Re: Wheezy update of graphicsmagick?
Ola Lundqvist <ola@inguza.com> writes:
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of graphicsmagick:
> https://security-tracker.debian.org/tracker/CVE-2017-13737
> https://security-tracker.debian.org/tracker/CVE-2017-15277
I have created a fix for these issues in Debian wheezy. A patch is
below.
The upstream patch for CVE-2017-15277 seemed to include unrelated
changes, most of which I excluded. One of these changes - checking the
number of colours we read - looked like it could be another security
issue, so I included it just in case.
There is a version for testing at
https://people.debian.org/~bam/debian/pool/main/g/graphicsmagick/ - note
I got the name of the patch file wrong in this upload (but not the diff
below). This will be corrected for the final upload.
diff -Nru graphicsmagick-1.3.16/debian/changelog graphicsmagick-1.3.16/debian/changelog
--- graphicsmagick-1.3.16/debian/changelog 2017-10-10 17:57:27.000000000 +1100
+++ graphicsmagick-1.3.16/debian/changelog 2017-10-16 15:21:09.000000000 +1100
@@ -1,3 +1,13 @@
+graphicsmagick (1.3.16-1.1+deb7u11) wheezy-security; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * Fix CVE-2017-13737: Fix incorrect rounding up, resulting
+ in scrambling the heap beyond the allocation.
+ * Fix CVE-2017-15277: Leaves the palette uninitialized when processing a GIF
+ file that has neither a global nor local palette.
+
+ -- Brian May <bam@debian.org> Mon, 16 Oct 2017 15:21:09 +1100
+
graphicsmagick (1.3.16-1.1+deb7u10) wheezy-security; urgency=high
* Non-maintainer upload by the LTS Team.
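Review bot: the CVE-2017-15277 bullet in the new changelog entry only describes the uninitialized palette, but the patch under that name also adds a short-read check on ReadBlob, which the cover mail says was taken from the upstream commit as a possible separate issue; consider recording that extra check in the changelog bullet so the deviation from the narrow upstream fix is visible to anyone reading the package history.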
diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2017-13737.patch graphicsmagick-1.3.16/debian/patches/CVE-2017-13737.patch
--- graphicsmagick-1.3.16/debian/patches/CVE-2017-13737.patch 1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/CVE-2017-13737.patch 2017-10-16 15:20:44.000000000 +1100
@@ -0,0 +1,11 @@
+--- a/magick/studio.h
++++ b/magick/studio.h
+@@ -336,7 +336,7 @@
+ #define MagickSQ2PI 2.50662827463100024161235523934010416269302368164062
+ #define Max(x,y) (((x) > (y)) ? (x) : (y))
+ #define Min(x,y) (((x) < (y)) ? (x) : (y))
+-#define NumberOfObjectsInArray(octets,size) ((octets+size-1)/size)
++#define NumberOfObjectsInArray(octets,size) (octets/size) /* rounds down */
+ #define QuantumTick(i,span) \
+ ((((i) % ((Max(101,span)-1)/100)) == 0) || \
+ ((magick_int64_t) (i) == ((magick_int64_t) (span)-1)))
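Review bot: the replacement macro `(octets/size)` still expands its arguments without parentheses, so a caller passing an expression such as `a+b` as `octets` gets `(a+b/size)`; the removed line had the same weakness, but since the definition is being rewritten anyway, `((octets)/(size))` would be the safer form. The switch from `(octets+size-1)/size` to plain division is the round-up to round-down change the changelog describes, and the trailing `/* rounds down */` comment documents that intent.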
diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2017-15277.patch graphicsmagick-1.3.16/debian/patches/CVE-2017-15277.patch
--- graphicsmagick-1.3.16/debian/patches/CVE-2017-15277.patch 1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/CVE-2017-15277.patch 2017-10-16 15:21:09.000000000 +1100
@@ -0,0 +1,19 @@
+--- a/coders/gif.c
++++ b/coders/gif.c
+@@ -873,8 +873,15 @@
+ global_colormap=MagickAllocateMemory(unsigned char *,3*Max(global_colors,256));
+ if (global_colormap == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
++ (void) memset(global_colormap,0,3*Max(global_colors,256U));
+ if (BitSet(flag,0x80))
+- (void) ReadBlob(image,3*global_colors,(char *) global_colormap);
++ {
++ if (ReadBlob(image,3*global_colors,(char *) global_colormap) != 3U*global_colors)
++ {
++ MagickFreeMemory(global_colormap);
++ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
++ }
++ }
+ delay=0;
+ dispose=0;
+ iterations=1;
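Review bot: the new memset sizes the zero-fill as `3*Max(global_colors,256U)` while the allocation two lines above uses `3*Max(global_colors,256)`; the two expressions should be written identically so a later edit to one cannot leave the fill shorter than the buffer. The zero-fill is what makes the palette defined when bit 0x80 of `flag` is clear and no global colormap is read, and the added short-read branch frees `global_colormap` before throwing, so the error path does not leak it.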
diff -Nru graphicsmagick-1.3.16/debian/patches/series graphicsmagick-1.3.16/debian/patches/series
--- graphicsmagick-1.3.16/debian/patches/series 2017-10-09 17:53:49.000000000 +1100
+++ graphicsmagick-1.3.16/debian/patches/series 2017-10-16 15:21:09.000000000 +1100
@@ -35,3 +35,5 @@
CVE-2017-14733.patch
CVE-2017-14994.patch
CVE-2017-14997.patch
+CVE-2017-13737.patch
+CVE-2017-15277.patch
--
Brian May <bam@debian.org>