_set == (ThreadViewDataSet *) NULL)
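Review bot: the header line "some changes were made to make the patch apply" should state which hunks differ from upstream rev 3bbf7a13643d (the oss-security and hg links above are the provenance), otherwise the next person rebasing this patch cannot separate local adjustments from upstream content. On the logic side, the new file-size validation is only reached when BlobIsSeekable(image) is true and current_offset > 0, so a PNM image read from a pipe or other non-seekable blob still falls through to AllocateThreadViewDataArray with an unchecked bytes_per_row; that limitation deserves a sentence in the patch header. Also, the first hunk follows MagickArraySize with an explicit `if (number_pixels == 0)` rejection, but the bytes_per_row hunks add no equivalent check: if MagickArraySize reports overflow by returning 0, a zero bytes_per_row makes needed zero, both `remaining <` comparisons false, and the allocation proceeds with a zero-length row. Consider mirroring the number_pixels check for bytes_per_row. Minor: the samples_per_pixel hunk keeps `(bits_per_sample+7)/8` without the `U` suffix that the PBM and PGM hunks switched to; that is upstream's inconsistency, but worth knowing if the patch is edited locally.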
--
2.14.1
Ludovic Courtès wrote 8 years ago
Recipients: Kei Kebreau <kkebreau@posteo.net>; 28397@debbugs.gnu.org
Message-ID: 87377u7kcx.fsf@gnu.org
Kei Kebreau <kkebreau@posteo.net> writes:

> * gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
> * gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Register them.

LGTM, thank you!

Ludo’.
Kei Kebreau wrote 8 years ago
Recipients: Ludovic Courtès <ludo@gnu.org>; 28397-done@debbugs.gnu.org
Message-ID: 87poayd5ty.fsf@posteo.net
ludo@gnu.org (Ludovic Courtès) writes:

> Kei Kebreau <kkebreau@posteo.net> writes:
>
>> * gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
>> * gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Register them.
>
> LGTM, thank you!
>
> Ludo’.

Pushed to master as 2cc752c0b0ab801509574d601c1024b73aed0dab. Thanks for
reviewing!
