* [Buildroot] [PATCH 1/1] package/graphicsmagick: fix CVE-2020-12672
@ 2020-09-05 20:58 Fabrice Fontaine
From: Fabrice Fontaine @ 2020-09-05 20:58 UTC
To: buildroot
GraphicsMagick through 1.3.35 has a heap-based buffer overflow in
ReadMNGImage in coders/png.c.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...ix-small-heap-overwrite-or-assertion.patch | 78 +++++++++++++++++++
package/graphicsmagick/graphicsmagick.mk | 3 +
2 files changed, 81 insertions(+)
create mode 100644 package/graphicsmagick/0001-MNG-Fix-small-heap-overwrite-or-assertion.patch
diff --git a/package/graphicsmagick/0001-MNG-Fix-small-heap-overwrite-or-assertion.patch b/package/graphicsmagick/0001-MNG-Fix-small-heap-overwrite-or-assertion.patch
new file mode 100644
index 0000000000..6fac7d0302
--- /dev/null
+++ b/package/graphicsmagick/0001-MNG-Fix-small-heap-overwrite-or-assertion.patch
@@ -0,0 +1,78 @@
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1590851896 18000
+# Sat May 30 10:18:16 2020 -0500
+# Node ID 50395430a37188d0d197e71bd85ed6dd0f649ee3
+# Parent 4917a4242fc0a12f2f6baa10f1c5a9b3e68c20dd
+MNG: Fix small heap overwrite or assertion if magnifying and image to be magnified has rows or columns == 1.
+
+[Retrieved (and updated to remove ChangeLog and version changes) from:
+https://sourceforge.net/p/graphicsmagick/code/ci/50395430a37188d0d197e71bd85ed6dd0f649ee3]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+
+diff -r 4917a4242fc0 -r 50395430a371 coders/png.c
+--- a/coders/png.c Fri May 01 13:49:13 2020 -0500
++++ b/coders/png.c Sat May 30 10:18:16 2020 -0500
+@@ -5304,7 +5304,7 @@
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "MAGN chunk (%lu bytes): "
+- "First_magnified_object_id=%u, Last_magnified_object_id=%u, "
++ "First_magnified_object_id=%u, Las t_magnified_object_id=%u, "
+ "MB=%u, ML=%u, MR=%u, MT=%u, MX=%u, MY=%u, "
+ "X_method=%u, Y_method=%u",
+ length,
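Review bot: The replacement format string in the coders/png.c hunk at -5304 reads "Las t_magnified_object_id=%u", with a stray space inside the field name, so the only effect of this hunk is a typo in the MAGN debug log line. It has no bearing on the overflow fix. Either drop the hunk from the backported patch or check the upstream changeset to see whether the space is really there or was introduced in transit, so that anything grepping logs for Last_magnified_object_id keeps matching.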
+@@ -5679,6 +5679,8 @@
+ /*
+ If magnifying and a supported method is requested then
+ magnify the image.
++
++ http://www.libpng.org/pub/mng/spec/mng-1.0-20010209-pdg.html#mng-MAGN
+ */
+ if (((mng_info->magn_methx > 0) && (mng_info->magn_methx <= 5)) &&
+ ((mng_info->magn_methy > 0) && (mng_info->magn_methy <= 5)))
+@@ -5689,7 +5691,28 @@
+
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+- " Processing MNG MAGN chunk");
++ " Processing MNG MAGN chunk: MB=%u, ML=%u,"
++ " MR=%u, MT=%u, MX=%u, MY=%u,"
++ " X_method=%u, Y_method=%u",
++ mng_info->magn_mb,mng_info->magn_ml,
++ mng_info->magn_mr,mng_info->magn_mt,
++ mng_info->magn_mx,mng_info->magn_my,
++ mng_info->magn_methx,
++ mng_info->magn_methy);
++
++ /*
++ If the image width is 1, then X magnification is done
++ by simple pixel replication.
++ */
++ if (image->columns == 1)
++ mng_info->magn_methx = 1;
++
++ /*
++ If the image height is 1, then Y magnification is done
++ by simple pixel replication.
++ */
++ if (image->rows == 1)
++ mng_info->magn_methy = 1;
+
+ if (mng_info->magn_methx == 1)
+ {
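Review bot: The new width and height guards in the hunk at -5689 store the fallback in shared state ("mng_info->magn_methx = 1;" and "mng_info->magn_methy = 1;") rather than in a local copy, so if mng_info outlives this object the forced replication method would also apply to later objects that are larger than one pixel in that dimension. It is worth confirming upstream that the MAGN methods are re-read before each magnification; if they are not, the override belongs in locals used only for this pass. The added comments say what is done but not why: one sentence stating that methods 2 to 5 need a neighbouring pixel, and so overrun a one-pixel row or column, would tie the guards to the heap overwrite named in the changeset description.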
+@@ -5734,12 +5757,10 @@
+ Image
+ *large_image;
+
+- int
+- yy;
+-
+ long
+ m,
+- y;
++ y,
++ yy;
+
+ register long
+ x;
diff --git a/package/graphicsmagick/graphicsmagick.mk b/package/graphicsmagick/graphicsmagick.mk
index 782dd1431e..436df709e7 100644
--- a/package/graphicsmagick/graphicsmagick.mk
+++ b/package/graphicsmagick/graphicsmagick.mk
@@ -13,6 +13,9 @@ GRAPHICSMAGICK_LICENSE_FILES = Copyright.txt
GRAPHICSMAGICK_INSTALL_STAGING = YES
GRAPHICSMAGICK_CONFIG_SCRIPTS = GraphicsMagick-config GraphicsMagickWand-config
+# 0001-MNG-Fix-small-heap-overwrite-or-assertion.patch
+GRAPHICSMAGICK_IGNORE_CVES += CVE-2020-12672
+
ifeq ($(BR2_INSTALL_LIBSTDCPP)$(BR2_USE_WCHAR),yy)
GRAPHICSMAGICK_CONFIG_SCRIPTS += GraphicsMagick++-config
endif
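Review bot: The "GRAPHICSMAGICK_IGNORE_CVES += CVE-2020-12672" line in graphicsmagick.mk is tied to the fix only by the comment naming 0001-MNG-Fix-small-heap-overwrite-or-assertion.patch, so a later version bump that drops the patch has to drop this line with it, and a bump that removes the patch because it no longer applies while leaving the line would silence the CVE report on unfixed code. Consider adding the upstream changeset id (50395430a371) to the comment so whoever does the bump can check whether the new release already contains it.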
--
2.28.0
* [Buildroot] [PATCH 1/1] package/graphicsmagick: fix CVE-2020-12672
@ 2020-09-05 21:12 Yann E. MORIN
From: Yann E. MORIN @ 2020-09-05 21:12 UTC
To: buildroot
Fabrice, All,
On 2020-09-05 22:58 +0200, Fabrice Fontaine spake thusly:
> GraphicsMagick through 1.3.35 has a heap-based buffer overflow in
> ReadMNGImage in coders/png.c.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> ...ix-small-heap-overwrite-or-assertion.patch | 78 +++++++++++++++++++
> package/graphicsmagick/graphicsmagick.mk | 3 +
> 2 files changed, 81 insertions(+)
> create mode 100644 package/graphicsmagick/0001-MNG-Fix-small-heap-overwrite-or-assertion.patch
>
> diff --git a/package/graphicsmagick/0001-MNG-Fix-small-heap-overwrite-or-assertion.patch b/package/graphicsmagick/0001-MNG-Fix-small-heap-overwrite-or-assertion.patch
> new file mode 100644
> index 0000000000..6fac7d0302
> --- /dev/null
> +++ b/package/graphicsmagick/0001-MNG-Fix-small-heap-overwrite-or-assertion.patch
> @@ -0,0 +1,78 @@
> +# HG changeset patch
> +# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
> +# Date 1590851896 18000
> +# Sat May 30 10:18:16 2020 -0500
> +# Node ID 50395430a37188d0d197e71bd85ed6dd0f649ee3
> +# Parent 4917a4242fc0a12f2f6baa10f1c5a9b3e68c20dd
> +MNG: Fix small heap overwrite or assertion if magnifying and image to be magnified has rows or columns == 1.
> +
> +[Retrieved (and updated to remove ChangeLog and version changes) from:
> +https://sourceforge.net/p/graphicsmagick/code/ci/50395430a37188d0d197e71bd85ed6dd0f649ee3]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +
> +diff -r 4917a4242fc0 -r 50395430a371 coders/png.c
> +--- a/coders/png.c Fri May 01 13:49:13 2020 -0500
> ++++ b/coders/png.c Sat May 30 10:18:16 2020 -0500
> +@@ -5304,7 +5304,7 @@
> + if (logging)
> + (void) LogMagickEvent(CoderEvent,GetMagickModule(),
> + "MAGN chunk (%lu bytes): "
> +- "First_magnified_object_id=%u, Last_magnified_object_id=%u, "
> ++ "First_magnified_object_id=%u, Las t_magnified_object_id=%u, "
> + "MB=%u, ML=%u, MR=%u, MT=%u, MX=%u, MY=%u, "
> + "X_method=%u, Y_method=%u",
> + length,
> +@@ -5679,6 +5679,8 @@
> + /*
> + If magnifying and a supported method is requested then
> + magnify the image.
> ++
> ++ http://www.libpng.org/pub/mng/spec/mng-1.0-20010209-pdg.html#mng-MAGN
> + */
> + if (((mng_info->magn_methx > 0) && (mng_info->magn_methx <= 5)) &&
> + ((mng_info->magn_methy > 0) && (mng_info->magn_methy <= 5)))
> +@@ -5689,7 +5691,28 @@
> +
> + if (logging)
> + (void) LogMagickEvent(CoderEvent,GetMagickModule(),
> +- " Processing MNG MAGN chunk");
> ++ " Processing MNG MAGN chunk: MB=%u, ML=%u,"
> ++ " MR=%u, MT=%u, MX=%u, MY=%u,"
> ++ " X_method=%u, Y_method=%u",
> ++ mng_info->magn_mb,mng_info->magn_ml,
> ++ mng_info->magn_mr,mng_info->magn_mt,
> ++ mng_info->magn_mx,mng_info->magn_my,
> ++ mng_info->magn_methx,
> ++ mng_info->magn_methy);
> ++
> ++ /*
> ++ If the image width is 1, then X magnification is done
> ++ by simple pixel replication.
> ++ */
> ++ if (image->columns == 1)
> ++ mng_info->magn_methx = 1;
> ++
> ++ /*
> ++ If the image height is 1, then Y magnification is done
> ++ by simple pixel replication.
> ++ */
> ++ if (image->rows == 1)
> ++ mng_info->magn_methy = 1;
> +
> + if (mng_info->magn_methx == 1)
> + {
> +@@ -5734,12 +5757,10 @@
> + Image
> + *large_image;
> +
> +- int
> +- yy;
> +-
> + long
> + m,
> +- y;
> ++ y,
> ++ yy;
> +
> + register long
> + x;
> diff --git a/package/graphicsmagick/graphicsmagick.mk b/package/graphicsmagick/graphicsmagick.mk
> index 782dd1431e..436df709e7 100644
> --- a/package/graphicsmagick/graphicsmagick.mk
> +++ b/package/graphicsmagick/graphicsmagick.mk
> @@ -13,6 +13,9 @@ GRAPHICSMAGICK_LICENSE_FILES = Copyright.txt
> GRAPHICSMAGICK_INSTALL_STAGING = YES
> GRAPHICSMAGICK_CONFIG_SCRIPTS = GraphicsMagick-config GraphicsMagickWand-config
>
> +# 0001-MNG-Fix-small-heap-overwrite-or-assertion.patch
> +GRAPHICSMAGICK_IGNORE_CVES += CVE-2020-12672
> +
> ifeq ($(BR2_INSTALL_LIBSTDCPP)$(BR2_USE_WCHAR),yy)
> GRAPHICSMAGICK_CONFIG_SCRIPTS += GraphicsMagick++-config
> endif
> --
> 2.28.0
>
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'