gnu: graphicsmagick: Fix CVE-2017-14165.

* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch. * gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it.
2024-11-07 07:26:13 -05:00 · 2017-09-10 21:40:17 +03:00 · 2017-09-10 21:40:17 +03:00 · 224bb4b6f9
commit 224bb4b6f9
parent 814da59fcc
3 changed files with 75 additions and 1 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -681,6 +681,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/graphicsmagick-CVE-2017-13775.patch	\
  %D%/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch	\
  %D%/packages/patches/graphicsmagick-CVE-2017-14042.patch	\
+  %D%/packages/patches/graphicsmagick-CVE-2017-14165.patch	\
  %D%/packages/patches/graphite2-ffloat-store.patch		\
  %D%/packages/patches/grep-gnulib-lock.patch                   \
  %D%/packages/patches/grep-timing-sensitive-test.patch		\
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@ -183,7 +183,8 @@ (define-public graphicsmagick
                               "graphicsmagick-CVE-2017-12937.patch"
                               "graphicsmagick-CVE-2017-13775.patch"
                               "graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"
-                               "graphicsmagick-CVE-2017-14042.patch"))))
+                               "graphicsmagick-CVE-2017-14042.patch"
+                               "graphicsmagick-CVE-2017-14165.patch"))))
    (build-system gnu-build-system)
    (arguments
     `(#:configure-flags
--- a/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch
@ -0,0 +1,72 @@
+http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/493da54370aa
+http://openwall.com/lists/oss-security/2017/09/06/4
+
+some changes were made to make the patch apply
+
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1503257388 18000
+# Node ID 493da54370aa42cb430c52a69eb75db0001a5589
+# Parent  f8724674907902b7bc37c04f252fe30fbdd88e6f
+SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions.
+
+diff -r f87246749079 -r 493da54370aa coders/sun.c
+--- a/coders/sun.c	Sun Aug 20 12:21:03 2017 +0200
+++ b/coders/sun.c	Sun Aug 20 14:29:48 2017 -0500
+@@ -498,6 +498,12 @@
+     if (sun_info.depth < 8)
+       image->depth=sun_info.depth;
+ 
+    if (image_info->ping)
+      {
+        CloseBlob(image);
+        return(image);
+      }
+
+     /*
+       Compute bytes per line and bytes per image for an unencoded
+       image.
+@@ -522,15 +528,37 @@
+       if (bytes_per_image > sun_info.length)
+         ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+ 
+-    if (image_info->ping)
+-      {
+-        CloseBlob(image);
+-        return(image);
+-      }
+     if (sun_info.type == RT_ENCODED)
+       sun_data_length=(size_t) sun_info.length;
+     else
+       sun_data_length=bytes_per_image;
+
+    /*
+      Verify that data length claimed by header is supported by file size
+    */
+    if (sun_info.type == RT_ENCODED)
+      {
+        if (sun_data_length < bytes_per_image/255U)
+          {
+            ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+          }
+      }
+    if (BlobIsSeekable(image))
+      {
+        const magick_off_t file_size = GetBlobSize(image);
+        const magick_off_t current_offset = TellBlob(image);
+        if ((file_size > 0) &&
+            (current_offset > 0) &&
+            (file_size > current_offset))
+        {
+          const magick_off_t remaining = file_size-current_offset;
+          if (remaining < (magick_off_t) sun_data_length)
+            {
+              ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+            }
+        }
+      }
+
+     sun_data=MagickAllocateMemory(unsigned char *,sun_data_length);
+     if (sun_data == (unsigned char *) NULL)
+       ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+