summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/imagemagick.scm3
-rw-r--r--gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch72
3 files changed, 75 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 64b1b1c14d..43eac7717a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -681,6 +681,7 @@ dist_patch_DATA = \
%D%/packages/patches/graphicsmagick-CVE-2017-13775.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-14042.patch \
+ %D%/packages/patches/graphicsmagick-CVE-2017-14165.patch \
%D%/packages/patches/graphite2-ffloat-store.patch \
%D%/packages/patches/grep-gnulib-lock.patch \
%D%/packages/patches/grep-timing-sensitive-test.patch \
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 632be70349..502dc43acf 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -183,7 +183,8 @@ script.")
"graphicsmagick-CVE-2017-12937.patch"
"graphicsmagick-CVE-2017-13775.patch"
"graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"
- "graphicsmagick-CVE-2017-14042.patch"))))
+ "graphicsmagick-CVE-2017-14042.patch"
+ "graphicsmagick-CVE-2017-14165.patch"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch
new file mode 100644
index 0000000000..1f55d90d38
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch
@@ -0,0 +1,72 @@
+http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/493da54370aa
+http://openwall.com/lists/oss-security/2017/09/06/4
+
+some changes were made to make the patch apply
+
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1503257388 18000
+# Node ID 493da54370aa42cb430c52a69eb75db0001a5589
+# Parent f8724674907902b7bc37c04f252fe30fbdd88e6f
+SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions.
+
+diff -r f87246749079 -r 493da54370aa coders/sun.c
+--- a/coders/sun.c Sun Aug 20 12:21:03 2017 +0200
++++ b/coders/sun.c Sun Aug 20 14:29:48 2017 -0500
+@@ -498,6 +498,12 @@
+ if (sun_info.depth < 8)
+ image->depth=sun_info.depth;
+
++ if (image_info->ping)
++ {
++ CloseBlob(image);
++ return(image);
++ }
++
+ /*
+ Compute bytes per line and bytes per image for an unencoded
+ image.
+@@ -522,15 +528,37 @@
+ if (bytes_per_image > sun_info.length)
+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+
+- if (image_info->ping)
+- {
+- CloseBlob(image);
+- return(image);
+- }
+ if (sun_info.type == RT_ENCODED)
+ sun_data_length=(size_t) sun_info.length;
+ else
+ sun_data_length=bytes_per_image;
++
++ /*
++ Verify that data length claimed by header is supported by file size
++ */
++ if (sun_info.type == RT_ENCODED)
++ {
++ if (sun_data_length < bytes_per_image/255U)
++ {
++ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
++ }
++ }
++ if (BlobIsSeekable(image))
++ {
++ const magick_off_t file_size = GetBlobSize(image);
++ const magick_off_t current_offset = TellBlob(image);
++ if ((file_size > 0) &&
++ (current_offset > 0) &&
++ (file_size > current_offset))
++ {
++ const magick_off_t remaining = file_size-current_offset;
++ if (remaining < (magick_off_t) sun_data_length)
++ {
++ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
++ }
++ }
++ }
++
+ sun_data=MagickAllocateMemory(unsigned char *,sun_data_length);
+ if (sun_data == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+