diff -up ImageMagick-6.7.8-9/config/delegates.xml.in.cve-2016-3717 ImageMagick-6.7.8-9/config/delegates.xml.in
--- ImageMagick-6.7.8-9/config/delegates.xml.in.cve-2016-3717 2012-06-26 14:23:25.000000000 +0200
+++ ImageMagick-6.7.8-9/config/delegates.xml.in 2016-05-05 13:52:30.751570145 +0200
@@ -85,11 +85,11 @@
-
+
-
+
@@ -109,11 +109,11 @@
-
+
-
+
diff -up ImageMagick-6.7.8-9/config/policy.xml.cve-2016-3717 ImageMagick-6.7.8-9/config/policy.xml
--- ImageMagick-6.7.8-9/config/policy.xml.cve-2016-3717 2012-03-03 02:18:13.000000000 +0100
+++ ImageMagick-6.7.8-9/config/policy.xml 2016-05-05 14:08:15.249092848 +0200
@@ -35,6 +35,10 @@
+ Let's prevent possible exploits by removing the right to use indirect reads.
+
+
+
Any large image is cached to disk rather than memory:
@@ -55,4 +59,14 @@
+
+
+
+
+
+
+
+
+
+
diff -up ImageMagick-6.7.8-9/magick/property.c.cve-2016-3717 ImageMagick-6.7.8-9/magick/property.c
--- ImageMagick-6.7.8-9/magick/property.c.cve-2016-3717 2012-08-10 13:08:37.000000000 +0200
+++ ImageMagick-6.7.8-9/magick/property.c 2016-05-05 13:52:30.752570145 +0200
@@ -66,6 +66,7 @@
#include "magick/monitor.h"
#include "magick/montage.h"
#include "magick/option.h"
+#include "magick/policy.h"
#include "magick/profile.h"
#include "magick/property.h"
#include "magick/quantum.h"
@@ -2357,6 +2358,29 @@ static const char *GetMagickPropertyLett
CommandOptionToMnemonic(MagickDisposeOptions,(ssize_t) image->dispose));
break;
}
+ case 'F':
+ {
+ const char
+ *q;
+
+ register char
+ *p;
+
+ static char
+ whitelist[] =
+ "^-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+ "+&@#/%?=~_|!:,.;()";
+
+ /*
+ * Magick filename (sanitized) - filename given incl. coder & read mods.
+ * */
+ (void) CopyMagickString(value,image->magick_filename,MaxTextExtent);
+ p=value;
+ q=value+strlen(value);
+ for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist))
+ *p='_';
+ break;
+ }
case 'G': /* Image size as geometry = "%wx%h" */
{
(void) FormatLocaleString(value,MaxTextExtent,"%.20gx%.20g",(double)
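Review bot: The allowlist in the new `case 'F'` branch still passes `&`, `|`, `;`, `(`, `)`, `!` and `~`, so the sanitized value is presumably only inert when the consumer expands it inside a quoted argument. That assumption is not written down in the hunk and belongs next to the table, for example `/* safe only inside a quoted argument: quotes, backquote, $, backslash, space and control bytes become '_' */`. The table is never modified, so it should be declared `static const char whitelist[] =` rather than as a writable static array. The loop replaces every byte outside the list, including spaces and each byte of a multi-byte name, so the result may no longer name the original file, which the comment above `CopyMagickString` should say. The enclosing switch in GetMagickPropertyLetter starts and ends outside this hunk, so how the value is consumed cannot be confirmed from here.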
@@ -2943,16 +2967,23 @@ MagickExport char *InterpretImagePropert
if ((embed_text == (const char *) NULL) || (*embed_text == '\0'))
return((char *) NULL);
p=embed_text;
+ while ((isspace((int) ((unsigned char) *p)) != 0) && (*p != '\0'))
+ p++;
+ if (*p == '\0')
+ return(ConstantString(""));
+
+ if ((*p == '@') && (IsPathAccessible(p+1) != MagickFalse))
+ {
+ /* handle a '@' replace string from file */
+ if (IsRightsAuthorized(PathPolicyDomain,ReadPolicyRights,p) == MagickFalse)
+ {
+ errno=EPERM;
+ (void) ThrowMagickException(&image->exception,GetMagickModule(),
+ PolicyError,"NotAuthorized","`%s'",p);
+ return(ConstantString(""));
+ }
- /* handle a '@' replace string from file */
- if (*p == '@') {
- p++;
- if (*p != '-' && (IsPathAccessible(p) == MagickFalse) ) {
- (void) ThrowMagickException(&image->exception,GetMagickModule(),
- OptionError,"UnableToAccessPath","%s",p);
- return((char *) NULL);
- }
- return(FileToString(p,~0,&image->exception));
+ return(FileToString(p+1,~0,&image->exception));
}
/*