gnu: graphicsmagick: Fix CVE-2017-14165.
* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch. * gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it.
parent
814da59fcc
commit
224bb4b6f9
3 changed files with 75 additions and 1 deletions
|
@ -681,6 +681,7 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/graphicsmagick-CVE-2017-13775.patch \
|
||||
%D%/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch \
|
||||
%D%/packages/patches/graphicsmagick-CVE-2017-14042.patch \
|
||||
%D%/packages/patches/graphicsmagick-CVE-2017-14165.patch \
|
||||
%D%/packages/patches/graphite2-ffloat-store.patch \
|
||||
%D%/packages/patches/grep-gnulib-lock.patch \
|
||||
%D%/packages/patches/grep-timing-sensitive-test.patch \
|
||||
|
|
|
@ -183,7 +183,8 @@ (define-public graphicsmagick
|
|||
"graphicsmagick-CVE-2017-12937.patch"
|
||||
"graphicsmagick-CVE-2017-13775.patch"
|
||||
"graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"
|
||||
"graphicsmagick-CVE-2017-14042.patch"))))
|
||||
"graphicsmagick-CVE-2017-14042.patch"
|
||||
"graphicsmagick-CVE-2017-14165.patch"))))
|
||||
(build-system gnu-build-system)
|
||||
(arguments
|
||||
`(#:configure-flags
|
||||
|
|
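--- a/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch
@@ -0,0 +1,72 @@
+http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/493da54370aa
+http://openwall.com/lists/oss-security/2017/09/06/4
+
+some changes were made to make the patch apply
+
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1503257388 18000
+# Node ID 493da54370aa42cb430c52a69eb75db0001a5589
+# Parent f8724674907902b7bc37c04f252fe30fbdd88e6f
+SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions.
+
+diff -r f87246749079 -r 493da54370aa coders/sun.c
+--- a/coders/sun.c Sun Aug 20 12:21:03 2017 +0200
++++ b/coders/sun.c Sun Aug 20 14:29:48 2017 -0500
+@@ -498,6 +498,12 @@
+if (sun_info.depth < 8)
+image->depth=sun_info.depth;
+
++ if (image_info->ping)
++ {
++ CloseBlob(image);
++ return(image);
++ }
++
+/*
+Compute bytes per line and bytes per image for an unencoded
+image.
+@@ -522,15 +528,37 @@
+if (bytes_per_image > sun_info.length)
+ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+
+- if (image_info->ping)
+- {
+- CloseBlob(image);
+- return(image);
+- }
+if (sun_info.type == RT_ENCODED)
+sun_data_length=(size_t) sun_info.length;
+else
+sun_data_length=bytes_per_image;
++
++ /*
++ Verify that data length claimed by header is supported by file size
++ */
++ if (sun_info.type == RT_ENCODED)
++ {
++ if (sun_data_length < bytes_per_image/255U)
++ {
++ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
++ }
++ }
++ if (BlobIsSeekable(image))
++ {
++ const magick_off_t file_size = GetBlobSize(image);
++ const magick_off_t current_offset = TellBlob(image);
++ if ((file_size > 0) &&
++ (current_offset > 0) &&
++ (file_size > current_offset))
++ {
++ const magick_off_t remaining = file_size-current_offset;
++ if (remaining < (magick_off_t) sun_data_length)
++ {
++ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
++ }
++ }
++ }
++
+sun_data=MagickAllocateMemory(unsigned char *,sun_data_length);
+if (sun_data == (unsigned char *) NULL)
+ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+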
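Review bot: The new file-size check in the second hunk of coders/sun.c is skipped when the blob is not seekable and also when `file_size == current_offset`, so in both cases the header-supplied `sun_data_length` still reaches `MagickAllocateMemory` unverified. Relaxing the guard to `(file_size >= current_offset))` would let a file that ends right after its header fail with `UnexpectedEndOfFile` before the allocation. For non-seekable input, a comment such as `/* non-seekable blob: truncation is only detected by the read that follows */` would record the remaining gap; the read itself is outside the hunk, so that part is inferred. The patch header says "some changes were made to make the patch apply" without saying which, and listing the differences from upstream changeset 493da54370aa would make the backport auditable. The enclosing reader function begins and ends outside both hunks.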