From 0f4ab4a59f4a8955135c7579c3579b8656e4060a Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Sun, 10 Dec 2017 19:15:44 +0100 Subject: gnu: graphicsmagick: Update to 1.3.27. * gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch, gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch, gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch, gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch, gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch, gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch, gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch, gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch, gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. * gnu/packages/imagemagick.scm (graphicsmagick): Update to 1.3.27. [source](patches): Remove. --- .../patches/graphicsmagick-CVE-2017-13775.patch | 195 --------------------- 1 file changed, 195 deletions(-) delete mode 100644 gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch (limited to 'gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch') diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch deleted file mode 100644 index 83478c13b3..0000000000 --- a/gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch +++ /dev/null @@ -1,195 +0,0 @@ -http://openwall.com/lists/oss-security/2017/08/31/3 -http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/b037d79b6ccd - -some changes were made to make the patch apply - -# HG changeset patch -# User Bob Friesenhahn -# Date 1503774853 18000 -# Node ID b037d79b6ccd0cfba7ba9ce09b454ed46d688036 -# Parent 198ea602ea7cc767dc3022bbcf887bcd4534158d -JNX: Fix DOS issues - -diff -r 198ea602ea7c -r b037d79b6ccd coders/jnx.c ---- a/coders/jnx.c Tue Aug 22 08:08:30 2017 -0500 -+++ b/coders/jnx.c Sat Aug 26 14:14:13 2017 -0500 -@@ -1,5 +1,5 @@ - /* --% Copyright (C) 2012-2015 GraphicsMagick Group -+% Copyright (C) 2012-2017 GraphicsMagick Group - % - % This program is covered by multiple licenses, which are described in - % Copyright.txt. You should have received a copy of Copyright.txt with this -@@ -100,6 +100,7 @@ - - char img_label_str[MaxTextExtent]; - -+ - alloc_size = TileInfo->PicSize + 2; - - if (image->logging) -@@ -242,6 +243,9 @@ - total_tiles, - current_tile; - -+ magick_off_t -+ file_size; -+ - /* Open image file. */ - assert(image_info != (const ImageInfo *) NULL); - assert(image_info->signature == MagickSignature); -@@ -254,9 +258,8 @@ - if (status == False) - ThrowReaderException(FileOpenError, UnableToOpenFile, image); - -- memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo)); -- - /* Read JNX image header. */ -+ (void) memset(&JNXHeader, 0, sizeof(JNXHeader)); - JNXHeader.Version = ReadBlobLSBLong(image); - if (JNXHeader.Version > 4) - ThrowReaderException(CorruptImageError, ImproperImageHeader, image); -@@ -266,8 +269,6 @@ - JNXHeader.MapBounds.SouthWest.lat = ReadBlobLSBLong(image); - JNXHeader.MapBounds.SouthWest.lon = ReadBlobLSBLong(image); - JNXHeader.Levels = ReadBlobLSBLong(image); -- if (JNXHeader.Levels > 20) -- ThrowReaderException(CorruptImageError, ImproperImageHeader, image); - JNXHeader.Expiration = ReadBlobLSBLong(image); - JNXHeader.ProductID = ReadBlobLSBLong(image); - JNXHeader.CRC = ReadBlobLSBLong(image); -@@ -279,7 +280,41 @@ - if (EOFBlob(image)) - ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); - -+ file_size = GetBlobSize(image); -+ -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "JNX Header:\n" -+ " Version: %u\n" -+ " DeviceSN: %u\n" -+ " MapBounds:\n" -+ " NorthEast: lat = %u, lon = %u\n" -+ " SouthWest: