diff --git a/CVE-2020-25676.patch b/CVE-2020-25676.patch
new file mode 100644
index 0000000000000000000000000000000000000000..374b8c7f6ea670e01a20ed60e7e4948076cb09af
--- /dev/null
+++ b/CVE-2020-25676.patch
@@ -0,0 +1,51 @@
+From 94aeb3c40d25aee1051ba8eb3a31601558ef2506 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Tue, 8 Oct 2019 18:35:50 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1732
+
+---
+ magick/pixel.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/magick/pixel.c b/magick/pixel.c
+index 96eaf95db..1450a93e2 100644
+--- a/magick/pixel.c
++++ b/magick/pixel.c
+@@ -4418,6 +4418,15 @@ static inline void CatromWeights(const MagickRealType x,
+ (*weights)[2]=x-(*weights)[3]-gamma;
+ }
+
++static inline double ConstrainPixelOffset(double x)
++{
++ if (x < (double) -(SSIZE_MAX-512))
++ return((double) -(SSIZE_MAX-512));
++ if (x > (double) (SSIZE_MAX-512))
++ return((double) (SSIZE_MAX-512));
++ return(x);
++}
++
+ static inline void SplineWeights(const MagickRealType x,
+ MagickRealType (*weights)[4])
+ {
+@@ -4483,8 +4492,8 @@ MagickExport MagickBooleanType InterpolateMagickPixelPacket(
+ assert(image->signature == MagickCoreSignature);
+ assert(image_view != (CacheView *) NULL);
+ status=MagickTrue;
+- x_offset=(ssize_t) floor(x);
+- y_offset=(ssize_t) floor(y);
++ x_offset=(ssize_t) floor(ConstrainPixelOffset(x));
++ y_offset=(ssize_t) floor(ConstrainPixelOffset(y));
+ interpolate = method;
+ if (interpolate == UndefinedInterpolatePixel)
+ interpolate=image->interpolate;
+@@ -4502,8 +4511,8 @@ MagickExport MagickBooleanType InterpolateMagickPixelPacket(
+ if (interpolate == Average9InterpolatePixel)
+ {
+ count=3;
+- x_offset=(ssize_t) (floor(x+0.5)-1);
+- y_offset=(ssize_t) (floor(y+0.5)-1);
++ x_offset=(ssize_t) (floor(ConstrainPixelOffset(x)+0.5)-1);
++ y_offset=(ssize_t) (floor(ConstrainPixelOffset(y)+0.5)-1);
+ }
+ else
+ if (interpolate == Average16InterpolatePixel)
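Review bot: `ConstrainPixelOffset()` in the magick/pixel.c patch lets NaN through: both comparisons are false for a NaN `x`, so it is returned unchanged and `(ssize_t) floor(...)` at the call sites is still an out-of-range float-to-integer conversion. A leading guard such as `if (isnan(x)) return(0.0);` would close that case; whether callers can actually supply NaN is not visible here. The helper also deserves a one-line comment explaining the 512 margin, which appears to leave headroom for the small offsets added to `x_offset`/`y_offset` later (that code is outside the hunks). Only two sites in `InterpolateMagickPixelPacket()` are converted by this patch, so any other `(ssize_t) floor(x)` offset computation in the file would need the same treatment.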
diff --git a/CVE-2020-27768-pre2.patch b/CVE-2020-27751.patch
similarity index 100%
rename from CVE-2020-27768-pre2.patch
rename to CVE-2020-27751.patch
diff --git a/CVE-2020-27768-pre1.patch b/CVE-2020-27757.patch
similarity index 100%
rename from CVE-2020-27768-pre1.patch
rename to CVE-2020-27757.patch
diff --git a/CVE-2020-27758.patch b/CVE-2020-27758.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5ba3aaa07a797d39f6b29da07073470edd53f591
--- /dev/null
+++ b/CVE-2020-27758.patch
@@ -0,0 +1,40 @@
+From e5e15b4456c825f78554e2ef1cc6344fa1218448 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sat, 5 Oct 2019 09:44:24 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1719
+
+---
+ coders/txt.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/coders/txt.c b/coders/txt.c
+index 3a57bcece..9f0354ffb 100644
+--- a/coders/txt.c
++++ b/coders/txt.c
+@@ -572,16 +572,16 @@ static Image *ReadTXTImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ green+=(range+1)/2.0;
+ blue+=(range+1)/2.0;
+ }
+- pixel.red=(MagickRealType) ScaleAnyToQuantum((QuantumAny) (red+0.5),
+- range);
+- pixel.green=(MagickRealType) ScaleAnyToQuantum((QuantumAny) (green+0.5),
+- range);
+- pixel.blue=(MagickRealType) ScaleAnyToQuantum((QuantumAny) (blue+0.5),
+- range);
+- pixel.index=(MagickRealType) ScaleAnyToQuantum((QuantumAny) (index+0.5),
+- range);
+- pixel.opacity=(MagickRealType) ScaleAnyToQuantum((QuantumAny) (opacity+
+- 0.5),range);
++ pixel.red=(MagickRealType) ScaleAnyToQuantum((QuantumAny)
++ MagickMax(red+0.5,0.0),range);
++ pixel.green=(MagickRealType) ScaleAnyToQuantum((QuantumAny)
++ MagickMax(green+0.5,0.0),range);
++ pixel.blue=(MagickRealType) ScaleAnyToQuantum((QuantumAny)
++ MagickMax(blue+0.5,0.0),range);
++ pixel.index=(MagickRealType) ScaleAnyToQuantum((QuantumAny)
++ MagickMax(index+0.5,0.0),range);
++ pixel.opacity=(MagickRealType) ScaleAnyToQuantum((QuantumAny)
++ MagickMax(opacity+0.5,0.0),range);
+ q=GetAuthenticPixels(image,(ssize_t) x_offset,(ssize_t) y_offset,1,1,
+ exception);
+ if (q == (PixelPacket *) NULL)
diff --git a/CVE-2020-27766.patch b/CVE-2020-27766-CVE-2020-27774.patch
similarity index 100%
rename from CVE-2020-27766.patch
rename to CVE-2020-27766-CVE-2020-27774.patch
diff --git a/CVE-2020-27771.patch b/CVE-2020-27771.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a0928c3094b0fa6fe5e79d7069830a4e95c6d7f8
--- /dev/null
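Review bot: The `MagickMax(...,0.0)` clamp in the coders/txt.c patch bounds each component only from below, so a value larger than `QuantumAny` can represent still reaches the `(QuantumAny)` cast as an out-of-range conversion. If `red`, `green`, `blue`, `index` and `opacity` come straight from the parsed text (the parsing is outside the hunk), an upper bound is needed as well, e.g. `MagickMin(MagickMax(red+0.5,0.0),(double) range)`. The same expression is repeated five times, so a small static helper would keep both bounds in one place.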
+++ b/CVE-2020-27771.patch
@@ -0,0 +1,50 @@
+From a07ecde4c1c3a3efaa628434adc903295f6bb2b3 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 14 Oct 2019 19:41:20 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1753
+
+---
+ coders/pdf.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index 4da13db33..dd1a504e5 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -1991,7 +1991,7 @@ RestoreMSCWarning
+ break;
+ indexes=GetVirtualIndexQueue(image);
+ for (x=0; x < (ssize_t) image->columns; x++)
+- *q++=(unsigned char) GetPixelIndex(indexes+x);
++ *q++=(unsigned char) ((ssize_t) GetPixelIndex(indexes+x));
+ if (image->previous == (Image *) NULL)
+ {
+ status=SetImageProgress(image,SaveImageTag,
+@@ -2033,7 +2033,7 @@ RestoreMSCWarning
+ indexes=GetVirtualIndexQueue(image);
+ for (x=0; x < (ssize_t) image->columns; x++)
+ Ascii85Encode(image,(unsigned char)
+- GetPixelIndex(indexes+x));
++ ((ssize_t) GetPixelIndex(indexes+x)));
+ if (image->previous == (Image *) NULL)
+ {
+ status=SetImageProgress(image,SaveImageTag,
+@@ -2491,7 +2491,7 @@ RestoreMSCWarning
+ break;
+ indexes=GetVirtualIndexQueue(tile_image);
+ for (x=0; x < (ssize_t) tile_image->columns; x++)
+- *q++=(unsigned char) GetPixelIndex(indexes+x);
++ *q++=(unsigned char) ((ssize_t) GetPixelIndex(indexes+x));
+ }
+ #if defined(MAGICKCORE_ZLIB_DELEGATE)
+ if (compression == ZipCompression)
+@@ -2525,7 +2525,8 @@ RestoreMSCWarning
+ break;
+ indexes=GetVirtualIndexQueue(tile_image);
+ for (x=0; x < (ssize_t) tile_image->columns; x++)
+- Ascii85Encode(image,(unsigned char) GetPixelIndex(indexes+x));
++ Ascii85Encode(image,(unsigned char)
++ ((ssize_t) GetPixelIndex(indexes+x)));
+ }
+ Ascii85Flush(image);
+ break;
diff --git a/CVE-2020-27772.patch b/CVE-2020-27772.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d3b901495dbfa95cf3066b1f81dd25871b1f8c0b
--- /dev/null
+++ b/CVE-2020-27772.patch
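Review bot: The added `(ssize_t)` cast in the coders/pdf.c patch moves the conversion rather than bounding it. If `GetPixelIndex()` yields a floating-point value in this build (presumably the case the fix targets), a NaN or very large index is still out of range for `ssize_t`, and any in-range value above 255 is silently reduced modulo 256 by the outer `(unsigned char)` cast. Whether the colormap is limited to 256 entries before these loops is outside the hunks; if it is not, clamping to the 0..255 range would be safer than the double cast. The cast is repeated at four sites and deserves a one-line comment saying why the intermediate integer type is there.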
@@ -0,0 +1,72 @@
+From 7f819ef8855608d9cb1ded5e4f30cdfff1da7c11 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sun, 13 Oct 2019 11:50:29 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1749
+
+---
+ PerlMagick/t/write.t | 2 +-
+ coders/bmp.c | 24 ++++++++++++------------
+ 2 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/PerlMagick/t/write.t b/PerlMagick/t/write.t
+index 3c530f154..d410fa48e 100644
+--- a/PerlMagick/t/write.t
++++ b/PerlMagick/t/write.t
+@@ -107,7 +107,7 @@ print("Portable bitmap format (black and white), binary format ...\n");
+ testReadWrite( 'PBM:input_p4.pbm',
+ 'PBM:output_p4.pbm',
+ q//,
+- '83175f7bcc43fb71212dee254c85e355c18bcd25f35d3b9caba66fff7341fa64');
++ '217921c0cce7fff17eea865d2ee2075afbc054ce7f4209b3cfeb22f58d8b3e3e');
+
+ print("ZSoft IBM PC Paintbrush file ...\n");
+ ++$test;
+diff --git a/coders/bmp.c b/coders/bmp.c
+index 13ccefcfc..f7104a212 100644
+--- a/coders/bmp.c
++++ b/coders/bmp.c
+@@ -2311,32 +2311,32 @@ static MagickBooleanType WriteBMPImage(const ImageInfo *image_info,Image *image)
+ (void) WriteBlobLSBLong(image,0x73524742U); /* sRGB */
+ }
+ (void) WriteBlobLSBLong(image,(unsigned int)
+- (image->chromaticity.red_primary.x*0x40000000));
++ ((ssize_t) image->chromaticity.red_primary.x*0x40000000));
+ (void) WriteBlobLSBLong(image,(unsigned int)
+- (image->chromaticity.red_primary.y*0x40000000));
++ ((ssize_t) image->chromaticity.red_primary.y*0x40000000));
+ (void) WriteBlobLSBLong(image,(unsigned int)
+- ((1.000f-(image->chromaticity.red_primary.x+
++ ((ssize_t) (1.000f-(image->chromaticity.red_primary.x+
+ image->chromaticity.red_primary.y))*0x40000000));
+ (void) WriteBlobLSBLong(image,(unsigned int)
+- (image->chromaticity.green_primary.x*0x40000000));
++ ((ssize_t) image->chromaticity.green_primary.x*0x40000000));
+ (void) WriteBlobLSBLong(image,(unsigned int)
+- (image->chromaticity.green_primary.y*0x40000000));
++ ((ssize_t) image->chromaticity.green_primary.y*0x40000000));
+ (void) WriteBlobLSBLong(image,(unsigned int)
+- ((1.000f-(image->chromaticity.green_primary.x+
++ ((ssize_t) (1.000f-(image->chromaticity.green_primary.x+
+ image->chromaticity.green_primary.y))*0x40000000));
+ (void) WriteBlobLSBLong(image,(unsigned int)
+- (image->chromaticity.blue_primary.x*0x40000000));
++ ((ssize_t) image->chromaticity.blue_primary.x*0x40000000));
+ (void) WriteBlobLSBLong(image,(unsigned int)
+- (image->chromaticity.blue_primary.y*0x40000000));
++ ((ssize_t) image->chromaticity.blue_primary.y*0x40000000));
+ (void) WriteBlobLSBLong(image,(unsigned int)
+- ((1.000f-(image->chromaticity.blue_primary.x+
++ ((ssize_t) (1.000f-(image->chromaticity.blue_primary.x+
+ image->chromaticity.blue_primary.y))*0x40000000));
+ (void) WriteBlobLSBLong(image,(unsigned int)
+- (bmp_info.gamma_scale.x*0x10000));
++ ((ssize_t) bmp_info.gamma_scale.x*0x10000));
+ (void) WriteBlobLSBLong(image,(unsigned int)
+- (bmp_info.gamma_scale.y*0x10000));
++ ((ssize_t) bmp_info.gamma_scale.y*0x10000));
+ (void) WriteBlobLSBLong(image,(unsigned int)
+- (bmp_info.gamma_scale.z*0x10000));
++ ((ssize_t) bmp_info.gamma_scale.z*0x10000));
+ if ((image->rendering_intent != UndefinedIntent) ||
+ (profile != (StringInfo *) NULL))
+ {
diff --git a/CVE-2020-27775.patch b/CVE-2020-27775.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c06864e9c3f58e91b0a8396397279696883e5a91
--- /dev/null
+++ b/CVE-2020-27775.patch
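Review bot: In the coders/bmp.c patch the new cast binds tighter than the multiplication: `(ssize_t) image->chromaticity.red_primary.x*0x40000000` parses as `((ssize_t) x)*0x40000000`, so the chromaticity is truncated to an integer before it is scaled. Assuming these fields are floating-point (the `1.000f-(...)` arithmetic suggests so), typical values below 1.0 would be written to the BMP header as 0 instead of the fixed-point value. The cast should wrap the product, `((ssize_t) (image->chromaticity.red_primary.x*0x40000000))`, and likewise for the other eight chromaticity lines and the three `gamma_scale` lines. A BMP write/read round-trip check on the endpoints would catch this; the only test change in the patch is a PBM checksum.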
@@ -0,0 +1,28 @@
+From 78d9987ae80a95865c9f139afde0dcf3fd832ddc Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Wed, 9 Oct 2019 19:34:55 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1737
+
+---
+ magick/statistic.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/magick/statistic.c b/magick/statistic.c
+index 87a9a42f4..2db7c858f 100644
+--- a/magick/statistic.c
++++ b/magick/statistic.c
+@@ -353,8 +353,12 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
+ }
+ case PowEvaluateOperator:
+ {
+- result=(MagickRealType) (QuantumRange*pow((double) (QuantumScale*pixel),
+- (double) value));
++ if (pixel < 0)
++ result=(MagickRealType) -(QuantumRange*pow((double) -(QuantumScale*
++ pixel),(double) value));
++ else
++ result=(MagickRealType) (QuantumRange*pow((double) (QuantumScale*pixel),
++ (double) value));
+ break;
+ }
+ case RightShiftEvaluateOperator:
diff --git a/ImageMagick.spec b/ImageMagick.spec
index 7ed341c61907742fd1c2000bd2d3f2c4b54d57ac..9efad5d18b44bd899a14d9773f34feccc0b08b3f 100644
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@@ -1,7 +1,7 @@
 Name: ImageMagick
 Epoch: 1
 Version: 6.9.10.67
-Release: 17
+Release: 19
 Summary: Create, edit, compose, or convert bitmap images
 License: ImageMagick and MIT
 Url: http://www.imagemagick.org/
@@ -15,7 +15,7 @@ Patch0005: CVE-2020-27761.patch
 Patch0006: CVE-2020-27762.patch
 Patch0007: CVE-2020-27764.patch
 Patch0008: CVE-2020-27765.patch
-Patch0009: CVE-2020-27766.patch
+Patch0009: CVE-2020-27766-CVE-2020-27774.patch
 Patch0010: CVE-2020-27767.patch
 Patch0011: CVE-2020-27770.patch
 Patch0012: CVE-2020-29599-1.patch
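Review bot: The new `pixel < 0` branch in the magick/statistic.c patch changes results for some inputs, not only the undefined ones: the original returned a positive value for a negative pixel raised to an even integer `value`, while the mirrored form `-(QuantumRange*pow(-(QuantumScale*pixel),value))` always returns a negative one. If that odd-symmetric extension is intended, it should be stated in a comment above the branch, for example `/* negative pixels: apply pow() to the magnitude and restore the sign, so a fractional exponent cannot produce NaN */`. The type of `pixel` is declared outside the hunk; if it is unsigned in some build configurations the test is always false there and the branch is dead code.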
@@ -35,8 +35,8 @@ Patch0025: CVE-2020-25664.patch Patch0026: CVE-2021-20176.patch Patch0027: CVE-2020-27763.patch Patch0028: CVE-2020-27773.patch -Patch0029: CVE-2020-27768-pre1.patch -Patch0030: CVE-2020-27768-pre2.patch +Patch0029: CVE-2020-27757.patch +Patch0030: CVE-2020-27751.patch Patch0031: CVE-2020-27768.patch Patch0032: CVE-2020-27750.patch Patch0033: CVE-2020-25665.patch @@ -44,6 +44,11 @@ Patch0034: CVE-2020-25674.patch Patch0035: CVE-2021-20241-CVE-2021-20243.patch Patch0036: CVE-2021-20244.patch Patch0037: CVE-2021-20246.patch +Patch0038: CVE-2020-25676.patch +Patch0039: CVE-2020-27758.patch +Patch0040: CVE-2020-27771.patch +Patch0041: CVE-2020-27772.patch +Patch0042: CVE-2020-27775.patch BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel @@ -200,7 +205,11 @@ rm PerlMagick/demo/Generic.ttf %{_libdir}/pkgconfig/ImageMagick++* %changelog -* Tue Mar 23 2021 zhanghua - 6.9.10.67-17 +* Wed Mar 31 2021 wangxiao - 6.9.10.67-19 +- Fix CVE-2020-25676 CVE-2020-27757 CVE-2020-27758 CVE-2020-27771 + CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2020-27751 + +* Tue Mar 23 2021 zhanghua - 6.9.10.67-18 - Fix CVE-2021-20246 * Mon Mar 22 2021 wangxiao - 6.9.10.67-16