diff -up ImageMagick-6.7.8-9/config/delegates.xml.in.cve-2016-3717 ImageMagick-6.7.8-9/config/delegates.xml.in
--- ImageMagick-6.7.8-9/config/delegates.xml.in.cve-2016-3717	2012-06-26 14:23:25.000000000 +0200
+++ ImageMagick-6.7.8-9/config/delegates.xml.in	2016-05-05 13:52:30.751570145 +0200
@@ -85,11 +85,11 @@
   <delegate decode="hpgl" command="if [ -e @HPGLDecodeDelegate@ -o -e /usr/bin/@HPGLDecodeDelegate@ ]; then     @HPGLDecodeDelegate@ -q -m eps -f `basename &quot;%o&quot;` &quot;%i&quot;;     mv -f `basename &quot;%o&quot;` &quot;%o&quot;;   else     echo &quot;You need to install hp2xx to use HPGL files with ImageMagick.&quot;;     exit 1;   fi"/>
   <delegate decode="htm" command="&quot;@HTMLDecodeDelegate@&quot; -U -o &quot;%o&quot; &quot;%i&quot;"/>
   <delegate decode="html" command="&quot;@HTMLDecodeDelegate@&quot; -U -o &quot;%o&quot; &quot;%i&quot;"/>
-  <delegate decode="https" command="&quot;@WWWDecodeDelegate@&quot; -s -k -o &quot;%o&quot; &quot;https:%M&quot;"/>
+  <delegate decode="https" command="&quot;@WWWDecodeDelegate@&quot; -s -k -o &quot;%o&quot; &quot;https:%F&quot;"/>
   <delegate decode="ilbm" command="&quot;@ILBMDecodeDelegate@&quot; &quot;%i&quot; &gt; &quot;%o&quot;"/>
   <delegate decode="man" command="&quot;@MANDelegate@&quot; -man -Tps &quot;%i&quot; &gt; &quot;%o&quot;"/>
   <delegate decode="mpeg:decode" command="&quot;@MPEGDecodeDelegate@&quot; -v -1 -i &quot;%i&quot; -vframes %S -vcodec pam -an -f rawvideo -y &quot;%u.pam&quot; 2&gt; &quot;%Z&quot;"/>
-  <delegate encode="mpeg:encode" stealth="True" command="&quot;@MPEGEncodeDelegate@&quot; -v -1 -mbd rd -trellis 2 -cmp 2 -subcmp 2 -g 300 -i &quot;%M%%d.jpg&quot; &quot;%u.%m&quot; 2&gt; &quot;%Z&quot;"/>
+  <delegate encode="mpeg:encode" stealth="True" command="&quot;@MPEGEncodeDelegate@&quot; -v -1 -mbd rd -trellis 2 -cmp 2 -subcmp 2 -g 300 -i &quot;%F%%d.jpg&quot; &quot;%u.%m&quot; 2&gt; &quot;%Z&quot;"/>
   <delegate decode="sid" command="&quot;@MrSIDDecodeDelegate@&quot; -if sid -i &quot;%i&quot; -of tif -o &quot;%o&quot; &gt; &quot;%u&quot;"/>
   <delegate decode="pcl:color" stealth="True" command="&quot;@PCLDelegate@&quot; -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=@PCLColorDevice@&quot; -dTextAlphaBits=%u -dGraphicsAlphaBits=%u &quot;-r%s&quot; %s &quot;-sOutputFile=%s&quot; &quot;%s&quot;"/>
   <delegate decode="pcl:cmyk" stealth="True" command="&quot;@PCLDelegate@&quot; -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=@PCLCMYKDevice@&quot; -dTextAlphaBits=%u -dGraphicsAlphaBits=%u &quot;-r%s&quot; %s &quot;-sOutputFile=%s&quot; &quot;%s&quot;"/>
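Review bot: The rewritten `https` delegate line still passes `-k`, which (assuming `@WWWDecodeDelegate@` resolves to curl, as the `-s -k -o` options suggest) turns off TLS certificate verification, so the fetched data is not authenticated even though the URL is now built from the sanitized `%F`. Dropping the flag, `-s -o &quot;%o&quot; &quot;https:%F&quot;`, would close that gap. The policy.xml part of this patch denies the HTTPS coder by default, but the delegate comes back into use as soon as an administrator re-enables it.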
@@ -109,11 +109,11 @@
   <delegate decode="rgba" encode="rle" mode="encode" command="&quot;@RLEEncodeDelegate@&quot; -o &quot;%o&quot; -v &quot;%i&quot;"/>
   <delegate decode="scan" command="&quot;@SCANDecodeDelegate@&quot; -d &quot;%i&quot; &gt; &quot;%o&quot;"/>
   <delegate decode="scanx" command="&quot;@SCANDecodeDelegate@&quot; &gt; &quot;%o&quot;"/>
-  <delegate decode="miff" encode="show" spawn="True" command="&quot;@DisplayDelegate@&quot; -delay 0 -window-group %[group] -title &quot;%l &quot; &quot;ephemeral:%i&quot;"/>
+  <delegate decode="miff" encode="show" spawn="True" command="&quot;@DisplayDelegate@&quot; -delay 0 -window-group %[group] &quot;ephemeral:%i&quot;"/>
   <delegate decode="shtml" command="&quot;@HTMLDecodeDelegate@&quot; -U -o &quot;%o&quot; &quot;%i&quot;"/>
   <delegate decode="svg" command="&quot;@RSVGDecodeDelegate@&quot; -o &quot;%o&quot; &quot;%i&quot;"/>
   <delegate decode="txt" encode="ps" mode="bi" command="&quot;@TXTDelegate@&quot; -o &quot;%o&quot; &quot;%i&quot;"/>
-  <delegate decode="miff" encode="win" stealth="True" spawn="True" command="&quot;@DisplayDelegate@&quot; -immutable -delay 0 -window-group %[group] -title &quot;%l &quot; &quot;ephemeral:%i&quot;"/>
+  <delegate decode="miff" encode="win" stealth="True" spawn="True" command="&quot;@DisplayDelegate@&quot; -immutable -delay 0 -window-group %[group] &quot;ephemeral:%i&quot;"/>
   <delegate decode="wmf" command="&quot;@WMFDecodeDelegate@&quot; -o &quot;%o&quot; &quot;%i&quot;"/>
   <delegate decode="xps:color" stealth="True" command="&quot;@XPSDelegate@&quot; -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=@XPSColorDevice@&quot; -dTextAlphaBits=%u -dGraphicsAlphaBits=%u &quot;-r%s&quot; %s &quot;-sOutputFile=%s&quot; &quot;%s&quot;"/>
   <delegate decode="xps:cmyk" stealth="True" command="&quot;@XPSDelegate@&quot; -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=@XPSCMYKDevice@&quot; -dTextAlphaBits=%u -dGraphicsAlphaBits=%u &quot;-r%s&quot; %s &quot;-sOutputFile=%s&quot; &quot;%s&quot;"/>
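Review bot: `%[group]` is still substituted unquoted on the new `show` and `win` delegate lines, while the other substitutions in these commands sit inside `&quot;…&quot;`. Whether its value can be influenced by untrusted input is not visible here, but writing `-window-group &quot;%[group]&quot;` would make the command robust either way. A short XML comment next to the two lines saying why `-title &quot;%l &quot;` was dropped (presumably because the label can come from the image) would help keep it from being re-added later.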
diff -up ImageMagick-6.7.8-9/config/policy.xml.cve-2016-3717 ImageMagick-6.7.8-9/config/policy.xml
--- ImageMagick-6.7.8-9/config/policy.xml.cve-2016-3717	2012-03-03 02:18:13.000000000 +0100
+++ ImageMagick-6.7.8-9/config/policy.xml	2016-05-05 14:08:15.249092848 +0200
@@ -35,6 +35,10 @@
   
     <policy domain="path" rights="read" pattern="/repository/*" />
 
+  Let's prevent possible exploits by removing the right to use indirect reads.
+ 
+    <policy domain="path" rights="none" pattern="@*" /> 
+
   Any large image is cached to disk rather than memory:
 
     <policy domain="resource" name="area" value="1GB"/>
@@ -55,4 +59,14 @@
   <!-- <policy domain="resource" name="thread" value="4"/> -->
   <!-- <policy domain="resource" name="throttle" value="0"/> -->
   <!-- <policy domain="resource" name="time" value="3600"/> -->
+  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
+  <policy domain="coder" rights="none" pattern="HTTPS" />
+  <policy domain="coder" rights="none" pattern="HTTP" />
+  <policy domain="coder" rights="none" pattern="URL" />
+  <policy domain="coder" rights="none" pattern="FTP" />
+  <policy domain="coder" rights="none" pattern="MVG" />
+  <policy domain="coder" rights="none" pattern="MSL" />
+  <policy domain="coder" rights="none" pattern="TEXT" />
+  <policy domain="coder" rights="none" pattern="LABEL" />
+  <policy domain="path" rights="none" pattern="@*" />
 </policymap>
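Review bot: The ten policy entries added before `</policymap>` carry no explanation, unlike the commented examples earlier in the file, so an administrator cannot tell which are security defaults and which may be relaxed. I would put a comment above them such as `<!-- Denied by default for untrusted input (cve-2016-3717 patch): remote fetch, script coders and @file reads; re-enable only where the deployment needs them -->`. The same comment should mention that `TEXT` and `LABEL` are denied, since that likely affects callers that render text.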
diff -up ImageMagick-6.7.8-9/magick/property.c.cve-2016-3717 ImageMagick-6.7.8-9/magick/property.c
--- ImageMagick-6.7.8-9/magick/property.c.cve-2016-3717	2012-08-10 13:08:37.000000000 +0200
+++ ImageMagick-6.7.8-9/magick/property.c	2016-05-05 13:52:30.752570145 +0200
@@ -66,6 +66,7 @@
 #include "magick/monitor.h"
 #include "magick/montage.h"
 #include "magick/option.h"
+#include "magick/policy.h"
 #include "magick/profile.h"
 #include "magick/property.h"
 #include "magick/quantum.h"
@@ -2357,6 +2358,29 @@ static const char *GetMagickPropertyLett
         CommandOptionToMnemonic(MagickDisposeOptions,(ssize_t) image->dispose));
       break;
     }
+    case 'F':
+    {
+      const char
+        *q;
+
+      register char
+        *p;
+
+      static char
+        whitelist[] =
+        "^-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+        "+&@#/%?=~_|!:,.;()";
+
+      /*
+       *         Magick filename (sanitized) - filename given incl. coder & read mods.
+       *                 */
+      (void) CopyMagickString(value,image->magick_filename,MaxTextExtent);
+      p=value;
+      q=value+strlen(value);
+      for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist))
+        *p='_';
+      break;
+    }
     case 'G': /* Image size as geometry = "%wx%h" */
     {
       (void) FormatLocaleString(value,MaxTextExtent,"%.20gx%.20g",(double)
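Review bot: The whitelist in `case 'F'` keeps `;`, `|`, `&`, `(`, `)`, `!` and `#`, so the sanitized name is only harmless when a delegate command places `%F` inside double quotes, and nothing in the code states that dependency. The malformed block comment could carry it, e.g. `/* Sanitized magick filename; safe only inside "..." in a delegate command */`. The table is never written to, so `static const char whitelist[]` would be the better declaration. The enclosing function starts and ends outside this hunk.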
@@ -2943,16 +2967,23 @@ MagickExport char *InterpretImagePropert
   if ((embed_text == (const char *) NULL) || (*embed_text == '\0'))
     return((char *) NULL);
   p=embed_text;
+  while ((isspace((int) ((unsigned char) *p)) != 0) && (*p != '\0'))
+    p++;
+  if (*p == '\0')
+    return(ConstantString(""));
+
+  if ((*p == '@') && (IsPathAccessible(p+1) != MagickFalse)) 
+  {
+    /* handle a '@' replace string from file */
+    if (IsRightsAuthorized(PathPolicyDomain,ReadPolicyRights,p) == MagickFalse)
+    {
+      errno=EPERM;
+      (void) ThrowMagickException(&image->exception,GetMagickModule(),
+          PolicyError,"NotAuthorized","`%s'",p);
+      return(ConstantString(""));
+    }
 
-  /* handle a '@' replace string from file */
-  if (*p == '@') {
-     p++;
-     if (*p != '-' && (IsPathAccessible(p) == MagickFalse) ) {
-       (void) ThrowMagickException(&image->exception,GetMagickModule(),
-           OptionError,"UnableToAccessPath","%s",p);
-       return((char *) NULL);
-     }
-     return(FileToString(p,~0,&image->exception));
+     return(FileToString(p+1,~0,&image->exception));
   }
 
   /*
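Review bot: The path policy is consulted only after `IsPathAccessible(p+1)` has succeeded, so with `@*` denied an existing file yields a `PolicyError` while a missing one falls through and is kept as literal text, which lets a caller tell the two cases apart. If that ordering is intentional (to keep text that merely starts with `@` working), it should be documented, e.g. `/* '@name' is read from a file only when the file exists and the path policy allows it; otherwise it stays literal text */`. The old `*p != '-'` branch is gone as well, so `@-` (presumably standard input) is no longer read unless a file named `-` exists; that deserves a line in the same comment. The function body starts before and continues after this hunk.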