SECURITY UPDATE

This commit is contained in:
rtlhq 2023-07-17 22:41:41 +08:00
parent 1bc188585f
commit fcde5a9947
11 changed files with 761 additions and 1 deletions

14
debian/changelog vendored
View File

@ -1,3 +1,15 @@
imagemagick (8:6.9.11.60+dfsg-ok1.2) yangtze; urgency=medium
* SECURITY UPDATE: heap-based buffer overflow issue
- CVE-2021-3610
- CVE-2023-3428
- CVE-2023-1289
- CVE-2023-1906
- CVE-2023-3195
- CVE-2023-34151
-- rtlhq <nobelxyz@163.com> Mon, 17 Jul 2023 20:40:36 +0800
imagemagick (8:6.9.11.60+dfsg-ok1.1) yangtze; urgency=medium
* SECURITY UPDATE: heap-based buffer overflow issue
@ -24,4 +36,4 @@ imagemagick (8:6.9.11.60+dfsg-ok1) yangtze; urgency=medium
* Build for openKylin.
-- rtlhq <nobelxyz@163.com> Fri, 03 Feb 2023 12:00:43 +0800
-- rtlhq <nobelxyz@163.com> Fri, 03 Feb 2023 12:00:43 +0800

21
debian/patches/CVE-2021-3610.patch vendored Normal file
View File

@ -0,0 +1,21 @@
From 930ff0d1a9bc42925a7856e9ea53f5fc9f318bf3 Mon Sep 17 00:00:00 2001
From: Cristy <mikayla-grace@urban-warrior.org>
Date: Thu, 27 May 2021 10:30:17 -0400
Subject: [PATCH] eliminate heap buffer overflow vulnerability, thanks to
ZhangJiaxing (@r0fm1a) from Codesafe Team of Legendsec at Qi'anxin Group
---
coders/tiff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- imagemagick-6.9.11.60+dfsg.orig/coders/tiff.c
+++ imagemagick-6.9.11.60+dfsg/coders/tiff.c
@@ -1872,7 +1872,7 @@ static Image *ReadTIFFImage(const ImageI
/*
Convert stripped TIFF image.
*/
- extent=2*TIFFStripSize(tiff);
+ extent=4*TIFFStripSize(tiff);
#if defined(TIFF_VERSION_BIG)
extent+=image->columns*sizeof(uint64);
#else

