community/graphicsmagick: secfixes for CVE-2017-13775, CVE-2017-13776, CVE-2017-13777. Fixes #7789

2025-08-05 13:27:09 +02:00 · 2017-09-05 12:27:22 +00:00 · 2017-09-05 12:27:22 +00:00 · 4e1efd4523
commit 4e1efd4523
parent 4979439017
3 changed files with 363 additions and 13 deletions
--- a/community/graphicsmagick/APKBUILD
+++ b/community/graphicsmagick/APKBUILD
@ -2,15 +2,12 @@
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=graphicsmagick
 pkgver=1.3.26
-pkgrel=2
+pkgrel=3
 pkgdesc="Image processing system"
 url="http://www.graphicsmagick.org/"
 arch="all"
 license="MIT"
-depends=""
-depends_dev="jasper-dev libpng-dev tiff-dev libxml2-dev libwmf-dev"
-makedepends="$depends_dev libtool libltdl"
-install=""
+makedepends="jasper-dev libpng-dev tiff-dev libxml2-dev libwmf-dev libtool libltdl"
 subpackages="$pkgname-dev $pkgname-doc"
 source="http://downloads.sourceforge.net/$pkgname/$pkgname/$pkgver/GraphicsMagick-$pkgver.tar.xz
 	CVE-2017-11642.patch
@ -18,12 +15,17 @@ source="http://downloads.sourceforge.net/$pkgname/$pkgname/$pkgver/GraphicsMagic
 	CVE-2017-12935.patch
 	CVE-2017-12936.patch
 	CVE-2017-12937.patch
-	CVE-2017-13063-13064.patch"
-options="libtool"
-
+	CVE-2017-13063-13064.patch
+	CVE-2017-13775.patch
+	CVE-2017-13776-13777.patch"
+options="libtool !check"
 builddir="$srcdir"/GraphicsMagick-$pkgver

 # security fixes:
+#   1.3.26-r3:
+#     - CVE-2017-13775
+#     - CVE-2017-13776
+#     - CVE-2017-13777
 #   1.3.26-r2:
 #     - CVE-2017-11642
 #     - CVE-2017-11722
@ -50,14 +52,13 @@ build() {
 		--with-modules \
 		--with-threads \
 		--with-gs-font-dir=/usr/share/fonts/Type1 \
-		--with-quantum-depth=16 \
-		|| return 1
-	make || return 1
+		--with-quantum-depth=16
+	make
 }

 package() {
 	cd "$builddir"
-	make DESTDIR="$pkgdir" install || return 1
+	make DESTDIR="$pkgdir" install
 }

 sha512sums="b33ca0f1c858428693aee27a9089acff9e63d1110f85fa036894cfefe6274e7b2422758ea39852f94fdb4823c9c3f3c44b0d8906627503301f5928096f739f22  GraphicsMagick-1.3.26.tar.xz
@ -66,4 +67,6 @@ f9167ad79f54fc3881d81b9b5cb5b84f38e847103c6945af4fda516d6696ff8e95ec48cbae84161f
 2cb2ee3f88a835dff63c903bd215abb09c1812fedecbbb19c228fd2680c5762c6a20e6be1497c0fc3ed7a9b16eac6e7fe7f0fc9da4f6ef3e90fe75a049085ca7  CVE-2017-12935.patch
 b78b61d7b29c2316ecefe69c473b1aa1e93185e0da245f7cf2d351566ff737bce8e560e9b471334549e4ab76bc8752717f403e7afa9d393bdd64e191f8abbb9c  CVE-2017-12936.patch
 508ceee0aa73744e9b36c6e60b071d4dc4a5254b4d5265c4ee2bde317713b831db8958667fac44aa1e89b3cc8094027cade368f10f7f5f3d1a2980c2a70d516d  CVE-2017-12937.patch
-262434bab04541c276728111c9ec5d92abbb68e980813a50712d03505f3d3c4681b4daf02fd22e4ba11ed0daf5b553e4a47291c43f4c146554f1809292b73441  CVE-2017-13063-13064.patch"
+262434bab04541c276728111c9ec5d92abbb68e980813a50712d03505f3d3c4681b4daf02fd22e4ba11ed0daf5b553e4a47291c43f4c146554f1809292b73441  CVE-2017-13063-13064.patch
+b15d1c71a4f7e15cbc6a6a83590c99dfaf20d25f08e07a1ea8ff08f9e0f92d55da3a0afc86a259f88cae01ec0fa21c9b555a9085aae24f4bf3d36c48b29d56e5  CVE-2017-13775.patch
+f23c5e7d8e5c9e670ceb27b7e027910f181107033ec86538ce9778a2d37c29964008d5d8774bf59d4b45126b36630d73dc460636bfc55ab72ca64eefaae1768e  CVE-2017-13776-13777.patch"
--- a/community/graphicsmagick/CVE-2017-13775.patch
+++ b/community/graphicsmagick/CVE-2017-13775.patch
@ -0,0 +1,182 @@
+diff -r 198ea602ea7c -r b037d79b6ccd coders/jnx.c
+--- a/coders/jnx.c	Tue Aug 22 08:08:30 2017 -0500
+++ b/coders/jnx.c	Sat Aug 26 14:14:13 2017 -0500
+@@ -1,5 +1,5 @@
