Hi Markus,

> I'm fine with uploading tomorrow. Just send me your debdiff and I will
> incorporate your changes.

You can find the debdiff for CVE-2019-9956, CVE-2019-11598, CVE-2019-11597
and CVE-2019-10650 in attachement, along with appropriate DLA text entries.

I briefly thought of adding fixes for other recent CVEs, but given the
pain it was to backport CVE-2019-11598 and CVE-2019-11597 (multiple issues
in the patches, required extensive testing), I though it would maybe be
better to avoid very large uploads and keep them for future DLAs.

cheers,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru imagemagick-6.8.9.9/debian/changelog 
imagemagick-6.8.9.9/debian/changelog
--- imagemagick-6.8.9.9/debian/changelog        2018-11-11 17:03:02.000000000 
+0100
+++ imagemagick-6.8.9.9/debian/changelog        2019-05-05 13:46:47.000000000 
+0200
@@ -1,3 +1,17 @@
+imagemagick (8:6.8.9.9-5+deb8u16) jessie-security; urgency=medium
+
+  * Non-maintainer upload by the LTS Security Team.
+  * CVE-2019-9956: stack-based buffer overflow in PopHexPixel, allows DoS or
+    remote code execution (Closes: #925395).
+  * CVE-2019-11598: heap-based buffer over-read in WritePNMImage, allows DoS
+    or information disclosure (Closes: #928206).
+  * CVE-2019-11597: heap-based buffer over-read in WriteTIFFImage, allows Dos
+    or information disclosure (Closes: #928207).
+  * CVE-2019-10650: heap-based buffer over-read in WriteTIFFImage, allows DoS
+    or information disclosure (Closes: #926091).
+
+ -- Hugo Lefeuvre <h...@debian.org>  Sun, 05 May 2019 13:46:47 +0200
+
 imagemagick (8:6.8.9.9-5+deb8u15) jessie-security; urgency=high
 