View File

@ -0,0 +1,208 @@
From e8c0090c6d2df7b1553053dca2008e96724204bf Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Mon, 6 Mar 2023 14:46:21 -0500
Subject: [PATCH] recursion detection framework
---
magick/constitute.c | 12 +++++++++
magick/draw.c | 64 ++++++++++++++++++---------------------------
magick/draw.h | 3 +++
magick/image.c | 1 +
magick/image.h | 3 +++
5 files changed, 45 insertions(+), 38 deletions(-)
--- imagemagick-6.9.11.60+dfsg.orig/magick/constitute.c
+++ imagemagick-6.9.11.60+dfsg/magick/constitute.c
@@ -77,6 +77,11 @@
#include "magick/transform.h"
#include "magick/utility.h"
+/*
+ Define declarations.
+*/
+#define MaxReadRecursionDepth 100
+
/*
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
@@ -558,9 +563,16 @@ MagickExport Image *ReadImage(const Imag
if ((thread_support & DecoderThreadSupport) == 0)
LockSemaphoreInfo(magick_info->semaphore);
status=IsCoderAuthorized(read_info->magick,ReadPolicyRights,exception);
+ if (((ImageInfo *) image_info)->recursion_depth++ > MaxReadRecursionDepth)
+ {
+ (void) ThrowMagickException(exception,GetMagickModule(),CoderError,
+ "NumberOfImagesIsNotSupported","`%s'",read_info->magick);
+ status=MagickFalse;
+ }
image=(Image *) NULL;
if (status != MagickFalse)
image=GetImageDecoder(magick_info)(read_info,exception);
+ ((ImageInfo *) image_info)->recursion_depth--;
if ((thread_support & DecoderThreadSupport) == 0)
UnlockSemaphoreInfo(magick_info->semaphore);
}
--- imagemagick-6.9.11.60+dfsg.orig/magick/draw.c
+++ imagemagick-6.9.11.60+dfsg/magick/draw.c
@@ -381,6 +381,7 @@ MagickExport DrawInfo *CloneDrawInfo(con
clone_info->composite_mask=CloneImage(draw_info->composite_mask,0,0,
MagickTrue,&draw_info->composite_mask->exception);
clone_info->render=draw_info->render;
+ clone_info->image_info=CloneImageInfo(draw_info->image_info);
clone_info->debug=IsEventLogging();
return(clone_info);
}
@@ -5820,21 +5821,18 @@ MagickExport void GetDrawInfo(const Imag
ExceptionInfo
*exception;
- ImageInfo
- *clone_info;
-
/*
Initialize draw attributes.
*/
(void) LogMagickEvent(TraceEvent,GetMagickModule(),"...");
assert(draw_info != (DrawInfo *) NULL);
(void) memset(draw_info,0,sizeof(*draw_info));
- clone_info=CloneImageInfo(image_info);
+ draw_info->image_info=CloneImageInfo(image_info);
GetAffineMatrix(&draw_info->affine);
exception=AcquireExceptionInfo();
(void) QueryColorDatabase("#000F",&draw_info->fill,exception);
(void) QueryColorDatabase("#FFF0",&draw_info->stroke,exception);
- draw_info->stroke_antialias=clone_info->antialias;
+ draw_info->stroke_antialias=draw_info->image_info->antialias;
draw_info->stroke_width=1.0;
draw_info->fill_rule=EvenOddRule;
draw_info->opacity=OpaqueOpacity;
@@ -5844,64 +5842,64 @@ MagickExport void GetDrawInfo(const Imag
draw_info->linejoin=MiterJoin;
draw_info->miterlimit=10;
draw_info->decorate=NoDecoration;
- if (clone_info->font != (char *) NULL)
- draw_info->font=AcquireString(clone_info->font);
- if (clone_info->density != (char *) NULL)
- draw_info->density=AcquireString(clone_info->density);
- draw_info->text_antialias=clone_info->antialias;
+ if (draw_info->image_info->font != (char *) NULL)
+ draw_info->font=AcquireString(draw_info->image_info->font);
+ if (draw_info->image_info->density != (char *) NULL)
+ draw_info->density=AcquireString(draw_info->image_info->density);
+ draw_info->text_antialias=draw_info->image_info->antialias;
draw_info->pointsize=12.0;
- if (fabs(clone_info->pointsize) >= MagickEpsilon)
- draw_info->pointsize=clone_info->pointsize;
+ if (fabs(draw_info->image_info->pointsize) >= MagickEpsilon)
+ draw_info->pointsize=draw_info->image_info->pointsize;
draw_info->undercolor.opacity=(Quantum) TransparentOpacity;
- draw_info->border_color=clone_info->border_color;
+ draw_info->border_color=draw_info->image_info->border_color;
draw_info->compose=OverCompositeOp;
- if (clone_info->server_name != (char *) NULL)
- draw_info->server_name=AcquireString(clone_info->server_name);
+ if (draw_info->image_info->server_name != (char *) NULL)
+ draw_info->server_name=AcquireString(draw_info->image_info->server_name);
draw_info->render=MagickTrue;
draw_info->clip_path=MagickFalse;
draw_info->debug=IsEventLogging();
- option=GetImageOption(clone_info,"direction");
+ option=GetImageOption(draw_info->image_info,"direction");
if (option != (const char *) NULL)
draw_info->direction=(DirectionType) ParseCommandOption(
MagickDirectionOptions,MagickFalse,option);
else
draw_info->direction=UndefinedDirection;
- option=GetImageOption(clone_info,"encoding");
+ option=GetImageOption(draw_info->image_info,"encoding");
if (option != (const char *) NULL)
(void) CloneString(&draw_info->encoding,option);
- option=GetImageOption(clone_info,"family");
+ option=GetImageOption(draw_info->image_info,"family");
if (option != (const char *) NULL)
(void) CloneString(&draw_info->family,option);
- option=GetImageOption(clone_info,"fill");
+ option=GetImageOption(draw_info->image_info,"fill");
if (option != (const char *) NULL)
(void) QueryColorDatabase(option,&draw_info->fill,exception);
- option=GetImageOption(clone_info,"gravity");
+ option=GetImageOption(draw_info->image_info,"gravity");
if (option != (const char *) NULL)
draw_info->gravity=(GravityType) ParseCommandOption(MagickGravityOptions,
MagickFalse,option);
- option=GetImageOption(clone_info,"interline-spacing");
+ option=GetImageOption(draw_info->image_info,"interline-spacing");
if (option != (const char *) NULL)
draw_info->interline_spacing=GetDrawValue(option,&next_token);
- option=GetImageOption(clone_info,"interword-spacing");
+ option=GetImageOption(draw_info->image_info,"interword-spacing");
if (option != (const char *) NULL)
draw_info->interword_spacing=GetDrawValue(option,&next_token);
- option=GetImageOption(clone_info,"kerning");
+ option=GetImageOption(draw_info->image_info,"kerning");
if (option != (const char *) NULL)
draw_info->kerning=GetDrawValue(option,&next_token);
- option=GetImageOption(clone_info,"stroke");
+ option=GetImageOption(draw_info->image_info,"stroke");
if (option != (const char *) NULL)
(void) QueryColorDatabase(option,&draw_info->stroke,exception);
- option=GetImageOption(clone_info,"strokewidth");
+ option=GetImageOption(draw_info->image_info,"strokewidth");
if (option != (const char *) NULL)
draw_info->stroke_width=GetDrawValue(option,&next_token);
- option=GetImageOption(clone_info,"style");
+ option=GetImageOption(draw_info->image_info,"style");
if (option != (const char *) NULL)
draw_info->style=(StyleType) ParseCommandOption(MagickStyleOptions,
MagickFalse,option);
- option=GetImageOption(clone_info,"undercolor");
+ option=GetImageOption(draw_info->image_info,"undercolor");
if (option != (const char *) NULL)
(void) QueryColorDatabase(option,&draw_info->undercolor,exception);
- option=GetImageOption(clone_info,"weight");
+ option=GetImageOption(draw_info->image_info,"weight");
if (option != (const char *) NULL)
{
ssize_t
@@ -5914,7 +5912,6 @@ MagickExport void GetDrawInfo(const Imag
}
exception=DestroyExceptionInfo(exception);
draw_info->signature=MagickCoreSignature;
- clone_info=DestroyImageInfo(clone_info);
}
/*
--- imagemagick-6.9.11.60+dfsg.orig/magick/draw.h
+++ imagemagick-6.9.11.60+dfsg/magick/draw.h
@@ -354,6 +354,9 @@ typedef struct _DrawInfo
char
*id;
+
+ ImageInfo
+ *image_info;
} DrawInfo;
typedef struct _PrimitiveInfo
--- imagemagick-6.9.11.60+dfsg.orig/magick/image.c
+++ imagemagick-6.9.11.60+dfsg/magick/image.c
@@ -1008,6 +1008,7 @@ MagickExport ImageInfo *CloneImageInfo(c
clone_info->subimage=image_info->scene; /* deprecated */
clone_info->subrange=image_info->number_scenes; /* deprecated */
clone_info->channel=image_info->channel;
+ clone_info->recursion_depth=image_info->recursion_depth;
clone_info->debug=IsEventLogging();
clone_info->signature=image_info->signature;
return(clone_info);
--- imagemagick-6.9.11.60+dfsg.orig/magick/image.h
+++ imagemagick-6.9.11.60+dfsg/magick/image.h
@@ -499,6 +499,9 @@ struct _ImageInfo
MagickBooleanType
synchronize;
+
+ size_t
+ recursion_depth; /* recursion detection */
};
extern MagickExport ExceptionType

