packages/ImageMagick
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update to 7.1.1.8 for Fix CVE-2023-1289,CVE-2023-1906

Browse Source 
(cherry picked from commit c2aaa58a4b7249b31c5f9a43d3241af8f2318198)
This commit is contained in:
wk333 2023-04-24 19:36:36 +08:00 committed by openeuler-sync-bot
parent 380c7216c6
commit c3a44c9fae
10 changed files with 11 additions and 385 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
7.1.0-28.tar.gz → 7.1.1-8.tar.gz
View File

Binary file not shown.

53
CVE-2022-3213-pre1.patch
View File

@ -1,53 +0,0 @@
From a854a0a8af977a1b67830f02a53d9eb4d877e10d Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Tue, 21 Jun 2022 15:06:58 -0400
Subject: [PATCH] prevent possible buffer overflow
---
coders/tiff.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/coders/tiff.c b/coders/tiff.c
index 49c1677cb7..2b64958930 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1903,9 +1903,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
*/
extent=(samples_per_pixel+1)*TIFFStripSize(tiff);
#if defined(TIFF_VERSION_BIG)
- extent+=image->columns*sizeof(uint64);
+ extent+=samples_per_pixel*sizeof(uint64);
#else
- extent+=image->columns*sizeof(uint32);
+ extent+=samples_per_pixel*sizeof(uint64);
#endif
strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*strip_pixels));
@@ -2002,11 +2002,12 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
number_pixels=(MagickSizeType) columns*rows;
if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
- extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
+ extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
+ TIFFTileSize(tiff));
#if defined(TIFF_VERSION_BIG)
- extent+=image->columns*sizeof(uint64);
+ extent+=samples_per_pixel*sizeof(uint64);
#else
- extent+=image->columns*sizeof(uint32);
+ extent+=samples_per_pixel*sizeof(uint32);
#endif
tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*tile_pixels));
@@ -2101,9 +2102,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
number_pixels=(MagickSizeType) image->columns*image->rows;
#if defined(TIFF_VERSION_BIG)
- number_pixels+=image->columns*sizeof(uint64);
+ number_pixels+=samples_per_pixel*sizeof(uint64);
#else
- number_pixels+=image->columns*sizeof(uint32);
+ number_pixels+=samples_per_pixel*sizeof(uint32);
#endif
generic_info=AcquireVirtualMemory(number_pixels,sizeof(uint32));
if (generic_info == (MemoryInfo *) NULL)

22
CVE-2022-3213-pre2.patch
View File

@ -1,22 +0,0 @@
From b11d64704f46cedade2ca3cdcebbc8d1f315035e Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Tue, 21 Jun 2022 17:14:48 -0400
Subject: [PATCH] correct copy/paste error
---
coders/tiff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/coders/tiff.c b/coders/tiff.c
index 2b64958930..e2c6ca1093 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1905,7 +1905,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
#if defined(TIFF_VERSION_BIG)
extent+=samples_per_pixel*sizeof(uint64);
#else
- extent+=samples_per_pixel*sizeof(uint64);
+ extent+=samples_per_pixel*sizeof(uint32);
#endif
strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*strip_pixels));

54
CVE-2022-3213-pre3.patch
View File

@ -1,54 +0,0 @@
From 309dfda1122f08fcf349b6f611b3b6df994d9297 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Wed, 29 Jun 2022 19:40:56 -0400
Subject: [PATCH] eliminate possible buffer overflow
---
coders/tiff.c | 19 ++-----------------
1 file changed, 2 insertions(+), 17 deletions(-)
diff --git a/coders/tiff.c b/coders/tiff.c
index e2c6ca1093..6bf4b112e1 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1901,12 +1901,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
/*
Convert stripped TIFF image.
*/
- extent=(samples_per_pixel+1)*TIFFStripSize(tiff);
-#if defined(TIFF_VERSION_BIG)
- extent+=samples_per_pixel*sizeof(uint64);
-#else
- extent+=samples_per_pixel*sizeof(uint32);
-#endif
+ extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff);
strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*strip_pixels));
if (strip_pixels == (unsigned char *) NULL)
@@ -2002,13 +1997,8 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
number_pixels=(MagickSizeType) columns*rows;
if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
- extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
+ extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
TIFFTileSize(tiff));
-#if defined(TIFF_VERSION_BIG)
- extent+=samples_per_pixel*sizeof(uint64);
-#else
- extent+=samples_per_pixel*sizeof(uint32);
-#endif
tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*tile_pixels));
if (tile_pixels == (unsigned char *) NULL)
@@ -2101,11 +2091,6 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
if (HeapOverflowSanityCheck(image->rows,sizeof(*pixels)) != MagickFalse)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
number_pixels=(MagickSizeType) image->columns*image->rows;
-#if defined(TIFF_VERSION_BIG)
- number_pixels+=samples_per_pixel*sizeof(uint64);
-#else
- number_pixels+=samples_per_pixel*sizeof(uint32);
-#endif
generic_info=AcquireVirtualMemory(number_pixels,sizeof(uint32));
if (generic_info == (MemoryInfo *) NULL)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");

