Hi, I've looked at updating the graphicsmagick (GM) update to fix the issues outlined in a [recent discussion][1]. The fix to CVE-2016-5240.patch is trivial. I can also confirm the current GM version in wheezy-security segfaults with the POC.
I've had difficulties fixing the pending CVE-2016-9830 in wheezy, however. The patch depends on the fairly new heigth/width "magick resource limit" management, which was introduced in [January 2015][2]. The [patch][2] is rather intrusive and i don't think is a good candidate for wheezy, especially because it probably breaks ABI compatibility. Attached is my best shot at porting the patch for CVE-2016-9830, which fails to comply, but may be useful for jessie or others. So I don't see any choice but to mark that issue as no-dsa. The impact of the patch is more of a DOS (memory exhaustion, from what I can tell) than code execution, so I think it doesn't warrant major code changes. I have built a package for amd64 in the [usual location][3] and attached the debdiff for the debu6 update. I confirm the patch here fixes CVE-2016-5240 properly. I am not sure I should upload this directly now considering it's such a small fix, but given that it crashes with the bad data, maybe it's worth it? Let me know, A. [1]: https://lists.debian.org/msgid-search/1481666658.43717.818066433.42d9b...@webmail.messagingengine.com [2]: http://hg.code.sf.net/p/graphicsmagick/code/rev/fac88115873c [3]: https://people.debian.org/~anarcat/debian/wheezy-lts/ -- Tu connaîtras la vérité de ton chemin à ce qui te rend heureux. - Aristote
# HG changeset patch # User Glenn Randers-Pehrson <glennrp+...@gmail.com> # Date 1477099736 14400 # Node ID 38d0f281e8c81e12ead220e1a7849d69e89b4697 # Parent 400a2e59c0d9bd7fb8b19abb1b8df60d04418f8f *coders/png.c (ReadOneJNGImage): Enforce spec requirement that the dimensions of the JPEG embedded in a JDAT chunk must match the JHDR dimensions. --- a/coders/png.c +++ b/coders/png.c @@ -70,6 +70,7 @@ #include "magick/pixel_cache.h" #include "magick/profile.h" #include "magick/quantize.h" +#include "magick/resource.h" #include "magick/semaphore.h" #include "magick/static.h" #include "magick/tempfile.h" @@ -3043,6 +3044,10 @@ static Image *ReadOneJNGImage(MngInfo *m skip_to_iend, status; + magick_int64_t + height_resource, + width_resource; + unsigned long length; @@ -3082,6 +3087,10 @@ static Image *ReadOneJNGImage(MngInfo *m read_JSEP=MagickFalse; reading_idat=MagickFalse; skip_to_iend=MagickFalse; + + width_resource = GetMagickResourceLimit(WidthResource); + height_resource = GetMagickResourceLimit(HeightResource); + for (;;) { char @@ -3186,6 +3195,10 @@ static Image *ReadOneJNGImage(MngInfo *m } if (length) MagickFreeMemory(chunk); + /* Temporarily set width and height resources to match JHDR */ + SetMagickResourceLimit(WidthResource,jng_width); + SetMagickResourceLimit(HeightResource,jng_height); + continue; } @@ -3588,6 +3601,10 @@ static Image *ReadOneJNGImage(MngInfo *m if (logging) (void) LogMagickEvent(CoderEvent,GetMagickModule(), " exit ReadOneJNGImage()"); + + SetMagickResourceLimit(WidthResource,width_resource); + SetMagickResourceLimit(HeightResource,height_resource); + return (image); }
diff -Nru graphicsmagick-1.3.16/debian/changelog graphicsmagick-1.3.16/debian/changelog --- graphicsmagick-1.3.16/debian/changelog 2016-10-26 17:11:46.000000000 -0400 +++ graphicsmagick-1.3.16/debian/changelog 2017-01-16 14:35:02.000000000 -0500 @@ -1,3 +1,11 @@ +graphicsmagick (1.3.16-1.1+deb7u6) UNRELEASED; urgency=high + + * Non-maintainer upload by the LTS Security Team. + * Properly fix CVE-2016-5240. Previous patch caused a segfault instead + of fixing the Denial of Service. + + -- Antoine Beaupré <anar...@debian.org> Mon, 16 Jan 2017 14:35:02 -0500 + graphicsmagick (1.3.16-1.1+deb7u5) wheezy-security; urgency=high * Non-maintainer upload by the Wheezy LTS team. diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2016-5240.patch graphicsmagick-1.3.16/debian/patches/CVE-2016-5240.patch --- graphicsmagick-1.3.16/debian/patches/CVE-2016-5240.patch 2016-10-26 16:31:22.000000000 -0400 +++ graphicsmagick-1.3.16/debian/patches/CVE-2016-5240.patch 2017-01-16 13:28:27.000000000 -0500 @@ -1,6 +1,6 @@ --- a/magick/render.c +++ b/magick/render.c -@@ -1519,7 +1519,7 @@ +@@ -1519,7 +1519,7 @@ static unsigned int DrawDashPolygon(cons n++; } status=True; @@ -9,7 +9,7 @@ { dx=primitive_info[i].point.x-primitive_info[i-1].point.x; dy=primitive_info[i].point.y-primitive_info[i-1].point.y; -@@ -1531,7 +1531,7 @@ +@@ -1531,7 +1531,7 @@ static unsigned int DrawDashPolygon(cons n=0; length=scale*draw_info->dash_pattern[n]; } @@ -18,7 +18,7 @@ { total_length+=length; if (n & 0x01) -@@ -2474,8 +2474,7 @@ +@@ -2474,8 +2474,7 @@ MagickExport unsigned int DrawImage(Imag } if (LocaleCompare("stroke-dasharray",keyword) == 0) { @@ -28,17 +28,18 @@ if (IsPoint(q)) { char -@@ -2505,6 +2504,13 @@ +@@ -2505,7 +2504,14 @@ MagickExport unsigned int DrawImage(Imag if (*token == ',') MagickGetToken(q,&q,token,token_max_length); graphic_context[n]->dash_pattern[j]=MagickAtoF(token); + if (graphic_context[n]->dash_pattern[j] < 0.0) + status=MagickFail; -+ if (status == MagickFail) -+ { -+ MagickFreeMemory(graphic_context[n]->dash_pattern); -+ break; -+ } } ++ if (status == MagickFail) ++ { ++ MagickFreeMemory(graphic_context[n]->dash_pattern); ++ break; ++ } if (x & 0x01) for ( ; j < (2*x); j++) + graphic_context[n]->dash_pattern[j]= diff -Nru graphicsmagick-1.3.16/debian/rules graphicsmagick-1.3.16/debian/rules --- graphicsmagick-1.3.16/debian/rules 2016-09-20 17:52:26.000000000 -0400 +++ graphicsmagick-1.3.16/debian/rules 2017-01-16 13:22:54.000000000 -0500 @@ -36,7 +36,7 @@ CFLAGS = -Wall -g -fno-strict-aliasing LDFLAGS = -include /usr/share/hardening-includes/hardening.make +-include /usr/share/hardening-includes/hardening.make CFLAGS += $(HARDENING_CFLAGS) LDFLAGS += $(HARDENING_LDFLAGS)