21
debian/patches/CVE-2023-1289.patch vendored Normal file
View File

@ -0,0 +1,21 @@
[Ubuntu note: darw.c file exist in "magick" folder instead of "MagickCore" for
this release]
From c5b23cbf2119540725e6dc81f4deb25798ead6a4 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Mon, 6 Mar 2023 15:26:32 -0500
Subject: [PATCH] erecursion detection
---
MagickCore/draw.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- imagemagick-6.9.11.60+dfsg.orig/magick/draw.c
+++ imagemagick-6.9.11.60+dfsg/magick/draw.c
@@ -5444,6 +5444,7 @@ MagickExport MagickBooleanType DrawPrimi
if (primitive_info->text == (char *) NULL)
break;
clone_info=AcquireImageInfo();
+ clone_info->recursion_depth=draw_info->image_info->recursion_depth;
composite_images=(Image *) NULL;
if (LocaleNCompare(primitive_info->text,"data:",5) == 0)
composite_images=ReadInlineImage(clone_info,primitive_info->text,

56
debian/patches/CVE-2023-1906.patch vendored Normal file
View File

@ -0,0 +1,56 @@
[Ubuntu note: this is backport of the original patch having multiple pre-patch
changes]
From e30c693b37c3b41723f1469d1226a2c814ca443d Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 1 Apr 2023 07:32:01 -0400
Subject: [PATCH] possible heap buffer overflow
(https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-35q2-86c7-9247)
---
coders/tiff.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- imagemagick-6.9.11.60+dfsg.orig/coders/tiff.c
+++ imagemagick-6.9.11.60+dfsg/coders/tiff.c
@@ -1872,12 +1872,8 @@ static Image *ReadTIFFImage(const ImageI
/*
Convert stripped TIFF image.
*/
- extent=4*TIFFStripSize(tiff);
-#if defined(TIFF_VERSION_BIG)
- extent+=image->columns*sizeof(uint64);
-#else
- extent+=image->columns*sizeof(uint32);
-#endif
+ extent=MagickMax(sizeof(uint32),(samples_per_pixel+extra_samples)*
+ (image->depth+7)/8)*image->columns*rows_per_strip;
strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*strip_pixels));
if (strip_pixels == (unsigned char *) NULL)
@@ -1972,12 +1968,8 @@ static Image *ReadTIFFImage(const ImageI
number_pixels=(MagickSizeType) columns*rows;
if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
- extent=TIFFTileSize(tiff);
-#if defined(TIFF_VERSION_BIG)
- extent+=columns*sizeof(uint64);
-#else
- extent+=columns*sizeof(uint32);
-#endif
+ extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
+ TIFFTileSize(tiff));
tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*tile_pixels));
if (tile_pixels == (unsigned char *) NULL)
@@ -2071,11 +2063,6 @@ static Image *ReadTIFFImage(const ImageI
if (HeapOverflowSanityCheck(image->rows,sizeof(*pixels)) != MagickFalse)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
number_pixels=(MagickSizeType) image->columns*image->rows;
-#if defined(TIFF_VERSION_BIG)
- number_pixels+=image->columns*sizeof(uint64);
-#else
- number_pixels+=image->columns*sizeof(uint32);
-#endif
generic_info=AcquireVirtualMemory(number_pixels,sizeof(*pixels));
if (generic_info == (MemoryInfo *) NULL)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");

25
debian/patches/CVE-2023-3195.patch vendored Normal file
View File

@ -0,0 +1,25 @@
[Ubuntu note: Backport for this release]
From 85a370c79afeb45a97842b0959366af5236e9023 Mon Sep 17 00:00:00 2001
From: Cristy <mikayla-grace@urban-warrior.org>
Date: Tue, 19 Oct 2021 14:53:41 -0400
Subject: [PATCH] fix stack overflow when parsing malicious tiff image
---
ChangeLog | 2 ++
coders/tiff.c | 5 +++++
2 files changed, 7 insertions(+)
--- imagemagick-6.9.11.60+dfsg.orig/coders/tiff.c
+++ imagemagick-6.9.11.60+dfsg/coders/tiff.c
@@ -1970,6 +1970,11 @@ static Image *ReadTIFFImage(const ImageI
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
TIFFTileSize(tiff));
+#if defined(TIFF_VERSION_BIG)
+ extent+=image->columns*sizeof(uint64);
+#else
+ extent+=image->columns*sizeof(uint32);
+#endif
tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*tile_pixels));
if (tile_pixels == (unsigned char *) NULL)

View File

@ -0,0 +1,44 @@
[Ubuntu note: just adding the required changes for image-private header file]
From ca4b4c6d3471ad2d19ccdf12a7380f0628e3ce77 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Thu, 13 Apr 2023 11:42:11 -0400
Subject: [PATCH] add additional checks for casting double to size_t
---
coders/histogram.c | 6 ++--
coders/jpeg.c | 3 +-
coders/pcl.c | 4 +--
coders/png.c | 16 +++++-----
coders/tiff.c | 4 +--
coders/txt.c | 4 +--
magick/annotate.c | 8 ++---
magick/constitute.c | 2 +-
magick/draw.c | 66 ++++++++++++++++++++---------------------
magick/effect.c | 8 ++---
magick/gem.c | 2 +-
magick/geometry.c | 32 ++++++++++----------
magick/image-private.h | 38 ++++++++++++++++--------
magick/image.c | 20 ++++++-------
magick/pixel.c | 12 ++++----
magick/profile.c | 8 ++---
magick/property.c | 4 +--
magick/shear.c | 18 +++++------
magick/studio.h | 2 --
magick/transform.c | 4 +--
magick/visual-effects.c | 40 ++++++++++++-------------
wand/drawing-wand.c | 8 ++---
wand/studio.h | 2 --
23 files changed, 161 insertions(+), 150 deletions(-)
--- imagemagick-6.9.11.60+dfsg.orig/magick/image-private.h
+++ imagemagick-6.9.11.60+dfsg/magick/image-private.h
@@ -41,6 +41,9 @@ extern "C" {
#define MagickSQ1_2 0.70710678118654752440084436210484903928483593768847
#define MagickSQ2 1.41421356237309504880168872420969807856967187537695
#define MagickSQ2PI 2.50662827463100024161235523934010416269302368164062
+#define MAGICK_SIZE_MAX (SIZE_MAX)
+#define MAGICK_SSIZE_MAX (SSIZE_MAX)
+#define MAGICK_SSIZE_MIN (-(SSIZE_MAX)-1)
#define MatteColor "#bdbdbd" /* gray */
#define PSDensityGeometry "72.0x72.0"
#define PSPageGeometry "612x792"