22
CVE-2022-3213.patch
View File

@ -1,22 +0,0 @@
From 30ccf9a0da1f47161b5935a95be854fe84e6c2a2 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 27 Aug 2022 08:38:57 -0400
Subject: [PATCH] squash heap-buffer-overflow, PoC TIFF from Hardik
---
coders/tiff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/coders/tiff.c b/coders/tiff.c
index 132008efbf..a166bea177 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1892,7 +1892,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
/*
Convert stripped TIFF image.
*/
- extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff);
+ extent=4*((image->depth+7)/8)*(samples_per_pixel+1)*TIFFStripSize(tiff);
strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*strip_pixels));
if (strip_pixels == (unsigned char *) NULL)

43
CVE-2022-32547.patch
View File

@ -1,43 +0,0 @@
From eac8ce4d873f28bb6a46aa3a662fb196b49b95d0 Mon Sep 17 00:00:00 2001
From: xiaoxiaoafeifei <lliangliang2007@163.com>
Date: Sat, 9 Apr 2022 20:34:03 +0800
Subject: [PATCH] fix #5033: runtime error: load of misaligned address (#5034)
* fix Division by zero in XMenuWidget() of MagickCore/widget.c
* Fix memory leak in AnimateImageCommand() of MagickWand/animate.c and DisplayImageCommand() of MagickWand/display.c
* fix Division by zero in ReadEnhMetaFile() of coders/emf.c
* Resolve conflicts
* fix issue: outside the range of representable values of type 'unsigned char' at coders/psd.c:1025
* fix error: 4e+26 is outside the range of representable values of type 'unsigned long' at coders/pcl.c:299
* fix #5033:runtime error: load of misaligned address
Co-authored-by: zhailiangliang <zhailiangliang@loongson.cn>
---
MagickCore/property.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/MagickCore/property.c b/MagickCore/property.c
index 8175dd1f73..6e72cac157 100644
--- a/MagickCore/property.c
+++ b/MagickCore/property.c
@@ -1545,12 +1545,12 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
}
case EXIF_FMT_SINGLE:
{
- EXIFMultipleValues(4,"%f",(double) *(float *) p1);
+ EXIFMultipleValues(4,"%f",(double)ReadPropertySignedLong(endian,p1));
break;
}
case EXIF_FMT_DOUBLE:
{
- EXIFMultipleValues(8,"%f",*(double *) p1);
+ EXIFMultipleValues(8,"%f",(double)ReadPropertySignedLong(endian,p1));
break;
}
case EXIF_FMT_STRING:

22
CVE-2022-44267_CVE-2022-44268.patch
View File

@ -1,22 +0,0 @@
From 05673e63c919e61ffa1107804d1138c46547a475 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 22 Oct 2022 13:28:46 -0400
Subject: [PATCH] possible DoS @ stdin (OCE-2022-70); possible arbitrary file
leak (OCE-2022-72)
---
coders/png.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/coders/png.c b/coders/png.c
index c83d937c93..4f8c8909bf 100644
--- a/coders/png.c
+++ b/coders/png.c
@@ -3980,6 +3980,7 @@ static Image *ReadOnePNGImage(MngInfo *mng_info,
(void) FormatLocaleString(key,MagickPathExtent,"%s",
text[i].key);
if ((LocaleCompare(key,"version") == 0) ||
+ (LocaleCompare(key,"profile") == 0) ||
(LocaleCompare(key,"width") == 0))
(void) FormatLocaleString(key,MagickPathExtent,"png:%s",
text[i].key);

