[ImageMagick/f21: 4/4] Fix 6 security issues
Pavel Alexeev
hubbitus at fedoraproject.org
Tue Mar 10 22:54:20 UTC 2015
commit a7581637fb0a42eb95d178f7a24286c40bcc57fe
Merge: 17a226f 86767a6
Author: Hubbitus <pahan at hubbitus.info>
Date: Wed Mar 11 01:53:19 2015 +0300
Fix 6 security issues
Merge remote-tracking branch 'origin/f20' into f21
- Merge fixes from f20 branch (some rabased):
o Backport upstream fix http://trac.imagemagick.org/changeset/16765 (bz#1158520) for CVE-2014-8354
Add Patch1: ImageMagick-6.8.7-CVE-2014-8354.patch
o Backport upstream fix http://trac.imagemagick.org/changeset/16774 (bz#1158524) for CVE-2014-8355
Add Patch2: ImageMagick-6.8.6-CVE-2014-8355.patch
- Concretize soname versions.
- Fix 4 more security bags:
o Backport upstream fix http://trac.imagemagick.org/changeset/17846 - bz#1195263
Add Patch3: ImageMagick-6.8.6-hdr-bz#1195263.patch
o Backport upstream fix http://trac.imagemagick.org/changeset/17854 - bz#1195265
Add Patch4: ImageMagick-6.8.6-miff-bz#1195265.patch
o Backport upstream fix http://trac.imagemagick.org/changeset/17855 - bz#1195269
Add Patch5: ImageMagick-6.8.6-pdb-bz#1195269.patch
o Backport upstream fix http://trac.imagemagick.org/changeset/17856 - bz#1195271
Add Patch6: ImageMagick-6.8.6-vicar-bz#1195271.patch
Conflicts:
ImageMagick.spec
ImageMagick-6.8.6-CVE-2014-8354.patch | 18 +++++
ImageMagick-6.8.6-CVE-2014-8355.patch | 109 +++++++++++++++++++++++++++++++
ImageMagick-6.8.6-hdr-bz#1195263.patch | 69 +++++++++++++++++++
ImageMagick-6.8.6-miff-bz#1195265.patch | 54 +++++++++++++++
ImageMagick-6.8.6-pdb-bz#1195269.patch | 19 ++++++
ImageMagick-6.8.6-vicar-bz#1195271.patch | 11 ++++
ImageMagick-6.8.7-psd-CVE.patch | 25 +++++++
ImageMagick.spec | 73 ++++++++++++++-------
8 files changed, 353 insertions(+), 25 deletions(-)
---
diff --cc ImageMagick-6.8.6-CVE-2014-8355.patch
index 0000000,5174b62..db43c8e
mode 000000,100644..100644
--- a/ImageMagick-6.8.6-CVE-2014-8355.patch
+++ b/ImageMagick-6.8.6-CVE-2014-8355.patch
@@@ -1,0 -1,345 +1,109 @@@
---- orig/coders/pcx.c 2013-04-07 20:20:50.000000000 +0400
-+++ fixed/coders/pcx.c 2015-03-10 13:30:49.758099539 +0300
-@@ -13,11 +13,11 @@
- % Read/Write ZSoft IBM PC Paintbrush Image Format %
- % %
- % Software Design %
--% John Cristy %
-+% Cristy %
- % July 1992 %
- % %
- % %
--% Copyright 1999-2013 ImageMagick Studio LLC, a non-profit organization %
-+% Copyright 1999-2014 ImageMagick Studio LLC, a non-profit organization %
- % dedicated to making software imaging solutions freely available. %
- % %
- % You may not use this file except in compliance with the License. You may %
-@@ -40,6 +40,7 @@
- Include declarations.