View File

@ -0,0 +1,62 @@
[Ubuntu note: Just add the required changes from this patch which is to
introduce new method called CastDoubleToUnsigned() for this release]
From 0b8553cd2042438dde215c7e8cd21e1d7307f813 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 15 Apr 2023 09:44:37 -0400
Subject: [PATCH] improved range checking
---
coders/histogram.c | 6 ++--
coders/icon.c | 3 +-
coders/pcd.c | 1 +
coders/pcl.c | 4 +--
coders/png.c | 17 +++++-----
coders/tiff.c | 4 +--
coders/txt.c | 4 +--
configure | 4 +--
magick/annotate.c | 8 ++---
magick/constitute.c | 2 +-
magick/draw.c | 66 +++++++++++++++++++--------------------
magick/effect.c | 8 ++---
magick/gem.c | 2 +-
magick/geometry.c | 24 +++++++-------
magick/image-private.h | 69 ++++++++++++++++++++++++++++-------------
magick/image.c | 20 ++++++------
magick/pixel.c | 12 +++----
magick/profile.c | 8 ++---
magick/property.c | 4 +--
magick/shear.c | 18 +++++------
magick/transform.c | 4 +--
magick/visual-effects.c | 40 ++++++++++++------------
wand/drawing-wand.c | 8 ++---
23 files changed, 181 insertions(+), 155 deletions(-)
--- imagemagick-6.9.11.60+dfsg.orig/magick/image-private.h
+++ imagemagick-6.9.11.60+dfsg/magick/image-private.h
@@ -61,6 +61,26 @@ static inline ssize_t CastDoubleToLong(c
return((ssize_t) value);
}
+static inline size_t CastDoubleToUnsigned(const double x)
+{
+ if (IsNaN(x) != 0)
+ {
+ errno=ERANGE;
+ return(0);
+ }
+ if (floor(x) > ((double) MAGICK_SSIZE_MAX-1))
+ {
+ errno=ERANGE;
+ return((size_t) MAGICK_SIZE_MAX);
+ }
+ if (ceil(x) < 0.0)
+ {
+ errno=ERANGE;
+ return(0);
+ }
+ return((size_t) x);
+}
+
static inline double DegreesToRadians(const double degrees)
{
return((double) (MagickPI*degrees/180.0));

