diff --git a/SOURCES/ImageMagick-cve-2020-29599.patch b/SOURCES/ImageMagick-cve-2020-29599.patch
new file mode 100644
index 0000000..6870f34
--- /dev/null
+++ b/SOURCES/ImageMagick-cve-2020-29599.patch
@@ -0,0 +1,78 @@
+diff -up ImageMagick-6.9.10-68/coders/pdf.c.authenticate ImageMagick-6.9.10-68/coders/pdf.c
+--- ImageMagick-6.9.10-68/coders/pdf.c.authenticate 2019-10-06 00:26:16.000000000 +0200
++++ ImageMagick-6.9.10-68/coders/pdf.c 2020-12-18 09:59:52.319382761 +0100
+@@ -364,6 +364,36 @@ static inline void CleanupPDFInfo(PDFInf
+ pdf_info->profile=DestroyStringInfo(pdf_info->profile);
+ }
+
++static char *SanitizeDelegateString(const char *source)
++{
++ char
++ *sanitize_source;
++
++ const char
++ *q;
++
++ register char
++ *p;
++
++ static char
++#if defined(MAGICKCORE_WINDOWS_SUPPORT)
++ whitelist[] =
++ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
++ "$-_.+!;*(),{}|^~[]`\'><#%/?:@&=";
++#else
++ whitelist[] =
++ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
++ "$-_.+!;*(),{}|\\^~[]`\"><#%/?:@&=";
++#endif
++
++ sanitize_source=AcquireString(source);
++ p=sanitize_source;
++ q=sanitize_source+strlen(sanitize_source);
++ for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist))
++ *p='_';
++ return(sanitize_source);
++}
++
+ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+ char
+@@ -585,11 +615,19 @@ static Image *ReadPDFImage(const ImageIn
+ if (option != (char *) NULL)
+ {
+ char
+- passphrase[MaxTextExtent];
++ passphrase[MagickPathExtent],
++ *sanitize_passphrase;
+
+- (void) FormatLocaleString(passphrase,MaxTextExtent,
+- "\"-sPDFPassword=%s\" ",option);
+- (void) ConcatenateMagickString(options,passphrase,MaxTextExtent);
++ sanitize_passphrase=SanitizeDelegateString(image_info->authenticate);
++#if defined(MAGICKCORE_WINDOWS_SUPPORT)
++ (void) FormatLocaleString(passphrase,MagickPathExtent,
++ "\"-sPDFPassword=%s\" ",sanitize_passphrase);
++#else
++ (void) FormatLocaleString(passphrase,MagickPathExtent,
++ "'-sPDFPassword=%s' ",sanitize_passphrase);
++#endif
++ sanitize_passphrase=DestroyString(sanitize_passphrase);
++ (void) ConcatenateMagickString(options,passphrase,MagickPathExtent);
+ }
+ read_info=CloneImageInfo(image_info);
+ *read_info->magick='\0';
+diff -up ImageMagick-6.9.10-68/config/delegates.xml.in.authenticate ImageMagick-6.9.10-68/config/delegates.xml.in
+--- ImageMagick-6.9.10-68/config/delegates.xml.in.authenticate 2019-10-06 00:26:16.000000000 +0200
++++ ImageMagick-6.9.10-68/config/delegates.xml.in 2020-12-18 10:02:24.491442232 +0100
+@@ -90,8 +90,8 @@
+ <delegate decode="pcl:cmyk" stealth="True" command=""@PCLDelegate@" -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=@PCLCMYKDevice@" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "%s""/>
+ <delegate decode="pcl:color" stealth="True" command=""@PCLDelegate@" -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=@PCLColorDevice@" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "%s""/>
+ <delegate decode="pcl:mono" stealth="True" command=""@PCLDelegate@" -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=@PCLMonoDevice@" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "%s""/>
+- <delegate decode="pdf" encode="eps" mode="bi" command=""@PSDelegate@" -sstdout=%%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 -sPDFPassword="%a" "-sDEVICE=@GSEPSDevice@" "-sOutputFile=%o" "-f%i""/>
+- <delegate decode="pdf" encode="ps" mode="bi" command=""@PSDelegate@" -sstdout=%%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=@GSPSDevice@" -sPDFPassword="%a" "-sOutputFile=%o" "-f%i""/>
++ <delegate decode="pdf" encode="eps" mode="bi" command=""@PSDelegate@" -sstdout=%%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=@GSEPSDevice@" "-sPDFPassword=%a" "-sOutputFile=%o" "-f%i""/>
++ <delegate decode="pdf" encode="ps" mode="bi" command=""@PSDelegate@" -sstdout=%%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=@GSPSDevice@" "-sPDFPassword=%a" "-sOutputFile=%o" "-f%i""/>
+ <delegate decode="pnm" encode="trace" command=""@TraceEncodeDelegate@" --svg --output "%o" "%i""/>
+ <delegate decode="png" encode="webp" command=""@WebPEncodeDelegate@" -quiet %Q "%i" -o "%o""/>
+ <delegate decode="pnm" encode="ilbm" mode="encode" command=""@ILBMEncodeDelegate@" -24if "%i" > "%o""/>
diff --git a/SPECS/ImageMagick.spec b/SPECS/ImageMagick.spec
index 13d9ec3..b3f8028 100644
--- a/SPECS/ImageMagick.spec
+++ b/SPECS/ImageMagick.spec
@@ -3,7 +3,7 @@
Name: ImageMagick
Version: %{VER}.%{Patchlevel}
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: An X application for displaying and manipulating images
Group: Applications/Multimedia
License: ImageMagick
@@ -12,6 +12,7 @@ Source0: ftp://ftp.ImageMagick.org/pub/%{name}/%{name}-%{VER}-%{Patchlevel}.tar
Patch4: ImageMagick-cve-2016-5118.patch
Patch5: ImageMagick-freeze-svg-empty-class.patch
+Patch6: ImageMagick-cve-2020-29599.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: bzip2-devel, freetype-devel, libjpeg-devel, libpng-devel
@@ -130,6 +131,7 @@ mkdir Magick++/examples
cp -p Magick++/demo/*.cpp Magick++/demo/*.miff Magick++/examples
%patch4 -p1 -b .cve-2016-5118
%patch5 -p1 -b .cve-2016-5240
+%patch6 -p1 -b .cve-2020-29599
%build
%configure --enable-shared \
@@ -299,6 +301,9 @@ rm -rf %{buildroot}
%doc PerlMagick/demo/ PerlMagick/Changelog PerlMagick/README.txt
%changelog
+* Fri Dec 18 2020 Jan Horak <jhorak@redhat.com> - 6.9.10.68-5
+- Adding CTV-2020-29599 fix
+
* Fri Jul 10 2020 Jan Horak <jhorak@redhat.com> - 6.9.10.68-4
- Build with openjpeg2 to support JPEG2000 again