- */
- #include "magick/studio.h"
-+#include "magick/attribute.h"
- #include "magick/blob.h"
- #include "magick/blob-private.h"
- #include "magick/cache.h"
-@@ -220,6 +221,13 @@
++diff -ru ImageMagick-6.8.8-10.orig/coders/pcx.c ImageMagick-6.8.8-10/coders/pcx.c
++--- ImageMagick-6.8.8-10.orig/coders/pcx.c 2014-02-23 03:29:04.000000000 +0400
+++++ ImageMagick-6.8.8-10/coders/pcx.c 2015-03-11 01:23:23.618561284 +0300
++@@ -221,6 +221,13 @@
+
+ static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+ +#define ThrowPCXException(severity,tag) \
+ + { \
+ + scanline=(unsigned char *) RelinquishMagickMemory(scanline); \
+ + pixel_info=RelinquishVirtualMemory(pixel_info); \
+ + ThrowReaderException(severity,tag); \
+ + }
+ +
+ Image
+ *image;
+
-@@ -235,6 +243,9 @@
- offset,
- *page_table;
-
-+ MemoryInfo
-+ *pixel_info;
-+
- PCXInfo
- pcx_info;
-
-@@ -264,8 +275,8 @@
++@@ -268,7 +275,7 @@
+
+ unsigned char
+ packet,
+ - *pcx_colormap,
-- *pcx_pixels,
+ + pcx_colormap[768],
-+ *pixels,
++ *pixels,
+ *scanline;
+
- /*
-@@ -317,10 +328,12 @@
++@@ -321,7 +328,6 @@
+ if (offset < 0)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
+ - pcx_colormap=(unsigned char *) NULL;
+ count=ReadBlob(image,1,&pcx_info.identifier);
+ for (id=1; id < 1024; id++)
+ {
-+ int
-+ bits_per_pixel;
-+
- /*
- Verify PCX identifier.
- */
-@@ -328,7 +341,10 @@
- if ((count == 0) || (pcx_info.identifier != 0x0a))
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
- pcx_info.encoding=(unsigned char) ReadBlobByte(image);
-- pcx_info.bits_per_pixel=(unsigned char) ReadBlobByte(image);
-+ bits_per_pixel=ReadBlobByte(image);
-+ if (bits_per_pixel == -1)
-+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
-+ pcx_info.bits_per_pixel=(unsigned char) bits_per_pixel;
- pcx_info.left=ReadBlobLSBShort(image);
- pcx_info.top=ReadBlobLSBShort(image);
- pcx_info.right=ReadBlobLSBShort(image);
-@@ -350,13 +366,11 @@
++@@ -354,10 +360,6 @@
+ image->x_resolution=(double) pcx_info.horizontal_resolution;
+ image->y_resolution=(double) pcx_info.vertical_resolution;
+ image->colors=16;
+ - pcx_colormap=(unsigned char *) AcquireQuantumMemory(256UL,
+ - 3*sizeof(*pcx_colormap));
+ - if (pcx_colormap == (unsigned char *) NULL)
+ - ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ count=ReadBlob(image,3*image->colors,pcx_colormap);
+ pcx_info.reserved=(unsigned char) ReadBlobByte(image);
+ pcx_info.planes=(unsigned char) ReadBlobByte(image);
-+ if ((pcx_info.bits_per_pixel*pcx_info.planes) >= 64)
-+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
- one=1;
- if ((pcx_info.bits_per_pixel != 8) || (pcx_info.planes == 1))
- if ((pcx_info.version == 3) || (pcx_info.version == 5) ||
-@@ -384,25 +398,33 @@
- /*
++@@ -389,6 +391,9 @@
+ Read image data.
+ */
-- pcx_packets=(size_t) image->rows*pcx_info.bytes_per_line*
-- pcx_info.planes;
-- pcx_pixels=(unsigned char *) AcquireQuantumMemory(pcx_packets,
-- sizeof(*pcx_pixels));
-+ pcx_packets=(size_t) image->rows*pcx_info.bytes_per_line*pcx_info.planes;
++ pcx_packets=(size_t) image->rows*pcx_info.bytes_per_line*pcx_info.planes;
+ + if ((size_t) (pcx_info.bits_per_pixel*pcx_info.planes*image->columns) >
+ + (pcx_packets*8U))
+ + ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ scanline=(unsigned char *) AcquireQuantumMemory(MagickMax(image->columns,
+ pcx_info.bytes_per_line),MagickMax(8,pcx_info.planes)*sizeof(*scanline));
-- if ((pcx_pixels == (unsigned char *) NULL) ||
-- (scanline == (unsigned char *) NULL))
-- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-+ pixel_info=AcquireVirtualMemory(pcx_packets,sizeof(*pixels));
-+ if ((scanline == (unsigned char *) NULL) ||
-+ (pixel_info == (MemoryInfo *) NULL))
-+ {
-+ if (scanline != (unsigned char *) NULL)
-+ scanline=(unsigned char *) RelinquishMagickMemory(scanline);
-+ if (pixel_info != (MemoryInfo *) NULL)
-+ pixel_info=RelinquishVirtualMemory(pixel_info);
-+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-+ }
-+ pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
- /*
- Uncompress image data.
