[ImageMagick/f20] Backport patches to fix CVE-2014-8354 and CVE-2014-8355 in Fedora20
Pavel Alexeev
hubbitus at fedoraproject.org
Tue Mar 10 17:22:31 UTC 2015
commit 86767a6ec320409710c494f095451584bebeddbc
Author: Hubbitus <pahan at hubbitus.info>
Date: Tue Mar 10 20:21:59 2015 +0300
Backport patches to fix CVE-2014-8354 and CVE-2014-8355 in Fedora20
- Backport upstream fix http://trac.imagemagick.org/changeset/16765 (bz#1158520) for CVE-2014-8354
Add Patch1: ImageMagick-6.8.7-CVE-2014-8354.patch
- Backport upstream fix http://trac.imagemagick.org/changeset/16774 (bz#1158524) for CVE-2014-8355
Add Patch2: ImageMagick-6.8.6-CVE-2014-8355.patch
ImageMagick-6.8.6-CVE-2014-8354.patch | 18 ++
ImageMagick-6.8.6-CVE-2014-8355.patch | 345 ++++++++++++++++++++++++++++++++++
ImageMagick.spec | 15 +-
3 files changed, 377 insertions(+), 1 deletion(-)
---
diff --git a/ImageMagick-6.8.6-CVE-2014-8354.patch b/ImageMagick-6.8.6-CVE-2014-8354.patch
new file mode 100644
index 0000000..7753d4f
--- /dev/null
+++ b/ImageMagick-6.8.6-CVE-2014-8354.patch
@@ -0,0 +1,18 @@
+Index: ImageMagick/trunk/MagickCore/resize.c
+===================================================================
+--- a/ImageMagick/trunk/magick/resize.c
++++ b/ImageMagick/trunk/magick/resize.c
+@@ -2498,4 +2498,6 @@
+ density+=contribution[n].weight;
+ }
++ if (n == 0)
++ continue;
+ if ((density != 0.0) && (density != 1.0))
+ {
+@@ -2711,4 +2713,6 @@
+ density+=contribution[n].weight;
+ }
++ if (n == 0)
++ continue;
+ if ((density != 0.0) && (density != 1.0))
+ {
diff --git a/ImageMagick-6.8.6-CVE-2014-8355.patch b/ImageMagick-6.8.6-CVE-2014-8355.patch
new file mode 100644
index 0000000..5174b62
--- /dev/null
+++ b/ImageMagick-6.8.6-CVE-2014-8355.patch
@@ -0,0 +1,345 @@
+--- orig/coders/pcx.c 2013-04-07 20:20:50.000000000 +0400
++++ fixed/coders/pcx.c 2015-03-10 13:30:49.758099539 +0300
+@@ -13,11 +13,11 @@
+ % Read/Write ZSoft IBM PC Paintbrush Image Format %
+ % %
+ % Software Design %
+-% John Cristy %
++% Cristy %
+ % July 1992 %
+ % %
+ % %
+-% Copyright 1999-2013 ImageMagick Studio LLC, a non-profit organization %
++% Copyright 1999-2014 ImageMagick Studio LLC, a non-profit organization %
+ % dedicated to making software imaging solutions freely available. %
+ % %
+ % You may not use this file except in compliance with the License. You may %
+@@ -40,6 +40,7 @@
+ Include declarations.
+ */
+ #include "magick/studio.h"
++#include "magick/attribute.h"
+ #include "magick/blob.h"
+ #include "magick/blob-private.h"
+ #include "magick/cache.h"
+@@ -220,6 +221,13 @@
+
+ static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
++#define ThrowPCXException(severity,tag) \
++ { \
++ scanline=(unsigned char *) RelinquishMagickMemory(scanline); \
++ pixel_info=RelinquishVirtualMemory(pixel_info); \
++ ThrowReaderException(severity,tag); \
++ }
++
+ Image
+ *image;
+
+@@ -235,6 +243,9 @@
+ offset,
+ *page_table;
+
++ MemoryInfo
++ *pixel_info;
++
+ PCXInfo
+ pcx_info;
+
+@@ -264,8 +275,8 @@
+
+ unsigned char
+ packet,
+- *pcx_colormap,
+- *pcx_pixels,
++ pcx_colormap[768],
++ *pixels,
+ *scanline;
+
+ /*
+@@ -317,10 +328,12 @@
+ if (offset < 0)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
+- pcx_colormap=(unsigned char *) NULL;
+ count=ReadBlob(image,1,&pcx_info.identifier);
+ for (id=1; id < 1024; id++)
+ {
++ int
++ bits_per_pixel;
++
+ /*
+ Verify PCX identifier.
