Hi,
I've looked at updating the graphicsmagick (GM) update to fix the issues
outlined in a [recent discussion][1]. The fix to CVE-2016-5240.patch is
trivial. I can also confirm the current GM version in wheezy-security
segfaults with the POC.
I've had difficulties fixing the pending CVE-2016-9830 in wheezy,
however. The patch depends on the fairly new heigth/width "magick
resource limit" management, which was introduced in [January
2015][2]. The [patch][2] is rather intrusive and i don't think is a good
candidate for wheezy, especially because it probably breaks ABI
compatibility. Attached is my best shot at porting the patch for
CVE-2016-9830, which fails to comply, but may be useful for jessie or
others.
So I don't see any choice but to mark that issue as no-dsa. The impact
of the patch is more of a DOS (memory exhaustion, from what I can tell)
than code execution, so I think it doesn't warrant major code changes.
I have built a package for amd64 in the [usual location][3] and attached
the debdiff for the debu6 update. I confirm the patch here fixes
CVE-2016-5240 properly.
I am not sure I should upload this directly now considering it's such a
small fix, but given that it crashes with the bad data, maybe it's worth
it?
Let me know,
A.
[1]:
https://lists.debian.org/msgid-search/1481666658.43717.818066433.42d9b...@webmail.messagingengine.com
[2]: http://hg.code.sf.net/p/graphicsmagick/code/rev/fac88115873c
[3]: https://people.debian.org/~anarcat/debian/wheezy-lts/
--
Tu connaîtras la vérité de ton chemin à ce qui te rend heureux.
- Aristote
# HG changeset patch
# User Glenn Randers-Pehrson <glennrp+...@gmail.com>
# Date 1477099736 14400
# Node ID 38d0f281e8c81e12ead220e1a7849d69e89b4697
# Parent 400a2e59c0d9bd7fb8b19abb1b8df60d04418f8f
*coders/png.c (ReadOneJNGImage): Enforce spec requirement that
the dimensions of the JPEG embedded in a JDAT chunk must match
the JHDR dimensions.
--- a/coders/png.c
+++ b/coders/png.c
@@ -70,6 +70,7 @@
#include "magick/pixel_cache.h"
#include "magick/profile.h"
#include "magick/quantize.h"
+#include "magick/resource.h"
#include "magick/semaphore.h"
#include "magick/static.h"
#include "magick/tempfile.h"
@@ -3043,6 +3044,10 @@ static Image *ReadOneJNGImage(MngInfo *m
skip_to_iend,
status;
+ magick_int64_t
+ height_resource,
+ width_resource;
+
unsigned long
length;
@@ -3082,6 +3087,10 @@ static Image *ReadOneJNGImage(MngInfo *m
read_JSEP=MagickFalse;
reading_idat=MagickFalse;
skip_to_iend=MagickFalse;
+
+ width_resource = GetMagickResourceLimit(WidthResource);
+ height_resource = GetMagickResourceLimit(HeightResource);
+
for (;;)
{
char
@@ -3186,6 +3195,10 @@ static Image *ReadOneJNGImage(MngInfo *m
}
if (length)
MagickFreeMemory(chunk);
+ /* Temporarily set width and height resources to match JHDR */
+ SetMagickResourceLimit(WidthResource,jng_width);
+ SetMagickResourceLimit(HeightResource,jng_height);
+
continue;
}
@@ -3588,6 +3601,10 @@ static Image *ReadOneJNGImage(MngInfo *m
if (logging)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
" exit ReadOneJNGImage()");
+
+ SetMagickResourceLimit(WidthResource,width_resource);
+ SetMagickResourceLimit(HeightResource,height_resource);
+
return (image);
}
diff -Nru graphicsmagick-1.3.16/debian/changelog graphicsmagick-1.3.16/debian/changelog
--- graphicsmagick-1.3.16/debian/changelog 2016-10-26 17:11:46.000000000 -0400
+++ graphicsmagick-1.3.16/debian/changelog 2017-01-16 14:35:02.000000000 -0500
@@ -1,3 +1,11 @@
+graphicsmagick (1.3.16-1.1+deb7u6) UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the LTS Security Team.
+ * Properly fix CVE-2016-5240. Previous patch caused a segfault instead
+ of fixing the Denial of Service.
+
+ -- Antoine Beaupré <anar...@debian.org> Mon, 16 Jan 2017 14:35:02 -0500
+
graphicsmagick (1.3.16-1.1+deb7u5) wheezy-security; urgency=high
* Non-maintainer upload by the Wheezy LTS team.
diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2016-5240.patch graphicsmagick-1.3.16/debian/patches/CVE-2016-5240.patch
--- graphicsmagick-1.3.16/debian/patches/CVE-2016-5240.patch 2016-10-26 16:31:22.000000000 -0400
+++ graphicsmagick-1.3.16/debian/patches/CVE-2016-5240.patch 2017-01-16 13:28:27.000000000 -0500
@@ -1,6 +1,6 @@
--- a/magick/render.c
+++ b/magick/render.c
-@@ -1519,7 +1519,7 @@
+@@ -1519,7 +1519,7 @@ static unsigned int DrawDashPolygon(cons
n++;
}
status=True;
@@ -9,7 +9,7 @@
{
dx=primitive_info[i].point.x-primitive_info[i-1].point.x;
dy=primitive_info[i].point.y-primitive_info[i-1].point.y;
-@@ -1531,7 +1531,7 @@
+@@ -1531,7 +1531,7 @@ static unsigned int DrawDashPolygon(cons
n=0;
length=scale*draw_info->dash_pattern[n];
}
@@ -18,7 +18,7 @@
{
total_length+=length;
if (n & 0x01)
-@@ -2474,8 +2474,7 @@
+@@ -2474,8 +2474,7 @@ MagickExport unsigned int DrawImage(Imag
}
if (LocaleCompare("stroke-dasharray",keyword) == 0)
{
@@ -28,17 +28,18 @@
if (IsPoint(q))
{
char
-@@ -2505,6 +2504,13 @@
+@@ -2505,7 +2504,14 @@ MagickExport unsigned int DrawImage(Imag
if (*token == ',')
MagickGetToken(q,&q,token,token_max_length);
graphic_context[n]->dash_pattern[j]=MagickAtoF(token);
+ if (graphic_context[n]->dash_pattern[j] < 0.0)
+ status=MagickFail;
-+ if (status == MagickFail)
-+ {
-+ MagickFreeMemory(graphic_context[n]->dash_pattern);
-+ break;
-+ }
}
++ if (status == MagickFail)
++ {
++ MagickFreeMemory(graphic_context[n]->dash_pattern);
++ break;
++ }
if (x & 0x01)
for ( ; j < (2*x); j++)
+ graphic_context[n]->dash_pattern[j]=
diff -Nru graphicsmagick-1.3.16/debian/rules graphicsmagick-1.3.16/debian/rules
--- graphicsmagick-1.3.16/debian/rules 2016-09-20 17:52:26.000000000 -0400
+++ graphicsmagick-1.3.16/debian/rules 2017-01-16 13:22:54.000000000 -0500
@@ -36,7 +36,7 @@
CFLAGS = -Wall -g -fno-strict-aliasing
LDFLAGS =
-include /usr/share/hardening-includes/hardening.make
+-include /usr/share/hardening-includes/hardening.make
CFLAGS += $(HARDENING_CFLAGS)
LDFLAGS += $(HARDENING_LDFLAGS)