- */
-- p=pcx_pixels;
-+ p=pixels;
- if (pcx_info.encoding == 0)
- while (pcx_packets != 0)
++ pixel_info=AcquireVirtualMemory(pcx_packets,sizeof(*pixels));
++@@ -411,7 +416,7 @@
+ {
+ packet=(unsigned char) ReadBlobByte(image);
+ if (EOFBlob(image) != MagickFalse)
+ - ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
+ + ThrowPCXException(CorruptImageError,"UnexpectedEndOfFile");
+ *p++=packet;
+ pcx_packets--;
+ }
-@@ -411,7 +433,7 @@
++@@ -420,7 +425,7 @@
+ {
+ packet=(unsigned char) ReadBlobByte(image);
+ if (EOFBlob(image) != MagickFalse)
+ - ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
+ + ThrowPCXException(CorruptImageError,"UnexpectedEndOfFile");
+ if ((packet & 0xc0) != 0xc0)
+ {
+ *p++=packet;
-@@ -421,7 +443,7 @@
++@@ -430,7 +435,7 @@
+ count=(ssize_t) (packet & 0x3f);
+ packet=(unsigned char) ReadBlobByte(image);
+ if (EOFBlob(image) != MagickFalse)
+ - ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
+ + ThrowPCXException(CorruptImageError,"UnexpectedEndOfFile");
+ for ( ; count != 0; count--)
+ {
+ *p++=packet;
-@@ -440,7 +462,7 @@
++@@ -449,7 +454,7 @@
+ Initialize image colormap.
+ */
+ if (image->colors > 256)
+ - ThrowReaderException(CorruptImageError,"ColormapExceeds256Colors");
+ + ThrowPCXException(CorruptImageError,"ColormapExceeds256Colors");
+ if ((pcx_info.bits_per_pixel*pcx_info.planes) == 1)
+ {
+ /*
-@@ -469,14 +491,13 @@
++@@ -478,7 +483,6 @@
+ image->colormap[i].blue=ScaleCharToQuantum(*p++);
+ }
+ }
+ - pcx_colormap=(unsigned char *) RelinquishMagickMemory(pcx_colormap);
+ }
+ /*
+ Convert PCX raster image to pixel packets.
- */
- for (y=0; y < (ssize_t) image->rows; y++)
- {
-- p=pcx_pixels+(y*pcx_info.bytes_per_line*pcx_info.planes);
-+ p=pixels+(y*pcx_info.bytes_per_line*pcx_info.planes);
- q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
- if (q == (PixelPacket *) NULL)
- break;
-@@ -626,9 +647,7 @@
++@@ -634,8 +638,6 @@
++ }
+ if (image->storage_class == PseudoClass)
+ (void) SyncImage(image);
- scanline=(unsigned char *) RelinquishMagickMemory(scanline);
+ - if (pcx_colormap != (unsigned char *) NULL)
+ - pcx_colormap=(unsigned char *) RelinquishMagickMemory(pcx_colormap);
-- pcx_pixels=(unsigned char *) RelinquishMagickMemory(pcx_pixels);
-+ pixel_info=RelinquishVirtualMemory(pixel_info);
++ scanline=(unsigned char *) RelinquishMagickMemory(scanline);
++ pixel_info=RelinquishVirtualMemory(pixel_info);
+ if (EOFBlob(image) != MagickFalse)
- {
- ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile",
-@@ -839,6 +858,9 @@
- *page_table,
- scene;
-
-+ MemoryInfo
-+ *pixel_info;
-+
- PCXInfo
- pcx_info;
-
-@@ -863,7 +885,7 @@
-
- unsigned char
- *pcx_colormap,
-- *pcx_pixels;
-+ *pixels;
-
- /*
- Open output image file.
