diff --git a/CVE-2020-29599-1.patch b/CVE-2020-29599-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..80c1e0a4c0f359a1c12dc545a734a5dabbe4f9fe
--- /dev/null
+++ b/CVE-2020-29599-1.patch
@@ -0,0 +1,71 @@
+From a7b2d8328c539da6e79a118a0b8e97462c7daa77 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sun, 10 Nov 2019 14:53:23 -0500
+Subject: [PATCH] Santize ';' from SHOW and WIN delegates
+
+---
+ magick/delegate.c | 26 +++++++++++++++++++++++++-
+ magick/string.c | 4 ++--
+ 2 files changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/magick/delegate.c b/magick/delegate.c
+index 37cd77b39..4fec87fc6 100644
+--- a/magick/delegate.c
++++ b/magick/delegate.c
+@@ -507,6 +507,30 @@ MagickExport int ExternalDelegateCommand(const MagickBooleanType asynchronous,
+ %
+ */
+
++static char *SanitizeDelegateString(const char *source)
++{
++ char
++ *sanitize_source;
++
++ const char
++ *q;
++
++ register char
++ *p;
++
++ static char
++ whitelist[] =
++ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
++ "$-_.+!*'(),{}|\\^~[]`\"><#%/?:@&=";
++
++ sanitize_source=AcquireString(source);
++ p=sanitize_source;
++ q=sanitize_source+strlen(sanitize_source);
++ for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist))
++ *p='_';
++ return(sanitize_source);
++}
++
+ static char *GetMagickPropertyLetter(const ImageInfo *image_info,Image *image,
+ const char letter)
+ {
+@@ -918,7 +942,7 @@ static char *GetMagickPropertyLetter(const ImageInfo *image_info,Image *image,
+ break;
+ }
+ }
+- return(SanitizeString(string));
++ return(SanitizeDelegateString(string));
+ }
+
+ static char *InterpretDelegateProperties(const ImageInfo *image_info,
+diff --git a/magick/string.c b/magick/string.c
+index 828f12a0c..1e4ae55cb 100644
+--- a/magick/string.c
++++ b/magick/string.c
+@@ -1588,10 +1588,10 @@ MagickExport void ResetStringInfo(StringInfo *string_info)
+ % %
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ %
+-% SanitizeString() returns an new string removes all characters except
++% SanitizeString() returns a new string removes all characters except
+ % letters, digits and !#$%&'*+-=?^_`{|}~@.[].
+ %
+-% The returned string shoud be freed using DestoryString().
++% Free the sanitized string with DestroyString().
+ %
+ % The format of the SanitizeString method is:
+ %
diff --git a/CVE-2020-29599-10.patch b/CVE-2020-29599-10.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7f266e9ed048359e87d966522d64636a4361b29c
--- /dev/null
+++ b/CVE-2020-29599-10.patch
@@ -0,0 +1,30 @@
+From 83ec5b5b8ee7cae891fff59340be207b513a030d Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sat, 21 Nov 2020 13:26:16 +0000
+Subject: [PATCH] restore passphrase support when rendering PDF's
+
+---
+ coders/pdf.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index 31efd06e5..ce4f7a5f1 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -611,14 +611,13 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ (void) ConcatenateMagickString(options,"-dUseTrimBox ",MaxTextExtent);
+ if (stop_on_error != MagickFalse)
+ (void) ConcatenateMagickString(options,"-dPDFSTOPONERROR ",MaxTextExtent);
+- option=GetImageOption(image_info,"authenticate");
+- if (option != (char *) NULL)
++ if (image_info->authenticate != (char *) NULL)
+ {
+ char
+ passphrase[MagickPathExtent],
+ *sanitize_passphrase;
+
+- sanitize_passphrase=SanitizeDelegateString(option);
++ sanitize_passphrase=SanitizeDelegateString(image_info->authenticate);
+ (void) FormatLocaleString(passphrase,MagickPathExtent,
+ "'-sPDFPassword=%s' ",sanitize_passphrase);
+ sanitize_passphrase=DestroyString(sanitize_passphrase);
diff --git a/CVE-2020-29599-2.patch b/CVE-2020-29599-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e211da1ca98d9694e0be09ddb0beeff9406864d7
--- /dev/null
+++ b/CVE-2020-29599-2.patch
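Review bot: The whitelist of the new `SanitizeDelegateString()` in CVE-2020-29599-1.patch (magick/delegate.c) still admits the backtick, `$`, `|`, `&`, `<`, `>`, `"` and `'`, so compared with the `SanitizeString()` it replaces, the only character this patch stops passing through is `;`. Whether the remaining characters are inert depends on how each delegate command template quotes the substituted value, which is not visible in this hunk, so that quoting assumption should be stated in a comment above the function. The table is never written, so `static const char whitelist[] =` is the safer declaration. The function also has no header; it should say that every byte outside the whitelist becomes `_` and that the caller releases the result with `DestroyString()`.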
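Review bot: Nothing in CVE-2020-29599-10.patch tells the user when the sanitizer has changed the passphrase: `SanitizeDelegateString(image_info->authenticate)` rewrites every non-whitelisted byte to `_`, so a valid PDF password containing such a byte reaches the delegate altered and decryption fails without a diagnostic. Comparing the sanitized copy with the original and raising a warning through `exception` when they differ would make the cause visible. The hunk also removes the only assignment to `option` shown here; `ReadPDFImage()` continues outside the hunk, so it is worth confirming the variable is still used, or dropping its declaration.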
@@ -0,0 +1,22 @@
+From 2eead004825d31e8f49022f0bc4ca0d3457b0bb1 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Wed, 20 Nov 2019 07:20:50 -0500
+Subject: [PATCH] Santize "'" from SHOW and WIN delegates
+
+---
+ magick/delegate.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/magick/delegate.c b/magick/delegate.c
+index 4fec87fc6..32beeb15e 100644
+--- a/magick/delegate.c
++++ b/magick/delegate.c
+@@ -521,7 +521,7 @@ static char *SanitizeDelegateString(const char *source)
+ static char
+ whitelist[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
+- "$-_.+!*'(),{}|\\^~[]`\"><#%/?:@&=";
++ "$-_.+!*;(),{}|\\^~[]`\"><#%/?:@&=";
+
+ sanitize_source=AcquireString(source);
+ p=sanitize_source;
diff --git a/CVE-2020-29599-3.patch b/CVE-2020-29599-3.patch
new file mode 100644
index 0000000000000000000000000000000000000000..60d1d1d29a004666375c4e613481c7be63bd529b
--- /dev/null
+++ b/CVE-2020-29599-3.patch
@@ -0,0 +1,31 @@
+From 20f520ed5c8541ae6646bc38d9d3b480785be6c3 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 25 Nov 2019 13:33:50 -0500
+Subject: [PATCH] Per Enzo Puig, santize "'" from SHOW and WIN delegates under
+ Linux, '"\' for Windows
+
+---
+ magick/delegate.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/magick/delegate.c b/magick/delegate.c
+index 32beeb15e..bc83401fd 100644
+--- a/magick/delegate.c
++++ b/magick/delegate.c
+@@ -519,9 +519,15 @@ static char *SanitizeDelegateString(const char *source)
+ *p;
+
+ static char
++#if defined(MAGICKCORE_WINDOWS_SUPPORT)
+ whitelist[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
+- "$-_.+!*;(),{}|\\^~[]`\"><#%/?:@&=";
++ "$-_.+!;*(),{}|^~[]`\'><#%/?:@&=";
++#else
++ whitelist[] =
++ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
++ "$-_.+!;*(),{}|\\^~[]`\"><#%/?:@&=";
++#endif
+
+ sanitize_source=AcquireString(source);
+ p=sanitize_source;
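Review bot: The one-character change in CVE-2020-29599-2.patch removes `'` from the whitelist by putting `;` in its place, which re-admits the separator that the first patch of the series ("Santize ';' ...") had just excluded. If both are meant to be filtered, the new literal should be the old one with `'` deleted and nothing added. `;` stays whitelisted in every later version of this table shown in the series, so the final filter relies on the caller's quoting to keep it inert. A comment on the table should say so.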
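Review bot: Neither branch of the `#if` added in CVE-2020-29599-3.patch says why its excluded characters differ, and that rationale is the whole security argument of the hunk: the non-Windows table drops `'`, while the Windows table drops `"` and `\`. I would add a comment above each table such as `/* excluded: the quote character delegate templates use on this platform */`, once that is confirmed against the delegate configuration. The `\'` in the Windows literal is just `'`; writing it unescaped avoids suggesting that the backslash is whitelisted. The function body continues outside the hunk.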
diff --git a/CVE-2020-29599-4.patch b/CVE-2020-29599-4.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c58a8ce05fdcf48a6f826cff1b6e7d369a1daa28
--- /dev/null
+++ b/CVE-2020-29599-4.patch
@@ -0,0 +1,33 @@
+From a2b3dd8455da2f17849b55e6b6ddcce587e4a323 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 16 Nov 2020 17:01:57 +0000
+Subject: [PATCH] shell injection vulnerability via the -authenticate option
+
+---
+ coders/pdf.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index 5e4edc760..63eda5d81 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -588,11 +588,14 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (option != (char *) NULL)
+ {
+ char
+- passphrase[MaxTextExtent];
+-
+- (void) FormatLocaleString(passphrase,MaxTextExtent,
+- "\"-sPDFPassword=%s\" ",option);
+- (void) ConcatenateMagickString(options,passphrase,MaxTextExtent);
++ message[MagickPathExtent],
++ *passphrase;
++
++ passphrase=SanitizeString(option);
++ (void) FormatLocaleString(message,MagickPathExtent,
++ "\"-sPDFPassword=%s\" ",passphrase);
++ passphrase=DestroyString(passphrase);
++ (void) ConcatenateMagickString(options,message,MagickPathExtent);
+ }
+ read_info=CloneImageInfo(image_info);
+ *read_info->magick='\0';
diff --git a/CVE-2020-29599-5.patch b/CVE-2020-29599-5.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e9f048a7a2b27fba656abfa4ca8ff028dcf0327e
--- /dev/null
+++ b/CVE-2020-29599-5.patch
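Review bot: `SanitizeString()` does not remove the delimiter used in CVE-2020-29599-4.patch: its whitelist, visible in the string.c hunk of the -6 patch, contains `"`, so wrapping its result in `\"-sPDFPassword=%s\"` does not make the value safe at this point in the series. Later patches replace this code, so the package is only fixed when the whole series through -10 is applied; a backport that stops at this patch is not sufficient. The new code also mixes `MagickPathExtent` for `message` with `MaxTextExtent` for `options` in the surrounding lines; one constant should be used per buffer so that the bounds are obvious to a reader.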
@@ -0,0 +1,60 @@
+From 7b0cce080345e5b7ef26d122f18809c93a19a80e Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 16 Nov 2020 18:17:31 +0000
+Subject: [PATCH] fix shell injection vulnerability via the -authenticate
+ option
+
+---
+ coders/pdf.c | 15 ++++++---------
+ magick/string.c | 8 +++++++-
+ 2 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index 63eda5d81..074ba3f64 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -585,17 +585,14 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (stop_on_error != MagickFalse)
+ (void) ConcatenateMagickString(options,"-dPDFSTOPONERROR ",MaxTextExtent);
+ option=GetImageOption(image_info,"authenticate");
+- if (option != (char *) NULL)
++ if ((option != (char *) NULL) && (strpbrk(option,"&;<>|") == (char *) NULL))
+ {
+ char
+- message[MagickPathExtent],
+- *passphrase;
+-
+- passphrase=SanitizeString(option);
+- (void) FormatLocaleString(message,MagickPathExtent,
+- "\"-sPDFPassword=%s\" ",passphrase);
+- passphrase=DestroyString(passphrase);
+- (void) ConcatenateMagickString(options,message,MagickPathExtent);
++ passphrase[MagickPathExtent];
++
++ (void) FormatLocaleString(passphrase,MagickPathExtent,
++ "\"-sPDFPassword=%s\" ",option);
++ (void) ConcatenateMagickString(options,passphrase,MagickPathExtent);
+ }
+ read_info=CloneImageInfo(image_info);
+ *read_info->magick='\0';
+diff --git a/magick/string.c b/magick/string.c
+index c8ffa086f..7f6eebc3b 100644
+--- a/magick/string.c
++++ b/magick/string.c
+@@ -1604,9 +1604,15 @@ MagickExport char *SanitizeString(const char *source)
+ *p;
+
+ static char
++#if defined(MAGICKCORE_WINDOWS_SUPPORT)
+ whitelist[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
+- "$-_.+!*'(),{}|\\^~[]`\"><#%;/?:@&=";
++ "$-_.+!;*(),{}|^~[]`\'><#%/?:@&=";
++#else
++ whitelist[] =
++ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
++ "$-_.+!;*(),{}|\\^~[]`\"><#%/?:@&=";
++#endif
+
+ sanitize_source=AcquireString(source);
+ p=sanitize_source;
diff --git a/CVE-2020-29599-6.patch b/CVE-2020-29599-6.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5dbb0d45570a1171ed20b468650a344bec5cb64b
--- /dev/null
+++ b/CVE-2020-29599-6.patch
@@ -0,0 +1,30 @@
+From 875fdf773d6e822364f876bed14c1785a01b45a7 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 16 Nov 2020 23:18:42 +0000
+Subject: [PATCH] revert whitelist mod
+
+---
+ magick/string.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/magick/string.c b/magick/string.c
+index 7f6eebc3b..c8ffa086f 100644
+--- a/magick/string.c
++++ b/magick/string.c
+@@ -1604,15 +1604,9 @@ MagickExport char *SanitizeString(const char *source)
+ *p;
+
+ static char
+-#if defined(MAGICKCORE_WINDOWS_SUPPORT)
+ whitelist[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
+- "$-_.+!;*(),{}|^~[]`\'><#%/?:@&=";
+-#else
+- whitelist[] =
+- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
+- "$-_.+!;*(),{}|\\^~[]`\"><#%/?:@&=";
+-#endif
++ "$-_.+!*'(),{}|\\^~[]`\"><#%;/?:@&=";
+
+ sanitize_source=AcquireString(source);
+ p=sanitize_source;
diff --git a/CVE-2020-29599-7.patch b/CVE-2020-29599-7.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2ff31e5d8d8a73fd2d7b3cbbf1bd645b26d28bcd
--- /dev/null
+++ b/CVE-2020-29599-7.patch
@@ -0,0 +1,23 @@
+From ab2e97d2f7520d1d9ff36ef421caf2a899e14ce4 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 19 Nov 2020 18:36:05 +0000
+Subject: [PATCH] fix shell injection vulnerability via the -authenticate
+ option
+
+---
+ coders/pdf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index 074ba3f64..ef1567b29 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -585,7 +585,7 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (stop_on_error != MagickFalse)
+ (void) ConcatenateMagickString(options,"-dPDFSTOPONERROR ",MaxTextExtent);
+ option=GetImageOption(image_info,"authenticate");
+- if ((option != (char *) NULL) && (strpbrk(option,"&;<>|") == (char *) NULL))
++ if ((option != (char *) NULL) && (strpbrk(option,"&;<>|\"") == (char *) NULL))
+ {
+ char
+ passphrase[MagickPathExtent];
diff --git a/CVE-2020-29599-8.patch b/CVE-2020-29599-8.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1acdf1381b042754d376c7ffde0a07aa188fa699
--- /dev/null
+++ b/CVE-2020-29599-8.patch
@@ -0,0 +1,24 @@
+From 869e38717fa91325da87c2a4cedc148a770a07ec Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 19 Nov 2020 18:39:30 +0000
+Subject: [PATCH] fix shell injection vulnerability via the -authenticate
+ option
+
+---
+ coders/pdf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index ef1567b29..d5ed56596 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -585,7 +585,8 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (stop_on_error != MagickFalse)
+ (void) ConcatenateMagickString(options,"-dPDFSTOPONERROR ",MaxTextExtent);
+ option=GetImageOption(image_info,"authenticate");
+- if ((option != (char *) NULL) && (strpbrk(option,"&;<>|\"") == (char *) NULL))
++ if ((option != (char *) NULL) &&
++ (strpbrk(option,"&;<>|\"'") == (char *) NULL))
+ {
+ char
+ passphrase[MagickPathExtent];
diff --git a/CVE-2020-29599-9.patch b/CVE-2020-29599-9.patch
new file mode 100644
index 0000000000000000000000000000000000000000..31561cddfa789bc2b5e125e783c383f354ca4009
--- /dev/null
+++ b/CVE-2020-29599-9.patch
@@ -0,0 +1,88 @@
+From 226804980651bb4eb5f3ba3b9d7e992f2eda4710 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 19 Nov 2020 20:50:44 +0000
+Subject: [PATCH] fix shell injection vulnerability via the -authenticate
+ option
+
+---
+ coders/pdf.c | 46 ++++++++++++++++++++++++++++++++++-------
+ config/delegates.xml.in | 4 ++--
+ 2 files changed, 42 insertions(+), 9 deletions(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index d5ed56596..31efd06e5 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -368,6 +368,36 @@ static inline void CleanupPDFInfo(PDFInfo *pdf_info)
+ pdf_info->profile=DestroyStringInfo(pdf_info->profile);
+ }
+
++static char *SanitizeDelegateString(const char *source)
++{
++ char
++ *sanitize_source;
++
++ const char
++ *q;
++
++ register char
++ *p;
++
++ static char
++#if defined(MAGICKCORE_WINDOWS_SUPPORT)
++ whitelist[] =
++ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
++ "$-_.+!;*(),{}|^~[]`\'><#%/?:@&=";
++#else
++ whitelist[] =
++ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
++ "$-_.+!;*(),{}|\\^~[]`\"><#%/?:@&=";
++#endif
++
++ sanitize_source=AcquireString(source);
++ p=sanitize_source;
++ q=sanitize_source+strlen(sanitize_source);
++ for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist))
++ *p='_';
++ return(sanitize_source);
++}
++
+ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+ char
+@@ -585,14 +615,16 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (stop_on_error != MagickFalse)
+ (void) ConcatenateMagickString(options,"-dPDFSTOPONERROR ",MaxTextExtent);
+ option=GetImageOption(image_info,"authenticate");
+- if ((option != (char *) NULL) &&
+- (strpbrk(option,"&;<>|\"'") == (char *) NULL))
++ if (option != (char *) NULL)
+ {
+ char
+- passphrase[MagickPathExtent];
++ passphrase[MagickPathExtent],
++ *sanitize_passphrase;
+
++ sanitize_passphrase=SanitizeDelegateString(option);
+ (void)
FormatLocaleString(passphrase,MagickPathExtent,
+- "\"-sPDFPassword=%s\" ",option);
++ "'-sPDFPassword=%s' ",sanitize_passphrase);
++ sanitize_passphrase=DestroyString(sanitize_passphrase);
+ (void) ConcatenateMagickString(options,passphrase,MagickPathExtent);
+ }
+ read_info=CloneImageInfo(image_info);
+diff --git a/config/delegates.xml.in b/config/delegates.xml.in
+index d93387ac1..4fc3acc3f 100644
+--- a/config/delegates.xml.in
++++ b/config/delegates.xml.in
+@@ -89,8 +89,8 @@
+
+
+
+-
+-
++
++
+
+
+
diff --git a/ImageMagick.spec b/ImageMagick.spec
index 5b064821eac3c5433824554aeee0e1a24f3d2ec2..0f6036d85e9e312cc3c690b6be10b6a015b58bfb 100644
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@@ -1,9 +1,9 @@ Name: ImageMagick Epoch: 1 Version: 6.9.10.67 -Release: 9 +Release: 10 Summary: Create, edit, compose, or convert bitmap images -License: ImageMagick +License: ImageMagick and MIT Url: http://www.imagemagick.org/ Source0: https://mirrors.sohu.com/gentoo/distfiles/db/ImageMagick-6.9.10-67.tar.xz
@@ -18,6 +18,16 @@ Patch0008: CVE-2020-27765.patch Patch0009: CVE-2020-27766.patch Patch0010: CVE-2020-27767.patch Patch0011: CVE-2020-27770.patch +Patch0012: CVE-2020-29599-1.patch +Patch0013: CVE-2020-29599-2.patch +Patch0014: CVE-2020-29599-3.patch +Patch0015: CVE-2020-29599-4.patch +Patch0016: CVE-2020-29599-5.patch +Patch0017: CVE-2020-29599-6.patch +Patch0018: CVE-2020-29599-7.patch +Patch0019: CVE-2020-29599-8.patch +Patch0020: CVE-2020-29599-9.patch +Patch0021: CVE-2020-29599-10.patch BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
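Review bot: In CVE-2020-29599-9.patch the wrapper in `ReadPDFImage()` always delimits the passphrase with single quotes (`"'-sPDFPassword=%s' "`), but under `MAGICKCORE_WINDOWS_SUPPORT` the whitelist keeps `'` and drops `"` and `\` instead, so on that build the sanitizer does not remove the delimiter the caller uses. The quote character should be selected under the same `#if` as the whitelist, or passed to the sanitizer as a parameter. `SanitizeDelegateString()` also appears to be a copy of the static function added to magick/delegate.c earlier in the series; two private copies of a security filter will drift, so a single exported helper would be safer. Separately, the `FormatLocaleString()` result is discarded, so a passphrase close to `MagickPathExtent` would presumably be truncated before the closing quote; the returned length should be checked against the buffer size and the option skipped on overflow.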
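Review bot: The `License:` tag in ImageMagick.spec changes from `ImageMagick` to `ImageMagick and MIT` in the same hunk as the release bump, but the changelog entry added for 6.9.10.67-10 only mentions CVE-2020-29599. None of the ten patches shown adds a file, so the reason for the extra licence is not visible here. It should either be recorded in the changelog, for example `- correct License tag to "ImageMagick and MIT"`, or split into its own commit so the security update can be reviewed on its own.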
@@ -175,6 +185,9 @@ rm PerlMagick/demo/Generic.ttf %{_libdir}/pkgconfig/ImageMagick++* %changelog +* Wed Jan 13 2021 wangxiao - 6.9.10.67-10 +- fix CVE-2020-29599 + * Mon Jan 04 2021 wangxiao - 6.9.10.67-9 - fix CVE-2018-16329 CVE-2020-27759 CVE-2020-27760 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27765 CVE-2020-27765 CVE-2020-27766 CVE-2020-27767 CVE-2020-27770