!174 [sync] PR-170: Update to 6.9.12.86 for Fix CVE-2023-1289,CVE-2023-1906

From: @openeuler-sync-bot 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge

CVE-2022-3213-pre1.patch

@@ -1,53 +0,0 @@
-From 4393e83230128de1cb798b67e798101d683380b1 Mon Sep 17 00:00:00 2001
-From: Cristy <urban-warrior@imagemagick.org>
-Date: Tue, 21 Jun 2022 15:06:40 -0400
-Subject: [PATCH] prevent possible buffer overrun
-
----
- coders/tiff.c | 15 ++++++++-------
- 1 file changed, 8 insertions(+), 7 deletions(-)
-
-diff --git a/coders/tiff.c b/coders/tiff.c
-index e278ca7c0a..d5e30293db 100644
---- a/coders/tiff.c
-+++ b/coders/tiff.c
-@@ -1796,9 +1796,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
-         */
-         extent=(samples_per_pixel+1)*TIFFStripSize(tiff);
- #if defined(TIFF_VERSION_BIG)
--        extent+=image->columns*sizeof(uint64);
-+        extent+=samples_per_pixel*sizeof(uint64);
- #else
--        extent+=image->columns*sizeof(uint32);
-+        extent+=samples_per_pixel*sizeof(uint32);
- #endif
-         strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
-           sizeof(*strip_pixels));
-@@ -1894,11 +1894,12 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
-         number_pixels=(MagickSizeType) columns*rows;
-         if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
-           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
--        extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
-+        extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
-+          TIFFTileSize(tiff));
- #if defined(TIFF_VERSION_BIG)
--        extent+=image->columns*sizeof(uint64);
-+        extent+=samples_per_pixel*sizeof(uint64);
- #else
--        extent+=image->columns*sizeof(uint32);
-+        extent+=samples_per_pixel*sizeof(uint32);
- #endif
-         tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
-           sizeof(*tile_pixels));
-@@ -1996,9 +1997,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
-           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
-         number_pixels=(MagickSizeType) image->columns*image->rows;
- #if defined(TIFF_VERSION_BIG)
--        number_pixels+=image->columns*sizeof(uint64);
-+        number_pixels+=samples_per_pixel*sizeof(uint64);
- #else
--        number_pixels+=image->columns*sizeof(uint32);
-+        number_pixels+=samples_per_pixel*sizeof(uint32);
- #endif
-         generic_info=AcquireVirtualMemory(number_pixels,sizeof(*pixels));
-         if (generic_info == (MemoryInfo *) NULL)

CVE-2022-3213-pre2.patch

@@ -1,54 +0,0 @@
-From 2b4eabb9d09b278f16727c635e928bd951c58773 Mon Sep 17 00:00:00 2001
-From: Cristy <urban-warrior@imagemagick.org>
-Date: Wed, 29 Jun 2022 19:41:14 -0400
-Subject: [PATCH] eliminate possible buffer overflow
-
----
- coders/tiff.c | 19 ++-----------------
- 1 file changed, 2 insertions(+), 17 deletions(-)
-
-diff --git a/coders/tiff.c b/coders/tiff.c
-index d5e30293db..d88711f941 100644
---- a/coders/tiff.c
-+++ b/coders/tiff.c
-@@ -1794,12 +1794,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
-         /*
-           Convert stripped TIFF image.
-         */
--        extent=(samples_per_pixel+1)*TIFFStripSize(tiff);
--#if defined(TIFF_VERSION_BIG)
--        extent+=samples_per_pixel*sizeof(uint64);
--#else
--        extent+=samples_per_pixel*sizeof(uint32);
--#endif
-+        extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff);
-         strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
-           sizeof(*strip_pixels));
-         if (strip_pixels == (unsigned char *) NULL)
-@@ -1894,13 +1889,8 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
-         number_pixels=(MagickSizeType) columns*rows;
-         if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
-           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
--        extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
-+        extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
-           TIFFTileSize(tiff));
--#if defined(TIFF_VERSION_BIG)
--        extent+=samples_per_pixel*sizeof(uint64);
--#else
--        extent+=samples_per_pixel*sizeof(uint32);
--#endif
-         tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
-           sizeof(*tile_pixels));
-         if (tile_pixels == (unsigned char *) NULL)
-@@ -1996,11 +1986,6 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
-         if (HeapOverflowSanityCheck(image->rows,sizeof(*pixels)) != MagickFalse)
-           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
-         number_pixels=(MagickSizeType) image->columns*image->rows;
--#if defined(TIFF_VERSION_BIG)
--        number_pixels+=samples_per_pixel*sizeof(uint64);
--#else
--        number_pixels+=samples_per_pixel*sizeof(uint32);
--#endif
-         generic_info=AcquireVirtualMemory(number_pixels,sizeof(*pixels));
-         if (generic_info == (MemoryInfo *) NULL)
-           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");