+ /*
+-% Copyright (C) 2012-2015 GraphicsMagick Group
+% Copyright (C) 2012-2017 GraphicsMagick Group
+ %
+ % This program is covered by multiple licenses, which are described in
+ % Copyright.txt. You should have received a copy of Copyright.txt with this
+@@ -100,6 +100,7 @@
+ 
+   char img_label_str[MaxTextExtent];
+ 
+
+   alloc_size = TileInfo->PicSize + 2;
+ 
+   if (image->logging)
+@@ -242,6 +243,9 @@
+     total_tiles,
+     current_tile;
+ 
+  magick_off_t
+    file_size;
+
+   /* Open image file. */
+   assert(image_info != (const ImageInfo *) NULL);
+   assert(image_info->signature == MagickSignature);
+@@ -254,9 +258,8 @@
+   if (status == False)
+     ThrowReaderException(FileOpenError, UnableToOpenFile, image);
+ 
+-  memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo));
+-
+   /* Read JNX image header. */
+  (void) memset(&JNXHeader, 0, sizeof(JNXHeader));
+   JNXHeader.Version = ReadBlobLSBLong(image);
+   if (JNXHeader.Version > 4)
+     ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
+@@ -266,8 +269,6 @@
+   JNXHeader.MapBounds.SouthWest.lat = ReadBlobLSBLong(image);
+   JNXHeader.MapBounds.SouthWest.lon = ReadBlobLSBLong(image);
+   JNXHeader.Levels = ReadBlobLSBLong(image);
+-  if (JNXHeader.Levels > 20)
+-    ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
+   JNXHeader.Expiration = ReadBlobLSBLong(image);
+   JNXHeader.ProductID = ReadBlobLSBLong(image);
+   JNXHeader.CRC = ReadBlobLSBLong(image);
+@@ -279,7 +280,41 @@
+   if (EOFBlob(image))
+     ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+ 
+  file_size = GetBlobSize(image);
+
+  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                        "JNX Header:\n"
+                        "    Version:    %u\n"
+                        "    DeviceSN:   %u\n"
+                        "    MapBounds:\n"
+                        "      NorthEast: lat = %u, lon = %u\n"
+                        "      SouthWest: lat = %u, lon = %u\n"
+                        "    Levels:     %u\n"
+                        "    Expiration: %u\n"
+                        "    ProductID:  %u\n"
+                        "    CRC:        %u\n"
+                        "    SigVersion: %u\n"
+                        "    SigOffset:  %u\n"
+                        "    ZOrder:     %u",
+                        JNXHeader.Version,
+                        JNXHeader.DeviceSN,
+                        JNXHeader.MapBounds.NorthEast.lat,
+                        JNXHeader.MapBounds.NorthEast.lon,
+                        JNXHeader.MapBounds.SouthWest.lat,
+                        JNXHeader.MapBounds.SouthWest.lon,
+                        JNXHeader.Levels,
+                        JNXHeader.Expiration,
+                        JNXHeader.ProductID,
+                        JNXHeader.CRC,
+                        JNXHeader.SigVersion,
+                        JNXHeader.SigOffset,
+                        JNXHeader.ZOrder);
+
+  if (JNXHeader.Levels > 20)
+    ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
+
+   /* Read JNX image level info. */
+  memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo));
+   total_tiles = 0;
+   current_tile = 0;
+   for (i = 0; i < JNXHeader.Levels; i++)
+@@ -302,11 +337,23 @@
+         {
+           JNXLevelInfo[i].Copyright = NULL;
+         }
+
+      if (EOFBlob(image))
+        ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+
+      if (image->logging)
