
imagemagick



Hello,

The following patch applied to the imagemagick in Debian wheezy should
fix the security problem already resolved in squeeze. The patches have
been ported from the squeeze version.

https://security-tracker.debian.org/tracker/TEMP-0773834-5EB6CF

I will also make debs available for testing.

Any comments?

Regards


diff -Nru imagemagick-6.7.7.10/debian/changelog imagemagick-6.7.7.10/debian/changelog
--- imagemagick-6.7.7.10/debian/changelog	2014-03-03 04:24:19.000000000 +1100
+++ imagemagick-6.7.7.10/debian/changelog	2016-03-06 15:44:11.000000000 +1100
@@ -1,3 +1,12 @@
+imagemagick (8:6.7.7.10-5+deb7u4) wheezy-security; urgency=medium
+
+  * Add fix-overflow-in-icon-parsing.patch to fix an integer overflow
+    that can lead to a buffer overrun in the icon parsing code.
+  * Add fix-overflow-in-pict-parsing.patch to fix an integer overflow
+    that can lead to a double free.
+
+ -- Brian May <bam@debian.org>  Sun, 06 Mar 2016 15:43:39 +1100
+
 imagemagick (8:6.7.7.10-5+deb7u3) wheezy-security; urgency=high
 
   * Fix three security bugs (Closes: #740250):
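Review bot: the new changelog entry carries no bug or tracker reference, while the previous entry below it uses "(Closes: #740250)". Suggest adding the security-tracker id from the covering mail (TEMP-0773834-5EB6CF) or the two Launchpad bug URLs already quoted in the patch headers, so the upload can be traced back to the issues it fixes. The entry also uses urgency=medium where the previous security upload used urgency=high; please confirm that is intended.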
diff -Nru imagemagick-6.7.7.10/debian/patches/fix-overflow-in-icon-parsing.patch imagemagick-6.7.7.10/debian/patches/fix-overflow-in-icon-parsing.patch
--- imagemagick-6.7.7.10/debian/patches/fix-overflow-in-icon-parsing.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.7.7.10/debian/patches/fix-overflow-in-icon-parsing.patch	2016-03-06 15:37:47.000000000 +1100
@@ -0,0 +1,20 @@
+Description: Fix buffer overflow in icon parsing code
+ This patch backports a small extract of a larger upstream
+ commit that addresses this specific issue.
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1459747
+Origin: backport, https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734
+Applied-Upstream: 7.0.0
+Last-Update: 2015-11-26
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/coders/icon.c
++++ b/coders/icon.c
+@@ -277,6 +277,8 @@
+           Icon image encoded as a compressed PNG image.
+         */
+         length=icon_file.directory[i].size;
++        if (~length < 12)
++          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+         png=(unsigned char *) AcquireQuantumMemory(length+16,sizeof(*png));
+         if (png == (unsigned char *) NULL)
+           ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
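Review bot: the guard `if (~length < 12)` in coders/icon.c does not match the `length+16` passed to AcquireQuantumMemory on the following line. If length is a size_t, any value for which ~length is between 12 and 15 passes the check and `length+16` still wraps to a small allocation size. Suggest comparing against the same constant that is added (`if (~length < 16)`), or stating in the patch description why 12 is sufficient. The Description also says "buffer overflow" while the changelog calls it an integer overflow leading to a buffer overrun; using the same wording in both would help.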
diff -Nru imagemagick-6.7.7.10/debian/patches/fix-overflow-in-pict-parsing.patch imagemagick-6.7.7.10/debian/patches/fix-overflow-in-pict-parsing.patch
--- imagemagick-6.7.7.10/debian/patches/fix-overflow-in-pict-parsing.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.7.7.10/debian/patches/fix-overflow-in-pict-parsing.patch	2016-03-06 16:03:04.000000000 +1100
@@ -0,0 +1,45 @@
+Description: Fix overflow in pict image parsing
+ Backport a small part of an upstream commit fixing
+ an issue with pict image parsing.
+Origin: backport, https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803
+Applied-Upstream: 7.0.0
+Last-Update: 2015-11-27
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/coders/pict.c
++++ b/coders/pict.c
+@@ -1573,6 +1573,7 @@
+ 
+   size_t
+     bytes_per_line,
++    row_bytes,
+     count,
+     storage_class;
+ 
+@@ -1587,7 +1588,6 @@
+ 
+   unsigned short
+     base_address,
+-    row_bytes,
+     transfer_mode;
+ 
+   /*
+@@ -1618,7 +1618,7 @@
+   source_rectangle=size_rectangle;
+   destination_rectangle=size_rectangle;
+   base_address=0xff;
+-  row_bytes=(unsigned short) (image->columns | 0x8000);
++  row_bytes=image->columns;
+   bounds.top=0;
+   bounds.left=0;
+   bounds.bottom=(short) image->rows;
+@@ -1648,7 +1648,7 @@
+       pixmap.bits_per_pixel=32;
+       pixmap.pack_type=0x04;
+       transfer_mode=0x40;
+-      row_bytes=(unsigned short) ((4*image->columns) | 0x8000);
++      row_bytes=4*image->columns;
+     }
+   /*
+     Allocate memory.
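Review bot: the two row_bytes assignments in coders/pict.c drop both the `(unsigned short)` cast and the `| 0x8000` flag, but none of the four hunks in this 45-line patch touches a place where row_bytes is used. Please confirm that the point where row_bytes is written to the output still sets the 0x8000 bit and narrows the value to 16 bits; if that was part of the upstream commit and is not already in 6.7.7.10, it needs to be backported too, otherwise the written PICT header changes. Since row_bytes is now a size_t, `4*image->columns` is also computed at full width, so it would help to say in the Description which allocation the old 16-bit truncation made too small and how that leads to the double free named in the changelog.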
diff -Nru imagemagick-6.7.7.10/debian/patches/series imagemagick-6.7.7.10/debian/patches/series
--- imagemagick-6.7.7.10/debian/patches/series	2014-03-09 09:48:48.000000000 +1100
+++ imagemagick-6.7.7.10/debian/patches/series	2016-03-06 15:33:59.000000000 +1100
@@ -10,3 +10,5 @@
 0009-Fixing-a-buffer-overflow-in-psd-file-handling.patch
 0010-Added-boundary-checks-in-DecodePSDPixels.patch
 0011-Prevent-buffer-overflow-in-messaging-system-CVE-2014.patch
+fix-overflow-in-icon-parsing.patch
+fix-overflow-in-pict-parsing.patch
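Review bot: the two new entries in debian/patches/series do not follow the numbered naming of the existing ones (0009-, 0010-, 0011-). Suggest renaming them to 0012-fix-overflow-in-icon-parsing.patch and 0013-fix-overflow-in-pict-parsing.patch so the series stays in an obvious order.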

-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/

