packages/ImageMagick
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update to 6.9.12.86 for Fix CVE-2023-1289,CVE-2023-1906

Browse Source 
(cherry picked from commit 334839d62096bca5b6feed4929464239d4296d32)
This commit is contained in:
wk333 2023-04-24 18:02:58 +08:00 committed by openeuler-sync-bot
parent 4e184b8aa5
commit 0d171f0093
8 changed files with 8 additions and 227 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
CVE-2022-3213-pre1.patch
View File

@ -1,53 +0,0 @@
From 4393e83230128de1cb798b67e798101d683380b1 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Tue, 21 Jun 2022 15:06:40 -0400
Subject: [PATCH] prevent possible buffer overrun
---
coders/tiff.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/coders/tiff.c b/coders/tiff.c
index e278ca7c0a..d5e30293db 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1796,9 +1796,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
*/
extent=(samples_per_pixel+1)*TIFFStripSize(tiff);
#if defined(TIFF_VERSION_BIG)
- extent+=image->columns*sizeof(uint64);
+ extent+=samples_per_pixel*sizeof(uint64);
#else
- extent+=image->columns*sizeof(uint32);
+ extent+=samples_per_pixel*sizeof(uint32);
#endif
strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*strip_pixels));
@@ -1894,11 +1894,12 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
number_pixels=(MagickSizeType) columns*rows;
if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
- extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
+ extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
+ TIFFTileSize(tiff));
#if defined(TIFF_VERSION_BIG)
- extent+=image->columns*sizeof(uint64);
+ extent+=samples_per_pixel*sizeof(uint64);
#else
- extent+=image->columns*sizeof(uint32);
+ extent+=samples_per_pixel*sizeof(uint32);
#endif
tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*tile_pixels));
@@ -1996,9 +1997,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
number_pixels=(MagickSizeType) image->columns*image->rows;
#if defined(TIFF_VERSION_BIG)
- number_pixels+=image->columns*sizeof(uint64);
+ number_pixels+=samples_per_pixel*sizeof(uint64);
#else
- number_pixels+=image->columns*sizeof(uint32);
+ number_pixels+=samples_per_pixel*sizeof(uint32);
#endif
generic_info=AcquireVirtualMemory(number_pixels,sizeof(*pixels));
if (generic_info == (MemoryInfo *) NULL)

54
CVE-2022-3213-pre2.patch
View File

@ -1,54 +0,0 @@
From 2b4eabb9d09b278f16727c635e928bd951c58773 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Wed, 29 Jun 2022 19:41:14 -0400
Subject: [PATCH] eliminate possible buffer overflow
---
coders/tiff.c | 19 ++-----------------
1 file changed, 2 insertions(+), 17 deletions(-)
diff --git a/coders/tiff.c b/coders/tiff.c
index d5e30293db..d88711f941 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1794,12 +1794,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
/*
Convert stripped TIFF image.
*/
- extent=(samples_per_pixel+1)*TIFFStripSize(tiff);
-#if defined(TIFF_VERSION_BIG)
- extent+=samples_per_pixel*sizeof(uint64);
-#else
- extent+=samples_per_pixel*sizeof(uint32);
-#endif
+ extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff);
strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*strip_pixels));
if (strip_pixels == (unsigned char *) NULL)
@@ -1894,13 +1889,8 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
number_pixels=(MagickSizeType) columns*rows;
if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
- extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
+ extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
TIFFTileSize(tiff));
-#if defined(TIFF_VERSION_BIG)
- extent+=samples_per_pixel*sizeof(uint64);
-#else
- extent+=samples_per_pixel*sizeof(uint32);
-#endif
tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*tile_pixels));
if (tile_pixels == (unsigned char *) NULL)
@@ -1996,11 +1986,6 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
if (HeapOverflowSanityCheck(image->rows,sizeof(*pixels)) != MagickFalse)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
number_pixels=(MagickSizeType) image->columns*image->rows;
-#if defined(TIFF_VERSION_BIG)
- number_pixels+=samples_per_pixel*sizeof(uint64);
-#else
- number_pixels+=samples_per_pixel*sizeof(uint32);
-#endif
generic_info=AcquireVirtualMemory(number_pixels,sizeof(*pixels));
if (generic_info == (MemoryInfo *) NULL)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");

22
CVE-2022-3213.patch
View File

@ -1,22 +0,0 @@
From 1aea203eb36409ce6903b9e41fe7cb70030e8750 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 27 Aug 2022 08:38:18 -0400
Subject: [PATCH] squash heap-buffer-overflow, PoC TIFF from Hardik
---
coders/tiff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/coders/tiff.c b/coders/tiff.c
index 3165ab925..05549f9e5 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1798,7 +1798,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
/*
Convert stripped TIFF image.
*/
- extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff);
+ extent=4*((image->depth+7)/8)*(samples_per_pixel+1)*TIFFStripSize(tiff);
strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*strip_pixels));
if (strip_pixels == (unsigned char *) NULL)

