From 366755ee745e7503a023d4c37a916c6058d70be4 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Elan=20Ruusam=C3=A4e?= <glen@delfi.ee>
Date: Tue, 17 May 2016 12:22:36 +0300
Subject: [PATCH] "ImageTragick" related security fixes - related:
 CVE-2016-3714, CVE-2016-3718, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717

patches from mailing list archive
---
 GraphicsMagick.spec             | 19 +++++---
 disable-mvg-ext.patch           | 11 +++++
 disable-tmp-magick-prefix.patch | 13 ++++++
 elegates-safer.patch            | 77 +++++++++++++++++++++++++++++++++
 image-sanity-check.patch        | 28 ++++++++++++
 5 files changed, 143 insertions(+), 5 deletions(-)
 create mode 100644 disable-mvg-ext.patch
 create mode 100644 disable-tmp-magick-prefix.patch
 create mode 100644 elegates-safer.patch
 create mode 100644 image-sanity-check.patch

diff --git a/GraphicsMagick.spec b/GraphicsMagick.spec
index 4ecf644..da9adde 100644
--- a/GraphicsMagick.spec
+++ b/GraphicsMagick.spec
@@ -5,11 +5,11 @@
 %bcond_without	jasper		# without JPEG2000 module (which uses jasper library)
 %bcond_without	cxx		# without Magick++ library
 %bcond_without	openmp		# OpenMP support
-#
-%include	/usr/lib/rpm/macros.perl
-%define		QuantumDepth	16
+
 %define	pdir	Graphics
 %define	pnam	Magick
+%define	QuantumDepth	16
+%include	/usr/lib/rpm/macros.perl
 Summary:	Image display, conversion, and manipulation under X
 Summary(de.UTF-8):	Darstellen, Konvertieren und Bearbeiten von Grafiken unter X
 Summary(es.UTF-8):	Exhibidor, convertidor y manipulador de imÃ¡genes bajo X
@@ -21,13 +21,18 @@ Summary(tr.UTF-8):	X altÄ±nda resim gÃ¶sterme, Ã§evirme ve deÄiÅiklik yapma
 Summary(uk.UTF-8):	ÐÐµÑÐµÐ³Ð»ÑÐ´, ÐºÐ¾Ð½Ð²ÐµÑÑÑÐ²Ð°Ð½Ð½Ñ ÑÐ° Ð¾Ð±ÑÐ¾Ð±ÐºÐ° Ð·Ð¾Ð±ÑÐ°Ð¶ÐµÐ½Ñ Ð¿ÑÐ´ X Window
 Name:		GraphicsMagick
 Version:	1.3.23
-Release:	1
+Release:	2
 License:	MIT
 Group:		X11/Applications/Graphics
 Source0:	http://downloads.sourceforge.net/graphicsmagick/%{name}-%{version}.tar.xz
 # Source0-md5:	9885ff5d91bc215a0adb3be1185e9777
 Patch0:		%{name}-link.patch
 Patch1:		%{name}-ldflags.patch
+# https://sourceforge.net/p/graphicsmagick/mailman/message/35072963/
+Patch2:		elegates-safer.patch
+Patch3:		disable-mvg-ext.patch
+Patch4:		disable-tmp-magick-prefix.patch
+Patch5:		image-sanity-check.patch
 URL:		http://www.graphicsmagick.org/
 BuildRequires:	autoconf >= 2.69
 BuildRequires:	automake >= 1:1.11
@@ -562,6 +567,10 @@ Dokumentacja do GraphicsMagick.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 
 find PerlMagick scripts www -type f -exec perl -pi -e 's=!%{_prefix}/local/bin/perl=!%{__perl}=' {} \;
 
@@ -598,7 +607,7 @@ install -d $RPM_BUILD_ROOT%{_examplesdir}/%{name}-perl-%{version}
 	DESTDIR=$RPM_BUILD_ROOT \
 	pkgdocdir=%{_docdir}/%{name}-devel-%{version}
 
-install PerlMagick/demo/* $RPM_BUILD_ROOT%{_examplesdir}/%{name}-perl-%{version}
+cp -p PerlMagick/demo/* $RPM_BUILD_ROOT%{_examplesdir}/%{name}-perl-%{version}
 
