packages/ImageMagick
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2023-34474 and CVE-2023-34475

Browse Source 
(cherry picked from commit d84cb786f94463ab80ecb942f3506854c178f7de)
This commit is contained in:
wk333 2023-06-29 15:41:47 +08:00 committed by openeuler-sync-bot
parent 0a45da6b6b
commit 62c158e42f
2 changed files with 56 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
CVE-2023-34474-and-CVE-2023-34475.patch Normal file
View File

@ -0,0 +1,51 @@
From 1061db7f80fdc9ef572ac60b55f408f7bab6e1b0 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Mon, 15 May 2023 14:22:11 -0400
Subject: [PATCH] carefully crafted image files (TIM2, JPEG) no longer overflow
buffer nor use heap after free (thanks to Juzhi Lu, Zhen Zhou, Likang Luo of
NSFOCUS Security Team)
Origin: https://github.com/ImageMagick/ImageMagick/commit/1061db7f80fdc9ef572ac60b55f408f7bab6e1b0
---
MagickCore/profile.c | 5 +++--
coders/tim2.c | 4 +++-
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/MagickCore/profile.c b/MagickCore/profile.c
index 57909092d2..382583a524 100644
--- a/MagickCore/profile.c
+++ b/MagickCore/profile.c
@@ -2458,11 +2458,12 @@ static void ReplaceXmpValue(StringInfo *profile,size_t start,size_t end,
if (new_length > length)
SetStringInfoLength(profile,new_length);
datum=(char *) GetStringInfoDatum(profile);
- memmove(datum+start+value_length,datum+end,length-end);
- memcpy(datum+start,value,value_length);
+ (void) memmove(datum+start+value_length,datum+end,length-end);
+ (void) memcpy(datum+start,value,value_length);
if (new_length < length)
{
SetStringInfoLength(profile,new_length);
+ datum=(char *) GetStringInfoDatum(profile);
*(datum+new_length)='\0';
}
}
diff --git a/coders/tim2.c b/coders/tim2.c
index 0445985dcc..d30afaf05d 100644
--- a/coders/tim2.c
+++ b/coders/tim2.c
@@ -517,10 +517,12 @@ static MagickBooleanType ReadTIM2ImageData(const ImageInfo *image_info,
/*
* ### Read CLUT Data ###
*/
- clut_data=(unsigned char *) AcquireQuantumMemory(1,header->clut_size);
+ clut_data=(unsigned char *) AcquireQuantumMemory(2,
+ MagickMax(header->clut_size,image->colors));
if (clut_data == (unsigned char *) NULL)
ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
image_info->filename);
+ (void) memset(clut_data,0,2*MagickMax(header->clut_size,image->colors));
count=ReadBlob(image,header->clut_size,clut_data);
if (count != (ssize_t) (header->clut_size))
{

6
ImageMagick.spec
View File

@ -1,13 +1,14 @@
Name: ImageMagick Name: ImageMagick
Epoch: 1 Epoch: 1
Version: 7.1.1.8 Version: 7.1.1.8
Release: 2 Release: 3
Summary: Create, edit, compose, or convert bitmap images Summary: Create, edit, compose, or convert bitmap images
License: ImageMagick and MIT License: ImageMagick and MIT
Url: http://www.imagemagick.org/ Url: http://www.imagemagick.org/
Source0: https://github.com/ImageMagick/ImageMagick/archive/refs/tags/7.1.1-8.tar.gz Source0: https://github.com/ImageMagick/ImageMagick/archive/refs/tags/7.1.1-8.tar.gz
Patch0: CVE-2023-34151.patch Patch0: CVE-2023-34151.patch
Patch1: CVE-2023-34153.patch Patch1: CVE-2023-34153.patch
Patch2: CVE-2023-34474-and-CVE-2023-34475.patch
BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@ -162,6 +163,9 @@ rm PerlMagick/demo/Generic.ttf
%{_libdir}/pkgconfig/ImageMagick* %{_libdir}/pkgconfig/ImageMagick*
%changelog %changelog
* Thu Jun 29 2023 wangkai <13474090681@163.com> - 1:7.1.1.8-3
- Fix CVE-2023-34474 and CVE-2023-34475
* Thu Jun 08 2023 wangkai <13474090681@163.com> - 1:7.1.1.8-2 * Thu Jun 08 2023 wangkai <13474090681@163.com> - 1:7.1.1.8-2
- Fix CVE-2023-34151 and CVE-2023-34153 - Fix CVE-2023-34151 and CVE-2023-34153