+ */
+@@ -328,7 +341,10 @@
+ if ((count == 0) || (pcx_info.identifier != 0x0a))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ pcx_info.encoding=(unsigned char) ReadBlobByte(image);
+- pcx_info.bits_per_pixel=(unsigned char) ReadBlobByte(image);
++ bits_per_pixel=ReadBlobByte(image);
++ if (bits_per_pixel == -1)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ pcx_info.bits_per_pixel=(unsigned char) bits_per_pixel;
+ pcx_info.left=ReadBlobLSBShort(image);
+ pcx_info.top=ReadBlobLSBShort(image);
+ pcx_info.right=ReadBlobLSBShort(image);
+@@ -350,13 +366,11 @@
+ image->x_resolution=(double) pcx_info.horizontal_resolution;
+ image->y_resolution=(double) pcx_info.vertical_resolution;
+ image->colors=16;
+- pcx_colormap=(unsigned char *) AcquireQuantumMemory(256UL,
+- 3*sizeof(*pcx_colormap));
+- if (pcx_colormap == (unsigned char *) NULL)
+- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ count=ReadBlob(image,3*image->colors,pcx_colormap);
+ pcx_info.reserved=(unsigned char) ReadBlobByte(image);
+ pcx_info.planes=(unsigned char) ReadBlobByte(image);
++ if ((pcx_info.bits_per_pixel*pcx_info.planes) >= 64)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ one=1;
+ if ((pcx_info.bits_per_pixel != 8) || (pcx_info.planes == 1))
+ if ((pcx_info.version == 3) || (pcx_info.version == 5) ||
+@@ -384,25 +398,33 @@
+ /*
+ Read image data.
+ */
+- pcx_packets=(size_t) image->rows*pcx_info.bytes_per_line*
+- pcx_info.planes;
+- pcx_pixels=(unsigned char *) AcquireQuantumMemory(pcx_packets,
+- sizeof(*pcx_pixels));
++ pcx_packets=(size_t) image->rows*pcx_info.bytes_per_line*pcx_info.planes;
++ if ((size_t) (pcx_info.bits_per_pixel*pcx_info.planes*image->columns) >
++ (pcx_packets*8U))
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ scanline=(unsigned char *) AcquireQuantumMemory(MagickMax(image->columns,
+ pcx_info.bytes_per_line),MagickMax(8,pcx_info.planes)*sizeof(*scanline));
+- if ((pcx_pixels == (unsigned char *) NULL) ||
+- (scanline == (unsigned char *) NULL))
+- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ pixel_info=AcquireVirtualMemory(pcx_packets,sizeof(*pixels));
++ if ((scanline == (unsigned char *) NULL) ||
++ (pixel_info == (MemoryInfo *) NULL))
++ {
++ if (scanline != (unsigned char *) NULL)
++ scanline=(unsigned char *) RelinquishMagickMemory(scanline);
++ if (pixel_info != (MemoryInfo *) NULL)
++ pixel_info=RelinquishVirtualMemory(pixel_info);
++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ }
++ pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
+ /*
+ Uncompress image data.
+ */
+- p=pcx_pixels;
++ p=pixels;
+ if (pcx_info.encoding == 0)
+ while (pcx_packets != 0)
+ {
+ packet=(unsigned char) ReadBlobByte(image);
+ if (EOFBlob(image) != MagickFalse)
+- ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
++ ThrowPCXException(CorruptImageError,"UnexpectedEndOfFile");
+ *p++=packet;
+ pcx_packets--;
+ }
+@@ -411,7 +433,7 @@
+ {
+ packet=(unsigned char) ReadBlobByte(image);
+ if (EOFBlob(image) != MagickFalse)
+- ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
++ ThrowPCXException(CorruptImageError,"UnexpectedEndOfFile");
+ if ((packet & 0xc0) != 0xc0)
+ {
+ *p++=packet;
+@@ -421,7 +443,7 @@
+ count=(ssize_t) (packet & 0x3f);
+ packet=(unsigned char) ReadBlobByte(image);
+ if (EOFBlob(image) != MagickFalse)
+- ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
++ ThrowPCXException(CorruptImageError,"UnexpectedEndOfFile");
+ for ( ; count != 0; count--)
+ {
+ *p++=packet;
+@@ -440,7 +462,7 @@
+ Initialize image colormap.
+ */
+ if (image->colors > 256)
+- ThrowReaderException(CorruptImageError,"ColormapExceeds256Colors");
++ ThrowPCXException(CorruptImageError,"ColormapExceeds256Colors");
+ if ((pcx_info.bits_per_pixel*pcx_info.planes) == 1)
+ {
+ /*
+@@ -469,14 +491,13 @@
+ image->colormap[i].blue=ScaleCharToQuantum(*p++);
+ }
+ }
+- pcx_colormap=(unsigned char *) RelinquishMagickMemory(pcx_colormap);
+ }
+ /*
+ Convert PCX raster image to pixel packets.
