From 7b08857a49df4c4efe95c890bf4b323fc13ed736 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Thu, 8 Jun 2023 14:19:08 +0800
Subject: [PATCH] Fix CVE-2023-34151 and CVE-2023-34153

(cherry picked from commit 1bfe2a0e52829d76057b3efb2b90d4505933e0e1)
---
 CVE-2023-34151.patch | 281 +++++++++++++++++++++++++++++++++++++++++++
 CVE-2023-34153.patch | 138 +++++++++++++++++++++
 ImageMagick.spec | 7 +-
 3 files changed, 425 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-34151.patch
 create mode 100644 CVE-2023-34153.patch

diff --git a/CVE-2023-34151.patch b/CVE-2023-34151.patch
new file mode 100644
index 0000000..902d5cd
--- /dev/null
+++ b/CVE-2023-34151.patch
@@ -0,0 +1,281 @@
+From 3d6d98d8a2be30d74172ab43b5b8e874d2deb158 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Wed, 17 May 2023 21:06:15 -0400
+Subject: [PATCH] properly cast double to size_t
+ (https://github.com/ImageMagick/ImageMagick/issues/6341)
+
+Link: https://github.com/ImageMagick/ImageMagick/commit/3d6d98d8a2be30d74172ab43b5b8e874d2deb158
+
+---
+ MagickCore/annotate.c | 4 ++--
+ MagickCore/draw.c | 2 +-
+ MagickCore/geometry.c | 6 +++---
+ MagickCore/shear.c | 6 +++---
+ MagickCore/visual-effects.c | 4 ++--
+ coders/caption.c | 10 +++++-----
+ coders/label.c | 10 +++++-----
+ coders/pcl.c | 4 ++--
+ coders/pdf.c | 4 ++--
+ coders/ps.c | 4 ++--
+ coders/ps2.c | 4 ++--
+ coders/ps3.c | 4 ++--
+ coders/svg.c | 4 ++--
+ 13 files changed, 33 insertions(+), 33 deletions(-)
+
+diff --git a/MagickCore/annotate.c b/MagickCore/annotate.c
+index bd2da50f36..b635d36bfb 100644
+--- a/MagickCore/annotate.c
++++ b/MagickCore/annotate.c
+@@ -341,7 +341,7 @@ MagickExport MagickBooleanType AnnotateImage(Image *image,
+ (void) CloneString(&annotate->text,textlist[i]);
+ if ((metrics.width == 0) || (annotate->gravity != NorthWestGravity))
+ (void) GetTypeMetrics(image,annotate,&metrics,exception);
+- height=(size_t) floor(metrics.ascent-metrics.descent+0.5);
++ height=CastDoubleToUnsigned(metrics.ascent-metrics.descent+0.5);
+ if (height == 0)
+ height=draw_info->pointsize;
+ height+=(size_t) floor(draw_info->interline_spacing+0.5);
+@@ -673,7 +673,7 @@ MagickExport ssize_t FormatMagickCaption(Image *image,DrawInfo *draw_info,
+ status=GetTypeMetrics(image,draw_info,metrics,exception);
+ if (status == MagickFalse)
+ break;
+- width=(size_t) floor(metrics->width+draw_info->stroke_width+0.5);
++ width=CastDoubleToUnsigned(metrics->width+draw_info->stroke_width+0.5);
+ if (width <= image->columns)
+ continue;
+ if (s != (char *) NULL)
+diff --git a/MagickCore/draw.c b/MagickCore/draw.c
+index 3d46ba2cb3..d88729d9da 100644
+--- a/MagickCore/draw.c
++++ b/MagickCore/draw.c
+@@ -3515,7 +3515,7 @@ static MagickBooleanType RenderMVGContent(Image *image,
+ (void) GetNextToken(q,&q,extent,token);
+ if (*token == ',')
+ (void) GetNextToken(q,&q,extent,token);
+- region.height=(size_t) floor(GetDrawValue(token,&next_token)+
++ region.height=CastDoubleToUnsigned(GetDrawValue(token,&next_token)+
+ 0.5);
+ if (token == next_token)
+ ThrowPointExpectedException(token,exception);
+diff --git a/MagickCore/geometry.c b/MagickCore/geometry.c
+index 977183b576..4d201f36d6 100644
+--- a/MagickCore/geometry.c
++++ b/MagickCore/geometry.c
+@@ -1515,8 +1515,8 @@ MagickExport MagickStatusType ParseMetaGeometry(const char *geometry,ssize_t *x,
+ scale.y=geometry_info.sigma;
+ if ((percent_flags & SigmaValue) == 0)
+ scale.y=scale.x;
+- *width=(size_t) floor(scale.x*stasis_width/100.0+0.5);
+- *height=(size_t) floor(scale.y*stasis_height/100.0+0.5);
++ *width=CastDoubleToUnsigned(scale.x*stasis_width/100.0+0.5);
++ *height=CastDoubleToUnsigned(scale.y*stasis_height/100.0+0.5);
+ stasis_width=(*width);
+ stasis_height=(*height);
+ }
+@@ -1536,7 +1536,7 @@ MagickExport MagickStatusType ParseMetaGeometry(const char *geometry,ssize_t *x,
+ if (geometry_ratio >= image_ratio)
+ {
+ *width=stasis_width;
+- *height=(size_t) floor((double) (PerceptibleReciprocal(
++ *height=CastDoubleToUnsigned((double) (PerceptibleReciprocal(
+ geometry_ratio)*stasis_height*image_ratio)+0.5);
+ }
+ else
+diff --git a/MagickCore/shear.c b/MagickCore/shear.c
+index 5cfa7be965..04e785ea6c 100644
+--- a/MagickCore/shear.c
++++ b/MagickCore/shear.c
+@@ -1768,9 +1768,9 @@ MagickExport Image *ShearRotateImage(const Image *image,const double degrees,
+ */
+ width=integral_image->columns;
+ height=integral_image->rows;
+- bounds.width=(size_t) floor(fabs((double) height*shear.x)+width+0.5);
+- bounds.height=(size_t) floor(fabs((double) bounds.width*shear.y)+height+0.5);
+- shear_width=(size_t) floor(fabs((double) bounds.height*shear.x)+
++ bounds.width=CastDoubleToUnsigned(fabs((double) height*shear.x)+width+0.5);
++ bounds.height=CastDoubleToUnsigned(fabs((double) bounds.width*shear.y)+height+0.5);
++ shear_width=CastDoubleToUnsigned(fabs((double) bounds.height*shear.x)+
+ bounds.width+0.5);
+ bounds.x=CastDoubleToLong(floor((double) ((shear_width > bounds.width) ?
+ width : bounds.width-shear_width+2)/2.0+0.5));
+diff --git a/MagickCore/visual-effects.c b/MagickCore/visual-effects.c
+index 80024212e8..5257865ee3 100644
+--- a/MagickCore/visual-effects.c
++++ b/MagickCore/visual-effects.c
+@@ -2060,8 +2060,8 @@ MagickExport Image *ShadowImage(const Image *image,const double alpha,
+ (void) SetImageColorspace(clone_image,sRGBColorspace,exception);
+ (void) SetImageVirtualPixelMethod(clone_image,EdgeVirtualPixelMethod,
+ exception);
+- border_info.width=(size_t) floor(2.0*sigma+0.5);
+- border_info.height=(size_t) floor(2.0*sigma+0.5);
++ border_info.width=CastDoubleToUnsigned(2.0*sigma+0.5);
++ border_info.height=CastDoubleToUnsigned(2.0*sigma+0.5);
+ border_info.x=0;
+ border_info.y=0;
+ (void) QueryColorCompliance("none",AllCompliance,&clone_image->border_color,
+diff --git a/coders/caption.c b/coders/caption.c
+index 81aeb15830..35f551b31d 100644
+--- a/coders/caption.c
++++ b/coders/caption.c
+@@ -169,7 +169,7 @@ static Image *ReadCAPTIONImage(const ImageInfo *image_info,
+ return(DestroyImageList(image));
+ (void) SetImageProperty(image,"caption",caption,exception);
+ draw_info=CloneDrawInfo(image_info,(DrawInfo *) NULL);
+- width=(size_t) floor(0.5*draw_info->pointsize*strlen(caption)+0.5);
++ width=CastDoubleToUnsigned(0.5*draw_info->pointsize*strlen(caption)+0.5);
+ if (AcquireMagickResource(WidthResource,width) == MagickFalse)
+ {
+ caption=DestroyString(caption);
+@@ -277,8 +277,8 @@ static Image *ReadCAPTIONImage(const ImageInfo *image_info,
+ if (status == MagickFalse)
+ break;
+ AdjustTypeMetricBounds(&metrics);
+- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
+- height=(size_t) floor(metrics.height-metrics.underline_position+
++ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
++ height=CastDoubleToUnsigned(metrics.height-metrics.underline_position+
+ draw_info->interline_spacing+draw_info->stroke_width+0.5);
+ if ((image->columns != 0) && (image->rows != 0))
+ {
+@@ -310,8 +310,8 @@ static Image *ReadCAPTIONImage(const ImageInfo *image_info,
+ if (status == MagickFalse)
+ break;
+ AdjustTypeMetricBounds(&metrics);
+- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
+- height=(size_t) floor(metrics.height-metrics.underline_position+
++ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
++ height=CastDoubleToUnsigned(metrics.height-metrics.underline_position+
+ draw_info->interline_spacing+draw_info->stroke_width+0.5);
+ if ((image->columns != 0) && (image->rows != 0))
+ {
+diff --git a/coders/label.c b/coders/label.c
+index 1ec2508f60..5d08035a25 100644
+--- a/coders/label.c
++++ b/coders/label.c
+@@ -151,7 +151,7 @@ static Image *ReadLABELImage(const ImageInfo *image_info,
+ return(DestroyImageList(image));
+ (void) SetImageProperty(image,"label",label,exception);
+ draw_info=CloneDrawInfo(image_info,(DrawInfo *) NULL);
+- width=(size_t) floor(0.5*draw_info->pointsize*strlen(label)+0.5);
++ width=CastDoubleToUnsigned(0.5*draw_info->pointsize*strlen(label)+0.5);
+ if (AcquireMagickResource(WidthResource,width) == MagickFalse)
+ {
+ label=DestroyString(label);
+@@ -214,8 +214,8 @@ static Image *ReadLABELImage(const ImageInfo *image_info,
+ if (status == MagickFalse)
+ break;
+ AdjustTypeMetricBounds(&metrics);
+- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
+- height=(size_t) floor(metrics.height-metrics.underline_position+
++ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
++ height=CastDoubleToUnsigned(metrics.height-metrics.underline_position+
+ draw_info->stroke_width+0.5);
+ if ((image->columns != 0) && (image->rows != 0))
+ {
+@@ -249,8 +249,8 @@ static Image *ReadLABELImage(const ImageInfo *image_info,
+ if (status == MagickFalse)
+ break;
+ AdjustTypeMetricBounds(&metrics);
+- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
+- height=(size_t) floor(metrics.height-metrics.underline_position+
++ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
++ height=CastDoubleToUnsigned(metrics.height-metrics.underline_position+
+ draw_info->stroke_width+0.5);
+ if ((image->columns != 0) && (image->rows != 0))
+ {
+diff --git a/coders/pcl.c b/coders/pcl.c
+index b5f6818bd3..0dae2772fa 100644
+--- a/coders/pcl.c
++++ b/coders/pcl.c
+@@ -334,8 +334,8 @@ static Image *ReadPCLImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ image->resolution.x,image->resolution.y);
+ if (image_info->ping != MagickFalse)
+ (void) FormatLocaleString(density,MagickPathExtent,"2.0x2.0");
+- page.width=(size_t) floor(page.width*image->resolution.x/delta.x+0.5);
+- page.height=(size_t) floor(page.height*image->resolution.y/delta.y+0.5);
++ page.width=CastDoubleToUnsigned(page.width*image->resolution.x/delta.x+0.5);
++ page.height=CastDoubleToUnsigned(page.height*image->resolution.y/delta.y+0.5);
+ (void) FormatLocaleString(options,MagickPathExtent,"-g%.20gx%.20g ",(double)
+ page.width,(double) page.height);
+ image=DestroyImage(image);
+diff --git a/coders/pdf.c b/coders/pdf.c
+index 2cf36bf1e9..5ba15aee2f 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -1867,9 +1867,9 @@ static MagickBooleanType WritePDFImage(const ImageInfo *image_info,Image *image,
+ (void) ParseMetaGeometry(temp,&geometry.x,&geometry.y,
+ &geometry.width,&geometry.height);
+ scale.x=(double) (geometry.width*delta.x)/resolution.x;
+- geometry.width=(size_t) floor(scale.x+0.5);
++ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
+ scale.y=(double) (geometry.height*delta.y)/resolution.y;
+- geometry.height=(size_t) floor(scale.y+0.5);
++ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
+ (void) ParseAbsoluteGeometry(temp,&media_info);
+ (void) ParseGravityGeometry(image,temp,&page_info,exception);
+ if (image->gravity != UndefinedGravity)
+diff --git a/coders/ps.c b/coders/ps.c
+index ce2bb91765..47e48f1f38 100644
+--- a/coders/ps.c
++++ b/coders/ps.c
+@@ -1527,9 +1527,9 @@ static MagickBooleanType WritePSImage(const ImageInfo *image_info,Image *image,
+ (void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,
+ &geometry.width,&geometry.height);
+ scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x;
+- geometry.width=(size_t) floor(scale.x+0.5);
++ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
+ scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y;
+- geometry.height=(size_t) floor(scale.y+0.5);
++ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
+ (void) ParseAbsoluteGeometry(page_geometry,&media_info);
+ (void) ParseGravityGeometry(image,page_geometry,&page_info,exception);
+ if (image->gravity != UndefinedGravity)
+diff --git a/coders/ps2.c b/coders/ps2.c
+index 766874dc02..eb2d7cbda2 100644
+--- a/coders/ps2.c
++++ b/coders/ps2.c
+@@ -533,9 +533,9 @@ static MagickBooleanType WritePS2Image(const ImageInfo *image_info,Image *image,
+ (void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,
+ &geometry.width,&geometry.height);
+ scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x;
+- geometry.width=(size_t) floor(scale.x+0.5);
++ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
+ scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y;
+- geometry.height=(size_t) floor(scale.y+0.5);
++ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
+ (void) ParseAbsoluteGeometry(page_geometry,&media_info);
+ (void) ParseGravityGeometry(image,page_geometry,&page_info,exception);
+ if (image->gravity != UndefinedGravity)
+diff --git a/coders/ps3.c b/coders/ps3.c
+index b75787bd02..fd547fff41 100644
+--- a/coders/ps3.c
++++ b/coders/ps3.c
+@@ -985,9 +985,9 @@ static MagickBooleanType WritePS3Image(const ImageInfo *image_info,Image *image,
+ (void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,
+ &geometry.width,&geometry.height);
+ scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x;
+- geometry.width=(size_t) floor(scale.x+0.5);
++ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
+ scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y;
+- geometry.height=(size_t) floor(scale.y+0.5);
++ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
+ (void) ParseAbsoluteGeometry(page_geometry,&media_info);
+ (void) ParseGravityGeometry(image,page_geometry,&page_info,exception);
+ if (image->gravity != UndefinedGravity)
+diff --git a/coders/svg.c b/coders/svg.c
+index 5a1e61c76a..1155133390 100644
+--- a/coders/svg.c
++++ b/coders/svg.c
+@@ -2826,10 +2826,10 @@ static void SVGStartElement(void *context,const xmlChar *name,
+ svg_info->view_box=svg_info->bounds;
+ svg_info->width=0;
+ if (svg_info->bounds.width >= MagickEpsilon)
+- svg_info->width=(size_t) floor(svg_info->bounds.width+0.5);
++ svg_info->width=CastDoubleToUnsigned(svg_info->bounds.width+0.5);
+ svg_info->height=0;
+ if (svg_info->bounds.height >= MagickEpsilon)
+- svg_info->height=(size_t) floor(svg_info->bounds.height+0.5);
++ svg_info->height=CastDoubleToUnsigned(svg_info->bounds.height+0.5);
+ (void) FormatLocaleFile(svg_info->file,"viewbox 0 0 %.20g %.20g\n",
+ (double) svg_info->width,(double) svg_info->height);
+ sx=PerceptibleReciprocal(svg_info->view_box.width)*svg_info->width;
diff --git a/CVE-2023-34153.patch b/CVE-2023-34153.patch
new file mode 100644
index 0000000..f13101d
--- /dev/null
+++ b/CVE-2023-34153.patch
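Review bot: In the MagickCore/annotate.c hunk of CVE-2023-34151.patch, the two lines right after the converted `height=` assignment still convert doubles unchecked: `height=draw_info->pointsize;` and `height+=(size_t) floor(draw_info->interline_spacing+0.5);` are left as context. Both fields appear to be caller-supplied draw settings, so a negative or out-of-range value still reaches the double-to-`size_t` conversion this patch is meant to remove, which is undefined behaviour in C when the value is not representable. Consider `height=CastDoubleToUnsigned(draw_info->pointsize);` and `height=CastDoubleToUnsigned((double) height+draw_info->interline_spacing+0.5);`, the latter so that a negative spacing is applied to the sum rather than clamped to zero before the add. AnnotateImage's body continues outside the hunk, so other casts there may need the same treatment; and because the patch adds no include, it is worth confirming that every touched file already sees the `CastDoubleToUnsigned` declaration in 7.1.1-8.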
@@ -0,0 +1,138 @@
+From d31c80d15a2c82fc1dd8e889e0f97b0219079a57 Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra
+Date: Wed, 17 May 2023 23:33:30 +0200
+Subject: [PATCH] Make sure options are properly quoted to resolve the issue
+ reported in #6338.
+
+Link: https://github.com/ImageMagick/ImageMagick/commit/d31c80d15a2c82fc1dd8e889e0f97b0219079a57
+
+---
+ MagickCore/delegate-private.h | 19 +++++++++++++++++++
+ coders/pdf.c | 14 +++-----------
+ coders/video.c | 24 ++++++++----------------
+ 3 files changed, 30 insertions(+), 27 deletions(-)
+
+diff --git a/MagickCore/delegate-private.h b/MagickCore/delegate-private.h
+index 2851316dd6..2d9a8d42ac 100644
+--- a/MagickCore/delegate-private.h
++++ b/MagickCore/delegate-private.h
+@@ -18,6 +18,7 @@
+ #ifndef MAGICKCORE_DELEGATE_PRIVATE_H
+ #define MAGICKCORE_DELEGATE_PRIVATE_H
+
++#include "MagickCore/locale_.h"
+ #include "MagickCore/string_.h"
+
+ #if defined(MAGICKCORE_GS_DELEGATE)
+@@ -110,6 +111,24 @@ static inline char *SanitizeDelegateString(const char *source)
+ return(sanitize_source);
+ }
+
++static inline void FormatSanitizedDelegateOption(char *string,
++ const size_t length,const char *windows_format,
++ const char *non_windows_format,const char *option)
++{
++ char
++ *sanitized_option;
++
++ sanitized_option=SanitizeDelegateString(option);
++#if defined(MAGICKCORE_WINDOWS_SUPPORT)
++ magick_unreferenced(non_windows_format);
++ (void) FormatLocaleString(string,length,windows_format,sanitized_option);
++#else
++ magick_unreferenced(windows_format);
++ (void) FormatLocaleString(string,length,non_windows_format,sanitized_option);
++#endif
++ sanitized_option=DestroyString(sanitized_option);
++}
++
+ extern MagickPrivate MagickBooleanType
+ DelegateComponentGenesis(void);
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index 926661e023..2cf36bf1e9 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -625,18 +625,10 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (option != (char *) NULL)
+ {
+ char
+- passphrase[MagickPathExtent],
+- *sanitize_passphrase;
++ passphrase[MagickPathExtent];
+
+- sanitize_passphrase=SanitizeDelegateString(option);
+-#if defined(MAGICKCORE_WINDOWS_SUPPORT)
+- (void) FormatLocaleString(passphrase,MagickPathExtent,
+- "\"-sPDFPassword=%s\" ",sanitize_passphrase);
+-#else
+- (void) FormatLocaleString(passphrase,MagickPathExtent,
+- "-sPDFPassword='%s' ",sanitize_passphrase);
+-#endif
+- sanitize_passphrase=DestroyString(sanitize_passphrase);
++ FormatSanitizedDelegateOption(passphrase,MagickPathExtent,
++ "\"-sPDFPassword=%s\" ","-sPDFPassword='%s' ",option);
+ (void) ConcatenateMagickString(options,passphrase,MagickPathExtent);
+ }
+ read_info=CloneImageInfo(image_info);
+diff --git a/coders/video.c b/coders/video.c
+index e7cfcc0d72..ab546448b2 100644
+--- a/coders/video.c
++++ b/coders/video.c
+@@ -217,8 +217,7 @@ static Image *ReadVIDEOImage(const ImageInfo *image_info,
+ message[MagickPathExtent];
+
+ char
+- *options,
+- *sanitized_option;
++ *options;
+
+ const char
+ *intermediate_format,
+@@ -234,19 +233,15 @@ static Image *ReadVIDEOImage(const ImageInfo *image_info,
+ option=GetImageOption(image_info,"video:vsync");
+ if (option != (const char *) NULL)
+ {
+- sanitized_option=SanitizeDelegateString(option);
+- (void) FormatLocaleString(command,MagickPathExtent," -vsync %s",
+- sanitized_option);
+- DestroyString(sanitized_option);
++ FormatSanitizedDelegateOption(command,MagickPathExtent,
++ " -vsync \"%s\""," -vsync '%s'",option);
+ (void) ConcatenateMagickString(options,command,MagickPathExtent);
+ }
+ option=GetImageOption(image_info,"video:pixel-format");
+ if (option != (const char *) NULL)
+ {
+- sanitized_option=SanitizeDelegateString(option);
+- (void) FormatLocaleString(command,MagickPathExtent," -pix_fmt %s",
+- sanitized_option);
+- DestroyString(sanitized_option);
++ FormatSanitizedDelegateOption(command,MagickPathExtent,
++ " -pix_fmt \"%s\""," -pix_fmt '%s'",option);
+ (void) ConcatenateMagickString(options,command,MagickPathExtent);
+ }
+ else
+@@ -685,8 +680,7 @@ static MagickBooleanType WriteVIDEOImage(const ImageInfo *image_info,
+ message[MagickPathExtent];
+
+ char
+- *options,
+- *sanitized_option;
++ *options;
+
+ const char
+ *option;
+@@ -700,10 +694,8 @@ static MagickBooleanType WriteVIDEOImage(const ImageInfo *image_info,
+ option=GetImageOption(image_info,"video:pixel-format");
+ if (option != (const char *) NULL)
+ {
+- sanitized_option=SanitizeDelegateString(option);
+- (void) FormatLocaleString(command,MagickPathExtent," -pix_fmt %s",
+- sanitized_option);
+- DestroyString(sanitized_option);
++ FormatSanitizedDelegateOption(command,MagickPathExtent,
++ " -pix_fmt \"%s\""," -pix_fmt '%s'",option);
+ (void) ConcatenateMagickString(options,command,MagickPathExtent);
+ }
+ AcquireUniqueFilename(write_info->unique);
diff --git a/ImageMagick.spec b/ImageMagick.spec
index e6aff57..4e008ed 100644
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@@ -1,11 +1,13 @@
 Name: ImageMagick
 Epoch: 1
 Version: 7.1.1.8
-Release: 1
+Release: 2
 Summary: Create, edit, compose, or convert bitmap images
 License: ImageMagick and MIT
 Url: http://www.imagemagick.org/
 Source0: https://github.com/ImageMagick/ImageMagick/archive/refs/tags/7.1.1-8.tar.gz
+Patch0: CVE-2023-34151.patch
+Patch1: CVE-2023-34153.patch
 BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
 BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@@ -160,6 +162,9 @@ rm PerlMagick/demo/Generic.ttf
 %{_libdir}/pkgconfig/ImageMagick*
 %changelog
+* Thu Jun 08 2023 wangkai <13474090681@163.com> - 1:7.1.1.8-2
+- Fix CVE-2023-34151 and CVE-2023-34153
+
 * Mon Apr 24 2023 wangkai <13474090681@163.com> - 1:7.1.1.8-1
 - Update to 7.1.1.8 for Fix CVE-2023-1289,CVE-2023-1906
-- Gitee
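Review bot: In the `FormatSanitizedDelegateOption` helper that CVE-2023-34153.patch adds to MagickCore/delegate-private.h, both `FormatLocaleString` results are discarded with `(void)`, so an option long enough to exceed `length` is silently truncated and can lose the closing quote that the new format strings add. The callers in coders/pdf.c and coders/video.c then concatenate that half-quoted text into the delegate option string. The helper should keep the return value and clear `string` on truncation so the option is dropped rather than passed on unbalanced, as sketched below (this assumes `FormatLocaleString` returns the snprintf-style length). The quoting is also only as strong as the character set `SanitizeDelegateString` lets through, and its body is outside the hunk, so a comment on the helper stating that the sanitizer must never pass `'` on non-Windows or `"` on Windows would record that dependency.

```c
static inline void FormatSanitizedDelegateOption(char *string,
  /* … unchanged: remaining parameters, sanitized_option declaration … */
  ssize_t
    count;

  /* … unchanged: SanitizeDelegateString call … */
#if defined(MAGICKCORE_WINDOWS_SUPPORT)
  /* … unchanged: magick_unreferenced … */
  count=FormatLocaleString(string,length,windows_format,sanitized_option);
#else
  /* … unchanged: magick_unreferenced … */
  count=FormatLocaleString(string,length,non_windows_format,sanitized_option);
#endif
  /*
    Drop the option instead of handing on a truncated string whose closing
    quote was cut off.
  */
  if ((count < 0) || ((size_t) count >= length))
    *string='\0';
  /* … unchanged: DestroyString … */
```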