 %clean
 rm -rf $RPM_BUILD_ROOT
diff --git a/disable-mvg-ext.patch b/disable-mvg-ext.patch
new file mode 100644
index 0000000..3eeaf04
--- /dev/null
+++ b/disable-mvg-ext.patch
@@ -0,0 +1,11 @@
+diff -r 33200fc645f6 coders/mvg.c
+--- a/coders/mvg.c	Sat Nov 07 14:49:16 2015 -0600
++++ b/coders/mvg.c	Sat May 07 20:11:54 2016 -0500
+@@ -234,6 +234,7 @@
+   entry->seekable_stream=True;
+   entry->description="Magick Vector Graphics";
+   entry->module="MVG";
++  entry->extension_treatment=IgnoreExtensionTreatment;
+   (void) RegisterMagickInfo(entry);
+ }
+ 
diff --git a/disable-tmp-magick-prefix.patch b/disable-tmp-magick-prefix.patch
new file mode 100644
index 0000000..0ff6abc
--- /dev/null
+++ b/disable-tmp-magick-prefix.patch
@@ -0,0 +1,13 @@
+diff -r 33200fc645f6 magick/image.c
+--- a/magick/image.c	Sat Nov 07 14:49:16 2015 -0600
++++ b/magick/image.c	Sat May 07 20:12:57 2016 -0500
+@@ -2780,9 +2780,6 @@
+               (void) strlcpy(image_info->magick,magic,MaxTextExtent);
+               if (LocaleCompare(magic,"TMP") != 0)
+                 image_info->affirm=MagickTrue;
+-              else
+-                /* input file will be automatically removed */
+-                image_info->temporary=MagickTrue;
+             }
+         }
+     }
diff --git a/elegates-safer.patch b/elegates-safer.patch
new file mode 100644
index 0000000..bdff215
--- /dev/null
+++ b/elegates-safer.patch
@@ -0,0 +1,77 @@
+diff -r 33200fc645f6 config/delegates.mgk.in
+--- a/config/delegates.mgk.in	Sat Nov 07 14:49:16 2015 -0600
++++ b/config/delegates.mgk.in	Sun May 08 18:23:04 2016 -0500
+@@ -78,28 +78,27 @@
+   <delegate decode="dvi" command='"@DVIDecodeDelegate@" -q -o "%o" "%i"' />
+   <delegate decode="edit" stealth="True" command='"@EditorDelegate@" -title "Edit Image Comment" -e vi "%o"' />
+   <delegate decode="emf" command='"@WMFDecodeDelegate@" -o "%o" "%i"' />
+-  <delegate decode="eps" encode="pdf" mode="bi" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPDFDevice@ "-sOutputFile=%o" -- "%i" -c quit' />
+-  <delegate decode="eps" encode="ps" mode="bi" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPSDevice@ "-sOutputFile=%o" -- "%i" -c quit' />
++  <delegate decode="eps" encode="pdf" mode="bi" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPDFDevice@ "-sOutputFile=%o" -- "%i" -c quit' />
++  <delegate decode="eps" encode="ps" mode="bi" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPSDevice@ "-sOutputFile=%o" -- "%i" -c quit' />
+   <delegate decode="fig" command='"@FIGDecodeDelegate@" -L ps "%i" "%o"' />
+-  <delegate decode="gplt" command='"@EchoDelegate@" "set size 1.25,0.62; set terminal postscript portrait color solid; set output \"%o\"; load \"%i\"" > "%u"; "@GnuplotDecodeDelegate@" "%u"' />
+ 
+   <!-- Read monochrome Postscript, EPS, and PDF  -->
+-  <delegate decode="gs-mono" stealth="True" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSMonoDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />
++  <delegate decode="gs-mono" stealth="True" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSMonoDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />
+ 
+   <!-- Read grayscale Postscript, EPS, and PDF  -->
+-  <delegate decode="gs-gray" stealth="True" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSGrayDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />
++  <delegate decode="gs-gray" stealth="True" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSGrayDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />
+ 
+   <!-- Read colormapped Postscript, EPS, and PDF  -->
+-  <delegate decode="gs-palette" stealth="True" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPaletteDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />
++  <delegate decode="gs-palette" stealth="True" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPaletteDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />
+ 
+   <!-- Read color Postscript, EPS, and PDF  -->
+-  <delegate decode="gs-color" stealth="True" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSColorDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />
++  <delegate decode="gs-color" stealth="True" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSColorDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />
+ 
+   <!-- Read color+alpha Postscript, EPS, and PDF  -->
+-  <delegate decode="gs-color+alpha" stealth="True" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSColorAlphaDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />
++  <delegate decode="gs-color+alpha" stealth="True" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSColorAlphaDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />
+ 
+   <!-- Read CMYK Postscript, EPS, and PDF  -->
+-  <delegate decode="gs-cmyk" stealth="True" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSCMYKDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />
++  <delegate decode="gs-cmyk" stealth="True" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSCMYKDevice@ -dTextAlphaBits=%u -dGraphicsAlphaBits=%u -r%s %s "-sOutputFile=%s" -- "%s" -c quit' />
