diff -Nru imagemagick-6.8.9.9/debian/changelog imagemagick-6.8.9.9/debian/changelog --- imagemagick-6.8.9.9/debian/changelog 2014-12-29 11:53:11.000000000 +0100 +++ imagemagick-6.8.9.9/debian/changelog 2015-08-01 11:37:32.000000000 +0200 @@ -1,3 +1,14 @@ +imagemagick (8:6.8.9.9-5+deb8u1) jessie-security; urgency=medium + + * Fix build on mips by printing progress (Closes: #770009). + * Fix four security bugs: + - A DOS on specially crafted MIFF file (TEMP-0000000-FDAC72). + - A DOS on specially crafted Vicar file (TEMP-0000000-EEF23C). + - A DOS on specially crafted HDR file (TEMP-0000000-7C079F). + - A DOs on specially crafted PDB file (TEMP-0000000-2FC21E). + + -- Bastien Roucariès Wed, 14 Jan 2015 20:04:45 +0100 + imagemagick (8:6.8.9.9-5) unstable; urgency=high * Fix incorrect fix for xpm security problem. diff -Nru imagemagick-6.8.9.9/debian/patches/0057-Fix-a-miff-security-bug.patch imagemagick-6.8.9.9/debian/patches/0057-Fix-a-miff-security-bug.patch --- imagemagick-6.8.9.9/debian/patches/0057-Fix-a-miff-security-bug.patch 1970-01-01 01:00:00.000000000 +0100 +++ imagemagick-6.8.9.9/debian/patches/0057-Fix-a-miff-security-bug.patch 2015-08-01 11:44:21.000000000 +0200 
@@ -0,0 +1,72 @@
+From 75657e1145de7d6904fd67f4f235bbeec652ad3b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?=
+Date: Fri, 31 Jul 2015 19:08:37 +0200
+Subject: [PATCH] Fix a miff security bug
+
+Specially crafted MIFF file could lead to DOS by using excessive CPU.
+
+Fix TEMP-0000000-FDAC72
+
+origin: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26931
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17854 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+---
+ coders/miff.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/coders/miff.c b/coders/miff.c
+index a55879a..958ab46 100644
+--- a/coders/miff.c
++++ b/coders/miff.c
+@@ -1405,6 +1405,9 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+ bzip_info.avail_out=(unsigned int) (packet_size*image->columns);
+ do
+ {
++ int
++ code;
++
+ if (bzip_info.avail_in == 0)
+ {
+ bzip_info.next_in=(char *) compress_pixels;
+@@ -1414,7 +1417,13 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+ bzip_info.avail_in=(unsigned int) ReadBlob(image,length,
+ (unsigned char *) bzip_info.next_in);
+ }
+- if (BZ2_bzDecompress(&bzip_info) == BZ_STREAM_END)
++ code=BZ2_bzDecompress(&bzip_info);
++ if (code < 0)
++ {
++ status=MagickFalse;
++ break;
++ }
++ if (code == BZ_STREAM_END)
+ break;
+ } while (bzip_info.avail_out != 0);
+ (void) ImportQuantumPixels(image,(CacheView *) NULL,quantum_info,
+@@ -1461,6 +1470,9 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+ zip_info.avail_out=(uInt) (packet_size*image->columns);
+ do
+ {
++ int
++ code;
++
+ if (zip_info.avail_in == 0)
+ {
+ zip_info.next_in=compress_pixels;
+@@ -1470,7 +1482,13 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+ zip_info.avail_in=(unsigned int) ReadBlob(image,length,
+ zip_info.next_in);
+ }
+- if (inflate(&zip_info,Z_SYNC_FLUSH) == Z_STREAM_END)
++ code=inflate(&zip_info,Z_SYNC_FLUSH);
++ if (code < 0)
++ {
++ status=MagickFalse;
++ break;
++ }
++ if (code == Z_STREAM_END)
+ break;
+ } while (zip_info.avail_out != 0);
+ (void) ImportQuantumPixels(image,(CacheView *) NULL,quantum_info,
+--
+2.1.4
+
diff -Nru imagemagick-6.8.9.9/debian/patches/0058-Fix-a-DOS-in-viccar-file-handling.patch imagemagick-6.8.9.9/debian/patches/0058-Fix-a-DOS-in-viccar-file-handling.patch
--- imagemagick-6.8.9.9/debian/patches/0058-Fix-a-DOS-in-viccar-file-handling.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.8.9.9/debian/patches/0058-Fix-a-DOS-in-viccar-file-handling.patch 2015-08-01 11:44:21.000000000 +0200
@@ -0,0 +1,29 @@
+From aa2bed6c629866065a6e4ad47563e6152cc4bd41 Mon Sep 17 00:00:00 2001
+From: cristy
+Date: Sun, 25 Jan 2015 17:31:57 +0000
+Subject: [PATCH] Fix a DOS in viccar file handling
+
+The current code does not check for EOF condition leading to infinite loop
+
+origin: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26933
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17856 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+---
+ coders/vicar.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/coders/vicar.c b/coders/vicar.c
+index 78b4732..9a148a0 100644
+--- a/coders/vicar.c
++++ b/coders/vicar.c
+@@ -275,6 +275,8 @@ static Image *ReadVICARImage(const ImageInfo *image_info,
+ while (count < (ssize_t) length)
+ {
+ c=ReadBlobByte(image);
++ if (c == EOF)
++ break;
+ count++;
+ }
+ if ((image->columns == 0) || (image->rows == 0))
+--
+2.1.4
+
diff -Nru imagemagick-6.8.9.9/debian/patches/0059-Fix-a-DOS-in-HDR-file.patch imagemagick-6.8.9.9/debian/patches/0059-Fix-a-DOS-in-HDR-file.patch
--- imagemagick-6.8.9.9/debian/patches/0059-Fix-a-DOS-in-HDR-file.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.8.9.9/debian/patches/0059-Fix-a-DOS-in-HDR-file.patch 2015-08-01 11:44:21.000000000 +0200
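Review bot: The new `code < 0` guard in both decompression loops only reacts to an error code from the library; a short or empty `ReadBlob` result in the unchanged lines just above it is still assigned straight to `avail_in`. In the bzip2 loop that matters because, as far as I know, `BZ2_bzDecompress` returns `BZ_OK` rather than an error when it has no input, so a truncated stream could still leave `avail_out != 0` and keep the loop running. I would stop on an empty refill as well, e.g. `if (bzip_info.avail_in == 0) { status=MagickFalse; break; }` right after the `ReadBlob` call, and the same for `zip_info`. After the `break` the context line still calls `ImportQuantumPixels` on the partly filled row; whether `status` is tested afterwards in ReadMIFFImage is outside the hunk.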
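Review bot: Breaking out on `c == EOF` ends the header-skip loop but lets a truncated file continue as if the whole label had been consumed; nothing records that `count` is still below `length`. Reporting the file as corrupt would be clearer for callers and for logs, for example `if (c == EOF) ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");`, assuming no extra cleanup is needed at this point in ReadVICARImage, whose body continues outside the hunk. The padding loop added in 0060 (coders/pdb.c) has the same silent continue.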
@@ -0,0 +1,77 @@
+From 36132fa46fc18445f48a36be50473921d1aa7f93 Mon Sep 17 00:00:00 2001
+From: dirk
+Date: Sun, 25 Jan 2015 07:32:56 +0000
+Subject: [PATCH] Fix a DOS in HDR file
+
+Fixed infinite loop and added checks for the sscanf result.
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17846 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17846
+---
+ coders/hdr.c | 36 ++++++++++++++++++++----------------
+ 1 file changed, 20 insertions(+), 16 deletions(-)
+
+diff --git a/coders/hdr.c b/coders/hdr.c
+index 393dc89..5c3414f 100644
+--- a/coders/hdr.c
++++ b/coders/hdr.c
+@@ -274,7 +274,7 @@ static Image *ReadHDRImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (value_expected == MagickFalse)
+ continue;
+ p=value;
+- while ((c != '\n') && (c != '\0'))
++ while ((c != '\n') && (c != '\0') && (c != EOF))
+ {
+ if ((size_t) (p-value) < (MaxTextExtent-1))
+ *p++=c;
+@@ -319,18 +319,20 @@ static Image *ReadHDRImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ chromaticity[6],
+ white_point[2];
+
+- (void) sscanf(value,"%g %g %g %g %g %g %g %g",
+- &chromaticity[0],&chromaticity[1],&chromaticity[2],
+- &chromaticity[3],&chromaticity[4],&chromaticity[5],
+- &white_point[0],&white_point[1]);
+- image->chromaticity.red_primary.x=chromaticity[0];
+- image->chromaticity.red_primary.y=chromaticity[1];
+- image->chromaticity.green_primary.x=chromaticity[2];
+- image->chromaticity.green_primary.y=chromaticity[3];
+- image->chromaticity.blue_primary.x=chromaticity[4];
+- image->chromaticity.blue_primary.y=chromaticity[5];
+- image->chromaticity.white_point.x=white_point[0],
+- image->chromaticity.white_point.y=white_point[1];
++ if (sscanf(value,"%g %g %g %g %g %g %g %g",&chromaticity[0],
++ &chromaticity[1],&chromaticity[2],&chromaticity[3],
++ &chromaticity[4],&chromaticity[5],&white_point[0],
++ &white_point[1]) == 8)
++ {
++ image->chromaticity.red_primary.x=chromaticity[0];
++ image->chromaticity.red_primary.y=chromaticity[1];
++ image->chromaticity.green_primary.x=chromaticity[2];
++ image->chromaticity.green_primary.y=chromaticity[3];
++ image->chromaticity.blue_primary.x=chromaticity[4];
++ image->chromaticity.blue_primary.y=chromaticity[5];
++ image->chromaticity.white_point.x=white_point[0],
++ image->chromaticity.white_point.y=white_point[1];
++ }
+ break;
+ }
+ (void) FormatLocaleString(tag,MaxTextExtent,"hdr:%s",keyword);
+@@ -346,9 +348,11 @@ static Image *ReadHDRImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ height,
+ width;
+
+- (void) sscanf(value,"%d +X %d",&height,&width);
+- image->columns=(size_t) width;
+- image->rows=(size_t) height;
++ if (sscanf(value,"%d +X %d",&height,&width) == 2)
++ {
++ image->columns=(size_t) width;
++ image->rows=(size_t) height;
++ }
+ break;
+ }
+ (void) FormatLocaleString(tag,MaxTextExtent,"hdr:%s",keyword);
+--
+2.1.4
+
diff -Nru imagemagick-6.8.9.9/debian/patches/0060-Fix-a-DOS-in-PDB-file-handling.patch imagemagick-6.8.9.9/debian/patches/0060-Fix-a-DOS-in-PDB-file-handling.patch
--- imagemagick-6.8.9.9/debian/patches/0060-Fix-a-DOS-in-PDB-file-handling.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.8.9.9/debian/patches/0060-Fix-a-DOS-in-PDB-file-handling.patch 2015-08-01 11:44:21.000000000 +0200
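Review bot: In the resolution branch, `height` and `width` are parsed with `%d` and then cast to `size_t`, so a negative value in the file becomes a huge `image->columns` or `image->rows`; the new `== 2` test does not cover that. I would require positive values before the assignment: `if ((sscanf(value,"%d +X %d",&height,&width) == 2) && (height > 0) && (width > 0))`. Whether a later dimension check in ReadHDRImage rejects such sizes is not visible in the hunk. Separately, the moved line `image->chromaticity.white_point.x=white_point[0],` still ends in a comma operator; a `;` would read as intended.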
@@ -0,0 +1,39 @@
+From 13fe49da6e584b8ae8a06095b2d1db0af5a81b13 Mon Sep 17 00:00:00 2001
+From: cristy
+Date: Sun, 25 Jan 2015 17:29:48 +0000
+Subject: [PATCH] Fix a DOS in PDB file handling
+
+Avoid an infinite loop by checking EOF.
+
+http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26932
+
+origin: http://trac.imagemagick.org/changeset/17855
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17855 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+---
+ coders/pdb.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/coders/pdb.c b/coders/pdb.c
+index af6bfec..914d4c3 100644
+--- a/coders/pdb.c
++++ b/coders/pdb.c
+@@ -370,7 +370,15 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ ThrowReaderException(CorruptImageError,"CorruptImage");
+ }
+ num_pad_bytes = (size_t) (img_offset - TellBlob( image ));
+- while (num_pad_bytes--) ReadBlobByte( image );
++ while (num_pad_bytes-- != 0)
++ {
++ int
++ c;
++
++ c=ReadBlobByte(image);
++ if (c == EOF)
++ break;
++ }
+ /*
+ Read image header.
+ */
+--
+2.1.4
+
diff -Nru imagemagick-6.8.9.9/debian/patches/series imagemagick-6.8.9.9/debian/patches/series
--- imagemagick-6.8.9.9/debian/patches/series 2014-12-29 11:55:39.000000000 +0100
+++ imagemagick-6.8.9.9/debian/patches/series 2015-08-01 11:44:22.000000000 +0200
@@ -55,3 +55,7 @@
 0054-Replaced-calls-to-ConstrainColormapIndex-with-IsVali.patch
 0055-During-identification-of-image-do-not-fill-memory.patch
 0056-Fix-correctly-the-xpm-crash-problem.patch
+0057-Fix-a-miff-security-bug.patch
+0058-Fix-a-DOS-in-viccar-file-handling.patch
+0059-Fix-a-DOS-in-HDR-file.patch
+0060-Fix-a-DOS-in-PDB-file-handling.patch
diff -Nru imagemagick-6.8.9.9/debian/rules imagemagick-6.8.9.9/debian/rules
--- imagemagick-6.8.9.9/debian/rules 2014-12-29 11:53:11.000000000 +0100
+++ imagemagick-6.8.9.9/debian/rules 2015-08-01 11:37:32.000000000 +0200
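Review bot: `num_pad_bytes` is computed in the context line as `(size_t) (img_offset - TellBlob( image ))`, and if `img_offset` lies before the current position the difference wraps to a very large count. With the new EOF test the loop terminates, but it still consumes the rest of the blob byte by byte and then goes on to the header read at end of file. A range check before the loop, such as `if (img_offset < TellBlob(image)) ThrowReaderException(CorruptImageError,"CorruptImage");`, would reject that case. The declaration of `img_offset` and the check that ends just above the hunk are not visible, so the comparison may need a cast or may already be partly covered.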
@@ -211,17 +211,21 @@ while read SIZE; do \ mkdir -p $(CURDIR)/debian/tmp-$*/usr/share/icons/hicolor/$$SIZE/apps/ ;\ cd $(CURDIR)/debian/build-quantum-$*; \ + echo "Make icons for size $$SIZE..."; \ $(CONVERT) $(CURDIR)/debian/display-im$(DEB_UPSTREAM_VERSION_MAJOR).svg \ $(CONVERT_FLAGS) -resize $$SIZE \ -gravity center -extent $$SIZE \ $(CURDIR)/debian/tmp-$*/usr/share/icons/hicolor/$$SIZE/apps/display-im$(DEB_UPSTREAM_VERSION_MAJOR).${shell echo $* | sed -e 's/\(.*\)/\L\1/'}.png; \ + echo "Done"; \ done < $(CURDIR)/debian/display-im$(DEB_UPSTREAM_VERSION_MAJOR).iconssize # make xpm mkdir -p $(CURDIR)/debian/tmp-$*/usr/share/pixmaps/ cd $(CURDIR)/debian/build-quantum-$*; \ + echo "Make xpm size 32x32..." ; \ $(CONVERT) $(CURDIR)/debian/display-im$(DEB_UPSTREAM_VERSION_MAJOR).svg $(CONVERT_FLAGS) -resize 32x32 \ -gravity center -extent 32x32 \ - $(CURDIR)/debian/tmp-$*/usr/share/pixmaps/display-im$(DEB_UPSTREAM_VERSION_MAJOR).${shell echo $* | sed -e 's/\(.*\)/\L\1/'}.xpm + $(CURDIR)/debian/tmp-$*/usr/share/pixmaps/display-im$(DEB_UPSTREAM_VERSION_MAJOR).${shell echo $* | sed -e 's/\(.*\)/\L\1/'}.xpm ;\ + echo "Done" # do not forget svgz mkdir -p $(CURDIR)/debian/tmp-$*/usr/share/icons/hicolor/scalable/apps/ gzip -c -n -9 $(CURDIR)/debian/display-im$(DEB_UPSTREAM_VERSION_MAJOR).svg \ diff -Nru imagemagick-6.8.9.9/debian/source/git-patches imagemagick-6.8.9.9/debian/source/git-patches --- imagemagick-6.8.9.9/debian/source/git-patches 2014-12-29 11:53:11.000000000 +0100 +++ imagemagick-6.8.9.9/debian/source/git-patches 2015-08-01 11:37:32.000000000 +0200 @@ -1 +1,2 @@ -upstream/$UPSTREAM_REF..debian-patches/$DEB_REF +upstream/$UPSTREAM_REF..debian-patches/6.8.9.9-5 +debian-patches/6.8.9.9-5..debian-patches/6.8.9.9-5+deb8u1
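Review bot: Appending `echo "Done"` with `;` makes the echo the last command of each shell line, so the recipe's exit status no longer reflects `$(CONVERT)`; a failed icon or xpm conversion would now pass unless the shell runs with `-e`, which is not visible here. Before this change the xpm `$(CONVERT)` call was the final command of its line and a failure stopped the build. Chaining with `&&` keeps both the progress output and the failure, e.g. ending the xpm line with `.xpm && \` followed by `echo "Done"`, and likewise `.png && \` before the echo inside the loop.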