28
ImageMagick.spec
View File

@ -1,20 +1,11 @@
Name: ImageMagick Name: ImageMagick
Epoch: 1 Epoch: 1
Version: 7.1.0.28 Version: 7.1.1.8
Release: 6 Release: 1
Summary: Create, edit, compose, or convert bitmap images Summary: Create, edit, compose, or convert bitmap images
License: ImageMagick and MIT License: ImageMagick and MIT
Url: http://www.imagemagick.org/ Url: http://www.imagemagick.org/
Source0: https://github.com/ImageMagick/ImageMagick/archive/refs/tags/7.1.0-28.tar.gz Source0: https://github.com/ImageMagick/ImageMagick/archive/refs/tags/7.1.1-8.tar.gz
Patch0001: backport-fix-CVE-2022-2719.patch
Patch0002: backport-fix-CVE-2022-1115.patch
Patch0003: CVE-2022-3213-pre1.patch
Patch0004: CVE-2022-3213-pre2.patch
Patch0005: CVE-2022-3213-pre3.patch
Patch0006: CVE-2022-3213.patch
Patch0007: CVE-2022-32547.patch
Patch0008: CVE-2022-44267_CVE-2022-44268.patch
BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@ -81,7 +72,7 @@ Requires: ImageMagick-devel = %{epoch}:%{version}-%{release}
Development files for ImageMagick-c++. Development files for ImageMagick-c++.
%prep %prep
%autosetup -n ImageMagick-7.1.0-28 -p1 %autosetup -n ImageMagick-7.1.1-8 -p1
install -d Magick++/examples install -d Magick++/examples
cp -p Magick++/demo/*.cpp Magick++/demo/*.miff Magick++/examples cp -p Magick++/demo/*.cpp Magick++/demo/*.miff Magick++/examples
@ -98,7 +89,7 @@ export CFLAGS="%{optflags} -DIMPNG_SETJMP_IS_THREAD_SAFE"
%install %install
%make_install %make_install
cp -a www/source %{buildroot}%{_datadir}/doc/ImageMagick-7.1.0 cp -a www/source %{buildroot}%{_datadir}/doc/ImageMagick-7.1.1
rm %{buildroot}%{_libdir}/*.la rm %{buildroot}%{_libdir}/*.la
%{__perl} -MExtUtils::MakeMaker -e 'MY->fixin(@ARGV)' PerlMagick/demo/*.pl %{__perl} -MExtUtils::MakeMaker -e 'MY->fixin(@ARGV)' PerlMagick/demo/*.pl
@ -127,7 +118,7 @@ rm PerlMagick/demo/Generic.ttf
%{_bindir}/[a-z]* %{_bindir}/[a-z]*
%{_libdir}/libMagickCore-7.Q16HDRI.so.10* %{_libdir}/libMagickCore-7.Q16HDRI.so.10*
%{_libdir}/libMagickWand-7.Q16HDRI.so.10* %{_libdir}/libMagickWand-7.Q16HDRI.so.10*
%{_libdir}/ImageMagick-7.1.0 %{_libdir}/ImageMagick-7.1.1
%{_datadir}/ImageMagick-7 %{_datadir}/ImageMagick-7
%dir %{_sysconfdir}/ImageMagick-7 %dir %{_sysconfdir}/ImageMagick-7
%config(noreplace) %{_sysconfdir}/ImageMagick-7/*.xml %config(noreplace) %{_sysconfdir}/ImageMagick-7/*.xml
@ -145,9 +136,9 @@ rm PerlMagick/demo/Generic.ttf
%{_includedir}/%{name}-7/MagickCore/* %{_includedir}/%{name}-7/MagickCore/*
%files help %files help
%doc README.txt NEWS.txt ChangeLog.md QuickStart.txt %doc README.txt NEWS.txt QuickStart.txt
%doc %{_datadir}/doc/ImageMagick-7 %doc %{_datadir}/doc/ImageMagick-7
%doc %{_datadir}/doc/ImageMagick-7.1.0 %doc %{_datadir}/doc/ImageMagick-7.1.1
%{_mandir}/man[145]/[a-z]* %{_mandir}/man[145]/[a-z]*
%{_mandir}/man1/* %{_mandir}/man1/*
%{_mandir}/man3/* %{_mandir}/man3/*
@ -169,6 +160,9 @@ rm PerlMagick/demo/Generic.ttf
%{_libdir}/pkgconfig/ImageMagick* %{_libdir}/pkgconfig/ImageMagick*
%changelog %changelog
* Mon Apr 24 2023 wangkai <13474090681@163.com> - 1:7.1.1.8-1
- Update to 7.1.1.8 for Fix CVE-2023-1289,CVE-2023-1906
* Thu Feb 09 2023 yaoxin <yaoxin30@h-partners.com> - 1:7.1.0.28-6 * Thu Feb 09 2023 yaoxin <yaoxin30@h-partners.com> - 1:7.1.0.28-6
- Fix CVE-2022-44267 and CVE-2022-44268 - Fix CVE-2022-44267 and CVE-2022-44268

25
backport-fix-CVE-2022-1115.patch
View File

@ -1,25 +0,0 @@
From 7c8ab995a65a32b8283297226e108ce828a5679a Mon Sep 17 00:00:00 2001
From: cenhuilin <cenhuilin@kylinos.cn>
Date: Fri, 19 Aug 2022 21:02:49 +0800
Subject: [PATCH] heap-buffer-overflow in magick at quantum-private.h PushShortPixel
---
coders/tiff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/coders/tiff.c b/coders/tiff.c
index 31839f6..32ae00a 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1987,7 +1987,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
number_pixels=(MagickSizeType) columns*rows;
if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
- extent=MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
+ extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
#if defined(TIFF_VERSION_BIG)
extent+=image->columns*sizeof(uint64);
#else
--
2.33.0

