imagemagick: fix recent security issues

Alexander Pyhalov

2017-03-15 9a68c5fdfa362918bf49668cecc0b382e8c339d6

imagemagick: fix recent security issues

 components/image/imagemagick/Makefile

@@ -29,7 +29,7 @@
COMPONENT_VERSION=        6.9.6
COMPONENT_MAJOR_VERSIOR=    $(shell echo $(COMPONENT_VERSION) | $(GSED) -e 's/\([0-9]\+\)\.[0-9]\+\.[0-9]\+/\1/')
COMPONENT_SUBVERSION=        5
COMPONENT_REVISION=        1
COMPONENT_REVISION=        2
HUMAN_VERSION=            $(COMPONENT_VERSION)-$(COMPONENT_SUBVERSION)
COMPONENT_FMRI=            image/imagemagick
COMPONENT_CLASSIFICATION=    System/Multimedia Libraries
@@ -102,15 +102,32 @@
# Remove build machine runpath from libMagick++-6.Q16.so.1.0.0
install:    $(INSTALL_32_and_64)

test:        $(TEST_32_and_64)

PKG_MACROS += COMPONENT_MAJOR_VERSION=$(COMPONENT_MAJOR_VERSION)
PKG_MACROS += PERL_PKG=$(PERL_PKG)

# ImageMagick tests have hard-coded absolute paths inside, so essentially they
# can be run only after ImageMagick is actually installed and this is not 
# possible, so the tests are not invoked.
#
test:        $(NO_TESTS)
    @echo "Tests can be run only after ImageMagick is installed."

# Needed for "gmake test" to work successfully.  If SHELLOPTS is exported (as
# it is by the Userland Makefiles), then all shell options get exported to
# child invocations of bash, which results in test failures due to nounset and
# xtrace being set unexpectedly, and errors such as "$1: unbound variable" and
# diffs failing due to script tracing in output files.
unexport SHELLOPTS

# Tests hang waiting for input unless stdin is redirected.
COMPONENT_TEST_TARGETS = check < /dev/null

# Master test transforms
COMPONENT_TEST_TRANSFORMS += \
       '-n '\
       '-e "/TOTAL/p" ' \
       '-e "/SKIP/p" ' \
       '-e "/PASS/p" ' \
       '-e "/FAIL/p" ' \
       '-e "/ERROR/p" ' 

COMPONENT_TEST_MASTER = $(COMPONENT_TEST_RESULTS_DIR)/results-all.master

REQUIRED_PACKAGES += SUNWcs
REQUIRED_PACKAGES += compress/bzip2
@@ -130,6 +147,7 @@
REQUIRED_PACKAGES += library/libwebp
REQUIRED_PACKAGES += library/libxml2
REQUIRED_PACKAGES += library/zlib
REQUIRED_PACKAGES += print/filter/ghostscript/fonts/gnu-gs-fonts-std
REQUIRED_PACKAGES += system/library
REQUIRED_PACKAGES += system/library/freetype-2
REQUIRED_PACKAGES += system/library/g++-4-runtime

 components/image/imagemagick/manifests/sample-manifest.p5m

@@ -1480,8 +1480,10 @@
file path=usr/share/doc/ImageMagick-6/www/links.html
file path=usr/share/doc/ImageMagick-6/www/magick++.html
file path=usr/share/doc/ImageMagick-6/www/magick-core.html
file path=usr/share/doc/ImageMagick-6/www/magick-script.html
file path=usr/share/doc/ImageMagick-6/www/magick-vector-graphics.html
file path=usr/share/doc/ImageMagick-6/www/magick-wand.html
file path=usr/share/doc/ImageMagick-6/www/magick.html
file path=usr/share/doc/ImageMagick-6/www/miff.html
file path=usr/share/doc/ImageMagick-6/www/mogrify.html
file path=usr/share/doc/ImageMagick-6/www/montage.html
@@ -1493,6 +1495,7 @@
file path=usr/share/doc/ImageMagick-6/www/quantize.html
file path=usr/share/doc/ImageMagick-6/www/resources.html
file path=usr/share/doc/ImageMagick-6/www/search.html
file path=usr/share/doc/ImageMagick-6/www/security-policy.html
file path=usr/share/doc/ImageMagick-6/www/sitemap.html
file path=usr/share/doc/ImageMagick-6/www/source/analyze.c
file path=usr/share/doc/ImageMagick-6/www/source/coder.xml

