[PATCH] gnu: graphicsmagick: Fix CVE-2017-{11403,14103}.

  • Done
Details
2 participants
  • Kei Kebreau
  • Ludovic Courtès
Owner
unassigned
Submitted by
Kei Kebreau
Severity
normal

Kei Kebreau wrote 8 years ago
To: guix-patches@gnu.org, Kei Kebreau <kkebreau@posteo.net>
20170910162144.32609-1-kkebreau@posteo.net
* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
* gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Register it.
---
gnu/local.mk | 1 +
gnu/packages/imagemagick.scm | 3 +-
...phicsmagick-CVE-2017-11403+CVE-2017-14103.patch | 137 +++++++++++++++++++++
3 files changed, 140 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 64b1b1c14..53fae7873 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -675,6 +675,7 @@ dist_patch_DATA = \
%D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
%D%/packages/patches/gobject-introspection-cc.patch \
%D%/packages/patches/gobject-introspection-girepository.patch \
+ %D%/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-12935.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-12936.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-12937.patch \
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 632be7034..3b4fc4ac6 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -178,7 +178,8 @@ script.")
(base32
"122zgs96dqrys62mnh8x5yvfff6km4d3yrnvaxzg3mg5sprib87v"))
(patches
- (search-patches "graphicsmagick-CVE-2017-12935.patch"
+ (search-patches "graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch"
+ "graphicsmagick-CVE-2017-12935.patch"
"graphicsmagick-CVE-2017-12936.patch"
"graphicsmagick-CVE-2017-12937.patch"
"graphicsmagick-CVE-2017-13775.patch"
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch
new file mode 100644
index 000000000..dbcaea134
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch
@@ -0,0 +1,137 @@
+http://www.openwall.com/lists/oss-security/2017/09/01/6
+
+CVE-2017-11403:
+http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37
+
+CVE-2017-14103:
+http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f
+
+some changes were made to make the patch apply
+
+# HG changeset patch
+# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
+# Date 1503875721 14400
+# Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2
+# Parent f0f2ea85a2930f3b6dcd72352719adb9660f2aad
+Attempt to fix Issue 440.
+
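Review bot: the preamble cites two upstream revisions but only one changeset header follows (98721124e51f, "Attempt to fix Issue 440"), so a reader cannot tell which hunks were taken from d0a76868ca37 for CVE-2017-11403 and which ones "some changes were made to make the patch apply" refers to. List the hunks that differ from upstream (the re-diffed copy shows in the 1969-12-31 timestamp on the `---` header below) so that whoever rebases this onto the next GraphicsMagick release knows what to drop.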
+diff -ru a/coders/png.c b/coders/png.c
+--- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500
++++ b/coders/png.c 2017-09-10 11:31:56.543194173 -0400
+@@ -3106,7 +3106,9 @@
+ if (length > PNG_MAX_UINT || count == 0)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(CorruptImageError,CorruptImage,image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "chunk length (%lu) > PNG_MAX_UINT",length);
++ return ((Image*)NULL);
+ }
+
+ chunk=(unsigned char *) NULL;
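Review bot: the new log message does not match the condition it sits under: the branch is entered for `length > PNG_MAX_UINT || count == 0`, so a zero `count` is reported as "chunk length (%lu) > PNG_MAX_UINT". Also `%lu` assumes `length` is an unsigned long; cast it, `(unsigned long) length`, so the format does not depend on the platform ABI, and consider guarding the call with `if (logging)` like the other LogMagickEvent calls kept as context further down in this file.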
+@@ -3117,13 +3119,16 @@
+ if (chunk == (unsigned char *) NULL)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+- image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " Could not allocate chunk memory");
++ return ((Image*)NULL);
+ }
+ if (ReadBlob(image,length,chunk) < length)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(CorruptImageError,CorruptImage,image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " chunk reading was incomplete");
++ return ((Image*)NULL);
+ }
+ p=chunk;
+ }
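Review bot: the short-read branch leaks `chunk`. The buffer survives the NULL check just above, then `ReadBlob(image,length,chunk) < length` calls DestroyJNGInfo and returns NULL without `MagickFreeMemory(chunk)`; the ImproperImageHeader path in the next hunk frees it before returning, so do the same here. This is a plausible source of the leak AddressSanitizer still reports in the follow-up message.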
+@@ -3198,7 +3203,7 @@
+ jng_width, jng_height);
+ MagickFreeMemory(chunk);
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
++ return ((Image *)NULL);
+ }
+
+ /* Temporarily set width and height resources to match JHDR */
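Review bot: each of these conversions from ThrowReaderException to `return ((Image *)NULL)` drops the exception the macro used to record, so the caller now gets NULL with no CorruptImageError, ImproperImageHeader or ResourceLimitError attached, and only the coder log (when enabled) says why. If the intent is merely to stop destroying `image` because the caller owns it, keep reporting the error through the reader's exception parameter before the return rather than losing the error category entirely.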
+@@ -3233,8 +3238,9 @@
+ if (color_image == (Image *) NULL)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+- image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not open color_image blob");
++ return ((Image *)NULL);
+ }
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
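Review bot: the message " could not open color_image blob" is the wrong one for this branch: the test is `color_image == (Image *) NULL`, i.e. the allocation failed, and the identical string is reused in the next hunk for the real OpenBlob failure, so the two cases become indistinguishable in the log. Use " could not allocate color_image" here.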
+@@ -3245,7 +3251,9 @@
+ if (status == MagickFalse)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(CoderError,UnableToOpenBlob,color_image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not open color_image blob");
++ return ((Image *)NULL);
+ }
+
+ if (!image_info->ping && jng_color_type >= 12)
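Review bot: `color_image` is leaked on this path. The replaced `ThrowReaderException(CoderError,UnableToOpenBlob,color_image)` took color_image as its image argument and released it; the new code returns NULL with color_image still allocated, and DestroyJNGInfo only covers the two ImageInfo structures it is handed. Add `DestroyImage(color_image);` before the return.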
+@@ -3255,17 +3263,18 @@
+ if (alpha_image_info == (ImageInfo *) NULL)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(ResourceLimitError,
+- MemoryAllocationFailed, image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate alpha_image_info",length);
++ return ((Image *)NULL);
+ }
+ GetImageInfo(alpha_image_info);
+ alpha_image=AllocateImage(alpha_image_info);
+ if (alpha_image == (Image *) NULL)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- ThrowReaderException(ResourceLimitError,
+- MemoryAllocationFailed,
+- alpha_image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate alpha_image");
++ return ((Image *)NULL);
+ }
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
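Review bot: the LogMagickEvent call in the `alpha_image_info == NULL` branch passes a stray `length` argument that has no conversion specifier in " could not allocate alpha_image_info"; it is harmless at runtime but trips -Wformat-extra-args and looks copied from the first hunk, so drop it. Both error returns in this hunk also leave `color_image` allocated, the same leak as on the OpenBlob failure above.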
+@@ -3277,7 +3286,9 @@
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+ DestroyImage(alpha_image);
+- ThrowReaderException(CoderError,UnableToOpenBlob,image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate alpha_image blob");
++ return ((Image *)NULL);
+ }
+ if (jng_alpha_compression_method == 0)
+ {
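Review bot: the message " could not allocate alpha_image blob" describes the wrong failure: the replaced error was UnableToOpenBlob, and alpha_image has already been allocated (it is destroyed on the line just above the log call). Say " could not open alpha_image blob", and note that `color_image` is still not destroyed on this return either.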
+@@ -3613,6 +3624,8 @@
+ alpha_image = (Image *)NULL;
+ DestroyImageInfo(alpha_image_info);
+ alpha_image_info = (ImageInfo *)NULL;
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " Destroy the JNG image");
+ DestroyImage(jng_image);
+ jng_image = (Image *)NULL;
+ }
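Review bot: the added " Destroy the JNG image" line is logged unconditionally, whereas the other diagnostic logging visible in this file is wrapped in `if (logging)`; guard it the same way or drop it, since it reports normal cleanup rather than an error.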
+@@ -5146,8 +5159,8 @@
+
+ if (image == (Image *) NULL)
+ {
+- DestroyImageList(previous);
+ CloseBlob(previous);
++ DestroyImageList(previous);
+ MngInfoFreeStruct(mng_info,&have_mng_structure);
+ return((Image *) NULL);
+ }
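Review bot: this swap deserves a sentence in the commit message as the use-after-free fix: with `DestroyImageList(previous)` before `CloseBlob(previous)`, CloseBlob operated on an Image that had just been freed; closing the blob first is the correct order. It is also the only hunk that changes caller-side cleanup rather than a JNG error return, so it should be identifiable separately from the Issue 440 changeset when the patch is rebased.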
--
2.14.1
Kei Kebreau wrote 8 years ago
To: 28406@debbugs.gnu.org
87lglmcygi.fsf_-_@posteo.net
It should be noted that AddressSanitizer still reports a memory leak
with these fixes, even though the use-after-free problem seems to be
solved.

Thanks in advance,
Kei

Ludovic Courtès wrote 7 years ago
Re: [bug#28406] [PATCH] gnu: graphicsmagick: Fix CVE-2017-{11403, 14103}.
To: Kei Kebreau <kkebreau@posteo.net>, 28406@debbugs.gnu.org
87poata4fd.fsf@gnu.org
Hi Kei,

Kei Kebreau <kkebreau@posteo.net> skribis:

> * gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
> * gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Register it.

I think you can go ahead.

Thanks for taking care of it!

Ludo’.
Kei Kebreau wrote 7 years ago
To: Ludovic Courtès <ludo@gnu.org>, 28406-done@debbugs.gnu.org
87377pcsck.fsf@posteo.net
ludo@gnu.org (Ludovic Courtès) writes:

> Hi Kei,
>
> Kei Kebreau <kkebreau@posteo.net> skribis:
>
>> * gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
>> * gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch:
>> New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>
> I think you can go ahead.
>
> Thanks for taking care of it!
>
> Ludo’.

Pushed to master as db7f7eb8ca670ee5d76e3bad3ada29e87e3f6a10.

Closed