!94 Fix CVE-2019-18853 CVE-2020-27755

From: @wang_yue111 Reviewed-by: Signed-off-by:
2021-04-14 11:02:28 +08:00 · 2021-04-14 11:02:28 +08:00 · eb35d9ac50
commit eb35d9ac50
parent cc9aa2148b aba61317a6
3 changed files with 89 additions and 1 deletions
--- a/CVE-2019-18853.patch
+++ b/CVE-2019-18853.patch
@ -0,0 +1,45 @@
+From 0e28baf9bcb3e2e759f51cd0d74750e5e195b1aa Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Wed, 23 Oct 2019 06:01:08 -0400
+Subject: [PATCH] [FG-VD-19-136] ImageMagick Convert SVG MacOS Denial Of
+ Service
+
+---
+ coders/svg.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/coders/svg.c b/coders/svg.c
+index 1fee4b8..26ac308 100644
+--- a/coders/svg.c
+++ b/coders/svg.c
+@@ -66,9 +66,10 @@
+ #include "magick/monitor.h"
+ #include "magick/monitor-private.h"
+ #include "magick/pixel-accessor.h"
+-#include "magick/quantum-private.h"
+#include "magick/option.h"
+ #include "magick/pixel-private.h"
+ #include "magick/property.h"
+#include "magick/quantum-private.h"
+ #include "magick/resource_.h"
+ #include "magick/static.h"
+ #include "magick/string_.h"
+@@ -3579,9 +3580,14 @@ static Image *ReadSVGImage(const ImageInfo *image_info,ExceptionInfo *exception)
+   message[n]='\0';
+   if (n > 0)
+     {
+      const char
+        *value;
+
+       svg_info->parser=xmlCreatePushParserCtxt(sax_handler,svg_info,(char *)
+         message,n,image->filename);
+-      (void) xmlCtxtUseOptions(svg_info->parser,XML_PARSE_HUGE);
+      value=GetImageOption(image_info,"svg:xml-parse-huge");
+      if ((value != (char *) NULL) && (IsStringTrue(value) != MagickFalse))
+        (void) xmlCtxtUseOptions(svg_info->parser,XML_PARSE_HUGE);
+       while ((n=ReadBlob(image,MaxTextExtent-1,message)) != 0)
+       {
+         message[n]='\0';
+-- 
+2.30.0
+
--- a/CVE-2020-27755.patch
+++ b/CVE-2020-27755.patch
@ -0,0 +1,38 @@
+From 5fa0c9d4376d879855fb154e166c90775530edf4 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Wed, 16 Oct 2019 15:02:11 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1756
+
+---
+ magick/image.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/magick/image.c b/magick/image.c
+index 90cec87..d462c9e 100644
+--- a/magick/image.c
+++ b/magick/image.c
+@@ -2703,9 +2703,18 @@ MagickExport MagickBooleanType SetImageExtent(Image *image,const size_t columns,
+       image->filename);
+   image->columns=columns;
+   image->rows=rows;
+-  if ((image->depth == 0) || (image->depth > (8*sizeof(MagickSizeType))))
+-    ThrowBinaryImageException(ImageError,"ImageDepthNotSupported",
+-      image->filename);
+  if (image->depth == 0)
+    {
+      image->depth=8;
+      (void) ThrowMagickException(&image->exception,GetMagickModule(),
+        ImageError,"ImageDepthNotSupported","`%s'",image->filename);
+    }
+  if (image->depth > (8*sizeof(MagickSizeType)))
+    {
+      image->depth=8*sizeof(MagickSizeType);
+      (void) ThrowMagickException(&image->exception,GetMagickModule(),
+        ImageError,"ImageDepthNotSupported","`%s'",image->filename);
+    }
+   return(SyncImagePixelCache(image,&image->exception));
+ }
+ 
+-- 
+2.30.0
+
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@ -1,7 +1,7 @@
 Name:           ImageMagick
 Epoch:          1
 Version:        6.9.10.67
-Release:        20
+Release:        21
 Summary:        Create, edit, compose, or convert bitmap images
 License:        ImageMagick and MIT
 Url:            http://www.imagemagick.org/
@ -52,6 +52,8 @@ Patch0042:      CVE-2020-27775.patch
 Patch0043:      CVE-2020-25666-1.patch
 Patch0044:      CVE-2020-25666-2.patch
 Patch0045:      CVE-2020-25675.patch
+Patch0046:      CVE-2020-27755.patch
+Patch0047:      CVE-2019-18853.patch

 BuildRequires:  bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
 BuildRequires:  libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@ -208,6 +210,9 @@ rm PerlMagick/demo/Generic.ttf
 %{_libdir}/pkgconfig/ImageMagick++*

 %changelog
+* Mon Apr 12 2021 wangyue <wangyue92@huawei.com> - 6.9.10.67-21
+- Fix CVE-2019-18853 CVE-2020-27755
+
 * Tue Apr 6 2021 wangxiao <wangxiao65@huawei.com> - 6.9.10.67-20
 - Fix CVE-2020-25666 CVE-2020-25675