Ola Lundqvist <[email protected]> writes:

> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of graphicsmagick:
> https://security-tracker.debian.org/tracker/CVE-2017-13737
> https://security-tracker.debian.org/tracker/CVE-2017-15277
I have created a fix for these issues in Debian wheezy. A patch is below.

The upstream patch for CVE-2017-15277 seemed to include unrelated changes, most of which I excluded. One of these changes - checking the number of colours we read - looked like it could be another security issue, so I included it just in case.

There is a version for testing at https://people.debian.org/~bam/debian/pool/main/g/graphicsmagick/ - note I got the name of the patch file wrong in this upload (but not the diff below). This will be corrected for the final upload.

diff -Nru graphicsmagick-1.3.16/debian/changelog graphicsmagick-1.3.16/debian/changelog --- graphicsmagick-1.3.16/debian/changelog 2017-10-10 17:57:27.000000000 +1100 +++ graphicsmagick-1.3.16/debian/changelog 2017-10-16 15:21:09.000000000 +1100 @@ -1,3 +1,13 @@ +graphicsmagick (1.3.16-1.1+deb7u11) wheezy-security; urgency=medium + + * Non-maintainer upload by the LTS Team. + * Fix CVE-2017-13737: Fix incorrect rounding up, resulting + in scrambling the heap beyond the allocation. + * Fix CVE-2017-15277: Leaves the palette uninitialized when processing a GIF + file that has neither a global nor local palette. + + -- Brian May <[email protected]> Mon, 16 Oct 2017 15:21:09 +1100 + graphicsmagick (1.3.16-1.1+deb7u10) wheezy-security; urgency=high * Non-maintainer upload by the LTS Team. diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2017-13737.patch graphicsmagick-1.3.16/debian/patches/CVE-2017-13737.patch --- graphicsmagick-1.3.16/debian/patches/CVE-2017-13737.patch 1970-01-01 10:00:00.000000000 +1000 +++ graphicsmagick-1.3.16/debian/patches/CVE-2017-13737.patch 2017-10-16 15:20:44.000000000 +1100 
@@ -0,0 +1,11 @@ +--- a/magick/studio.h ++++ b/magick/studio.h +@@ -336,7 +336,7 @@ + #define MagickSQ2PI 2.50662827463100024161235523934010416269302368164062 + #define Max(x,y) (((x) > (y)) ? (x) : (y)) + #define Min(x,y) (((x) < (y)) ? (x) : (y)) +-#define NumberOfObjectsInArray(octets,size) ((octets+size-1)/size) ++#define NumberOfObjectsInArray(octets,size) (octets/size) /* rounds down */ + #define QuantumTick(i,span) \ + ((((i) % ((Max(101,span)-1)/100)) == 0) || \ + ((magick_int64_t) (i) == ((magick_int64_t) (span)-1))) diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2017-15277.patch graphicsmagick-1.3.16/debian/patches/CVE-2017-15277.patch --- graphicsmagick-1.3.16/debian/patches/CVE-2017-15277.patch 1970-01-01 10:00:00.000000000 +1000 +++ graphicsmagick-1.3.16/debian/patches/CVE-2017-15277.patch 2017-10-16 15:21:09.000000000 +1100 @@ -0,0 +1,19 @@ +--- a/coders/gif.c ++++ b/coders/gif.c +@@ -873,8 +873,15 @@ + global_colormap=MagickAllocateMemory(unsigned char *,3*Max(global_colors,256)); + if (global_colormap == (unsigned char *) NULL) + ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image); ++ (void) memset(global_colormap,0,3*Max(global_colors,256U)); + if (BitSet(flag,0x80)) +- (void) ReadBlob(image,3*global_colors,(char *) global_colormap); ++ { ++ if (ReadBlob(image,3*global_colors,(char *) global_colormap) != 3U*global_colors) ++ { ++ MagickFreeMemory(global_colormap); ++ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); ++ } ++ } + delay=0; + dispose=0; + iterations=1; diff -Nru graphicsmagick-1.3.16/debian/patches/series graphicsmagick-1.3.16/debian/patches/series --- graphicsmagick-1.3.16/debian/patches/series 2017-10-09 17:53:49.000000000 +1100 +++ graphicsmagick-1.3.16/debian/patches/series 2017-10-16 15:21:09.000000000 +1100 @@ -35,3 +35,5 @@ CVE-2017-14733.patch CVE-2017-14994.patch CVE-2017-14997.patch +CVE-2017-13737.patch +CVE-2017-15277.patch -- Brian May <[email protected]>
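Review bot: the debian/changelog hunk (@@ -1,3 +1,13 @@) describes CVE-2017-15277 only as the uninitialized palette, but the CVE-2017-15277.patch hunk also adds a short-read check on the global colormap that now fails the decode with CorruptImageError/UnexpectedEndOfFile; since the mail says that check was taken from upstream "just in case" rather than being part of the CVE, add a line to that changelog entry so the extra behaviour change is recorded, e.g. `Also fail with UnexpectedEndOfFile if the global colormap is truncated.`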
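Review bot: in the magick/studio.h hunk the replacement `#define NumberOfObjectsInArray(octets,size) (octets/size) /* rounds down */` leaves the macro parameters unparenthesised, so a caller that passes an expression as `size` (say `a+b`) gets `octets/a+b` instead of `octets/(a+b)`; the old definition had the same weakness, but since the line is being rewritten anyway, make it `#define NumberOfObjectsInArray(octets,size) ((octets)/(size)) /* rounds down */`. The direction of the change is right: when `octets` is not a multiple of `size`, rounding up yields one object more than the allocation holds, which is the heap overrun the changelog entry describes.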
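Review bot: in the coders/gif.c hunk the new `memset(global_colormap,0,3*Max(global_colors,256U))` sizes the buffer differently from the allocation two lines above it, `3*Max(global_colors,256)`; the two agree today but are easy to let drift apart, so compute the size once (`size_t colormap_size=3*Max(global_colors,256U);`) and use it for both the MagickAllocateMemory call and the memset, which also keeps the arithmetic unsigned in both places. The new error path is otherwise sound: global_colormap is freed before ThrowReaderException, and the short-read test compares against `3U*global_colors`, the same byte count handed to ReadBlob.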
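The rounding change in the magick/studio.h hunk, as an added example that is not part of the mail or of GraphicsMagick itself: it keeps both macro definitions verbatim, then measures, on a constructed 10-byte allocation holding 4-byte objects, how far a loop over the macro's object count runs past the buffer. The GUARD padding, the helper names and the sizes are assumptions made for this demo; it also shows the unparenthesised-argument hazard the macro carries in both versions.

```c
/* Added example, not code from the mail or from GraphicsMagick: it shows
 * why the old NumberOfObjectsInArray() macro (rounds up) lets a loop step
 * past a heap allocation and why the patched one (rounds down) does not.
 * The buffer sizes, the GUARD padding and the helper names are constructed
 * for this demo. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The two definitions exactly as they appear in the studio.h hunk. */
#define NumberOfObjectsInArray_old(octets,size) ((octets+size-1)/size)
#define NumberOfObjectsInArray_new(octets,size) (octets/size) /* rounds down */

#define GUARD 64   /* padding after the "allocation" so an overrun is observable */

/* Allocate `octets` bytes plus GUARD bytes of padding, fill everything with
 * a sentinel, then "process" `count` objects of `size` bytes the way a coder
 * loop indexed by NumberOfObjectsInArray() would. Returns how many guard
 * bytes were clobbered, i.e. how far the loop ran past the real allocation.
 * Writes are bounded by the padding so the demo itself stays defined. */
size_t clobbered_guard_bytes(size_t octets, size_t size, size_t count)
{
    unsigned char *buf = malloc(octets + GUARD);
    if (buf == NULL)
        return (size_t)-1;
    memset(buf, 0xAA, octets + GUARD);          /* 0xAA = untouched */

    if (count * size <= octets + GUARD)         /* never leave our own padding */
        for (size_t i = 0; i < count; i++)
            memset(buf + i * size, 0x00, size); /* object i written in full */

    size_t clobbered = 0;
    for (size_t i = octets; i < octets + GUARD; i++)
        if (buf[i] != 0xAA)
            clobbered++;
    free(buf);
    return clobbered;
}

/* Object count the old and the new macro give for the same allocation. */
size_t count_old(size_t octets, size_t size) { return NumberOfObjectsInArray_old(octets, size); }
size_t count_new(size_t octets, size_t size) { return NumberOfObjectsInArray_new(octets, size); }

/* Overrun in bytes for each macro: 0 means the loop stayed inside `octets`. */
size_t overrun_old(size_t octets, size_t size)
{
    return clobbered_guard_bytes(octets, size, count_old(octets, size));
}
size_t overrun_new(size_t octets, size_t size)
{
    return clobbered_guard_bytes(octets, size, count_new(octets, size));
}

/* Side issue visible in the hunk: the macro parameters are not parenthesised,
 * so an expression passed as `size` is substituted textually and 16/2+2 is
 * evaluated instead of 16/(2+2). */
int macro_arg_hazard(void)
{
    return NumberOfObjectsInArray_new(16, 2+2);  /* 10, not 4 */
}

int main(void)
{
    /* A 10-byte allocation holding 4-byte objects: 2 fit, the old macro says 3. */
    printf("old macro: count=%zu overrun=%zu bytes\n", count_old(10, 4), overrun_old(10, 4));
    printf("new macro: count=%zu overrun=%zu bytes\n", count_new(10, 4), overrun_new(10, 4));
    printf("macro argument hazard: %d\n", macro_arg_hazard());
    return 0;
}
```

With the 10-byte buffer the old macro reports 3 objects and the loop writes 12 bytes, two of them past the allocation; the patched macro reports 2 and stays in bounds. When `octets` is an exact multiple of `size` both macros agree, which is why the bug only shows on odd-sized inputs.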
