From fcde5a9947a314758fcda6f80c96895dceb84c8c Mon Sep 17 00:00:00 2001 From: rtlhq Date: Mon, 17 Jul 2023 22:41:41 +0800 Subject: [PATCH] SECURITY UPDATE --- debian/changelog | 14 +- debian/patches/CVE-2021-3610.patch | 21 ++ debian/patches/CVE-2023-1289-prepatch.patch | 208 +++++++++++++ debian/patches/CVE-2023-1289.patch | 21 ++ debian/patches/CVE-2023-1906.patch | 56 ++++ debian/patches/CVE-2023-3195.patch | 25 ++ .../patches/CVE-2023-34151-prepatch-2.patch | 44 +++ debian/patches/CVE-2023-34151-prepatch.patch | 62 ++++ debian/patches/CVE-2023-34151.patch | 281 ++++++++++++++++++ debian/patches/CVE-2023-3428.patch | 21 ++ debian/patches/series | 9 + 11 files changed, 761 insertions(+), 1 deletion(-) create mode 100644 debian/patches/CVE-2021-3610.patch create mode 100644 debian/patches/CVE-2023-1289-prepatch.patch create mode 100644 debian/patches/CVE-2023-1289.patch create mode 100644 debian/patches/CVE-2023-1906.patch create mode 100644 debian/patches/CVE-2023-3195.patch create mode 100644 debian/patches/CVE-2023-34151-prepatch-2.patch create mode 100644 debian/patches/CVE-2023-34151-prepatch.patch create mode 100644 debian/patches/CVE-2023-34151.patch create mode 100644 debian/patches/CVE-2023-3428.patch diff --git a/debian/changelog b/debian/changelog index eb021bf..1b74e92 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +imagemagick (8:6.9.11.60+dfsg-ok1.2) yangtze; urgency=medium + + * SECURITY UPDATE: heap-based buffer overflow issue + - CVE-2021-3610 + - CVE-2023-3428 + - CVE-2023-1289 + - CVE-2023-1906 + - CVE-2023-3195 + - CVE-2023-34151 + + -- rtlhq Mon, 17 Jul 2023 20:40:36 +0800 + imagemagick (8:6.9.11.60+dfsg-ok1.1) yangtze; urgency=medium * SECURITY UPDATE: heap-based buffer overflow issue @@ -24,4 +36,4 @@ imagemagick (8:6.9.11.60+dfsg-ok1) yangtze; urgency=medium * Build for openKylin. - -- rtlhq Fri, 03 Feb 2023 12:00:43 +0800 + -- rtlhq Fri, 03 Feb 2023 12:00:43 +0800 \ No newline at end of file 
diff --git a/debian/patches/CVE-2021-3610.patch b/debian/patches/CVE-2021-3610.patch
new file mode 100644
index 0000000..a5963b4
--- /dev/null
+++ b/debian/patches/CVE-2021-3610.patch
@@ -0,0 +1,21 @@
+From 930ff0d1a9bc42925a7856e9ea53f5fc9f318bf3 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 27 May 2021 10:30:17 -0400
+Subject: [PATCH] eliminate heap buffer overflow vulnerability, thanks to
+ ZhangJiaxing (@r0fm1a) from Codesafe Team of Legendsec at Qi'anxin Group
+
+---
+ coders/tiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- imagemagick-6.9.11.60+dfsg.orig/coders/tiff.c
++++ imagemagick-6.9.11.60+dfsg/coders/tiff.c
+@@ -1872,7 +1872,7 @@ static Image *ReadTIFFImage(const ImageI
+ /*
+ Convert stripped TIFF image.
+ */
+- extent=2*TIFFStripSize(tiff);
++ extent=4*TIFFStripSize(tiff);
+ #if defined(TIFF_VERSION_BIG)
+ extent+=image->columns*sizeof(uint64);
+ #else
diff --git a/debian/patches/CVE-2023-1289-prepatch.patch b/debian/patches/CVE-2023-1289-prepatch.patch
new file mode 100644
index 0000000..beec473
--- /dev/null
+++ b/debian/patches/CVE-2023-1289-prepatch.patch
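Review bot: The replacement line `extent=4*TIFFStripSize(tiff);` is a slack multiplier rather than a bound derived from the strip geometry, and nothing in the patch records why 4x is sufficient; CVE-2023-1906.patch later in this same series replaces the whole computation, so this file survives only so that the later patch's removed lines still apply. A one-line header in the patch file, e.g. `[Note: superseded by CVE-2023-1906.patch; kept only so that patch's context applies]`, would stop a future maintainer from refreshing or dropping it on its own. ReadTIFFImage starts and ends outside the hunk.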
@@ -0,0 +1,208 @@ +From e8c0090c6d2df7b1553053dca2008e96724204bf Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Mon, 6 Mar 2023 14:46:21 -0500 +Subject: [PATCH] recursion detection framework + +--- + magick/constitute.c | 12 +++++++++ + magick/draw.c | 64 ++++++++++++++++++--------------------------- + magick/draw.h | 3 +++ + magick/image.c | 1 + + magick/image.h | 3 +++ + 5 files changed, 45 insertions(+), 38 deletions(-) + +--- imagemagick-6.9.11.60+dfsg.orig/magick/constitute.c ++++ imagemagick-6.9.11.60+dfsg/magick/constitute.c +@@ -77,6 +77,11 @@ + #include "magick/transform.h" + #include "magick/utility.h" + ++/* ++ Define declarations. ++*/ ++#define MaxReadRecursionDepth 100 ++ + /* + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + % % +@@ -558,9 +563,16 @@ MagickExport Image *ReadImage(const Imag + if ((thread_support & DecoderThreadSupport) == 0) + LockSemaphoreInfo(magick_info->semaphore); + status=IsCoderAuthorized(read_info->magick,ReadPolicyRights,exception); ++ if (((ImageInfo *) image_info)->recursion_depth++ > MaxReadRecursionDepth) ++ { ++ (void) ThrowMagickException(exception,GetMagickModule(),CoderError, ++ "NumberOfImagesIsNotSupported","`%s'",read_info->magick); ++ status=MagickFalse; ++ } + image=(Image *) NULL; + if (status != MagickFalse) + image=GetImageDecoder(magick_info)(read_info,exception); ++ ((ImageInfo *) image_info)->recursion_depth--; + if ((thread_support & DecoderThreadSupport) == 0) + UnlockSemaphoreInfo(magick_info->semaphore); + } +--- imagemagick-6.9.11.60+dfsg.orig/magick/draw.c ++++ imagemagick-6.9.11.60+dfsg/magick/draw.c +@@ -381,6 +381,7 @@ MagickExport DrawInfo *CloneDrawInfo(con + clone_info->composite_mask=CloneImage(draw_info->composite_mask,0,0, + MagickTrue,&draw_info->composite_mask->exception); + clone_info->render=draw_info->render; ++ clone_info->image_info=CloneImageInfo(draw_info->image_info); + clone_info->debug=IsEventLogging(); + return(clone_info); + } +@@ -5820,21 
+5821,18 @@ MagickExport void GetDrawInfo(const Imag + ExceptionInfo + *exception; + +- ImageInfo +- *clone_info; +- + /* + Initialize draw attributes. + */ + (void) LogMagickEvent(TraceEvent,GetMagickModule(),"..."); + assert(draw_info != (DrawInfo *) NULL); + (void) memset(draw_info,0,sizeof(*draw_info)); +- clone_info=CloneImageInfo(image_info); ++ draw_info->image_info=CloneImageInfo(image_info); + GetAffineMatrix(&draw_info->affine); + exception=AcquireExceptionInfo(); + (void) QueryColorDatabase("#000F",&draw_info->fill,exception); + (void) QueryColorDatabase("#FFF0",&draw_info->stroke,exception); +- draw_info->stroke_antialias=clone_info->antialias; ++ draw_info->stroke_antialias=draw_info->image_info->antialias; + draw_info->stroke_width=1.0; + draw_info->fill_rule=EvenOddRule; + draw_info->opacity=OpaqueOpacity; +@@ -5844,64 +5842,64 @@ MagickExport void GetDrawInfo(const Imag + draw_info->linejoin=MiterJoin; + draw_info->miterlimit=10; + draw_info->decorate=NoDecoration; +- if (clone_info->font != (char *) NULL) +- draw_info->font=AcquireString(clone_info->font); +- if (clone_info->density != (char *) NULL) +- draw_info->density=AcquireString(clone_info->density); +- draw_info->text_antialias=clone_info->antialias; ++ if (draw_info->image_info->font != (char *) NULL) ++ draw_info->font=AcquireString(draw_info->image_info->font); ++ if (draw_info->image_info->density != (char *) NULL) ++ draw_info->density=AcquireString(draw_info->image_info->density); ++ draw_info->text_antialias=draw_info->image_info->antialias; + draw_info->pointsize=12.0; +- if (fabs(clone_info->pointsize) >= MagickEpsilon) +- draw_info->pointsize=clone_info->pointsize; ++ if (fabs(draw_info->image_info->pointsize) >= MagickEpsilon) ++ draw_info->pointsize=draw_info->image_info->pointsize; + draw_info->undercolor.opacity=(Quantum) TransparentOpacity; +- draw_info->border_color=clone_info->border_color; ++ draw_info->border_color=draw_info->image_info->border_color; + 
draw_info->compose=OverCompositeOp; +- if (clone_info->server_name != (char *) NULL) +- draw_info->server_name=AcquireString(clone_info->server_name); ++ if (draw_info->image_info->server_name != (char *) NULL) ++ draw_info->server_name=AcquireString(draw_info->image_info->server_name); + draw_info->render=MagickTrue; + draw_info->clip_path=MagickFalse; + draw_info->debug=IsEventLogging(); +- option=GetImageOption(clone_info,"direction"); ++ option=GetImageOption(draw_info->image_info,"direction"); + if (option != (const char *) NULL) + draw_info->direction=(DirectionType) ParseCommandOption( + MagickDirectionOptions,MagickFalse,option); + else + draw_info->direction=UndefinedDirection; +- option=GetImageOption(clone_info,"encoding"); ++ option=GetImageOption(draw_info->image_info,"encoding"); + if (option != (const char *) NULL) + (void) CloneString(&draw_info->encoding,option); +- option=GetImageOption(clone_info,"family"); ++ option=GetImageOption(draw_info->image_info,"family"); + if (option != (const char *) NULL) + (void) CloneString(&draw_info->family,option); +- option=GetImageOption(clone_info,"fill"); ++ option=GetImageOption(draw_info->image_info,"fill"); + if (option != (const char *) NULL) + (void) QueryColorDatabase(option,&draw_info->fill,exception); +- option=GetImageOption(clone_info,"gravity"); ++ option=GetImageOption(draw_info->image_info,"gravity"); + if (option != (const char *) NULL) + draw_info->gravity=(GravityType) ParseCommandOption(MagickGravityOptions, + MagickFalse,option); +- option=GetImageOption(clone_info,"interline-spacing"); ++ option=GetImageOption(draw_info->image_info,"interline-spacing"); + if (option != (const char *) NULL) + draw_info->interline_spacing=GetDrawValue(option,&next_token); +- option=GetImageOption(clone_info,"interword-spacing"); ++ option=GetImageOption(draw_info->image_info,"interword-spacing"); + if (option != (const char *) NULL) + draw_info->interword_spacing=GetDrawValue(option,&next_token); +- 
option=GetImageOption(clone_info,"kerning"); ++ option=GetImageOption(draw_info->image_info,"kerning"); + if (option != (const char *) NULL) + draw_info->kerning=GetDrawValue(option,&next_token); +- option=GetImageOption(clone_info,"stroke"); ++ option=GetImageOption(draw_info->image_info,"stroke"); + if (option != (const char *) NULL) + (void) QueryColorDatabase(option,&draw_info->stroke,exception); +- option=GetImageOption(clone_info,"strokewidth"); ++ option=GetImageOption(draw_info->image_info,"strokewidth"); + if (option != (const char *) NULL) + draw_info->stroke_width=GetDrawValue(option,&next_token); +- option=GetImageOption(clone_info,"style"); ++ option=GetImageOption(draw_info->image_info,"style"); + if (option != (const char *) NULL) + draw_info->style=(StyleType) ParseCommandOption(MagickStyleOptions, + MagickFalse,option); +- option=GetImageOption(clone_info,"undercolor"); ++ option=GetImageOption(draw_info->image_info,"undercolor"); + if (option != (const char *) NULL) + (void) QueryColorDatabase(option,&draw_info->undercolor,exception); +- option=GetImageOption(clone_info,"weight"); ++ option=GetImageOption(draw_info->image_info,"weight"); + if (option != (const char *) NULL) + { + ssize_t +@@ -5914,7 +5912,6 @@ MagickExport void GetDrawInfo(const Imag + } + exception=DestroyExceptionInfo(exception); + draw_info->signature=MagickCoreSignature; +- clone_info=DestroyImageInfo(clone_info); + } + + /* +--- imagemagick-6.9.11.60+dfsg.orig/magick/draw.h ++++ imagemagick-6.9.11.60+dfsg/magick/draw.h +@@ -354,6 +354,9 @@ typedef struct _DrawInfo + + char + *id; ++ ++ ImageInfo ++ *image_info; + } DrawInfo; + + typedef struct _PrimitiveInfo +--- imagemagick-6.9.11.60+dfsg.orig/magick/image.c ++++ imagemagick-6.9.11.60+dfsg/magick/image.c +@@ -1008,6 +1008,7 @@ MagickExport ImageInfo *CloneImageInfo(c + clone_info->subimage=image_info->scene; /* deprecated */ + clone_info->subrange=image_info->number_scenes; /* deprecated */ + 
clone_info->channel=image_info->channel; ++ clone_info->recursion_depth=image_info->recursion_depth; + clone_info->debug=IsEventLogging(); + clone_info->signature=image_info->signature; + return(clone_info); +--- imagemagick-6.9.11.60+dfsg.orig/magick/image.h ++++ imagemagick-6.9.11.60+dfsg/magick/image.h +@@ -499,6 +499,9 @@ struct _ImageInfo + + MagickBooleanType + synchronize; ++ ++ size_t ++ recursion_depth; /* recursion detection */ + }; + + extern MagickExport ExceptionType diff --git a/debian/patches/CVE-2023-1289.patch b/debian/patches/CVE-2023-1289.patch new file mode 100644 index 0000000..120a4bb --- /dev/null +++ b/debian/patches/CVE-2023-1289.patch @@ -0,0 +1,21 @@ +[Ubuntu note: darw.c file exist in "magick" folder instead of "MagickCore" for + this release] +From c5b23cbf2119540725e6dc81f4deb25798ead6a4 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Mon, 6 Mar 2023 15:26:32 -0500 +Subject: [PATCH] erecursion detection + +--- + MagickCore/draw.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- imagemagick-6.9.11.60+dfsg.orig/magick/draw.c ++++ imagemagick-6.9.11.60+dfsg/magick/draw.c +@@ -5444,6 +5444,7 @@ MagickExport MagickBooleanType DrawPrimi + if (primitive_info->text == (char *) NULL) + break; + clone_info=AcquireImageInfo(); ++ clone_info->recursion_depth=draw_info->image_info->recursion_depth; + composite_images=(Image *) NULL; + if (LocaleNCompare(primitive_info->text,"data:",5) == 0) + composite_images=ReadInlineImage(clone_info,primitive_info->text, diff --git a/debian/patches/CVE-2023-1906.patch b/debian/patches/CVE-2023-1906.patch new file mode 100644 index 0000000..2b30853 --- /dev/null +++ b/debian/patches/CVE-2023-1906.patch 
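Review bot: The new `DrawInfo.image_info` member is allocated in both CloneDrawInfo and GetDrawInfo, but no matching DestroyImageInfo call in DestroyDrawInfo appears anywhere in this backport, so unless that routine already frees the member every DrawInfo would leak a cloned ImageInfo; the upstream diffstat lists `magick/draw.c | 64` changed lines while the visible draw.c hunks account for fewer, which suggests part of the upstream change was not carried over and should be checked against DestroyDrawInfo. In ReadImage, `((ImageInfo *) image_info)->recursion_depth++` writes through a const-qualified parameter, and if any caller shares one ImageInfo between threads the unsynchronized increment and decrement are a data race; a comment at that line should state that image_info is assumed private to the calling read. The reused message key `"NumberOfImagesIsNotSupported"` does not describe a recursion limit, so a dedicated message would make the failure diagnosable.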
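Review bot: `clone_info->recursion_depth=draw_info->image_info->recursion_depth;` dereferences `draw_info->image_info` with no NULL check; the member is populated by GetDrawInfo and CloneDrawInfo once CVE-2023-1289-prepatch.patch is applied, but a DrawInfo built any other way would crash here, so either guard it with `if (draw_info->image_info != (ImageInfo *) NULL)` or document the invariant in the prepatch. The Ubuntu note's `darw.c` should read `draw.c`, and the subject `erecursion detection` looks like a typo for `recursion detection`. DrawPrimitive starts and ends outside the hunk.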
@@ -0,0 +1,56 @@
+[Ubuntu note: this is backport of the original patch having multiple pre-patch
+changes]
+From e30c693b37c3b41723f1469d1226a2c814ca443d Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sat, 1 Apr 2023 07:32:01 -0400
+Subject: [PATCH] possible heap buffer overflow
+ (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-35q2-86c7-9247)
+
+---
+ coders/tiff.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- imagemagick-6.9.11.60+dfsg.orig/coders/tiff.c
++++ imagemagick-6.9.11.60+dfsg/coders/tiff.c
+@@ -1872,12 +1872,8 @@ static Image *ReadTIFFImage(const ImageI
+ /*
+ Convert stripped TIFF image.
+ */
+- extent=4*TIFFStripSize(tiff);
+-#if defined(TIFF_VERSION_BIG)
+- extent+=image->columns*sizeof(uint64);
+-#else
+- extent+=image->columns*sizeof(uint32);
+-#endif
++ extent=MagickMax(sizeof(uint32),(samples_per_pixel+extra_samples)*
++ (image->depth+7)/8)*image->columns*rows_per_strip;
+ strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+ sizeof(*strip_pixels));
+ if (strip_pixels == (unsigned char *) NULL)
+@@ -1972,12 +1968,8 @@ static Image *ReadTIFFImage(const ImageI
+ number_pixels=(MagickSizeType) columns*rows;
+ if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
+ ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+- extent=TIFFTileSize(tiff);
+-#if defined(TIFF_VERSION_BIG)
+- extent+=columns*sizeof(uint64);
+-#else
+- extent+=columns*sizeof(uint32);
+-#endif
++ extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
++ TIFFTileSize(tiff));
+ tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+ sizeof(*tile_pixels));
+ if (tile_pixels == (unsigned char *) NULL)
+@@ -2071,11 +2063,6 @@ static Image *ReadTIFFImage(const ImageI
+ if (HeapOverflowSanityCheck(image->rows,sizeof(*pixels)) != MagickFalse)
+ ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+ number_pixels=(MagickSizeType) image->columns*image->rows;
+-#if defined(TIFF_VERSION_BIG)
+- number_pixels+=image->columns*sizeof(uint64);
+-#else
+- number_pixels+=image->columns*sizeof(uint32);
+-#endif
+ generic_info=AcquireVirtualMemory(number_pixels,sizeof(*pixels));
+ if (generic_info == (MemoryInfo *) NULL)
+ ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
diff --git a/debian/patches/CVE-2023-3195.patch b/debian/patches/CVE-2023-3195.patch
new file mode 100644
index 0000000..9c44901
--- /dev/null
+++ b/debian/patches/CVE-2023-3195.patch
@@ -0,0 +1,25 @@
+[Ubuntu note: Backport for this release]
+From 85a370c79afeb45a97842b0959366af5236e9023 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Tue, 19 Oct 2021 14:53:41 -0400
+Subject: [PATCH] fix stack overflow when parsing malicious tiff image
+
+---
+ ChangeLog | 2 ++
+ coders/tiff.c | 5 +++++
+ 2 files changed, 7 insertions(+)
+
+--- imagemagick-6.9.11.60+dfsg.orig/coders/tiff.c
++++ imagemagick-6.9.11.60+dfsg/coders/tiff.c
+@@ -1970,6 +1970,11 @@ static Image *ReadTIFFImage(const ImageI
+ ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+ extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
+ TIFFTileSize(tiff));
++#if defined(TIFF_VERSION_BIG)
++ extent+=image->columns*sizeof(uint64);
++#else
++ extent+=image->columns*sizeof(uint32);
++#endif
+ tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+ sizeof(*tile_pixels));
+ if (tile_pixels == (unsigned char *) NULL)
diff --git a/debian/patches/CVE-2023-34151-prepatch-2.patch b/debian/patches/CVE-2023-34151-prepatch-2.patch
new file mode 100644
index 0000000..b8dda95
--- /dev/null
+++ b/debian/patches/CVE-2023-34151-prepatch-2.patch
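Review bot: The new stripped-image extent `MagickMax(sizeof(uint32),(samples_per_pixel+extra_samples)*(image->depth+7)/8)*image->columns*rows_per_strip` is a chain of size_t multiplications on file-controlled tag values with no overflow check before it reaches AcquireQuantumMemory; the tile path in the next hunk guards `rows*sizeof(*tile_pixels)` with HeapOverflowSanityCheck, but the strip path shows no equivalent. A wrapped product would hand the strip read a buffer smaller than intended, which is the class of bug this patch addresses, so a HeapOverflowSanityCheck-style guard on the factors, or a MagickSizeType intermediate compared against the size_t limit, would close the gap. Whether samples_per_pixel, extra_samples and rows_per_strip were already range-checked earlier in ReadTIFFImage cannot be seen from this hunk; the function starts and ends outside it.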
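Review bot: This patch re-adds the `extent+=image->columns*sizeof(uint64)` slack that CVE-2023-1906.patch removed in the preceding file, and its context line `extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),` only exists after that patch, so the series order 1906 then 3195 then 3428 is a hard dependency that nothing records. Extending the Ubuntu note to `[Ubuntu note: Backport for this release; must apply after CVE-2023-1906.patch, whose rewritten extent line is this hunk's context]` would keep a future reorder or refresh from breaking the apply. The upstream subject speaks of a stack overflow while the visible change only enlarges a heap allocation; if other upstream hunks were dropped in the backport, the note should say so.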
@@ -0,0 +1,44 @@
+[Ubuntu note: just adding the required changes for image-private header file]
+From ca4b4c6d3471ad2d19ccdf12a7380f0628e3ce77 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 13 Apr 2023 11:42:11 -0400
+Subject: [PATCH] add additional checks for casting double to size_t
+
+---
+ coders/histogram.c | 6 ++--
+ coders/jpeg.c | 3 +-
+ coders/pcl.c | 4 +--
+ coders/png.c | 16 +++++-----
+ coders/tiff.c | 4 +--
+ coders/txt.c | 4 +--
+ magick/annotate.c | 8 ++---
+ magick/constitute.c | 2 +-
+ magick/draw.c | 66 ++++++++++++++++++++---------------------------
+ magick/effect.c | 8 ++---
+ magick/gem.c | 2 +-
+ magick/geometry.c | 32 ++++++++++----------
+ magick/image-private.h | 38 ++++++++++++++++--------
+ magick/image.c | 20 ++++++-------
+ magick/pixel.c | 12 ++++----
+ magick/profile.c | 8 ++---
+ magick/property.c | 4 +--
+ magick/shear.c | 18 +++++------
+ magick/studio.h | 2 --
+ magick/transform.c | 4 +--
+ magick/visual-effects.c | 40 ++++++++++++-------------
+ wand/drawing-wand.c | 8 ++---
+ wand/studio.h | 2 --
+ 23 files changed, 161 insertions(+), 150 deletions(-)
+
+--- imagemagick-6.9.11.60+dfsg.orig/magick/image-private.h
++++ imagemagick-6.9.11.60+dfsg/magick/image-private.h
+@@ -41,6 +41,9 @@ extern "C" {
+ #define MagickSQ1_2 0.70710678118654752440084436210484903928483593768847
+ #define MagickSQ2 1.41421356237309504880168872420969807856967187537695
+ #define MagickSQ2PI 2.50662827463100024161235523934010416269302368164062
++#define MAGICK_SIZE_MAX (SIZE_MAX)
++#define MAGICK_SSIZE_MAX (SSIZE_MAX)
++#define MAGICK_SSIZE_MIN (-(SSIZE_MAX)-1)
+ #define MatteColor "#bdbdbd" /* gray */
+ #define PSDensityGeometry "72.0x72.0"
+ #define PSPageGeometry "612x792"
diff --git a/debian/patches/CVE-2023-34151-prepatch.patch b/debian/patches/CVE-2023-34151-prepatch.patch
new file mode 100644
index 0000000..3e216c8
--- /dev/null
+++ b/debian/patches/CVE-2023-34151-prepatch.patch
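Review bot: `MAGICK_SSIZE_MAX` and `MAGICK_SIZE_MAX` are consumed by CastDoubleToUnsigned in CVE-2023-34151-prepatch.patch, which debian/patches/series applies before this file, so a build at the intermediate point would fail on undefined identifiers and the `-prepatch-2` name inverts the logical order; either swap the two series entries or state the dependency in the Ubuntu note. The upstream diffstat lists `magick/studio.h | 2 --` and `wand/studio.h | 2 --`, meaning upstream removed two lines from each of those headers that this backport keeps; if those were existing definitions of the same macros the compiler will report a redefinition, which is worth confirming before the build. The macros expand to `SSIZE_MAX` and `SIZE_MAX`, so `<limits.h>` and `<stdint.h>` must be in scope wherever image-private.h is included, which this hunk does not show.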
@@ -0,0 +1,62 @@
+[Ubuntu note: Just add the required changes from this patch which is to
+ introduce new method called CastDoubleToUnsigned() for this release]
+From 0b8553cd2042438dde215c7e8cd21e1d7307f813 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sat, 15 Apr 2023 09:44:37 -0400
+Subject: [PATCH] improved range checking
+
+---
+ coders/histogram.c | 6 ++--
+ coders/icon.c | 3 +-
+ coders/pcd.c | 1 +
+ coders/pcl.c | 4 +--
+ coders/png.c | 17 +++++-----
+ coders/tiff.c | 4 +--
+ coders/txt.c | 4 +--
+ configure | 4 +--
+ magick/annotate.c | 8 ++---
+ magick/constitute.c | 2 +-
+ magick/draw.c | 66 +++++++++++++++++++--------------------
+ magick/effect.c | 8 ++---
+ magick/gem.c | 2 +-
+ magick/geometry.c | 24 +++++++-------
+ magick/image-private.h | 69 ++++++++++++++++++++++++++++-------------
+ magick/image.c | 20 ++++++------
+ magick/pixel.c | 12 +++---
+ magick/profile.c | 8 ++---
+ magick/property.c | 4 +--
+ magick/shear.c | 18 +++++------
+ magick/transform.c | 4 +--
+ magick/visual-effects.c | 40 ++++++++++++------------
+ wand/drawing-wand.c | 8 ++---
+ 23 files changed, 181 insertions(+), 155 deletions(-)
+
+--- imagemagick-6.9.11.60+dfsg.orig/magick/image-private.h
++++ imagemagick-6.9.11.60+dfsg/magick/image-private.h
+@@ -61,6 +61,26 @@ static inline ssize_t CastDoubleToLong(c
+ return((ssize_t) value);
+ }
+
++static inline size_t CastDoubleToUnsigned(const double x)
++{
++ if (IsNaN(x) != 0)
++ {
++ errno=ERANGE;
++ return(0);
++ }
++ if (floor(x) > ((double) MAGICK_SSIZE_MAX-1))
++ {
++ errno=ERANGE;
++ return((size_t) MAGICK_SIZE_MAX);
++ }
++ if (ceil(x) < 0.0)
++ {
++ errno=ERANGE;
++ return(0);
++ }
++ return((size_t) x);
++}
++
+ static inline double DegreesToRadians(const double degrees)
+ {
+ return((double) (MagickPI*degrees/180.0));
diff --git a/debian/patches/CVE-2023-34151.patch b/debian/patches/CVE-2023-34151.patch
new file mode 100644
index 0000000..c182276
--- /dev/null
+++ b/debian/patches/CVE-2023-34151.patch
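Review bot: CastDoubleToUnsigned signals range errors only through errno, yet none of the call sites introduced by CVE-2023-34151.patch examine errno, so the safety of the fix rests entirely on the clamped return values; the upper branch tests against `(double) MAGICK_SSIZE_MAX-1` but returns `MAGICK_SIZE_MAX`, so a value just above the signed limit comes back as the full unsigned maximum and any later `width*height` in a caller can wrap. The function has no header comment; proposed: `/* double -> size_t: NaN or negative yields 0, above SSIZE_MAX-1 yields SIZE_MAX, each with errno=ERANGE; in-range values are truncated toward zero, which equals floor() for non-negative input. */`. It also relies on errno, floor, ceil and IsNaN being visible in image-private.h, which this hunk does not show.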
@@ -0,0 +1,281 @@ +From 133089f716f23ce0b80d89ccc1fd680960235512 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Wed, 17 May 2023 21:06:18 -0400 +Subject: [PATCH] properly cast double to size_t + (https://github.com/ImageMagick/ImageMagick/issues/6341) + +--- + coders/caption.c | 10 +++++----- + coders/label.c | 10 +++++----- + coders/pcl.c | 4 ++-- + coders/pdf.c | 4 ++-- + coders/ps.c | 4 ++-- + coders/ps2.c | 4 ++-- + coders/ps3.c | 4 ++-- + coders/svg.c | 4 ++-- + magick/annotate.c | 4 ++-- + magick/draw.c | 8 ++++---- + magick/geometry.c | 4 ++-- + magick/shear.c | 10 +++++----- + magick/visual-effects.c | 4 ++-- + 13 files changed, 37 insertions(+), 37 deletions(-) + +--- imagemagick-6.9.11.60+dfsg.orig/coders/caption.c ++++ imagemagick-6.9.11.60+dfsg/coders/caption.c +@@ -154,7 +154,7 @@ static Image *ReadCAPTIONImage(const Ima + return(DestroyImageList(image)); + (void) SetImageProperty(image,"caption",caption); + draw_info=CloneDrawInfo(image_info,(DrawInfo *) NULL); +- width=(size_t) floor(draw_info->pointsize*strlen(caption)+0.5); ++ width=CastDoubleToUnsigned(draw_info->pointsize*strlen(caption)+0.5); + if (AcquireMagickResource(WidthResource,width) == MagickFalse) + { + caption=DestroyString(caption); +@@ -239,8 +239,8 @@ static Image *ReadCAPTIONImage(const Ima + status=GetMultilineTypeMetrics(image,draw_info,&metrics); + if (status == MagickFalse) + break; +- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5); +- height=(size_t) floor(metrics.height+draw_info->interline_spacing+ ++ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5); ++ height=CastDoubleToUnsigned(metrics.height+draw_info->interline_spacing+ + draw_info->stroke_width+0.5); + if ((image->columns != 0) && (image->rows != 0)) + { +@@ -267,8 +267,8 @@ static Image *ReadCAPTIONImage(const Ima + status=GetMultilineTypeMetrics(image,draw_info,&metrics); + if (status == MagickFalse) + break; +- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5); +- 
height=(size_t) floor(metrics.height+draw_info->interline_spacing+ ++ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5); ++ height=CastDoubleToUnsigned(metrics.height+draw_info->interline_spacing+ + draw_info->stroke_width+0.5); + if ((image->columns != 0) && (image->rows != 0)) + { +--- imagemagick-6.9.11.60+dfsg.orig/coders/label.c ++++ imagemagick-6.9.11.60+dfsg/coders/label.c +@@ -135,7 +135,7 @@ static Image *ReadLABELImage(const Image + return(DestroyImageList(image)); + (void) SetImageProperty(image,"label",label); + draw_info=CloneDrawInfo(image_info,(DrawInfo *) NULL); +- width=(size_t) floor(draw_info->pointsize*strlen(label)+0.5); ++ width=CastDoubleToUnsigned(draw_info->pointsize*strlen(label)+0.5); + if (AcquireMagickResource(WidthResource,width) == MagickFalse) + { + label=DestroyString(label); +@@ -174,8 +174,8 @@ static Image *ReadLABELImage(const Image + status=GetMultilineTypeMetrics(image,draw_info,&metrics); + if (status == MagickFalse) + break; +- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5); +- height=(size_t) floor(metrics.height+draw_info->stroke_width+0.5); ++ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5); ++ height=CastDoubleToUnsigned(metrics.height+draw_info->stroke_width+0.5); + if ((image->columns != 0) && (image->rows != 0)) + { + if ((width >= image->columns) && (height >= image->rows)) +@@ -204,8 +204,8 @@ static Image *ReadLABELImage(const Image + status=GetMultilineTypeMetrics(image,draw_info,&metrics); + if (status == MagickFalse) + break; +- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5); +- height=(size_t) floor(metrics.height+draw_info->stroke_width+0.5); ++ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5); ++ height=CastDoubleToUnsigned(metrics.height+draw_info->stroke_width+0.5); + if ((image->columns != 0) && (image->rows != 0)) + { + if ((width < image->columns) && (height < image->rows)) +--- 
imagemagick-6.9.11.60+dfsg.orig/coders/pcl.c ++++ imagemagick-6.9.11.60+dfsg/coders/pcl.c +@@ -333,9 +333,9 @@ static Image *ReadPCLImage(const ImageIn + image->x_resolution,image->y_resolution); + if (image_info->ping != MagickFalse) + (void) FormatLocaleString(density,MagickPathExtent,"2.0x2.0"); +- page.width=(size_t) floor((double) page.width*image->x_resolution/delta.x+ ++ page.width=CastDoubleToUnsigned((double) page.width*image->x_resolution/delta.x+ + 0.5); +- page.height=(size_t) floor((double) page.height*image->y_resolution/delta.y+ ++ page.height=CastDoubleToUnsigned((double) page.height*image->y_resolution/delta.y+ + 0.5); + (void) FormatLocaleString(options,MaxTextExtent,"-g%.20gx%.20g ",(double) + page.width,(double) page.height); +--- imagemagick-6.9.11.60+dfsg.orig/coders/pdf.c ++++ imagemagick-6.9.11.60+dfsg/coders/pdf.c +@@ -1587,9 +1587,9 @@ static MagickBooleanType WritePDFImage(c + (void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y, + &geometry.width,&geometry.height); + scale.x=(double) (geometry.width*delta.x)/resolution.x; +- geometry.width=(size_t) floor(scale.x+0.5); ++ geometry.width=CastDoubleToUnsigned(scale.x+0.5); + scale.y=(double) (geometry.height*delta.y)/resolution.y; +- geometry.height=(size_t) floor(scale.y+0.5); ++ geometry.height=CastDoubleToUnsigned(scale.y+0.5); + (void) ParseAbsoluteGeometry(page_geometry,&media_info); + (void) ParseGravityGeometry(image,page_geometry,&page_info, + &image->exception); +--- imagemagick-6.9.11.60+dfsg.orig/coders/ps.c ++++ imagemagick-6.9.11.60+dfsg/coders/ps.c +@@ -1502,9 +1502,9 @@ static MagickBooleanType WritePSImage(co + (void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y, + &geometry.width,&geometry.height); + scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x; +- geometry.width=(size_t) floor(scale.x+0.5); ++ geometry.width=CastDoubleToUnsigned(scale.x+0.5); + scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y; +- 
geometry.height=(size_t) floor(scale.y+0.5); ++ geometry.height=CastDoubleToUnsigned(scale.y+0.5); + (void) ParseAbsoluteGeometry(page_geometry,&media_info); + (void) ParseGravityGeometry(image,page_geometry,&page_info, + &image->exception); +--- imagemagick-6.9.11.60+dfsg.orig/coders/ps2.c ++++ imagemagick-6.9.11.60+dfsg/coders/ps2.c +@@ -533,9 +533,9 @@ static MagickBooleanType WritePS2Image(c + (void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y, + &geometry.width,&geometry.height); + scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x; +- geometry.width=(size_t) floor(scale.x+0.5); ++ geometry.width=CastDoubleToUnsigned(scale.x+0.5); + scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y; +- geometry.height=(size_t) floor(scale.y+0.5); ++ geometry.height=CastDoubleToUnsigned(scale.y+0.5); + (void) ParseAbsoluteGeometry(page_geometry,&media_info); + (void) ParseGravityGeometry(image,page_geometry,&page_info, + &image->exception); +--- imagemagick-6.9.11.60+dfsg.orig/coders/ps3.c ++++ imagemagick-6.9.11.60+dfsg/coders/ps3.c +@@ -980,9 +980,9 @@ static MagickBooleanType WritePS3Image(c + (void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y, + &geometry.width,&geometry.height); + scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x; +- geometry.width=(size_t) floor(scale.x+0.5); ++ geometry.width=CastDoubleToUnsigned(scale.x+0.5); + scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y; +- geometry.height=(size_t) floor(scale.y+0.5); ++ geometry.height=CastDoubleToUnsigned(scale.y+0.5); + (void) ParseAbsoluteGeometry(page_geometry,&media_info); + (void) ParseGravityGeometry(image,page_geometry,&page_info, + &image->exception); +--- imagemagick-6.9.11.60+dfsg.orig/coders/svg.c ++++ imagemagick-6.9.11.60+dfsg/coders/svg.c +@@ -2519,10 +2519,10 @@ static void SVGStartElement(void *contex + svg_info->view_box=svg_info->bounds; + svg_info->width=0; + if (svg_info->bounds.width > 0.0) +- 
svg_info->width=(size_t) floor(svg_info->bounds.width+0.5); ++ svg_info->width=CastDoubleToUnsigned(svg_info->bounds.width+0.5); + svg_info->height=0; + if (svg_info->bounds.height > 0.0) +- svg_info->height=(size_t) floor(svg_info->bounds.height+0.5); ++ svg_info->height=CastDoubleToUnsigned(svg_info->bounds.height+0.5); + (void) FormatLocaleFile(svg_info->file,"viewbox 0 0 %.20g %.20g\n", + (double) svg_info->width,(double) svg_info->height); + sx=PerceptibleReciprocal(svg_info->view_box.width)*svg_info->width; +--- imagemagick-6.9.11.60+dfsg.orig/magick/annotate.c ++++ imagemagick-6.9.11.60+dfsg/magick/annotate.c +@@ -325,7 +325,7 @@ MagickExport MagickBooleanType AnnotateI + (void) CloneString(&annotate->text,textlist[i]); + if ((metrics.width == 0) || (annotate->gravity != NorthWestGravity)) + (void) GetTypeMetrics(image,annotate,&metrics); +- height=(size_t) floor(metrics.ascent-metrics.descent+0.5); ++ height=CastDoubleToUnsigned(metrics.ascent-metrics.descent+0.5); + if (height == 0) + height=draw_info->pointsize; + height+=(size_t) floor(draw_info->interline_spacing+0.5); +@@ -610,7 +610,7 @@ MagickExport ssize_t FormatMagickCaption + status=GetTypeMetrics(image,draw_info,metrics); + if (status == MagickFalse) + break; +- width=(size_t) floor(metrics->width+draw_info->stroke_width+0.5); ++ width=CastDoubleToUnsigned(metrics->width+draw_info->stroke_width+0.5); + if (width <= image->columns) + continue; + if (s != (char *) NULL) +--- imagemagick-6.9.11.60+dfsg.orig/magick/draw.c ++++ imagemagick-6.9.11.60+dfsg/magick/draw.c +@@ -3447,14 +3447,14 @@ static MagickBooleanType RenderMVGConten + (void) GetNextToken(q,&q,extent,token); + if (*token == ',') + (void) GetNextToken(q,&q,extent,token); +- bounds.width=(size_t) floor(GetDrawValue(token,&next_token)+ ++ bounds.width=CastDoubleToUnsigned(GetDrawValue(token,&next_token)+ + 0.5); + if (token == next_token) + ThrowPointExpectedException(image,token); + (void) GetNextToken(q,&q,extent,token); + if (*token == 
',') + (void) GetNextToken(q,&q,extent,token); +- bounds.height=(size_t) floor(GetDrawValue(token,&next_token)+ ++ bounds.height=CastDoubleToUnsigned(GetDrawValue(token,&next_token)+ + 0.5); + if (token == next_token) + ThrowPointExpectedException(image,token); +@@ -3859,14 +3859,14 @@ static MagickBooleanType RenderMVGConten + (void) GetNextToken(q,&q,extent,token); + if (*token == ',') + (void) GetNextToken(q,&q,extent,token); +- graphic_context[n]->viewbox.width=(size_t) floor(GetDrawValue( ++ graphic_context[n]->viewbox.width=CastDoubleToUnsigned(GetDrawValue( + token,&next_token)+0.5); + if (token == next_token) + ThrowPointExpectedException(image,token); + (void) GetNextToken(q,&q,extent,token); + if (*token == ',') + (void) GetNextToken(q,&q,extent,token); +- graphic_context[n]->viewbox.height=(size_t) floor(GetDrawValue( ++ graphic_context[n]->viewbox.height=CastDoubleToUnsigned(GetDrawValue( + token,&next_token)+0.5); + if (token == next_token) + ThrowPointExpectedException(image,token); +--- imagemagick-6.9.11.60+dfsg.orig/magick/geometry.c ++++ imagemagick-6.9.11.60+dfsg/magick/geometry.c +@@ -1411,8 +1411,8 @@ MagickExport MagickStatusType ParseMetaG + scale.y=geometry_info.sigma; + if ((flags & SigmaValue) == 0) + scale.y=scale.x; +- *width=(size_t) floor(scale.x*former_width/100.0+0.5); +- *height=(size_t) floor(scale.y*former_height/100.0+0.5); ++ *width=CastDoubleToUnsigned(scale.x*former_width/100.0+0.5); ++ *height=CastDoubleToUnsigned(scale.y*former_height/100.0+0.5); + former_width=(*width); + former_height=(*height); + } +--- imagemagick-6.9.11.60+dfsg.orig/magick/shear.c ++++ imagemagick-6.9.11.60+dfsg/magick/shear.c +@@ -166,8 +166,8 @@ static MagickBooleanType CropToFitImage( + } + geometry.x=CastDoubleToLong(ceil(min.x-0.5)); + geometry.y=CastDoubleToLong(ceil(min.y-0.5)); +- geometry.width=(size_t) floor(max.x-min.x+0.5); +- geometry.height=(size_t) floor(max.y-min.y+0.5); ++ geometry.width=CastDoubleToUnsigned(max.x-min.x+0.5); ++ 
geometry.height=CastDoubleToUnsigned(max.y-min.y+0.5); + page=(*image)->page; + (void) ParseAbsoluteGeometry("0x0+0+0",&(*image)->page); + crop_image=CropImage(*image,&geometry,exception); +@@ -1787,9 +1787,9 @@ MagickExport Image *ShearRotateImage(con + */ + width=integral_image->columns; + height=integral_image->rows; +- bounds.width=(size_t) floor(fabs((double) height*shear.x)+width+0.5); +- bounds.height=(size_t) floor(fabs((double) bounds.width*shear.y)+height+0.5); +- shear_width=(size_t) floor(fabs((double) bounds.height*shear.x)+ ++ bounds.width=CastDoubleToUnsigned(fabs((double) height*shear.x)+width+0.5); ++ bounds.height=CastDoubleToUnsigned(fabs((double) bounds.width*shear.y)+height+0.5); ++ shear_width=CastDoubleToUnsigned(fabs((double) bounds.height*shear.x)+ + bounds.width+0.5); + bounds.x=CastDoubleToLong(floor((double) ((shear_width > bounds.width) ? + width : bounds.width-shear_width+2)/2.0+0.5)); +--- imagemagick-6.9.11.60+dfsg.orig/magick/visual-effects.c ++++ imagemagick-6.9.11.60+dfsg/magick/visual-effects.c +@@ -2052,8 +2052,8 @@ MagickExport Image *ShadowImage(const Im + (void) SetImageColorspace(clone_image,sRGBColorspace); + (void) SetImageVirtualPixelMethod(clone_image,EdgeVirtualPixelMethod); + clone_image->compose=OverCompositeOp; +- border_info.width=(size_t) floor(2.0*sigma+0.5); +- border_info.height=(size_t) floor(2.0*sigma+0.5); ++ border_info.width=CastDoubleToUnsigned(2.0*sigma+0.5); ++ border_info.height=CastDoubleToUnsigned(2.0*sigma+0.5); + border_info.x=0; + border_info.y=0; + (void) QueryColorDatabase("none",&clone_image->border_color,exception); diff --git a/debian/patches/CVE-2023-3428.patch b/debian/patches/CVE-2023-3428.patch new file mode 100644 index 0000000..4975d38 --- /dev/null +++ b/debian/patches/CVE-2023-3428.patch 
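Review bot: In the magick/annotate.c hunk the context line `height+=(size_t) floor(draw_info->interline_spacing+0.5);`, directly below the converted `height=CastDoubleToUnsigned(metrics.ascent-metrics.descent+0.5);`, is still a raw double-to-size_t cast of a caller-controlled value, so the undefined behaviour this patch removes survives one line later; changing it to `height+=CastDoubleToUnsigned(draw_info->interline_spacing+0.5);` keeps the hunk consistent. The coders/pcl.c replacements such as `page.width=CastDoubleToUnsigned((double) page.width*image->x_resolution/delta.x+` run past the line width the surrounding code keeps; rewrapping after the opening parenthesis would match. None of the converted sites clear or check errno, which is consistent with relying on the clamp rather than the error flag, but that choice is worth stating once in the patch header.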
@@ -0,0 +1,21 @@
+From 0d00400727170b0540a355a1bc52787bc7bcdea5 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 26 Jun 2023 19:39:43 -0400
+Subject: [PATCH] heap-buffer-overflow in ImageMagick <= 7.1.1-12, contributed
+ by Hardik shah of Vehere (Dawn Treaders team)
+
+---
+ coders/tiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- imagemagick-6.9.11.60+dfsg.orig/coders/tiff.c
++++ imagemagick-6.9.11.60+dfsg/coders/tiff.c
+@@ -1968,7 +1968,7 @@ static Image *ReadTIFFImage(const ImageI
+ number_pixels=(MagickSizeType) columns*rows;
+ if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
+ ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+- extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
++ extent=4*(samples_per_pixel+1)*MagickMax((rows+1)*TIFFTileRowSize(tiff),
+ TIFFTileSize(tiff));
+ #if defined(TIFF_VERSION_BIG)
+ extent+=image->columns*sizeof(uint64);
diff --git a/debian/patches/series b/debian/patches/series
index 3c4b111..0557ac9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -38,3 +38,12 @@ CVE-2022-28463.patch
 CVE-2022-32545.patch
 CVE-2022-32546.patch
 CVE-2022-32547.patch
+CVE-2021-3610.patch
+CVE-2023-1289-prepatch.patch
+CVE-2023-1289.patch
+CVE-2023-1906.patch
+CVE-2023-3195.patch
+CVE-2023-34151-prepatch.patch
+CVE-2023-34151-prepatch-2.patch
+CVE-2023-34151.patch
+CVE-2023-3428.patch
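Review bot: `(rows+1)*TIFFTileRowSize(tiff)` enlarges the tile buffer by one row of slack but carries no comment on why a single extra row bounds the overrun, so a later cleanup could "simplify" it back; a why-comment at that line such as `/* one extra row of slack: the tile unpack below may touch past the last row */` (wording to be confirmed against the unpack loop, which is outside the hunk) would preserve the intent. The extent is now `4*(samples_per_pixel+1)*MagickMax((rows+1)*TIFFTileRowSize(tiff),TIFFTileSize(tiff))` plus `image->columns*sizeof(uint64)`, every factor taken from file-controlled tags, and the only visible overflow guard is `HeapOverflowSanityCheck(rows,sizeof(*tile_pixels))`, which does not cover this product; a check on extent before AcquireQuantumMemory would be cheap insurance. ReadTIFFImage starts and ends outside the hunk.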