pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/graphics/ImageMagick Security fixes for CVE-2006-0082 ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/fda733b2f018
branches:  trunk
changeset: 507172:fda733b2f018
user:      salo <salo%pkgsrc.org@localhost>
date:      Sat Jan 28 02:36:55 2006 +0000

description:
Security fixes for CVE-2006-0082 and Debian bug #345595:

"Format string vulnerabilities in ImageMagick allow user-complicit attackers
 to cause a denial of service (crash) and possibly execute arbitrary code via
 a numeric format string specifier such as %d in the file name, a variant of
 CVE-2005-0397, and as demonstrated using the convert program."

Patches from Debian.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0082
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345876
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345595

diffstat:

 graphics/ImageMagick/Makefile         |   3 +-
 graphics/ImageMagick/distinfo         |   9 +++-
 graphics/ImageMagick/patches/patch-ab |  15 ++++++
 graphics/ImageMagick/patches/patch-ac |  34 ++++++++++++++
 graphics/ImageMagick/patches/patch-ad |  51 +++++++++++++++++++++
 graphics/ImageMagick/patches/patch-ae |  34 ++++++++++++++
 graphics/ImageMagick/patches/patch-af |  15 ++++++
 graphics/ImageMagick/patches/patch-ag |  82 +++++++++++++++++++++++++++++++++++
 graphics/ImageMagick/patches/patch-ah |  14 +++++
 9 files changed, 255 insertions(+), 2 deletions(-)

diffs (truncated from 305 to 300 lines):

diff -r 8daf07459050 -r fda733b2f018 graphics/ImageMagick/Makefile
--- a/graphics/ImageMagick/Makefile     Sat Jan 28 02:03:57 2006 +0000
+++ b/graphics/ImageMagick/Makefile     Sat Jan 28 02:36:55 2006 +0000
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.136 2006/01/26 20:38:18 adam Exp $
+# $NetBSD: Makefile,v 1.137 2006/01/28 02:36:55 salo Exp $
 
 .include "Makefile.common"
 
 PKGNAME=       ImageMagick-${DISTVERSION}
+PKGREVISION=   1
 
 MAINTAINER=    adam%NetBSD.org@localhost
 HOMEPAGE=      http://www.simplesystems.org/ImageMagick/
diff -r 8daf07459050 -r fda733b2f018 graphics/ImageMagick/distinfo
--- a/graphics/ImageMagick/distinfo     Sat Jan 28 02:03:57 2006 +0000
+++ b/graphics/ImageMagick/distinfo     Sat Jan 28 02:36:55 2006 +0000
@@ -1,6 +1,13 @@
-$NetBSD: distinfo,v 1.57 2006/01/26 20:38:18 adam Exp $
+$NetBSD: distinfo,v 1.58 2006/01/28 02:36:55 salo Exp $
 
 SHA1 (ImageMagick-6.2.6-0.tar.bz2) = 0cf67149e806053a63fdaec70de913a9fd72aaf9
 RMD160 (ImageMagick-6.2.6-0.tar.bz2) = 34d8ea5408439c536ac2c791c7ad2fafa1424671
 Size (ImageMagick-6.2.6-0.tar.bz2) = 5139235 bytes
 SHA1 (patch-aa) = b5002ca0bd553c27a23f3ea9835e5b6c738f4f8d
+SHA1 (patch-ab) = 8b6e1c08d3e48dd76f8b4ae98297f6ab78017313
+SHA1 (patch-ac) = 0fed1246c6d36ba8549a60c859cbed2e213f8ec7
+SHA1 (patch-ad) = a98725b948b5c58c509d5d0c623831e2d3a452cb
+SHA1 (patch-ae) = a3134b37c2830b7ea094a1e10c1847e596a7c78c
+SHA1 (patch-af) = db1af7fa7f143cd4fa45a83310f209e928959ae6
+SHA1 (patch-ag) = 732bcd06b712d2bdae5b05845be98603d2b75282
+SHA1 (patch-ah) = b240858ffb307f89cdfca402ce02b6d299f1b984
diff -r 8daf07459050 -r fda733b2f018 graphics/ImageMagick/patches/patch-ab
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/ImageMagick/patches/patch-ab     Sat Jan 28 02:36:55 2006 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-ab,v 1.16 2006/01/28 02:36:55 salo Exp $
+
+Security fix for CVE-2006-0082, from Debian.
+
+--- wand/animate.c.orig        2006-01-13 05:49:46.000000000 +0100
++++ wand/animate.c     2006-01-28 02:24:20.000000000 +0100
+@@ -410,7 +410,7 @@
+               /*
+                 Form filename for multi-part images.
+               */
+-              (void) FormatMagickString(filename,MaxTextExtent,
++              (void) FormatMagickStringNumeric(filename,MaxTextExtent,
+                 image_info->filename,scene);
+               if (LocaleCompare(filename,image_info->filename) == 0)
+                 (void) FormatMagickString(filename,MaxTextExtent,"%s[%lu]",
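Review bot: The `scene` argument passed to `FormatMagickStringNumeric` in this hunk is narrowed to the helper's `int value` parameter (prototype in patch-ag), while the fallback format on the following line uses `%lu`, which suggests the scene counter is an `unsigned long`. The same implicit conversion occurs at the calls in patch-ac, patch-ad, patch-ae and patch-af. A scene above `INT_MAX` would expand to a wrong or negative number in the generated filename, so the conversion is better made explicit and documented, e.g. `image_info->filename,(int) scene);` with a comment stating the supported range. The enclosing function starts and ends outside this hunk.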
diff -r 8daf07459050 -r fda733b2f018 graphics/ImageMagick/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/ImageMagick/patches/patch-ac     Sat Jan 28 02:36:55 2006 +0000
@@ -0,0 +1,34 @@
+$NetBSD: patch-ac,v 1.12 2006/01/28 02:36:55 salo Exp $
+
+Security fix for CVE-2006-0082, from Debian.
+
+--- magick/blob.c.orig 2006-01-19 00:30:32.000000000 +0100
++++ magick/blob.c      2006-01-28 02:29:06.000000000 +0100
+@@ -1913,25 +1913,8 @@
+       /*
+         Form filename for multi-part images.
+       */
+-      (void) CopyMagickString(filename,image->filename,MaxTextExtent);
+-      for (p=strchr(filename,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
+-      {
+-        char
+-          *q;
+-
+-        q=p+1;
+-        if (*q == '0')
+-          (void) strtol(q,&q,10);
+-        if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x'))
+-          {
+-            char
+-              format[MaxTextExtent];
+-
+-            (void) CopyMagickString(format,p,MaxTextExtent);
+-            (void) FormatMagickString(p,MaxTextExtent,format,image->scene);
+-            break;
+-          }
+-      }
++      (void) FormatMagickStringNumeric(filename,MaxTextExtent,image->filename,
++        image->scene);
+       if (image_info->adjoin == MagickFalse)
+         if ((image->previous != (Image *) NULL) ||
+             (GetNextImageInList(image) != (Image *) NULL))
diff -r 8daf07459050 -r fda733b2f018 graphics/ImageMagick/patches/patch-ad
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/ImageMagick/patches/patch-ad     Sat Jan 28 02:36:55 2006 +0000
@@ -0,0 +1,51 @@
+$NetBSD: patch-ad,v 1.9 2006/01/28 02:36:55 salo Exp $
+
+Security fixes for CVE-2006-0082 and #345595, from Debian.
+
+--- wand/display.c.orig        2006-01-13 05:49:46.000000000 +0100
++++ wand/display.c     2006-01-28 02:35:54.000000000 +0100
+@@ -315,10 +315,7 @@
+   image_number=0;
+   last_image=0;
+   last_scene=0;
+-  image_marker=(unsigned long *)
+-    AcquireMagickMemory((argc+1)*sizeof(*image_marker));
+-  for (i=0; i <= argc; i++)
+-    image_marker[i]=(unsigned long) argc;
++  image_marker=(unsigned long *) NULL;
+   option=(char *) NULL;
+   pend=MagickFalse;
+   resource_database=(XrmDatabase) NULL;
+@@ -326,9 +323,6 @@
+   server_name=(char *) NULL;
+   state=0;
+   status=MagickTrue;
+-  if (image_marker == (unsigned long *) NULL)
+-    ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
+-      strerror(errno));
+   /*
+     Check for server name specified on the command line.
+   */
+@@ -337,6 +331,13 @@
+   if (status == MagickFalse)
+     ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
+       strerror(errno));
++  image_marker=(unsigned long *)
++    AcquireMagickMemory((argc+1)*sizeof(*image_marker));
++  for (i=0; i <= argc; i++)
++    image_marker[i]=(unsigned long) argc;
++  if (image_marker == (unsigned long *) NULL)
++    ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
++      strerror(errno));
+   for (i=1; i < (long) argc; i++)
+   {
+     /*
+@@ -461,7 +462,7 @@
+               /*
+                 Form filename for multi-part images.
+               */
+-              (void) FormatMagickString(filename,MaxTextExtent,
++              (void) FormatMagickStringNumeric(filename,MaxTextExtent,
+                 image_info->filename,scene);
+               if (LocaleCompare(filename,image_info->filename) == 0)
+                 (void) FormatMagickString(filename,MaxTextExtent,"%s.%lu",
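Review bot: The relocated allocation still fills `image_marker` in the `for (i=0; i <= argc; i++)` loop before the `image_marker == (unsigned long *) NULL` test, so a failed `AcquireMagickMemory` is dereferenced before the MemoryAllocationFailed exception can be thrown. The NULL test belongs directly after the allocation, with the `for (i=0; i <= argc; i++)` initialisation loop following it. The removed lines had the same order, so the problem is carried over rather than introduced, but moving the block is the natural point to correct it. The enclosing function begins and ends outside the hunk.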
diff -r 8daf07459050 -r fda733b2f018 graphics/ImageMagick/patches/patch-ae
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/ImageMagick/patches/patch-ae     Sat Jan 28 02:36:55 2006 +0000
@@ -0,0 +1,34 @@
+$NetBSD: patch-ae,v 1.6 2006/01/28 02:36:55 salo Exp $
+
+Security fix for CVE-2006-0082, from Debian.
+
+--- magick/image.c.orig        2006-01-17 17:20:54.000000000 +0100
++++ magick/image.c     2006-01-28 02:42:54.000000000 +0100
+@@ -2780,25 +2780,8 @@
+       /*
+         Rectify multi-image file support.
+       */
+-      (void) CopyMagickString(filename,image_info->filename,MaxTextExtent);
+-      for (p=strchr(filename,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
+-      {
+-        char
+-          *q;
+-
+-        q=(char *) p+1;
+-        if (*q == '0')
+-          (void) strtol(q,&q,10);
+-        if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x'))
+-          {
+-            char
+-              format[MaxTextExtent];
+-
+-            (void) CopyMagickString(format,p,MaxTextExtent);
+-            (void) FormatMagickString(p,MaxTextExtent,format,image_info->scene);
+-            break;
+-          }
+-      }
++      (void) FormatMagickStringNumeric(filename,MaxTextExtent,
++        image_info->filename,image_info->scene);
+       if ((LocaleCompare(filename,image_info->filename) != 0) &&
+           (strchr(filename,'%') == (char *) NULL))
+         image_info->adjoin=MagickFalse;
diff -r 8daf07459050 -r fda733b2f018 graphics/ImageMagick/patches/patch-af
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/ImageMagick/patches/patch-af     Sat Jan 28 02:36:55 2006 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-af,v 1.6 2006/01/28 02:36:55 salo Exp $
+
+Security fix for CVE-2006-0082, from Debian.
+
+--- wand/montage.c.orig        2006-01-13 05:49:46.000000000 +0100
++++ wand/montage.c     2006-01-28 02:51:49.000000000 +0100
+@@ -340,7 +340,7 @@
+               /*
+                 Form filename for multi-part images.
+               */
+-              (void) FormatMagickString(filename,MaxTextExtent,
++              (void) FormatMagickStringNumeric(filename,MaxTextExtent,
+                 image_info->filename,scene);
+               if (LocaleCompare(filename,image_info->filename) == 0)
+                 (void) FormatMagickString(filename,MaxTextExtent,"%s.%lu",
diff -r 8daf07459050 -r fda733b2f018 graphics/ImageMagick/patches/patch-ag
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/ImageMagick/patches/patch-ag     Sat Jan 28 02:36:55 2006 +0000
@@ -0,0 +1,82 @@
+$NetBSD: patch-ag,v 1.4 2006/01/28 02:36:55 salo Exp $
+
+Security fix for CVE-2006-0082, from Debian.
+
+--- magick/string.c.orig       2006-01-08 23:49:09.000000000 +0100
++++ magick/string.c    2006-01-28 02:54:01.000000000 +0100
+@@ -971,6 +971,75 @@
+ %                                                                             %
+ %                                                                             %
+ %                                                                             %
++%  F o r m a t M a g i c k S t r i n g N u m e r i c                          %
++%                                                                             %
++%                                                                             %
++%                                                                             %
++%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
++%
++%  Method FormatMagickStringNumeric formats output for a single numeric
++%  argument. It takes into account that the format string given might be
++%  untrusted user input, and returns the length of the formatted string.
++%
++%  The format of the FormatMagickStringNumeric method is:
++%
++%      long FormatMagickStringNumeric(char *string,const size_t length,
++%                                     const char *format,int value)
++%
++%  A description of each parameter follows.
++%
++%   o string:  FormatMagickStringNumeric() returns the formatted string in this
++%     character buffer.
++%
++%   o length: The maximum length of the string.
++%
++%   o  format:  A string describing the format to use to write the numeric
++%      argument. Only the first numeric format identifier is replaced.
++%
++%   o  value:  Numeric value to substitute into format string.
++%
++%
++*/
++MagickExport long FormatMagickStringNumeric(char *string,const size_t length,const char *format,int value)
++{
++  char
++    *p;
++
++  (void) CopyMagickString(string, format, length);
++
++  for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
++  {
++    char
++      *q;
++
++    q=(char *) p+1;
++    if (*q == '0')
++      (void) strtol(q,&q,10);
++    if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x'))
++    {
++      char
++        c;
++
++      q++;
++      c=*q;
++      *q='\0';
++      (void) snprintf(string+(p-format),length-(p-format),p,value);
++      *q=c;
++      (void) ConcatenateMagickString(string,q,length);
++      if (*(q-1) == '%')
++        p++;
++      else
++        break;
++    }
++  }
++  return (long)strlen(string);
++}
++
++/*
++%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
++%                                                                             %
++%                                                                             %
++%                                                                             %
+ %  F o r m a t M a g i c k S t r i n g                                        %
+ %                                                                             %
+ %                                                                             %
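Review bot: `FormatMagickStringNumeric` writes a temporary NUL into `format` (`*q='\0'` then `*q=c`) although the parameter is `const char *` and the header comment says it may be untrusted user input; that is undefined behaviour if a caller ever passes a read-only string, and it briefly alters a buffer the caller still owns. Separately, `length-(p-format)` is computed without checking that the specifier's offset is below `length`, so a format longer than the destination would make the `size_t` subtraction wrap and hand `snprintf` an oversized bound; the callers shown pass `MaxTextExtent` buffers, but the helper itself does not enforce that. Copying the matched specifier into a local buffer and stopping on an out-of-range offset addresses both, as in the excerpt below. Output written at `string+(p-format)` also stops lining up with `format` once a `%%` has been collapsed to a single `%`, which the excerpt does not change.

```c
    if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x'))
    {
      char
        specifier[MaxTextExtent];

      size_t
        offset;

      q++;
      offset=(size_t) (p-format);
      if ((offset >= length) || ((size_t) (q-p) >= sizeof(specifier)))
        break;
      /* Format from a private copy so the caller's format is never modified. */
      (void) CopyMagickString(specifier,p,(size_t) (q-p)+1);
      (void) snprintf(string+offset,length-offset,specifier,value);
      (void) ConcatenateMagickString(string,q,length);
      /* … unchanged: continue after "%%", otherwise break … */
    }
```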
diff -r 8daf07459050 -r fda733b2f018 graphics/ImageMagick/patches/patch-ah
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/ImageMagick/patches/patch-ah     Sat Jan 28 02:36:55 2006 +0000
@@ -0,0 +1,14 @@
+$NetBSD: patch-ah,v 1.3 2006/01/28 02:36:55 salo Exp $
+
+Security fix for CVE-2006-0082, from Debian.
+
+--- magick/string_.h.orig      2006-01-08 06:14:02.000000000 +0100
++++ magick/string_.h   2006-01-28 03:04:20.000000000 +0100
+@@ -61,6 +61,7 @@
+     magick_attribute((format (printf,3,4))),
+   FormatMagickStringList(char *,const size_t,const char *,va_list)


