diff --git a/SOURCES/ImageMagick-cve-2016-3717.patch b/SOURCES/ImageMagick-cve-2016-3717.patch
new file mode 100644
index 0000000..eb013ae
--- /dev/null
+++ b/SOURCES/ImageMagick-cve-2016-3717.patch
@@ -0,0 +1,134 @@
+diff -up ImageMagick-6.7.8-9/config/delegates.xml.in.cve-2016-3717 ImageMagick-6.7.8-9/config/delegates.xml.in
+--- ImageMagick-6.7.8-9/config/delegates.xml.in.cve-2016-3717 2012-06-26 14:23:25.000000000 +0200
++++ ImageMagick-6.7.8-9/config/delegates.xml.in 2016-05-05 13:52:30.751570145 +0200
+@@ -85,11 +85,11 @@
+
+
+
+-
++
+
+
+
+-
++
+
+
+
+@@ -109,11 +109,11 @@
+
+
+
+-
++
+
+
+
+-
++
+
+
+
+diff -up ImageMagick-6.7.8-9/config/policy.xml.cve-2016-3717 ImageMagick-6.7.8-9/config/policy.xml
+--- ImageMagick-6.7.8-9/config/policy.xml.cve-2016-3717 2012-03-03 02:18:13.000000000 +0100
++++ ImageMagick-6.7.8-9/config/policy.xml 2016-05-05 14:08:15.249092848 +0200
+@@ -35,6 +35,10 @@
+
+
+
++ Let's prevent possible exploits by removing the right to use indirect reads.
++
++
++
+ Any large image is cached to disk rather than memory:
+
+
+@@ -55,4 +59,14 @@
+
+
+
++
++
++
++
++
++
++
++
++
++
+
+diff -up ImageMagick-6.7.8-9/magick/property.c.cve-2016-3717 ImageMagick-6.7.8-9/magick/property.c
+--- ImageMagick-6.7.8-9/magick/property.c.cve-2016-3717 2012-08-10 13:08:37.000000000 +0200
++++ ImageMagick-6.7.8-9/magick/property.c 2016-05-05 13:52:30.752570145 +0200
+@@ -66,6 +66,7 @@
+ #include "magick/monitor.h"
+ #include "magick/montage.h"
+ #include "magick/option.h"
++#include "magick/policy.h"
+ #include "magick/profile.h"
+ #include "magick/property.h"
+ #include "magick/quantum.h"
+@@ -2357,6 +2358,29 @@ static const char *GetMagickPropertyLett
+ CommandOptionToMnemonic(MagickDisposeOptions,(ssize_t) image->dispose));
+ break;
+ }
++ case 'F':
++ {
++ const char
++ *q;
++
++ register char
++ *p;
++
++ static char
++ whitelist[] =
++ "^-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
++ "+&@#/%?=~_|!:,.;()";
++
++ /*
++ * Magick filename (sanitized) - filename given incl. coder & read mods.
++ * */
++ (void) CopyMagickString(value,image->magick_filename,MaxTextExtent);
++ p=value;
++ q=value+strlen(value);
++ for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist))
++ *p='_';
++ break;
++ }
+ case 'G': /* Image size as geometry = "%wx%h" */
+ {
+ (void) FormatLocaleString(value,MaxTextExtent,"%.20gx%.20g",(double)
+@@ -2943,16 +2967,23 @@ MagickExport char *InterpretImagePropert
+ if ((embed_text == (const char *) NULL) || (*embed_text == '\0'))
+ return((char *) NULL);
+ p=embed_text;
++ while ((isspace((int) ((unsigned char) *p)) != 0) && (*p != '\0'))
++ p++;
++ if (*p == '\0')
++ return(ConstantString(""));
++
++ if ((*p == '@') && (IsPathAccessible(p+1) != MagickFalse))
++ {
++ /* handle a '@' replace string from file */
++ if (IsRightsAuthorized(PathPolicyDomain,ReadPolicyRights,p) == MagickFalse)
++ {
++ errno=EPERM;
++ (void) ThrowMagickException(&image->exception,GetMagickModule(),
++ PolicyError,"NotAuthorized","`%s'",p);
++ return(ConstantString(""));
++ }
+
+- /* handle a '@' replace string from file */
+- if (*p == '@') {
+- p++;
+- if (*p != '-' && (IsPathAccessible(p) == MagickFalse) ) {
+- (void) ThrowMagickException(&image->exception,GetMagickModule(),
+- OptionError,"UnableToAccessPath","%s",p);
+- return((char *) NULL);
+- }
+- return(FileToString(p,~0,&image->exception));
++ return(FileToString(p+1,~0,&image->exception));
+ }
+
+ /*
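Review bot: In the InterpretImageProperties hunk the rights check is passed `p`, which still carries the leading '@', while the read that follows uses `p+1`, so the check can only deny a read when the installed policy has a path pattern written against the '@'-prefixed form. The policy.xml section of this patch is not legible on this page, so the pattern it adds cannot be confirmed here; a comment above the check would make the coupling explicit, e.g. `/* policy patterns are matched against the '@'-prefixed string, not the bare path */`. The rewrite also drops the old `*p != '-'` special case and no longer raises `UnableToAccessPath` for an inaccessible path, which now appears to fall through to ordinary interpretation; if that is intended it deserves a line in the changelog. In the new `case 'F'` block, `whitelist` is never written and would be better declared `static const char whitelist[]`. Both functions begin and end outside their hunks, so the fall-through behaviour should be checked against the full file.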
diff --git a/SPECS/ImageMagick.spec b/SPECS/ImageMagick.spec
index 3379e9e..b403e64 100644
--- a/SPECS/ImageMagick.spec
+++ b/SPECS/ImageMagick.spec
@@ -3,7 +3,7 @@
Name: ImageMagick
Version: %{VER}.%{Patchlevel}
-Release: 12%{?dist}
+Release: 13%{?dist}
Summary: An X application for displaying and manipulating images
Group: Applications/Multimedia
License: ImageMagick
@@ -13,6 +13,7 @@ Source0: ftp://ftp.ImageMagick.org/pub/%{name}/%{name}-%{VER}-%{Patchlevel}.tar
Patch0: 0001-Fix-man-page-scan-results.patch
Patch1: 0001-Fix-CVE-2014-1947-CVE-2014-2030.patch
Patch2: 0002-1303227-fix-exr-crash.patch
+Patch3: ImageMagick-cve-2016-3717.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: bzip2-devel, freetype-devel, libjpeg-devel, libpng-devel
@@ -129,6 +130,7 @@ cp -p Magick++/demo/*.cpp Magick++/demo/*.miff Magick++/examples
%patch0 -p1
%patch1 -p1
%patch2 -p1
+%patch3 -p1 -z .cve-2016-3717
%build
%configure --enable-shared \
@@ -283,7 +285,10 @@ rm -rf %{buildroot}
%doc PerlMagick/demo/ PerlMagick/Changelog PerlMagick/README.txt
%changelog
-* Tue Feb 2 2016 Jan Horak - 6.7.8.9-12
+* Thu May 5 2016 Jan Horak - 6.7.8.9-13
+- Add fix for CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717
+
+* Tue Feb 2 2016 Jan Horak - 6.7.8.9-11
- Fixed crash when processing .exr files (rhbz#1303227)
* Tue Apr 01 2014 Benjamin Tissoires 6.7.8.9-10