CVE-2022-3213.patch

@@ -1,22 +0,0 @@
-From 1aea203eb36409ce6903b9e41fe7cb70030e8750 Mon Sep 17 00:00:00 2001
-From: Cristy <urban-warrior@imagemagick.org>
-Date: Sat, 27 Aug 2022 08:38:18 -0400
-Subject: [PATCH] squash heap-buffer-overflow, PoC TIFF from Hardik
-
----
- coders/tiff.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/coders/tiff.c b/coders/tiff.c
-index 3165ab925..05549f9e5 100644
---- a/coders/tiff.c
-+++ b/coders/tiff.c
-@@ -1798,7 +1798,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
-         /*
-           Convert stripped TIFF image.
-         */
--        extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff);
-+        extent=4*((image->depth+7)/8)*(samples_per_pixel+1)*TIFFStripSize(tiff);
-         strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
-           sizeof(*strip_pixels));
-         if (strip_pixels == (unsigned char *) NULL)

CVE-2022-32547.patch

@@ -1,30 +0,0 @@
-From dc070da861a015d3c97488fdcca6063b44d47a7b Mon Sep 17 00:00:00 2001
-From: Cristy <urban-warrior@imagemagick.org>
-Date: Sat, 9 Apr 2022 08:40:54 -0400
-Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/pull/5034
-
----
- magick/property.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/magick/property.c b/magick/property.c
-index 2d80493dd2..bfc689466d 100644
---- a/magick/property.c
-+++ b/magick/property.c
-@@ -1526,12 +1526,14 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
-             }
-             case EXIF_FMT_SINGLE:
-             {
--              EXIFMultipleValues(4,"%f",(double) *(float *) p1);
-+              EXIFMultipleValues(4,"%.20g",(double)
-+                ReadPropertySignedLong(endian,p1));
-               break;
-             }
-             case EXIF_FMT_DOUBLE:
-             {
--              EXIFMultipleValues(8,"%f",*(double *) p1);
-+              EXIFMultipleValues(8,"%.20g",(double)
-+                ReadPropertySignedLong(endian,p1));
-               break;
-             }
-             case EXIF_FMT_STRING:

CVE-2022-44267_CVE-2022-44268.patch

@@ -1,30 +0,0 @@
-From 3c5188b41902a909e163492fb0c19e49efefcefe Mon Sep 17 00:00:00 2001
-From: Cristy <urban-warrior@imagemagick.org>
-Date: Sat, 22 Oct 2022 13:28:51 -0400
-Subject: [PATCH] possible DoS @ stdin (OCE-2022-70); possible arbitrary file
- leak (OCE-2022-72)
-
----
- coders/png.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/coders/png.c b/coders/png.c
-index dae894d9c..887827636 100644
---- a/coders/png.c
-+++ b/coders/png.c
-@@ -3793,13 +3793,14 @@ static Image *ReadOnePNGImage(MngInfo *mng_info,
-              */
-             if (!png_get_valid(ping,ping_info,PNG_INFO_pHYs) ||
-                 (LocaleCompare(text[i].key,"density") != 0 &&
--                LocaleCompare(text[i].key,"units") != 0))
-+                 LocaleCompare(text[i].key,"units") != 0))
-               {
-                 char
-                   key[MaxTextExtent];
- 
-                 (void) FormatLocaleString(key,MaxTextExtent,"%s",text[i].key);
-                 if ((LocaleCompare(key,"version") == 0) ||
-+                    (LocaleCompare(key,"profile") == 0) ||
-                     (LocaleCompare(key,"width") == 0))
-                   (void) FormatLocaleString(key,MagickPathExtent,"png:%s",
-                     text[i].key);

