[GraphicsMagick] 1.3.20, CVE-2014-1947 (#1064098,#1083082)

Rex Dieter rdieter at fedoraproject.org
Wed Aug 20 12:51:33 UTC 2014


commit 59e8f594d3f54a8c8d1c12b153f42029e2b9a751
Author: Rex Dieter <rdieter at math.unl.edu>
Date:   Wed Aug 20 07:51:27 2014 -0500

    1.3.20, CVE-2014-1947 (#1064098,#1083082)

 .gitignore                                |    2 +-
 GraphicsMagick-1.3.19-fd85f2.patch        |   10 ----------
 GraphicsMagick-1.3.20-CVE-2014-1947.patch |   25 +++++++++++++++++++++++++
 GraphicsMagick.spec                       |   15 ++++++++-------
 sources                                   |    2 +-
 5 files changed, 35 insertions(+), 19 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 179b11a..d9bb688 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-/GraphicsMagick-1.3.19.tar.xz
+/GraphicsMagick-1.3.20.tar.xz
diff --git a/GraphicsMagick-1.3.20-CVE-2014-1947.patch b/GraphicsMagick-1.3.20-CVE-2014-1947.patch
new file mode 100644
index 0000000..27b16cd
--- /dev/null
+++ b/GraphicsMagick-1.3.20-CVE-2014-1947.patch
@@ -0,0 +1,25 @@
+diff -up GraphicsMagick-1.3.20/coders/psd.c.CVE-2014-1947 GraphicsMagick-1.3.20/coders/psd.c
+--- GraphicsMagick-1.3.20/coders/psd.c.CVE-2014-1947	2014-08-16 15:33:23.000000000 -0500
++++ GraphicsMagick-1.3.20/coders/psd.c	2014-08-20 07:30:08.767862041 -0500
+@@ -1719,8 +1719,7 @@ static unsigned int WritePSDImage(const
+     i;
+ 
+   unsigned char
+-    *pixels,
+-    layer_name[4];
++    *pixels;
+ 
+   unsigned int
+     packet_size,
+@@ -1944,8 +1943,9 @@ static unsigned int WritePSDImage(const
+             (void) WriteBlob(image, 3, &layer_name[1]);
+           */ 
+         } else {
+-          (void) sprintf((char *) layer_name, "L%02d", layer_count++ );
+-          WritePascalString( image, (char*)layer_name, 4 );
++          char layer_name[4];
++          (void) sprintf(layer_name, "L%02d", layer_count++ );
++          WritePascalString( image, layer_name, 4 );
+         }
+         tmp_image = tmp_image->next;
+       };
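Review bot: The added `sprintf(layer_name, "L%02d", layer_count++)` in the else branch is still unbounded against `char layer_name[4]`: `%02d` only sets a minimum width, so once layer_count reaches 100 the result is four characters plus the terminating NUL, which writes past the array. Moving the declaration into the block and changing its type to `char` does not alter that size arithmetic, so as far as this hunk shows the stack overflow tracked as CVE-2014-1947 is not closed by this patch. I would size the buffer for any int and bound the write: `char layer_name[16];` followed by `(void) snprintf(layer_name, sizeof(layer_name), "L%02d", layer_count++);`. The `4` passed to WritePascalString looks like a padding value rather than a buffer length, but its definition is outside the hunk, so confirm it copes with names longer than three characters. WritePSDImage begins and ends outside the hunk, so the type and upper bound of layer_count could not be checked here.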
diff --git a/GraphicsMagick.spec b/GraphicsMagick.spec
index 59b32e1..f6d229a 100644
--- a/GraphicsMagick.spec
+++ b/GraphicsMagick.spec
@@ -32,8 +32,8 @@
 
 Summary: An ImageMagick fork, offering faster image generation and better quality
 Name: GraphicsMagick
-Version: 1.3.19
-Release: 9%{?dist}
+Version: 1.3.20
+Release: 1%{?dist}
 
 License: MIT
 Group: Applications/Multimedia
@@ -44,12 +44,10 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 # workaround multilib conflicts with GraphicsMagick-config
 Patch1: GraphicsMagick-1.3.16-multilib.patch
 
-# Upstream patch - drop debug output
-# http://sourceforge.net/p/graphicsmagick/code/ci/fd85f264c97504ae5fd4308fb5347ba7f126beb8/
-Patch2: GraphicsMagick-1.3.19-fd85f2.patch
-
 ## upstreamable patches
 Patch50: GraphicsMagick-1.3.14-perl_linkage.patch
+# https://bugzilla.redhat.com/1064098
+Patch51: GraphicsMagick-1.3.20-CVE-2014-1947.patch
 
 ## upstream patches
 
@@ -159,8 +157,8 @@ however.
 %setup -q
 
 %patch1 -p1 -b .multilib
-%patch2 -p1 -b .fd85f2
 %patch50 -p1 -b .perl_linkage
+%patch51 -p1 -b .CVE-2014-1947
 
 for f in ChangeLog.{2006,2008,2009,2012} NEWS.txt ; do
     iconv -f iso-8859-2 -t utf8 < $f > $f.utf8
@@ -315,6 +313,9 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Wed Aug 20 2014 Rex Dieter <rdieter at fedoraproject.org> 1.3.20-1
+- 1.3.20, CVE-2014-1947 (#1064098,#1083082)
+
 * Fri Aug 15 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.3.19-9
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
 
diff --git a/sources b/sources
index a814bf8..08d7599 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-e2795d7bdc2f3917804e40c8cae1993e  GraphicsMagick-1.3.19.tar.xz
+5bb456e3466026ada6f12cc53c9776dc  GraphicsMagick-1.3.20.tar.xz

