diff --git a/CVE-2020-25664.patch b/CVE-2020-25664.patch new file mode 100644 index 0000000000000000000000000000000000000000..e01255d42662cd1858e3451809b99372057a65f6 --- /dev/null +++ b/CVE-2020-25664.patch @@ -0,0 +1,27 @@ +From 27d3ddedb73f63fa984ff5b4d66e07eef654070f Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Fri, 4 Oct 2019 19:08:29 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1716 + +--- + coders/png.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/coders/png.c b/coders/png.c +index 410741059..ee6fba297 100644 +--- a/coders/png.c ++++ b/coders/png.c +@@ -11177,11 +11177,11 @@ static MagickBooleanType WriteOnePNGImage(MngInfo *mng_info, + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " Allocating %.20g bytes of memory for pixels",(double) rowbytes); + } +- pixel_info=AcquireVirtualMemory(rowbytes,sizeof(*ping_pixels)); ++ pixel_info=AcquireVirtualMemory(rowbytes+256,sizeof(*ping_pixels)); + if (pixel_info == (MemoryInfo *) NULL) + png_error(ping,"Allocation of memory for pixels failed"); + ping_pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info); +- (void) memset(ping_pixels,0,rowbytes*sizeof(*ping_pixels)); ++ (void) memset(ping_pixels,0,(rowbytes+256)*sizeof(*ping_pixels)); + /* + Initialize image scanlines. + */ diff --git a/CVE-2020-27754-pre-1.patch b/CVE-2020-27754-pre-1.patch new file mode 100644 index 0000000000000000000000000000000000000000..c6dd6b966c9c141658c72faa5809c0d8d3b9a84f --- /dev/null +++ b/CVE-2020-27754-pre-1.patch @@ -0,0 +1,24 @@ +From 2000dd1a7da8098483b8937b53ff3b6ff3048c97 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 13 Oct 2019 12:16:40 -0400 +Subject: [PATCH] ... + +--- + magick/quantize.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/magick/quantize.c b/magick/quantize.c +index 9c081d3f9..355d69de7 100644 +--- a/magick/quantize.c ++++ b/magick/quantize.c +@@ -3218,8 +3218,8 @@ static int IntensityCompare(const void *x,const void *y) + + color_1=(PixelPacket *) x; + color_2=(PixelPacket *) y; +- intensity=(ssize_t) (PixelPacketIntensity(color_1)- +- PixelPacketIntensity(color_2)); ++ intensity=(ssize_t) PixelPacketIntensity(color_1)- ++ (ssize_t) PixelPacketIntensity(color_2)); + return((int) intensity); + } + diff --git a/CVE-2020-27754-pre-2.patch b/CVE-2020-27754-pre-2.patch new file mode 100644 index 0000000000000000000000000000000000000000..a0dde5fdfec222b856db4887bf90d7b2f7c3e961 --- /dev/null +++ b/CVE-2020-27754-pre-2.patch @@ -0,0 +1,22 @@ +From 8c5cbc85c397fff55b859b50c4bc2ab7a79571da Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 13 Oct 2019 15:22:43 -0400 +Subject: [PATCH] ... + +--- + magick/quantize.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/magick/quantize.c b/magick/quantize.c +index 355d69de7..37f58914a 100644 +--- a/magick/quantize.c ++++ b/magick/quantize.c +@@ -3219,7 +3219,7 @@ static int IntensityCompare(const void *x,const void *y) + color_1=(PixelPacket *) x; + color_2=(PixelPacket *) y; + intensity=(ssize_t) PixelPacketIntensity(color_1)- +- (ssize_t) PixelPacketIntensity(color_2)); ++ (ssize_t) PixelPacketIntensity(color_2); + return((int) intensity); + } + diff --git a/CVE-2020-27754.patch b/CVE-2020-27754.patch new file mode 100644 index 0000000000000000000000000000000000000000..4a2110d8261ae4df3703a7aa4f1dfb407bd376f2 --- /dev/null +++ b/CVE-2020-27754.patch @@ -0,0 +1,40 @@ +From d5df600d43c8706df513a3273d09aee6f54a9233 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Mon, 14 Oct 2019 19:56:17 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1754 + +--- + magick/quantize.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/magick/quantize.c b/magick/quantize.c +index 37f58914a..1d8cc61ff 100644 +--- a/magick/quantize.c ++++ b/magick/quantize.c +@@ -3207,6 +3207,15 @@ MagickExport MagickBooleanType RemapImages(const QuantizeInfo *quantize_info, + extern "C" { + #endif + ++static inline double ConstrainPixelIntensity(double x) ++{ ++ if (x < (double) -(SSIZE_MAX-512)) ++ return((double) -(SSIZE_MAX-512)); ++ if (x > (double) (SSIZE_MAX-512)) ++ return((double) (SSIZE_MAX-512)); ++ return(x); ++} ++ + static int IntensityCompare(const void *x,const void *y) + { + PixelPacket +@@ -3218,8 +3227,8 @@ static int IntensityCompare(const void *x,const void *y) + + color_1=(PixelPacket *) x; + color_2=(PixelPacket *) y; +- intensity=(ssize_t) PixelPacketIntensity(color_1)- +- (ssize_t) PixelPacketIntensity(color_2); ++ intensity=(ssize_t) ConstrainPixelIntensity(PixelPacketIntensity(color_1))- ++ (ssize_t) ConstrainPixelIntensity(PixelPacketIntensity(color_2)); + return((int) intensity); + } + diff --git a/ImageMagick.spec b/ImageMagick.spec index 6275d04903bac753b4e6191ddeeebce9a2b1e57e..120e219485d596e0ab62bad3230436c5f787df37 100644 --- a/ImageMagick.spec +++ b/ImageMagick.spec @@ -1,7 +1,7 @@ Name: ImageMagick Epoch: 1 Version: 6.9.10.67 -Release: 9 +Release: 10 Summary: Create, edit, compose, or convert bitmap images License: ImageMagick and MIT Url: http://www.imagemagick.org/ @@ -28,6 +28,10 @@ Patch0018: CVE-2020-29599-7.patch Patch0019: CVE-2020-29599-8.patch Patch0020: CVE-2020-29599-9.patch Patch0021: CVE-2020-29599-10.patch +Patch0022: CVE-2020-27754-pre-1.patch +Patch0023: CVE-2020-27754-pre-2.patch +Patch0024: CVE-2020-27754.patch +Patch0025: CVE-2020-25664.patch BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel @@ -184,6 +188,9 @@ rm PerlMagick/demo/Generic.ttf %{_libdir}/pkgconfig/ImageMagick++* %changelog +* Wed Feb 10 2021 zhanghua - 6.9.10.67-10 +- fix CVE-2020-25664 CVE-2020-27754 + * Wed Jan 13 2021 wangxiao - 6.9.10.67-9 - fix CVE-2020-29599