Hi Markus,

> I'm fine with uploading tomorrow. Just send me your debdiff and I will
> incorporate your changes.

You can find the debdiff for CVE-2019-9956, CVE-2019-11598, CVE-2019-11597 and CVE-2019-10650 in attachment, along with appropriate DLA text entries.

I briefly thought of adding fixes for other recent CVEs, but given the pain it was to backport CVE-2019-11598 and CVE-2019-11597 (multiple issues in the patches, required extensive testing), I thought it would maybe be better to avoid very large uploads and keep them for future DLAs.

cheers,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru imagemagick-6.8.9.9/debian/changelog imagemagick-6.8.9.9/debian/changelog --- imagemagick-6.8.9.9/debian/changelog 2018-11-11 17:03:02.000000000 +0100 +++ imagemagick-6.8.9.9/debian/changelog 2019-05-05 13:46:47.000000000 +0200 @@ -1,3 +1,17 @@ +imagemagick (8:6.8.9.9-5+deb8u16) jessie-security; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * CVE-2019-9956: stack-based buffer overflow in PopHexPixel, allows DoS or + remote code execution (Closes: #925395). + * CVE-2019-11598: heap-based buffer over-read in WritePNMImage, allows DoS + or information disclosure (Closes: #928206). + * CVE-2019-11597: heap-based buffer over-read in WriteTIFFImage, allows Dos + or information disclosure (Closes: #928207). + * CVE-2019-10650: heap-based buffer over-read in WriteTIFFImage, allows DoS + or information disclosure (Closes: #926091). + + -- Hugo Lefeuvre <hle@debian.org> Sun, 05 May 2019 13:46:47 +0200 + imagemagick (8:6.8.9.9-5+deb8u15) jessie-security; urgency=high * Non-maintainer upload by the LTS Team. diff -Nru imagemagick-6.8.9.9/debian/patches/0283-CVE-2019-9956.patch imagemagick-6.8.9.9/debian/patches/0283-CVE-2019-9956.patch --- imagemagick-6.8.9.9/debian/patches/0283-CVE-2019-9956.patch 1970-01-01 01:00:00.000000000 +0100 +++ imagemagick-6.8.9.9/debian/patches/0283-CVE-2019-9956.patch 2019-05-05 13:46:47.000000000 +0200 
@@ -0,0 +1,22 @@ +Subject: fix stack buffer overflow in PopHexPixel +Author: Cristy <mikayla-grace@urban-warrior.org> +Origin: upstream, https://github.com/ImageMagick/ImageMagick6/commit/90401e430840c5ff31ad870f4370bbda1318ac94 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925395 +--- a/coders/ps.c 2019-05-05 13:46:32.000000000 +0200 ++++ b/coders/ps.c 2019-05-11 08:03:04.238884795 +0200 +@@ -2206,8 +2206,13 @@ + p++; + } + q=PopHexPixel(hex_digits,(size_t) index,q); +- q=PopHexPixel(hex_digits,(size_t) +- MagickMin(length,0xff),q); ++ q=PopHexPixel(hex_digits,(size_t) MagickMin(length,0xff),q); ++ if ((q-pixels+6) >= 80) ++ { ++ *q++='\n'; ++ (void) WriteBlob(image,q-pixels,pixels); ++ q=pixels; ++ } + if (image->previous == (Image *) NULL) + { + status=SetImageProgress(image,SaveImageTag, diff -Nru imagemagick-6.8.9.9/debian/patches/0284-CVE-2019-10650.patch imagemagick-6.8.9.9/debian/patches/0284-CVE-2019-10650.patch --- imagemagick-6.8.9.9/debian/patches/0284-CVE-2019-10650.patch 1970-01-01 01:00:00.000000000 +0100 +++ imagemagick-6.8.9.9/debian/patches/0284-CVE-2019-10650.patch 2019-05-05 13:46:47.000000000 +0200 
@@ -0,0 +1,19 @@ +Subject: fix heap-buffer-overflow in WriteTIFFImage +Author: Cristy <mikayla-grace@urban-warrior.org> +Origin: upstream, https://github.com/ImageMagick/ImageMagick6/commit/4800ae0dabdb3012f82820af946060c3ca9fdb87 + https://github.com/ImageMagick/ImageMagick6/commit/d8d844c6f23f4d90d8fe893fe9225dd78fc1e6ef +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926091 +--- a/coders/tiff.c 2019-05-11 08:11:49.834745216 +0200 ++++ b/coders/tiff.c 2019-05-11 08:15:36.645306260 +0200 +@@ -2946,6 +2946,11 @@ + (void) TIFFSetErrorHandler(error_handler); + return(MagickFalse); + } ++ if (image->exception.severity > ErrorException) ++ { ++ TIFFClose(tiff); ++ return(MagickFalse); ++ } + scene=0; + debug=IsEventLogging(); + (void) debug; diff -Nru imagemagick-6.8.9.9/debian/patches/0285-CVE-2019-11598.patch imagemagick-6.8.9.9/debian/patches/0285-CVE-2019-11598.patch --- imagemagick-6.8.9.9/debian/patches/0285-CVE-2019-11598.patch 1970-01-01 01:00:00.000000000 +0100 +++ imagemagick-6.8.9.9/debian/patches/0285-CVE-2019-11598.patch 2019-05-05 13:46:47.000000000 +0200 
@@ -0,0 +1,97 @@ +Subject: fix heap-buffer-overflow in SetGrayscaleImage() + This patch addresses a heap-buffer-overflow in SetGrayscaleImage(), + known as CVE-2019-11598. + . + The original upstream patch also included a few minor modifications + addressing potential overflow issues. Those were not removed during + the backporting process in order to ease diff comparison. +Author: Cristy <mikayla-grace@urban-warrior.org> +Origin: upstream, https://github.com/ImageMagick/ImageMagick6/commit/e2a21735e3a3f3930bd431585ec36334c4c2eb77 + https://github.com/ImageMagick/ImageMagick6/commit/e04581699db5c413ca6da4de08b3dc830faf265d + https://github.com/ImageMagick/ImageMagick6/commit/3771e33bed8e2889325e1ac5ae45bb6314b6ca5d + https://github.com/ImageMagick/ImageMagick6/commit/dd8efbac0b7fa9dd2da527ea3f629f39bf1c02cb +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928206 +--- a/magick/quantize.c 2019-05-12 10:44:41.305665460 +0200 ++++ b/magick/quantize.c 2019-05-12 10:44:41.297665517 +0200 +@@ -2148,10 +2148,8 @@ + mean_error, + mean_error_per_pixel; + +- size_t +- index; +- + ssize_t ++ index, + y; + + assert(image != (Image *) NULL); +@@ -2184,7 +2182,7 @@ + indexes=GetCacheViewAuthenticIndexQueue(image_view); + for (x=0; x < (ssize_t) image->columns; x++) + { +- index=1UL*GetPixelIndex(indexes+x); ++ index=(ssize_t) GetPixelIndex(indexes+x); + if (image->matte != MagickFalse) + { + alpha=(MagickRealType) (QuantumScale*(GetPixelAlpha(p))); +@@ -3302,16 +3300,16 @@ + + static int IntensityCompare(const void *x,const void *y) + { ++ double ++ intensity; ++ + PixelPacket + *color_1, + *color_2; + +- int +- intensity; +- + color_1=(PixelPacket *) x; + color_2=(PixelPacket *) y; +- intensity=PixelPacketIntensity(color_1)-(int) PixelPacketIntensity(color_2); ++ intensity=PixelPacketIntensity(color_1)-PixelPacketIntensity(color_2); + return((int) intensity); + } + +@@ -3336,6 +3334,9 @@ + register ssize_t + i; + ++ size_t ++ extent; ++ + ssize_t + *colormap_index, 
+ j, +@@ -3345,7 +3346,8 @@ + assert(image->signature == MagickSignature); + if (image->type != GrayscaleType) + (void) TransformImageColorspace(image,GRAYColorspace); +- colormap_index=(ssize_t *) AcquireQuantumMemory(MaxMap+1, ++ extent=MagickMax(image->colors+1,MagickMax(MaxColormapSize,MaxMap+1)); ++ colormap_index=(ssize_t *) AcquireQuantumMemory(extent, + sizeof(*colormap_index)); + if (colormap_index == (ssize_t *) NULL) + ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed", +@@ -3355,9 +3357,8 @@ + ExceptionInfo + *exception; + +- for (i=0; i <= (ssize_t) MaxMap; i++) +- colormap_index[i]=(-1); +- if (AcquireImageColormap(image,MaxMap+1) == MagickFalse) ++ (void) memset(colormap_index,(-1),extent*sizeof(*colormap_index)); ++ if (AcquireImageColormap(image,MaxColormapSize) == MagickFalse) + ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed", + image->filename); + image->colors=0; +@@ -3417,6 +3418,7 @@ + } + image_view=DestroyCacheView(image_view); + } ++ (void) memset(colormap_index,0,extent*sizeof(*colormap_index)); + for (i=0; i < (ssize_t) image->colors; i++) + image->colormap[i].opacity=(unsigned short) i; + qsort((void *) image->colormap,image->colors,sizeof(PixelPacket), diff -Nru imagemagick-6.8.9.9/debian/patches/0286-CVE-2019-11597.patch imagemagick-6.8.9.9/debian/patches/0286-CVE-2019-11597.patch --- imagemagick-6.8.9.9/debian/patches/0286-CVE-2019-11597.patch 1970-01-01 01:00:00.000000000 +0100 +++ imagemagick-6.8.9.9/debian/patches/0286-CVE-2019-11597.patch 2019-05-05 13:46:47.000000000 +0200 
@@ -0,0 +1,83 @@ +Description: fix heap buffer overflow in WriteTIFFImage + This patch also addresses a few memory leaks bundled to the same CVE. +Author: Dirk Lemstra <dirk@lemstra.org>, + Cristy <mikayla-grace@urban-warrior.org> +Origin: upstream, https://github.com/ImageMagick/ImageMagick6/commit/1d6c036f0388d7857c725342f7212b60e39a14c1 + https://github.com/ImageMagick/ImageMagick6/commit/c979b348d64a25a04f12ea7fe7888b2b23f230a7 + https://github.com/ImageMagick/ImageMagick6/commit/3c53413eb544cc567309b4c86485eae43e956112 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928207 +--- a/coders/pdf.c 2019-05-12 13:38:13.017924318 +0200 ++++ b/coders/pdf.c 2019-05-12 13:38:13.013924347 +0200 +@@ -1015,19 +1015,19 @@ + unsigned char + *group4; + ++ group4_image=CloneImage(inject_image,0,0,MagickTrue,&image->exception); ++ if (group4_image == (Image *) NULL) ++ return(MagickFalse); + status=MagickTrue; + write_info=CloneImageInfo(image_info); + (void) CopyMagickString(write_info->filename,"GROUP4:",MaxTextExtent); + (void) CopyMagickString(write_info->magick,"GROUP4",MaxTextExtent); +- group4_image=CloneImage(inject_image,0,0,MagickTrue,&image->exception); +- if (group4_image == (Image *) NULL) +- return(MagickFalse); + group4=(unsigned char *) ImageToBlob(write_info,group4_image,&length, + &image->exception); + group4_image=DestroyImage(group4_image); ++ write_info=DestroyImageInfo(write_info); + if (group4 == (unsigned char *) NULL) + return(MagickFalse); +- write_info=DestroyImageInfo(write_info); + if (WriteBlob(image,length,group4) != (ssize_t) length) + status=MagickFalse; + group4=(unsigned char *) RelinquishMagickMemory(group4); +--- a/coders/ps3.c 2019-05-12 13:38:13.017924318 +0200 ++++ b/coders/ps3.c 2019-05-12 13:38:13.013924347 +0200 +@@ -217,19 +217,19 @@ + unsigned char + *group4; + ++ group4_image=CloneImage(inject_image,0,0,MagickTrue,&image->exception); ++ if (group4_image == (Image *) NULL) ++ return(MagickFalse); + status=MagickTrue; + 
write_info=CloneImageInfo(image_info); + (void) CopyMagickString(write_info->filename,"GROUP4:",MaxTextExtent); + (void) CopyMagickString(write_info->magick,"GROUP4",MaxTextExtent); +- group4_image=CloneImage(inject_image,0,0,MagickTrue,&image->exception); +- if (group4_image == (Image *) NULL) +- return(MagickFalse); + group4=(unsigned char *) ImageToBlob(write_info,group4_image,&length, + &image->exception); + group4_image=DestroyImage(group4_image); ++ write_info=DestroyImageInfo(write_info); + if (group4 == (unsigned char *) NULL) + return(MagickFalse); +- write_info=DestroyImageInfo(write_info); + if (WriteBlob(image,length,group4) != (ssize_t) length) + status=MagickFalse; + group4=(unsigned char *) RelinquishMagickMemory(group4); +--- a/coders/tiff.c 2019-05-12 13:38:13.017924318 +0200 ++++ b/coders/tiff.c 2019-05-12 13:39:41.797294897 +0200 +@@ -3703,7 +3703,11 @@ + if (0 && (image_info->verbose != MagickFalse)) + RestoreMSCWarning + TIFFPrintDirectory(tiff,stdout,MagickFalse); +- (void) TIFFWriteDirectory(tiff); ++ if (TIFFWriteDirectory(tiff) == 0) ++ { ++ status=MagickFalse; ++ break; ++ } + image=SyncNextImageInList(image); + if (image == (Image *) NULL) + break; +@@ -3715,6 +3719,6 @@ + (void) TIFFSetWarningHandler(warning_handler); + (void) TIFFSetErrorHandler(error_handler); + TIFFClose(tiff); +- return(MagickTrue); ++ return(status); + } + #endif diff -Nru imagemagick-6.8.9.9/debian/patches/series imagemagick-6.8.9.9/debian/patches/series --- imagemagick-6.8.9.9/debian/patches/series 2018-11-11 17:03:02.000000000 +0100 +++ imagemagick-6.8.9.9/debian/patches/series 2019-05-05 13:46:47.000000000 +0200 @@ -282,3 +282,7 @@ 0281-CVE-2018-16749.patch 0282-CVE-2018-18025.patch #XXX do not enable yet, see #907336: 0300-disable-ghostscript-formats.patch +0283-CVE-2019-9956.patch +0284-CVE-2019-10650.patch +0285-CVE-2019-11598.patch +0286-CVE-2019-11597.patch
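Review bot: in the debian/changelog hunk, the CVE-2019-11597 entry reads "allows Dos" where the other three entries write "allows DoS"; fix the capitalisation for consistency. The CVE-2019-11598 entry also names WritePNMImage, while the header of 0285-CVE-2019-11598.patch says the fix is for a heap-buffer-overflow in SetGrayscaleImage() in magick/quantize.c; mentioning the fixed function in that entry would make the backport easier to trace from the changelog alone.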
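Review bot: in the coders/ps.c hunk of 0283-CVE-2019-9956.patch, the new flush condition `if ((q-pixels+6) >= 80)` relies on two bare magic numbers. A one-line comment stating what 80 and 6 stand for (the output line width and the headroom the next PopHexPixel calls need) would let a future backporter verify that the flush keeps `q` inside the `pixels` buffer, whose declared size is not visible in this hunk.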
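Review bot: in the coders/tiff.c hunk of 0284-CVE-2019-10650.patch, the new early-return block calls `TIFFClose(tiff);` and `return(MagickFalse);` but does not restore the libtiff handlers, whereas the error path directly above it in the context ends with `(void) TIFFSetErrorHandler(error_handler);` before returning, and the normal exit shown in the 0286 tiff.c hunk restores both `warning_handler` and `error_handler` before `TIFFClose(tiff);`. If the handlers are already installed at this point, the new block should restore them the same way before returning.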
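Review bot: in the IntensityCompare hunk of 0285-CVE-2019-11598.patch, `intensity` becomes a `double` but the function still ends with `return((int) intensity);`, so any difference of magnitude below 1.0 truncates to 0 and qsort treats the two colours as equal, while the sign is kept only for larger differences. Returning an explicit ordering (`if (intensity < 0.0) return(-1); if (intensity > 0.0) return(1); return(0);`) keeps the comparator both overflow-free and exact. Since the description says these extra hunks were kept verbatim from upstream to ease comparison, this can be a follow-up rather than a change to this backport.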
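Review bot: the coders/tiff.c hunks of 0286-CVE-2019-11597.patch change the function's exit to `return(status);`, but `status` is neither declared nor initialised in the visible context, and the new code only ever assigns `MagickFalse` to it. Confirm that WriteTIFFImage in 6.8.9.9 already sets `status=MagickTrue;` before the scene loop (as the pdf.c and ps3.c hunks do); otherwise a successful write would return an indeterminate value.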
CVE-2019-9956

The PopHexPixel function of coders/ps.c is affected by a stack-based buffer overflow. This vulnerability might be leveraged by remote attackers to cause denial of service or remote code execution via a crafted PostScript file.

CVE-2019-11598

The WritePNMImage function of coders/pnm.c is affected by a heap-based buffer over-read vulnerability. This flaw might be leveraged by remote attackers to cause denial of service or unauthorized disclosure of information via a crafted PNM file.

CVE-2019-11597
CVE-2019-10650

The WriteTIFFImage function of coders/tiff.c is affected by two heap-based buffer over-read vulnerabilities. These flaws might be triggered by remote attackers to cause denial of service or unauthorized disclosure of information via a crafted TIFF file.