+        (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                              "Level[%u] Info:"
+                              "  TileCount: %4u"
+                              "  TilesOffset: %6u"
+                              "  Scale: %04u",
+                              i,
+                              JNXLevelInfo[i].TileCount,
+                              JNXLevelInfo[i].TilesOffset,
+                              JNXLevelInfo[i].Scale
+                              );
+     }
+ 
+-  if (EOFBlob(image))
+-    ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+-
+   /* Get the current limit */
+   SaveLimit = GetMagickResourceLimit(MapResource);
+ 
+@@ -316,11 +363,32 @@
+   /* Read JNX image data. */
+   for (i = 0; i < JNXHeader.Levels; i++)
+     {
+      /*
+        Validate TileCount against remaining file data
+      */
+      const magick_off_t current_offset = TellBlob(image);
+      const size_t pos_list_entry_size =
+        sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + sizeof(magick_uint32_t) +
+        sizeof(magick_uint32_t) + sizeof(magick_uint16_t) + sizeof(magick_uint16_t) +
+        sizeof(magick_uint32_t) + sizeof(magick_uint32_t);
+      const magick_off_t remaining = file_size-current_offset;
+      const size_t needed = MagickArraySize(pos_list_entry_size,JNXLevelInfo[i].TileCount);
+
+      if ((needed == 0U) || (remaining <= 0) || (remaining < (magick_off_t) needed))
+        {
+          (void) SetMagickResourceLimit(MapResource, SaveLimit);
+          ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+        }
+
+       PositionList = MagickAllocateArray(TJNXTileInfo *,
+                                          JNXLevelInfo[i].TileCount,
+                                          sizeof(TJNXTileInfo));
+       if (PositionList == NULL)
+-        continue;
+        {
+          (void) SetMagickResourceLimit(MapResource, SaveLimit);
+          ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+                               image);
+        }
+ 
+       (void) SeekBlob(image, JNXLevelInfo[i].TilesOffset, SEEK_SET);
+       for (j = 0; j < JNXLevelInfo[i].TileCount; j++)
+@@ -333,12 +401,15 @@
+           PositionList[j].PicHeight = ReadBlobLSBShort(image);
+           PositionList[j].PicSize = ReadBlobLSBLong(image);
+           PositionList[j].PicOffset = ReadBlobLSBLong(image);
+-        }
+ 
+-      if (EOFBlob(image))
+-        {
+-          MagickFreeMemory(PositionList);
+-          ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+          if (EOFBlob(image) ||
+              ((magick_off_t) PositionList[j].PicOffset +
+               PositionList[j].PicSize > file_size))
+            {
+              (void) SetMagickResourceLimit(MapResource, SaveLimit);
+              MagickFreeMemory(PositionList);
+              ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+            }
+         }
+ 
+       for (j = 0; j < JNXLevelInfo[i].TileCount; j++)
+@@ -351,6 +422,9 @@
+           image = ExtractTileJPG(image, image_info, PositionList+j, exception);
+           (void) SetMonitorHandler(previous_handler);
+ 
+          if (exception->severity >= ErrorException)
+            break;
+
+           current_tile++;
+           if (QuantumTick(current_tile,total_tiles))
+             if (!MagickMonitorFormatted(current_tile,total_tiles,exception,
--- a/community/graphicsmagick/CVE-2017-13776-13777.patch
+++ b/community/graphicsmagick/CVE-2017-13776-13777.patch
@ -0,0 +1,165 @@