+ 
+   <delegate decode="hpg" command='"@HPGLDecodeDelegate@" -q -m eps -f `basename "%o"` "%i" && mv -f `basename "%o"` "%o"' />
+   <delegate decode="hpgl" command='"@HPGLDecodeDelegate@" -q -m eps -f `basename "%o"` "%i" && mv -f `basename "%o"` "%o"' />
+@@ -108,16 +107,14 @@
+   <!-- Read HTML file  -->
+   <delegate decode="html" command='"@HTMLDecodeDelegate@" -U -o "%o" "%i"' />
+   <delegate decode="ilbm" command='"@ILBMDecodeDelegate@" "%i" > "%o"' />
+-  <!-- Read UNIX manual page  -->
+-  <delegate decode="man" command='"@MANDelegate@" -man -Tps "%i" > "%o"' />
+   <!-- Read MPEG file using mpeg2decode  -->
+   <delegate decode="mpeg" command='"@MPEGDecodeDelegate@" -q -b "%i" -f -o3 "%u%%05d"; @GMDelegate@ convert -temporary "%u*.ppm" "miff:%o" ; rm -f "%u"*.ppm ' />
+   <!-- Write MPEG file using mpeg2encode -->
+   <delegate encode="mpeg-encode" stealth="True" command='"@MPEGEncodeDelegate@" "%i" "%o"' />
+   <!-- Convert PDF to Encapsulated Poscript using Ghostscript -->
+-  <delegate decode="pdf" encode="eps" mode="bi" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSEPSDevice@ "-sOutputFile=%o" -- "%i" -c quit' />
++  <delegate decode="pdf" encode="eps" mode="bi" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSEPSDevice@ "-sOutputFile=%o" -- "%i" -c quit' />
+   <!-- Convert PDF to Postcript using Ghostscript -->
+-  <delegate decode="pdf" encode="ps" mode="bi" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPSDevice@ "-sOutputFile=%o" -- "%i" -c quit' />
++  <delegate decode="pdf" encode="ps" mode="bi" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPSDevice@ "-sOutputFile=%o" -- "%i" -c quit' />
+   <!-- Convert PNM file to ILBM format using ppmtoilbm -->
+   <delegate decode="pnm" encode="ilbm" mode="encode" command='"@ILBMEncodeDelegate@" -24if "%i" > "%o"' />
+   <delegate decode="pnm" encode="launch" mode="encode" command='"@LaunchDelegate@" "%i"' />
+@@ -125,8 +122,8 @@
+   <!-- Read Persistance Of Vision file using povray  -->
+   <delegate decode="pov" command='@POVDelegate@ "+i"%i"" +o"%o" +fn%q +w%w +h%h +a -q9 -kfi"%s" -kff"%n"
+     "@GMDelegate@" convert -adjoin "%o*.png" "%o"' />
+-  <delegate decode="ps" encode="eps" mode="bi" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSEPSDevice@ "-sOutputFile=%o" -- "%i" -c quit' />
+-  <delegate decode="ps" encode="pdf" mode="bi" command='"@PSDelegate@" -q -dBATCH -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPDFDevice@ "-sOutputFile=%o" -- "%i" -c quit' />
++  <delegate decode="ps" encode="eps" mode="bi" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSEPSDevice@ "-sOutputFile=%o" -- "%i" -c quit' />
++  <delegate decode="ps" encode="pdf" mode="bi" command='"@PSDelegate@" -q -dBATCH -dSAFER -dMaxBitmap=50000000 -dNOPAUSE -sDEVICE=@GSPDFDevice@ "-sOutputFile=%o" -- "%i" -c quit' />
+   <delegate decode="ps" encode="print" mode="encode" command='"@PrintDelegate@" "%i"' />
+   <!-- Read Radiance file using ra_ppm -->
+   <delegate decode="rad" command='"@RADDecodeDelegate@" -g 1.0 "%i" "%o"' />
+@@ -141,5 +138,5 @@
+   <delegate decode="txt" encode="ps" mode="bi" command='"@TXTDelegate@" -o "%o" "%i"' />
+   <!-- Render WMF file using wmf2eps (fallback in case libwmf not available) -->
+   <delegate decode="wmf" command='"@WMFDecodeDelegate@" -o "%o" "%i"' />
+-  <delegate encode="show" stealth="True" command='"@GMDelegate@" display -immutable -delay 0 -window_group %g -title "%l of %f" "tmp:%o" &' />
++  <delegate encode="show" stealth="True" command='"@GMDelegate@" display -immutable -delay 0 -window_group %g -title "%l of %f" "%o" &' />
+ </delegatemap>
diff --git a/image-sanity-check.patch b/image-sanity-check.patch
new file mode 100644
index 0000000..6b99c25
--- /dev/null
+++ b/image-sanity-check.patch
@@ -0,0 +1,28 @@
+diff -r 33200fc645f6 magick/render.c
+--- a/magick/render.c	Sat Nov 07 14:49:16 2015 -0600
++++ b/magick/render.c	Sun May 08 18:21:47 2016 -0500
+@@ -4096,6 +4096,24 @@
+           &image->exception);
+       else
+         {
++          /*
++            Sanity check URL/path before passing it to ReadImage()
++
++            This is a temporary fix until suitable flags can be passed
++            to keep SetImageInfo() from doing potentially dangerous
++            magick things.
++          */
++#define VALID_PREFIX(str,url) (LocaleNCompare(str,url,sizeof(str)-1) == 0)
++          if (!VALID_PREFIX("http://", primitive_info->text) &&
++              !VALID_PREFIX("https://", primitive_info->text) &&
++              !VALID_PREFIX("ftp://", primitive_info->text)  &&
++              !(IsAccessibleNoLogging(primitive_info->text))
++              )
++            {
++              ThrowException(&image->exception,FileOpenError,UnableToOpenFile,primitive_info->text);
++              status=MagickFail;
++              break;
++            }
+           (void) strlcpy(clone_info->filename,primitive_info->text,
+             MaxTextExtent);
+           composite_image=ReadImage(clone_info,&image->exception);
-- 
2.44.0