
Re: CVE-2017-14103 / graphicsmagick



Brian May <bam@debian.org> writes:

> Ok, understand CVE-2017-14733.

A new patch that fixes this is below. There is also an updated version for testing. If
there is no response in the next 1 or 2 days, I will upload to wheezy-security.

diff -Nru graphicsmagick-1.3.16/debian/changelog graphicsmagick-1.3.16/debian/changelog
--- graphicsmagick-1.3.16/debian/changelog	2017-09-01 03:14:05.000000000 +1000
+++ graphicsmagick-1.3.16/debian/changelog	2017-09-18 17:15:11.000000000 +1000
@@ -1,3 +1,19 @@
+graphicsmagick (1.3.16-1.1+deb7u10) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Fix CVE-2017-14103: The ReadJNGImage and ReadOneJNGImage functions in
+    coders/png.c did not properly manage image pointers after certain error
+    conditions.
+  * Fix CVE-2017-14314: heap-based buffer over-read in DrawDashPolygon() .
+  * Fix CVE-2017-14504: NULL pointer dereference triggered by malformed file.
+  * Fix CVE-2017-14733: Ensure we detect alpha images with too few colors.
+  * Fix CVE-2017-14994: DCM_ReadNonNativeImages() can produce image list with
+    no frames, resulting in null image pointer.
+  * Fix CVE-2017-14997: unsigned underflow leading to astonishingly
+    large allocation request.
+
+ -- Brian May <bam@debian.org>  Mon, 18 Sep 2017 17:15:11 +1000
+
 graphicsmagick (1.3.16-1.1+deb7u9) wheezy-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2017-14103.patch graphicsmagick-1.3.16/debian/patches/CVE-2017-14103.patch
--- graphicsmagick-1.3.16/debian/patches/CVE-2017-14103.patch	1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/CVE-2017-14103.patch	2017-09-15 17:26:20.000000000 +1000
@@ -0,0 +1,126 @@
+--- a/coders/png.c
++++ b/coders/png.c
+@@ -3112,15 +3112,23 @@
+                               type[0],type[1],type[2],type[3],length);
+ 
+       if (length > PNG_MAX_UINT || count == 0)
+-        ThrowReaderException(CorruptImageError,CorruptImage,image);
++        {
++          (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++              "chunk length (%lu) > PNG_MAX_UINT",length);
++          return ((Image*)NULL);
++        }
++
+       chunk=(unsigned char *) NULL;
+       p=NULL;
+       if (length)
+         {
+           chunk=MagickAllocateMemory(unsigned char *,length);
+           if (chunk == (unsigned char *) NULL)
+-            ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+-                                 image);
++            {
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                  "    Could not allocate chunk memory");
++              return ((Image*)NULL);
++            }
+           if (ReadBlob(image,length,chunk) < length)
+             {
+               if (color_image_info != (ImageInfo *)NULL)
+@@ -3131,7 +3139,9 @@
+                 {
+                   DestroyImageInfo(alpha_image_info);
+                 }
+-              ThrowReaderException(CorruptImageError,CorruptImage,image);
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                  "    chunk reading was incomplete");
++              return ((Image*)NULL);
+             }
+           p=chunk;
+         }
+@@ -3214,14 +3224,19 @@
+ 
+           color_image_info=MagickAllocateMemory(ImageInfo *,sizeof(ImageInfo));
+           if (color_image_info == (ImageInfo *) NULL)
+-            ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+-                                 image);
++            {
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                  "    could not allocate color_image_info");
++              return ((Image *)NULL);
++            }
+           GetImageInfo(color_image_info);
+           color_image=AllocateImage(color_image_info);
+           if (color_image == (Image *) NULL)
+-            ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+-                                 image);
+-
++            {
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                  "    could not allocate color_image");
++              return ((Image *)NULL);
++            }
+           if (logging)
+             (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                                   "    Creating color_blob.");
+@@ -3229,23 +3244,31 @@
+           status=OpenBlob(color_image_info,color_image,WriteBinaryBlobMode,
+                           exception);
+           if (status == MagickFalse)
+-            ThrowReaderException(CoderError,UnableToOpenBlob,color_image);
++            {
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                  "    could not open color_image blob");
++              return ((Image *)NULL);
++            }
++
+ 
+           if (!image_info->ping && jng_color_type >= 12)
+             {
+               alpha_image_info=MagickAllocateMemory(ImageInfo *,
+                                                     sizeof(ImageInfo));
+               if (alpha_image_info == (ImageInfo *) NULL)
+-                ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+-                                     image);
++                {
++                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                      "    could not allocate alpha_image_info");
++                  return ((Image *)NULL);
++                }
+               GetImageInfo(alpha_image_info);
+               alpha_image=AllocateImage(alpha_image_info);
+               if (alpha_image == (Image *) NULL)
+                 {
+                   DestroyImage(alpha_image);
+-                  ThrowReaderException(ResourceLimitError,
+-                                       MemoryAllocationFailed,
+-                                       alpha_image);
++                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                      "    could not allocate alpha_image");
++                  return ((Image *)NULL);
+                 }
+               if (logging)
+                 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+@@ -3254,7 +3277,11 @@
+               status=OpenBlob(alpha_image_info,alpha_image,WriteBinaryBlobMode,
+                               exception);
+               if (status == MagickFalse)
+-                ThrowReaderException(CoderError,UnableToOpenBlob,image);
++                {
++                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                      "    could not open alpha_image blob");
++                  return ((Image *)NULL);
++                }
+               if (jng_alpha_compression_method == 0)
+                 {
+                   unsigned char
+@@ -3324,8 +3351,7 @@
+               (void) WriteBlobMSBULong(alpha_image,
+                                        crc32(crc32(0,data,4),chunk,length));
+             }
+-          if (length)
+-            MagickFreeMemory(chunk);
++          MagickFreeMemory(chunk);
+           continue;
+         }
+ 
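Review bot: Each new `return ((Image*)NULL)` in this hunk exits ReadOneJNGImage with `color_image_info`, `color_image`, `alpha_image_info` and `alpha_image` still allocated whenever the failing chunk is not the first one processed (the loop `continue`s per chunk, and those four objects are created later in the same loop body at the `MagickAllocateMemory`/`AllocateImage` lines visible here); only the short-read branch destroys the two ImageInfo objects, and no branch destroys the two Image objects. The replaced `ThrowReaderException` calls leaked the same objects, so this is not a regression, but now that the function returns instead of throwing, each exit is the natural place to release them with the same NULL guards the short-read branch already uses. That short-read branch additionally leaks `chunk`, which fix_infinite_read.patch introduces at the same spot and which CVE-2017-14103.patch keeps; `MagickFreeMemory(chunk);` before its return fixes that. Whether `color_image` and `alpha_image` are initialised to NULL before the loop is not visible in the hunk, so the guards below assume it; the function's start and end lie outside the hunk.
```c
      if (length > PNG_MAX_UINT || count == 0)
        {
          (void) LogMagickEvent(CoderEvent,GetMagickModule(),
              "chunk length (%lu) > PNG_MAX_UINT",length);
          /* release objects allocated by earlier chunks before bailing out */
          if (color_image != (Image *) NULL)
            DestroyImage(color_image);
          if (color_image_info != (ImageInfo *) NULL)
            DestroyImageInfo(color_image_info);
          if (alpha_image != (Image *) NULL)
            DestroyImage(alpha_image);
          if (alpha_image_info != (ImageInfo *) NULL)
            DestroyImageInfo(alpha_image_info);
          return ((Image*)NULL);
        }
/* … unchanged: chunk allocation and ReadBlob … */
/* … the same four guarded Destroy calls (plus MagickFreeMemory(chunk) where chunk is live) precede each other new return … */
```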
diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2017-14314.patch graphicsmagick-1.3.16/debian/patches/CVE-2017-14314.patch
--- graphicsmagick-1.3.16/debian/patches/CVE-2017-14314.patch	1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/CVE-2017-14314.patch	2017-09-18 17:15:11.000000000 +1000
@@ -0,0 +1,11 @@
+--- a/magick/render.c
++++ b/magick/render.c
+@@ -2491,7 +2491,7 @@
+                     MagickGetToken(p,&p,token,token_max_length);
+                 }
+                 graphic_context[n]->dash_pattern=
+-		  MagickAllocateArray(double *,(2*x+1),sizeof(double));
++		  MagickAllocateArray(double *,(2*x+2),sizeof(double));
+                 if (graphic_context[n]->dash_pattern == (double *) NULL)
+                   {
+                     ThrowException3(&image->exception,ResourceLimitError,
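Review bot: Growing the `dash_pattern` allocation from `2*x+1` to `2*x+2` adds one slot, but nothing in the hunk stores a value into it, and if `MagickAllocateArray` is a malloc-style wrapper that does not zero its block (not visible here) the extra element is uninitialised, so a consumer in DrawDashPolygon that scans for a 0 terminator could still read past meaningful data. If the parsing code that follows writes `2*x+1` values and relies on the trailing one being 0, an explicit `graphic_context[n]->dash_pattern[2*x+1]=0.0;` after the NULL check makes the sentinel independent of allocator behaviour; if the +1 is only slack, a comment saying why the extra slot is needed would spare the next reader the same question. The enclosing function starts and ends outside the hunk.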
diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2017-14504.patch graphicsmagick-1.3.16/debian/patches/CVE-2017-14504.patch
--- graphicsmagick-1.3.16/debian/patches/CVE-2017-14504.patch	1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/CVE-2017-14504.patch	2017-09-18 17:15:11.000000000 +1000
@@ -0,0 +1,32 @@
+--- a/coders/pnm.c
++++ b/coders/pnm.c
+@@ -526,6 +526,9 @@
+ 	    }
+ 	}
+ 
++      if ((format == XV_332_Format) && (max_value != 255))
++        ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
++
+       if (max_value <= 1)
+ 	bits_per_sample=1;
+       else if (max_value <= 255U)
+@@ -569,6 +572,9 @@
+           /*
+             Create colormap.
+           */
++          (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                                "Allocating colormap with %u colors",
++                                image->colors);
+           if (!AllocateImageColormap(image,image->colors))
+             ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+                                  image);
+@@ -888,6 +894,9 @@
+ 		      quantum_type=CMYKAQuantum;
+ 		  }
+ 	      }
++            (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                                  "using %s QuantumType",
++                                  QuantumTypeToString(quantum_type));
+ 
+ 	    
+ 
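Review bot: The two new `LogMagickEvent` calls run unconditionally, whereas the coders in this same debdiff guard logging with `if (logging)` (see the png.c hunks), and the first one formats `image->colors` with `%u`, which is only correct if that field is `unsigned int`; if it is `unsigned long` the mismatch is undefined behaviour and `%lu` is required (`-Wformat` will flag it). Wrapping both as `if (logging) (void) LogMagickEvent(...)` would match the surrounding style, assuming pnm.c has a `logging` flag like png.c. The XV_332 rejection is the actual fix and reads correctly; a one-line comment on why that format requires `max_value == 255` would help, since the reason is not recoverable from the hunk. The enclosing reader starts and ends outside the hunk.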
diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2017-14733.patch graphicsmagick-1.3.16/debian/patches/CVE-2017-14733.patch
--- graphicsmagick-1.3.16/debian/patches/CVE-2017-14733.patch	1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/CVE-2017-14733.patch	2017-09-18 17:15:11.000000000 +1000
@@ -0,0 +1,10 @@
+--- a/coders/rle.c
++++ b/coders/rle.c
+@@ -215,6 +215,7 @@
+     number_colormaps=ReadBlobByte(image);
+     map_length=1U << ReadBlobByte(image);
+     if ((number_planes == 0) || (number_planes == 2) || (bits_per_pixel != 8) ||
++        ((flags & 0x04) && ((number_planes > 254) || (number_planes < 3))) ||
+         (image->columns == 0))
+       ThrowReaderException(CoderError,DataEncodingSchemeIsNotSupported,image);
+     (void) memset(background_color,0,sizeof(background_color));
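Review bot: The added condition tests `flags & 0x04` with a bare magic bit and gives no hint why `number_planes` must lie in 3..254 when it is set; the changelog in this debdiff describes this as the alpha-image case, so a comment on the added line such as `/* flags bit 0x04: alpha present; alpha needs 3..254 colour planes */` (wording to be confirmed against the RLE format description) would record the intent. On the context line above, `map_length=1U << ReadBlobByte(image);` shifts by an unvalidated byte, which is undefined behaviour for shift counts of 32 or more; that is pre-existing and outside this CVE, but a bound on the byte is cheap while the validation block is being edited. The enclosing reader continues outside the hunk.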
diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2017-14994.patch graphicsmagick-1.3.16/debian/patches/CVE-2017-14994.patch
--- graphicsmagick-1.3.16/debian/patches/CVE-2017-14994.patch	1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/CVE-2017-14994.patch	2017-09-18 17:15:11.000000000 +1000
@@ -0,0 +1,35 @@
+--- a/coders/dcm.c
++++ b/coders/dcm.c
+@@ -1,5 +1,5 @@
+ /*
+-% Copyright (C) 2003-2009 GraphicsMagick Group
++% Copyright (C) 2003-2017 GraphicsMagick Group
+ % Copyright (C) 2002 ImageMagick Studio
+ % Copyright 1991-1999 E. I. du Pont de Nemours and Company
+ %
+@@ -4804,10 +4804,21 @@
+     MagickFreeMemory(dcm.rescale_map);
+   if (status == MagickPass)
+     {
+-      while (image->previous != (Image *) NULL)
+-        image=image->previous;
+-      CloseBlob(image);
+-      return(image);
++      /* It is possible to have success status yet have no image */
++      if (image != (Image *) NULL)
++        {
++          while (image->previous != (Image *) NULL)
++            image=image->previous;
++          CloseBlob(image);
++          return(image);
++        }
++      else
++        {
++          ThrowException(exception,CorruptImageError,
++                         ImageFileDoesNotContainAnyImageData,
++                         image_info->filename);
++          return (Image *) NULL;
++        }
+     }
+   else
+     {
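Review bot: The new `else` follows an `if` whose body ends in `return`, so the NULL case reads more directly as a guard clause ahead of the rewind loop: `if (image == (Image *) NULL) { ThrowException(exception,CorruptImageError,ImageFileDoesNotContainAnyImageData,image_info->filename); return (Image *) NULL; }` followed by the original three lines at their old indentation. The comment `/* It is possible to have success status yet have no image */` is welcome; naming which path leaves `image` NULL with `status == MagickPass`, if that is known, would make it more useful to the next reader. The enclosing function starts outside the hunk.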
diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2017-14997.patch graphicsmagick-1.3.16/debian/patches/CVE-2017-14997.patch
--- graphicsmagick-1.3.16/debian/patches/CVE-2017-14997.patch	1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/CVE-2017-14997.patch	2017-09-18 17:15:11.000000000 +1000
@@ -0,0 +1,11 @@
+--- a/coders/pict.c
++++ b/coders/pict.c
+@@ -1186,7 +1186,7 @@
+             if (length == 0)
+               break;
+             (void) ReadBlobMSBLong(image);
+-            length-=4;
++            length-=Min(4,length);
+             if (length == 0)
+               break;
+             info=MagickAllocateMemory(unsigned char *,length);
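Review bot: Clamping with `length-=Min(4,length);` stops the subtraction from wrapping, but a record whose declared `length` is 1..3 cannot contain the 4-byte value that `ReadBlobMSBLong(image)` has just consumed, so after the clamp the stream is positioned past the end of that record and the following `break` treats the file as well-formed; rejecting it is clearer: `if (length < 4) ThrowReaderException(CorruptImageError,CorruptImage,image);` placed before the `ReadBlobMSBLong` call, keeping the plain `length-=4;`. That assumes `length` is unsigned and counts the remaining bytes of the current record, which the hunk suggests but does not show. The enclosing loop starts and ends outside the hunk.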
diff -Nru graphicsmagick-1.3.16/debian/patches/fix_infinite_read.patch graphicsmagick-1.3.16/debian/patches/fix_infinite_read.patch
--- graphicsmagick-1.3.16/debian/patches/fix_infinite_read.patch	1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/fix_infinite_read.patch	2017-09-15 17:05:34.000000000 +1000
@@ -0,0 +1,23 @@
+--- graphicsmagick-1.3.16.orig/coders/png.c
++++ graphicsmagick-1.3.16/coders/png.c
+@@ -3121,8 +3121,18 @@ static Image *ReadOneJNGImage(MngInfo *m
+           if (chunk == (unsigned char *) NULL)
+             ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+                                  image);
+-          for (i=0; i < (long) length; i++)
+-            chunk[i]=ReadBlobByte(image);
++          if (ReadBlob(image,length,chunk) < length)
++            {
++              if (color_image_info != (ImageInfo *)NULL)
++                {
++                  DestroyImageInfo(color_image_info);
++                }
++              if (alpha_image_info != (ImageInfo *)NULL)
++                {
++                  DestroyImageInfo(alpha_image_info);
++                }
++              ThrowReaderException(CorruptImageError,CorruptImage,image);
++            }
+           p=chunk;
+         }
+       (void) ReadBlobMSBLong(image);  /* read crc word */
diff -Nru graphicsmagick-1.3.16/debian/patches/series graphicsmagick-1.3.16/debian/patches/series
--- graphicsmagick-1.3.16/debian/patches/series	2017-09-01 03:13:57.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/series	2017-09-18 17:15:11.000000000 +1000
@@ -28,3 +28,10 @@
 CVE-2017-12937.patch
 CVE-2017-13063-13064-13065.patch
 CVE-2017-13776-13777.patch
+fix_infinite_read.patch
+CVE-2017-14103.patch
+CVE-2017-14314.patch
+CVE-2017-14504.patch
+CVE-2017-14733.patch
+CVE-2017-14994.patch
+CVE-2017-14997.patch

-- 
Brian May <bam@debian.org>