lat = %u, lon = %u\n" -+ " Levels: %u\n" -+ " Expiration: %u\n" -+ " ProductID: %u\n" -+ " CRC: %u\n" -+ " SigVersion: %u\n" -+ " SigOffset: %u\n" -+ " ZOrder: %u", -+ JNXHeader.Version, -+ JNXHeader.DeviceSN, -+ JNXHeader.MapBounds.NorthEast.lat, -+ JNXHeader.MapBounds.NorthEast.lon, -+ JNXHeader.MapBounds.SouthWest.lat, -+ JNXHeader.MapBounds.SouthWest.lon, -+ JNXHeader.Levels, -+ JNXHeader.Expiration, -+ JNXHeader.ProductID, -+ JNXHeader.CRC, -+ JNXHeader.SigVersion, -+ JNXHeader.SigOffset, -+ JNXHeader.ZOrder); -+ -+ if (JNXHeader.Levels > 20) -+ ThrowReaderException(CorruptImageError, ImproperImageHeader, image); -+ - /* Read JNX image level info. */ -+ memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo)); - total_tiles = 0; - current_tile = 0; - for (i = 0; i < JNXHeader.Levels; i++) -@@ -302,11 +337,23 @@ - { - JNXLevelInfo[i].Copyright = NULL; - } -+ -+ if (EOFBlob(image)) -+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ -+ if (image->logging) -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "Level[%u] Info:" -+ " TileCount: %4u" -+ " TilesOffset: %6u" -+ " Scale: %04u", -+ i, -+ JNXLevelInfo[i].TileCount, -+ JNXLevelInfo[i].TilesOffset, -+ JNXLevelInfo[i].Scale -+ ); - } - -- if (EOFBlob(image)) -- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -- - /* Get the current limit */ - SaveLimit = GetMagickResourceLimit(MapResource); - -@@ -316,11 +363,32 @@ - /* Read JNX image data. */ - for (i = 0; i < JNXHeader.Levels; i++) - { -+ /* -+ Validate TileCount against remaining file data -+ */ -+ const magick_off_t current_offset = TellBlob(image); -+ const size_t pos_list_entry_size = -+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + -+ sizeof(magick_uint32_t) + sizeof(magick_uint16_t) + sizeof(magick_uint16_t) + -+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t); -+ const magick_off_t remaining = file_size-current_offset; -+ const size_t needed = MagickArraySize(pos_list_entry_size,JNXLevelInfo[i].TileCount); -+ -+ if ((needed == 0U) || (remaining <= 0) || (remaining < (magick_off_t) needed)) -+ { -+ (void) SetMagickResourceLimit(MapResource, SaveLimit); -+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ } -+ - PositionList = MagickAllocateArray(TJNXTileInfo *, - JNXLevelInfo[i].TileCount, - sizeof(TJNXTileInfo)); - if (PositionList == NULL) -- continue; -+ { -+ (void) SetMagickResourceLimit(MapResource, SaveLimit); -+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, -+ image); -+ } - - (void) SeekBlob(image, JNXLevelInfo[i].TilesOffset, SEEK_SET); - for (j = 0; j < JNXLevelInfo[i].TileCount; j++) -@@ -333,12 +401,15 @@ - PositionList[j].PicHeight = ReadBlobLSBShort(image); - PositionList[j].PicSize = ReadBlobLSBLong(image); - PositionList[j].PicOffset = ReadBlobLSBLong(image); -- } - -- if (EOFBlob(image)) -- { -- MagickFreeMemory(PositionList); -- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ if (EOFBlob(image) || -+ ((magick_off_t) PositionList[j].PicOffset + -+ PositionList[j].PicSize > file_size)) -+ { -+ (void) SetMagickResourceLimit(MapResource, SaveLimit); -+ MagickFreeMemory(PositionList); -+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ } - } - - for (j = 0; j < JNXLevelInfo[i].TileCount; j++) -@@ -351,6 +422,9 @@ - image = ExtractTileJPG(image, image_info, PositionList+j, exception); - (void) SetMonitorHandler(previous_handler); - -+ if (exception->severity >= ErrorException) -+ break; -+ - current_tile++; - if (QuantumTick(current_tile,total_tiles)) - if (!MagickMonitorFormatted(current_tile,total_tiles,exception, - -- cgit v1.2.3