-@@ -877,8 +899,7 @@
- status=OpenBlob(image_info,image,WriteBinaryBlobMode,&image->exception);
- if (status == MagickFalse)
- return(status);
-- if (IssRGBCompatibleColorspace(image->colorspace) == MagickFalse)
-- (void) TransformImageColorspace(image,sRGBColorspace);
-+ (void) TransformImageColorspace(image,sRGBColorspace);
- page_table=(MagickOffsetType *) NULL;
- if ((LocaleCompare(image_info->magick,"DCX") == 0) ||
- ((GetNextImageInList(image) != (Image *) NULL) &&
-@@ -982,29 +1003,24 @@
- for (i=0; i < 58; i++)
- (void) WriteBlobByte(image,'\0');
- length=(size_t) pcx_info.bytes_per_line;
-- pcx_pixels=(unsigned char *) AcquireQuantumMemory(length,pcx_info.planes*
-- sizeof(*pcx_pixels));
-- if (pcx_pixels == (unsigned char *) NULL)
-+ pixel_info=AcquireVirtualMemory(length,pcx_info.planes*sizeof(*pixels));
-+ if (pixel_info == (MemoryInfo *) NULL)
- ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
-- q=pcx_pixels;
-+ pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
-+ q=pixels;
- if ((image->storage_class == DirectClass) || (image->colors > 256))
- {
-- const PixelPacket
-- *pixels;
--
- /*
- Convert DirectClass image to PCX raster pixels.
- */
- for (y=0; y < (ssize_t) image->rows; y++)
- {
-- pixels=GetVirtualPixels(image,0,y,image->columns,1,
-- &image->exception);
-- if (pixels == (const PixelPacket *) NULL)
-- break;
-- q=pcx_pixels;
-+ q=pixels;
- for (i=0; i < pcx_info.planes; i++)
- {
-- p=pixels;
-+ p=GetVirtualPixels(image,0,y,image->columns,1,&image->exception);
-+ if (p == (const PixelPacket *) NULL)
-+ break;
- switch ((int) i)
- {
- case 0:
-@@ -1047,7 +1063,7 @@
- }
- }
- }
-- if (PCXWritePixels(&pcx_info,pcx_pixels,image) == MagickFalse)
-+ if (PCXWritePixels(&pcx_info,pixels,image) == MagickFalse)
- break;
- if (image->previous == (Image *) NULL)
- {
-@@ -1067,10 +1083,10 @@
- if (p == (const PixelPacket *) NULL)
- break;
- indexes=GetVirtualIndexQueue(image);
-- q=pcx_pixels;
-+ q=pixels;
- for (x=0; x < (ssize_t) image->columns; x++)
- *q++=(unsigned char) GetPixelIndex(indexes+x);
-- if (PCXWritePixels(&pcx_info,pcx_pixels,image) == MagickFalse)
-+ if (PCXWritePixels(&pcx_info,pixels,image) == MagickFalse)
- break;
- if (image->previous == (Image *) NULL)
- {
-@@ -1082,9 +1098,6 @@
- }
- else
- {
-- IndexPacket
-- polarity;
--
- register unsigned char
- bit,
- byte;
-@@ -1092,26 +1105,19 @@
- /*
- Convert PseudoClass image to a PCX monochrome image.