+ */
+ for (y=0; y < (ssize_t) image->rows; y++)
+ {
+- p=pcx_pixels+(y*pcx_info.bytes_per_line*pcx_info.planes);
++ p=pixels+(y*pcx_info.bytes_per_line*pcx_info.planes);
+ q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
+ if (q == (PixelPacket *) NULL)
+ break;
+@@ -626,9 +647,7 @@
+ if (image->storage_class == PseudoClass)
+ (void) SyncImage(image);
+ scanline=(unsigned char *) RelinquishMagickMemory(scanline);
+- if (pcx_colormap != (unsigned char *) NULL)
+- pcx_colormap=(unsigned char *) RelinquishMagickMemory(pcx_colormap);
+- pcx_pixels=(unsigned char *) RelinquishMagickMemory(pcx_pixels);
++ pixel_info=RelinquishVirtualMemory(pixel_info);
+ if (EOFBlob(image) != MagickFalse)
+ {
+ ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile",
+@@ -839,6 +858,9 @@
+ *page_table,
+ scene;
+
++ MemoryInfo
++ *pixel_info;
++
+ PCXInfo
+ pcx_info;
+
+@@ -863,7 +885,7 @@
+
+ unsigned char
+ *pcx_colormap,
+- *pcx_pixels;
++ *pixels;
+
+ /*
+ Open output image file.
+@@ -877,8 +899,7 @@
+ status=OpenBlob(image_info,image,WriteBinaryBlobMode,&image->exception);
+ if (status == MagickFalse)
+ return(status);
+- if (IssRGBCompatibleColorspace(image->colorspace) == MagickFalse)
+- (void) TransformImageColorspace(image,sRGBColorspace);
++ (void) TransformImageColorspace(image,sRGBColorspace);
+ page_table=(MagickOffsetType *) NULL;
+ if ((LocaleCompare(image_info->magick,"DCX") == 0) ||
+ ((GetNextImageInList(image) != (Image *) NULL) &&
+@@ -982,29 +1003,24 @@
+ for (i=0; i < 58; i++)
+ (void) WriteBlobByte(image,'\0');
+ length=(size_t) pcx_info.bytes_per_line;
+- pcx_pixels=(unsigned char *) AcquireQuantumMemory(length,pcx_info.planes*
+- sizeof(*pcx_pixels));
+- if (pcx_pixels == (unsigned char *) NULL)
++ pixel_info=AcquireVirtualMemory(length,pcx_info.planes*sizeof(*pixels));
++ if (pixel_info == (MemoryInfo *) NULL)
+ ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
+- q=pcx_pixels;
++ pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
++ q=pixels;
+ if ((image->storage_class == DirectClass) || (image->colors > 256))
+ {
+- const PixelPacket
+- *pixels;
+-
+ /*
+ Convert DirectClass image to PCX raster pixels.
+ */
+ for (y=0; y < (ssize_t) image->rows; y++)
+ {
+- pixels=GetVirtualPixels(image,0,y,image->columns,1,
+- &image->exception);
+- if (pixels == (const PixelPacket *) NULL)
+- break;
+- q=pcx_pixels;
++ q=pixels;
+ for (i=0; i < pcx_info.planes; i++)
+ {
+- p=pixels;
++ p=GetVirtualPixels(image,0,y,image->columns,1,&image->exception);
++ if (p == (const PixelPacket *) NULL)
++ break;
+ switch ((int) i)
+ {
+ case 0:
+@@ -1047,7 +1063,7 @@
+ }
+ }
+ }
+- if (PCXWritePixels(&pcx_info,pcx_pixels,image) == MagickFalse)
++ if (PCXWritePixels(&pcx_info,pixels,image) == MagickFalse)
+ break;
+ if (image->previous == (Image *) NULL)
+ {
+@@ -1067,10 +1083,10 @@
+ if (p == (const PixelPacket *) NULL)
+ break;
+ indexes=GetVirtualIndexQueue(image);
+- q=pcx_pixels;
++ q=pixels;
+ for (x=0; x < (ssize_t) image->columns; x++)
+ *q++=(unsigned char) GetPixelIndex(indexes+x);
+- if (PCXWritePixels(&pcx_info,pcx_pixels,image) == MagickFalse)
++ if (PCXWritePixels(&pcx_info,pixels,image) == MagickFalse)
+ break;
+ if (image->previous == (Image *) NULL)
+ {
+@@ -1082,9 +1098,6 @@
+ }
+ else
+ {
+- IndexPacket
+- polarity;
+-
+ register unsigned char
+ bit,
+ byte;
+@@ -1092,26 +1105,19 @@
+ /*
+ Convert PseudoClass image to a PCX monochrome image.
