Hi Markus,
> I'm fine with uploading tomorrow. Just send me your debdiff and I will
> incorporate your changes.
You can find the debdiff for CVE-2019-9956, CVE-2019-11598, CVE-2019-11597
and CVE-2019-10650 in attachment, along with appropriate DLA text entries.
I briefly thought of adding fixes for other recent CVEs, but given the
pain it was to backport CVE-2019-11598 and CVE-2019-11597 (multiple issues
in the patches, required extensive testing), I thought it would maybe be
better to avoid very large uploads and keep them for future DLAs.
cheers,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru imagemagick-6.8.9.9/debian/changelog imagemagick-6.8.9.9/debian/changelog
--- imagemagick-6.8.9.9/debian/changelog 2018-11-11 17:03:02.000000000 +0100
+++ imagemagick-6.8.9.9/debian/changelog 2019-05-05 13:46:47.000000000 +0200
@@ -1,3 +1,17 @@
+imagemagick (8:6.8.9.9-5+deb8u16) jessie-security; urgency=medium
+
+ * Non-maintainer upload by the LTS Security Team.
+ * CVE-2019-9956: stack-based buffer overflow in PopHexPixel, allows DoS or
+ remote code execution (Closes: #925395).
+ * CVE-2019-11598: heap-based buffer over-read in WritePNMImage, allows DoS
+ or information disclosure (Closes: #928206).
+ * CVE-2019-11597: heap-based buffer over-read in WriteTIFFImage, allows Dos
+ or information disclosure (Closes: #928207).
+ * CVE-2019-10650: heap-based buffer over-read in WriteTIFFImage, allows DoS
+ or information disclosure (Closes: #926091).
+
+ -- Hugo Lefeuvre <hle@debian.org> Sun, 05 May 2019 13:46:47 +0200
+
imagemagick (8:6.8.9.9-5+deb8u15) jessie-security; urgency=high
* Non-maintainer upload by the LTS Team.
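Review bot: the CVE-2019-11597 entry reads "allows Dos" where the other three entries read "DoS"; fix the capitalisation before upload. The CVE-2019-11598 entry (and the DLA text below) locates the bug in WritePNMImage, while 0285-CVE-2019-11598.patch is headed "fix heap-buffer-overflow in SetGrayscaleImage()" and only touches magick/quantize.c; name SetGrayscaleImage in the entry as well so the changelog matches the patch. The `Sun, 05 May 2019` stamp also predates the 11/12 May timestamps in the patch headers, so refresh the changelog date when the upload is finalised.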
diff -Nru imagemagick-6.8.9.9/debian/patches/0283-CVE-2019-9956.patch imagemagick-6.8.9.9/debian/patches/0283-CVE-2019-9956.patch
--- imagemagick-6.8.9.9/debian/patches/0283-CVE-2019-9956.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.8.9.9/debian/patches/0283-CVE-2019-9956.patch 2019-05-05 13:46:47.000000000 +0200
@@ -0,0 +1,22 @@
+Subject: fix stack buffer overflow in PopHexPixel
+Author: Cristy <mikayla-grace@urban-warrior.org>
+Origin: upstream, https://github.com/ImageMagick/ImageMagick6/commit/90401e430840c5ff31ad870f4370bbda1318ac94
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925395
+--- a/coders/ps.c 2019-05-05 13:46:32.000000000 +0200
++++ b/coders/ps.c 2019-05-11 08:03:04.238884795 +0200
+@@ -2206,8 +2206,13 @@
+ p++;
+ }
+ q=PopHexPixel(hex_digits,(size_t) index,q);
+- q=PopHexPixel(hex_digits,(size_t)
+- MagickMin(length,0xff),q);
++ q=PopHexPixel(hex_digits,(size_t) MagickMin(length,0xff),q);
++ if ((q-pixels+6) >= 80)
++ {
++ *q++='\n';
++ (void) WriteBlob(image,q-pixels,pixels);
++ q=pixels;
++ }
+ if (image->previous == (Image *) NULL)
+ {
+ status=SetImageProgress(image,SaveImageTag,
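Review bot: the new bound check `if ((q-pixels+6) >= 80)` runs after both PopHexPixel calls have already written into `pixels`, so it only triggers once `q-pixels` has reached 74; between two checks up to four more hex characters plus the `'\n'` from the flush branch can land in the buffer. The hunk does not show the declaration of `pixels`, so confirm it is sized with that slack beyond 80 bytes, as upstream's buffer is, otherwise the flush would not be enough on its own. Minor: this patch and 0284/0285 use `Subject:` while 0286 uses `Description:`; both are valid DEP-3, but one style across the series is easier to maintain.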
diff -Nru imagemagick-6.8.9.9/debian/patches/0284-CVE-2019-10650.patch imagemagick-6.8.9.9/debian/patches/0284-CVE-2019-10650.patch
--- imagemagick-6.8.9.9/debian/patches/0284-CVE-2019-10650.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.8.9.9/debian/patches/0284-CVE-2019-10650.patch 2019-05-05 13:46:47.000000000 +0200
@@ -0,0 +1,19 @@
+Subject: fix heap-buffer-overflow in WriteTIFFImage
+Author: Cristy <mikayla-grace@urban-warrior.org>
+Origin: upstream, https://github.com/ImageMagick/ImageMagick6/commit/4800ae0dabdb3012f82820af946060c3ca9fdb87
+ https://github.com/ImageMagick/ImageMagick6/commit/d8d844c6f23f4d90d8fe893fe9225dd78fc1e6ef
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926091
+--- a/coders/tiff.c 2019-05-11 08:11:49.834745216 +0200
++++ b/coders/tiff.c 2019-05-11 08:15:36.645306260 +0200
+@@ -2946,6 +2946,11 @@
+ (void) TIFFSetErrorHandler(error_handler);
+ return(MagickFalse);
+ }
++ if (image->exception.severity > ErrorException)
++ {
++ TIFFClose(tiff);
++ return(MagickFalse);
++ }
+ scene=0;
+ debug=IsEventLogging();
+ (void) debug;
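Review bot: the new early return at `if (image->exception.severity > ErrorException)` calls `TIFFClose(tiff)` but, unlike the failure path directly above it (which restores `error_handler` via `TIFFSetErrorHandler` before `return(MagickFalse)`), leaves the libtiff warning and error handlers that WriteTIFFImage installed in place. Restore them the same way before returning so this path leaves libtiff in the same state as the other error returns in the function.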
diff -Nru imagemagick-6.8.9.9/debian/patches/0285-CVE-2019-11598.patch imagemagick-6.8.9.9/debian/patches/0285-CVE-2019-11598.patch
--- imagemagick-6.8.9.9/debian/patches/0285-CVE-2019-11598.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.8.9.9/debian/patches/0285-CVE-2019-11598.patch 2019-05-05 13:46:47.000000000 +0200
@@ -0,0 +1,97 @@
+Subject: fix heap-buffer-overflow in SetGrayscaleImage()
+ This patch addresses a heap-buffer-overflow in SetGrayscaleImage(),
+ known as CVE-2019-11598.
+ .
+ The original upstream patch also included a few minor modifications
+ addressing potential overflow issues. Those were not removed during
+ the backporting process in order to ease diff comparison.
+Author: Cristy <mikayla-grace@urban-warrior.org>
+Origin: upstream, https://github.com/ImageMagick/ImageMagick6/commit/e2a21735e3a3f3930bd431585ec36334c4c2eb77
+ https://github.com/ImageMagick/ImageMagick6/commit/e04581699db5c413ca6da4de08b3dc830faf265d
+ https://github.com/ImageMagick/ImageMagick6/commit/3771e33bed8e2889325e1ac5ae45bb6314b6ca5d
+ https://github.com/ImageMagick/ImageMagick6/commit/dd8efbac0b7fa9dd2da527ea3f629f39bf1c02cb
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928206
+--- a/magick/quantize.c 2019-05-12 10:44:41.305665460 +0200
++++ b/magick/quantize.c 2019-05-12 10:44:41.297665517 +0200
+@@ -2148,10 +2148,8 @@
+ mean_error,
+ mean_error_per_pixel;
+
+- size_t
+- index;
+-
+ ssize_t
++ index,
+ y;
+
+ assert(image != (Image *) NULL);
+@@ -2184,7 +2182,7 @@
+ indexes=GetCacheViewAuthenticIndexQueue(image_view);
+ for (x=0; x < (ssize_t) image->columns; x++)
+ {
+- index=1UL*GetPixelIndex(indexes+x);
++ index=(ssize_t) GetPixelIndex(indexes+x);
+ if (image->matte != MagickFalse)
+ {
+ alpha=(MagickRealType) (QuantumScale*(GetPixelAlpha(p)));
+@@ -3302,16 +3300,16 @@
+
+ static int IntensityCompare(const void *x,const void *y)
+ {
++ double
++ intensity;
++
+ PixelPacket
+ *color_1,
+ *color_2;
+
+- int
+- intensity;
+-
+ color_1=(PixelPacket *) x;
+ color_2=(PixelPacket *) y;
+- intensity=PixelPacketIntensity(color_1)-(int) PixelPacketIntensity(color_2);
++ intensity=PixelPacketIntensity(color_1)-PixelPacketIntensity(color_2);
+ return((int) intensity);
+ }
+
+@@ -3336,6 +3334,9 @@
+ register ssize_t
+ i;
+
++ size_t
++ extent;
++
+ ssize_t
+ *colormap_index,
+ j,
+@@ -3345,7 +3346,8 @@
+ assert(image->signature == MagickSignature);
+ if (image->type != GrayscaleType)
+ (void) TransformImageColorspace(image,GRAYColorspace);
+- colormap_index=(ssize_t *) AcquireQuantumMemory(MaxMap+1,
++ extent=MagickMax(image->colors+1,MagickMax(MaxColormapSize,MaxMap+1));
++ colormap_index=(ssize_t *) AcquireQuantumMemory(extent,
+ sizeof(*colormap_index));
+ if (colormap_index == (ssize_t *) NULL)
+ ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
+@@ -3355,9 +3357,8 @@
+ ExceptionInfo
+ *exception;
+
+- for (i=0; i <= (ssize_t) MaxMap; i++)
+- colormap_index[i]=(-1);
+- if (AcquireImageColormap(image,MaxMap+1) == MagickFalse)
++ (void) memset(colormap_index,(-1),extent*sizeof(*colormap_index));
++ if (AcquireImageColormap(image,MaxColormapSize) == MagickFalse)
+ ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
+ image->filename);
+ image->colors=0;
+@@ -3417,6 +3418,7 @@
+ }
+ image_view=DestroyCacheView(image_view);
+ }
++ (void) memset(colormap_index,0,extent*sizeof(*colormap_index));
+ for (i=0; i < (ssize_t) image->colors; i++)
+ image->colormap[i].opacity=(unsigned short) i;
+ qsort((void *) image->colormap,image->colors,sizeof(PixelPacket),
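Review bot: in the IntensityCompare hunk, `intensity` becomes a `double` but the function still ends with `return((int) intensity);`, so any two colours whose intensities differ by less than 1.0 compare as equal and the qsort ordering becomes inconsistent for non-integral intensities; returning the sign of the difference (`intensity < 0 ? -1 : (intensity > 0 ? 1 : 0)`) avoids that. The `extent` computation and the two `memset` calls look right: `extent` is at least `MaxColormapSize`, which is what `AcquireImageColormap(image,MaxColormapSize)` now allocates, and `memset(...,(-1),...)` yields -1 in every `ssize_t` slot on all two's-complement targets. The header's note that the unrelated `size_t`-to-`ssize_t` change for `index` was kept to ease comparison is helpful; keep it.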
diff -Nru imagemagick-6.8.9.9/debian/patches/0286-CVE-2019-11597.patch imagemagick-6.8.9.9/debian/patches/0286-CVE-2019-11597.patch
--- imagemagick-6.8.9.9/debian/patches/0286-CVE-2019-11597.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.8.9.9/debian/patches/0286-CVE-2019-11597.patch 2019-05-05 13:46:47.000000000 +0200
@@ -0,0 +1,83 @@
+Description: fix heap buffer overflow in WriteTIFFImage
+ This patch also addresses a few memory leaks bundled to the same CVE.
+Author: Dirk Lemstra <dirk@lemstra.org>,
+ Cristy <mikayla-grace@urban-warrior.org>
+Origin: upstream, https://github.com/ImageMagick/ImageMagick6/commit/1d6c036f0388d7857c725342f7212b60e39a14c1
+ https://github.com/ImageMagick/ImageMagick6/commit/c979b348d64a25a04f12ea7fe7888b2b23f230a7
+ https://github.com/ImageMagick/ImageMagick6/commit/3c53413eb544cc567309b4c86485eae43e956112
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928207
+--- a/coders/pdf.c 2019-05-12 13:38:13.017924318 +0200
++++ b/coders/pdf.c 2019-05-12 13:38:13.013924347 +0200
+@@ -1015,19 +1015,19 @@
+ unsigned char
+ *group4;
+
++ group4_image=CloneImage(inject_image,0,0,MagickTrue,&image->exception);
++ if (group4_image == (Image *) NULL)
++ return(MagickFalse);
+ status=MagickTrue;
+ write_info=CloneImageInfo(image_info);
+ (void) CopyMagickString(write_info->filename,"GROUP4:",MaxTextExtent);
+ (void) CopyMagickString(write_info->magick,"GROUP4",MaxTextExtent);
+- group4_image=CloneImage(inject_image,0,0,MagickTrue,&image->exception);
+- if (group4_image == (Image *) NULL)
+- return(MagickFalse);
+ group4=(unsigned char *) ImageToBlob(write_info,group4_image,&length,
+ &image->exception);
+ group4_image=DestroyImage(group4_image);
++ write_info=DestroyImageInfo(write_info);
+ if (group4 == (unsigned char *) NULL)
+ return(MagickFalse);
+- write_info=DestroyImageInfo(write_info);
+ if (WriteBlob(image,length,group4) != (ssize_t) length)
+ status=MagickFalse;
+ group4=(unsigned char *) RelinquishMagickMemory(group4);
+--- a/coders/ps3.c 2019-05-12 13:38:13.017924318 +0200
++++ b/coders/ps3.c 2019-05-12 13:38:13.013924347 +0200
+@@ -217,19 +217,19 @@
+ unsigned char
+ *group4;
+
++ group4_image=CloneImage(inject_image,0,0,MagickTrue,&image->exception);
++ if (group4_image == (Image *) NULL)
++ return(MagickFalse);
+ status=MagickTrue;
+ write_info=CloneImageInfo(image_info);
+ (void) CopyMagickString(write_info->filename,"GROUP4:",MaxTextExtent);
+ (void) CopyMagickString(write_info->magick,"GROUP4",MaxTextExtent);
+- group4_image=CloneImage(inject_image,0,0,MagickTrue,&image->exception);
+- if (group4_image == (Image *) NULL)
+- return(MagickFalse);
+ group4=(unsigned char *) ImageToBlob(write_info,group4_image,&length,
+ &image->exception);
+ group4_image=DestroyImage(group4_image);
++ write_info=DestroyImageInfo(write_info);
+ if (group4 == (unsigned char *) NULL)
+ return(MagickFalse);
+- write_info=DestroyImageInfo(write_info);
+ if (WriteBlob(image,length,group4) != (ssize_t) length)
+ status=MagickFalse;
+ group4=(unsigned char *) RelinquishMagickMemory(group4);
+--- a/coders/tiff.c 2019-05-12 13:38:13.017924318 +0200
++++ b/coders/tiff.c 2019-05-12 13:39:41.797294897 +0200
+@@ -3703,7 +3703,11 @@
+ if (0 && (image_info->verbose != MagickFalse))
+ RestoreMSCWarning
+ TIFFPrintDirectory(tiff,stdout,MagickFalse);
+- (void) TIFFWriteDirectory(tiff);
++ if (TIFFWriteDirectory(tiff) == 0)
++ {
++ status=MagickFalse;
++ break;
++ }
+ image=SyncNextImageInList(image);
+ if (image == (Image *) NULL)
+ break;
+@@ -3715,6 +3719,6 @@
+ (void) TIFFSetWarningHandler(warning_handler);
+ (void) TIFFSetErrorHandler(error_handler);
+ TIFFClose(tiff);
+- return(MagickTrue);
++ return(status);
+ }
+ #endif
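Review bot: the tiff.c hunk returns `status` after the loop, but neither its declaration nor its initialisation is in the diff; confirm it is the function-scope flag set by the earlier OpenBlob call and that nothing between the `break` and `return(status)` assigns to it, otherwise a failed `TIFFWriteDirectory` would still be reported as success. The pdf.c and ps3.c hunks are sound: moving `CloneImage` ahead of `CloneImageInfo` means the `group4_image == NULL` return no longer leaks `write_info`, and moving `DestroyImageInfo` above the `group4 == NULL` check closes the leak on that path too. Style point: DEP-3 expects one `Author:` field per author rather than a continuation line, so list Dirk Lemstra and Cristy on separate `Author:` lines.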
diff -Nru imagemagick-6.8.9.9/debian/patches/series imagemagick-6.8.9.9/debian/patches/series
--- imagemagick-6.8.9.9/debian/patches/series 2018-11-11 17:03:02.000000000 +0100
+++ imagemagick-6.8.9.9/debian/patches/series 2019-05-05 13:46:47.000000000 +0200
@@ -282,3 +282,7 @@
0281-CVE-2018-16749.patch
0282-CVE-2018-18025.patch
#XXX do not enable yet, see #907336: 0300-disable-ghostscript-formats.patch
+0283-CVE-2019-9956.patch
+0284-CVE-2019-10650.patch
+0285-CVE-2019-11598.patch
+0286-CVE-2019-11597.patch
CVE-2019-9956

The PopHexPixel function of coders/ps.c is affected by a stack-based
buffer overflow. This vulnerability might be leveraged by remote
attackers to cause denial of service or remote code execution via a
crafted PostScript file.

CVE-2019-11598

The WritePNMImage function of coders/pnm.c is affected by a heap-based
buffer over-read vulnerability. This flaw might be leveraged by remote
attackers to cause denial of service or unauthorized disclosure of
information via a crafted PNM file.

CVE-2019-11597
CVE-2019-10650

The WriteTIFFImage function of coders/tiff.c is affected by two
heap-based buffer over-read vulnerabilities. These flaws might be
triggered by remote attackers to cause denial of service or
unauthorized disclosure of information via a crafted TIFF file.