+diff -r b037d79b6ccd -r 233a720bfd5e coders/xbm.c
+--- a/coders/xbm.c	Sat Aug 26 14:14:13 2017 -0500
+++ b/coders/xbm.c	Sat Aug 26 15:26:15 2017 -0500
+@@ -1,5 +1,5 @@
+ /*
+-% Copyright (C) 2003 -2012 GraphicsMagick Group
+% Copyright (C) 2003-2017 GraphicsMagick Group
+ % Copyright (C) 2002 ImageMagick Studio
+ % Copyright 1991-1999 E. I. du Pont de Nemours and Company
+ %
+@@ -121,13 +121,15 @@
+ 
+ static int XBMInteger(Image *image,short int *hex_digits)
+ {
+  unsigned int
+    flag;
+
+   int
+     c,
+-    flag,
+     value;
+ 
+   value=0;
+-  flag=0;
+  flag=0U;
+   for ( ; ; )
+   {
+     c=ReadBlobByte(image);
+@@ -158,18 +160,14 @@
+   Image
+     *image;
+ 
+-  int
+-    bit;
+-
+-  long
+-    y;
+-
+   register IndexPacket
+     *indexes;
+ 
+-  register long
+  register size_t
+    bytes_per_line,
+     i,
+-    x;
+    x,
+    y;
+ 
+   register PixelPacket
+     *q;
+@@ -177,22 +175,24 @@
+   register unsigned char
+     *p;
+ 
+-  short int
+-    hex_digits[256];
+-
+   unsigned char
+     *data;
+ 
+   unsigned int
+    bit,
+    byte,
+    padding,
+    version;
+
+  int
+    value;
+
+  short int
+    hex_digits[256];
+
+  MagickPassFail
+     status;
+ 
+-  unsigned long
+-    byte,
+-    bytes_per_line,
+-    padding,
+-    value,
+-    version;
+-
+   /*
+     Open image file.
+   */
+@@ -207,6 +207,8 @@
+   /*
+     Read X bitmap header.
+   */
+  (void) memset(buffer,0,sizeof(buffer));
+  name[0]='\0';
+   while (ReadBlobString(image,buffer) != (char *) NULL)
+     if (sscanf(buffer,"#define %s %lu",name,&image->columns) == 2)
+       if ((strlen(name) >= 6) &&
+@@ -278,6 +280,8 @@
+   /*
+     Initialize hex values.
+   */
+  for (i = 0; i < sizeof(hex_digits)/sizeof(hex_digits[0]); i++)
+    hex_digits[i]=(-1);
+   hex_digits['0']=0;
+   hex_digits['1']=1;
+   hex_digits['2']=2;
+@@ -311,40 +315,50 @@
+   */
+   p=data;
+   if (version == 10)
+-    for (i=0; i < (long) (bytes_per_line*image->rows); (i+=2))
+    for (i=0; i < (bytes_per_line*image->rows); (i+=2))
+     {
+       value=XBMInteger(image,hex_digits);
+      if (value < 0)
+        {
+          MagickFreeMemory(data);
+          ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+        }
+       *p++=(unsigned char) value;
+       if (!padding || ((i+2) % bytes_per_line))
+         *p++=(unsigned char) (value >> 8);
+     }
+   else
+-    for (i=0; i < (long) (bytes_per_line*image->rows); i++)
+    for (i=0; i < (bytes_per_line*image->rows); i++)
+     {
+       value=XBMInteger(image,hex_digits);
+      if (value < 0)
+        {
+          MagickFreeMemory(data);
+          ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+        }
+       *p++=(unsigned char) value;
+     }
+   /*
+     Convert X bitmap image to pixel packets.
+   */
+   p=data;
+-  for (y=0; y < (long) image->rows; y++)
+  for (y=0; y < image->rows; y++)
+   {
+     q=SetImagePixels(image,0,y,image->columns,1);
+     if (q == (PixelPacket *) NULL)
+       break;
+     indexes=AccessMutableIndexes(image);
+-    bit=0;
+-    byte=0;
+-    for (x=0; x < (long) image->columns; x++)
+    bit=0U;
+    byte=0U;
+    for (x=0; x < image->columns; x++)
+     {
+-      if (bit == 0)
+      if (bit == 0U)
+         byte=(*p++);
+       indexes[x]=byte & 0x01 ? 0x01 : 0x00;
+       bit++;
+-      byte>>=1;
+-      if (bit == 8)
+-        bit=0;
+      byte>>=1U;
+      if (bit == 8U)
+        bit=0U;
+     }
+     if (!SyncImagePixels(image))
+       break;