30
CVE-2022-32547.patch
View File

@ -1,30 +0,0 @@
From dc070da861a015d3c97488fdcca6063b44d47a7b Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 9 Apr 2022 08:40:54 -0400
Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/pull/5034
---
magick/property.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/magick/property.c b/magick/property.c
index 2d80493dd2..bfc689466d 100644
--- a/magick/property.c
+++ b/magick/property.c
@@ -1526,12 +1526,14 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
}
case EXIF_FMT_SINGLE:
{
- EXIFMultipleValues(4,"%f",(double) *(float *) p1);
+ EXIFMultipleValues(4,"%.20g",(double)
+ ReadPropertySignedLong(endian,p1));
break;
}
case EXIF_FMT_DOUBLE:
{
- EXIFMultipleValues(8,"%f",*(double *) p1);
+ EXIFMultipleValues(8,"%.20g",(double)
+ ReadPropertySignedLong(endian,p1));
break;
}
case EXIF_FMT_STRING:

30
CVE-2022-44267_CVE-2022-44268.patch
View File

@ -1,30 +0,0 @@
From 3c5188b41902a909e163492fb0c19e49efefcefe Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 22 Oct 2022 13:28:51 -0400
Subject: [PATCH] possible DoS @ stdin (OCE-2022-70); possible arbitrary file
leak (OCE-2022-72)
---
coders/png.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/coders/png.c b/coders/png.c
index dae894d9c..887827636 100644
--- a/coders/png.c
+++ b/coders/png.c
@@ -3793,13 +3793,14 @@ static Image *ReadOnePNGImage(MngInfo *mng_info,
*/
if (!png_get_valid(ping,ping_info,PNG_INFO_pHYs) ||
(LocaleCompare(text[i].key,"density") != 0 &&
- LocaleCompare(text[i].key,"units") != 0))
+ LocaleCompare(text[i].key,"units") != 0))
{
char
key[MaxTextExtent];
(void) FormatLocaleString(key,MaxTextExtent,"%s",text[i].key);
if ((LocaleCompare(key,"version") == 0) ||
+ (LocaleCompare(key,"profile") == 0) ||
(LocaleCompare(key,"width") == 0))
(void) FormatLocaleString(key,MagickPathExtent,"png:%s",
text[i].key);

BIN
ImageMagick-6.9.12-43.tar.xz → ImageMagick-6.9.12-86.tar.xz
View File

Binary file not shown.

21
ImageMagick.spec
View File

@ -1,19 +1,11 @@
Name: ImageMagick
Epoch: 1
Version: 6.9.12.43
Release: 5
Version: 6.9.12.86
Release: 1
Summary: Create, edit, compose, or convert bitmap images
License: ImageMagick and MIT
Url: http://www.imagemagick.org/
Source0: https://www.imagemagick.org/download/ImageMagick-6.9.12-43.tar.xz
Patch0001: backport-fix-CVE-2022-1115.patch
Patch0002: CVE-2022-3213-pre1.patch
Patch0003: CVE-2022-3213-pre2.patch
Patch0004: CVE-2022-3213.patch
Patch0005: CVE-2022-32547.patch
Patch0006: CVE-2022-44267_CVE-2022-44268.patch
Source0: https://www.imagemagick.org/download/ImageMagick-6.9.12-86.tar.xz
BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@ -79,7 +71,7 @@ Requires: ImageMagick-devel = %{epoch}:%{version}-%{release}
Development files for ImageMagick-c++.
%prep
%autosetup -n ImageMagick-6.9.12-43 -p1
%autosetup -n ImageMagick-6.9.12-86 -p1
install -d Magick++/examples
cp -p Magick++/demo/*.cpp Magick++/demo/*.miff Magick++/examples
@ -147,7 +139,7 @@ rm PerlMagick/demo/Generic.ttf
%{_includedir}/%{name}-6/wand
%files help
%doc README.txt NEWS.txt ChangeLog.md QuickStart.txt
%doc README.txt NEWS.txt QuickStart.txt
%doc %{_datadir}/doc/ImageMagick-6
%doc %{_datadir}/doc/ImageMagick-6.9.12
%{_mandir}/man[145]/[a-z]*
@ -171,6 +163,9 @@ rm PerlMagick/demo/Generic.ttf
%{_libdir}/pkgconfig/ImageMagick++*
%changelog
* Mon Apr 24 2023 wangkai <13474090681@163.com> - 1:6.9.12.86-1
- Update to 6.9.12.86 for Fix CVE-2023-1289,CVE-2023-1906
* Thu Feb 09 2023 yaoxin <yaoxin30@h-partners.com> - 1:6.9.12.43-5
- Fix CVE-2022-44267 and CVE-2022-44268

25
backport-fix-CVE-2022-1115.patch
View File

@ -1,25 +0,0 @@
From e88576bc495951a1c08a6e9cdbc2121b4c9d8ac8 Mon Sep 17 00:00:00 2001
From: cenhuilin <cenhuilin@kylinos.cn>
Date: Mon, 5 Sep 2022 06:39:50 +0000
Subject: [PATCH] heap-buffer-overflow in magick at quantum-private.h PushShortPixel
---
coders/tiff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/coders/tiff.c b/coders/tiff.c
index 8fd1451..b4c94bb 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1894,7 +1894,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
number_pixels=(MagickSizeType) columns*rows;
if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
- extent=MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
+ extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
#if defined(TIFF_VERSION_BIG)
extent+=image->columns*sizeof(uint64);
#else
--
2.33.0