- */
-- polarity=(IndexPacket) (GetPixelLuma(image,
-- &image->colormap[0]) < (QuantumRange/2) ? 1 : 0);
-- if (image->colors == 2)
-- polarity=(IndexPacket) (
-- GetPixelLuma(image,&image->colormap[0]) <
-- GetPixelLuma(image,&image->colormap[1]) ? 1 : 0);
- for (y=0; y < (ssize_t) image->rows; y++)
- {
-- p=GetVirtualPixels(image,0,y,image->columns,1,
-- &image->exception);
-+ p=GetVirtualPixels(image,0,y,image->columns,1,&image->exception);
- if (p == (const PixelPacket *) NULL)
- break;
- indexes=GetVirtualIndexQueue(image);
- bit=0;
- byte=0;
-- q=pcx_pixels;
-+ q=pixels;
- for (x=0; x < (ssize_t) image->columns; x++)
- {
- byte<<=1;
-- if (GetPixelIndex(indexes+x) == polarity)
-+ if (GetPixelLuma(image,p) >= (QuantumRange/2.0))
- byte|=0x01;
- bit++;
- if (bit == 8)
-@@ -1124,7 +1130,7 @@
- }
- if (bit != 0)
- *q++=byte << (8-bit);
-- if (PCXWritePixels(&pcx_info,pcx_pixels,image) == MagickFalse)
-+ if (PCXWritePixels(&pcx_info,pixels,image) == MagickFalse)
- break;
- if (image->previous == (Image *) NULL)
- {
-@@ -1138,7 +1144,7 @@
- (void) WriteBlobByte(image,pcx_info.colormap_signature);
- (void) WriteBlob(image,3*256,pcx_colormap);
- }
-- pcx_pixels=(unsigned char *) RelinquishMagickMemory(pcx_pixels);
-+ pixel_info=RelinquishVirtualMemory(pixel_info);
- pcx_colormap=(unsigned char *) RelinquishMagickMemory(pcx_colormap);
- if (page_table == (MagickOffsetType *) NULL)
- break;
++Только в ImageMagick-6.8.8-10/coders: pcx.c.orig
diff --cc ImageMagick-6.8.6-hdr-bz#1195263.patch
index 0000000,0000000..e0f069b
new file mode 100644
--- /dev/null
+++ b/ImageMagick-6.8.6-hdr-bz#1195263.patch
@@@ -1,0 -1,0 +1,69 @@@
++Index: ImageMagick/branches/ImageMagick-6/ChangeLog
++===================================================================
++--- a/ImageMagick/branches/ImageMagick-6/ChangeLog
+++++ b/ImageMagick/branches/ImageMagick-6/ChangeLog
++@@ -1,6 +1,8 @@
++ 2013-07-01 6.8.6-3 Cristy <quetzlzacatenango at image...>
++ * New version 6.8.6-3, SVN revision 12579.
++
+++ * Fixed infinite loop in HDR reader (reference
+++ http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26929).
++ 2013-06-26 6.8.6-3 Cristy <quetzlzacatenango at image...>
++ * Improve HCL to RGB roundtrip (reference
++ http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=22384).
++
++Index: ImageMagick/branches/ImageMagick-6/coders/hdr.c
++===================================================================
++--- a/ImageMagick/branches/ImageMagick-6/coders/hdr.c
+++++ b/ImageMagick/branches/ImageMagick-6/coders/hdr.c
++@@ -275,5 +275,5 @@
++ continue;
++ p=value;
++- while ((c != '\n') && (c != '\0'))
+++ while ((c != '\n') && (c != '\0') && (c != EOF))
++ {
++ if ((size_t) (p-value) < (MaxTextExtent-1))
++@@ -320,16 +320,18 @@
++ white_point[2];
++
++- (void) sscanf(value,"%g %g %g %g %g %g %g %g",
++- &chromaticity[0],&chromaticity[1],&chromaticity[2],
++- &chromaticity[3],&chromaticity[4],&chromaticity[5],
++- &white_point[0],&white_point[1]);
++- image->chromaticity.red_primary.x=chromaticity[0];
++- image->chromaticity.red_primary.y=chromaticity[1];
++- image->chromaticity.green_primary.x=chromaticity[2];
++- image->chromaticity.green_primary.y=chromaticity[3];
++- image->chromaticity.blue_primary.x=chromaticity[4];
++- image->chromaticity.blue_primary.y=chromaticity[5];
++- image->chromaticity.white_point.x=white_point[0],
++- image->chromaticity.white_point.y=white_point[1];