   * Non-maintainer upload by the LTS Team. 
diff -Nru imagemagick-6.8.9.9/debian/patches/0283-CVE-2019-9956.patch 
imagemagick-6.8.9.9/debian/patches/0283-CVE-2019-9956.patch
--- imagemagick-6.8.9.9/debian/patches/0283-CVE-2019-9956.patch 1970-01-01 
01:00:00.000000000 +0100
+++ imagemagick-6.8.9.9/debian/patches/0283-CVE-2019-9956.patch 2019-05-05 
13:46:47.000000000 +0200
@@ -0,0 +1,22 @@
+Subject: fix stack buffer overflow in PopHexPixel
+Author: Cristy <mikayla-gr...@urban-warrior.org>
+Origin: upstream, 
https://github.com/ImageMagick/ImageMagick6/commit/90401e430840c5ff31ad870f4370bbda1318ac94
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925395
+--- a/coders/ps.c      2019-05-05 13:46:32.000000000 +0200
++++ b/coders/ps.c      2019-05-11 08:03:04.238884795 +0200
+@@ -2206,8 +2206,13 @@
+                   p++;
+                 }
+                 q=PopHexPixel(hex_digits,(size_t) index,q);
+-                q=PopHexPixel(hex_digits,(size_t)
+-                  MagickMin(length,0xff),q);
++                q=PopHexPixel(hex_digits,(size_t) MagickMin(length,0xff),q);
++                if ((q-pixels+6) >= 80)
++                  {
++                    *q++='\n';
++                    (void) WriteBlob(image,q-pixels,pixels);
++                    q=pixels;
++                  }
+                 if (image->previous == (Image *) NULL)
+                   {
+                     status=SetImageProgress(image,SaveImageTag,
diff -Nru imagemagick-6.8.9.9/debian/patches/0284-CVE-2019-10650.patch 
imagemagick-6.8.9.9/debian/patches/0284-CVE-2019-10650.patch
--- imagemagick-6.8.9.9/debian/patches/0284-CVE-2019-10650.patch        
1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.8.9.9/debian/patches/0284-CVE-2019-10650.patch        
2019-05-05 13:46:47.000000000 +0200
@@ -0,0 +1,19 @@
+Subject: fix heap-buffer-overflow in WriteTIFFImage
+Author: Cristy <mikayla-gr...@urban-warrior.org>
+Origin: upstream, 
https://github.com/ImageMagick/ImageMagick6/commit/4800ae0dabdb3012f82820af946060c3ca9fdb87
+                  
https://github.com/ImageMagick/ImageMagick6/commit/d8d844c6f23f4d90d8fe893fe9225dd78fc1e6ef
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926091
+--- a/coders/tiff.c    2019-05-11 08:11:49.834745216 +0200
++++ b/coders/tiff.c    2019-05-11 08:15:36.645306260 +0200
+@@ -2946,6 +2946,11 @@
+       (void) TIFFSetErrorHandler(error_handler);
+       return(MagickFalse);
+     }
++  if (image->exception.severity > ErrorException)
++    {
++      TIFFClose(tiff);
++      return(MagickFalse);
++    }
+   scene=0;
+   debug=IsEventLogging();
+   (void) debug;
diff -Nru imagemagick-6.8.9.9/debian/patches/0285-CVE-2019-11598.patch 
imagemagick-6.8.9.9/debian/patches/0285-CVE-2019-11598.patch
--- imagemagick-6.8.9.9/debian/patches/0285-CVE-2019-11598.patch        
1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.8.9.9/debian/patches/0285-CVE-2019-11598.patch        
2019-05-05 13:46:47.000000000 +0200
@@ -0,0 +1,97 @@
+Subject: fix heap-buffer-overflow in SetGrayscaleImage()
+ This patch addresses a heap-buffer-overflow in SetGrayscaleImage(),
+ known as CVE-2019-11598.
+ .
+ The original upstream patch also included a few minor modifications
+ addressing potential overflow issues. Those were not removed during
+ the backporting process in order to ease diff comparison.
+Author: Cristy <mikayla-gr...@urban-warrior.org>
+Origin: upstream, 
https://github.com/ImageMagick/ImageMagick6/commit/e2a21735e3a3f3930bd431585ec36334c4c2eb77
+                  
https://github.com/ImageMagick/ImageMagick6/commit/e04581699db5c413ca6da4de08b3dc830faf265d
+                  
https://github.com/ImageMagick/ImageMagick6/commit/3771e33bed8e2889325e1ac5ae45bb6314b6ca5d
+                  
https://github.com/ImageMagick/ImageMagick6/commit/dd8efbac0b7fa9dd2da527ea3f629f39bf1c02cb
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928206
+--- a/magick/quantize.c        2019-05-12 10:44:41.305665460 +0200
