diff --git a/CVE-2020-25666-1.patch b/CVE-2020-25666-1.patch new file mode 100644 index 0000000000000000000000000000000000000000..429c392c39980db2ec015b522e6a5b0335911a28 --- /dev/null +++ b/CVE-2020-25666-1.patch @@ -0,0 +1,30 @@ +From 91ae12c57f3b9b23f2072462c27a8378b59f395e Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 13 Oct 2019 11:56:58 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1750 + +--- + magick/histogram.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/magick/histogram.c b/magick/histogram.c +index 36b803a77..68e25fc83 100644 +--- a/magick/histogram.c ++++ b/magick/histogram.c +@@ -1157,12 +1157,12 @@ static int HistogramCompare(const void *x,const void *y) + color_1=(const ColorPacket *) x; + color_2=(const ColorPacket *) y; + if (color_2->pixel.red != color_1->pixel.red) +- return((int) color_1->pixel.red-(int) color_2->pixel.red); ++ return((int) ((ssize_t) color_1->red-(ssize_t) color_2->red)); + if (color_2->pixel.green != color_1->pixel.green) +- return((int) color_1->pixel.green-(int) color_2->pixel.green); ++ return((int) ((ssize_t) color_1->green-(ssize_t) color_2->green)); + if (color_2->pixel.blue != color_1->pixel.blue) +- return((int) color_1->pixel.blue-(int) color_2->pixel.blue); +- return((int) color_2->count-(int) color_1->count); ++ return((int) ((ssize_t) color_1->blue-(ssize_t) color_2->blue)); ++ return((int) ((ssize_t) color_2->count-(ssize_t) color_1->count)); + } + + #if defined(__cplusplus) || defined(c_plusplus) diff --git a/CVE-2020-25666-2.patch b/CVE-2020-25666-2.patch new file mode 100644 index 0000000000000000000000000000000000000000..8404ce0f223e40da2f63c390926b11d3b8910a28 --- /dev/null +++ b/CVE-2020-25666-2.patch @@ -0,0 +1,28 @@ +From 245d884e1868ff9b932adad5fcacf9e3e1eb4c7f Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 13 Oct 2019 14:44:54 -0400 +Subject: [PATCH] ... + +--- + magick/histogram.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/magick/histogram.c b/magick/histogram.c +index 68e25fc83..ca210f71c 100644 +--- a/magick/histogram.c ++++ b/magick/histogram.c +@@ -1157,11 +1157,11 @@ static int HistogramCompare(const void *x,const void *y) + color_1=(const ColorPacket *) x; + color_2=(const ColorPacket *) y; + if (color_2->pixel.red != color_1->pixel.red) +- return((int) ((ssize_t) color_1->red-(ssize_t) color_2->red)); ++ return((int) ((ssize_t) color_1->pixel.red-(ssize_t) color_2->pixel.red)); + if (color_2->pixel.green != color_1->pixel.green) +- return((int) ((ssize_t) color_1->green-(ssize_t) color_2->green)); ++ return((int) ((ssize_t) color_1->pixel.green-(ssize_t) color_2->pixel.green)); + if (color_2->pixel.blue != color_1->pixel.blue) +- return((int) ((ssize_t) color_1->blue-(ssize_t) color_2->blue)); ++ return((int) ((ssize_t) color_1->pixel.blue-(ssize_t) color_2->pixel.blue)); + return((int) ((ssize_t) color_2->count-(ssize_t) color_1->count)); + } + diff --git a/CVE-2020-25675.patch b/CVE-2020-25675.patch new file mode 100644 index 0000000000000000000000000000000000000000..8708db90d150b2cd15a3c04dfe39ab920d96007e --- /dev/null +++ b/CVE-2020-25675.patch @@ -0,0 +1,86 @@ +From 6b169173585127299f4724f7880b575879c7f033 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Tue, 8 Oct 2019 19:06:11 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1731 + +--- + magick/transform.c | 31 ++++++++++++++++++++----------- + 1 file changed, 20 insertions(+), 11 deletions(-) + +diff --git a/magick/transform.c b/magick/transform.c +index 9edac6210..bbf351aa8 100644 +--- a/magick/transform.c ++++ b/magick/transform.c +@@ -829,14 +829,23 @@ MagickExport Image *CropImage(const Image *image,const RectangleInfo *geometry, + % + */ + +-static inline double MagickRound(double x) ++static inline double ConstrainPixelOffset(double x) ++{ ++ if (x < (double) -(SSIZE_MAX-512)) ++ return((double) -(SSIZE_MAX-512)); ++ if (x > (double) (SSIZE_MAX-512)) ++ return((double) (SSIZE_MAX-512)); ++ return(x); ++} ++ ++static inline ssize_t PixelRoundOffset(double x) + { + /* + Round the fraction to nearest integer. + */ + if ((x-floor(x)) < (ceil(x)-x)) +- return(floor(x)); +- return(ceil(x)); ++ return((ssize_t) floor(ConstrainPixelOffset(x))); ++ return((ssize_t) ceil(ConstrainPixelOffset(x))); + } + + MagickExport Image *CropImageToTiles(const Image *image, +@@ -901,18 +910,18 @@ MagickExport Image *CropImageToTiles(const Image *image, + { + if ((flags & AspectValue) == 0) + { +- crop.y=(ssize_t) MagickRound((MagickRealType) (offset.y- ++ crop.y=PixelRoundOffset((MagickRealType) (offset.y- + (geometry.y > 0 ? 0 : geometry.y))); + offset.y+=delta.y; /* increment now to find width */ +- crop.height=(size_t) MagickRound((MagickRealType) (offset.y+ ++ crop.height=(size_t) PixelRoundOffset((MagickRealType) (offset.y+ + (geometry.y < 0 ? 0 : geometry.y))); + } + else + { +- crop.y=(ssize_t) MagickRound((MagickRealType) (offset.y- ++ crop.y=PixelRoundOffset((MagickRealType) (offset.y- + (geometry.y > 0 ? geometry.y : 0))); + offset.y+=delta.y; /* increment now to find width */ +- crop.height=(size_t) MagickRound((MagickRealType) (offset.y+ ++ crop.height=(size_t) PixelRoundOffset((MagickRealType) (offset.y+ + (geometry.y < 0 ? geometry.y : 0))); + } + crop.height-=crop.y; +@@ -921,18 +930,18 @@ MagickExport Image *CropImageToTiles(const Image *image, + { + if ((flags & AspectValue) == 0) + { +- crop.x=(ssize_t) MagickRound((MagickRealType) (offset.x- ++ crop.x=PixelRoundOffset((MagickRealType) (offset.x- + (geometry.x > 0 ? 0 : geometry.x))); + offset.x+=delta.x; /* increment now to find height */ +- crop.width=(size_t) MagickRound((MagickRealType) (offset.x+ ++ crop.width=(size_t) PixelRoundOffset((MagickRealType) (offset.x+ + (geometry.x < 0 ? 0 : geometry.x))); + } + else + { +- crop.x=(ssize_t) MagickRound((MagickRealType) (offset.x- ++ crop.x=PixelRoundOffset((MagickRealType) (offset.x- + (geometry.x > 0 ? geometry.x : 0))); + offset.x+=delta.x; /* increment now to find height */ +- crop.width=(size_t) MagickRound((MagickRealType) (offset.x+ ++ crop.width=(size_t) PixelRoundOffset((MagickRealType) (offset.x+ + (geometry.x < 0 ? geometry.x : 0))); + } + crop.width-=crop.x; diff --git a/ImageMagick.spec b/ImageMagick.spec index 5c06fb9e728a67bcf0d779afa22e71aa00c869fc..8303a6b535ab69b4ed07190e6d1fd614972d357f 100644 --- a/ImageMagick.spec +++ b/ImageMagick.spec @@ -1,7 +1,7 @@ Name: ImageMagick Epoch: 1 Version: 6.9.10.67 -Release: 19 +Release: 20 Summary: Create, edit, compose, or convert bitmap images License: ImageMagick and MIT Url: http://www.imagemagick.org/ @@ -49,6 +49,9 @@ Patch0039: CVE-2020-27758.patch Patch0040: CVE-2020-27771.patch Patch0041: CVE-2020-27772.patch Patch0042: CVE-2020-27775.patch +Patch0043: CVE-2020-25666-1.patch +Patch0044: CVE-2020-25666-2.patch +Patch0045: CVE-2020-25675.patch BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel @@ -205,6 +208,9 @@ rm PerlMagick/demo/Generic.ttf %{_libdir}/pkgconfig/ImageMagick++* %changelog +* Tue Apr 6 2021 wangxiao - 6.9.10.67-20 +- Fix CVE-2020-25666 CVE-2020-25675 + * Wed Mar 31 2021 wangxiao - 6.9.10.67-19 - Fix CVE-2020-25676 CVE-2020-27757 CVE-2020-27758 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2020-27751