+ */
+- polarity=(IndexPacket) (GetPixelLuma(image,
+- &image->colormap[0]) < (QuantumRange/2) ? 1 : 0);
+- if (image->colors == 2)
+- polarity=(IndexPacket) (
+- GetPixelLuma(image,&image->colormap[0]) <
+- GetPixelLuma(image,&image->colormap[1]) ? 1 : 0);
+ for (y=0; y < (ssize_t) image->rows; y++)
+ {
+- p=GetVirtualPixels(image,0,y,image->columns,1,
+- &image->exception);
++ p=GetVirtualPixels(image,0,y,image->columns,1,&image->exception);
+ if (p == (const PixelPacket *) NULL)
+ break;
+ indexes=GetVirtualIndexQueue(image);
+ bit=0;
+ byte=0;
+- q=pcx_pixels;
++ q=pixels;
+ for (x=0; x < (ssize_t) image->columns; x++)
+ {
+ byte<<=1;
+- if (GetPixelIndex(indexes+x) == polarity)
++ if (GetPixelLuma(image,p) >= (QuantumRange/2.0))
+ byte|=0x01;
+ bit++;
+ if (bit == 8)
+@@ -1124,7 +1130,7 @@
+ }
+ if (bit != 0)
+ *q++=byte << (8-bit);
+- if (PCXWritePixels(&pcx_info,pcx_pixels,image) == MagickFalse)
++ if (PCXWritePixels(&pcx_info,pixels,image) == MagickFalse)
+ break;
+ if (image->previous == (Image *) NULL)
+ {
+@@ -1138,7 +1144,7 @@
+ (void) WriteBlobByte(image,pcx_info.colormap_signature);
+ (void) WriteBlob(image,3*256,pcx_colormap);
+ }
+- pcx_pixels=(unsigned char *) RelinquishMagickMemory(pcx_pixels);
++ pixel_info=RelinquishVirtualMemory(pixel_info);
+ pcx_colormap=(unsigned char *) RelinquishMagickMemory(pcx_colormap);
+ if (page_table == (MagickOffsetType *) NULL)
+ break;
diff --git a/ImageMagick.spec b/ImageMagick.spec
index ac0e3df..21985aa 100644
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@@ -3,7 +3,7 @@
Name: ImageMagick
Version: %{VER}.%{Patchlevel}
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: An X application for displaying and manipulating images
Group: Applications/Multimedia
License: ImageMagick
@@ -14,6 +14,11 @@ Requires: %{name}-libs = %{version}-%{release}
# CVE bug fix backporting: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=25128&sid=ff40ad66b1f845c767aa77c7e32f9f9c&p=109901#p109901
Patch0: ImageMagick-6.8.7-psd-CVE.patch
+# Backport upstream fix http://trac.imagemagick.org/changeset/16765 (bz#1158520)
+Patch1: ImageMagick-6.8.6-CVE-2014-8354.patch
+# Backport upstream fix http://trac.imagemagick.org/changeset/16774#file0 (bz#1158524)
+Patch2: ImageMagick-6.8.6-CVE-2014-8355.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: bzip2-devel, freetype-devel, libjpeg-devel, libpng-devel
@@ -136,6 +141,8 @@ however.
%prep
%setup -q -n %{name}-%{VER}-%{Patchlevel}
%patch0 -p4 -b .cve
+%patch1 -p3 -b .cve-2014-5354
+%patch2 -p1 -b .cve-2014-5355
sed -i 's/libltdl.la/libltdl.so/g' configure
iconv -f ISO-8859-1 -t UTF-8 README.txt > README.txt.tmp
@@ -324,6 +331,12 @@ rm -rf %{buildroot}
%doc PerlMagick/demo/ PerlMagick/Changelog PerlMagick/README.txt
%changelog
+* Mon Mar 09 2015 Pavel Alexeev <Pahan at Hubbitus.info> - 6.8.6.3-5
+- Backport upstream fix http://trac.imagemagick.org/changeset/16765 (bz#1158520) for CVE-2014-8354
+ Add Patch1: ImageMagick-6.8.7-CVE-2014-8354.patch
+- Backport upstream fix http://trac.imagemagick.org/changeset/16774 (bz#1158524) for CVE-2014-8355
+ Add Patch2: ImageMagick-6.8.6-CVE-2014-8355.patch
+
* Thu Apr 3 2014 Pavel Alexeev <Pahan at Hubbitus.info> - 6.8.6.3-4
- Build 6.8.6-3 version because soname bump happened in newer.
- Concretize soname versioning.
More information about the scm-commits
mailing list