From 519aa12fe24e78e774f0cff8b00c96fb1daea7f7 Mon Sep 17 00:00:00 2001
From: wangxiao65 <287608437@qq.com>
Date: Tue, 12 Jan 2021 15:31:42 +0800
Subject: [PATCH] fix CVE-2020-29599
---
CVE-2020-29599-1.patch | 71 +++++++++++++++++++++++++++++++++
CVE-2020-29599-10.patch | 30 ++++++++++++++
CVE-2020-29599-2.patch | 22 +++++++++++
CVE-2020-29599-3.patch | 31 +++++++++++++++
CVE-2020-29599-4.patch | 33 ++++++++++++++++
CVE-2020-29599-5.patch | 60 ++++++++++++++++++++++++++++
CVE-2020-29599-6.patch | 30 ++++++++++++++
CVE-2020-29599-7.patch | 23 +++++++++++
CVE-2020-29599-8.patch | 24 +++++++++++
CVE-2020-29599-9.patch | 88 +++++++++++++++++++++++++++++++++++++++++
ImageMagick.spec | 15 ++++++-
11 files changed, 426 insertions(+), 1 deletion(-)
create mode 100644 CVE-2020-29599-1.patch
create mode 100644 CVE-2020-29599-10.patch
create mode 100644 CVE-2020-29599-2.patch
create mode 100644 CVE-2020-29599-3.patch
create mode 100644 CVE-2020-29599-4.patch
create mode 100644 CVE-2020-29599-5.patch
create mode 100644 CVE-2020-29599-6.patch
create mode 100644 CVE-2020-29599-7.patch
create mode 100644 CVE-2020-29599-8.patch
create mode 100644 CVE-2020-29599-9.patch
diff --git a/CVE-2020-29599-1.patch b/CVE-2020-29599-1.patch
new file mode 100644
index 0000000..80c1e0a
--- /dev/null
+++ b/CVE-2020-29599-1.patch
@@ -0,0 +1,71 @@
+From a7b2d8328c539da6e79a118a0b8e97462c7daa77 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sun, 10 Nov 2019 14:53:23 -0500
+Subject: [PATCH] Santize ';' from SHOW and WIN delegates
+
+---
+ magick/delegate.c | 26 +++++++++++++++++++++++++-
+ magick/string.c | 4 ++--
+ 2 files changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/magick/delegate.c b/magick/delegate.c
+index 37cd77b39..4fec87fc6 100644
+--- a/magick/delegate.c
++++ b/magick/delegate.c
+@@ -507,6 +507,30 @@ MagickExport int ExternalDelegateCommand(const MagickBooleanType asynchronous,
+ %
+ */
+
++static char *SanitizeDelegateString(const char *source)
++{
++ char
++ *sanitize_source;
++
++ const char
++ *q;
++
++ register char
++ *p;
++
++ static char
++ whitelist[] =
++ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
++ "$-_.+!*'(),{}|\\^~[]`\"><#%/?:@&=";
++
++ sanitize_source=AcquireString(source);
++ p=sanitize_source;
++ q=sanitize_source+strlen(sanitize_source);
++ for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist))
++ *p='_';
++ return(sanitize_source);
++}
++
+ static char *GetMagickPropertyLetter(const ImageInfo *image_info,Image *image,
+ const char letter)
+ {
+@@ -918,7 +942,7 @@ static char *GetMagickPropertyLetter(const ImageInfo *image_info,Image *image,
+ break;
+ }
+ }
+- return(SanitizeString(string));
++ return(SanitizeDelegateString(string));
+ }
+
+ static char *InterpretDelegateProperties(const ImageInfo *image_info,
+diff --git a/magick/string.c b/magick/string.c
+index 828f12a0c..1e4ae55cb 100644
+--- a/magick/string.c
++++ b/magick/string.c
+@@ -1588,10 +1588,10 @@ MagickExport void ResetStringInfo(StringInfo *string_info)
+ % %
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ %
+-% SanitizeString() returns an new string removes all characters except
++% SanitizeString() returns a new string removes all characters except
+ % letters, digits and !#$%&'*+-=?^_`{|}~@.[].
+ %
+-% The returned string shoud be freed using DestoryString().
++% Free the sanitized string with DestroyString().
+ %
+ % The format of the SanitizeString method is:
+ %
diff --git a/CVE-2020-29599-10.patch b/CVE-2020-29599-10.patch
new file mode 100644
index 0000000..7f266e9
--- /dev/null
+++ b/CVE-2020-29599-10.patch
@@ -0,0 +1,30 @@
+From 83ec5b5b8ee7cae891fff59340be207b513a030d Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sat, 21 Nov 2020 13:26:16 +0000
+Subject: [PATCH] restore passphrase support when rendering PDF's
+
+---
+ coders/pdf.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index 31efd06e5..ce4f7a5f1 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -611,14 +611,13 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ (void) ConcatenateMagickString(options,"-dUseTrimBox ",MaxTextExtent);
+ if (stop_on_error != MagickFalse)
+ (void) ConcatenateMagickString(options,"-dPDFSTOPONERROR ",MaxTextExtent);
+- option=GetImageOption(image_info,"authenticate");
+- if (option != (char *) NULL)
++ if (image_info->authenticate != (char *) NULL)
+ {
+ char
+ passphrase[MagickPathExtent],
+ *sanitize_passphrase;
+
+- sanitize_passphrase=SanitizeDelegateString(option);
++ sanitize_passphrase=SanitizeDelegateString(image_info->authenticate);
+ (void) FormatLocaleString(passphrase,MagickPathExtent,
+ "'-sPDFPassword=%s' ",sanitize_passphrase);
+ sanitize_passphrase=DestroyString(sanitize_passphrase);
diff --git a/CVE-2020-29599-2.patch b/CVE-2020-29599-2.patch
new file mode 100644
index 0000000..e211da1
--- /dev/null
+++ b/CVE-2020-29599-2.patch
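Review bot: SanitizeDelegateString() in magick/delegate.c is added with no comment saying what its result is safe for, and its allow-list still contains `$`, backtick, `|`, `&`, `<`, `>` and `"`. Once CVE-2020-29599-2.patch and -3.patch are applied, the only character it strips beyond SanitizeString() on a non-Windows build is `'`, so the returned string is inert only where the delegate command wraps it in single quotes; the delegate templates are not visible here, so that should be confirmed for every `%` escape served by GetMagickPropertyLetter(). I would add above the function `/* Replaces characters outside the allow-list with '_'; the result still contains shell metacharacters and is only safe inside '...' quoting. */` and declare the table `static const char`.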
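Review bot: The return value of `FormatLocaleString(passphrase,MagickPathExtent,"'-sPDFPassword=%s' ",sanitize_passphrase)` is discarded, so a passphrase too long for `passphrase[MagickPathExtent]` is silently truncated and the closing `'` is lost before the buffer is appended to `options`. `image_info->authenticate` has no visible length bound in this hunk, and an unbalanced quote in the Ghostscript command line undoes the quoting this fix depends on. Assuming FormatLocaleString() reports the untruncated length the way snprintf() does, I would skip the option when it does not fit, e.g. `if (FormatLocaleString(passphrase,MagickPathExtent,"'-sPDFPassword=%s' ",sanitize_passphrase) < (ssize_t) MagickPathExtent)` guarding the ConcatenateMagickString() call. The same call is introduced by CVE-2020-29599-9.patch, and the ConcatenateMagickString() line itself lies just past the end of this hunk.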
@@ -0,0 +1,22 @@
+From 2eead004825d31e8f49022f0bc4ca0d3457b0bb1 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Wed, 20 Nov 2019 07:20:50 -0500
+Subject: [PATCH] Santize "'" from SHOW and WIN delegates
+
+---
+ magick/delegate.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/magick/delegate.c b/magick/delegate.c
+index 4fec87fc6..32beeb15e 100644
+--- a/magick/delegate.c
++++ b/magick/delegate.c
+@@ -521,7 +521,7 @@ static char *SanitizeDelegateString(const char *source)
+ static char
+ whitelist[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
+- "$-_.+!*'(),{}|\\^~[]`\"><#%/?:@&=";
++ "$-_.+!*;(),{}|\\^~[]`\"><#%/?:@&=";
+
+ sanitize_source=AcquireString(source);
+ p=sanitize_source;
diff --git a/CVE-2020-29599-3.patch b/CVE-2020-29599-3.patch
new file mode 100644
index 0000000..60d1d1d
--- /dev/null
+++ b/CVE-2020-29599-3.patch
@@ -0,0 +1,31 @@
+From 20f520ed5c8541ae6646bc38d9d3b480785be6c3 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 25 Nov 2019 13:33:50 -0500
+Subject: [PATCH] Per Enzo Puig, santize "'" from SHOW and WIN delegates under
+ Linux, '"\' for Windows
+
+---
+ magick/delegate.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/magick/delegate.c b/magick/delegate.c
+index 32beeb15e..bc83401fd 100644
+--- a/magick/delegate.c
++++ b/magick/delegate.c
+@@ -519,9 +519,15 @@ static char *SanitizeDelegateString(const char *source)
+ *p;
+
+ static char
++#if defined(MAGICKCORE_WINDOWS_SUPPORT)
+ whitelist[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
+- "$-_.+!*;(),{}|\\^~[]`\"><#%/?:@&=";
++ "$-_.+!;*(),{}|^~[]`\'><#%/?:@&=";
++#else
++ whitelist[] =
++ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
++ "$-_.+!;*(),{}|\\^~[]`\"><#%/?:@&=";
++#endif
+
+ sanitize_source=AcquireString(source);
+ p=sanitize_source;
diff --git a/CVE-2020-29599-4.patch b/CVE-2020-29599-4.patch
new file mode 100644
index 0000000..c58a8ce
--- /dev/null
+++ b/CVE-2020-29599-4.patch
@@ -0,0 +1,33 @@
+From a2b3dd8455da2f17849b55e6b6ddcce587e4a323 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 16 Nov 2020 17:01:57 +0000
+Subject: [PATCH] shell injection vulnerability via the -authenticate option
+
+---
+ coders/pdf.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index 5e4edc760..63eda5d81 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -588,11 +588,14 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (option != (char *) NULL)
+ {
+ char
+- passphrase[MaxTextExtent];
+-
+- (void) FormatLocaleString(passphrase,MaxTextExtent,
+- "\"-sPDFPassword=%s\" ",option);
+- (void) ConcatenateMagickString(options,passphrase,MaxTextExtent);
++ message[MagickPathExtent],
++ *passphrase;
++
++ passphrase=SanitizeString(option);
++ (void) FormatLocaleString(message,MagickPathExtent,
++ "\"-sPDFPassword=%s\" ",passphrase);
++ passphrase=DestroyString(passphrase);
++ (void) ConcatenateMagickString(options,message,MagickPathExtent);
+ }
+ read_info=CloneImageInfo(image_info);
+ *read_info->magick='\0';
diff --git a/CVE-2020-29599-5.patch b/CVE-2020-29599-5.patch
new file mode 100644
index 0000000..e9f048a
--- /dev/null
+++ b/CVE-2020-29599-5.patch
@@ -0,0 +1,60 @@
+From 7b0cce080345e5b7ef26d122f18809c93a19a80e Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 16 Nov 2020 18:17:31 +0000
+Subject: [PATCH] fix shell injection vulnerability via the -authenticate
+ option
+
+---
+ coders/pdf.c | 15 ++++++---------
+ magick/string.c | 8 +++++++-
+ 2 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index 63eda5d81..074ba3f64 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -585,17 +585,14 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (stop_on_error != MagickFalse)
+ (void) ConcatenateMagickString(options,"-dPDFSTOPONERROR ",MaxTextExtent);
+ option=GetImageOption(image_info,"authenticate");
+- if (option != (char *) NULL)
++ if ((option != (char *) NULL) && (strpbrk(option,"&;<>|") == (char *) NULL))
+ {
+ char
+- message[MagickPathExtent],
+- *passphrase;
+-
+- passphrase=SanitizeString(option);
+- (void) FormatLocaleString(message,MagickPathExtent,
+- "\"-sPDFPassword=%s\" ",passphrase);
+- passphrase=DestroyString(passphrase);
+- (void) ConcatenateMagickString(options,message,MagickPathExtent);
++ passphrase[MagickPathExtent];
++
++ (void) FormatLocaleString(passphrase,MagickPathExtent,
++ "\"-sPDFPassword=%s\" ",option);
++ (void) ConcatenateMagickString(options,passphrase,MagickPathExtent);
+ }
+ read_info=CloneImageInfo(image_info);
+ *read_info->magick='\0';
+diff --git a/magick/string.c b/magick/string.c
+index c8ffa086f..7f6eebc3b 100644
+--- a/magick/string.c
++++ b/magick/string.c
+@@ -1604,9 +1604,15 @@ MagickExport char *SanitizeString(const char *source)
+ *p;
+
+ static char
++#if defined(MAGICKCORE_WINDOWS_SUPPORT)
+ whitelist[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
+- "$-_.+!*'(),{}|\\^~[]`\"><#%;/?:@&=";
++ "$-_.+!;*(),{}|^~[]`\'><#%/?:@&=";
++#else
++ whitelist[] =
++ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
++ "$-_.+!;*(),{}|\\^~[]`\"><#%/?:@&=";
++#endif
+
+ sanitize_source=AcquireString(source);
+ p=sanitize_source;
diff --git a/CVE-2020-29599-6.patch b/CVE-2020-29599-6.patch
new file mode 100644
index 0000000..5dbb0d4
--- /dev/null
+++ b/CVE-2020-29599-6.patch
@@ -0,0 +1,30 @@
+From 875fdf773d6e822364f876bed14c1785a01b45a7 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 16 Nov 2020 23:18:42 +0000
+Subject: [PATCH] revert whitelist mod
+
+---
+ magick/string.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/magick/string.c b/magick/string.c
+index 7f6eebc3b..c8ffa086f 100644
+--- a/magick/string.c
++++ b/magick/string.c
+@@ -1604,15 +1604,9 @@ MagickExport char *SanitizeString(const char *source)
+ *p;
+
+ static char
+-#if defined(MAGICKCORE_WINDOWS_SUPPORT)
+ whitelist[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
+- "$-_.+!;*(),{}|^~[]`\'><#%/?:@&=";
+-#else
+- whitelist[] =
+- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
+- "$-_.+!;*(),{}|\\^~[]`\"><#%/?:@&=";
+-#endif
++ "$-_.+!*'(),{}|\\^~[]`\"><#%;/?:@&=";
+
+ sanitize_source=AcquireString(source);
+ p=sanitize_source;
diff --git a/CVE-2020-29599-7.patch b/CVE-2020-29599-7.patch
new file mode 100644
index 0000000..2ff31e5
--- /dev/null
+++ b/CVE-2020-29599-7.patch
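Review bot: SanitizeString() in magick/string.c ends this series with its original allow-list, `'` and `;` included, because the only change made to it (in CVE-2020-29599-5.patch) is undone by CVE-2020-29599-6.patch. The CVE fix therefore covers only the two call sites that the series moves to SanitizeDelegateString(), in GetMagickPropertyLetter() and ReadPDFImage(). Any other caller that passes SanitizeString() output into a delegate or shell command is unchanged; those callers are not visible in this diff, so that is worth checking against the packaged sources. A comment on SanitizeString() such as `/* Not sufficient for shell quoting; use SanitizeDelegateString() for delegate commands. */` would keep the distinction from being lost.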
@@ -0,0 +1,23 @@
+From ab2e97d2f7520d1d9ff36ef421caf2a899e14ce4 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 19 Nov 2020 18:36:05 +0000
+Subject: [PATCH] fix shell injection vulnerability via the -authenticate
+ option
+
+---
+ coders/pdf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index 074ba3f64..ef1567b29 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -585,7 +585,7 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (stop_on_error != MagickFalse)
+ (void) ConcatenateMagickString(options,"-dPDFSTOPONERROR ",MaxTextExtent);
+ option=GetImageOption(image_info,"authenticate");
+- if ((option != (char *) NULL) && (strpbrk(option,"&;<>|") == (char *) NULL))
++ if ((option != (char *) NULL) && (strpbrk(option,"&;<>|\"") == (char *) NULL))
+ {
+ char
+ passphrase[MagickPathExtent];
diff --git a/CVE-2020-29599-8.patch b/CVE-2020-29599-8.patch
new file mode 100644
index 0000000..1acdf13
--- /dev/null
+++ b/CVE-2020-29599-8.patch
@@ -0,0 +1,24 @@
+From 869e38717fa91325da87c2a4cedc148a770a07ec Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 19 Nov 2020 18:39:30 +0000
+Subject: [PATCH] fix shell injection vulnerability via the -authenticate
+ option
+
+---
+ coders/pdf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index ef1567b29..d5ed56596 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -585,7 +585,8 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (stop_on_error != MagickFalse)
+ (void) ConcatenateMagickString(options,"-dPDFSTOPONERROR ",MaxTextExtent);
+ option=GetImageOption(image_info,"authenticate");
+- if ((option != (char *) NULL) && (strpbrk(option,"&;<>|\"") == (char *) NULL))
++ if ((option != (char *) NULL) &&
++ (strpbrk(option,"&;<>|\"'") == (char *) NULL))
+ {
+ char
+ passphrase[MagickPathExtent];
diff --git a/CVE-2020-29599-9.patch b/CVE-2020-29599-9.patch
new file mode 100644
index 0000000..31561cd
--- /dev/null
+++ b/CVE-2020-29599-9.patch
@@ -0,0 +1,88 @@
+From 226804980651bb4eb5f3ba3b9d7e992f2eda4710 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 19 Nov 2020 20:50:44 +0000
+Subject: [PATCH] fix shell injection vulnerability via the -authenticate
+ option
+
+---
+ coders/pdf.c | 46 ++++++++++++++++++++++++++++++++++-------
+ config/delegates.xml.in | 4 ++--
+ 2 files changed, 42 insertions(+), 9 deletions(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index d5ed56596..31efd06e5 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -368,6 +368,36 @@ static inline void CleanupPDFInfo(PDFInfo *pdf_info)
+ pdf_info->profile=DestroyStringInfo(pdf_info->profile);
+ }
+
++static char *SanitizeDelegateString(const char *source)
++{
++ char
++ *sanitize_source;
++
++ const char
++ *q;
++
++ register char
++ *p;
++
++ static char
++#if defined(MAGICKCORE_WINDOWS_SUPPORT)
++ whitelist[] =
++ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
++ "$-_.+!;*(),{}|^~[]`\'><#%/?:@&=";
++#else
++ whitelist[] =
++ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
++ "$-_.+!;*(),{}|\\^~[]`\"><#%/?:@&=";
++#endif
++
++ sanitize_source=AcquireString(source);
++ p=sanitize_source;
++ q=sanitize_source+strlen(sanitize_source);
++ for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist))
++ *p='_';
++ return(sanitize_source);
++}
++
+ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+ char
+@@ -585,14 +615,16 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (stop_on_error != MagickFalse)
+ (void) ConcatenateMagickString(options,"-dPDFSTOPONERROR ",MaxTextExtent);
+ option=GetImageOption(image_info,"authenticate");
+- if ((option != (char *) NULL) &&
+- (strpbrk(option,"&;<>|\"'") == (char *) NULL))
++ if (option != (char *) NULL)
+ {
+ char
+- passphrase[MagickPathExtent];
++ passphrase[MagickPathExtent],
++ *sanitize_passphrase;
+
++ sanitize_passphrase=SanitizeDelegateString(option);
+ (void) 
FormatLocaleString(passphrase,MagickPathExtent, +- "\"-sPDFPassword=%s\" ",option); ++ "'-sPDFPassword=%s' ",sanitize_passphrase); ++ sanitize_passphrase=DestroyString(sanitize_passphrase); + (void) ConcatenateMagickString(options,passphrase,MagickPathExtent); + } + read_info=CloneImageInfo(image_info); +diff --git a/config/delegates.xml.in b/config/delegates.xml.in +index d93387ac1..4fc3acc3f 100644 +--- a/config/delegates.xml.in ++++ b/config/delegates.xml.in +@@ -89,8 +89,8 @@ + + + +- +- ++ ++ + + + diff --git a/ImageMagick.spec b/ImageMagick.spec index dce5bb4..83bfc21 100644 --- a/ImageMagick.spec +++ b/ImageMagick.spec @@ -1,7 +1,7 @@ Name: ImageMagick Epoch: 1 Version: 6.9.10.67 -Release: 8 +Release: 9 Summary: Create, edit, compose, or convert bitmap images License: ImageMagick Url: http://www.imagemagick.org/ @@ -18,6 +18,16 @@ Patch0008: CVE-2020-27765.patch Patch0009: CVE-2020-27766.patch Patch0010: CVE-2020-27767.patch Patch0011: CVE-2020-27770.patch +Patch0012: CVE-2020-29599-1.patch +Patch0013: CVE-2020-29599-2.patch +Patch0014: CVE-2020-29599-3.patch +Patch0015: CVE-2020-29599-4.patch +Patch0016: CVE-2020-29599-5.patch +Patch0017: CVE-2020-29599-6.patch +Patch0018: CVE-2020-29599-7.patch +Patch0019: CVE-2020-29599-8.patch +Patch0020: CVE-2020-29599-9.patch +Patch0021: CVE-2020-29599-10.patch BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel @@ -174,6 +184,9 @@ rm PerlMagick/demo/Generic.ttf %{_libdir}/pkgconfig/ImageMagick++* %changelog +* Tue Jan 12 2021 wangxiao - 6.9.10.67-9 +- fix CVE-2020-29599 + * Mon Jan 04 2021 wangxiao - 6.9.10.67-8 - fix CVE-2020-27759 CVE-2020-27760 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27765 CVE-2020-27765 CVE-2020-27766 CVE-2020-27767 CVE-2020-27770 -- Gitee
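Review bot: SanitizeDelegateString() is copied verbatim into coders/pdf.c as a second `static` function beside the one that CVE-2020-29599-1.patch to -3.patch build in magick/delegate.c, so a later allow-list fix has to be made in two places. A comment such as `/* Keep in sync with SanitizeDelegateString() in magick/delegate.c. */` would at least flag that. Separately, the new format string wraps the value in `'...'` on every platform while the MAGICKCORE_WINDOWS_SUPPORT table keeps `'` and drops `"`; that branch is presumably not compiled for this RPM, but the quote character and the table should be selected by the same `#if`. The config/delegates.xml.in hunk is empty on this page, so the template side of the change cannot be reviewed here.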