 components/image/imagemagick/patches/01-la.patch

 components/image/imagemagick/patches/02-no__attribute__.patch

 components/image/imagemagick/patches/03-perl_LD_RUN_PATH.patch

 components/image/imagemagick/patches/04-perl_overrides.patch

 components/image/imagemagick/patches/05-png.patch

 components/image/imagemagick/patches/06-test-exceptions.patch

 components/image/imagemagick/patches/07-CVE-2017-6498.patch

New file
@@ -0,0 +1,48 @@
From 55ccd66ef296d221f327b9bcdeb1ab339764a126 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Thu, 19 Jan 2017 19:30:48 -0500
Subject: [PATCH] Fix an assertion faillure in TGA

bug: https://github.com/ImageMagick/ImageMagick/pull/359
bug-debian: https://bugs.debian.org/856878
origin: https://github.com/ImageMagick/ImageMagick/commit/65f75a32a93ae4044c528a987a68366ecd4b46b9

(cherry picked from commit 65f75a32a93ae4044c528a987a68366ecd4b46b9)
---
 coders/tga.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/coders/tga.c b/coders/tga.c
index d8adc52f7..7b87278ef 100644
--- a/coders/tga.c
+++ b/coders/tga.c
@@ -710,6 +710,7 @@ static MagickBooleanType WriteTGAImage(const ImageInfo *image_info,Image *image)
     compression;
 
   const char
+    *comment,
     *value;
 
   const double
@@ -766,9 +767,9 @@ static MagickBooleanType WriteTGAImage(const ImageInfo *image_info,Image *image)
     compression=image_info->compression;
   range=GetQuantumRange(5UL);
   tga_info.id_length=0;
-  value=GetImageProperty(image,"comment");
-  if (value != (const char *) NULL)
-    tga_info.id_length=(unsigned char) MagickMin(strlen(value),255);
+  comment=GetImageProperty(image,"comment");
+  if (comment != (const char *) NULL)
+    tga_info.id_length=(unsigned char) MagickMin(strlen(comment),255);
   tga_info.colormap_type=0;
   tga_info.colormap_index=0;
   tga_info.colormap_length=0;
@@ -852,7 +853,7 @@ static MagickBooleanType WriteTGAImage(const ImageInfo *image_info,Image *image)
   (void) WriteBlobByte(image,tga_info.bits_per_pixel);
   (void) WriteBlobByte(image,tga_info.attributes);
   if (tga_info.id_length != 0)
-    (void) WriteBlob(image,tga_info.id_length,(unsigned char *) value);
+    (void) WriteBlob(image,tga_info.id_length,(unsigned char *) comment);
   if (tga_info.colormap_type != 0)
     {
       unsigned char

 components/image/imagemagick/patches/08-CVE-2017-6500.patch

New file
@@ -0,0 +1,28 @@
From b7923d8eab6c340b985e6714780f9594cc435a68 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Wed, 8 Feb 2017 13:38:04 -0500
Subject: [PATCH] Fix an out of bound error in sun file handling

bug: https://github.com/ImageMagick/ImageMagick/issues/375
bug: https://github.com/ImageMagick/ImageMagick/issues/376
bug-debian: https://bugs.debian.org/856879
origin: https://github.com/ImageMagick/ImageMagick/commit/3007531bfd326c5c1e29cd41d2cd80c166de8528

