Brian May <[email protected]> writes: > Ok, understand CVE-2017-14733.
New patch that fixes this is below. Also updated version for testing. If no response in the next 1 or 2 days, I will upload to wheezy-security.
diff -Nru graphicsmagick-1.3.16/debian/changelog graphicsmagick-1.3.16/debian/changelog
--- graphicsmagick-1.3.16/debian/changelog 2017-09-01 03:14:05.000000000 +1000
+++ graphicsmagick-1.3.16/debian/changelog 2017-09-18 17:15:11.000000000 +1000
@@ -1,3 +1,19 @@
+graphicsmagick (1.3.16-1.1+deb7u10) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * Fix CVE-2017-14103: The ReadJNGImage and ReadOneJNGImage functions in
+ coders/png.c did not properly manage image pointers after certain error
+ conditions.
+ * Fix CVE-2017-14314: heap-based buffer over-read in DrawDashPolygon() .
+ * Fix CVE-2017-14504: NULL pointer dereference triggered by malformed file.
+ * Fix CVE-2017-14733: Ensure we detect alpha images with too few colors.
+ * Fix CVE-2017-14994: DCM_ReadNonNativeImages() can produce image list with
+ no frames, resulting in null image pointer.
+ * Fix CVE-2017-14997: unsigned underflow leading to astonishingly
+ large allocation request.
+
+ -- Brian May <[email protected]> Mon, 18 Sep 2017 17:15:11 +1000
+
 graphicsmagick (1.3.16-1.1+deb7u9) wheezy-security; urgency=high
 
 * Non-maintainer upload by the LTS team.
diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2017-14103.patch graphicsmagick-1.3.16/debian/patches/CVE-2017-14103.patch
--- graphicsmagick-1.3.16/debian/patches/CVE-2017-14103.patch 1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/CVE-2017-14103.patch 2017-09-15 17:26:20.000000000 +1000
@@ -0,0 +1,126 @@
+--- a/coders/png.c
++++ b/coders/png.c
+@@ -3112,15 +3112,23 @@
+ type[0],type[1],type[2],type[3],length);
+ 
+ if (length > PNG_MAX_UINT || count == 0)
+- ThrowReaderException(CorruptImageError,CorruptImage,image);
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "chunk length (%lu) > PNG_MAX_UINT",length);
++ return ((Image*)NULL);
++ }
++
+ chunk=(unsigned char *) NULL;
+ p=NULL;
+ if (length)
+ {
+ chunk=MagickAllocateMemory(unsigned char *,length);
+ if (chunk == (unsigned char *) NULL)
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+- image);
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " Could not allocate chunk memory");
++ return ((Image*)NULL);
++ }
+ if (ReadBlob(image,length,chunk) < length)
+ {
+ if (color_image_info != (ImageInfo *)NULL)
+@@ -3131,7 +3139,9 @@
+ {
+ DestroyImageInfo(alpha_image_info);
+ }
+- ThrowReaderException(CorruptImageError,CorruptImage,image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " chunk reading was incomplete");
++ return ((Image*)NULL);
+ }
+ p=chunk;
+ }
+@@ -3214,14 +3224,19 @@
+ 
+ color_image_info=MagickAllocateMemory(ImageInfo *,sizeof(ImageInfo));
+ if (color_image_info == (ImageInfo *) NULL)
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+- image);
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate color_image_info");
++ return ((Image *)NULL);
++ }
+ GetImageInfo(color_image_info);
+ color_image=AllocateImage(color_image_info);
+ if (color_image == (Image *) NULL)
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+- image);
+-
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate color_image");
++ return ((Image *)NULL);
++ }
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " Creating color_blob.");
+@@ -3229,23 +3244,31 @@
+ status=OpenBlob(color_image_info,color_image,WriteBinaryBlobMode,
+ exception);
+ if (status == MagickFalse)
+- ThrowReaderException(CoderError,UnableToOpenBlob,color_image);
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not open color_image blob");
++ return ((Image *)NULL);
++ }
++
+ 
+ if (!image_info->ping && jng_color_type >= 12)
+ {
+ alpha_image_info=MagickAllocateMemory(ImageInfo *,
+ sizeof(ImageInfo));
+ if (alpha_image_info == (ImageInfo *) NULL)
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+- image);
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate alpha_image_info");
++ return ((Image *)NULL);
++ }
+ GetImageInfo(alpha_image_info);
+ alpha_image=AllocateImage(alpha_image_info);
+ if (alpha_image == (Image *) NULL)
+ {
+ DestroyImage(alpha_image);
+- ThrowReaderException(ResourceLimitError,
+- MemoryAllocationFailed,
+- alpha_image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not allocate alpha_image");
++ return ((Image *)NULL);
+ }
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+@@ -3254,7 +3277,11 @@
+ status=OpenBlob(alpha_image_info,alpha_image,WriteBinaryBlobMode,
+ exception);
+ if (status == MagickFalse)
+- ThrowReaderException(CoderError,UnableToOpenBlob,image);
++ {
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " could not open alpha_image blob");
++ return ((Image *)NULL);
++ }
+ if (jng_alpha_compression_method == 0)
+ {
+ unsigned char
+@@ -3324,8 +3351,7 @@
+ (void) WriteBlobMSBULong(alpha_image,
+ crc32(crc32(0,data,4),chunk,length));
+ }
+- if (length)
+- MagickFreeMemory(chunk);
++ MagickFreeMemory(chunk);
+ continue;
+ }
+ 
diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2017-14314.patch graphicsmagick-1.3.16/debian/patches/CVE-2017-14314.patch
--- graphicsmagick-1.3.16/debian/patches/CVE-2017-14314.patch 1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/CVE-2017-14314.patch 2017-09-18 17:15:11.000000000 +1000
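Review bot: The new `return ((Image*)NULL)` paths inside the chunk-reading loop drop `chunk`, which is allocated a few lines above and is only released by the `MagickFreeMemory(chunk)` at the end of the loop body, so the "chunk reading was incomplete" return and every later allocation/OpenBlob failure each leak one chunk-sized buffer; the ThrowReaderException path added by fix_infinite_read.patch has the same gap. Those returns also destroy color_image_info/alpha_image_info but not the color_image/alpha_image objects allocated from them, and, unlike the ThrowReaderException calls they replace (which presumably record the error in `exception`), they only log, so a caller receives NULL with no error set unless it raises one itself. Adding `MagickFreeMemory(chunk);` plus a DestroyImage/DestroyImageInfo of whatever has been allocated at that point before each return, or routing all of them through one cleanup label, would close that. Minor: the first hunk's log text "chunk length (%lu) > PNG_MAX_UINT" is also emitted for the `count == 0` case. ReadOneJNGImage begins and ends outside these hunks.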
@@ -0,0 +1,11 @@
+--- a/magick/render.c
++++ b/magick/render.c
+@@ -2491,7 +2491,7 @@
+ MagickGetToken(p,&p,token,token_max_length);
+ }
+ graphic_context[n]->dash_pattern=
+- MagickAllocateArray(double *,(2*x+1),sizeof(double));
++ MagickAllocateArray(double *,(2*x+2),sizeof(double));
+ if (graphic_context[n]->dash_pattern == (double *) NULL)
+ {
+ ThrowException3(&image->exception,ResourceLimitError,
diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2017-14504.patch graphicsmagick-1.3.16/debian/patches/CVE-2017-14504.patch
--- graphicsmagick-1.3.16/debian/patches/CVE-2017-14504.patch 1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/CVE-2017-14504.patch 2017-09-18 17:15:11.000000000 +1000
@@ -0,0 +1,32 @@
+--- a/coders/pnm.c
++++ b/coders/pnm.c
+@@ -526,6 +526,9 @@
+ }
+ }
+ 
++ if ((format == XV_332_Format) && (max_value != 255))
++ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
++
+ if (max_value <= 1)
+ bits_per_sample=1;
+ else if (max_value <= 255U)
+@@ -569,6 +572,9 @@
+ /*
+ Create colormap.
+ */
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "Allocating colormap with %u colors",
++ image->colors);
+ if (!AllocateImageColormap(image,image->colors))
+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+ image);
+@@ -888,6 +894,9 @@
+ quantum_type=CMYKAQuantum;
+ }
+ }
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "using %s QuantumType",
++ QuantumTypeToString(quantum_type));
+ 
+ 
+ 
diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2017-14733.patch graphicsmagick-1.3.16/debian/patches/CVE-2017-14733.patch
--- graphicsmagick-1.3.16/debian/patches/CVE-2017-14733.patch 1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/CVE-2017-14733.patch 2017-09-18 17:15:11.000000000 +1000
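Review bot: The dash_pattern allocation grows from 2*x+1 to 2*x+2 doubles with no comment saying what the extra slot is for, and nothing in the hunk writes that last element; if DrawDashPolygon walks dash_pattern looking for a 0.0 terminator (the changelog places the over-read there), the new slot needs an explicit `graphic_context[n]->dash_pattern[2*x+1]=0.0;` unless MagickAllocateArray is known to zero its result, which I cannot tell from here. A one-line comment above the call, e.g. `/* one extra element so the terminating 0.0 entry always exists */`, would record the intent for the next reader. The loop that fills the array lies outside the hunk.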
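Review bot: The new `"Allocating colormap with %u colors"` log passes `image->colors` to a `%u` conversion; the png.c hunks in this same upload print `length` with `%lu`, and if `image->colors` is an unsigned long like those fields the specifier mismatch is undefined behaviour on 64-bit builds — `"Allocating colormap with %lu colors"` (or an explicit cast to the matching type) avoids that. The two added LogMagickEvent calls are also unconditional, whereas the png.c hunks gate theirs on `logging`; harmless if LogMagickEvent filters internally, but inconsistent within one upload. The `XV_332_Format` rejection would also benefit from a short comment on why only `max_value == 255` is acceptable, since the link to the NULL dereference named in the changelog is not visible from the hunk. The enclosing header parser begins and ends outside these hunks.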
@@ -0,0 +1,10 @@
+--- a/coders/rle.c
++++ b/coders/rle.c
+@@ -215,6 +215,7 @@
+ number_colormaps=ReadBlobByte(image);
+ map_length=1U << ReadBlobByte(image);
+ if ((number_planes == 0) || (number_planes == 2) || (bits_per_pixel != 8) ||
++ ((flags & 0x04) && ((number_planes > 254) || (number_planes < 3))) ||
+ (image->columns == 0))
+ ThrowReaderException(CoderError,DataEncodingSchemeIsNotSupported,image);
+ (void) memset(background_color,0,sizeof(background_color));
diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2017-14994.patch graphicsmagick-1.3.16/debian/patches/CVE-2017-14994.patch
--- graphicsmagick-1.3.16/debian/patches/CVE-2017-14994.patch 1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/CVE-2017-14994.patch 2017-09-18 17:15:11.000000000 +1000
@@ -0,0 +1,35 @@
+--- a/coders/dcm.c
++++ b/coders/dcm.c
+@@ -1,5 +1,5 @@
+ /*
+-% Copyright (C) 2003-2009 GraphicsMagick Group
++% Copyright (C) 2003-2017 GraphicsMagick Group
+ % Copyright (C) 2002 ImageMagick Studio
+ % Copyright 1991-1999 E. I. du Pont de Nemours and Company
+ %
+@@ -4804,10 +4804,21 @@
+ MagickFreeMemory(dcm.rescale_map);
+ if (status == MagickPass)
+ {
+- while (image->previous != (Image *) NULL)
+- image=image->previous;
+- CloseBlob(image);
+- return(image);
++ /* It is possible to have success status yet have no image */
++ if (image != (Image *) NULL)
++ {
++ while (image->previous != (Image *) NULL)
++ image=image->previous;
++ CloseBlob(image);
++ return(image);
++ }
++ else
++ {
++ ThrowException(exception,CorruptImageError,
++ ImageFileDoesNotContainAnyImageData,
++ image_info->filename);
++ return (Image *) NULL;
++ }
+ }
+ else
+ {
diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2017-14997.patch graphicsmagick-1.3.16/debian/patches/CVE-2017-14997.patch
--- graphicsmagick-1.3.16/debian/patches/CVE-2017-14997.patch 1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/CVE-2017-14997.patch 2017-09-18 17:15:11.000000000 +1000
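Review bot: The added condition tests `flags & 0x04` and the bounds 3..254 as bare numbers with no comment, so a reader of rle.c cannot tell from the hunk which header bit is being examined or why an alpha image needs at least three planes. A comment on the new line such as `/* 0x04 marks an alpha plane (H_ALPHA in the Utah RLE header); require 3..254 colour planes in that case */` would tie the check to the changelog's "alpha images with too few colors" — confirm the bit name against whatever constant this file already uses before writing it. The surrounding header-validation code begins and ends outside the hunk.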
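Review bot: The NULL check for `image` is added only inside the `status == MagickPass` branch; the `else` branch that opens at the end of the hunk receives the same possibly-NULL `image`, and whether it dereferences it is outside the hunk, so that path deserves the same look. Style: the new nested if/else could be a guard ahead of the existing walk-to-first-frame code, `if (image == (Image *) NULL) { ThrowException(exception,CorruptImageError,ImageFileDoesNotContainAnyImageData,image_info->filename); return (Image *) NULL; }`, which keeps the success path at its original indentation. The enclosing function begins and ends outside the hunk.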
@@ -0,0 +1,11 @@
+--- a/coders/pict.c
++++ b/coders/pict.c
+@@ -1186,7 +1186,7 @@
+ if (length == 0)
+ break;
+ (void) ReadBlobMSBLong(image);
+- length-=4;
++ length-=Min(4,length);
+ if (length == 0)
+ break;
+ info=MagickAllocateMemory(unsigned char *,length);
diff -Nru graphicsmagick-1.3.16/debian/patches/fix_infinite_read.patch graphicsmagick-1.3.16/debian/patches/fix_infinite_read.patch
--- graphicsmagick-1.3.16/debian/patches/fix_infinite_read.patch 1970-01-01 10:00:00.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/fix_infinite_read.patch 2017-09-15 17:05:34.000000000 +1000
@@ -0,0 +1,23 @@
+--- graphicsmagick-1.3.16.orig/coders/png.c
++++ graphicsmagick-1.3.16/coders/png.c
+@@ -3121,8 +3121,18 @@ static Image *ReadOneJNGImage(MngInfo *m
+ if (chunk == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+ image);
+- for (i=0; i < (long) length; i++)
+- chunk[i]=ReadBlobByte(image);
++ if (ReadBlob(image,length,chunk) < length)
++ {
++ if (color_image_info != (ImageInfo *)NULL)
++ {
++ DestroyImageInfo(color_image_info);
++ }
++ if (alpha_image_info != (ImageInfo *)NULL)
++ {
++ DestroyImageInfo(alpha_image_info);
++ }
++ ThrowReaderException(CorruptImageError,CorruptImage,image);
++ }
+ p=chunk;
+ }
+ (void) ReadBlobMSBLong(image); /* read crc word */
diff -Nru graphicsmagick-1.3.16/debian/patches/series graphicsmagick-1.3.16/debian/patches/series
--- graphicsmagick-1.3.16/debian/patches/series 2017-09-01 03:13:57.000000000 +1000
+++ graphicsmagick-1.3.16/debian/patches/series 2017-09-18 17:15:11.000000000 +1000
@@ -28,3 +28,10 @@
 CVE-2017-12937.patch
 CVE-2017-13063-13064-13065.patch
 CVE-2017-13776-13777.patch
+fix_infinite_read.patch
+CVE-2017-14103.patch
+CVE-2017-14314.patch
+CVE-2017-14504.patch
+CVE-2017-14733.patch
+CVE-2017-14994.patch
+CVE-2017-14997.patch
-- Brian May <[email protected]>
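Review bot: `length-=Min(4,length);` stops the unsigned underflow but silently accepts a record length of 1–3: `ReadBlobMSBLong` has already consumed four bytes, the remaining length collapses to 0 and the following `if (length == 0) break;` leaves the loop as though the record were well-formed, so a malformed header is never reported. Rejecting it explicitly before the read, `if (length < 4) ThrowReaderException(CorruptImageError,CorruptImage,image);`, keeps the fix while making the bad input visible; CorruptImage is the same message the png.c patches in this upload use for truncated data. The enclosing loop begins and ends outside the hunk.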