281
debian/patches/CVE-2023-34151.patch vendored Normal file
View File

@ -0,0 +1,281 @@
From 133089f716f23ce0b80d89ccc1fd680960235512 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Wed, 17 May 2023 21:06:18 -0400
Subject: [PATCH] properly cast double to size_t
(https://github.com/ImageMagick/ImageMagick/issues/6341)
---
coders/caption.c | 10 +++++-----
coders/label.c | 10 +++++-----
coders/pcl.c | 4 ++--
coders/pdf.c | 4 ++--
coders/ps.c | 4 ++--
coders/ps2.c | 4 ++--
coders/ps3.c | 4 ++--
coders/svg.c | 4 ++--
magick/annotate.c | 4 ++--
magick/draw.c | 8 ++++----
magick/geometry.c | 4 ++--
magick/shear.c | 10 +++++-----
magick/visual-effects.c | 4 ++--
13 files changed, 37 insertions(+), 37 deletions(-)
--- imagemagick-6.9.11.60+dfsg.orig/coders/caption.c
+++ imagemagick-6.9.11.60+dfsg/coders/caption.c
@@ -154,7 +154,7 @@ static Image *ReadCAPTIONImage(const Ima
return(DestroyImageList(image));
(void) SetImageProperty(image,"caption",caption);
draw_info=CloneDrawInfo(image_info,(DrawInfo *) NULL);
- width=(size_t) floor(draw_info->pointsize*strlen(caption)+0.5);
+ width=CastDoubleToUnsigned(draw_info->pointsize*strlen(caption)+0.5);
if (AcquireMagickResource(WidthResource,width) == MagickFalse)
{
caption=DestroyString(caption);
@@ -239,8 +239,8 @@ static Image *ReadCAPTIONImage(const Ima
status=GetMultilineTypeMetrics(image,draw_info,&metrics);
if (status == MagickFalse)
break;
- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
- height=(size_t) floor(metrics.height+draw_info->interline_spacing+
+ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
+ height=CastDoubleToUnsigned(metrics.height+draw_info->interline_spacing+
draw_info->stroke_width+0.5);
if ((image->columns != 0) && (image->rows != 0))
{
@@ -267,8 +267,8 @@ static Image *ReadCAPTIONImage(const Ima
status=GetMultilineTypeMetrics(image,draw_info,&metrics);
if (status == MagickFalse)
break;
- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
- height=(size_t) floor(metrics.height+draw_info->interline_spacing+
+ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
+ height=CastDoubleToUnsigned(metrics.height+draw_info->interline_spacing+
draw_info->stroke_width+0.5);
if ((image->columns != 0) && (image->rows != 0))
{
--- imagemagick-6.9.11.60+dfsg.orig/coders/label.c
+++ imagemagick-6.9.11.60+dfsg/coders/label.c
@@ -135,7 +135,7 @@ static Image *ReadLABELImage(const Image
return(DestroyImageList(image));
(void) SetImageProperty(image,"label",label);
draw_info=CloneDrawInfo(image_info,(DrawInfo *) NULL);
- width=(size_t) floor(draw_info->pointsize*strlen(label)+0.5);
+ width=CastDoubleToUnsigned(draw_info->pointsize*strlen(label)+0.5);
if (AcquireMagickResource(WidthResource,width) == MagickFalse)
{
label=DestroyString(label);
@@ -174,8 +174,8 @@ static Image *ReadLABELImage(const Image
status=GetMultilineTypeMetrics(image,draw_info,&metrics);
if (status == MagickFalse)
break;
- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
- height=(size_t) floor(metrics.height+draw_info->stroke_width+0.5);
+ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
+ height=CastDoubleToUnsigned(metrics.height+draw_info->stroke_width+0.5);
if ((image->columns != 0) && (image->rows != 0))
{
if ((width >= image->columns) && (height >= image->rows))
@@ -204,8 +204,8 @@ static Image *ReadLABELImage(const Image
status=GetMultilineTypeMetrics(image,draw_info,&metrics);
if (status == MagickFalse)
break;
- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
- height=(size_t) floor(metrics.height+draw_info->stroke_width+0.5);
+ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
+ height=CastDoubleToUnsigned(metrics.height+draw_info->stroke_width+0.5);
if ((image->columns != 0) && (image->rows != 0))
{
if ((width < image->columns) && (height < image->rows))
--- imagemagick-6.9.11.60+dfsg.orig/coders/pcl.c
+++ imagemagick-6.9.11.60+dfsg/coders/pcl.c
@@ -333,9 +333,9 @@ static Image *ReadPCLImage(const ImageIn
image->x_resolution,image->y_resolution);
if (image_info->ping != MagickFalse)
(void) FormatLocaleString(density,MagickPathExtent,"2.0x2.0");
- page.width=(size_t) floor((double) page.width*image->x_resolution/delta.x+
+ page.width=CastDoubleToUnsigned((double) page.width*image->x_resolution/delta.x+
0.5);
- page.height=(size_t) floor((double) page.height*image->y_resolution/delta.y+
