Re: CVE-2017-14103 / graphicsmagick
I have a test version (1.3.16-1.1+deb7u10) available for testing at:
https://people.debian.org/~bam/debian/pool/main/g/graphicsmagick/
I think I am out of time for this month. If somebody wants to upload to
wheezy-security, please do so, otherwise I will look at doing this next
month.
Also the debdiff is below:
=== cut ===
diff -Nru graphicsmagick-1.3.16/debian/changelog graphicsmagick-1.3.16/debian/changelog
--- graphicsmagick-1.3.16/debian/changelog 2017-09-01 03:14:05.000000000 +1000
+++ graphicsmagick-1.3.16/debian/changelog 2017-09-18 17:15:11.000000000 +1000
@@ -1,3 +1,12 @@
+graphicsmagick (1.3.16-1.1+deb7u10) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * Fix CVE-2017-14103: The ReadJNGImage and ReadOneJNGImage functions in
+ coders/png.c did not properly manage image pointers after certain error
+ conditions.
+
+ -- Brian May <bam@debian.org> Mon, 18 Sep 2017 17:15:11 +1000
+
graphicsmagick (1.3.16-1.1+deb7u9) wheezy-security; urgency=high
* Non-maintainer upload by the LTS team.
diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2017-14103.patch graphicsmagick-1.3.16/debian/patches/CVE-2017-14103.patch
--- graphicsmagick-1.3.16/debian/patches/CVE-2017-14103.patch 1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/CVE-2017-14103.patch 2017-09-15 17:26:20.000000000 +1000
@@ -0,0 +1,126 @@
+--- a/coders/png.c
++++ b/coders/png.c
+@@ -3112,15 +3112,23 @@
+ type[0],type[1],type[2],type[3],length);
+
+ if (length > PNG_MAX_UINT || count == 0)
+- ThrowReaderException(CorruptImageError,CorruptImage,image);
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "chunk length (%lu) > PNG_MAX_UINT",length);
++ return ((Image*)NULL);
++ }
++
+ chunk=(unsigned char *) NULL;
+ p=NULL;
+ if (length)
+ {
+ chunk=MagickAllocateMemory(unsigned char *,length);
+ if (chunk == (unsigned char *) NULL)
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+- image);
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " Could not allocate chunk memory");
++ return ((Image*)NULL);
++ }
+ if (ReadBlob(image,length,chunk) < length)
+ {
+ if (color_image_info != (ImageInfo *)NULL)
+@@ -3131,7 +3139,9 @@
+ {
+ DestroyImageInfo(alpha_image_info);
+ }
+- ThrowReaderException(CorruptImageError,CorruptImage,image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " chunk reading was incomplete");
++ return ((Image*)NULL);
+ }
+ p=chunk;
+ }
+@@ -3214,14 +3224,19 @@
+
+ color_image_info=MagickAllocateMemory(ImageInfo *,sizeof(ImageInfo));
+ if (color_image_info == (ImageInfo *) NULL)
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+- image);
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate color_image_info");
++ return ((Image *)NULL);
++ }
+ GetImageInfo(color_image_info);
+ color_image=AllocateImage(color_image_info);
+ if (color_image == (Image *) NULL)
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+- image);
+-
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate color_image");
++ return ((Image *)NULL);
++ }
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " Creating color_blob.");
+@@ -3229,23 +3244,31 @@
+ status=OpenBlob(color_image_info,color_image,WriteBinaryBlobMode,
+ exception);
+ if (status == MagickFalse)
+- ThrowReaderException(CoderError,UnableToOpenBlob,color_image);
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not open color_image blob");
++ return ((Image *)NULL);
++ }
++
+
+ if (!image_info->ping && jng_color_type >= 12)
+ {
+ alpha_image_info=MagickAllocateMemory(ImageInfo *,
+ sizeof(ImageInfo));
+ if (alpha_image_info == (ImageInfo *) NULL)
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+- image);
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate alpha_image_info");
++ return ((Image *)NULL);
++ }
+ GetImageInfo(alpha_image_info);
+ alpha_image=AllocateImage(alpha_image_info);
+ if (alpha_image == (Image *) NULL)
+ {
+ DestroyImage(alpha_image);
+- ThrowReaderException(ResourceLimitError,
+- MemoryAllocationFailed,
+- alpha_image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate alpha_image");
++ return ((Image *)NULL);
+ }
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+@@ -3254,7 +3277,11 @@
+ status=OpenBlob(alpha_image_info,alpha_image,WriteBinaryBlobMode,
+ exception);
+ if (status == MagickFalse)
+- ThrowReaderException(CoderError,UnableToOpenBlob,image);
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not open alpha_image blob");
++ return ((Image *)NULL);
++ }
+ if (jng_alpha_compression_method == 0)
+ {
+ unsigned char
+@@ -3324,8 +3351,7 @@
+ (void) WriteBlobMSBULong(alpha_image,
+ crc32(crc32(0,data,4),chunk,length));
+ }
+- if (length)
+- MagickFreeMemory(chunk);
++ MagickFreeMemory(chunk);
+ continue;
+ }
+
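Review bot: Every new `return ((Image*)NULL)` path in this hunk exits while `chunk` is still allocated — it is obtained at `chunk=MagickAllocateMemory(unsigned char *,length)` near the top of the hunk and only released by the `MagickFreeMemory(chunk)` at the end — so the short-read branch and the seven allocation/OpenBlob failure branches each leak it; adding `MagickFreeMemory(chunk);` before each of those returns closes that, the short-read branch being the clearest case since it already frees color_image_info and alpha_image_info on the lines above. These returns replace ThrowReaderException, which as far as I recall also records the error in `exception` and destroys the image list, so unless ReadJNGImage (outside this patch) raises an error when ReadOneJNGImage returns NULL, a truncated or oversize chunk now surfaces as a silent failure; `color_image`/`alpha_image` and their open blobs are also left undestroyed on these paths. The `DestroyImage(alpha_image)` kept on the context line before the new "could not allocate alpha_image" return is reached only when `alpha_image` is NULL; if DestroyImage asserts on a null argument that is an abort rather than an error return, so it should be dropped or replaced by destroying `alpha_image_info`. ReadOneJNGImage begins and ends outside the hunk.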
diff -Nru graphicsmagick-1.3.16/debian/patches/fix_infinite_read.patch graphicsmagick-1.3.16/debian/patches/fix_infinite_read.patch
--- graphicsmagick-1.3.16/debian/patches/fix_infinite_read.patch 1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/fix_infinite_read.patch 2017-09-15 17:05:34.000000000 +1000
@@ -0,0 +1,23 @@
+--- graphicsmagick-1.3.16.orig/coders/png.c
++++ graphicsmagick-1.3.16/coders/png.c
+@@ -3121,8 +3121,18 @@ static Image *ReadOneJNGImage(MngInfo *m
+ if (chunk == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+ image);
+- for (i=0; i < (long) length; i++)
+- chunk[i]=ReadBlobByte(image);
++ if (ReadBlob(image,length,chunk) < length)
++ {
++ if (color_image_info != (ImageInfo *)NULL)
++ {
++ DestroyImageInfo(color_image_info);
++ }
++ if (alpha_image_info != (ImageInfo *)NULL)
++ {
++ DestroyImageInfo(alpha_image_info);
++ }
++ ThrowReaderException(CorruptImageError,CorruptImage,image);
++ }
+ p=chunk;
+ }
+ (void) ReadBlobMSBLong(image); /* read crc word */
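Review bot: The new short-read branch returns through ThrowReaderException while `chunk`, allocated immediately above it, is still live, so a truncated JNG chunk leaks `length` bytes on every call; add `MagickFreeMemory(chunk);` before the throw. It also destroys only `color_image_info` and `alpha_image_info`, not `color_image`/`alpha_image` (which, judging by the names and the blob writes elsewhere in this file, are Image objects with blobs open for writing), so those likely leak as well — worth confirming against the surrounding code. Replacing the per-byte ReadBlobByte loop with a single bounded ReadBlob does remove the loop that presumably spun past EOF, and the `< length` comparison correctly treats any short read as corrupt. ReadOneJNGImage begins and ends outside the hunk.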
diff -Nru graphicsmagick-1.3.16/debian/patches/series graphicsmagick-1.3.16/debian/patches/series
--- graphicsmagick-1.3.16/debian/patches/series 2017-09-01 03:13:57.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/series 2017-09-15 17:20:20.000000000 +1000
@@ -28,3 +28,5 @@
CVE-2017-12937.patch
CVE-2017-13063-13064-13065.patch
CVE-2017-13776-13777.patch
+fix_infinite_read.patch
+CVE-2017-14103.patch
=== cut ===
--
Brian May <bam@debian.org>