ImageMagick.spec

@@ -1,19 +1,11 @@
 Name:           ImageMagick
 Epoch:          1
-Version:        6.9.12.43
+Version:        6.9.12.86
-Release:        5
+Release:        1
 Summary:        Create, edit, compose, or convert bitmap images
 License:        ImageMagick and MIT
 Url:            http://www.imagemagick.org/
-Source0:        https://www.imagemagick.org/download/ImageMagick-6.9.12-43.tar.xz
+Source0:        https://www.imagemagick.org/download/ImageMagick-6.9.12-86.tar.xz
-
-Patch0001: backport-fix-CVE-2022-1115.patch
-Patch0002: CVE-2022-3213-pre1.patch
-Patch0003: CVE-2022-3213-pre2.patch
-Patch0004: CVE-2022-3213.patch
-Patch0005: CVE-2022-32547.patch
-Patch0006: CVE-2022-44267_CVE-2022-44268.patch
-
 
 BuildRequires:  bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
 BuildRequires:  libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@@ -79,7 +71,7 @@ Requires:       ImageMagick-devel = %{epoch}:%{version}-%{release}
 Development files for ImageMagick-c++.
 
 %prep
-%autosetup -n ImageMagick-6.9.12-43 -p1
+%autosetup -n ImageMagick-6.9.12-86 -p1
 
 install -d Magick++/examples
 cp -p Magick++/demo/*.cpp Magick++/demo/*.miff Magick++/examples
@@ -147,7 +139,7 @@ rm PerlMagick/demo/Generic.ttf
 %{_includedir}/%{name}-6/wand
 
 %files help
-%doc README.txt NEWS.txt ChangeLog.md QuickStart.txt
+%doc README.txt NEWS.txt QuickStart.txt
 %doc %{_datadir}/doc/ImageMagick-6
 %doc %{_datadir}/doc/ImageMagick-6.9.12
 %{_mandir}/man[145]/[a-z]*
@@ -171,6 +163,9 @@ rm PerlMagick/demo/Generic.ttf
 %{_libdir}/pkgconfig/ImageMagick++*
 
 %changelog
+* Mon Apr 24 2023 wangkai <13474090681@163.com> - 1:6.9.12.86-1
+- Update to 6.9.12.86 for Fix CVE-2023-1289,CVE-2023-1906
+
 * Thu Feb 09 2023 yaoxin <yaoxin30@h-partners.com> - 1:6.9.12.43-5
 - Fix CVE-2022-44267 and CVE-2022-44268
 

backport-fix-CVE-2022-1115.patch

@@ -1,25 +0,0 @@
-From e88576bc495951a1c08a6e9cdbc2121b4c9d8ac8 Mon Sep 17 00:00:00 2001
-From: cenhuilin <cenhuilin@kylinos.cn>
-Date: Mon, 5 Sep 2022 06:39:50 +0000
-Subject: [PATCH] heap-buffer-overflow in magick at quantum-private.h PushShortPixel
-
----
- coders/tiff.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/coders/tiff.c b/coders/tiff.c
-index 8fd1451..b4c94bb 100644
---- a/coders/tiff.c
-+++ b/coders/tiff.c
-@@ -1894,7 +1894,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
-         number_pixels=(MagickSizeType) columns*rows;
-         if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
-           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
--        extent=MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
-+        extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
- #if defined(TIFF_VERSION_BIG)
-         extent+=image->columns*sizeof(uint64);
- #else
--- 
-2.33.0
-