rpms / ImageMagick

Clone
Source Code
GIT

Blame SOURCES/ImageMagick-cve-2016-3717.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c9s-sig-cloud-openstack-xena
  1.   b7c0725cf64caacf4246d74a567a0845d813ba8e
  2.   SOURCES
  3.   ImageMagick-cve-2016-3717.patch
Blob History Raw
b7c072 
diff -up ImageMagick-6.7.8-9/config/delegates.xml.in.cve-2016-3717 ImageMagick-6.7.8-9/config/delegates.xml.in
b7c072 
--- ImageMagick-6.7.8-9/config/delegates.xml.in.cve-2016-3717	2012-06-26 14:23:25.000000000 +0200
b7c072 
+++ ImageMagick-6.7.8-9/config/delegates.xml.in	2016-05-05 13:52:30.751570145 +0200
b7c072 
@@ -85,11 +85,11 @@
b7c072 
   <delegate decode="hpgl" command="if [ -e @HPGLDecodeDelegate@ -o -e /usr/bin/@HPGLDecodeDelegate@ ]; then     @HPGLDecodeDelegate@ -q -m eps -f `basename "%o"` "%i";     mv -f `basename "%o"` "%o";   else     echo "You need to install hp2xx to use HPGL files with ImageMagick.";     exit 1;   fi"/>
b7c072 
   <delegate decode="htm" command=""@HTMLDecodeDelegate@" -U -o "%o" "%i""/>
b7c072 
   <delegate decode="html" command=""@HTMLDecodeDelegate@" -U -o "%o" "%i""/>
b7c072 
-  <delegate decode="https" command=""@WWWDecodeDelegate@" -s -k -o "%o" "https:%M""/>
b7c072 
+  <delegate decode="https" command=""@WWWDecodeDelegate@" -s -k -o "%o" "https:%F""/>
b7c072 
   <delegate decode="ilbm" command=""@ILBMDecodeDelegate@" "%i" > "%o""/>
b7c072 
   <delegate decode="man" command=""@MANDelegate@" -man -Tps "%i" > "%o""/>
b7c072 
   <delegate decode="mpeg:decode" command=""@MPEGDecodeDelegate@" -v -1 -i "%i" -vframes %S -vcodec pam -an -f rawvideo -y "%u.pam" 2> "%Z""/>
b7c072 
-  <delegate encode="mpeg:encode" stealth="True" command=""@MPEGEncodeDelegate@" -v -1 -mbd rd -trellis 2 -cmp 2 -subcmp 2 -g 300 -i "%M%%d.jpg" "%u.%m" 2> "%Z""/>
b7c072 
+  <delegate encode="mpeg:encode" stealth="True" command=""@MPEGEncodeDelegate@" -v -1 -mbd rd -trellis 2 -cmp 2 -subcmp 2 -g 300 -i "%F%%d.jpg" "%u.%m" 2> "%Z""/>
b7c072 
   <delegate decode="sid" command=""@MrSIDDecodeDelegate@" -if sid -i "%i" -of tif -o "%o" > "%u""/>
b7c072 
   <delegate decode="pcl:color" stealth="True" command=""@PCLDelegate@" -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=@PCLColorDevice@" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "%s""/>
b7c072 
   <delegate decode="pcl:cmyk" stealth="True" command=""@PCLDelegate@" -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=@PCLCMYKDevice@" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "%s""/>
b7c072 
@@ -109,11 +109,11 @@
b7c072 
   <delegate decode="rgba" encode="rle" mode="encode" command=""@RLEEncodeDelegate@" -o "%o" -v "%i""/>
b7c072 
   <delegate decode="scan" command=""@SCANDecodeDelegate@" -d "%i" > "%o""/>
b7c072 
   <delegate decode="scanx" command=""@SCANDecodeDelegate@" > "%o""/>
b7c072 
-  <delegate decode="miff" encode="show" spawn="True" command=""@DisplayDelegate@" -delay 0 -window-group %[group] -title "%l " "ephemeral:%i""/>
b7c072 
+  <delegate decode="miff" encode="show" spawn="True" command=""@DisplayDelegate@" -delay 0 -window-group %[group] "ephemeral:%i""/>
b7c072 
   <delegate decode="shtml" command=""@HTMLDecodeDelegate@" -U -o "%o" "%i""/>
b7c072 
   <delegate decode="svg" command=""@RSVGDecodeDelegate@" -o "%o" "%i""/>
b7c072 
   <delegate decode="txt" encode="ps" mode="bi" command=""@TXTDelegate@" -o "%o" "%i""/>
b7c072 
-  <delegate decode="miff" encode="win" stealth="True" spawn="True" command=""@DisplayDelegate@" -immutable -delay 0 -window-group %[group] -title "%l " "ephemeral:%i""/>
b7c072 
+  <delegate decode="miff" encode="win" stealth="True" spawn="True" command=""@DisplayDelegate@" -immutable -delay 0 -window-group %[group] "ephemeral:%i""/>
b7c072 
   <delegate decode="wmf" command=""@WMFDecodeDelegate@" -o "%o" "%i""/>
b7c072 
   <delegate decode="xps:color" stealth="True" command=""@XPSDelegate@" -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=@XPSColorDevice@" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "%s""/>
b7c072 
   <delegate decode="xps:cmyk" stealth="True" command=""@XPSDelegate@" -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=@XPSCMYKDevice@" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "%s""/>
b7c072 
diff -up ImageMagick-6.7.8-9/config/policy.xml.cve-2016-3717 ImageMagick-6.7.8-9/config/policy.xml
b7c072 
--- ImageMagick-6.7.8-9/config/policy.xml.cve-2016-3717	2012-03-03 02:18:13.000000000 +0100