+++ if (sscanf(value,"%g %g %g %g %g %g %g %g",&chromaticity[0],
+++ &chromaticity[1],&chromaticity[2],&chromaticity[3],
+++ &chromaticity[4],&chromaticity[5],&white_point[0],
+++ &white_point[1]) == 8)
+++ {
+++ image->chromaticity.red_primary.x=chromaticity[0];
+++ image->chromaticity.red_primary.y=chromaticity[1];
+++ image->chromaticity.green_primary.x=chromaticity[2];
+++ image->chromaticity.green_primary.y=chromaticity[3];
+++ image->chromaticity.blue_primary.x=chromaticity[4];
+++ image->chromaticity.blue_primary.y=chromaticity[5];
+++ image->chromaticity.white_point.x=white_point[0],
+++ image->chromaticity.white_point.y=white_point[1];
+++ }
++ break;
++ }
++@@ -350,7 +352,9 @@
++ width;
++
++- (void) sscanf(value,"%d +X %d",&height,&width);
++- image->columns=(size_t) width;
++- image->rows=(size_t) height;
+++ if (sscanf(value,"%d +X %d",&height,&width) == 2)
+++ {
+++ image->columns=(size_t) width;
+++ image->rows=(size_t) height;
+++ }
++ break;
++ }
diff --cc ImageMagick-6.8.6-miff-bz#1195265.patch
index 0000000,0000000..5a49eec
new file mode 100644
--- /dev/null
+++ b/ImageMagick-6.8.6-miff-bz#1195265.patch
@@@ -1,0 -1,0 +1,54 @@@
++diff -ur ImageMagick-6.8.6-3.miff-orig/coders/miff.c ImageMagick-6.8.6-3/coders/miff.c
++--- ImageMagick-6.8.6-3.miff-orig/coders/miff.c 2013-05-17 22:58:19.000000000 +0400
+++++ ImageMagick-6.8.6-3/coders/miff.c 2015-03-10 22:37:49.930865595 +0300
++@@ -1399,6 +1399,9 @@
++ bzip_info.avail_out=(unsigned int) (packet_size*image->columns);
++ do
++ {
+++ int
+++ code;
+++
++ if (bzip_info.avail_in == 0)
++ {
++ bzip_info.next_in=(char *) compress_pixels;
++@@ -1408,7 +1411,13 @@
++ bzip_info.avail_in=(unsigned int) ReadBlob(image,length,
++ (unsigned char *) bzip_info.next_in);
++ }
++- if (BZ2_bzDecompress(&bzip_info) == BZ_STREAM_END)
+++ code=BZ2_bzDecompress(&bzip_info);
+++ if (code < 0)
+++ {
+++ status=MagickFalse;
+++ break;
+++ }
+++ if (code == BZ_STREAM_END)
++ break;
++ } while (bzip_info.avail_out != 0);
++ (void) ImportQuantumPixels(image,(CacheView *) NULL,quantum_info,
++@@ -1455,6 +1464,9 @@
++ zip_info.avail_out=(uInt) (packet_size*image->columns);
++ do
++ {
+++ int
+++ code;
+++
++ if (zip_info.avail_in == 0)
++ {
++ zip_info.next_in=compress_pixels;
++@@ -1464,7 +1476,13 @@
++ zip_info.avail_in=(unsigned int) ReadBlob(image,length,
++ zip_info.next_in);
++ }
++- if (inflate(&zip_info,Z_SYNC_FLUSH) == Z_STREAM_END)
+++ code=inflate(&zip_info,Z_SYNC_FLUSH);
+++ if (code < 0)
+++ {
+++ status=MagickFalse;
+++ break;
+++ }
+++ if (code == Z_STREAM_END)
++ break;
++ } while (zip_info.avail_out != 0);
++ (void) ImportQuantumPixels(image,(CacheView *) NULL,quantum_info,
++Только в ImageMagick-6.8.6-3/coders: miff.c.orig
diff --cc ImageMagick-6.8.6-pdb-bz#1195269.patch
index 0000000,0000000..54d4ad0
new file mode 100644
--- /dev/null
+++ b/ImageMagick-6.8.6-pdb-bz#1195269.patch
@@@ -1,0 -1,0 +1,19 @@@
++Index: ImageMagick/branches/ImageMagick-6/coders/pdb.c
++===================================================================
++--- a/ImageMagick/branches/ImageMagick-6/coders/pdb.c
+++++ b/ImageMagick/branches/ImageMagick-6/coders/pdb.c
++@@ -372,5 +372,13 @@
++ }
++ num_pad_bytes = (size_t) (img_offset - TellBlob( image ));
++- while (num_pad_bytes--) ReadBlobByte( image );
+++ while (num_pad_bytes-- != 0)
+++ {
+++ int
+++ c;
+++
+++ c=ReadBlobByte(image);
+++ if (c == EOF)
+++ break;
+++ }
++ /*
++ Read image header.
