gnu: graphicsmagick: Fix CVE-2017-{12935,12936,12937}.

* gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch,
gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch,
gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Use them.
This commit is contained in:
Kei Kebreau 2017-08-19 11:39:33 -04:00
parent a8cd352304
commit 6d7d9d9507
No known key found for this signature in database
GPG key ID: E6A5EE3C19467A0D
5 changed files with 80 additions and 1 deletions

View file

@ -679,6 +679,9 @@ dist_patch_DATA = \
%D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
%D%/packages/patches/gobject-introspection-cc.patch \
%D%/packages/patches/gobject-introspection-girepository.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-12935.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-12936.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-12937.patch \
%D%/packages/patches/graphite2-ffloat-store.patch \
%D%/packages/patches/grep-timing-sensitive-test.patch \
%D%/packages/patches/gsl-test-i686.patch \

View file

@ -175,7 +175,11 @@ (define-public graphicsmagick
"/GraphicsMagick-" version ".tar.xz")))
(sha256
(base32
"122zgs96dqrys62mnh8x5yvfff6km4d3yrnvaxzg3mg5sprib87v"))))
"122zgs96dqrys62mnh8x5yvfff6km4d3yrnvaxzg3mg5sprib87v"))
(patches
(search-patches "graphicsmagick-CVE-2017-12935.patch"
"graphicsmagick-CVE-2017-12936.patch"
"graphicsmagick-CVE-2017-12937.patch"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags

View file

@ -0,0 +1,28 @@
This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/cd699a44f188.
diff -ur a/coders/png.c b/coders/png.c
--- a/coders/png.c 2017-07-04 17:32:08.000000000 -0400
+++ b/coders/png.c 2017-08-19 11:16:20.933969362 -0400
@@ -4101,11 +4101,17 @@
mng_info->image=image;
}
- if ((mng_info->mng_width > 65535L) || (mng_info->mng_height
- > 65535L))
- (void) ThrowException(&image->exception,ImageError,
- WidthOrHeightExceedsLimit,
- image->filename);
+ if ((mng_info->mng_width > 65535L) ||
+ (mng_info->mng_height > 65535L))
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " MNG width or height is too large: %lu, %lu",
+ mng_info->mng_width,mng_info->mng_height);
+ MagickFreeMemory(chunk);
+ ThrowReaderException(CorruptImageError,
+ ImproperImageHeader,image);
+ }
+
FormatString(page_geometry,"%lux%lu+0+0",mng_info->mng_width,
mng_info->mng_height);
mng_info->frame.left=0;

View file

@ -0,0 +1,16 @@
This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/be898b7c97bd.
diff -ur a/coders/wmf.c b/coders/wmf.c
--- a/coders/wmf.c 2016-09-05 15:20:23.000000000 -0400
+++ b/coders/wmf.c 2017-08-19 10:38:08.984187264 -0400
@@ -2719,8 +2719,8 @@
if(image->exception.severity != UndefinedException)
ThrowException2(exception,
CoderWarning,
- ddata->image->exception.reason,
- ddata->image->exception.description);
+ image->exception.reason,
+ image->exception.description);
if(logging)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),"leave ReadWMFImage()");

View file

@ -0,0 +1,28 @@
This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/95d00d55e978.
diff -ur a/coders/sun.c b/coders/sun.c
--- a/coders/sun.c 2016-05-30 13:19:54.000000000 -0400
+++ b/coders/sun.c 2017-08-18 18:00:00.191023610 -0400
@@ -1,5 +1,5 @@
/*
-% Copyright (C) 2003-2015 GraphicsMagick Group
+% Copyright (C) 2003-2017 GraphicsMagick Group
% Copyright (C) 2002 ImageMagick Studio
% Copyright 1991-1999 E. I. du Pont de Nemours and Company
%
@@ -577,6 +577,7 @@
for (bit=7; bit >= 0; bit--)
{
index=((*p) & (0x01 << bit) ? 0x01 : 0x00);
+ VerifyColormapIndex(image,index);
indexes[x+7-bit]=index;
q[x+7-bit]=image->colormap[index];
}
@@ -587,6 +588,7 @@
for (bit=7; bit >= (long) (8-(image->columns % 8)); bit--)
{
index=((*p) & (0x01 << bit) ? 0x01 : 0x00);
+ VerifyColormapIndex(image,index);
indexes[x+7-bit]=index;
q[x+7-bit]=image->colormap[index];
}