+ page.height=CastDoubleToUnsigned((double) page.height*image->y_resolution/delta.y+
0.5);
(void) FormatLocaleString(options,MaxTextExtent,"-g%.20gx%.20g ",(double)
page.width,(double) page.height);
--- imagemagick-6.9.11.60+dfsg.orig/coders/pdf.c
+++ imagemagick-6.9.11.60+dfsg/coders/pdf.c
@@ -1587,9 +1587,9 @@ static MagickBooleanType WritePDFImage(c
(void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,
&geometry.width,&geometry.height);
scale.x=(double) (geometry.width*delta.x)/resolution.x;
- geometry.width=(size_t) floor(scale.x+0.5);
+ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
scale.y=(double) (geometry.height*delta.y)/resolution.y;
- geometry.height=(size_t) floor(scale.y+0.5);
+ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
(void) ParseAbsoluteGeometry(page_geometry,&media_info);
(void) ParseGravityGeometry(image,page_geometry,&page_info,
&image->exception);
--- imagemagick-6.9.11.60+dfsg.orig/coders/ps.c
+++ imagemagick-6.9.11.60+dfsg/coders/ps.c
@@ -1502,9 +1502,9 @@ static MagickBooleanType WritePSImage(co
(void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,
&geometry.width,&geometry.height);
scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x;
- geometry.width=(size_t) floor(scale.x+0.5);
+ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y;
- geometry.height=(size_t) floor(scale.y+0.5);
+ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
(void) ParseAbsoluteGeometry(page_geometry,&media_info);
(void) ParseGravityGeometry(image,page_geometry,&page_info,
&image->exception);
--- imagemagick-6.9.11.60+dfsg.orig/coders/ps2.c
+++ imagemagick-6.9.11.60+dfsg/coders/ps2.c
@@ -533,9 +533,9 @@ static MagickBooleanType WritePS2Image(c
(void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,
&geometry.width,&geometry.height);
scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x;
- geometry.width=(size_t) floor(scale.x+0.5);
+ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y;
- geometry.height=(size_t) floor(scale.y+0.5);
+ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
(void) ParseAbsoluteGeometry(page_geometry,&media_info);
(void) ParseGravityGeometry(image,page_geometry,&page_info,
&image->exception);
--- imagemagick-6.9.11.60+dfsg.orig/coders/ps3.c
+++ imagemagick-6.9.11.60+dfsg/coders/ps3.c
@@ -980,9 +980,9 @@ static MagickBooleanType WritePS3Image(c
(void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,
&geometry.width,&geometry.height);
scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x;
- geometry.width=(size_t) floor(scale.x+0.5);
+ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y;
- geometry.height=(size_t) floor(scale.y+0.5);
+ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
(void) ParseAbsoluteGeometry(page_geometry,&media_info);
(void) ParseGravityGeometry(image,page_geometry,&page_info,
&image->exception);
--- imagemagick-6.9.11.60+dfsg.orig/coders/svg.c
+++ imagemagick-6.9.11.60+dfsg/coders/svg.c
@@ -2519,10 +2519,10 @@ static void SVGStartElement(void *contex
svg_info->view_box=svg_info->bounds;
svg_info->width=0;
if (svg_info->bounds.width > 0.0)
- svg_info->width=(size_t) floor(svg_info->bounds.width+0.5);
+ svg_info->width=CastDoubleToUnsigned(svg_info->bounds.width+0.5);
svg_info->height=0;
if (svg_info->bounds.height > 0.0)
- svg_info->height=(size_t) floor(svg_info->bounds.height+0.5);
+ svg_info->height=CastDoubleToUnsigned(svg_info->bounds.height+0.5);
(void) FormatLocaleFile(svg_info->file,"viewbox 0 0 %.20g %.20g\n",
(double) svg_info->width,(double) svg_info->height);
sx=PerceptibleReciprocal(svg_info->view_box.width)*svg_info->width;
--- imagemagick-6.9.11.60+dfsg.orig/magick/annotate.c
+++ imagemagick-6.9.11.60+dfsg/magick/annotate.c
@@ -325,7 +325,7 @@ MagickExport MagickBooleanType AnnotateI
(void) CloneString(&annotate->text,textlist[i]);
if ((metrics.width == 0) || (annotate->gravity != NorthWestGravity))
(void) GetTypeMetrics(image,annotate,&metrics);
- height=(size_t) floor(metrics.ascent-metrics.descent+0.5);
+ height=CastDoubleToUnsigned(metrics.ascent-metrics.descent+0.5);
if (height == 0)
height=draw_info->pointsize;
height+=(size_t) floor(draw_info->interline_spacing+0.5);
@@ -610,7 +610,7 @@ MagickExport ssize_t FormatMagickCaption