diff --cc ImageMagick-6.8.6-vicar-bz#1195271.patch
index 0000000,0000000..7e6aa75
new file mode 100644
--- /dev/null
+++ b/ImageMagick-6.8.6-vicar-bz#1195271.patch
@@@ -1,0 -1,0 +1,11 @@@
++Index: ImageMagick/branches/ImageMagick-6/coders/vicar.c
++===================================================================
++--- a/ImageMagick/branches/ImageMagick-6/coders/vicar.c
+++++ b/ImageMagick/branches/ImageMagick-6/coders/vicar.c
++@@ -276,4 +276,6 @@
++ {
++ c=ReadBlobByte(image);
+++ if (c == EOF)
+++ break;
++ count++;
++ }
diff --cc ImageMagick.spec
index 5517a30,21985aa..ef14ca4
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@@@ -3,7 -3,7 +3,7 @@@
Name: ImageMagick
Version: %{VER}.%{Patchlevel}
--Release: 5%{?dist}
++Release: 6%{?dist}
Summary: An X application for displaying and manipulating images
Group: Applications/Multimedia
License: ImageMagick
@@@ -12,9 -12,17 +12,22 @@@ Source0: ftp://ftp.ImageMagick.org/pub
Requires: %{name}-libs = %{version}-%{release}
-# CVE bug fix backporting: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=25128&sid=ff40ad66b1f845c767aa77c7e32f9f9c&p=109901#p109901
-Patch0: ImageMagick-6.8.7-psd-CVE.patch
-# Backport upstream fix http://trac.imagemagick.org/changeset/16765 (bz#1158520)
++# Backport upstream fix http://trac.imagemagick.org/changeset/16765 - bz#1158520
+ Patch1: ImageMagick-6.8.6-CVE-2014-8354.patch
-# Backport upstream fix http://trac.imagemagick.org/changeset/16774#file0 (bz#1158524)
++# Backport upstream fix http://trac.imagemagick.org/changeset/16774 - bz#1158524
+ Patch2: ImageMagick-6.8.6-CVE-2014-8355.patch
-
++# Backport upstream fix http://trac.imagemagick.org/changeset/17846 - bz#1195263
++Patch3: ImageMagick-6.8.6-hdr-bz#1195263.patch
++# Backport upstream fix http://trac.imagemagick.org/changeset/17854 - bz#1195265
++Patch4: ImageMagick-6.8.6-miff-bz#1195265.patch
++# Backport upstream fix http://trac.imagemagick.org/changeset/17855 - bz#1195269
++Patch5: ImageMagick-6.8.6-pdb-bz#1195269.patch
++# Backport upstream fix http://trac.imagemagick.org/changeset/17856 - bz#1195271
++Patch6: ImageMagick-6.8.6-vicar-bz#1195271.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: bzip2-devel, freetype-devel, libjpeg-devel, libpng-devel
- BuildRequires: libtiff-devel, giflib-devel, zlib-devel, perl-devel >= 5.8.1
+ BuildRequires: libtiff-devel, zlib-devel, perl-devel >= 5.8.1
BuildRequires: ghostscript-devel, djvulibre-devel
BuildRequires: libwmf-devel, jasper-devel, libtool-ltdl-devel
BuildRequires: libX11-devel, libXext-devel, libXt-devel
@@@ -132,6 -140,10 +145,13 @@@ however
%prep
%setup -q -n %{name}-%{VER}-%{Patchlevel}
-%patch0 -p4 -b .cve
+ %patch1 -p3 -b .cve-2014-5354
+ %patch2 -p1 -b .cve-2014-5355
++%patch3 -p4 -b .hdr
++%patch4 -p1 -b .miff
++%patch5 -p4 -b .pdb
++%patch6 -p4 -b .vicar
+
sed -i 's/libltdl.la/libltdl.so/g' configure
iconv -f ISO-8859-1 -t UTF-8 README.txt > README.txt.tmp
touch -r README.txt README.txt.tmp
@@@ -319,37 -331,23 +339,40 @@@ rm -rf %{buildroot
%doc PerlMagick/demo/ PerlMagick/Changelog PerlMagick/README.txt
%changelog
-* Mon Mar 09 2015 Pavel Alexeev <Pahan at Hubbitus.info> - 6.8.6.3-5
-- Backport upstream fix http://trac.imagemagick.org/changeset/16765 (bz#1158520) for CVE-2014-8354
- Add Patch1: ImageMagick-6.8.7-CVE-2014-8354.patch
-- Backport upstream fix http://trac.imagemagick.org/changeset/16774 (bz#1158524) for CVE-2014-8355
- Add Patch2: ImageMagick-6.8.6-CVE-2014-8355.patch
++* Tue Mar 10 2015 Pavel Alexeev <Pahan at Hubbitus.info> - 6.8.8.10-6
++- Merge fixes from f20 branch (some rabased):
++ o Backport upstream fix http://trac.imagemagick.org/changeset/16765 (bz#1158520) for CVE-2014-8354
++ Add Patch1: ImageMagick-6.8.7-CVE-2014-8354.patch
++ o Backport upstream fix http://trac.imagemagick.org/changeset/16774 (bz#1158524) for CVE-2014-8355
++ Add Patch2: ImageMagick-6.8.6-CVE-2014-8355.patch
++- Concretize soname versions.