(cherry picked from commit 3007531bfd326c5c1e29cd41d2cd80c166de8528)
---
 coders/sun.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/coders/sun.c b/coders/sun.c
index 150f3357f..c11a33c62 100644
--- a/coders/sun.c
+++ b/coders/sun.c
@@ -458,7 +458,7 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
         ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
       }
     pixels_length=height*bytes_per_line;
-    sun_pixels=(unsigned char *) AcquireQuantumMemory(pixels_length,
+    sun_pixels=(unsigned char *) AcquireQuantumMemory(pixels_length+image->rows,
       sizeof(*sun_pixels));
     if (sun_pixels == (unsigned char *) NULL)
       {

 components/image/imagemagick/patches/09-CVE-2017-6499.patch

New file
@@ -0,0 +1,40 @@
From a69d89789fb41b11ff8a0082ac6f1518e836cacb Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@git.imagemagick.org>
Date: Thu, 9 Feb 2017 21:53:23 +0100
Subject: [PATCH] Fixed memory leak when creating nested exceptions in
 Magick++.

bug: : https://www.imagemagick.org/discourse-server/viewtopic.php?f=23&p=142634
bug-debian: https://bugs.debian.org/856880
origin: https://github.com/ImageMagick/ImageMagick/commit/3358f060fc182551822576b2c0a8850faab5d543
---
 Magick++/lib/Exception.cpp | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/Magick++/lib/Exception.cpp b/Magick++/lib/Exception.cpp
index 92ca62970..8ef34bc0a 100644
--- a/Magick++/lib/Exception.cpp
+++ b/Magick++/lib/Exception.cpp
@@ -852,12 +852,18 @@ MagickPPExport void Magick::throwException(ExceptionInfo *exception_,
             exception_->description) != 0))
           {
             if (nestedException == (Exception *) NULL)
-              nestedException=createException(p);
+              {
+                nestedException=createException(p);
+                q=nestedException;
+              }
             else
               {
-                q=createException(p);
-                nestedException->nested(q);
-                nestedException=q;
+                Exception
+                  *r;
+
+                r=createException(p);
+                q->nested(r);
+                q=r;
               }
           }
       }

 components/image/imagemagick/patches/10-CVE-2017-6501.patch

New file
@@ -0,0 +1,31 @@
From 4e2a12626b681f8fbfab79bf3632cf5dbaf1ca41 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Thu, 9 Feb 2017 18:13:47 -0500
Subject: [PATCH] Check for image list before we destroy the last image in XCF
 coder
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

patch sent privately by Андрей Черный

bug-debian: https://bugs.debian.org/856881
origin: https://github.com/ImageMagick/ImageMagick/commit/d31fec57e9dfb0516deead2053a856e3c71e9751
---
 coders/xcf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/coders/xcf.c b/coders/xcf.c
index 083f217ca..2feef82ff 100644
--- a/coders/xcf.c
+++ b/coders/xcf.c
@@ -1445,7 +1445,8 @@ static Image *ReadXCFImage(const ImageInfo *image_info,ExceptionInfo *exception)
   }
 
   (void) CloseBlob(image);
-  DestroyImage(RemoveFirstImageFromList(&image));
+  if (GetNextImageInList(image) != (Image *) NULL)
+    DestroyImage(RemoveFirstImageFromList(&image));
   if (image_type == GIMP_GRAY)
     image->type=GrayscaleType;
   return(GetFirstImageInList(image));

 components/image/imagemagick/patches/11-CVE-2017-6500.patch

New file
@@ -0,0 +1,31 @@
From 841331fe20d5b55583d79592334eb35430266871 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@git.imagemagick.org>
Date: Sat, 11 Feb 2017 10:31:39 +0100
Subject: [PATCH] Added missing null check.

bug-debian: https://bugs.debian.org/856882
origin: https://github.com/ImageMagick/ImageMagick/commit/7f2dc7a1afc067d0c89f12c82bcdec0445fb1b94

