
imagemagick



Hello,

I have backported the patches for imagemagick in Jessie to Wheezy.

The patches are attached. I think most of this is straightforward; however,
I am not 100% certain about the
0079-Indirect-filename-must-be-authorized-by-policy.patch patch.

In particular, it returns ConstantString("") instead of NULL - I hope
this is correct for the Wheezy version. There also appears to be a new
check that returns ConstantString("") if the input string only contains
whitespace that I included.

I am looking to see if I can find a test case to test this against,
however I don't see anything on oss-security.

My complete patches attached.
-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
diff -Nru imagemagick-6.7.7.10/debian/changelog imagemagick-6.7.7.10/debian/changelog
--- imagemagick-6.7.7.10/debian/changelog	2014-03-03 04:24:19.000000000 +1100
+++ imagemagick-6.7.7.10/debian/changelog	2016-05-18 10:55:59.000000000 +1000
@@ -1,3 +1,25 @@
+imagemagick (8:6.7.7.10-5+deb7u4) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * ImageTragick: The coders EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT,
+    SHOW, WIN, and PLT are disabled via policy.xml file, since they are
+    vulnerable to code injection. This mitigates CVE-2016-3714,
+    CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, and CVE-2016-3718.
+    Since ImageMagick reverts to its internal SVG renderer (which uses
+    MVG coder) if Inkscape or RSVG is not used, the option --with-rsvg
+    is included. Closes: 823542. In addition, some other actions were
+    taken with respect to these vulnerabilities:
+    - Drop the PLT/Gnuplot decoder, which was vulnerable to command
+    injection.
+    - Some sanitization for input filenames in http/https delegates is 
+    added.
+    - Indirect filename are now authorized by policy.
+    - Indirect reads with label:@ are prevented.
+    - Less secure coders (such as MVG, TEXT, and MSL) require explicit
+      reference in the filename (e.g. mvg:my-graph.mvg).
+
+ -- Brian May <bam@debian.org>  Wed, 18 May 2016 10:55:03 +1000
+
 imagemagick (8:6.7.7.10-5+deb7u3) wheezy-security; urgency=high
 
   * Fix three security bugs (Closes: #740250):
diff -Nru imagemagick-6.7.7.10/debian/patches/0076-Disable-EPHEMERAL-URL-HTTPS-MVG-MSL-TEXT-SHOW-WIN-and-PLT-coders.patch imagemagick-6.7.7.10/debian/patches/0076-Disable-EPHEMERAL-URL-HTTPS-MVG-MSL-TEXT-SHOW-WIN-and-PLT-coders.patch
--- imagemagick-6.7.7.10/debian/patches/0076-Disable-EPHEMERAL-URL-HTTPS-MVG-MSL-TEXT-SHOW-WIN-and-PLT-coders.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.7.7.10/debian/patches/0076-Disable-EPHEMERAL-URL-HTTPS-MVG-MSL-TEXT-SHOW-WIN-and-PLT-coders.patch	2016-05-18 10:58:02.000000000 +1000
@@ -0,0 +1,28 @@
+From: Luciano Bello <luciano@debian.org>
+Date: Thu, 12 May 2016 23:24:44 +0200
+Subject: Disable the coders EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT
+ Following the recomendation from imagetragick.com this patch 
+ disable the coders EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN,
+ and PLT since they are vulnerable to multiple attacks. These
+ vulnerability were collectible called "ImageTragick".
+Bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
+Bug-CVE: CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, CVE-2016-3718
+Bug-Debian: https://bugs.debian.org/823542
+Last-Update: 2016-05-12
+---
+--- a/config/policy.xml
++++ b/config/policy.xml
+@@ -55,4 +55,13 @@
+   <!-- <policy domain="resource" name="thread" value="4"/> -->
+   <!-- <policy domain="resource" name="throttle" value="0"/> -->
+   <!-- <policy domain="resource" name="time" value="3600"/> -->
++  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
++  <policy domain="coder" rights="none" pattern="URL" />
++  <policy domain="coder" rights="none" pattern="HTTPS" />
++  <policy domain="coder" rights="none" pattern="MVG" />
++  <policy domain="coder" rights="none" pattern="MSL" />
++  <policy domain="coder" rights="none" pattern="TEXT" />
++  <policy domain="coder" rights="none" pattern="SHOW" />
++  <policy domain="coder" rights="none" pattern="WIN" />
++  <policy domain="coder" rights="none" pattern="PLT" />
+ </policymap>
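Review bot: The `pattern="URL"` entry may not disable what it is meant to, because the coder domain is, as far as I can tell, matched against the format name being read, and url.c registers its readers under the names HTTP and FTP with URL only as the module name. If that holds for 6.7.7.10, add `<policy domain="coder" rights="none" pattern="HTTP" />` and the same for `FTP` next to the existing lines. Either way, nothing in this patch tests that the entries take effect, so the list should be confirmed on a built package with `convert -list policy` and a read of each disabled format.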
diff -Nru imagemagick-6.7.7.10/debian/patches/0077-Remove-PLT-Gnuplot-decoder.patch imagemagick-6.7.7.10/debian/patches/0077-Remove-PLT-Gnuplot-decoder.patch
--- imagemagick-6.7.7.10/debian/patches/0077-Remove-PLT-Gnuplot-decoder.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.7.7.10/debian/patches/0077-Remove-PLT-Gnuplot-decoder.patch	2016-05-18 11:02:40.000000000 +1000
@@ -0,0 +1,147 @@
+Description: Drop the PLT/Gnuplot decoder
+  The Gnuplot delegate was vulnerable to code injection. This
+  vulnerability is connected with CVE-2016-3714 (aka ImageTragick).
+Origin: upstream, https://github.com/ImageMagick/ImageMagick/commit/e87116ab2bd070c47943d4118a18c8f3a47461e2
+Applied-Upstream: e87116ab2bd070c47943d4118a18c8f3a47461e2
+Last-Update: 2016-05-15
+Bug: https://sourceforge.net/p/graphicsmagick/mailman/message/35072963/
+Bug-CVE: CVE-2016-3714
+Bug-Debian: https://bugs.debian.org/823542
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -2438,7 +2438,6 @@
+ GVCDecodeDelegate = @GVCDecodeDelegate@
+ GVC_CFLAGS = @GVC_CFLAGS@
+ GVC_LIBS = @GVC_LIBS@
+-GnuplotDecodeDelegate = @GnuplotDecodeDelegate@
+ HPGLDecodeDelegate = @HPGLDecodeDelegate@
+ HTMLDecodeDelegate = @HTMLDecodeDelegate@
+ ILBMDecodeDelegate = @ILBMDecodeDelegate@
+--- a/config/delegates.xml.in
++++ b/config/delegates.xml.in
+@@ -80,7 +80,6 @@
+   <delegate decode="eps" encode="pdf" mode="bi" command="&quot;@PSDelegate@&quot; -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 &quot;-sDEVICE=@GSPDFDevice@&quot; &quot;-sOutputFile=%o&quot; &quot;-f%i&quot;"/>
+   <delegate decode="eps" encode="ps" mode="bi" command="&quot;@PSDelegate@&quot; -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=@GSPSDevice@&quot; &quot;-sOutputFile=%o&quot; &quot;-f%i&quot;"/>
+   <delegate decode="fig" command="&quot;@FIGDecodeDelegate@&quot; -L ps &quot;%i&quot; &quot;%o&quot;"/>
+-  <delegate decode="plt" command="&quot;@EchoDelegate@&quot; &quot;set size 1.25,0.62; set terminal postscript portrait color solid; set output \'%o\'; load \'%i\'&quot; &gt; &quot;%u&quot;;&quot;@GnuplotDecodeDelegate@&quot; &quot;%u&quot;"/>
+   <delegate decode="hpg" command="&quot;@HPGLDecodeDelegate@&quot; -q -m eps -f `basename &quot;%o&quot;` &quot;%i&quot;;     mv -f `basename &quot;%o&quot;` &quot;%o&quot;"/>
+   <delegate decode="hpgl" command="if [ -e @HPGLDecodeDelegate@ -o -e /usr/bin/@HPGLDecodeDelegate@ ]; then     @HPGLDecodeDelegate@ -q -m eps -f `basename &quot;%o&quot;` &quot;%i&quot;;     mv -f `basename &quot;%o&quot;` &quot;%o&quot;;   else     echo &quot;You need to install hp2xx to use HPGL files with ImageMagick.&quot;;     exit 1;   fi"/>
+   <delegate decode="htm" command="&quot;@HTMLDecodeDelegate@&quot; -U -o &quot;%o&quot; &quot;%i&quot;"/>
+--- a/configure
++++ b/configure
+@@ -725,7 +725,6 @@
+ ILBMDecodeDelegate
+ HTMLDecodeDelegate
+ HPGLDecodeDelegate
+-GnuplotDecodeDelegate
+ MogrifyDelegate
+ DisplayDelegate
+ ConvertDelegate
+@@ -32765,7 +32764,6 @@
+ ConvertDelegateDefault=`echo convert | sed ${configure_transform_name}`
+ DisplayDelegateDefault=`echo display | sed ${configure_transform_name}`
+ MogrifyDelegateDefault=`echo mogrify | sed ${configure_transform_name}`
+-GnuplotDecodeDelegateDefault='gnuplot'
+ HPGLDecodeDelegateDefault='hp2xx'
+ HTMLDecodeDelegateDefault='html2ps'
+ ILBMDecodeDelegateDefault='ilbmtoppm'
+@@ -33417,47 +33415,6 @@
+ fi
+ 
+ 
+-# Extract the first word of ""$GnuplotDecodeDelegateDefault"", so it can be a program name with args.
+-set dummy "$GnuplotDecodeDelegateDefault"; ac_word=$2
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+-$as_echo_n "checking for $ac_word... " >&6; }
+-if ${ac_cv_path_GnuplotDecodeDelegate+:} false; then :
+-  $as_echo_n "(cached) " >&6
+-else
+-  case $GnuplotDecodeDelegate in
+-  [\\/]* | ?:[\\/]*)
+-  ac_cv_path_GnuplotDecodeDelegate="$GnuplotDecodeDelegate" # Let the user override the test with a path.
+-  ;;
+-  *)
+-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+-for as_dir in $PATH
+-do
+-  IFS=$as_save_IFS
+-  test -z "$as_dir" && as_dir=.
+-    for ac_exec_ext in '' $ac_executable_extensions; do
+-  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+-    ac_cv_path_GnuplotDecodeDelegate="$as_dir/$ac_word$ac_exec_ext"
+-    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+-    break 2
+-  fi
+-done
+-  done
+-IFS=$as_save_IFS
+-
+-  test -z "$ac_cv_path_GnuplotDecodeDelegate" && ac_cv_path_GnuplotDecodeDelegate=""$GnuplotDecodeDelegateDefault""
+-  ;;
+-esac
+-fi
+-GnuplotDecodeDelegate=$ac_cv_path_GnuplotDecodeDelegate
+-if test -n "$GnuplotDecodeDelegate"; then
+-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GnuplotDecodeDelegate" >&5
+-$as_echo "$GnuplotDecodeDelegate" >&6; }
+-else
+-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+-fi
+-
+-
+ # Extract the first word of ""$HPGLDecodeDelegateDefault"", so it can be a program name with args.
+ set dummy "$HPGLDecodeDelegateDefault"; ac_word=$2
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+@@ -34754,7 +34711,6 @@
+   EchoDelegate="$EchoDelegateDefault"
+   EditorDelegate="$EditorDelegateDefault"
+   FIGDecodeDelegate="$FIGDecodeDelegateDefault"
+-  GnuplotDecodeDelegate="$GnuplotDecodeDelegateDefault"
+   HPGLDecodeDelegate="$HPGLDecodeDelegateDefault"
+   HTMLDecodeDelegate="$HTMLDecodeDelegateDefault"
+   ILBMDecodeDelegate="$ILBMDecodeDelegateDefault"
+@@ -34790,7 +34746,6 @@
+ 
+ 
+ 
+-
+ 
+ 
+ 
+--- a/configure.ac
++++ b/configure.ac
+@@ -3048,7 +3048,6 @@
+ ConvertDelegateDefault=`echo convert | sed ${configure_transform_name}`
+ DisplayDelegateDefault=`echo display | sed ${configure_transform_name}`
+ MogrifyDelegateDefault=`echo mogrify | sed ${configure_transform_name}`
+-GnuplotDecodeDelegateDefault='gnuplot'
+ HPGLDecodeDelegateDefault='hp2xx'
+ HTMLDecodeDelegateDefault='html2ps'
+ ILBMDecodeDelegateDefault='ilbmtoppm'
+@@ -3100,7 +3099,6 @@
+ AC_PATH_PROG(ConvertDelegate, "$ConvertDelegateDefault", "$ConvertDelegateDefault")
+ AC_PATH_PROG(DisplayDelegate, "$DisplayDelegateDefault", "$DisplayDelegateDefault")
+ AC_PATH_PROG(MogrifyDelegate, "$MogrifyDelegateDefault", "$MogrifyDelegateDefault")
+-AC_PATH_PROG(GnuplotDecodeDelegate, "$GnuplotDecodeDelegateDefault", "$GnuplotDecodeDelegateDefault")
+ AC_PATH_PROG(HPGLDecodeDelegate, "$HPGLDecodeDelegateDefault", "$HPGLDecodeDelegateDefault")
+ AC_PATH_PROG(HTMLDecodeDelegate, "$HTMLDecodeDelegateDefault", "$HTMLDecodeDelegateDefault")
+ AC_PATH_PROG(ILBMDecodeDelegate, "$ILBMDecodeDelegateDefault", "$ILBMDecodeDelegateDefault")
+@@ -3266,7 +3264,6 @@
+   EchoDelegate="$EchoDelegateDefault"
+   EditorDelegate="$EditorDelegateDefault"
+   FIGDecodeDelegate="$FIGDecodeDelegateDefault"
+-  GnuplotDecodeDelegate="$GnuplotDecodeDelegateDefault"
+   HPGLDecodeDelegate="$HPGLDecodeDelegateDefault"
+   HTMLDecodeDelegate="$HTMLDecodeDelegateDefault"
+   ILBMDecodeDelegate="$ILBMDecodeDelegateDefault"
+@@ -3311,7 +3308,6 @@
+ AC_SUBST(EchoDelegate)
+ AC_SUBST(EditorDelegate)
+ AC_SUBST(FIGDecodeDelegate)
+-AC_SUBST(GnuplotDecodeDelegate)
+ AC_SUBST(HPGLDecodeDelegate)
+ AC_SUBST(HTMLDecodeDelegate)
+ AC_SUBST(ILBMDecodeDelegate)
diff -Nru imagemagick-6.7.7.10/debian/patches/0078-Sanitize-input-filename-for-http-and-https-delegates.patch imagemagick-6.7.7.10/debian/patches/0078-Sanitize-input-filename-for-http-and-https-delegates.patch
--- imagemagick-6.7.7.10/debian/patches/0078-Sanitize-input-filename-for-http-and-https-delegates.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.7.7.10/debian/patches/0078-Sanitize-input-filename-for-http-and-https-delegates.patch	2016-05-18 11:09:02.000000000 +1000
@@ -0,0 +1,64 @@
+Description: Sanitize input filename for http / https delegates 
+  cherry-picked from 06c41aba39b97203f6b9a0be6a2ccf8888cddc93 and 
+  a347456a1ef3b900c20402f9866992a17eb5d181.
+Origin: upstream, https://github.com/ImageMagick/ImageMagick/commit/06c41aba39b97203f6b9a0be6a2ccf8888cddc93, https://github.com/ImageMagick/ImageMagick/commit/a347456a1ef3b900c20402f9866992a17eb5d181
+Applied-Upstream: commit, 06c41aba39b97203f6b9a0be6a2ccf8888cddc93, a347456a1ef3b900c20402f9866992a17eb5d181
+Bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
+Bug-CVE: CVE-2016-3714
+Bug-Debian: https://bugs.debian.org/823542
+Last-Update: 2016-05-16
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/config/delegates.xml.in
++++ b/config/delegates.xml.in
+@@ -55,6 +55,7 @@
+     %w  image columns (width)
+     %x  input image x resolution
+     %y  input image y resolution
++    %F  sanitized original input filename
+ 
+   Set option delegate:bimodal=true to process bimodal delegates otherwise they
+   are ignored.
+@@ -84,11 +85,11 @@
+   <delegate decode="hpgl" command="if [ -e @HPGLDecodeDelegate@ -o -e /usr/bin/@HPGLDecodeDelegate@ ]; then     @HPGLDecodeDelegate@ -q -m eps -f `basename &quot;%o&quot;` &quot;%i&quot;;     mv -f `basename &quot;%o&quot;` &quot;%o&quot;;   else     echo &quot;You need to install hp2xx to use HPGL files with ImageMagick.&quot;;     exit 1;   fi"/>
+   <delegate decode="htm" command="&quot;@HTMLDecodeDelegate@&quot; -U -o &quot;%o&quot; &quot;%i&quot;"/>
+   <delegate decode="html" command="&quot;@HTMLDecodeDelegate@&quot; -U -o &quot;%o&quot; &quot;%i&quot;"/>
+-  <delegate decode="https" command="&quot;@WWWDecodeDelegate@&quot; -s -k -o &quot;%o&quot; &quot;https:%M&quot;"/>
++  <delegate decode="https" command="&quot;@WWWDecodeDelegate@&quot; -s -k -o &quot;%o&quot; &quot;https:%F&quot;"/>
+   <delegate decode="ilbm" command="&quot;@ILBMDecodeDelegate@&quot; &quot;%i&quot; &gt; &quot;%o&quot;"/>
+   <delegate decode="man" command="&quot;@MANDelegate@&quot; -man -Tps &quot;%i&quot; &gt; &quot;%o&quot;"/>
+   <delegate decode="mpeg:decode" command="&quot;@MPEGDecodeDelegate@&quot; -v -1 -i &quot;%i&quot; -vframes %S -vcodec pam -an -f rawvideo -y &quot;%u.pam&quot; 2&gt; &quot;%Z&quot;"/>
+-  <delegate encode="mpeg:encode" stealth="True" command="&quot;@MPEGEncodeDelegate@&quot; -v -1 -mbd rd -trellis 2 -cmp 2 -subcmp 2 -g 300 -i &quot;%M%%d.jpg&quot; &quot;%u.%m&quot; 2&gt; &quot;%Z&quot;"/>
++  <delegate encode="mpeg:encode" stealth="True" command="&quot;@MPEGEncodeDelegate@&quot; -v -1 -mbd rd -trellis 2 -cmp 2 -subcmp 2 -g 300 -i &quot;%F%%d.jpg&quot; &quot;%u.%m&quot; 2&gt; &quot;%Z&quot;"/>
+   <delegate decode="sid" command="&quot;@MrSIDDecodeDelegate@&quot; -if sid -i &quot;%i&quot; -of tif -o &quot;%o&quot; &gt; &quot;%u&quot;"/>
+   <delegate decode="pcl:color" stealth="True" command="&quot;@PCLDelegate@&quot; -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=@PCLColorDevice@&quot; -dTextAlphaBits=%u -dGraphicsAlphaBits=%u &quot;-r%s&quot; %s &quot;-sOutputFile=%s&quot; &quot;%s&quot;"/>
+   <delegate decode="pcl:cmyk" stealth="True" command="&quot;@PCLDelegate@&quot; -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=@PCLCMYKDevice@&quot; -dTextAlphaBits=%u -dGraphicsAlphaBits=%u &quot;-r%s&quot; %s &quot;-sOutputFile=%s&quot; &quot;%s&quot;"/>
+--- a/magick/property.c
++++ b/magick/property.c
+@@ -3534,6 +3534,26 @@
+         ConstantString(property),ConstantString(value));
+       break;
+     }
++    case 'F': /* Magick filename (sanitized) - filename given incl. coder & read mods */
++    {
++      const char
++        *q;
++
++      register char
++        *p;
++
++      static char
++        whitelist[] =
++          "^-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
++          "+&@#/%?=~_|!:,.;()";
++
++      (void) CopyMagickString(value,image->magick_filename,MaxTextExtent);
++      p=value;
++      q=value+strlen(value);
++      for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist))
++        *p='_';
++      break;
++    }
+     case 'G':
+     case 'g':
+     {
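Review bot: The whitelist in the new `case 'F'` block keeps `&`, `;`, `|`, `(`, `)` and `!`, so the sanitized value is only inert where a delegate command wraps `%F` in double quotes, as the two changed delegates in delegates.xml.in do. That constraint is not written down anywhere; I would add above the array `/* %F is safe only inside double quotes in a delegate command: shell separators are kept; quote, dollar, backquote and backslash are replaced */` and say the same on the `%F` line of the delegates.xml.in legend. The array is never written, so `static const char whitelist[]` is the better declaration, and the leading `^-` is taken literally by strspn() (both characters are simply allowed), which reads like a leftover from a regex character class. The enclosing switch and function start and end outside the hunk.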
diff -Nru imagemagick-6.7.7.10/debian/patches/0079-Indirect-filename-must-be-authorized-by-policy.patch imagemagick-6.7.7.10/debian/patches/0079-Indirect-filename-must-be-authorized-by-policy.patch
--- imagemagick-6.7.7.10/debian/patches/0079-Indirect-filename-must-be-authorized-by-policy.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.7.7.10/debian/patches/0079-Indirect-filename-must-be-authorized-by-policy.patch	2016-05-18 11:14:50.000000000 +1000
@@ -0,0 +1,57 @@
+Description: Indirect filename must be authorized by policy
+Origin: upstream, https://github.com/ImageMagick/ImageMagick/commit/89ce096de81428c1b15b44ec97eb5a7c7d4e0f8b, https://github.com/ImageMagick/ImageMagick/commit/58a2ce1638c7cca4db9c9a70ea841b34c8932490
+Bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
+Bug-CVE: CVE-2016-3714
+Bug-Debian: https://bugs.debian.org/823542
+Last-Update: 2016-05-15
+---
+--- a/magick/property.c
++++ b/magick/property.c
+@@ -66,6 +66,7 @@
+ #include "magick/monitor.h"
+ #include "magick/montage.h"
+ #include "magick/option.h"
++#include "magick/policy.h"
+ #include "magick/profile.h"
+ #include "magick/property.h"
+ #include "magick/quantum.h"
+@@ -2941,19 +2942,28 @@
+     (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename);
+ 
+   if ((embed_text == (const char *) NULL) || (*embed_text == '\0'))
+-    return((char *) NULL);
++    return(ConstantString(""));
+   p=embed_text;
+ 
+-  /* handle a '@' replace string from file */
+-  if (*p == '@') {
+-     p++;
+-     if (*p != '-' && (IsPathAccessible(p) == MagickFalse) ) {
+-       (void) ThrowMagickException(&image->exception,GetMagickModule(),
+-           OptionError,"UnableToAccessPath","%s",p);
+-       return((char *) NULL);
+-     }
+-     return(FileToString(p,~0,&image->exception));
+-  }
++  while ((isspace((int) ((unsigned char) *p)) != 0) && (*p != '\0'))
++    p++;
++  if (*p == '\0')
++    return(ConstantString(""));
++
++  if ((*p == '@') && (IsPathAccessible(p+1) != MagickFalse))
++    {
++      /* handle a '@' replace string from file */
++      if (IsRightsAuthorized(PathPolicyDomain,ReadPolicyRights,p) == MagickFalse)
++        {
++          errno=EPERM;
++          (void) ThrowMagickException(&image->exception,GetMagickModule(),
++            PolicyError,"NotAuthorized","`%s'",p);
++          return(ConstantString(""));
++        }
++      interpret_text=FileToString(p+1,~0UL,&image->exception);
++      if (interpret_text != (char *) NULL)
++        return(interpret_text);
++    }
+ 
+   /*
+     Translate any embedded format characters.
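Review bot: The policy check in the new `@` branch runs only after `IsPathAccessible(p+1)` has succeeded, so a denied caller gets a NotAuthorized exception for a path that exists and a silent fall-through to literal text for one that does not; the outcome depends on file existence even when the policy forbids the read. Testing `IsRightsAuthorized(PathPolicyDomain,ReadPolicyRights,p)` before `IsPathAccessible(p+1)` would remove that difference, at the cost of rejecting literal text that merely begins with `@`; if the current order is deliberate, a comment such as `/* accessibility is tested first so that literal text starting with @ is not rejected by policy */` should say so. The removed code also let `@-` through without an access check and the new code does not, so if reading from standard input is meant to stop working the patch description should state it. The `&& (*p != '\0')` in the whitespace loop is redundant, since isspace() is false for the terminator. The function begins and ends outside the hunk.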
diff -Nru imagemagick-6.7.7.10/debian/patches/0080-Prevent-indirect-reads-with-label-at.patch imagemagick-6.7.7.10/debian/patches/0080-Prevent-indirect-reads-with-label-at.patch
--- imagemagick-6.7.7.10/debian/patches/0080-Prevent-indirect-reads-with-label-at.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.7.7.10/debian/patches/0080-Prevent-indirect-reads-with-label-at.patch	2016-05-18 11:15:00.000000000 +1000
@@ -0,0 +1,17 @@
+Description: Disarm CVE-2016-3717 by preventing indirect reads with label:@
+ This policy prevents indirect reads with labels:@
+Origin: upstream, https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
+Bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
+Bug-CVE: CVE-2016-3717
+Bug-Debian: https://bugs.debian.org/823542
+Last-Update: 2016-05-16
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/config/policy.xml
++++ b/config/policy.xml
+@@ -64,4 +64,5 @@
+   <policy domain="coder" rights="none" pattern="SHOW" />
+   <policy domain="coder" rights="none" pattern="WIN" />
+   <policy domain="coder" rights="none" pattern="PLT" />
++  <policy domain="path" rights="none" pattern="@*" />
+ </policymap>
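Review bot: This one entry is what actually blocks indirect `@file` reads, because the check that 0079 adds to magick/property.c only consults the policy and, as far as the visible code shows, lets the read proceed unless a rule denies it. The pattern matches because that check passes the text including the leading `@` to IsRightsAuthorized(); a path rule written against the file name alone would not match there. Both facts deserve a comment next to the entry, for example `<!-- denies @file indirect reads in magick/property.c; matched against the text including the leading @ -->`. If policy.xml is shipped as a conffile, the upload notes should also ask administrators to check that their installed copy carries this entry, since a locally modified file may not be replaced on upgrade.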
diff -Nru imagemagick-6.7.7.10/debian/patches/0081-Less-secure-coders-require-explicit-reference.patch imagemagick-6.7.7.10/debian/patches/0081-Less-secure-coders-require-explicit-reference.patch
--- imagemagick-6.7.7.10/debian/patches/0081-Less-secure-coders-require-explicit-reference.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.7.7.10/debian/patches/0081-Less-secure-coders-require-explicit-reference.patch	2016-05-18 11:15:06.000000000 +1000
@@ -0,0 +1,62 @@
+Description: Less secure coders require explicit reference (e.g. mvg:my-graph.mvg)
+Origin: upstream, https://github.com/ImageMagick/ImageMagick/commit/611b2f063eb526da5f1ec1e8045794cf28a55921
+Applied-Upstream: commit, 611b2f063eb526da5f1ec1e8045794cf28a55921
+Bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
+Bug-CVE: CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, CVE-2016-3718
+Bug-Debian: https://bugs.debian.org/823542
+Last-Update: 2016-05-16
+---
+--- a/coders/msl.c
++++ b/coders/msl.c
+@@ -7796,6 +7796,7 @@
+   entry->decoder=(DecodeImageHandler *) ReadMSLImage;
+   entry->encoder=(EncodeImageHandler *) WriteMSLImage;
+ #endif
++  entry->format_type=ImplicitFormatType;
+   entry->description=ConstantString("Magick Scripting Language");
+   entry->module=ConstantString("MSL");
+   (void) RegisterMagickInfo(entry);
+--- a/coders/mvg.c
++++ b/coders/mvg.c
+@@ -250,6 +250,7 @@
+   entry->magick=(IsImageFormatHandler *) IsMVG;
+   entry->adjoin=MagickFalse;
+   entry->seekable_stream=MagickTrue;
++  entry->format_type=ImplicitFormatType;
+   entry->description=ConstantString("Magick Vector Graphics");
+   entry->module=ConstantString("MVG");
+   (void) RegisterMagickInfo(entry);
+--- a/coders/txt.c
++++ b/coders/txt.c
+@@ -420,8 +420,6 @@
+     }
+   (void) ResetMagickMemory(text,0,sizeof(text));
+   (void) ReadBlobString(image,text);
+-  if (LocaleNCompare((char *) text,MagickID,strlen(MagickID)) != 0)
+-    return(ReadTEXTImage(image_info,image,text,exception));
+   do
+   {
+     *colorspace='\0';
+@@ -543,10 +541,11 @@
+     *entry;
+ 
+   entry=SetMagickInfo("TEXT");
+-  entry->decoder=(DecodeImageHandler *) ReadTXTImage;
++  entry->decoder=(DecodeImageHandler *) ReadTEXTImage;
+   entry->encoder=(EncodeImageHandler *) WriteTXTImage;
+   entry->raw=MagickTrue;
+   entry->endian_support=MagickTrue;
++  entry->format_type=ImplicitFormatType;
+   entry->description=ConstantString("Text");
+   entry->module=ConstantString("TXT");
+   (void) RegisterMagickInfo(entry);
+--- a/magick/magic.c
++++ b/magick/magic.c
+@@ -140,7 +140,6 @@
+     { "MPC", 0, MagickString("id=MagickCache") },
+     { "MPEG", 0, MagickString("\000\000\001\263") },
+     { "MRW", 0, MagickString("\x00MRM") },
+-    { "MVG", 0, MagickString("push graphic-context") },
+     { "ORF", 0, MagickString("IIRO\x08\x00\x00\x00") },
+     { "PCD", 2048, MagickString("PCD_") },
+     { "PCL", 0, MagickString("\033E\033") },
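Review bot: In coders/txt.c the TEXT entry now registers `ReadTEXTImage` as its decoder, but the line removed from ReadTXTImage shows that function being called as `ReadTEXTImage(image_info,image,text,exception)`, with four arguments, while a decode handler is invoked with only an ImageInfo and an ExceptionInfo. No hunk here changes the definition of ReadTEXTImage, and the `(DecodeImageHandler *)` cast hides the mismatch from the compiler, so unless the definition is adapted elsewhere the TEXT reader would run with indeterminate values for `image` and `text`. ReadTEXTImage needs the two-argument signature, opening the image and reading the first line itself, which is presumably what the upstream commit does. It is also worth confirming that the 6.7.7.10 tree has the `format_type` member and that the code selecting a coder honours `ImplicitFormatType`; otherwise the three added assignments either fail to compile or have no effect. All of the affected functions extend beyond the hunks shown.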
diff -Nru imagemagick-6.7.7.10/debian/patches/series imagemagick-6.7.7.10/debian/patches/series
--- imagemagick-6.7.7.10/debian/patches/series	2014-03-09 09:48:48.000000000 +1100
+++ imagemagick-6.7.7.10/debian/patches/series	2016-05-18 10:54:56.000000000 +1000
@@ -10,3 +10,9 @@
 0009-Fixing-a-buffer-overflow-in-psd-file-handling.patch
 0010-Added-boundary-checks-in-DecodePSDPixels.patch
 0011-Prevent-buffer-overflow-in-messaging-system-CVE-2014.patch
+0076-Disable-EPHEMERAL-URL-HTTPS-MVG-MSL-TEXT-SHOW-WIN-and-PLT-coders.patch
+0077-Remove-PLT-Gnuplot-decoder.patch
+0078-Sanitize-input-filename-for-http-and-https-delegates.patch
+0079-Indirect-filename-must-be-authorized-by-policy.patch
+0080-Prevent-indirect-reads-with-label-at.patch
+0081-Less-secure-coders-require-explicit-reference.patch
