summary refs log tree commit diff
diff options
context:
space:
mode:
authorKei Kebreau <kkebreau@posteo.net>2017-09-30 09:11:43 -0400
committerKei Kebreau <kkebreau@posteo.net>2017-10-03 11:56:24 -0400
commit4d6801b735550ee804454a6d4f0d44c3372e0ae9 (patch)
tree0bb08be51d0d457c8ecfca12743865c66cc18d0e
parent3d7a15963e9c7a96c4aad720f2c1b5a6b63be4d0 (diff)
downloadguix-4d6801b735550ee804454a6d4f0d44c3372e0ae9.tar.gz
gnu: graphicsmagick: Fix CVE-2017-14649.
* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
* gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Register it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/imagemagick.scm3
-rw-r--r--gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch210
3 files changed, 213 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 6d14f2a47c..88d24fab27 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -691,6 +691,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch	\
   %D%/packages/patches/graphicsmagick-CVE-2017-14042.patch	\
   %D%/packages/patches/graphicsmagick-CVE-2017-14165.patch	\
+  %D%/packages/patches/graphicsmagick-CVE-2017-14649.patch	\
   %D%/packages/patches/graphite2-ffloat-store.patch		\
   %D%/packages/patches/grep-gnulib-lock.patch                   \
   %D%/packages/patches/grep-timing-sensitive-test.patch		\
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 7599f87311..b22799eea2 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -185,7 +185,8 @@ script.")
                                "graphicsmagick-CVE-2017-13775.patch"
                                "graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"
                                "graphicsmagick-CVE-2017-14042.patch"
-                               "graphicsmagick-CVE-2017-14165.patch"))))
+                               "graphicsmagick-CVE-2017-14165.patch"
+                               "graphicsmagick-CVE-2017-14649.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch
new file mode 100644
index 0000000000..8e1166ba7a
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch
@@ -0,0 +1,210 @@
+http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a
+http://www.openwall.com/lists/oss-security/2017/09/22/2
+
+Some changes were made to make the patch apply.
+
+Notably, the DestroyJNG() function in the upstream diff has been replaced by
+its equivalent, a series of calls to MagickFreeMemory(), DestroyImageInfo(),
+and DestroyImage(). See
+http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5.
+
+# HG changeset patch
+# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
+# Date 1504014487 14400
+# Node ID 358608a46f0a9c55e9bb8b37d09bf1ac9bc87f06
+# Parent  38c362f0ae5e7a914c3fe822284c6953f8e6eee2
+Fix Issue 439
+
+diff -ru a/coders/png.c b/coders/png.c
+--- a/coders/png.c	1969-12-31 19:00:00.000000000 -0500
++++ b/coders/png.c	2017-09-30 08:20:16.218944991 -0400
+@@ -1176,15 +1176,15 @@
+   /* allocate space */
+   if (length == 0)
+     {
+-      (void) ThrowException2(&image->exception,CoderWarning,
+-                             "invalid profile length",(char *) NULL);
++      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++          "invalid profile length");
+       return (MagickFail);
+     }
+   info=MagickAllocateMemory(unsigned char *,length);
+   if (info == (unsigned char *) NULL)
+     {
+-      (void) ThrowException2(&image->exception,CoderWarning,
+-                             "unable to copy profile",(char *) NULL);
++      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++          "Unable to copy profile");
+       return (MagickFail);
+     }
+   /* copy profile, skipping white space and column 1 "=" signs */
+@@ -1197,8 +1197,8 @@
+           if (*sp == '\0')
+             {
+               MagickFreeMemory(info);
+-              (void) ThrowException2(&image->exception,CoderWarning,
+-                                     "ran out of profile data",(char *) NULL);
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                  "ran out of profile data");
+               return (MagickFail);
+             }
+           sp++;
+@@ -1234,8 +1234,9 @@
+   if(SetImageProfile(image,profile_name,info,length) == MagickFail)
+     {
+       MagickFreeMemory(info);
+-      (void) ThrowException(&image->exception,ResourceLimitError,
+-                            MemoryAllocationFailed,"unable to copy profile");
++      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++           "unable to copy profile");
++      return MagickFail;
+     }
+   MagickFreeMemory(info);
+   return MagickTrue;
+@@ -3285,7 +3286,6 @@
+               if (status == MagickFalse)
+                 {
+                   DestroyJNGInfo(color_image_info,alpha_image_info);
+-                  DestroyImage(alpha_image);
+                   (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                       "    could not allocate alpha_image blob");
+                   return ((Image *)NULL);
+@@ -3534,7 +3534,7 @@
+       CloseBlob(color_image);
+       if (logging)
+         (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+-                              "    Reading jng_image from color_blob.");
++            "    Reading jng_image from color_blob.");
+
+       FormatString(color_image_info->filename,"%.1024s",color_image->filename);
+
+@@ -3558,13 +3558,18 @@
+
+       if (logging)
+         (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+-                              "    Copying jng_image pixels to main image.");
++            "    Copying jng_image pixels to main image.");
+       image->rows=jng_height;
+       image->columns=jng_width;
+       length=image->columns*sizeof(PixelPacket);