127
backport-fix-CVE-2022-2719.patch
View File

@ -1,127 +0,0 @@
From 7a358f02b613cdb22ca2461ad50275b9e77cb9bd Mon Sep 17 00:00:00 2001
From: cenhuilin <cenhuilin@kylinos.cn>
Date: Wed, 10 Aug 2022 03:55:57 +0000
Subject: [PATCH] do not attempt to write a null image list
---
MagickWand/operation.c | 3 ++-
coders/tim2.c | 22 ++++++++++------------
2 files changed, 12 insertions(+), 13 deletions(-)
diff --git a/MagickWand/operation.c b/MagickWand/operation.c
index 383dc7c..9559603 100644
--- a/MagickWand/operation.c
+++ b/MagickWand/operation.c
@@ -4923,7 +4923,8 @@ WandPrivate void CLINoImageOperator(MagickCLI *cli_wand,
(void) DeleteImageRegistry(key);
write_images=CloneImageList(_images,_exception);
write_info=CloneImageInfo(_image_info);
- (void) WriteImages(write_info,write_images,arg1,_exception);
+ if (write_images != (Image *) NULL)
+ (void) WriteImages(write_info,write_images,arg1,_exception);
write_info=DestroyImageInfo(write_info);
write_images=DestroyImageList(write_images);
break;
diff --git a/coders/tim2.c b/coders/tim2.c
index e55170d..c333b86 100644
--- a/coders/tim2.c
+++ b/coders/tim2.c
@@ -61,7 +61,6 @@
#include "MagickCore/string_.h"
#include "MagickCore/module.h"
-
/*
Typedef declarations
*/
@@ -124,7 +123,6 @@ typedef enum
RGBA16=2,
} TIM2ColorEncoding;
-
/*
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
@@ -142,7 +140,8 @@ typedef enum
%
% The format of the ReadTIM2Image method is:
%
-% Image *ReadTIM2Image(const ImageInfo *image_info,ExceptionInfo *exception)
+% Image *ReadTIM2Image(const ImageInfo *image_info,
+% ExceptionInfo *exception)
%
% A description of each parameter follows:
%
@@ -600,13 +599,13 @@ static MagickBooleanType ReadTIM2ImageData(const ImageInfo *image_info,
image_info->filename);
break;
}
- if (csm==CSM1)
+ if (csm == CSM1)
{
PixelInfo
*oldColormap;
- oldColormap=(PixelInfo *) AcquireQuantumMemory((size_t)(image->colors)+1,
- sizeof(*image->colormap));
+ oldColormap=(PixelInfo *) AcquireQuantumMemory((size_t)(image->colors)+
+ 1,sizeof(*image->colormap));
if (oldColormap == (PixelInfo *) NULL)
ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
image_info->filename);
@@ -617,7 +616,8 @@ static MagickBooleanType ReadTIM2ImageData(const ImageInfo *image_info,
return(status);
}
-static Image *ReadTIM2Image(const ImageInfo *image_info,ExceptionInfo *exception)
+static Image *ReadTIM2Image(const ImageInfo *image_info,
+ ExceptionInfo *exception)
{
Image
*image;
@@ -626,6 +626,7 @@ static Image *ReadTIM2Image(const ImageInfo *image_info,ExceptionInfo *exception
status;
ssize_t
+ i,
str_read;
TIM2FileHeader
@@ -685,7 +686,7 @@ static Image *ReadTIM2Image(const ImageInfo *image_info,ExceptionInfo *exception
*/
if (file_header.image_count != 1)
ThrowReaderException(CoderError,"NumberOfImagesIsNotSupported");
- for (int i=0; i < file_header.image_count; ++i)
+ for (i=0; i < (ssize_t) file_header.image_count; i++)
{
char
clut_depth,
@@ -780,8 +781,7 @@ static Image *ReadTIM2Image(const ImageInfo *image_info,ExceptionInfo *exception
break;
}
image=SyncNextImageInList(image);
- status=SetImageProgress(image,LoadImagesTag,image->scene-1,
- image->scene);
+ status=SetImageProgress(image,LoadImagesTag,image->scene-1,image->scene);
if (status == MagickFalse)
break;
}
@@ -791,7 +791,6 @@ static Image *ReadTIM2Image(const ImageInfo *image_info,ExceptionInfo *exception
return(GetFirstImageInList(image));
}
-
/*
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
@@ -826,7 +825,6 @@ ModuleExport size_t RegisterTIM2Image(void)
return(MagickImageCoderSignature);
}
-
/*
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
--
2.33.0