++++ b/magick/quantize.c        2019-05-12 10:44:41.297665517 +0200
+@@ -2148,10 +2148,8 @@
+     mean_error,
+     mean_error_per_pixel;
+ 
+-  size_t
+-    index;
+-
+   ssize_t
++    index,
+     y;
+ 
+   assert(image != (Image *) NULL);
+@@ -2184,7 +2182,7 @@
+     indexes=GetCacheViewAuthenticIndexQueue(image_view);
+     for (x=0; x < (ssize_t) image->columns; x++)
+     {
+-      index=1UL*GetPixelIndex(indexes+x);
++      index=(ssize_t) GetPixelIndex(indexes+x);
+       if (image->matte != MagickFalse)
+         {
+           alpha=(MagickRealType) (QuantumScale*(GetPixelAlpha(p)));
+@@ -3302,16 +3300,16 @@
+ 
+ static int IntensityCompare(const void *x,const void *y)
+ {
++  double
++    intensity;
++
+   PixelPacket
+     *color_1,
+     *color_2;
+ 
+-  int
+-    intensity;
+-
+   color_1=(PixelPacket *) x;
+   color_2=(PixelPacket *) y;
+-  intensity=PixelPacketIntensity(color_1)-(int) PixelPacketIntensity(color_2);
++  intensity=PixelPacketIntensity(color_1)-PixelPacketIntensity(color_2);
+   return((int) intensity);
+ }
+ 
+@@ -3336,6 +3334,9 @@
+   register ssize_t
+     i;
+ 
++  size_t
++    extent;
++
+   ssize_t
+     *colormap_index,
+     j,
+@@ -3345,7 +3346,8 @@
+   assert(image->signature == MagickSignature);
+   if (image->type != GrayscaleType)
+     (void) TransformImageColorspace(image,GRAYColorspace);
+-  colormap_index=(ssize_t *) AcquireQuantumMemory(MaxMap+1,
++  extent=MagickMax(image->colors+1,MagickMax(MaxColormapSize,MaxMap+1));
++  colormap_index=(ssize_t *) AcquireQuantumMemory(extent,
+     sizeof(*colormap_index));
+   if (colormap_index == (ssize_t *) NULL)
+     ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
+@@ -3355,9 +3357,8 @@
+       ExceptionInfo
+         *exception;
+ 
+-      for (i=0; i <= (ssize_t) MaxMap; i++)
+-        colormap_index[i]=(-1);
+-      if (AcquireImageColormap(image,MaxMap+1) == MagickFalse)
++      (void) memset(colormap_index,(-1),extent*sizeof(*colormap_index));
++      if (AcquireImageColormap(image,MaxColormapSize) == MagickFalse)
+         ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
+           image->filename);
+       image->colors=0;
+@@ -3417,6 +3418,7 @@
+       }
+       image_view=DestroyCacheView(image_view);
+     }
++  (void) memset(colormap_index,0,extent*sizeof(*colormap_index));
+   for (i=0; i < (ssize_t) image->colors; i++)
+     image->colormap[i].opacity=(unsigned short) i;
+   qsort((void *) image->colormap,image->colors,sizeof(PixelPacket),
diff -Nru imagemagick-6.8.9.9/debian/patches/0286-CVE-2019-11597.patch 
imagemagick-6.8.9.9/debian/patches/0286-CVE-2019-11597.patch
--- imagemagick-6.8.9.9/debian/patches/0286-CVE-2019-11597.patch        
1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.8.9.9/debian/patches/0286-CVE-2019-11597.patch        
2019-05-05 13:46:47.000000000 +0200
@@ -0,0 +1,83 @@
+Description: fix heap buffer overflow in WriteTIFFImage
+ This patch also addresses a few memory leaks bundled to the same CVE.
+Author: Dirk Lemstra <d...@lemstra.org>,
+        Cristy <mikayla-gr...@urban-warrior.org>
+Origin: upstream, 
https://github.com/ImageMagick/ImageMagick6/commit/1d6c036f0388d7857c725342f7212b60e39a14c1
+                  
https://github.com/ImageMagick/ImageMagick6/commit/c979b348d64a25a04f12ea7fe7888b2b23f230a7
+                  
https://github.com/ImageMagick/ImageMagick6/commit/3c53413eb544cc567309b4c86485eae43e956112
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928207
+--- a/coders/pdf.c     2019-05-12 13:38:13.017924318 +0200
++++ b/coders/pdf.c     2019-05-12 13:38:13.013924347 +0200
+@@ -1015,19 +1015,19 @@
+   unsigned char
+     *group4;
+ 
++  group4_image=CloneImage(inject_image,0,0,MagickTrue,&image->exception);
++  if (group4_image == (Image *) NULL)
++    return(MagickFalse);
+   status=MagickTrue;
+   write_info=CloneImageInfo(image_info);
+   (void) CopyMagickString(write_info->filename,"GROUP4:",MaxTextExtent);