b7c072 
+++ ImageMagick-6.7.8-9/config/policy.xml	2016-05-05 14:08:15.249092848 +0200
b7c072 
@@ -35,6 +35,10 @@
b7c072
b7c072 
     <policy domain="path" rights="read" pattern="/repository/*" />
b7c072
b7c072 
+  Let's prevent possible exploits by removing the right to use indirect reads.
b7c072 
+
b7c072 
+    <policy domain="path" rights="none" pattern="@*" />
b7c072 
+
b7c072 
   Any large image is cached to disk rather than memory:
b7c072
b7c072 
     <policy domain="resource" name="area" value="1GB"/>
b7c072 
@@ -55,4 +59,14 @@
b7c072
b7c072
b7c072
b7c072 
+  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
b7c072 
+  <policy domain="coder" rights="none" pattern="HTTPS" />
b7c072 
+  <policy domain="coder" rights="none" pattern="HTTP" />
b7c072 
+  <policy domain="coder" rights="none" pattern="URL" />
b7c072 
+  <policy domain="coder" rights="none" pattern="FTP" />
b7c072 
+  <policy domain="coder" rights="none" pattern="MVG" />
b7c072 
+  <policy domain="coder" rights="none" pattern="MSL" />
b7c072 
+  <policy domain="coder" rights="none" pattern="TEXT" />
b7c072 
+  <policy domain="coder" rights="none" pattern="LABEL" />
b7c072 
+  <policy domain="path" rights="none" pattern="@*" />
b7c072 
 </policymap>
b7c072 
diff -up ImageMagick-6.7.8-9/magick/property.c.cve-2016-3717 ImageMagick-6.7.8-9/magick/property.c
b7c072 
--- ImageMagick-6.7.8-9/magick/property.c.cve-2016-3717	2012-08-10 13:08:37.000000000 +0200
b7c072 
+++ ImageMagick-6.7.8-9/magick/property.c	2016-05-05 13:52:30.752570145 +0200
b7c072 
@@ -66,6 +66,7 @@
b7c072 
 #include "magick/monitor.h"
b7c072 
 #include "magick/montage.h"
b7c072 
 #include "magick/option.h"
b7c072 
+#include "magick/policy.h"
b7c072 
 #include "magick/profile.h"
b7c072 
 #include "magick/property.h"
b7c072 
 #include "magick/quantum.h"
b7c072 
@@ -2357,6 +2358,29 @@ static const char *GetMagickPropertyLett
b7c072 
         CommandOptionToMnemonic(MagickDisposeOptions,(ssize_t) image->dispose));
b7c072 
       break;
b7c072 
     }
b7c072 
+    case 'F':
b7c072 
+    {
b7c072 
+      const char
b7c072 
+        *q;
b7c072 
+
b7c072 
+      register char
b7c072 
+        *p;
b7c072 
+
b7c072 
+      static char
b7c072 
+        whitelist[] =
b7c072 
+        "^-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
b7c072 
+        "+&@#/%?=~_|!:,.;()";
b7c072 
+
b7c072 
+      /*
b7c072 
+       *         Magick filename (sanitized) - filename given incl. coder & read mods.
b7c072 
+       *                 */
b7c072 
+      (void) CopyMagickString(value,image->magick_filename,MaxTextExtent);
b7c072 
+      p=value;
b7c072 
+      q=value+strlen(value);
b7c072 
+      for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist))
b7c072 
+        *p='_';
b7c072 
+      break;
b7c072 
+    }
b7c072 
     case 'G': /* Image size as geometry = "%wx%h" */
b7c072 
     {
b7c072 
       (void) FormatLocaleString(value,MaxTextExtent,"%.20gx%.20g",(double)
b7c072 
@@ -2943,16 +2967,23 @@ MagickExport char *InterpretImagePropert
b7c072 
   if ((embed_text == (const char *) NULL) || (*embed_text == '\0'))
b7c072 
     return((char *) NULL);
b7c072 
   p=embed_text;
b7c072 
+  while ((isspace((int) ((unsigned char) *p)) != 0) && (*p != '\0'))
b7c072 
+    p++;
b7c072 
+  if (*p == '\0')
b7c072 
+    return(ConstantString(""));
b7c072 
+
b7c072 
+  if ((*p == '@') && (IsPathAccessible(p+1) != MagickFalse))
b7c072 
+  {
b7c072 
+    /* handle a '@' replace string from file */
b7c072 
+    if (IsRightsAuthorized(PathPolicyDomain,ReadPolicyRights,p) == MagickFalse)
b7c072 
+    {
b7c072 
+      errno=EPERM;
b7c072 
+      (void) ThrowMagickException(&image->exception,GetMagickModule(),
b7c072 
+          PolicyError,"NotAuthorized","`%s'",p);
b7c072 
+      return(ConstantString(""));
b7c072 
+    }
b7c072
b7c072 
-  /* handle a '@' replace string from file */
b7c072 
-  if (*p == '@') {
b7c072 
-     p++;
b7c072 
-     if (*p != '-' && (IsPathAccessible(p) == MagickFalse) ) {
b7c072 
-       (void) ThrowMagickException(&image->exception,GetMagickModule(),
b7c072 
-           OptionError,"UnableToAccessPath","%s",p);
b7c072 
-       return((char *) NULL);
b7c072 
-     }
b7c072 
-     return(FileToString(p,~0,&image->exception));
b7c072 
+     return(FileToString(p+1,~0,&image->exception));
b7c072 
   }
b7c072
b7c072 
   /*

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation