[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
08/09: gnu: imagemagick: Fix CVE-2020-27829.
From: |
guix-commits |
Subject: |
08/09: gnu: imagemagick: Fix CVE-2020-27829. |
Date: |
Sat, 27 Mar 2021 19:50:47 -0400 (EDT) |
mhw pushed a commit to branch master
in repository guix.
commit bfc69d5e7c45eac865e231643b58396580afb231
Author: Mark H Weaver <mhw@netris.org>
AuthorDate: Sat Mar 27 08:08:37 2021 -0400
gnu: imagemagick: Fix CVE-2020-27829.
* gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/imagemagick.scm (source): Add patch.
---
gnu/local.mk | 1 +
gnu/packages/imagemagick.scm | 4 +++-
.../patches/imagemagick-CVE-2020-27829.patch | 27 ++++++++++++++++++++++
3 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index f8c4e73..435aade 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1220,6 +1220,7 @@ dist_patch_DATA =
\
%D%/packages/patches/id3lib-UTF16-writing-bug.patch \
%D%/packages/patches/idris-disable-test.patch \
%D%/packages/patches/ilmbase-fix-tests.patch \
+ %D%/packages/patches/imagemagick-CVE-2020-27829.patch \
%D%/packages/patches/inetutils-hurd.patch \
%D%/packages/patches/inkscape-poppler-0.76.patch \
%D%/packages/patches/intel-xed-fix-nondeterminism.patch \
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index bbf0385..c48ba53 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -155,7 +155,9 @@ text, lines, polygons, ellipses and Bézier curves.")
version ".tar.xz"))
(sha256
(base32
- "1pkwij76yz7vd5grl6520pgpa912qb6kh34qamx4zfndwcx6cf6b"))))))
+ "1pkwij76yz7vd5grl6520pgpa912qb6kh34qamx4zfndwcx6cf6b"))
+ (patches
+ (search-patches "imagemagick-CVE-2020-27829.patch"))))))
(define-public perl-image-magick
(package
diff --git a/gnu/packages/patches/imagemagick-CVE-2020-27829.patch
b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch
new file mode 100644
index 0000000..b15c1d0
--- /dev/null
+++ b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch
@@ -0,0 +1,27 @@
+We omit the ChangeLog changes below, since they do not apply cleanly.
+
+
+From 6ee5059cd3ac8d82714a1ab1321399b88539abf0 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 30 Nov 2020 16:26:59 +0000
+Subject: [PATCH] possible TIFF related-heap buffer overflow (alert & POC by
+ Hardik Shah)
+
+---
+ ChangeLog | 6 ++++++
+ coders/tiff.c | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index e98f927ab..1eecf17ae 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1975,7 +1975,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+ extent+=image->columns*sizeof(uint32);
+ #endif
+ strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+- sizeof(*strip_pixels));
++ 2*sizeof(*strip_pixels));
+ if (strip_pixels == (unsigned char *) NULL)
+ ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+ (void) memset(strip_pixels,0,extent*sizeof(*strip_pixels));
- branch master updated (3b0ead1 -> 2d3d7fa), guix-commits, 2021/03/27
- 01/09: gnu: imagemagick: Remove graft., guix-commits, 2021/03/27
- 02/09: gnu: imagemagick: Add 'imagemagick/stable' variant., guix-commits, 2021/03/27
- 05/09: gnu: Use 'gtk-doc/stable' in native-inputs of selected packages., guix-commits, 2021/03/27
- 07/09: gnu: imagemagick: Hide 'imagemagick/stable' variant., guix-commits, 2021/03/27
- 06/09: gnu: imagemagick: Update to 6.9.12-4., guix-commits, 2021/03/27
- 09/09: gnu: imagemagick: Add more upstream fixes., guix-commits, 2021/03/27
- 03/09: gnu: dblatex: Add 'dblatex/stable' variant., guix-commits, 2021/03/27
- 04/09: gnu: gtk-doc: Add 'gtk-doc/stable' variant., guix-commits, 2021/03/27
- 08/09: gnu: imagemagick: Fix CVE-2020-27829.,
guix-commits <=