++- Fix 4 more security bags:
++ o Backport upstream fix http://trac.imagemagick.org/changeset/17846 - bz#1195263
++ Add Patch3: ImageMagick-6.8.6-hdr-bz#1195263.patch
++ o Backport upstream fix http://trac.imagemagick.org/changeset/17854 - bz#1195265
++ Add Patch4: ImageMagick-6.8.6-miff-bz#1195265.patch
++ o Backport upstream fix http://trac.imagemagick.org/changeset/17855 - bz#1195269
++ Add Patch5: ImageMagick-6.8.6-pdb-bz#1195269.patch
++ o Backport upstream fix http://trac.imagemagick.org/changeset/17856 - bz#1195271
++ Add Patch6: ImageMagick-6.8.6-vicar-bz#1195271.patch
++
+* Fri Aug 15 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 6.8.8.10-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jun 06 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 6.8.8.10-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
- * Wed Apr 2 2014 Pavel Alexeev <Pahan at Hubbitus.info> - 6.8.8.10-3
- - Concretize soname versions.
-
- * Sat Mar 29 2014 Pavel Alexeev <Pahan at Hubbitus.info> - 6.8.8.10-2
- - Update to 6.8.8-10 with hope to fix CVE-2014-1958 (bz#1067276, bz#1067277, bz#1067278), CVE-2014-1947, CVE-2014-2030 (bz#1064098)
+ * Thu Apr 3 2014 Pavel Alexeev <Pahan at Hubbitus.info> - 6.8.6.3-4
+ - Build 6.8.6-3 version because soname bump happened in newer.
+ - Concretize soname versioning.
+ - Add Patch0: ImageMagick-6.8.7-psd-CVE.patch CVE bug fix backporting:
+ http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=25128&sid=ff40ad66b1f845c767aa77c7e32f9f9c&p=109901#p109901
+ for fix CVE-2014-1958 (bz#1067276, bz#1067277, bz#1067278), CVE-2014-1947, CVE-2014-2030 (bz#1064098)
- Enable %%check by Alexander Todorov suggestion - bz#1076671.
- Add %%{?_smp_mflags} into make install and check (not main compilation).
-
- * Mon Jan 6 2014 Pavel Alexeev <Pahan at Hubbitus.info> - 6.8.7.0-4
- - Drop BR giflib-devel (bz#1039378)
-
- * Thu Jan 02 2014 Orion Poplawski <orion at cora.nwra.com> - 6.8.7.0-3
- - Rebuild for libwebp soname bump
-
- * Wed Nov 27 2013 Rex Dieter <rdieter at fedoraproject.org> 6.8.7.0-2
- - rebuild (openexr)
-
- * Fri Nov 08 2013 Kyle McMartin <kyle at fedoraproject.org>
- - Use %__isa_bits instead of hardcoding the list of 64-bit architectures.
-
- * Mon Oct 7 2013 Pavel Alexeev <Pahan at Hubbitus.info> - 6.8.7.0-1
- - Update to 6.8.7-0 to fix badurl (http://www.mail-archive.com/devel@lists.fedoraproject.org/msg67796.html)
-
- * Sun Sep 08 2013 Rex Dieter <rdieter at fedoraproject.org> - 6.8.6.3-4
- - rebuild (openexr)
+ - Porting some other non-destructive minor enhancments from master branch:
+ o Drop BR giflib-devel (bz#1039378)
+ o Use %%__isa_bits instead of hardcoding the list of 64-bit architectures.
* Fri Aug 02 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 6.8.6.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
More information about the scm-commits
mailing list