I have a test version (1.3.16-1.1+deb7u10) available for testing at: https://people.debian.org/~bam/debian/pool/main/g/graphicsmagick/
I think I am out of time for this month. If somebody wants to upload to wheezy-security, please do so, otherwise I will look at doing this next month. Also the debdiff is below:
=== cut ===
diff -Nru graphicsmagick-1.3.16/debian/changelog graphicsmagick-1.3.16/debian/changelog
--- graphicsmagick-1.3.16/debian/changelog 2017-09-01 03:14:05.000000000 +1000
+++ graphicsmagick-1.3.16/debian/changelog 2017-09-18 17:15:11.000000000 +1000
@@ -1,3 +1,12 @@
+graphicsmagick (1.3.16-1.1+deb7u10) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * Fix CVE-2017-14103: The ReadJNGImage and ReadOneJNGImage functions in
+ coders/png.c did not properly manage image pointers after certain error
+ conditions.
+
+ -- Brian May <[email protected]> Mon, 18 Sep 2017 17:15:11 +1000
+
 graphicsmagick (1.3.16-1.1+deb7u9) wheezy-security; urgency=high
 
 * Non-maintainer upload by the LTS team.
diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2017-14103.patch graphicsmagick-1.3.16/debian/patches/CVE-2017-14103.patch
--- graphicsmagick-1.3.16/debian/patches/CVE-2017-14103.patch 1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/CVE-2017-14103.patch 2017-09-15 17:26:20.000000000 +1000
@@ -0,0 +1,126 @@
+--- a/coders/png.c
++++ b/coders/png.c
+@@ -3112,15 +3112,23 @@
+ type[0],type[1],type[2],type[3],length);
+
+ if (length > PNG_MAX_UINT || count == 0)
+- ThrowReaderException(CorruptImageError,CorruptImage,image);
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "chunk length (%lu) > PNG_MAX_UINT",length);
++ return ((Image*)NULL);
++ }
++
+ chunk=(unsigned char *) NULL;
+ p=NULL;
+ if (length)
+ {
+ chunk=MagickAllocateMemory(unsigned char *,length);
+ if (chunk == (unsigned char *) NULL)
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+- image);
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " Could not allocate chunk memory");
++ return ((Image*)NULL);
++ }
+ if (ReadBlob(image,length,chunk) < length)
+ {
+ if (color_image_info != (ImageInfo *)NULL)
+@@ -3131,7 +3139,9 @@
+ {
+ DestroyImageInfo(alpha_image_info);
+ }
+- ThrowReaderException(CorruptImageError,CorruptImage,image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " chunk reading was incomplete");
++ return ((Image*)NULL);
+ }
+ p=chunk;
+ }
+@@ -3214,14 +3224,19 @@
+
+ color_image_info=MagickAllocateMemory(ImageInfo *,sizeof(ImageInfo));
+ if (color_image_info == (ImageInfo *) NULL)
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+- image);
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate color_image_info");
++ return ((Image *)NULL);
++ }
+ GetImageInfo(color_image_info);
+ color_image=AllocateImage(color_image_info);
+ if (color_image == (Image *) NULL)
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+- image);
+-
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate color_image");
++ return ((Image *)NULL);
++ }
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " Creating color_blob.");
+@@ -3229,23 +3244,31 @@
+ status=OpenBlob(color_image_info,color_image,WriteBinaryBlobMode,
+ exception);
+ if (status == MagickFalse)
+- ThrowReaderException(CoderError,UnableToOpenBlob,color_image);
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not open color_image blob");
++ return ((Image *)NULL);
++ }
++
+
+ if (!image_info->ping && jng_color_type >= 12)
+ {
+ alpha_image_info=MagickAllocateMemory(ImageInfo *,
+ sizeof(ImageInfo));
+ if (alpha_image_info == (ImageInfo *) NULL)
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+- image);
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate alpha_image_info");
++ return ((Image *)NULL);
++ }
+ GetImageInfo(alpha_image_info);
+ alpha_image=AllocateImage(alpha_image_info);
+ if (alpha_image == (Image *) NULL)
+ {
+ DestroyImage(alpha_image);
+- ThrowReaderException(ResourceLimitError,
+- MemoryAllocationFailed,
+- alpha_image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate alpha_image");
++ return ((Image *)NULL);
+ }
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+@@ -3254,7 +3277,11 @@
+ status=OpenBlob(alpha_image_info,alpha_image,WriteBinaryBlobMode,
+ exception);
+ if (status == MagickFalse)
+- ThrowReaderException(CoderError,UnableToOpenBlob,image);
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not open alpha_image blob");
++ return ((Image *)NULL);
++ }
+ if (jng_alpha_compression_method == 0)
+ {
+ unsigned char
+@@ -3324,8 +3351,7 @@
+ (void) WriteBlobMSBULong(alpha_image,
+ crc32(crc32(0,data,4),chunk,length));
+ }
+- if (length)
+- MagickFreeMemory(chunk);
++ MagickFreeMemory(chunk);
+ continue;
+ }
+
diff -Nru graphicsmagick-1.3.16/debian/patches/fix_infinite_read.patch graphicsmagick-1.3.16/debian/patches/fix_infinite_read.patch
--- graphicsmagick-1.3.16/debian/patches/fix_infinite_read.patch 1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/fix_infinite_read.patch 2017-09-15 17:05:34.000000000 +1000
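Review bot: The new `return ((Image*)NULL);` exits leave this function's own allocations behind: in the short-read branch after `ReadBlob(image,length,chunk) < length`, `chunk` was just allocated with MagickAllocateMemory and is not released, and the later exits do not release `color_image_info`, `color_image` or `alpha_image_info` once those exist. Since `length` is read from the file being parsed, a truncated JNG can leak a chunk-sized buffer on every decode attempt; adding `MagickFreeMemory(chunk);` before that return (and the matching Destroy calls on the later exits) would close it, and the same gap is in the branch that fix_infinite_read.patch introduces. Separately, the retained `DestroyImage(alpha_image);` runs only when `alpha_image` has just compared equal to NULL, so it is dead at best and should be dropped. The enclosing function starts and ends outside these hunks, so what the caller cleans up after a NULL return cannot be confirmed from here.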
@@ -0,0 +1,23 @@
+--- graphicsmagick-1.3.16.orig/coders/png.c
++++ graphicsmagick-1.3.16/coders/png.c
+@@ -3121,8 +3121,18 @@ static Image *ReadOneJNGImage(MngInfo *m
+ if (chunk == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+ image);
+- for (i=0; i < (long) length; i++)
+- chunk[i]=ReadBlobByte(image);
++ if (ReadBlob(image,length,chunk) < length)
++ {
++ if (color_image_info != (ImageInfo *)NULL)
++ {
++ DestroyImageInfo(color_image_info);
++ }
++ if (alpha_image_info != (ImageInfo *)NULL)
++ {
++ DestroyImageInfo(alpha_image_info);
++ }
++ ThrowReaderException(CorruptImageError,CorruptImage,image);
++ }
+ p=chunk;
+ }
+ (void) ReadBlobMSBLong(image); /* read crc word */
diff -Nru graphicsmagick-1.3.16/debian/patches/series graphicsmagick-1.3.16/debian/patches/series
--- graphicsmagick-1.3.16/debian/patches/series 2017-09-01 03:13:57.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/series 2017-09-15 17:20:20.000000000 +1000
@@ -28,3 +28,5 @@
 CVE-2017-12937.patch
 CVE-2017-13063-13064-13065.patch
 CVE-2017-13776-13777.patch
+fix_infinite_read.patch
+CVE-2017-14103.patch
=== cut ===
-- Brian May <[email protected]>
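Review bot: fix_infinite_read.patch is added to `series`, but the patch carries no header and the changelog entry lists only CVE-2017-14103, so nothing records what this change fixes or which upstream change it was taken from. For a security upload that makes the backport hard to audit later. A short DEP-3 header at the top of the patch, for example `Description: <one-line summary of the fix>` and `Origin: upstream, <changeset URL>`, plus a changelog bullet naming the patch, would cover it. CVE-2017-14103.patch is missing the same header.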
