diff --git a/CVE-2022-3213-pre1.patch b/CVE-2022-3213-pre1.patch deleted file mode 100644 index 5ead78d58f8db02121d778c137583a7301fa270e..0000000000000000000000000000000000000000 --- a/CVE-2022-3213-pre1.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 4393e83230128de1cb798b67e798101d683380b1 Mon Sep 17 00:00:00 2001 -From: Cristy -Date: Tue, 21 Jun 2022 15:06:40 -0400 -Subject: [PATCH] prevent possible buffer overrun - ---- - coders/tiff.c | 15 ++++++++------- - 1 file changed, 8 insertions(+), 7 deletions(-) - -diff --git a/coders/tiff.c b/coders/tiff.c -index e278ca7c0a..d5e30293db 100644 ---- a/coders/tiff.c -+++ b/coders/tiff.c -@@ -1796,9 +1796,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info, - */ - extent=(samples_per_pixel+1)*TIFFStripSize(tiff); - #if defined(TIFF_VERSION_BIG) -- extent+=image->columns*sizeof(uint64); -+ extent+=samples_per_pixel*sizeof(uint64); - #else -- extent+=image->columns*sizeof(uint32); -+ extent+=samples_per_pixel*sizeof(uint32); - #endif - strip_pixels=(unsigned char *) AcquireQuantumMemory(extent, - sizeof(*strip_pixels)); -@@ -1894,11 +1894,12 @@ static Image *ReadTIFFImage(const ImageInfo *image_info, - number_pixels=(MagickSizeType) columns*rows; - if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse) - ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed"); -- extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff)); -+ extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff), -+ TIFFTileSize(tiff)); - #if defined(TIFF_VERSION_BIG) -- extent+=image->columns*sizeof(uint64); -+ extent+=samples_per_pixel*sizeof(uint64); - #else -- extent+=image->columns*sizeof(uint32); -+ extent+=samples_per_pixel*sizeof(uint32); - #endif - tile_pixels=(unsigned char *) AcquireQuantumMemory(extent, - sizeof(*tile_pixels)); -@@ -1996,9 +1997,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info, - ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed"); - number_pixels=(MagickSizeType) image->columns*image->rows; - #if defined(TIFF_VERSION_BIG) -- number_pixels+=image->columns*sizeof(uint64); -+ number_pixels+=samples_per_pixel*sizeof(uint64); - #else -- number_pixels+=image->columns*sizeof(uint32); -+ number_pixels+=samples_per_pixel*sizeof(uint32); - #endif - generic_info=AcquireVirtualMemory(number_pixels,sizeof(*pixels)); - if (generic_info == (MemoryInfo *) NULL) diff --git a/CVE-2022-3213-pre2.patch b/CVE-2022-3213-pre2.patch deleted file mode 100644 index 46a9e6eba5ccebb45c4c59400fc776de9ef852b1..0000000000000000000000000000000000000000 --- a/CVE-2022-3213-pre2.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 2b4eabb9d09b278f16727c635e928bd951c58773 Mon Sep 17 00:00:00 2001 -From: Cristy -Date: Wed, 29 Jun 2022 19:41:14 -0400 -Subject: [PATCH] eliminate possible buffer overflow - ---- - coders/tiff.c | 19 ++----------------- - 1 file changed, 2 insertions(+), 17 deletions(-) - -diff --git a/coders/tiff.c b/coders/tiff.c -index d5e30293db..d88711f941 100644 ---- a/coders/tiff.c -+++ b/coders/tiff.c -@@ -1794,12 +1794,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info, - /* - Convert stripped TIFF image. - */ -- extent=(samples_per_pixel+1)*TIFFStripSize(tiff); --#if defined(TIFF_VERSION_BIG) -- extent+=samples_per_pixel*sizeof(uint64); --#else -- extent+=samples_per_pixel*sizeof(uint32); --#endif -+ extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff); - strip_pixels=(unsigned char *) AcquireQuantumMemory(extent, - sizeof(*strip_pixels)); - if (strip_pixels == (unsigned char *) NULL) -@@ -1894,13 +1889,8 @@ static Image *ReadTIFFImage(const ImageInfo *image_info, - number_pixels=(MagickSizeType) columns*rows; - if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse) - ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed"); -- extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff), -+ extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff), - TIFFTileSize(tiff)); --#if defined(TIFF_VERSION_BIG) -- extent+=samples_per_pixel*sizeof(uint64); --#else -- extent+=samples_per_pixel*sizeof(uint32); --#endif - tile_pixels=(unsigned char *) AcquireQuantumMemory(extent, - sizeof(*tile_pixels)); - if (tile_pixels == (unsigned char *) NULL) -@@ -1996,11 +1986,6 @@ static Image *ReadTIFFImage(const ImageInfo *image_info, - if (HeapOverflowSanityCheck(image->rows,sizeof(*pixels)) != MagickFalse) - ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed"); - number_pixels=(MagickSizeType) image->columns*image->rows; --#if defined(TIFF_VERSION_BIG) -- number_pixels+=samples_per_pixel*sizeof(uint64); --#else -- number_pixels+=samples_per_pixel*sizeof(uint32); --#endif - generic_info=AcquireVirtualMemory(number_pixels,sizeof(*pixels)); - if (generic_info == (MemoryInfo *) NULL) - ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed"); diff --git a/CVE-2022-3213.patch b/CVE-2022-3213.patch deleted file mode 100644 index f78e4b877973044723bc288a3db19ecd1e575888..0000000000000000000000000000000000000000 --- a/CVE-2022-3213.patch +++ /dev/null @@ -1,22 +0,0 @@ -From 1aea203eb36409ce6903b9e41fe7cb70030e8750 Mon Sep 17 00:00:00 2001 -From: Cristy -Date: Sat, 27 Aug 2022 08:38:18 -0400 -Subject: [PATCH] squash heap-buffer-overflow, PoC TIFF from Hardik - ---- - coders/tiff.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/coders/tiff.c b/coders/tiff.c -index 3165ab925..05549f9e5 100644 ---- a/coders/tiff.c -+++ b/coders/tiff.c -@@ -1798,7 +1798,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info, - /* - Convert stripped TIFF image. - */ -- extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff); -+ extent=4*((image->depth+7)/8)*(samples_per_pixel+1)*TIFFStripSize(tiff); - strip_pixels=(unsigned char *) AcquireQuantumMemory(extent, - sizeof(*strip_pixels)); - if (strip_pixels == (unsigned char *) NULL) diff --git a/CVE-2022-32547.patch b/CVE-2022-32547.patch deleted file mode 100644 index dddc7699140d17ebf3cd06ed4962befd4da4d97c..0000000000000000000000000000000000000000 --- a/CVE-2022-32547.patch +++ /dev/null @@ -1,30 +0,0 @@ -From dc070da861a015d3c97488fdcca6063b44d47a7b Mon Sep 17 00:00:00 2001 -From: Cristy -Date: Sat, 9 Apr 2022 08:40:54 -0400 -Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/pull/5034 - ---- - magick/property.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/magick/property.c b/magick/property.c -index 2d80493dd2..bfc689466d 100644 ---- a/magick/property.c -+++ b/magick/property.c -@@ -1526,12 +1526,14 @@ static MagickBooleanType GetEXIFProperty(const Image *image, - } - case EXIF_FMT_SINGLE: - { -- EXIFMultipleValues(4,"%f",(double) *(float *) p1); -+ EXIFMultipleValues(4,"%.20g",(double) -+ ReadPropertySignedLong(endian,p1)); - break; - } - case EXIF_FMT_DOUBLE: - { -- EXIFMultipleValues(8,"%f",*(double *) p1); -+ EXIFMultipleValues(8,"%.20g",(double) -+ ReadPropertySignedLong(endian,p1)); - break; - } - case EXIF_FMT_STRING: diff --git a/CVE-2022-44267_CVE-2022-44268.patch b/CVE-2022-44267_CVE-2022-44268.patch deleted file mode 100644 index 330a5cea569936ddd31f9230010bb3c33df898e4..0000000000000000000000000000000000000000 --- a/CVE-2022-44267_CVE-2022-44268.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 3c5188b41902a909e163492fb0c19e49efefcefe Mon Sep 17 00:00:00 2001 -From: Cristy -Date: Sat, 22 Oct 2022 13:28:51 -0400 -Subject: [PATCH] possible DoS @ stdin (OCE-2022-70); possible arbitrary file - leak (OCE-2022-72) - ---- - coders/png.