++      if ((jng_height == 0 || jng_width == 0) && logging)
++        (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++            "    jng_width=%lu jng_height=%lu",
++            (unsigned long)jng_width,(unsigned long)jng_height);
+       for (y=0; y < (long) image->rows; y++)
+         {
+-          s=AcquireImagePixels(jng_image,0,y,image->columns,1,&image->exception);
++          s=AcquireImagePixels(jng_image,0,y,image->columns,1,
++             &image->exception);
+           q=SetImagePixels(image,0,y,image->columns,1);
+           (void) memcpy(q,s,length);
+           if (!SyncImagePixels(image))
+@@ -3589,45 +3594,79 @@
+               CloseBlob(alpha_image);
+               if (logging)
+                 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+-                                      "    Reading opacity from alpha_blob.");
++                     "    Reading opacity from alpha_blob.");
+
+               FormatString(alpha_image_info->filename,"%.1024s",
+                            alpha_image->filename);
+
+               jng_image=ReadImage(alpha_image_info,exception);
+
+-              for (y=0; y < (long) image->rows; y++)
++              if (jng_image == (Image *)NULL)
+                 {
+-                  s=AcquireImagePixels(jng_image,0,y,image->columns,1,
+-                                       &image->exception);
+-                  if (image->matte)
+-                    {
+-                      q=SetImagePixels(image,0,y,image->columns,1);
+-                      for (x=(long) image->columns; x > 0; x--,q++,s++)
+-                        q->opacity=(Quantum) MaxRGB-s->red;
+-                    }
+-                  else
++                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                       "    jng_image is NULL.");
++                  if (color_image_info)
++                    DestroyImageInfo(color_image_info);
++                  if (alpha_image_info)
++                    DestroyImageInfo(alpha_image_info);
++                  if (color_image)
++                    DestroyImage(color_image);
++                  if (alpha_image)
++                    DestroyImage(alpha_image);
++                }
++              else
++                {
++
++                  if (logging)
+                     {
+-                      q=SetImagePixels(image,0,y,image->columns,1);
+-                      for (x=(long) image->columns; x > 0; x--,q++,s++)
+-                        {
+-                          q->opacity=(Quantum) MaxRGB-s->red;
+-                          if (q->opacity != OpaqueOpacity)
+-                            image->matte=MagickTrue;
+-                        }
++                      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                          "    Read jng_image.");
++                      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                          "      jng_image->width=%lu, jng_image->height=%lu",
++                          (unsigned long)jng_width,(unsigned long)jng_height);
++                      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                          "      image->rows=%lu, image->columns=%lu",
++                         (unsigned long)image->rows,
++                         (unsigned long)image->columns);
+                     }
+-                  if (!SyncImagePixels(image))
+-                    break;
+-                }
+-              (void) LiberateUniqueFileResource(alpha_image->filename);
+-              DestroyImage(alpha_image);
+-              alpha_image = (Image *)NULL;
+-              DestroyImageInfo(alpha_image_info);
+-              alpha_image_info = (ImageInfo *)NULL;
+-              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+-                  " Destroy the JNG image");
+-              DestroyImage(jng_image);
+-              jng_image = (Image *)NULL;
++
++                  for (y=0; y < (long) image->rows; y++)
++                   {
++                     s=AcquireImagePixels(jng_image,0,y,image->columns,1,
++                                          &image->exception);
++                     if (image->matte)
++                       {
++                         q=SetImagePixels(image,0,y,image->columns,1);
++                         for (x=(long) image->columns; x > 0; x--,q++,s++)
++                           q->opacity=(Quantum) MaxRGB-s->red;
++                       }
++                     else
++                       {
++                         q=SetImagePixels(image,0,y,image->columns,1);
++                         for (x=(long) image->columns; x > 0; x--,q++,s++)
++                           {
++                             q->opacity=(Quantum) MaxRGB-s->red;
++                             if (q->opacity != OpaqueOpacity)
++                               image->matte=MagickTrue;
++                           }
++                       }
++                     if (!SyncImagePixels(image))
++                       break;
++                   }
++                 (void) LiberateUniqueFileResource(alpha_image->filename);
++                 if (color_image_info)
++                   DestroyImageInfo(color_image_info);
++                 if (alpha_image_info)
++                   DestroyImageInfo(alpha_image_info);
++                 if (color_image)
++                   DestroyImage(color_image);
++                 if (alpha_image)
++                   DestroyImage(alpha_image);
++                 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                     " Destroy the JNG image");
++                 DestroyImage(jng_image);
++                 jng_image = (Image *)NULL;
++               }
+             }
+         }