+   (void) CopyMagickString(write_info->magick,"GROUP4",MaxTextExtent);
+-  group4_image=CloneImage(inject_image,0,0,MagickTrue,&image->exception);
+-  if (group4_image == (Image *) NULL)
+-    return(MagickFalse);
+   group4=(unsigned char *) ImageToBlob(write_info,group4_image,&length,
+     &image->exception);
+   group4_image=DestroyImage(group4_image);
++  write_info=DestroyImageInfo(write_info);
+   if (group4 == (unsigned char *) NULL)
+     return(MagickFalse);
+-  write_info=DestroyImageInfo(write_info);
+   if (WriteBlob(image,length,group4) != (ssize_t) length)
+     status=MagickFalse;
+   group4=(unsigned char *) RelinquishMagickMemory(group4);
+--- a/coders/ps3.c     2019-05-12 13:38:13.017924318 +0200
++++ b/coders/ps3.c     2019-05-12 13:38:13.013924347 +0200
+@@ -217,19 +217,19 @@
+   unsigned char
+     *group4;
+ 
++  group4_image=CloneImage(inject_image,0,0,MagickTrue,&image->exception);
++  if (group4_image == (Image *) NULL)
++    return(MagickFalse);
+   status=MagickTrue;
+   write_info=CloneImageInfo(image_info);
+   (void) CopyMagickString(write_info->filename,"GROUP4:",MaxTextExtent);
+   (void) CopyMagickString(write_info->magick,"GROUP4",MaxTextExtent);
+-  group4_image=CloneImage(inject_image,0,0,MagickTrue,&image->exception);
+-  if (group4_image == (Image *) NULL)
+-    return(MagickFalse);
+   group4=(unsigned char *) ImageToBlob(write_info,group4_image,&length,
+     &image->exception);
+   group4_image=DestroyImage(group4_image);
++  write_info=DestroyImageInfo(write_info);
+   if (group4 == (unsigned char *) NULL)
+     return(MagickFalse);
+-  write_info=DestroyImageInfo(write_info);
+   if (WriteBlob(image,length,group4) != (ssize_t) length)
+     status=MagickFalse;
+   group4=(unsigned char *) RelinquishMagickMemory(group4);
+--- a/coders/tiff.c    2019-05-12 13:38:13.017924318 +0200
++++ b/coders/tiff.c    2019-05-12 13:39:41.797294897 +0200
+@@ -3703,7 +3703,11 @@
+     if (0 && (image_info->verbose != MagickFalse))
+ RestoreMSCWarning
+       TIFFPrintDirectory(tiff,stdout,MagickFalse);
+-    (void) TIFFWriteDirectory(tiff);
++    if (TIFFWriteDirectory(tiff) == 0)
++      {
++        status=MagickFalse;
++        break;
++      }
+     image=SyncNextImageInList(image);
+     if (image == (Image *) NULL)
+       break;
+@@ -3715,6 +3719,6 @@
+   (void) TIFFSetWarningHandler(warning_handler);
+   (void) TIFFSetErrorHandler(error_handler);
+   TIFFClose(tiff);
+-  return(MagickTrue);
++  return(status);
+ }
+ #endif
diff -Nru imagemagick-6.8.9.9/debian/patches/series 
imagemagick-6.8.9.9/debian/patches/series
--- imagemagick-6.8.9.9/debian/patches/series   2018-11-11 17:03:02.000000000 
+0100
+++ imagemagick-6.8.9.9/debian/patches/series   2019-05-05 13:46:47.000000000 
+0200
@@ -282,3 +282,7 @@
 0281-CVE-2018-16749.patch
 0282-CVE-2018-18025.patch
 #XXX do not enable yet, see #907336: 0300-disable-ghostscript-formats.patch
+0283-CVE-2019-9956.patch
+0284-CVE-2019-10650.patch
+0285-CVE-2019-11598.patch
+0286-CVE-2019-11597.patch
CVE-2019-9956

    The PopHexPixel function of coders/ps.c is affected by a stack-based
    buffer overflow. This vulnerability might be leveraged by remote
    attackers to cause denial of service or remote code execution via a
    crafted PostScript file.

CVE-2019-11598

    The WritePNMImage function of coders/pnm.c is affected by a heap-based
    buffer over-read vulnerability. This flaw might be leveraged by remote
    attackers to cause denial of service or unauthorized disclosure of
    information via a crafted PNM file.

CVE-2019-11597
CVE-2019-10650

    The WriteTIFFImage function of coders/tiff.c is affected by two
    heap-based buffer over-read vulnerabilities. These flaws might be
    triggered by remote attackers to cause denial of service or
    unauthorized disclosure of information via a crafted TIFF file.

Attachment: signature.asc
Description: PGP signature

Reply via email to