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/coders/png.c b/coders/png.c -index dae894d9c..887827636 100644 ---- a/coders/png.c -+++ b/coders/png.c -@@ -3793,13 +3793,14 @@ static Image *ReadOnePNGImage(MngInfo *mng_info, - */ - if (!png_get_valid(ping,ping_info,PNG_INFO_pHYs) || - (LocaleCompare(text[i].key,"density") != 0 && -- LocaleCompare(text[i].key,"units") != 0)) -+ LocaleCompare(text[i].key,"units") != 0)) - { - char - key[MaxTextExtent]; - - (void) FormatLocaleString(key,MaxTextExtent,"%s",text[i].key); - if ((LocaleCompare(key,"version") == 0) || -+ (LocaleCompare(key,"profile") == 0) || - (LocaleCompare(key,"width") == 0)) - (void) FormatLocaleString(key,MagickPathExtent,"png:%s", - text[i].key); diff --git a/ImageMagick-6.9.12-43.tar.xz b/ImageMagick-6.9.12-86.tar.xz similarity index 55% rename from ImageMagick-6.9.12-43.tar.xz rename to ImageMagick-6.9.12-86.tar.xz index bad25602f720c15775cb4e9f68c57c668d8ad981..56c9ca01f84035dfaca5364b32fcfbd5e92de67f 100644 Binary files a/ImageMagick-6.9.12-43.tar.xz and b/ImageMagick-6.9.12-86.tar.xz differ diff --git a/ImageMagick.spec b/ImageMagick.spec index 4a481845f033e39ccaf6ddba5dbc7274e6f0c8ed..ec2d5b090fcd70de8cf4d4370d1866239fe76691 100644 --- a/ImageMagick.spec +++ b/ImageMagick.spec @@ -1,19 +1,11 @@ Name: ImageMagick Epoch: 1 -Version: 6.9.12.43 -Release: 5 +Version: 6.9.12.86 +Release: 1 Summary: Create, edit, compose, or convert bitmap images License: ImageMagick and MIT Url: http://www.imagemagick.org/ -Source0: https://www.imagemagick.org/download/ImageMagick-6.9.12-43.tar.xz - -Patch0001: backport-fix-CVE-2022-1115.patch -Patch0002: CVE-2022-3213-pre1.patch -Patch0003: CVE-2022-3213-pre2.patch -Patch0004: CVE-2022-3213.patch -Patch0005: CVE-2022-32547.patch -Patch0006: CVE-2022-44267_CVE-2022-44268.patch - +Source0: https://www.imagemagick.org/download/ImageMagick-6.9.12-86.tar.xz BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel @@ -79,7 +71,7 @@ Requires: ImageMagick-devel = %{epoch}:%{version}-%{release} Development files for ImageMagick-c++. %prep -%autosetup -n ImageMagick-6.9.12-43 -p1 +%autosetup -n ImageMagick-6.9.12-86 -p1 install -d Magick++/examples cp -p Magick++/demo/*.cpp Magick++/demo/*.miff Magick++/examples @@ -147,7 +139,7 @@ rm PerlMagick/demo/Generic.ttf %{_includedir}/%{name}-6/wand %files help -%doc README.txt NEWS.txt ChangeLog.md QuickStart.txt +%doc README.txt NEWS.txt QuickStart.txt %doc %{_datadir}/doc/ImageMagick-6 %doc %{_datadir}/doc/ImageMagick-6.9.12 %{_mandir}/man[145]/[a-z]* @@ -171,6 +163,9 @@ rm PerlMagick/demo/Generic.ttf %{_libdir}/pkgconfig/ImageMagick++* %changelog +* Mon Apr 24 2023 wangkai <13474090681@163.com> - 1:6.9.12.86-1 +- Update to 6.9.12.86 for Fix CVE-2023-1289,CVE-2023-1906 + * Thu Feb 09 2023 yaoxin - 1:6.9.12.43-5 - Fix CVE-2022-44267 and CVE-2022-44268 diff --git a/backport-fix-CVE-2022-1115.patch b/backport-fix-CVE-2022-1115.patch deleted file mode 100644 index e158711fd1604b9572041098bb1fdf11ed3df801..0000000000000000000000000000000000000000 --- a/backport-fix-CVE-2022-1115.patch +++ /dev/null @@ -1,25 +0,0 @@ -From e88576bc495951a1c08a6e9cdbc2121b4c9d8ac8 Mon Sep 17 00:00:00 2001 -From: cenhuilin -Date: Mon, 5 Sep 2022 06:39:50 +0000 -Subject: [PATCH] heap-buffer-overflow in magick at quantum-private.h PushShortPixel - ---- - coders/tiff.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/coders/tiff.c b/coders/tiff.c -index 8fd1451..b4c94bb 100644 ---- a/coders/tiff.c -+++ b/coders/tiff.c -@@ -1894,7 +1894,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info, - number_pixels=(MagickSizeType) columns*rows; - if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse) - ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed"); -- extent=MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff)); -+ extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff)); - #if defined(TIFF_VERSION_BIG) - extent+=image->columns*sizeof(uint64); - #else --- -2.33.0 -