(cherry picked from commit 7f2dc7a1afc067d0c89f12c82bcdec0445fb1b94)
---
 coders/psd.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/coders/psd.c b/coders/psd.c
index 14e375b9e..fb93c57dd 100644
--- a/coders/psd.c
+++ b/coders/psd.c
@@ -1284,8 +1284,11 @@ static MagickBooleanType ReadPSDChannel(Image *image,
       }
       mask=CloneImage(image,layer_info->mask.page.width,
         layer_info->mask.page.height,MagickFalse,exception);
-      mask->matte=MagickFalse;
-      channel_image=mask;
+      if (mask != (Image *) NULL)
+        {
+          mask->matte=MagickFalse;
+          channel_image=mask;
+        }
     }
 
   offset=TellBlob(image);

 components/image/imagemagick/test/results-all.master

New file
@@ -0,0 +1,83 @@
PASS: tests/cli-pipe.tap 1
PASS: tests/cli-pipe.tap 2
PASS: tests/cli-pipe.tap 3
PASS: tests/cli-pipe.tap 4
PASS: tests/cli-pipe.tap 5
PASS: tests/cli-pipe.tap 6
PASS: tests/cli-pipe.tap 7
PASS: tests/cli-pipe.tap 8
PASS: tests/cli-colorspace.tap 1
PASS: tests/cli-colorspace.tap 2
PASS: tests/cli-colorspace.tap 3
PASS: tests/cli-colorspace.tap 4
PASS: tests/cli-colorspace.tap 5
PASS: tests/cli-colorspace.tap 6
PASS: tests/cli-colorspace.tap 7
PASS: tests/cli-colorspace.tap 8
PASS: tests/cli-colorspace.tap 9
PASS: tests/cli-colorspace.tap 10
PASS: tests/cli-colorspace.tap 11
PASS: tests/cli-colorspace.tap 12
PASS: tests/cli-colorspace.tap 13
PASS: tests/cli-colorspace.tap 14
PASS: tests/cli-colorspace.tap 15
PASS: tests/cli-colorspace.tap 16
PASS: tests/cli-colorspace.tap 17
PASS: tests/cli-colorspace.tap 18
PASS: tests/cli-colorspace.tap 19
PASS: tests/validate-colorspace.tap 1
PASS: tests/validate-compare.tap 1
PASS: tests/validate-composite.tap 1
PASS: tests/validate-convert.tap 1
PASS: tests/validate-formats-disk.tap 1
PASS: tests/validate-formats-map.tap 1
PASS: tests/validate-formats-memory.tap 1
PASS: tests/validate-identify.tap 1
PASS: tests/validate-import.tap 1
PASS: tests/validate-montage.tap 1
PASS: tests/validate-stream.tap 1
PASS: tests/drawtest.tap 1
PASS: tests/wandtest.tap 1
PASS: Magick++/tests/tests.tap 1
PASS: Magick++/tests/tests.tap 2
PASS: Magick++/tests/tests.tap 3
PASS: Magick++/tests/tests.tap 4
PASS: Magick++/tests/tests.tap 5
PASS: Magick++/tests/tests.tap 6
PASS: Magick++/tests/tests.tap 7
PASS: Magick++/tests/tests.tap 8
PASS: Magick++/tests/tests.tap 9
PASS: Magick++/tests/tests.tap 10
PASS: Magick++/tests/tests.tap 11
PASS: Magick++/tests/tests.tap 12
PASS: Magick++/demo/demos.tap 1
PASS: Magick++/demo/demos.tap 2
PASS: Magick++/demo/demos.tap 3
PASS: Magick++/demo/demos.tap 4
PASS: Magick++/demo/demos.tap 5
PASS: Magick++/demo/demos.tap 6
PASS: Magick++/demo/demos.tap 7
PASS: Magick++/demo/demos.tap 8
PASS: Magick++/demo/demos.tap 9
PASS: Magick++/demo/demos.tap 10
PASS: Magick++/demo/demos.tap 11
PASS: Magick++/demo/demos.tap 12
PASS: Magick++/demo/demos.tap 13
PASS: Magick++/demo/demos.tap 14
PASS: Magick++/demo/demos.tap 15
PASS: Magick++/demo/demos.tap 16
PASS: Magick++/demo/demos.tap 17
PASS: Magick++/demo/demos.tap 18
PASS: Magick++/demo/demos.tap 19
PASS: Magick++/demo/demos.tap 20
PASS: Magick++/demo/demos.tap 21
PASS: Magick++/demo/demos.tap 22
PASS: Magick++/demo/demos.tap 23
PASS: Magick++/demo/demos.tap 24
# TOTAL: 76
# PASS:  76
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0