diff --git a/CVE-2020-27759.patch b/CVE-2020-27759.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5526548448227bfb6251956e7b37c05718e29c9d
--- /dev/null
+++ b/CVE-2020-27759.patch
@@ -0,0 +1,35 @@
+From 460dea07066e2001bc4671fcd8d53233f0fc29b3 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sat, 5 Oct 2019 09:53:19 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1720
+
+---
+ magick/quantize.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/magick/quantize.c b/magick/quantize.c
+index d4c841b68..fb0646661 100644
+--- a/magick/quantize.c
++++ b/magick/quantize.c
+@@ -3212,16 +3212,17 @@ extern "C" {
+
+ static int IntensityCompare(const void *x,const void *y)
+ {
+- double
+- intensity;
+-
+ PixelPacket
+ *color_1,
+ *color_2;
+
++ ssize_t
++ intensity;
++
+ color_1=(PixelPacket *) x;
+ color_2=(PixelPacket *) y;
+- intensity=PixelPacketIntensity(color_1)-PixelPacketIntensity(color_2);
++ intensity=(ssize_t) (PixelPacketIntensity(color_1)-
++ PixelPacketIntensity(color_2));
+ return((int) intensity);
+ }
+
diff --git a/CVE-2020-27760.patch b/CVE-2020-27760.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6d2bb7ac71f08f4b66275aab17ece203b680f4ec
--- /dev/null
+++ b/CVE-2020-27760.patch
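Review bot: In CVE-2020-27759.patch, `IntensityCompare` now narrows the intensity difference twice, `double` to `ssize_t` and then `ssize_t` to `int` in `return((int) intensity);`, so two colours whose intensities differ by less than 1 compare as equal, and a difference outside the `int` range (possible if intensities are not bounded by the quantum range, e.g. in HDRI builds) can change sign when truncated. A qsort comparator is safer returning only the sign: keep both intensities in `double` locals `a` and `b` and `return((a > b) - (a < b));`, which needs no float-to-integer conversion. The whole function is visible in the hunk, so the change stays local.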
@@ -0,0 +1,86 @@
+From 83cd04f580ccf4cc194813777c1fcfba78e602aa Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Fri, 4 Oct 2019 18:04:09 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1717
+
+---
+ magick/enhance.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/magick/enhance.c b/magick/enhance.c
+index a100cf8b7..614269e3a 100644
+--- a/magick/enhance.c
++++ b/magick/enhance.c
+@@ -2207,7 +2207,8 @@ MagickExport MagickBooleanType GammaImageChannel(Image *image,
+ if (gamma != 0.0)
+ for (i=0; i <= (ssize_t) MaxMap; i++)
+ gamma_map[i]=ClampToQuantum((MagickRealType) ScaleMapToQuantum((
+- MagickRealType) (MaxMap*pow((double) i/MaxMap,1.0/gamma))));
++ MagickRealType) (MaxMap*pow((double) i/MaxMap,
++ PerceptibleReciprocal(gamma)))));
+ if (image->storage_class == PseudoClass)
+ {
+ /*
+@@ -2238,18 +2239,18 @@ MagickExport MagickBooleanType GammaImageChannel(Image *image,
+ #else
+ if ((channel & RedChannel) != 0)
+ image->colormap[i].red=QuantumRange*gamma_pow(QuantumScale*
+- image->colormap[i].red,1.0/gamma);
++ image->colormap[i].red,PerceptibleReciprocal(gamma));
+ if ((channel & GreenChannel) != 0)
+ image->colormap[i].green=QuantumRange*gamma_pow(QuantumScale*
+- image->colormap[i].green,1.0/gamma);
++ image->colormap[i].green,PerceptibleReciprocal(gamma));
+ if ((channel & BlueChannel) != 0)
+ image->colormap[i].blue=QuantumRange*gamma_pow(QuantumScale*
+- image->colormap[i].blue,1.0/gamma);
++ image->colormap[i].blue,PerceptibleReciprocal(gamma));
+ if ((channel & OpacityChannel) != 0)
+ {
+ if (image->matte == MagickFalse)
+ image->colormap[i].opacity=QuantumRange*gamma_pow(QuantumScale*
+- image->colormap[i].opacity,1.0/gamma);
++ image->colormap[i].opacity,PerceptibleReciprocal(gamma));
+ else
+ image->colormap[i].opacity=QuantumRange-QuantumRange*gamma_pow(
+ QuantumScale*(QuantumRange-image->colormap[i].opacity),1.0/
+@@ -2319,31 +2320,31 @@ MagickExport MagickBooleanType GammaImageChannel(Image *image,
+ if ((channel & SyncChannels) != 0)
+ {
+ SetPixelRed(q,QuantumRange*gamma_pow(QuantumScale*GetPixelRed(q),
+- 1.0/gamma));
++ PerceptibleReciprocal(gamma)));
+ SetPixelGreen(q,QuantumRange*gamma_pow(QuantumScale*GetPixelGreen(q),
+- 1.0/gamma));
++ PerceptibleReciprocal(gamma)));
+ SetPixelBlue(q,QuantumRange*gamma_pow(QuantumScale*GetPixelBlue(q),
+- 1.0/gamma));
++ PerceptibleReciprocal(gamma)));
+ }
+ else
+ {
+ if ((channel & RedChannel) != 0)
+ SetPixelRed(q,QuantumRange*gamma_pow(QuantumScale*GetPixelRed(q),
+- 1.0/gamma));
++ PerceptibleReciprocal(gamma)));
+ if ((channel & GreenChannel) != 0)
+ SetPixelGreen(q,QuantumRange*gamma_pow(QuantumScale*
+- GetPixelGreen(q),1.0/gamma));
++ GetPixelGreen(q),PerceptibleReciprocal(gamma)));
+ if ((channel & BlueChannel) != 0)
+ SetPixelBlue(q,QuantumRange*gamma_pow(QuantumScale*GetPixelBlue(q),
+- 1.0/gamma));
++ PerceptibleReciprocal(gamma)));
+ if ((channel & OpacityChannel) != 0)
+ {
+ if (image->matte == MagickFalse)
+ SetPixelOpacity(q,QuantumRange*gamma_pow(QuantumScale*
+- GetPixelOpacity(q),1.0/gamma));
++ GetPixelOpacity(q),PerceptibleReciprocal(gamma)));
+ else
+ SetPixelAlpha(q,QuantumRange*gamma_pow(QuantumScale*
+- GetPixelAlpha(q),1.0/gamma));
++ GetPixelAlpha(q),PerceptibleReciprocal(gamma)));
+ }
+ }
+ #endif
diff --git a/CVE-2020-27761.patch b/CVE-2020-27761.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9ba4e7ac233911670c417b253f1da1420c6dd6fa
--- /dev/null
+++ b/CVE-2020-27761.patch
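Review bot: In CVE-2020-27760.patch one reciprocal is left unguarded: the colormap hunk (`@@ -2238,18 +2239,18 @@`) ends on the unchanged context line `QuantumScale*(QuantumRange-image->colormap[i].opacity),1.0/`, so the `else` branch for `image->matte` still divides by `gamma` while every sibling call now uses `PerceptibleReciprocal(gamma)`. The continuation of that statement lies outside the hunk and should be confirmed, then changed to `QuantumScale*(QuantumRange-image->colormap[i].opacity),PerceptibleReciprocal(gamma));`. The per-pixel hunk does convert its matching `SetPixelAlpha` branch, which suggests the omission is accidental.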
@@ -0,0 +1,28 @@
+From 14c90fb315eb3666a4cf6d784cbde74c69c934ec Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 7 Oct 2019 18:13:37 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1726
+
+---
+ coders/palm.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/coders/palm.c b/coders/palm.c
+index 4cd5522a4..a3eae1d82 100644
+--- a/coders/palm.c
++++ b/coders/palm.c
+@@ -908,10 +908,10 @@ static MagickBooleanType WritePALMImage(const ImageInfo *image_info,
+ {
+ for (x=0; x < (ssize_t) image->columns; x++)
+ {
+- color16=(unsigned short) ((((31*(size_t) GetPixelRed(p))/
+- (size_t) QuantumRange) << 11) |
+- (((63*(size_t) GetPixelGreen(p))/(size_t) QuantumRange) << 5) |
+- ((31*(size_t) GetPixelBlue(p))/(size_t) QuantumRange));
++ color16=(unsigned short) ((((31*(ssize_t) GetPixelRed(p))/
++ (ssize_t) QuantumRange) << 11) |
++ (((63*(ssize_t) GetPixelGreen(p))/(ssize_t) QuantumRange) << 5) |
++ ((31*(ssize_t) GetPixelBlue(p))/(ssize_t) QuantumRange));
+ if (GetPixelOpacity(p) == (Quantum) TransparentOpacity)
+ {
+ transpix.red=GetPixelRed(p);
diff --git a/CVE-2020-27762.patch b/CVE-2020-27762.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8508cab0a73e40bd0cb993a5b84d45f369589151
--- /dev/null
+++ b/CVE-2020-27762.patch
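Review bot: In CVE-2020-27761.patch the `color16` expression now casts each channel to `ssize_t`, so a negative channel value yields a negative left operand for `<< 11` and `<< 5`, and left-shifting a negative signed value is undefined in C. Whether `GetPixelRed(p)` and the other getters can be negative or above `QuantumRange` at this point is not visible in the hunk (it would be in an HDRI build), so the safer form clamps each channel to 0..`QuantumRange` before scaling and keeps the shift operands unsigned. A one-line comment such as `/* channels are clamped to [0,QuantumRange] before packing into RGB565 */` would record the precondition. The loop body continues outside the hunk.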
@@ -0,0 +1,29 @@
+From 3e10f7c3c9f0394dfd6ebd372bc34a172dabc8ff Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 3 Oct 2019 18:24:44 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1713
+
+---
+ coders/hdr.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/coders/hdr.c b/coders/hdr.c
+index ab02f8e52..77e3c6336 100644
+--- a/coders/hdr.c
++++ b/coders/hdr.c
+@@ -786,9 +786,12 @@ static MagickBooleanType WriteHDRImage(const ImageInfo *image_info,Image *image)
+ exponent;
+
+ gamma=frexp(gamma,&exponent)*256.0/gamma;
+- pixel[0]=(unsigned char) (gamma*QuantumScale*GetPixelRed(p));
+- pixel[1]=(unsigned char) (gamma*QuantumScale*GetPixelGreen(p));
+- pixel[2]=(unsigned char) (gamma*QuantumScale*GetPixelBlue(p));
++ if (GetPixelRed(p) > 0)
++ pixel[0]=(unsigned char) (gamma*QuantumScale*GetPixelRed(p));
++ if (GetPixelGreen(p) > 0)
++ pixel[1]=(unsigned char) (gamma*QuantumScale*GetPixelGreen(p));
++ if (GetPixelBlue(p) > 0)
++ pixel[2]=(unsigned char) (gamma*QuantumScale*GetPixelBlue(p));
+ pixel[3]=(unsigned char) (exponent+128);
+ }
+ if ((image->columns >= 8) && (image->columns <= 0x7ffff))
diff --git a/CVE-2020-27764.patch b/CVE-2020-27764.patch
new file mode 100644
index 0000000000000000000000000000000000000000..57e9805bfd20f5cce691f80b1a3ac9c90431e47d
--- /dev/null
+++ b/CVE-2020-27764.patch
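Review bot: In CVE-2020-27762.patch the new `if (GetPixelRed(p) > 0)` style guards leave `pixel[0]`..`pixel[2]` holding their previous contents whenever a channel is zero or negative, so the output is only right if `pixel[]` is cleared for every pixel earlier in the loop; that initialisation is outside the hunk and should be confirmed. The guards also bound only the lower side: a product above 255 is still converted to `unsigned char` out of range. An explicit `else pixel[0]=0;` per channel, or a clamp to 0..255 before the cast, would make the block self-contained.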
@@ -0,0 +1,58 @@
+From 3e21bc8a58b4ae38d24c7e283837cc279f35b6a5 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Wed, 9 Oct 2019 18:44:16 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1735
+
+---
+ magick/statistic.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/magick/statistic.c b/magick/statistic.c
+index 7bc816360..87a9a42f4 100644
+--- a/magick/statistic.c
++++ b/magick/statistic.c
+@@ -259,7 +259,7 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
+ }
+ case AndEvaluateOperator:
+ {
+- result=(MagickRealType) ((size_t) pixel & (size_t) (value+0.5));
++ result=(MagickRealType) ((ssize_t) pixel & (ssize_t) (value+0.5));
+ break;
+ }
+ case CosineEvaluateOperator:
+@@ -299,7 +299,7 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
+ }
+ case LeftShiftEvaluateOperator:
+ {
+- result=(MagickRealType) ((size_t) pixel << (size_t) (value+0.5));
++ result=(MagickRealType) ((ssize_t) pixel << (ssize_t) (value+0.5));
+ break;
+ }
+ case LogEvaluateOperator:
+@@ -342,7 +342,7 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
+ }
+ case OrEvaluateOperator:
+ {
+- result=(MagickRealType) ((size_t) pixel | (size_t) (value+0.5));
++ result=(MagickRealType) ((ssize_t) pixel | (ssize_t) (value+0.5));
+ break;
+ }
+ case PoissonNoiseEvaluateOperator:
+@@ -359,7 +359,7 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
+ }
+ case RightShiftEvaluateOperator:
+ {
+- result=(MagickRealType) ((size_t) pixel >> (size_t) (value+0.5));
++ result=(MagickRealType) ((ssize_t) pixel >> (ssize_t) (value+0.5));
+ break;
+ }
+ case RootMeanSquareEvaluateOperator:
+@@ -413,7 +413,7 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
+ }
+ case XorEvaluateOperator:
+ {
+- result=(MagickRealType) ((size_t) pixel ^ (size_t) (value+0.5));
++ result=(MagickRealType) ((ssize_t) pixel ^ (ssize_t) (value+0.5));
+ break;
+ }
+ }
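Review bot: In CVE-2020-27764.patch the casts `(ssize_t) pixel` and `(ssize_t) (value+0.5)` in the And, Or and Xor cases are still undefined when the double is NaN or outside the `ssize_t` range; changing the target type from `size_t` only moves the boundary. The two shift cases are rewritten by CVE-2020-27766.patch later in this series, but the three bitwise cases keep this form. A range test before the cast, for example `if ((value < 0.0) || (value > (double) QuantumRange)) break;`, would bound the operand; what to return for a rejected operand is a design choice the hunk does not show. The function prologue is outside these hunks.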
diff --git a/CVE-2020-27765.patch b/CVE-2020-27765.patch
new file mode 100644
index 0000000000000000000000000000000000000000..25a7707a3a6c80c7ccebe22e8e3c15045c58d47c
--- /dev/null
+++ b/CVE-2020-27765.patch
@@ -0,0 +1,22 @@
+From 4321934be544bc2888c6799fd6b50d8188a3d832 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Tue, 8 Oct 2019 17:27:35 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1730
+
+---
+ magick/segment.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/magick/segment.c b/magick/segment.c
+index 8f03c22ef..46fae277f 100644
+--- a/magick/segment.c
++++ b/magick/segment.c
+@@ -1696,7 +1696,7 @@ static MagickRealType OptimalTau(const ssize_t *histogram,const double max_tau,
+ average_tau=0.0;
+ for (i=0; i < number_nodes; i++)
+ average_tau+=list[i]->tau;
+- average_tau/=(MagickRealType) number_nodes;
++ average_tau*=PerceptibleReciprocal((MagickRealType) number_nodes);
+ /*
+ Relinquish resources.
+ */
diff --git a/CVE-2020-27766.patch b/CVE-2020-27766.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1c3fbdf4c7fdce2d2294ecbadf8636dad262ade9
--- /dev/null
+++ b/CVE-2020-27766.patch
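Review bot: In CVE-2020-27765.patch the line `average_tau*=PerceptibleReciprocal((MagickRealType) number_nodes);` does not say why the plain division was replaced, and nothing in the hunk shows that `number_nodes` can be zero. A short comment, for example `/* number_nodes may be 0 when no node was collected; avoid 0/0 */`, would keep a later clean-up from turning it back into a division. The rest of `OptimalTau` is outside the hunk, so the zero case is presumed from the fix rather than seen.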
@@ -0,0 +1,45 @@
+From 052175e4b190598141fbcc64641cd5ee4db3602d Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 10 Oct 2019 20:40:18 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1743
+
+---
+ magick/statistic.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/magick/statistic.c b/magick/statistic.c
+index 2db7c858f..827d87fa6 100644
+--- a/magick/statistic.c
++++ b/magick/statistic.c
+@@ -230,6 +230,9 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
+ MagickRealType
+ result;
+
++ register ssize_t
++ i;
++
+ result=0.0;
+ switch (op)
+ {
+@@ -299,7 +302,9 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
+ }
+ case LeftShiftEvaluateOperator:
+ {
+- result=(MagickRealType) ((ssize_t) pixel << (ssize_t) (value+0.5));
++ result=(double) pixel;
++ for (i=0; i < (ssize_t) value; i++)
++ result*=2.0;
+ break;
+ }
+ case LogEvaluateOperator:
+@@ -359,7 +364,9 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
+ }
+ case RightShiftEvaluateOperator:
+ {
+- result=(MagickRealType) ((ssize_t) pixel >> (ssize_t) (value+0.5));
++ result=(MagickRealType) pixel;
++ for (i=0; i < (ssize_t) value; i++)
++ result/=2.0;
+ break;
+ }
+ case RootMeanSquareEvaluateOperator:
diff --git a/CVE-2020-27767.patch b/CVE-2020-27767.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cbd74b80a1581ea2761a81a5be498fd9601ff989
--- /dev/null
+++ b/CVE-2020-27767.patch
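Review bot: In CVE-2020-27766.patch both shift loops, `for (i=0; i < (ssize_t) value; i++)`, take their bound straight from `value`, so a very large operand makes a single pixel evaluation loop for an impractically long time, and the `(ssize_t) value` conversion is itself undefined for NaN or out-of-range doubles. The loops also drop the `+0.5` rounding that the replaced shift applied, so a count of 1.6 now shifts once instead of twice. Bounding the count before the loop, e.g. wrapping it in `if ((value >= 0.0) && (value <= 64.0))`, removes both problems; the limit of 64 is only an illustration and the behaviour for rejected counts is a design decision. The left-shift case casts to `double` and the right-shift case to `MagickRealType`, which should be the same type in both.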
@@ -0,0 +1,68 @@
+From c2f66e7fc9189a652f77a021bd047c4146d634d1 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 10 Oct 2019 21:03:00 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1741
+
+---
+ magick/quantum.h | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/magick/quantum.h b/magick/quantum.h
+index 821680de0..6c05c212a 100644
+--- a/magick/quantum.h
++++ b/magick/quantum.h
+@@ -18,6 +18,7 @@
+ #ifndef MAGICKCORE_QUANTUM_H
+ #define MAGICKCORE_QUANTUM_H
+
++#include
+ #include "magick/image.h"
+ #include "magick/semaphore.h"
+
+@@ -87,6 +88,10 @@ typedef struct _QuantumInfo
+ static inline Quantum ClampToQuantum(const MagickRealType value)
+ {
+ #if defined(MAGICKCORE_HDRI_SUPPORT)
++ if (value < FLT_MIN)
++ return((Quantum) FLT_MIN);
++ if (value > FLT_MAX)
++ return((Quantum) FLT_MAX);
+ return((Quantum) value);
+ #else
+ if (value <= 0.0f)
+@@ -103,7 +108,7 @@ static inline unsigned char ScaleQuantumToChar(const Quantum quantum)
+ #if !defined(MAGICKCORE_HDRI_SUPPORT)
+ return((unsigned char) quantum);
+ #else
+- if (quantum <= 0.0)
++ if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
+ return(0);
+ if (quantum >= 255.0)
+ return(255);
+@@ -116,7 +121,7 @@ static inline unsigned char ScaleQuantumToChar(const Quantum quantum)
+ #if !defined(MAGICKCORE_HDRI_SUPPORT)
+ return((unsigned char) (((quantum+128UL)-((quantum+128UL) >> 8)) >> 8));
+ #else
+- if (quantum <= 0.0)
++ if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
+ return(0);
+ if ((quantum/257.0) >= 255.0)
+ return(255);
+@@ -130,7 +135,7 @@ static inline unsigned char ScaleQuantumToChar(const Quantum quantum)
+ return((unsigned char) ((quantum+MagickULLConstant(8421504))/
+ MagickULLConstant(16843009)));
+ #else
+- if (quantum <= 0.0)
++ if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
+ return(0);
+ if ((quantum/16843009.0) >= 255.0)
+ return(255);
+@@ -143,7 +148,7 @@ static inline unsigned char ScaleQuantumToChar(const Quantum quantum)
+ #if !defined(MAGICKCORE_HDRI_SUPPORT)
+ return((unsigned char) (quantum/72340172838076673.0+0.5));
+ #else
+- if (quantum <= 0.0)
++ if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
+ return(0);
+ if ((quantum/72340172838076673.0) >= 255.0)
+ return(255);
diff --git a/CVE-2020-27770.patch b/CVE-2020-27770.patch
new file mode 100644
index 0000000000000000000000000000000000000000..752198831b6f911305a4df013d48ccfb5459ac77
--- /dev/null
+++ b/CVE-2020-27770.patch
@@ -0,0 +1,33 @@
+From c01495f91ac71c5205f52713430b68e80d851149 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sat, 5 Oct 2019 08:56:29 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1721
+
+---
+ magick/string.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/magick/string.c b/magick/string.c
+index f6f7b9318..1b47f562e 100644
+--- a/magick/string.c
++++ b/magick/string.c
+@@ -2534,7 +2534,7 @@ MagickExport MagickBooleanType SubstituteString(char **string,
+ {
+ if (search_extent == 0)
+ search_extent=strlen(search);
+- if (strncmp(p,search,search_extent) != 0)
++ if ((*p == *search) && (strncmp(p,search,search_extent) != 0))
+ continue;
+ /*
+ We found a match.
+@@ -2562,7 +2562,9 @@ MagickExport MagickBooleanType SubstituteString(char **string,
+ (void) memmove(p+replace_extent,p+search_extent,
+ strlen(p+search_extent)+1);
+ (void) memcpy(p,replace,replace_extent);
+- p+=replace_extent-1;
++ p+=replace_extent;
++ if (replace_extent != 0)
++ p--;
+ }
+ return(status);
+ }
diff --git a/CVE-2020-29599-1.patch b/CVE-2020-29599-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..80c1e0a4c0f359a1c12dc545a734a5dabbe4f9fe
--- /dev/null
+++ b/CVE-2020-29599-1.patch
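Review bot: In CVE-2020-27767.patch the HDRI branch of `ClampToQuantum` tests `if (value < FLT_MIN) return((Quantum) FLT_MIN);`, but `FLT_MIN` is the smallest positive normalised float, not the most negative one, so zero and every negative value are replaced by a tiny positive number. If the aim is to keep the value inside the finite `float` range, the lower bound should be `-FLT_MAX`: `if (value < -FLT_MAX) return((Quantum) -FLT_MAX);`. NaN also still passes both comparisons and reaches the plain cast, unlike the `IsNaN` checks this patch adds to `ScaleQuantumToChar`.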
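Review bot: In CVE-2020-27770.patch the new guard `if ((*p == *search) && (strncmp(p,search,search_extent) != 0)) continue;` skips only when the first character matches and the rest does not; if `*p` ever differs from `*search`, the condition is false and control falls into the "We found a match" path. Whether that can happen depends on the loop header, which is outside the hunk, but a cheap pre-check is normally written the other way round: `if ((*p != *search) || (strncmp(p,search,search_extent) != 0)) continue;`. In the second hunk, `p+=replace_extent; if (replace_extent != 0) p--;` deserves a comment such as `/* do not step before the match when the replacement is empty */`.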
@@ -0,0 +1,71 @@
+From a7b2d8328c539da6e79a118a0b8e97462c7daa77 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sun, 10 Nov 2019 14:53:23 -0500
+Subject: [PATCH] Santize ';' from SHOW and WIN delegates
+
+---
+ magick/delegate.c | 26 +++++++++++++++++++++++++-
+ magick/string.c | 4 ++--
+ 2 files changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/magick/delegate.c b/magick/delegate.c
+index 37cd77b39..4fec87fc6 100644
+--- a/magick/delegate.c
++++ b/magick/delegate.c
+@@ -507,6 +507,30 @@ MagickExport int ExternalDelegateCommand(const MagickBooleanType asynchronous,
+ %
+ */
+
++static char *SanitizeDelegateString(const char *source)
++{
++ char
++ *sanitize_source;
++
++ const char
++ *q;
++
++ register char
++ *p;
++
++ static char
++ whitelist[] =
++ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
++ "$-_.+!*'(),{}|\\^~[]`\"><#%/?:@&=";
++
++ sanitize_source=AcquireString(source);
++ p=sanitize_source;
++ q=sanitize_source+strlen(sanitize_source);
++ for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist))
++ *p='_';
++ return(sanitize_source);
++}
++
+ static char *GetMagickPropertyLetter(const ImageInfo *image_info,Image *image,
+ const char letter)
+ {
+@@ -918,7 +942,7 @@ static char *GetMagickPropertyLetter(const ImageInfo *image_info,Image *image,
+ break;
+ }
+ }
+- return(SanitizeString(string));
++ return(SanitizeDelegateString(string));
+ }
+
+ static char *InterpretDelegateProperties(const ImageInfo *image_info,
+diff --git a/magick/string.c b/magick/string.c
+index 828f12a0c..1e4ae55cb 100644
+--- a/magick/string.c
++++ b/magick/string.c
+@@ -1588,10 +1588,10 @@ MagickExport void ResetStringInfo(StringInfo *string_info)
+ % %
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ %
+-% SanitizeString() returns an new string removes all characters except
++% SanitizeString() returns a new string removes all characters except
+ % letters, digits and !#$%&'*+-=?^_`{|}~@.[].
+ %
+-% The returned string shoud be freed using DestoryString().
++% Free the sanitized string with DestroyString().
+ %
+ % The format of the SanitizeString method is:
+ %
diff --git a/CVE-2020-29599-10.patch b/CVE-2020-29599-10.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7f266e9ed048359e87d966522d64636a4361b29c
--- /dev/null
+++ b/CVE-2020-29599-10.patch
@@ -0,0 +1,30 @@
+From 83ec5b5b8ee7cae891fff59340be207b513a030d Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sat, 21 Nov 2020 13:26:16 +0000
+Subject: [PATCH] restore passphrase support when rendering PDF's
+
+---
+ coders/pdf.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index 31efd06e5..ce4f7a5f1 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -611,14 +611,13 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ (void) ConcatenateMagickString(options,"-dUseTrimBox ",MaxTextExtent);
+ if (stop_on_error != MagickFalse)
+ (void) ConcatenateMagickString(options,"-dPDFSTOPONERROR ",MaxTextExtent);
+- option=GetImageOption(image_info,"authenticate");
+- if (option != (char *) NULL)
++ if (image_info->authenticate != (char *) NULL)
+ {
+ char
+ passphrase[MagickPathExtent],
+ *sanitize_passphrase;
+
+- sanitize_passphrase=SanitizeDelegateString(option);
++ sanitize_passphrase=SanitizeDelegateString(image_info->authenticate);
+ (void) FormatLocaleString(passphrase,MagickPathExtent,
+ "'-sPDFPassword=%s' ",sanitize_passphrase);
+ sanitize_passphrase=DestroyString(sanitize_passphrase);
diff --git a/CVE-2020-29599-2.patch b/CVE-2020-29599-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e211da1ca98d9694e0be09ddb0beeff9406864d7
--- /dev/null
+++ b/CVE-2020-29599-2.patch
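Review bot: In CVE-2020-29599-1.patch the new `SanitizeDelegateString` is an allowlist, yet the table still admits `$`, backquote, `|`, `&`, `<`, `>`, parentheses and both quote characters, so its output is only safe where the delegate template places it inside a quoting context that neutralises them, and nothing in the function says which. A header comment should state that contract, for example `/* Replaces every character outside the allowlist with '_'; the result must still be quoted by the delegate template. Caller frees with DestroyString(). */`. The table is never written and can be `static const char whitelist[]`. `GetMagickPropertyLetter` now returns this string, but its body is outside the hunks, so which templates consume the value cannot be checked from here.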
@@ -0,0 +1,22 @@
+From 2eead004825d31e8f49022f0bc4ca0d3457b0bb1 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Wed, 20 Nov 2019 07:20:50 -0500
+Subject: [PATCH] Santize "'" from SHOW and WIN delegates
+
+---
+ magick/delegate.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/magick/delegate.c b/magick/delegate.c
+index 4fec87fc6..32beeb15e 100644
+--- a/magick/delegate.c
++++ b/magick/delegate.c
+@@ -521,7 +521,7 @@ static char *SanitizeDelegateString(const char *source)
+ static char
+ whitelist[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
+- "$-_.+!*'(),{}|\\^~[]`\"><#%/?:@&=";
++ "$-_.+!*;(),{}|\\^~[]`\"><#%/?:@&=";
+
+ sanitize_source=AcquireString(source);
+ p=sanitize_source;
diff --git a/CVE-2020-29599-3.patch b/CVE-2020-29599-3.patch
new file mode 100644
index 0000000000000000000000000000000000000000..60d1d1d29a004666375c4e613481c7be63bd529b
--- /dev/null
+++ b/CVE-2020-29599-3.patch
@@ -0,0 +1,31 @@
+From 20f520ed5c8541ae6646bc38d9d3b480785be6c3 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 25 Nov 2019 13:33:50 -0500
+Subject: [PATCH] Per Enzo Puig, santize "'" from SHOW and WIN delegates under
+ Linux, '"\' for Windows
+
+---
+ magick/delegate.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/magick/delegate.c b/magick/delegate.c
+index 32beeb15e..bc83401fd 100644
+--- a/magick/delegate.c
++++ b/magick/delegate.c
+@@ -519,9 +519,15 @@ static char *SanitizeDelegateString(const char *source)
+ *p;
+
+ static char
++#if defined(MAGICKCORE_WINDOWS_SUPPORT)
+ whitelist[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
+- "$-_.+!*;(),{}|\\^~[]`\"><#%/?:@&=";
++ "$-_.+!;*(),{}|^~[]`\'><#%/?:@&=";
++#else
++ whitelist[] =
++ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
++ "$-_.+!;*(),{}|\\^~[]`\"><#%/?:@&=";
++#endif
+
+ sanitize_source=AcquireString(source);
+ p=sanitize_source;
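Review bot: In CVE-2020-29599-2.patch the one-character change takes `'` out of the allowlist but puts `;` back in, which is the character the previous patch in this series was written to strip. That is only safe if every place the sanitized value lands is inside single quotes, so the assumption should be recorded next to the table, for example `/* value is always embedded in '...' by the delegate template; only ' can end the argument */`, or `;` should stay excluded as well. CVE-2020-29599-3.patch then splits the table per platform and leaves `&`, `|`, `<`, `>`, `^` and `%` allowed on the Windows side, where the same question about the quoting context applies. Neither hunk shows the delegate templates, so this cannot be confirmed from the page.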
diff --git a/CVE-2020-29599-4.patch b/CVE-2020-29599-4.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c58a8ce05fdcf48a6f826cff1b6e7d369a1daa28
--- /dev/null
+++ b/CVE-2020-29599-4.patch
@@ -0,0 +1,33 @@
+From a2b3dd8455da2f17849b55e6b6ddcce587e4a323 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 16 Nov 2020 17:01:57 +0000
+Subject: [PATCH] shell injection vulnerability via the -authenticate option
+
+---
+ coders/pdf.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index 5e4edc760..63eda5d81 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -588,11 +588,14 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (option != (char *) NULL)
+ {
+ char
+- passphrase[MaxTextExtent];
+-
+- (void) FormatLocaleString(passphrase,MaxTextExtent,
+- "\"-sPDFPassword=%s\" ",option);
+- (void) ConcatenateMagickString(options,passphrase,MaxTextExtent);
++ message[MagickPathExtent],
++ *passphrase;
++
++ passphrase=SanitizeString(option);
++ (void) FormatLocaleString(message,MagickPathExtent,
++ "\"-sPDFPassword=%s\" ",passphrase);
++ passphrase=DestroyString(passphrase);
++ (void) ConcatenateMagickString(options,message,MagickPathExtent);
+ }
+ read_info=CloneImageInfo(image_info);
+ *read_info->magick='\0';
diff --git a/CVE-2020-29599-5.patch b/CVE-2020-29599-5.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e9f048a7a2b27fba656abfa4ca8ff028dcf0327e
--- /dev/null
+++ b/CVE-2020-29599-5.patch
@@ -0,0 +1,60 @@
+From 7b0cce080345e5b7ef26d122f18809c93a19a80e Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 16 Nov 2020 18:17:31 +0000
+Subject: [PATCH] fix shell injection vulnerability via the -authenticate
+ option
+
+---
+ coders/pdf.c | 15 ++++++---------
+ magick/string.c | 8 +++++++-
+ 2 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index 63eda5d81..074ba3f64 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -585,17 +585,14 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (stop_on_error != MagickFalse)
+ (void) ConcatenateMagickString(options,"-dPDFSTOPONERROR ",MaxTextExtent);
+ option=GetImageOption(image_info,"authenticate");
+- if (option != (char *) NULL)
++ if ((option != (char *) NULL) && (strpbrk(option,"&;<>|") == (char *) NULL))
+ {
+ char
+- message[MagickPathExtent],
+- *passphrase;
+-
+- passphrase=SanitizeString(option);
+- (void) FormatLocaleString(message,MagickPathExtent,
+- "\"-sPDFPassword=%s\" ",passphrase);
+- passphrase=DestroyString(passphrase);
+- (void) ConcatenateMagickString(options,message,MagickPathExtent);
++ passphrase[MagickPathExtent];
++
++ (void) FormatLocaleString(passphrase,MagickPathExtent,
++ "\"-sPDFPassword=%s\" ",option);
++ (void) ConcatenateMagickString(options,passphrase,MagickPathExtent);
+ }
+ read_info=CloneImageInfo(image_info);
+ *read_info->magick='\0';
+diff --git a/magick/string.c b/magick/string.c
+index c8ffa086f..7f6eebc3b 100644
+--- a/magick/string.c
++++ b/magick/string.c
+@@ -1604,9 +1604,15 @@ MagickExport char *SanitizeString(const char *source)
+ *p;
+
+ static char
++#if defined(MAGICKCORE_WINDOWS_SUPPORT)
+ whitelist[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
+- "$-_.+!*'(),{}|\\^~[]`\"><#%;/?:@&=";
++ "$-_.+!;*(),{}|^~[]`\'><#%/?:@&=";
++#else
++ whitelist[] =
++ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
++ "$-_.+!;*(),{}|\\^~[]`\"><#%/?:@&=";
++#endif
+
+ sanitize_source=AcquireString(source);
+ p=sanitize_source;
diff --git a/CVE-2020-29599-6.patch b/CVE-2020-29599-6.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5dbb0d45570a1171ed20b468650a344bec5cb64b
--- /dev/null
+++ b/CVE-2020-29599-6.patch
@@ -0,0 +1,30 @@
+From 875fdf773d6e822364f876bed14c1785a01b45a7 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 16 Nov 2020 23:18:42 +0000
+Subject: [PATCH] revert whitelist mod
+
+---
+ magick/string.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/magick/string.c b/magick/string.c
+index 7f6eebc3b..c8ffa086f 100644
+--- a/magick/string.c
++++ b/magick/string.c
+@@ -1604,15 +1604,9 @@ MagickExport char *SanitizeString(const char *source)
+ *p;
+
+ static char
+-#if defined(MAGICKCORE_WINDOWS_SUPPORT)
+ whitelist[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
+- "$-_.+!;*(),{}|^~[]`\'><#%/?:@&=";
+-#else
+- whitelist[] =
+- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
+- "$-_.+!;*(),{}|\\^~[]`\"><#%/?:@&=";
+-#endif
++ "$-_.+!*'(),{}|\\^~[]`\"><#%;/?:@&=";
+
+ sanitize_source=AcquireString(source);
+ p=sanitize_source;
diff --git a/CVE-2020-29599-7.patch b/CVE-2020-29599-7.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2ff31e5d8d8a73fd2d7b3cbbf1bd645b26d28bcd
--- /dev/null
+++ b/CVE-2020-29599-7.patch
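Review bot: The `strpbrk(option,"&;<>|")` test introduced in CVE-2020-29599-5.patch is a denylist around a value that is then embedded in double quotes by `"\"-sPDFPassword=%s\" "`, and it lists neither `$` nor backquote, which a POSIX shell still expands inside double quotes; patches -7 and -8 extend the same list with `"` and `'` only. When the test fails the passphrase is dropped without any warning or exception, so the user sees an unrelated decryption failure. CVE-2020-29599-9.patch replaces this state, so the series is only sound when applied in full; a comment in the spec next to `Patch0016`..`Patch0020` saying so would protect a partial backport. Patches -5 and -6 also cancel each other in `magick/string.c`, leaving `SanitizeString` with `'`, `"` and `;` allowed, so it should not be reused for shell arguments.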
@@ -0,0 +1,23 @@
+From ab2e97d2f7520d1d9ff36ef421caf2a899e14ce4 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 19 Nov 2020 18:36:05 +0000
+Subject: [PATCH] fix shell injection vulnerability via the -authenticate
+ option
+
+---
+ coders/pdf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index 074ba3f64..ef1567b29 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -585,7 +585,7 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (stop_on_error != MagickFalse)
+ (void) ConcatenateMagickString(options,"-dPDFSTOPONERROR ",MaxTextExtent);
+ option=GetImageOption(image_info,"authenticate");
+- if ((option != (char *) NULL) && (strpbrk(option,"&;<>|") == (char *) NULL))
++ if ((option != (char *) NULL) && (strpbrk(option,"&;<>|\"") == (char *) NULL))
+ {
+ char
+ passphrase[MagickPathExtent];
diff --git a/CVE-2020-29599-8.patch b/CVE-2020-29599-8.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1acdf1381b042754d376c7ffde0a07aa188fa699
--- /dev/null
+++ b/CVE-2020-29599-8.patch
@@ -0,0 +1,24 @@
+From 869e38717fa91325da87c2a4cedc148a770a07ec Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 19 Nov 2020 18:39:30 +0000
+Subject: [PATCH] fix shell injection vulnerability via the -authenticate
+ option
+
+---
+ coders/pdf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index ef1567b29..d5ed56596 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -585,7 +585,8 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (stop_on_error != MagickFalse)
+ (void) ConcatenateMagickString(options,"-dPDFSTOPONERROR ",MaxTextExtent);
+ option=GetImageOption(image_info,"authenticate");
+- if ((option != (char *) NULL) && (strpbrk(option,"&;<>|\"") == (char *) NULL))
++ if ((option != (char *) NULL) &&
++ (strpbrk(option,"&;<>|\"'") == (char *) NULL))
+ {
+ char
+ passphrase[MagickPathExtent];
diff --git a/CVE-2020-29599-9.patch b/CVE-2020-29599-9.patch
new file mode 100644
index 0000000000000000000000000000000000000000..31561cddfa789bc2b5e125e783c383f354ca4009
--- /dev/null
+++ b/CVE-2020-29599-9.patch
@@ -0,0 +1,88 @@ +From 226804980651bb4eb5f3ba3b9d7e992f2eda4710 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Thu, 19 Nov 2020 20:50:44 +0000 +Subject: [PATCH] fix shell injection vulnerability via the -authenticate + option + +--- + coders/pdf.c | 46 ++++++++++++++++++++++++++++++++++------- + config/delegates.xml.in | 4 ++-- + 2 files changed, 42 insertions(+), 9 deletions(-) + +diff --git a/coders/pdf.c b/coders/pdf.c +index d5ed56596..31efd06e5 100644 +--- a/coders/pdf.c ++++ b/coders/pdf.c +@@ -368,6 +368,36 @@ static inline void CleanupPDFInfo(PDFInfo *pdf_info) + pdf_info->profile=DestroyStringInfo(pdf_info->profile); + } + ++static char *SanitizeDelegateString(const char *source) ++{ ++ char ++ *sanitize_source; ++ ++ const char ++ *q; ++ ++ register char ++ *p; ++ ++ static char ++#if defined(MAGICKCORE_WINDOWS_SUPPORT) ++ whitelist[] = ++ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 " ++ "$-_.+!;*(),{}|^~[]`\'><#%/?:@&="; ++#else ++ whitelist[] = ++ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 " ++ "$-_.+!;*(),{}|\\^~[]`\"><#%/?:@&="; ++#endif ++ ++ sanitize_source=AcquireString(source); ++ p=sanitize_source; ++ q=sanitize_source+strlen(sanitize_source); ++ for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist)) ++ *p='_'; ++ return(sanitize_source); ++} ++ + static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception) + { + char +@@ -585,14 +615,16 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception) + if (stop_on_error != MagickFalse) + (void) ConcatenateMagickString(options,"-dPDFSTOPONERROR ",MaxTextExtent); + option=GetImageOption(image_info,"authenticate"); +- if ((option != (char *) NULL) && +- (strpbrk(option,"&;<>|\"'") == (char *) NULL)) ++ if (option != (char *) NULL) + { + char +- passphrase[MagickPathExtent]; ++ passphrase[MagickPathExtent], ++ *sanitize_passphrase; + ++ sanitize_passphrase=SanitizeDelegateString(option); + (void) 
FormatLocaleString(passphrase,MagickPathExtent, +- "\"-sPDFPassword=%s\" ",option); ++ "'-sPDFPassword=%s' ",sanitize_passphrase); ++ sanitize_passphrase=DestroyString(sanitize_passphrase); + (void) ConcatenateMagickString(options,passphrase,MagickPathExtent); + } + read_info=CloneImageInfo(image_info); +diff --git a/config/delegates.xml.in b/config/delegates.xml.in +index d93387ac1..4fc3acc3f 100644 +--- a/config/delegates.xml.in ++++ b/config/delegates.xml.in +@@ -89,8 +89,8 @@ + + + +- +- ++ ++ + + + diff --git a/ImageMagick.spec b/ImageMagick.spec index 114a5742b296200be4f9a8db48cf50ae0f118c2f..83bfc215bf11a874a712d78ad34b2c6492d57099 100644 --- a/ImageMagick.spec +++ b/ImageMagick.spec @@ -1,7 +1,7 @@ Name: ImageMagick Epoch: 1 Version: 6.9.10.67 -Release: 7 +Release: 9 Summary: Create, edit, compose, or convert bitmap images License: ImageMagick Url: http://www.imagemagick.org/ @@ -9,6 +9,25 @@ Source0: https://mirrors.sohu.com/gentoo/distfiles/db/ImageMagick-6.9.10- Patch0001: CVE-2019-7397.patch Patch0002: CVE-2018-16329.patch +Patch0003: CVE-2020-27759.patch +Patch0004: CVE-2020-27760.patch +Patch0005: CVE-2020-27761.patch +Patch0006: CVE-2020-27762.patch +Patch0007: CVE-2020-27764.patch +Patch0008: CVE-2020-27765.patch +Patch0009: CVE-2020-27766.patch +Patch0010: CVE-2020-27767.patch +Patch0011: CVE-2020-27770.patch +Patch0012: CVE-2020-29599-1.patch +Patch0013: CVE-2020-29599-2.patch +Patch0014: CVE-2020-29599-3.patch +Patch0015: CVE-2020-29599-4.patch +Patch0016: CVE-2020-29599-5.patch +Patch0017: CVE-2020-29599-6.patch +Patch0018: CVE-2020-29599-7.patch +Patch0019: CVE-2020-29599-8.patch +Patch0020: CVE-2020-29599-9.patch +Patch0021: CVE-2020-29599-10.patch BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel 
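Review bot: In CVE-2020-29599-9.patch the passphrase is wrapped as `"'-sPDFPassword=%s' "` on every platform, but the `MAGICKCORE_WINDOWS_SUPPORT` table of the new `SanitizeDelegateString` keeps `\'` in the allowlist, so in a Windows build the one character that closes the wrapper is not replaced; the wrapper and the table need to agree per platform. Separately, `FormatLocaleString(passphrase,MagickPathExtent,...)` truncates a long passphrase and can cut off the closing quote before the string is appended to `options`; its return value should be compared with `MagickPathExtent` and the option skipped when it does not fit. This function is also a second `static` copy of the one added to `magick/delegate.c` by CVE-2020-29599-1.patch, so the two tables can drift apart; a comment in each copy naming the other would help. The `config/delegates.xml.in` hunk has lost its content on this page and cannot be reviewed.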
@@ -165,6 +184,13 @@ rm PerlMagick/demo/Generic.ttf %{_libdir}/pkgconfig/ImageMagick++* %changelog +* Tue Jan 12 2021 wangxiao - 6.9.10.67-9 +- fix CVE-2020-29599 + +* Mon Jan 04 2021 wangxiao - 6.9.10.67-8 +- fix CVE-2020-27759 CVE-2020-27760 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 + CVE-2020-27765 CVE-2020-27765 CVE-2020-27766 CVE-2020-27767 CVE-2020-27770 + * Sun Apr 26 2020 openEuler Buildteam - 6.9.10.67-7 - Type:cves - ID:CVE-2018-16329