status=GetTypeMetrics(image,draw_info,metrics);
if (status == MagickFalse)
break;
- width=(size_t) floor(metrics->width+draw_info->stroke_width+0.5);
+ width=CastDoubleToUnsigned(metrics->width+draw_info->stroke_width+0.5);
if (width <= image->columns)
continue;
if (s != (char *) NULL)
--- imagemagick-6.9.11.60+dfsg.orig/magick/draw.c
+++ imagemagick-6.9.11.60+dfsg/magick/draw.c
@@ -3447,14 +3447,14 @@ static MagickBooleanType RenderMVGConten
(void) GetNextToken(q,&q,extent,token);
if (*token == ',')
(void) GetNextToken(q,&q,extent,token);
- bounds.width=(size_t) floor(GetDrawValue(token,&next_token)+
+ bounds.width=CastDoubleToUnsigned(GetDrawValue(token,&next_token)+
0.5);
if (token == next_token)
ThrowPointExpectedException(image,token);
(void) GetNextToken(q,&q,extent,token);
if (*token == ',')
(void) GetNextToken(q,&q,extent,token);
- bounds.height=(size_t) floor(GetDrawValue(token,&next_token)+
+ bounds.height=CastDoubleToUnsigned(GetDrawValue(token,&next_token)+
0.5);
if (token == next_token)
ThrowPointExpectedException(image,token);
@@ -3859,14 +3859,14 @@ static MagickBooleanType RenderMVGConten
(void) GetNextToken(q,&q,extent,token);
if (*token == ',')
(void) GetNextToken(q,&q,extent,token);
- graphic_context[n]->viewbox.width=(size_t) floor(GetDrawValue(
+ graphic_context[n]->viewbox.width=CastDoubleToUnsigned(GetDrawValue(
token,&next_token)+0.5);
if (token == next_token)
ThrowPointExpectedException(image,token);
(void) GetNextToken(q,&q,extent,token);
if (*token == ',')
(void) GetNextToken(q,&q,extent,token);
- graphic_context[n]->viewbox.height=(size_t) floor(GetDrawValue(
+ graphic_context[n]->viewbox.height=CastDoubleToUnsigned(GetDrawValue(
token,&next_token)+0.5);
if (token == next_token)
ThrowPointExpectedException(image,token);
--- imagemagick-6.9.11.60+dfsg.orig/magick/geometry.c
+++ imagemagick-6.9.11.60+dfsg/magick/geometry.c
@@ -1411,8 +1411,8 @@ MagickExport MagickStatusType ParseMetaG
scale.y=geometry_info.sigma;
if ((flags & SigmaValue) == 0)
scale.y=scale.x;
- *width=(size_t) floor(scale.x*former_width/100.0+0.5);
- *height=(size_t) floor(scale.y*former_height/100.0+0.5);
+ *width=CastDoubleToUnsigned(scale.x*former_width/100.0+0.5);
+ *height=CastDoubleToUnsigned(scale.y*former_height/100.0+0.5);
former_width=(*width);
former_height=(*height);
}
--- imagemagick-6.9.11.60+dfsg.orig/magick/shear.c
+++ imagemagick-6.9.11.60+dfsg/magick/shear.c
@@ -166,8 +166,8 @@ static MagickBooleanType CropToFitImage(
}
geometry.x=CastDoubleToLong(ceil(min.x-0.5));
geometry.y=CastDoubleToLong(ceil(min.y-0.5));
- geometry.width=(size_t) floor(max.x-min.x+0.5);
- geometry.height=(size_t) floor(max.y-min.y+0.5);
+ geometry.width=CastDoubleToUnsigned(max.x-min.x+0.5);
+ geometry.height=CastDoubleToUnsigned(max.y-min.y+0.5);
page=(*image)->page;
(void) ParseAbsoluteGeometry("0x0+0+0",&(*image)->page);
crop_image=CropImage(*image,&geometry,exception);
@@ -1787,9 +1787,9 @@ MagickExport Image *ShearRotateImage(con
*/
width=integral_image->columns;
height=integral_image->rows;
- bounds.width=(size_t) floor(fabs((double) height*shear.x)+width+0.5);
- bounds.height=(size_t) floor(fabs((double) bounds.width*shear.y)+height+0.5);
- shear_width=(size_t) floor(fabs((double) bounds.height*shear.x)+
+ bounds.width=CastDoubleToUnsigned(fabs((double) height*shear.x)+width+0.5);
+ bounds.height=CastDoubleToUnsigned(fabs((double) bounds.width*shear.y)+height+0.5);
+ shear_width=CastDoubleToUnsigned(fabs((double) bounds.height*shear.x)+
bounds.width+0.5);
bounds.x=CastDoubleToLong(floor((double) ((shear_width > bounds.width) ?
width : bounds.width-shear_width+2)/2.0+0.5));
--- imagemagick-6.9.11.60+dfsg.orig/magick/visual-effects.c
+++ imagemagick-6.9.11.60+dfsg/magick/visual-effects.c
@@ -2052,8 +2052,8 @@ MagickExport Image *ShadowImage(const Im
(void) SetImageColorspace(clone_image,sRGBColorspace);
(void) SetImageVirtualPixelMethod(clone_image,EdgeVirtualPixelMethod);
clone_image->compose=OverCompositeOp;
- border_info.width=(size_t) floor(2.0*sigma+0.5);
- border_info.height=(size_t) floor(2.0*sigma+0.5);
+ border_info.width=CastDoubleToUnsigned(2.0*sigma+0.5);
+ border_info.height=CastDoubleToUnsigned(2.0*sigma+0.5);
border_info.x=0;
border_info.y=0;
(void) QueryColorDatabase("none",&clone_image->border_color,exception);

