Hello community,

here is the log from the commit of package GraphicsMagick for openSUSE:Factory 
checked in at 2016-05-12 09:33:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/GraphicsMagick (Old)
 and      /work/SRC/openSUSE:Factory/.GraphicsMagick.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "GraphicsMagick"

Changes:
--------
--- /work/SRC/openSUSE:Factory/GraphicsMagick/GraphicsMagick.changes    
2015-11-10 10:03:45.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.GraphicsMagick.new/GraphicsMagick.changes       
2016-05-12 09:33:35.000000000 +0200
@@ -1,0 +2,10 @@
+Mon May  9 12:35:32 UTC 2016 - sfl...@suse.de
+
+- Multiple security issues in GraphicsMagick/ImageMagick [boo#978061]
+  (CVE-2016-3714, CVE-2016-3718, CVE-2016-3715, CVE-2016-3717)
+  * GraphicsMagick-upstream-delegates-safer.patch
+  * GraphicsMagick-upstream-disable-mvg-ext.patch
+  * GraphicsMagick-upstream-disable-tmp-magick-prefix.patch
+  * GraphicsMagick-upstream-image-sanity-check.patch
+
+-------------------------------------------------------------------

New:
----
  GraphicsMagick-upstream-delegates-safer.patch
  GraphicsMagick-upstream-disable-mvg-ext.patch
  GraphicsMagick-upstream-disable-tmp-magick-prefix.patch
  GraphicsMagick-upstream-image-sanity-check.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ GraphicsMagick.spec ++++++
--- /var/tmp/diff_new_pack.V9yJgA/_old  2016-05-12 09:33:36.000000000 +0200
+++ /var/tmp/diff_new_pack.V9yJgA/_new  2016-05-12 09:33:36.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package GraphicsMagick
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -36,6 +36,10 @@
 Patch0:         %{name}-perl-link.patch
 Patch2:         %{name}-debian-fixed.patch
 Patch10:        %{name}-include.patch
+Patch11:        GraphicsMagick-upstream-delegates-safer.patch
+Patch12:        GraphicsMagick-upstream-disable-mvg-ext.patch
+Patch13:        GraphicsMagick-upstream-disable-tmp-magick-prefix.patch
+Patch14:        GraphicsMagick-upstream-image-sanity-check.patch
 BuildRequires:  cups-client
 BuildRequires:  dcraw
 BuildRequires:  freetype2-devel
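Review bot: Patch11 through Patch14 carry no comment tying them to the issue they address, so the spec alone does not say why four upstream hunks are being pulled in. A one-line comment above `Patch11:` in the usual openSUSE form, e.g. `# PATCH-FIX-UPSTREAM boo#978061 CVE-2016-3714 CVE-2016-3715 CVE-2016-3717 CVE-2016-3718 -- delegate/MVG/TMP hardening`, keeps the provenance greppable next to the patch itself rather than only in the changelog.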
@@ -231,6 +235,10 @@
 %patch0 -p1
 %patch2 -p1
 %patch10
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
 
 %build
 export PERLOPTS="PREFIX=%{buildroot}%{_prefix}"

++++++ GraphicsMagick-upstream-delegates-safer.patch ++++++
diff -r 33200fc645f6 config/delegates.mgk.in
--- a/config/delegates.mgk.in   Sat Nov 07 14:49:16 2015 -0600
+++ b/config/delegates.mgk.in   Sun May 08 18:23:04 2016 -0500
@@ -78,28 +78,27 @@
   <delegate decode="dvi" command='"@DVIDecodeDelegate@" -q -o "%o" "%i"' />
   <delegate decode="edit" stealth="True" command='"@EditorDelegate@" -title 
"Edit Image Comment" -e vi "%o"' />
   <delegate decode="emf" command='"@WMFDecodeDelegate@" -o "%o" "%i"' />
-  <delegate decode="eps" encode="pdf" mode="bi" command='"@PSDelegate@" -q 
-dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPDFDevice@ "-sOutputFile=%o" 
-- "%i" -c quit' />
-  <delegate decode="eps" encode="ps" mode="bi" command='"@PSDelegate@" -q 
-dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPSDevice@ "-sOutputFile=%o" 
-- "%i" -c quit' />
+  <delegate decode="eps" encode="pdf" mode="bi" command='"@PSDelegate@" -q 
-dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPDFDevice@ 
"-sOutputFile=%o" -- "%i" -c quit' />
+  <delegate decode="eps" encode="ps" mode="bi" command='"@PSDelegate@" -q 
-dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPSDevice@ 
"-sOutputFile=%o" -- "%i" -c quit' />
   <delegate decode="fig" command='"@FIGDecodeDelegate@" -L ps "%i" "%o"' />
-  <delegate decode="gplt" command='"@EchoDelegate@" "set size 1.25,0.62; set 
terminal postscript portrait color solid; set output \"%o\"; load \"%i\"" > 
"%u"; "@GnuplotDecodeDelegate@" "%u"' />
 
   <!-- Read monochrome Postscript, EPS, and PDF  -->
-  <delegate decode="gs-mono" stealth="True" command='"@PSDelegate@" -q -dBATCH 
-dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSMonoDevice@ -dTextAlphaBits=%u 
-dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />
+  <delegate decode="gs-mono" stealth="True" command='"@PSDelegate@" -q -dBATCH 
-dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSMonoDevice@ 
-dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c 
quit' />
 
   <!-- Read grayscale Postscript, EPS, and PDF  -->
-  <delegate decode="gs-gray" stealth="True" command='"@PSDelegate@" -q -dBATCH 
-dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSGrayDevice@ -dTextAlphaBits=%u 
-dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />
+  <delegate decode="gs-gray" stealth="True" command='"@PSDelegate@" -q -dBATCH 
-dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSGrayDevice@ 
-dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c 
quit' />
 
   <!-- Read colormapped Postscript, EPS, and PDF  -->
-  <delegate decode="gs-palette" stealth="True" command='"@PSDelegate@" -q 
-dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPaletteDevice@ 
-dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c 
quit' />
+  <delegate decode="gs-palette" stealth="True" command='"@PSDelegate@" -q 
-dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPaletteDevice@ 
-dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c 
quit' />
 
   <!-- Read color Postscript, EPS, and PDF  -->
-  <delegate decode="gs-color" stealth="True" command='"@PSDelegate@" -q 
-dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSColorDevice@ 
-dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c 
quit' />
+  <delegate decode="gs-color" stealth="True" command='"@PSDelegate@" -q 
-dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSColorDevice@ 
-dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c 
quit' />
 
   <!-- Read color+alpha Postscript, EPS, and PDF  -->
-  <delegate decode="gs-color+alpha" stealth="True" command='"@PSDelegate@" -q 
-dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSColorAlphaDevice@ 
-dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c 
quit' />
+  <delegate decode="gs-color+alpha" stealth="True" command='"@PSDelegate@" -q 
-dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSColorAlphaDevice@ 
-dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c 
quit' />
 
   <!-- Read CMYK Postscript, EPS, and PDF  -->
-  <delegate decode="gs-cmyk" stealth="True" command='"@PSDelegate@" -q -dBATCH 
-dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSCMYKDevice@ -dTextAlphaBits=%u 
-dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />
+  <delegate decode="gs-cmyk" stealth="True" command='"@PSDelegate@" -q -dBATCH 
-dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSCMYKDevice@ 
-dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c 
quit' />
 
   <delegate decode="hpg" command='"@HPGLDecodeDelegate@" -q -m eps -f 
`basename "%o"` "%i" && mv -f `basename "%o"` "%o"' />
   <delegate decode="hpgl" command='"@HPGLDecodeDelegate@" -q -m eps -f 
`basename "%o"` "%i" && mv -f `basename "%o"` "%o"' />
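Review bot: The `hpg` and `hpgl` context lines at the end of this hunk still splice `%o` into a backtick substitution before the shell runs the command, so whether the new `-dSAFER` flags close the delegate issue named in the changelog depends on how the `%o`/`%i` tokens are sanitized before the command string reaches the shell, which is not visible in this file. The file itself records neither why `-dSAFER` was added nor why the `gplt` and `man` delegates were dropped; a comment at the top of the Ghostscript group such as `<!-- Ghostscript runs with -dSAFER to restrict file access from the PostScript program; gplt and man delegates were removed (boo#978061) -->` would keep that from being silently reverted. The removal reason for `gplt`/`man` is only inferable from the changelog, so hedge it in the comment if upstream did not state it.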
@@ -108,16 +107,14 @@
   <!-- Read HTML file  -->
   <delegate decode="html" command='"@HTMLDecodeDelegate@" -U -o "%o" "%i"' />
   <delegate decode="ilbm" command='"@ILBMDecodeDelegate@" "%i" > "%o"' />
-  <!-- Read UNIX manual page  -->
-  <delegate decode="man" command='"@MANDelegate@" -man -Tps "%i" > "%o"' />
   <!-- Read MPEG file using mpeg2decode  -->
   <delegate decode="mpeg" command='"@MPEGDecodeDelegate@" -q -b "%i" -f -o3 
"%u%%05d"; @GMDelegate@ convert -temporary "%u*.ppm" "miff:%o" ; rm -f 
"%u"*.ppm ' />
   <!-- Write MPEG file using mpeg2encode -->
   <delegate encode="mpeg-encode" stealth="True" 
command='"@MPEGEncodeDelegate@" "%i" "%o"' />
   <!-- Convert PDF to Encapsulated Poscript using Ghostscript -->
-  <delegate decode="pdf" encode="eps" mode="bi" command='"@PSDelegate@" -q 
-dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSEPSDevice@ "-sOutputFile=%o" 
-- "%i" -c quit' />
+  <delegate decode="pdf" encode="eps" mode="bi" command='"@PSDelegate@" -q 
-dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSEPSDevice@ 
"-sOutputFile=%o" -- "%i" -c quit' />
   <!-- Convert PDF to Postcript using Ghostscript -->
-  <delegate decode="pdf" encode="ps" mode="bi" command='"@PSDelegate@" -q 
-dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPSDevice@ "-sOutputFile=%o" 
-- "%i" -c quit' />
+  <delegate decode="pdf" encode="ps" mode="bi" command='"@PSDelegate@" -q 
-dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPSDevice@ 
"-sOutputFile=%o" -- "%i" -c quit' />
   <!-- Convert PNM file to ILBM format using ppmtoilbm -->
   <delegate decode="pnm" encode="ilbm" mode="encode" 
command='"@ILBMEncodeDelegate@" -24if "%i" > "%o"' />
   <delegate decode="pnm" encode="launch" mode="encode" 
command='"@LaunchDelegate@" "%i"' />
@@ -125,8 +122,8 @@
   <!-- Read Persistance Of Vision file using povray  -->
   <delegate decode="pov" command='@POVDelegate@ "+i"%i"" +o"%o" +fn%q +w%w 
+h%h +a -q9 -kfi"%s" -kff"%n"
     "@GMDelegate@" convert -adjoin "%o*.png" "%o"' />
-  <delegate decode="ps" encode="eps" mode="bi" command='"@PSDelegate@" -q 
-dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSEPSDevice@ "-sOutputFile=%o" 
-- "%i" -c quit' />
-  <delegate decode="ps" encode="pdf" mode="bi" command='"@PSDelegate@" -q 
-dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPDFDevice@ "-sOutputFile=%o" 
-- "%i" -c quit' />
+  <delegate decode="ps" encode="eps" mode="bi" command='"@PSDelegate@" -q 
-dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSEPSDevice@ 
"-sOutputFile=%o" -- "%i" -c quit' />
+  <delegate decode="ps" encode="pdf" mode="bi" command='"@PSDelegate@" -q 
-dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPDFDevice@ 
"-sOutputFile=%o" -- "%i" -c quit' />
   <delegate decode="ps" encode="print" mode="encode" 
command='"@PrintDelegate@" "%i"' />
   <!-- Read Radiance file using ra_ppm -->
   <delegate decode="rad" command='"@RADDecodeDelegate@" -g 1.0 "%i" "%o"' />
@@ -141,5 +138,5 @@
   <delegate decode="txt" encode="ps" mode="bi" command='"@TXTDelegate@" -o 
"%o" "%i"' />
   <!-- Render WMF file using wmf2eps (fallback in case libwmf not available) 
-->
   <delegate decode="wmf" command='"@WMFDecodeDelegate@" -o "%o" "%i"' />
-  <delegate encode="show" stealth="True" command='"@GMDelegate@" display 
-immutable -delay 0 -window_group %g -title "%l of %f" "tmp:%o" &' />
+  <delegate encode="show" stealth="True" command='"@GMDelegate@" display 
-immutable -delay 0 -window_group %g -title "%l of %f" "%o" &' />
 </delegatemap>
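Review bot: Dropping the `tmp:` prefix from the `show` delegate means the file handed to `gm display` is presumably no longer marked for automatic removal, so unless the caller deletes `%o` itself the temporary image may remain on disk after the viewer exits; worth confirming before this is considered complete. A comment on the line, e.g. `<!-- no "tmp:" prefix: the TMP magick no longer auto-deletes its input (see magick/image.c) -->`, would tie this change to the matching image.c patch in the same update.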
++++++ GraphicsMagick-upstream-disable-mvg-ext.patch ++++++
diff -r 33200fc645f6 coders/mvg.c
--- a/coders/mvg.c      Sat Nov 07 14:49:16 2015 -0600
+++ b/coders/mvg.c      Sat May 07 20:11:54 2016 -0500
@@ -234,6 +234,7 @@
   entry->seekable_stream=True;
   entry->description="Magick Vector Graphics";
   entry->module="MVG";
+  entry->extension_treatment=IgnoreExtensionTreatment;
   (void) RegisterMagickInfo(entry);
 }
 
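Review bot: The added `entry->extension_treatment=IgnoreExtensionTreatment;` has no comment explaining why the MVG coder must no longer be selected by file extension, so a later maintainer could easily treat it as a regression and revert it. Suggest `/* Never select this coder from a ".mvg" extension: MVG must be requested explicitly, presumably because its primitives can read other files (boo#978061) */`. The registering function starts before this hunk, and whether any other path still picks MVG by extension is not visible here.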
++++++ GraphicsMagick-upstream-disable-tmp-magick-prefix.patch ++++++
diff -r 33200fc645f6 magick/image.c
--- a/magick/image.c    Sat Nov 07 14:49:16 2015 -0600
+++ b/magick/image.c    Sat May 07 20:12:57 2016 -0500
@@ -2780,9 +2780,6 @@
               (void) strlcpy(image_info->magick,magic,MaxTextExtent);
               if (LocaleCompare(magic,"TMP") != 0)
                 image_info->affirm=MagickTrue;
-              else
-                /* input file will be automatically removed */
-                image_info->temporary=MagickTrue;
             }
         }
     }
++++++ GraphicsMagick-upstream-image-sanity-check.patch ++++++
diff -r 33200fc645f6 magick/render.c
--- a/magick/render.c   Sat Nov 07 14:49:16 2015 -0600
+++ b/magick/render.c   Sun May 08 18:21:47 2016 -0500
@@ -4096,6 +4096,24 @@
           &image->exception);
       else
         {
+          /*
+            Sanity check URL/path before passing it to ReadImage()
+
+            This is a temporary fix until suitable flags can be passed
+            to keep SetImageInfo() from doing potentially dangerous
+            magick things.
+          */
+#define VALID_PREFIX(str,url) (LocaleNCompare(str,url,sizeof(str)-1) == 0)
+          if (!VALID_PREFIX("http://";, primitive_info->text) &&
+              !VALID_PREFIX("https://";, primitive_info->text) &&
+              !VALID_PREFIX("ftp://";, primitive_info->text)  &&
+              !(IsAccessibleNoLogging(primitive_info->text))
+              )
+            {
+              
ThrowException(&image->exception,FileOpenError,UnableToOpenFile,primitive_info->text);
+              status=MagickFail;
+              break;
+            }
           (void) strlcpy(clone_info->filename,primitive_info->text,
             MaxTextExtent);
           composite_image=ReadImage(clone_info,&image->exception);
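Review bot: `VALID_PREFIX` is defined inside a function body and never undefined, so the macro stays visible for the rest of render.c after this block; add `#undef VALID_PREFIX` immediately after the closing brace of the `if` to keep it local. The helper also only works with string literals, because `sizeof(str)-1` is the literal's length, which deserves a line in the comment above the `#define`: `/* str must be a string literal: sizeof(str)-1 is its length */`. The `";` after each literal looks like a rendering artifact of the archive rather than part of the patch, since the conditions otherwise parse as plain string arguments; the enclosing function and the construct that `break` exits both begin outside the hunk.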
