Hello Bastien,

I uploaded a fixed version to squeeze (8:6.6.0.4-3+squeeze7) and updated the security tracker entries with all my findings.

I also opened #806441 to track the status of those issues in all Debian releases. I attached the two patches I used there.

And here I attach the debdiff if you want to integrate my changes in a git repository or similar.

Cheers,

On Sat, 17 Oct 2015, Bastien Roucaries wrote:
>
>
> On 14 October 2015 00:56:36 GMT+02:00, [email protected] wrote:
> >Hello dear maintainer(s),
> >
> >the Debian LTS team would like to fix the security issues which are
> >currently open in the Squeeze version of imagemagick:
> >https://security-tracker.debian.org/tracker/source-package/imagemagick
> >
> >Would you like to take care of this yourself? We are still understaffed so
> >any help is always highly appreciated.
> >
> >If yes, please follow the workflow we have defined here:
> >http://wiki.debian.org/LTS/Development
> >
> >If that workflow is a burden to you, feel free to just prepare an
> >updated source package and send it to [email protected]
> >(via a debdiff, or with an URL pointing to the source package,
> >or even with a pointer to your packaging repository), and the members
> >of the LTS team will take care of the rest. Indicate clearly whether you
> >have tested the updated package or not.
> >
>
> Will take care
>
> >If you don't want to take care of this update, it's not a problem, we
> >will do our best with your package. Just let us know whether you would
> >like to review and/or test the updated package before it gets released.
> >
> >Thank you very much.
> >
> >Ben Hutchings,
> > on behalf of the Debian LTS team.
> >
> >PS: A member of the LTS team might start working on this update at
> >any point in time. You can verify whether someone is registered
> >on this update in this file:
> >https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>

--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

diff --git a/debian/changelog b/debian/changelog index 1f4da02..6733b7d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +imagemagick (8:6.6.0.4-3+squeeze7) squeeze-lts; urgency=medium + + * Non-maintainer upload by the Debian LTS team. + * Add fix-overflow-in-icon-parsing.patch to fix an integer overflow + that can lead to a buffer overrun in the icon parsing code. + * Add fix-overflow-in-pict-parsing.patch to fix an integer overflow + that can lead to a double free. + + -- Raphaël Hertzog <[email protected]> Fri, 27 Nov 2015 14:01:49 +0100 + imagemagick (8:6.6.0.4-3+squeeze6) squeeze-lts; urgency=high * Acknowledge NMUs (Closes: #768494). diff --git a/debian/patches/fix-overflow-in-icon-parsing.patch b/debian/patches/fix-overflow-in-icon-parsing.patch new file mode 100644 index 0000000..4b5a3ce --- /dev/null +++ b/debian/patches/fix-overflow-in-icon-parsing.patch @@ -0,0 +1,20 @@ +Description: Fix buffer overflow in icon parsing code + This patch backports a small extract of a larger upstream + commit that addresses this specific issue. +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1459747 +Origin: backport, https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734 +Applied-Upstream: 7.0.0 +Last-Update: 2015-11-26 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/coders/icon.c ++++ b/coders/icon.c +@@ -275,6 +275,8 @@ static Image *ReadICONImage(const ImageI + Icon image encoded as a compressed PNG image. + */ + length=icon_file.directory[i].size; ++ if (~length < 12) ++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + png=(unsigned char *) AcquireQuantumMemory(length+12,sizeof(*png)); + if (png == (unsigned char *) NULL) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); 
diff --git a/debian/patches/fix-overflow-in-pict-parsing.patch b/debian/patches/fix-overflow-in-pict-parsing.patch new file mode 100644 index 0000000..6196dc8 --- /dev/null +++ b/debian/patches/fix-overflow-in-pict-parsing.patch @@ -0,0 +1,45 @@ +Description: Fix overflow in pict image parsing + Backport a small part of an upstream commit fixing + an issue with pict image parsing. +Origin: backport, https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803 +Applied-Upstream: 7.0.0 +Last-Update: 2015-11-27 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/coders/pict.c ++++ b/coders/pict.c +@@ -1589,6 +1589,7 @@ static MagickBooleanType WritePICTImage( + x; + + size_t ++ row_bytes, + count; + + unsigned char +@@ -1602,7 +1603,6 @@ static MagickBooleanType WritePICTImage( + + unsigned short + base_address, +- row_bytes, + transfer_mode; + + /* +@@ -1633,7 +1633,7 @@ static MagickBooleanType WritePICTImage( + source_rectangle=size_rectangle; + destination_rectangle=size_rectangle; + base_address=0xff; +- row_bytes=(unsigned short) (image->columns | 0x8000); ++ row_bytes=image->columns; + bounds.top=0; + bounds.left=0; + bounds.bottom=(short) image->rows; +@@ -1663,7 +1663,7 @@ static MagickBooleanType WritePICTImage( + pixmap.bits_per_pixel=32; + pixmap.pack_type=0x04; + transfer_mode=0x40; +- row_bytes=(unsigned short) ((4*image->columns) | 0x8000); ++ row_bytes=4*image->columns; + } + /* + Allocate memory. diff --git a/debian/patches/series b/debian/patches/series index 1e57eb6..acd983a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -57,3 +57,5 @@ 0056-During-identification-of-image-do-not-fill-memory.patch 0057-Fix-correctly-the-xpm-crash-problem.patch 0058-Avoid-a-memory-leak-in-quantum-management.patch +fix-overflow-in-icon-parsing.patch +fix-overflow-in-pict-parsing.patch
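
Review bot: the new 8:6.6.0.4-3+squeeze7 entry in debian/changelog gives no bug or CVE reference for either fix, so the upload cannot be matched to tracker entries from the changelog alone. The two patch headers already cite Launchpad bugs 1459747 and 1448803; naming those, or the tracking bug opened for this update, next to each changelog item would close that gap.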
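
Review bot: in the coders/icon.c hunk, the guard "if (~length < 12)" only tests whether length+12 wraps when length is an unsigned type at least as wide as int, and its declaration is not part of the hunk. With a narrower unsigned type, ~length is evaluated after promotion to int and the comparison is always true. A one-line comment stating the intent, or the explicit form that compares length against the type's maximum minus 12, would make the check reviewable without looking up the declaration. The guard also reuses the "MemoryAllocationFailed" message of the NULL check two lines below, so a rejected oversized directory entry and a real allocation failure look the same to the caller.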
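
Review bot: the -1633 hunk in coders/pict.c drops the "| 0x8000" that the old assignment folded into row_bytes, and no hunk in this backport touches the place where row_bytes is written to the output. Please confirm that the write site sets that bit itself and narrows the value to 16 bits there; otherwise the emitted field changes for every image. With row_bytes now a size_t, also confirm what that write does for widths that do not fit in 15 bits.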
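
Review bot: in the -1663 hunk of coders/pict.c, "row_bytes=4*image->columns;" removes the 16-bit truncation but the multiplication itself is still unchecked, and the context line that follows is the "Allocate memory." comment. If the allocation size is derived from row_bytes, an explicit upper bound on image->columns before this assignment would be safer than relying on size_t being wide enough; the unchanged "bounds.bottom=(short) image->rows;" in the -1633 hunk's context shows the neighbouring fields are still narrowed to 16 bits without a range check.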