21
debian/patches/CVE-2023-3428.patch vendored Normal file
View File

@ -0,0 +1,21 @@
From 0d00400727170b0540a355a1bc52787bc7bcdea5 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Mon, 26 Jun 2023 19:39:43 -0400
Subject: [PATCH] heap-buffer-overflow in ImageMagick <= 7.1.1-12, contributed
by Hardik shah of Vehere (Dawn Treaders team)
---
coders/tiff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- imagemagick-6.9.11.60+dfsg.orig/coders/tiff.c
+++ imagemagick-6.9.11.60+dfsg/coders/tiff.c
@@ -1968,7 +1968,7 @@ static Image *ReadTIFFImage(const ImageI
number_pixels=(MagickSizeType) columns*rows;
if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
- extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
+ extent=4*(samples_per_pixel+1)*MagickMax((rows+1)*TIFFTileRowSize(tiff),
TIFFTileSize(tiff));
#if defined(TIFF_VERSION_BIG)
extent+=image->columns*sizeof(uint64);

View File

@ -38,3 +38,12 @@ CVE-2022-28463.patch
CVE-2022-32545.patch
CVE-2022-32546.patch
CVE-2022-32547.patch
CVE-2021-3610.patch
CVE-2023-1289-prepatch.patch
CVE-2023-1289.patch
CVE-2023-1906.patch
CVE-2023-3195.patch
CVE-2023-34151-prepatch.patch
CVE-2023-34151-prepatch-2.patch
CVE-2023-34151.patch
CVE-2023-3428.patch