diff --git a/7.1.0-28.tar.gz b/7.1.1-8.tar.gz
similarity index 64%
rename from 7.1.0-28.tar.gz
rename to 7.1.1-8.tar.gz
index 2f4da9721b2c6a195eb594ae96c7316d52c211a9..d4543d5c320cb077b892d0b3c9db7c5803f598db 100644
Binary files a/7.1.0-28.tar.gz and b/7.1.1-8.tar.gz differ
diff --git a/CVE-2022-3213-pre1.patch b/CVE-2022-3213-pre1.patch
deleted file mode 100644
index a9a24ed7b525aa2a62ee1b34ecc53b76bcfcf63e..0000000000000000000000000000000000000000
--- a/CVE-2022-3213-pre1.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From a854a0a8af977a1b67830f02a53d9eb4d877e10d Mon Sep 17 00:00:00 2001
-From: Cristy
-Date: Tue, 21 Jun 2022 15:06:58 -0400
-Subject: [PATCH] prevent possible buffer overflow
-
----
- coders/tiff.c | 15 ++++++++-------
- 1 file changed, 8 insertions(+), 7 deletions(-)
-
-diff --git a/coders/tiff.c b/coders/tiff.c
-index 49c1677cb7..2b64958930 100644
---- a/coders/tiff.c
-+++ b/coders/tiff.c
-@@ -1903,9 +1903,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
- */
- extent=(samples_per_pixel+1)*TIFFStripSize(tiff);
- #if defined(TIFF_VERSION_BIG)
-- extent+=image->columns*sizeof(uint64);
-+ extent+=samples_per_pixel*sizeof(uint64);
- #else
-- extent+=image->columns*sizeof(uint32);
-+ extent+=samples_per_pixel*sizeof(uint64);
- #endif
- strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
- sizeof(*strip_pixels));
-@@ -2002,11 +2002,12 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
- number_pixels=(MagickSizeType) columns*rows;
- if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
- ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
-- extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
-+ extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
-+ TIFFTileSize(tiff));
- #if defined(TIFF_VERSION_BIG)
-- extent+=image->columns*sizeof(uint64);
-+ extent+=samples_per_pixel*sizeof(uint64);
- #else
-- extent+=image->columns*sizeof(uint32);
-+ extent+=samples_per_pixel*sizeof(uint32);
- #endif
- tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
- sizeof(*tile_pixels));
-@@ -2101,9 +2102,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
- ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
- number_pixels=(MagickSizeType) image->columns*image->rows;
- #if defined(TIFF_VERSION_BIG)
-- number_pixels+=image->columns*sizeof(uint64);
-+ number_pixels+=samples_per_pixel*sizeof(uint64);
- #else
-- number_pixels+=image->columns*sizeof(uint32);
-+ number_pixels+=samples_per_pixel*sizeof(uint32);
- #endif
- generic_info=AcquireVirtualMemory(number_pixels,sizeof(uint32));
- if (generic_info == (MemoryInfo *) NULL)
diff --git a/CVE-2022-3213-pre2.patch b/CVE-2022-3213-pre2.patch
deleted file mode 100644
index 0d4e14e5cd0fb9c2ac7ff8a6fb486ffa7d4ae4f9..0000000000000000000000000000000000000000
--- a/CVE-2022-3213-pre2.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From b11d64704f46cedade2ca3cdcebbc8d1f315035e Mon Sep 17 00:00:00 2001
-From: Cristy
-Date: Tue, 21 Jun 2022 17:14:48 -0400
-Subject: [PATCH] correct copy/paste error
-
----
- coders/tiff.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/coders/tiff.c b/coders/tiff.c
-index 2b64958930..e2c6ca1093 100644
---- a/coders/tiff.c
-+++ b/coders/tiff.c
-@@ -1905,7 +1905,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
- #if defined(TIFF_VERSION_BIG)
- extent+=samples_per_pixel*sizeof(uint64);
- #else
-- extent+=samples_per_pixel*sizeof(uint64);
-+ extent+=samples_per_pixel*sizeof(uint32);
- #endif
- strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
- sizeof(*strip_pixels));
diff --git a/CVE-2022-3213-pre3.patch b/CVE-2022-3213-pre3.patch
deleted file mode 100644
index ac77458640639f287b7f721a63b992aa6ea1be4f..0000000000000000000000000000000000000000
--- a/CVE-2022-3213-pre3.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 309dfda1122f08fcf349b6f611b3b6df994d9297 Mon Sep 17 00:00:00 2001
-From: Cristy
-Date: Wed, 29 Jun 2022 19:40:56 -0400
-Subject: [PATCH] eliminate possible buffer overflow
-
----
- coders/tiff.c | 19 ++-----------------
- 1 file changed, 2 insertions(+), 17 deletions(-)
-
-diff --git a/coders/tiff.c b/coders/tiff.c
-index e2c6ca1093..6bf4b112e1 100644
---- a/coders/tiff.c
-+++ b/coders/tiff.c
-@@ -1901,12 +1901,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
- /*
- Convert stripped TIFF image.
- */
-- extent=(samples_per_pixel+1)*TIFFStripSize(tiff);
--#if defined(TIFF_VERSION_BIG)
-- extent+=samples_per_pixel*sizeof(uint64);
--#else
-- extent+=samples_per_pixel*sizeof(uint32);
--#endif
-+ extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff);
- strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
- sizeof(*strip_pixels));
- if (strip_pixels == (unsigned char *) NULL)
-@@ -2002,13 +1997,8 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
- number_pixels=(MagickSizeType) columns*rows;
- if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
- ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
-- extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
-+ extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
- TIFFTileSize(tiff));
--#if defined(TIFF_VERSION_BIG)
-- extent+=samples_per_pixel*sizeof(uint64);
--#else
-- extent+=samples_per_pixel*sizeof(uint32);
--#endif
- tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
- sizeof(*tile_pixels));
- if (tile_pixels == (unsigned char *) NULL)
-@@ -2101,11 +2091,6 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
- if (HeapOverflowSanityCheck(image->rows,sizeof(*pixels)) != MagickFalse)
- ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
- number_pixels=(MagickSizeType) image->columns*image->rows;
--#if defined(TIFF_VERSION_BIG)
-- number_pixels+=samples_per_pixel*sizeof(uint64);
--#else
-- number_pixels+=samples_per_pixel*sizeof(uint32);
--#endif
- generic_info=AcquireVirtualMemory(number_pixels,sizeof(uint32));
- if (generic_info == (MemoryInfo *) NULL)
- ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
diff --git a/CVE-2022-3213.patch b/CVE-2022-3213.patch
deleted file mode 100644
index 9d5d30a5da4d30ad32bf1bb40932f5ebd5d50474..0000000000000000000000000000000000000000
--- a/CVE-2022-3213.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From 30ccf9a0da1f47161b5935a95be854fe84e6c2a2 Mon Sep 17 00:00:00 2001
-From: Cristy
-Date: Sat, 27 Aug 2022 08:38:57 -0400
-Subject: [PATCH] squash heap-buffer-overflow, PoC TIFF from Hardik
-
----
- coders/tiff.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/coders/tiff.c b/coders/tiff.c
-index 132008efbf..a166bea177 100644
---- a/coders/tiff.c
-+++ b/coders/tiff.c
-@@ -1892,7 +1892,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
- /*
- Convert stripped TIFF image.
- */
-- extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff);
-+ extent=4*((image->depth+7)/8)*(samples_per_pixel+1)*TIFFStripSize(tiff);
- strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
- sizeof(*strip_pixels));
- if (strip_pixels == (unsigned char *) NULL)
diff --git a/CVE-2022-32547.patch b/CVE-2022-32547.patch
deleted file mode 100644
index 14bbe50717df58e725f6aaeed4d680aa9e54e19f..0000000000000000000000000000000000000000
--- a/CVE-2022-32547.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From eac8ce4d873f28bb6a46aa3a662fb196b49b95d0 Mon Sep 17 00:00:00 2001
-From: xiaoxiaoafeifei
-Date: Sat, 9 Apr 2022 20:34:03 +0800
-Subject: [PATCH] fix #5033: runtime error: load of misaligned address (#5034)
-
-* fix Division by zero in XMenuWidget() of MagickCore/widget.c
-
-* Fix memory leak in AnimateImageCommand() of MagickWand/animate.c and DisplayImageCommand() of MagickWand/display.c
-
-* fix Division by zero in ReadEnhMetaFile() of coders/emf.c
-
-* Resolve conflicts
-
-* fix issue: outside the range of representable values of type 'unsigned char' at coders/psd.c:1025
-
-* fix error: 4e+26 is outside the range of representable values of type 'unsigned long' at coders/pcl.c:299
-
-* fix #5033:runtime error: load of misaligned address
-
-Co-authored-by: zhailiangliang
----
- MagickCore/property.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/MagickCore/property.c b/MagickCore/property.c
-index 8175dd1f73..6e72cac157 100644
---- a/MagickCore/property.c
-+++ b/MagickCore/property.c
-@@ -1545,12 +1545,12 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
- }
- case EXIF_FMT_SINGLE:
- {
-- EXIFMultipleValues(4,"%f",(double) *(float *) p1);
-+ EXIFMultipleValues(4,"%f",(double)ReadPropertySignedLong(endian,p1));
- break;
- }
- case EXIF_FMT_DOUBLE:
- {
-- EXIFMultipleValues(8,"%f",*(double *) p1);
-+ EXIFMultipleValues(8,"%f",(double)ReadPropertySignedLong(endian,p1));
- break;
- }
- case EXIF_FMT_STRING:
diff --git a/CVE-2022-44267_CVE-2022-44268.patch b/CVE-2022-44267_CVE-2022-44268.patch
deleted file mode 100644
index be18c013a7498a6a3454ab22e310aa1a83365600..0000000000000000000000000000000000000000
--- a/CVE-2022-44267_CVE-2022-44268.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From 05673e63c919e61ffa1107804d1138c46547a475 Mon Sep 17 00:00:00 2001
-From: Cristy
-Date: Sat, 22 Oct 2022 13:28:46 -0400
-Subject: [PATCH] possible DoS @ stdin (OCE-2022-70); possible arbitrary file
- leak (OCE-2022-72)
-
----
- coders/png.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/coders/png.c b/coders/png.c
-index c83d937c93..4f8c8909bf 100644
---- a/coders/png.c
-+++ b/coders/png.c
-@@ -3980,6 +3980,7 @@ static Image *ReadOnePNGImage(MngInfo *mng_info,
- (void) FormatLocaleString(key,MagickPathExtent,"%s",
- text[i].key);
- if ((LocaleCompare(key,"version") == 0) ||
-+ (LocaleCompare(key,"profile") == 0) ||
- (LocaleCompare(key,"width") == 0))
- (void) FormatLocaleString(key,MagickPathExtent,"png:%s",
- text[i].key);
diff --git a/ImageMagick.spec b/ImageMagick.spec
index 1eb5f75409a3c91713240465f54c7c1505cfa97f..e6aff57a844aa941105297f19df36ce193ed556b 100644
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@@ -1,20 +1,11 @@
 Name: ImageMagick
 Epoch: 1
-Version: 7.1.0.28
-Release: 6
+Version: 7.1.1.8
+Release: 1
 Summary: Create, edit, compose, or convert bitmap images
 License: ImageMagick and MIT
 Url: http://www.imagemagick.org/
-Source0: https://github.com/ImageMagick/ImageMagick/archive/refs/tags/7.1.0-28.tar.gz
-
-Patch0001: backport-fix-CVE-2022-2719.patch
-Patch0002: backport-fix-CVE-2022-1115.patch
-Patch0003: CVE-2022-3213-pre1.patch
-Patch0004: CVE-2022-3213-pre2.patch
-Patch0005: CVE-2022-3213-pre3.patch
-Patch0006: CVE-2022-3213.patch
-Patch0007: CVE-2022-32547.patch
-Patch0008: CVE-2022-44267_CVE-2022-44268.patch
+Source0: https://github.com/ImageMagick/ImageMagick/archive/refs/tags/7.1.1-8.tar.gz
 BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
 BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
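Review bot: The eight `Patch0001`–`Patch0008` lines are dropped in the same hunk as the bump to `Version: 7.1.1.8`, and nothing in the spec records that the 7.1.1-8 tarball already carries those fixes (CVE-2022-2719, CVE-2022-1115, CVE-2022-3213 with its three prerequisite patches, CVE-2022-32547, CVE-2022-44267/44268). They are presumably merged upstream, but that is inferred rather than shown here, and the new `%changelog` entry in the last hunk of this file names only CVE-2023-1289 and CVE-2023-1906. I would confirm each one against the new source (the `extent` calculations in `coders/tiff.c`, the `profile` key comparison in `coders/png.c`, the EXIF single/double reads in `MagickCore/property.c`) and add a changelog line such as `- Drop backported CVE-2022-* patches, included in upstream 7.1.1-8`, so a later audit does not read the deletions as lost fixes.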
@@ -81,7 +72,7 @@ Requires: ImageMagick-devel = %{epoch}:%{version}-%{release}
 Development files for ImageMagick-c++.
 %prep
-%autosetup -n ImageMagick-7.1.0-28 -p1
+%autosetup -n ImageMagick-7.1.1-8 -p1
 install -d Magick++/examples
 cp -p Magick++/demo/*.cpp Magick++/demo/*.miff Magick++/examples
@@ -98,7 +89,7 @@ export CFLAGS="%{optflags} -DIMPNG_SETJMP_IS_THREAD_SAFE"
 %install
 %make_install
-cp -a www/source %{buildroot}%{_datadir}/doc/ImageMagick-7.1.0
+cp -a www/source %{buildroot}%{_datadir}/doc/ImageMagick-7.1.1
 rm %{buildroot}%{_libdir}/*.la
 %{__perl} -MExtUtils::MakeMaker -e 'MY->fixin(@ARGV)' PerlMagick/demo/*.pl
@@ -127,7 +118,7 @@ rm PerlMagick/demo/Generic.ttf
 %{_bindir}/[a-z]*
 %{_libdir}/libMagickCore-7.Q16HDRI.so.10*
 %{_libdir}/libMagickWand-7.Q16HDRI.so.10*
-%{_libdir}/ImageMagick-7.1.0
+%{_libdir}/ImageMagick-7.1.1
 %{_datadir}/ImageMagick-7
 %dir %{_sysconfdir}/ImageMagick-7
 %config(noreplace) %{_sysconfdir}/ImageMagick-7/*.xml
@@ -145,9 +136,9 @@ rm PerlMagick/demo/Generic.ttf
 %{_includedir}/%{name}-7/MagickCore/*
 %files help
-%doc README.txt NEWS.txt ChangeLog.md QuickStart.txt
+%doc README.txt NEWS.txt QuickStart.txt
 %doc %{_datadir}/doc/ImageMagick-7
-%doc %{_datadir}/doc/ImageMagick-7.1.0
+%doc %{_datadir}/doc/ImageMagick-7.1.1
 %{_mandir}/man[145]/[a-z]*
 %{_mandir}/man1/*
 %{_mandir}/man3/*
@@ -169,6 +160,9 @@ rm PerlMagick/demo/Generic.ttf
 %{_libdir}/pkgconfig/ImageMagick*
 %changelog
+* Mon Apr 24 2023 wangkai <13474090681@163.com> - 1:7.1.1.8-1
+- Update to 7.1.1.8 for Fix CVE-2023-1289,CVE-2023-1906
+
 * Thu Feb 09 2023 yaoxin - 1:7.1.0.28-6
 - Fix CVE-2022-44267 and CVE-2022-44268
diff --git a/backport-fix-CVE-2022-1115.patch b/backport-fix-CVE-2022-1115.patch
deleted file mode 100644
index 1c06d9d922f1aaf73b3ddf0403685e00fdcbb80b..0000000000000000000000000000000000000000
--- a/backport-fix-CVE-2022-1115.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 7c8ab995a65a32b8283297226e108ce828a5679a Mon Sep 17 00:00:00 2001
-From: cenhuilin
-Date: Fri, 19 Aug 2022 21:02:49 +0800
-Subject: [PATCH] heap-buffer-overflow in magick at quantum-private.h PushShortPixel
-
----
- coders/tiff.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/coders/tiff.c b/coders/tiff.c
-index 31839f6..32ae00a 100644
---- a/coders/tiff.c
-+++ b/coders/tiff.c
-@@ -1987,7 +1987,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
- number_pixels=(MagickSizeType) columns*rows;
- if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
- ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
-- extent=MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
-+ extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
- #if defined(TIFF_VERSION_BIG)
- extent+=image->columns*sizeof(uint64);
- #else
---
-2.33.0
-
diff --git a/backport-fix-CVE-2022-2719.patch b/backport-fix-CVE-2022-2719.patch
deleted file mode 100644
index f3bf2e6b2f061c0e99530bb67ad33bb76c1f1eed..0000000000000000000000000000000000000000
--- a/backport-fix-CVE-2022-2719.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-From 7a358f02b613cdb22ca2461ad50275b9e77cb9bd Mon Sep 17 00:00:00 2001
-From: cenhuilin
-Date: Wed, 10 Aug 2022 03:55:57 +0000
-Subject: [PATCH] do not attempt to write a null image list
-
----
- MagickWand/operation.c | 3 ++-
- coders/tim2.c | 22 ++++++++++------------
- 2 files changed, 12 insertions(+), 13 deletions(-)
-
-diff --git a/MagickWand/operation.c b/MagickWand/operation.c
-index 383dc7c..9559603 100644
---- a/MagickWand/operation.c
-+++ b/MagickWand/operation.c
-@@ -4923,7 +4923,8 @@ WandPrivate void CLINoImageOperator(MagickCLI *cli_wand,
- (void) DeleteImageRegistry(key);
- write_images=CloneImageList(_images,_exception);
- write_info=CloneImageInfo(_image_info);
-- (void) WriteImages(write_info,write_images,arg1,_exception);
-+ if (write_images != (Image *) NULL)
-+ (void) WriteImages(write_info,write_images,arg1,_exception);
- write_info=DestroyImageInfo(write_info);
- write_images=DestroyImageList(write_images);
- break;
-diff --git a/coders/tim2.c b/coders/tim2.c
-index e55170d..c333b86 100644
---- a/coders/tim2.c
-+++ b/coders/tim2.c
-@@ -61,7 +61,6 @@
- #include "MagickCore/string_.h"
- #include "MagickCore/module.h"
-
--
- /*
- Typedef declarations
- */
-@@ -124,7 +123,6 @@ typedef enum
- RGBA16=2,
- } TIM2ColorEncoding;
-
--
- /*
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- % %
-@@ -142,7 +140,8 @@ typedef enum
- %
- % The format of the ReadTIM2Image method is:
- %
--% Image *ReadTIM2Image(const ImageInfo *image_info,ExceptionInfo *exception)
-+% Image *ReadTIM2Image(const ImageInfo *image_info,
-+% ExceptionInfo *exception)
- %
- % A description of each parameter follows:
- %
-@@ -600,13 +599,13 @@ static MagickBooleanType ReadTIM2ImageData(const ImageInfo *image_info,
- image_info->filename);
- break;
- }
-- if (csm==CSM1)
-+ if (csm == CSM1)
- {
- PixelInfo
- *oldColormap;
-
-- oldColormap=(PixelInfo *) AcquireQuantumMemory((size_t)(image->colors)+1,
-- sizeof(*image->colormap));
-+ oldColormap=(PixelInfo *) AcquireQuantumMemory((size_t)(image->colors)+
-+ 1,sizeof(*image->colormap));
- if (oldColormap == (PixelInfo *) NULL)
- ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
- image_info->filename);
-@@ -617,7 +616,8 @@ static MagickBooleanType ReadTIM2ImageData(const ImageInfo *image_info,
- return(status);
- }
-
--static Image *ReadTIM2Image(const ImageInfo *image_info,ExceptionInfo *exception)
-+static Image *ReadTIM2Image(const ImageInfo *image_info,
-+ ExceptionInfo *exception)
- {
- Image
- *image;
-@@ -626,6 +626,7 @@ static Image *ReadTIM2Image(const ImageInfo *image_info,ExceptionInfo *exception
- status;
-
- ssize_t
-+ i,
- str_read;
-
- TIM2FileHeader
-@@ -685,7 +686,7 @@ static Image *ReadTIM2Image(const ImageInfo *image_info,ExceptionInfo *exception
- */
- if (file_header.image_count != 1)
- ThrowReaderException(CoderError,"NumberOfImagesIsNotSupported");
-- for (int i=0; i < file_header.image_count; ++i)
-+ for (i=0; i < (ssize_t) file_header.image_count; i++)
- {
- char
- clut_depth,
-@@ -780,8 +781,7 @@ static Image *ReadTIM2Image(const ImageInfo *image_info,ExceptionInfo *exception
- break;
- }
- image=SyncNextImageInList(image);
-- status=SetImageProgress(image,LoadImagesTag,image->scene-1,
-- image->scene);
-+ status=SetImageProgress(image,LoadImagesTag,image->scene-1,image->scene);
- if (status == MagickFalse)
- break;
- }
-@@ -791,7 +791,6 @@ static Image *ReadTIM2Image(const ImageInfo *image_info,ExceptionInfo *exception
- return(GetFirstImageInList(image));
- }
-
--
- /*
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- % %
-@@ -826,7 +825,6 @@ ModuleExport size_t RegisterTIM2Image(void)
- return(MagickImageCoderSignature);
- }
-
--
- /*
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- % %
---
-2.33.0
-