"ImageTragick" related security fixes auto/th/GraphicsMagick-1.3.23-2
authorElan Ruusamäe <glen@delfi.ee>
Tue, 17 May 2016 09:22:36 +0000 (12:22 +0300)
committerElan Ruusamäe <glen@delfi.ee>
Tue, 17 May 2016 09:23:56 +0000 (12:23 +0300)
- related: CVE-2016-3714, CVE-2016-3718, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717

Patches taken from the mailing-list archive.

GraphicsMagick.spec
disable-mvg-ext.patch [new file with mode: 0644]
disable-tmp-magick-prefix.patch [new file with mode: 0644]
elegates-safer.patch [new file with mode: 0644]
image-sanity-check.patch [new file with mode: 0644]

index 4ecf644411251653828ced16ee6d4315a6d0451a..da9addec5e1b1fc43fbd8606ef6d21cbf479ade9 100644 (file)
@@ -5,11 +5,11 @@
 %bcond_without jasper          # without JPEG2000 module (which uses jasper library)
 %bcond_without cxx             # without Magick++ library
 %bcond_without openmp          # OpenMP support
-#
-%include       /usr/lib/rpm/macros.perl
-%define                QuantumDepth    16
+
 %define        pdir    Graphics
 %define        pnam    Magick
+%define        QuantumDepth    16
+%include       /usr/lib/rpm/macros.perl
 Summary:       Image display, conversion, and manipulation under X
 Summary(de.UTF-8):     Darstellen, Konvertieren und Bearbeiten von Grafiken unter X
 Summary(es.UTF-8):     Exhibidor, convertidor y manipulador de imágenes bajo X
@@ -21,13 +21,18 @@ Summary(tr.UTF-8):  X altında resim gösterme, çevirme ve değişiklik yapma
 Summary(uk.UTF-8):     Перегляд, конвертування та обробка зображень під X Window
 Name:          GraphicsMagick
 Version:       1.3.23
-Release:       1
+Release:       2
 License:       MIT
 Group:         X11/Applications/Graphics
 Source0:       http://downloads.sourceforge.net/graphicsmagick/%{name}-%{version}.tar.xz
 # Source0-md5: 9885ff5d91bc215a0adb3be1185e9777
 Patch0:                %{name}-link.patch
 Patch1:                %{name}-ldflags.patch
+# https://sourceforge.net/p/graphicsmagick/mailman/message/35072963/
+Patch2:                elegates-safer.patch
+Patch3:                disable-mvg-ext.patch
+Patch4:                disable-tmp-magick-prefix.patch
+Patch5:                image-sanity-check.patch
 URL:           http://www.graphicsmagick.org/
 BuildRequires: autoconf >= 2.69
 BuildRequires: automake >= 1:1.11
@@ -562,6 +567,10 @@ Dokumentacja do GraphicsMagick.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 
 find PerlMagick scripts www -type f -exec perl -pi -e 's=!%{_prefix}/local/bin/perl=!%{__perl}=' {} \;
 
@@ -598,7 +607,7 @@ install -d $RPM_BUILD_ROOT%{_examplesdir}/%{name}-perl-%{version}
        DESTDIR=$RPM_BUILD_ROOT \
        pkgdocdir=%{_docdir}/%{name}-devel-%{version}
 
-install PerlMagick/demo/* $RPM_BUILD_ROOT%{_examplesdir}/%{name}-perl-%{version}
+cp -p PerlMagick/demo/* $RPM_BUILD_ROOT%{_examplesdir}/%{name}-perl-%{version}
 
 %clean
 rm -rf $RPM_BUILD_ROOT
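Review bot: `Patch2: elegates-safer.patch` and the new file of that name look like a truncated `delegates-safer.patch` — the patch edits config/delegates.mgk.in — so renaming the file and the Patch2 line together would keep the spec readable. The mailing-list URL above Patch2 is the only provenance recorded, while Patch3–Patch5 carry none; since the commit message ties the set to five CVE ids, a one-line comment per patch such as `# CVE-<id from the commit message>: <what the patch narrows>` would let the next packager judge which patches can be dropped once an upstream release carries the fix. All four new patch files render with a CR at the end of every line; if that is the on-disk content rather than a display artifact, `%patch2`–`%patch5` should be checked to apply cleanly against the LF-ended tarball, the form-feed context line in disable-mvg-ext.patch being the likeliest trouble spot.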
diff --git a/disable-mvg-ext.patch b/disable-mvg-ext.patch
new file mode 100644 (file)
index 0000000..3eeaf04
--- /dev/null
@@ -0,0 +1,11 @@
+diff -r 33200fc645f6 coders/mvg.c\r
+--- a/coders/mvg.c     Sat Nov 07 14:49:16 2015 -0600\r
++++ b/coders/mvg.c     Sat May 07 20:11:54 2016 -0500\r
+@@ -234,6 +234,7 @@\r
+   entry->seekable_stream=True;\r
+   entry->description="Magick Vector Graphics";\r
+   entry->module="MVG";\r
++  entry->extension_treatment=IgnoreExtensionTreatment;\r
+   (void) RegisterMagickInfo(entry);\r
+ }\r
\f\r
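Review bot: The new `entry->extension_treatment=IgnoreExtensionTreatment;` line carries no comment saying why the MVG coder must not be chosen from a file extension, and neither the patch file nor the spec explains it; suggest `/* Never select MVG from a ".mvg" suffix alone: MVG is a drawing language and must only be used when the caller asks for it explicitly */` above the line. This is a narrowing rather than a disabling — the coder presumably stays reachable through an explicit `mvg:` prefix, and through content magic if magic.mgk has an MVG entry (not visible here) — which the name "disable-mvg-ext" matches, but a reader may assume more. The register function this hunk edits starts outside the hunk, and the last context line appears to be the file's form-feed separator with its diff markers lost in rendering, which is worth confirming when the patch is applied.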
diff --git a/disable-tmp-magick-prefix.patch b/disable-tmp-magick-prefix.patch
new file mode 100644 (file)
index 0000000..0ff6abc
--- /dev/null
@@ -0,0 +1,13 @@
+diff -r 33200fc645f6 magick/image.c\r
+--- a/magick/image.c   Sat Nov 07 14:49:16 2015 -0600\r
++++ b/magick/image.c   Sat May 07 20:12:57 2016 -0500\r
+@@ -2780,9 +2780,6 @@\r
+               (void) strlcpy(image_info->magick,magic,MaxTextExtent);\r
+               if (LocaleCompare(magic,"TMP") != 0)\r
+                 image_info->affirm=MagickTrue;\r
+-              else\r
+-                /* input file will be automatically removed */\r
+-                image_info->temporary=MagickTrue;\r
+             }\r
+         }\r
+     }\r
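Review bot: After the removal, the surviving `if (LocaleCompare(magic,"TMP") != 0) image_info->affirm=MagickTrue;` still singles out the "TMP" magick with nothing left to say why it stays un-affirmed now that it no longer marks the input for deletion; suggest a comment above it such as `/* "TMP:" used to flag the input for removal after reading; that behaviour is gone and the prefix is now only a non-affirming hint */`. The enclosing function (SetImageInfo, judging by the `image_info->magick` handling) starts and ends outside the hunk. This patch and the delegates patch in the same commit depend on each other: the "show" delegate there drops the `tmp:` prefix that was the in-tree user of the removed branch, so the two should be applied and reverted together, and a sentence recording that in either patch header would help.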
diff --git a/elegates-safer.patch b/elegates-safer.patch
new file mode 100644 (file)
index 0000000..bdff215
--- /dev/null
@@ -0,0 +1,77 @@
+diff -r 33200fc645f6 config/delegates.mgk.in\r
+--- a/config/delegates.mgk.in  Sat Nov 07 14:49:16 2015 -0600\r
++++ b/config/delegates.mgk.in  Sun May 08 18:23:04 2016 -0500\r
+@@ -78,28 +78,27 @@\r
+   <delegate decode="dvi" command='"@DVIDecodeDelegate@" -q -o "%o" "%i"' />\r
+   <delegate decode="edit" stealth="True" command='"@EditorDelegate@" -title "Edit Image Comment" -e vi "%o"' />\r
+   <delegate decode="emf" command='"@WMFDecodeDelegate@" -o "%o" "%i"' />\r
+-  <delegate decode="eps" encode="pdf" mode="bi" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPDFDevice@ "-sOutputFile=%o" -- "%i" -c quit' />\r
+-  <delegate decode="eps" encode="ps" mode="bi" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPSDevice@ "-sOutputFile=%o" -- "%i" -c quit' />\r
++  <delegate decode="eps" encode="pdf" mode="bi" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPDFDevice@ "-sOutputFile=%o" -- "%i" -c quit' />\r
++  <delegate decode="eps" encode="ps" mode="bi" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPSDevice@ "-sOutputFile=%o" -- "%i" -c quit' />\r
+   <delegate decode="fig" command='"@FIGDecodeDelegate@" -L ps "%i" "%o"' />\r
+-  <delegate decode="gplt" command='"@EchoDelegate@" "set size 1.25,0.62; set terminal postscript portrait color solid; set output \"%o\"; load \"%i\"" > "%u"; "@GnuplotDecodeDelegate@" "%u"' />\r
\r
+   <!-- Read monochrome Postscript, EPS, and PDF  -->\r
+-  <delegate decode="gs-mono" stealth="True" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSMonoDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />\r
++  <delegate decode="gs-mono" stealth="True" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSMonoDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />\r
\r
+   <!-- Read grayscale Postscript, EPS, and PDF  -->\r
+-  <delegate decode="gs-gray" stealth="True" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSGrayDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />\r
++  <delegate decode="gs-gray" stealth="True" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSGrayDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />\r
\r
+   <!-- Read colormapped Postscript, EPS, and PDF  -->\r
+-  <delegate decode="gs-palette" stealth="True" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPaletteDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />\r
++  <delegate decode="gs-palette" stealth="True" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPaletteDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />\r
\r
+   <!-- Read color Postscript, EPS, and PDF  -->\r
+-  <delegate decode="gs-color" stealth="True" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSColorDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />\r
++  <delegate decode="gs-color" stealth="True" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSColorDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />\r
\r
+   <!-- Read color+alpha Postscript, EPS, and PDF  -->\r
+-  <delegate decode="gs-color+alpha" stealth="True" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSColorAlphaDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />\r
++  <delegate decode="gs-color+alpha" stealth="True" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSColorAlphaDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />\r
\r
+   <!-- Read CMYK Postscript, EPS, and PDF  -->\r
+-  <delegate decode="gs-cmyk" stealth="True" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSCMYKDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />\r
++  <delegate decode="gs-cmyk" stealth="True" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSCMYKDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />\r
\r
+   <delegate decode="hpg" command='"@HPGLDecodeDelegate@" -q -m eps -f `basename "%o"` "%i" && mv -f `basename "%o"` "%o"' />\r
+   <delegate decode="hpgl" command='"@HPGLDecodeDelegate@" -q -m eps -f `basename "%o"` "%i" && mv -f `basename "%o"` "%o"' />\r
+@@ -108,16 +107,14 @@\r
+   <!-- Read HTML file  -->\r
+   <delegate decode="html" command='"@HTMLDecodeDelegate@" -U -o "%o" "%i"' />\r
+   <delegate decode="ilbm" command='"@ILBMDecodeDelegate@" "%i" > "%o"' />\r
+-  <!-- Read UNIX manual page  -->\r
+-  <delegate decode="man" command='"@MANDelegate@" -man -Tps "%i" > "%o"' />\r
+   <!-- Read MPEG file using mpeg2decode  -->\r
+   <delegate decode="mpeg" command='"@MPEGDecodeDelegate@" -q -b "%i" -f -o3 "%u%%05d"; @GMDelegate@ convert -temporary "%u*.ppm" "miff:%o" ; rm -f "%u"*.ppm ' />\r
+   <!-- Write MPEG file using mpeg2encode -->\r
+   <delegate encode="mpeg-encode" stealth="True" command='"@MPEGEncodeDelegate@" "%i" "%o"' />\r
+   <!-- Convert PDF to Encapsulated Poscript using Ghostscript -->\r
+-  <delegate decode="pdf" encode="eps" mode="bi" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSEPSDevice@ "-sOutputFile=%o" -- "%i" -c quit' />\r
++  <delegate decode="pdf" encode="eps" mode="bi" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSEPSDevice@ "-sOutputFile=%o" -- "%i" -c quit' />\r
+   <!-- Convert PDF to Postcript using Ghostscript -->\r
+-  <delegate decode="pdf" encode="ps" mode="bi" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPSDevice@ "-sOutputFile=%o" -- "%i" -c quit' />\r
++  <delegate decode="pdf" encode="ps" mode="bi" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPSDevice@ "-sOutputFile=%o" -- "%i" -c quit' />\r
+   <!-- Convert PNM file to ILBM format using ppmtoilbm -->\r
+   <delegate decode="pnm" encode="ilbm" mode="encode" command='"@ILBMEncodeDelegate@" -24if "%i" > "%o"' />\r
+   <delegate decode="pnm" encode="launch" mode="encode" command='"@LaunchDelegate@" "%i"' />\r
+@@ -125,8 +122,8 @@\r
+   <!-- Read Persistance Of Vision file using povray  -->\r
+   <delegate decode="pov" command='@POVDelegate@ "+i"%i"" +o"%o" +fn%q +w%w +h%h +a -q9 -kfi"%s" -kff"%n"\r
+     "@GMDelegate@" convert -adjoin "%o*.png" "%o"' />\r
+-  <delegate decode="ps" encode="eps" mode="bi" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSEPSDevice@ "-sOutputFile=%o" -- "%i" -c quit' />\r
+-  <delegate decode="ps" encode="pdf" mode="bi" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPDFDevice@ "-sOutputFile=%o" -- "%i" -c quit' />\r
++  <delegate decode="ps" encode="eps" mode="bi" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSEPSDevice@ "-sOutputFile=%o" -- "%i" -c quit' />\r
++  <delegate decode="ps" encode="pdf" mode="bi" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPDFDevice@ "-sOutputFile=%o" -- "%i" -c quit' />\r
+   <delegate decode="ps" encode="print" mode="encode" command='"@PrintDelegate@" "%i"' />\r
+   <!-- Read Radiance file using ra_ppm -->\r
+   <delegate decode="rad" command='"@RADDecodeDelegate@" -g 1.0 "%i" "%o"' />\r
+@@ -141,5 +138,5 @@\r
+   <delegate decode="txt" encode="ps" mode="bi" command='"@TXTDelegate@" -o "%o" "%i"' />\r
+   <!-- Render WMF file using wmf2eps (fallback in case libwmf not available) -->\r
+   <delegate decode="wmf" command='"@WMFDecodeDelegate@" -o "%o" "%i"' />\r
+-  <delegate encode="show" stealth="True" command='"@GMDelegate@" display -immutable -delay 0 -window_group %g -title "%l of %f" "tmp:%o" &' />\r
++  <delegate encode="show" stealth="True" command='"@GMDelegate@" display -immutable -delay 0 -window_group %g -title "%l of %f" "%o" &' />\r
+ </delegatemap>\r
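Review bot: `-dSAFER` is now present on every Ghostscript command line, but nothing in the file says it is load-bearing, so a future gs delegate copied from an older entry, or a cleanup of the gs-* block, can drop it unnoticed; suggest a comment before the first `@PSDelegate@` entry: `<!-- Every @PSDelegate@ invocation must keep -dSAFER; it restricts the PostScript interpreter's file access -->`. The removal of the `gplt` and `man` delegates and the dropped `tmp:` prefix on `show` are likewise undocumented; a short header in the patch file naming why each went would let the next packager decide whether to keep them. The `hpg`/`hpgl` entries left as context still wrap `%o` in backticks inside a shell command; this commit does not touch them, but they belong on the same risk list as the Ghostscript lines, since the `%o` substitution is done by delegate code not visible here.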
diff --git a/image-sanity-check.patch b/image-sanity-check.patch
new file mode 100644 (file)
index 0000000..6b99c25
--- /dev/null
@@ -0,0 +1,28 @@
+diff -r 33200fc645f6 magick/render.c\r
+--- a/magick/render.c  Sat Nov 07 14:49:16 2015 -0600\r
++++ b/magick/render.c  Sun May 08 18:21:47 2016 -0500\r
+@@ -4096,6 +4096,24 @@\r
+           &image->exception);\r
+       else\r
+         {\r
++          /*\r
++            Sanity check URL/path before passing it to ReadImage()\r
++\r
++            This is a temporary fix until suitable flags can be passed\r
++            to keep SetImageInfo() from doing potentially dangerous\r
++            magick things.\r
++          */\r
++#define VALID_PREFIX(str,url) (LocaleNCompare(str,url,sizeof(str)-1) == 0)\r
++          if (!VALID_PREFIX("http://", primitive_info->text) &&\r
++              !VALID_PREFIX("https://", primitive_info->text) &&\r
++              !VALID_PREFIX("ftp://", primitive_info->text)  &&\r
++              !(IsAccessibleNoLogging(primitive_info->text))\r
++              )\r
++            {\r
++              ThrowException(&image->exception,FileOpenError,UnableToOpenFile,primitive_info->text);\r
++              status=MagickFail;\r
++              break;\r
++            }\r
+           (void) strlcpy(clone_info->filename,primitive_info->text,\r
+             MaxTextExtent);\r
+           composite_image=ReadImage(clone_info,&image->exception);\r
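Review bot: `#define VALID_PREFIX(str,url)` is defined inside the function body and never `#undef`'d, so it stays visible for the rest of magick/render.c, and `sizeof(str)-1` is the prefix length only when `str` is a string literal — a `char *` argument would silently compare pointer-size-minus-one bytes. Add `#undef VALID_PREFIX` right after the `if`, or replace the macro with a `static` helper that takes an explicit prefix length. The parameter names also read backwards: `str` is the prefix and `url` is the text under test, so `(prefix,text)` would match the call sites. On the check itself, an accessible local path passes unchanged — the comment already calls this a temporary fix, but the residual risk that a drawing primitive naming a readable local file is still read as an image deserves a sentence there, as does the fact that the three URL prefixes keep drawing input able to trigger a fetch. The enclosing function and the `switch`/loop that the `break` leaves both start and end outside the hunk.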