Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package GraphicsMagick for openSUSE:Factory checked in at 2026-07-10 17:34:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/GraphicsMagick (Old) and /work/SRC/openSUSE:Factory/.GraphicsMagick.new.1991 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "GraphicsMagick" Fri Jul 10 17:34:13 2026 rev:107 rq:1364710 version:1.3.47 Changes: -------- --- /work/SRC/openSUSE:Factory/GraphicsMagick/GraphicsMagick.changes 2026-06-25 10:51:39.265843771 +0200 +++ /work/SRC/openSUSE:Factory/.GraphicsMagick.new.1991/GraphicsMagick.changes 2026-07-10 17:35:00.732206978 +0200 @@ -1,0 +2,7 @@ +Thu Jul 9 12:07:43 UTC 2026 - Petr Gajdos <[email protected]> + +- added patches + CVE-2026-13606: memory corruption via crafted Photo CD (PCD) file [bsc#1269891] + * GraphicsMagick-CVE-2026-13606.patch + +------------------------------------------------------------------- New: ---- GraphicsMagick-CVE-2026-13606.patch ----------(New B)---------- New: CVE-2026-13606: memory corruption via crafted Photo CD (PCD) file [bsc#1269891] * GraphicsMagick-CVE-2026-13606.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ GraphicsMagick.spec ++++++ --- /var/tmp/diff_new_pack.UFpv0W/_old 2026-07-10 17:35:04.628340292 +0200 +++ /var/tmp/diff_new_pack.UFpv0W/_new 2026-07-10 17:35:04.632340429 +0200 @@ -37,6 +37,8 @@ Patch7: GraphicsMagick-CVE-2026-42050.patch # CVE-2026-46523: heap-use-after-free via a crafted MSL image [bsc#1268125] Patch8: GraphicsMagick-CVE-2026-46523.patch +# CVE-2026-13606: memory corruption via crafted Photo CD (PCD) file [bsc#1269891] +Patch9: GraphicsMagick-CVE-2026-13606.patch BuildRequires: cups-client BuildRequires: dcraw BuildRequires: gcc-c++ ++++++ GraphicsMagick-CVE-2026-13606.patch ++++++ # HG changeset patch # User Bob Friesenhahn <[email protected]> # Date 1782310094 18000 # Wed Jun 24 09:08:14 2026 -0500 # Node ID 937cdd9920bd966517c5f7a3595397af96b6ab6f # Parent ae36237cba6a12216b5f40ad42930152ce2ff1ac coders/pcd.c (ReadPCDImage): Over-provision the per-channel Huffman decode buffers and detect any attempt to overflow them. diff --git a/coders/pcd.c b/coders/pcd.c --- a/coders/pcd.c +++ b/coders/pcd.c @@ -87,8 +87,10 @@ % % */ -static void Upsample(const unsigned long width,const unsigned long height, - const unsigned long scaled_width,unsigned char *pixels) +static void Upsample(const unsigned long width, + const unsigned long height, + const unsigned long scaled_width, + unsigned char * restrict pixels) { register long x, @@ -198,8 +200,11 @@ if (EOFBlob(image)) \ break; \ } -static MagickPassFail DecodeImage(Image *image,unsigned char *luma, - unsigned char *chroma1,unsigned char *chroma2) +static MagickPassFail DecodeImage(Image *image, + const size_t channel_alloc_size, + unsigned char * restrict luma, + unsigned char * restrict chroma1, + unsigned char * restrict chroma2) { typedef struct PCDTable { @@ -236,7 +241,8 @@ length; unsigned char - *buffer; + *buffer, + *plane_end; unsigned int bits, @@ -332,6 +338,7 @@ plane=0; row=0; q=luma; + plane_end=luma+channel_alloc_size; for ( ; ; ) { if (IsSync) @@ -351,12 +358,14 @@ case 0: { q=luma+row*(size_t)image->columns; + plane_end=luma+channel_alloc_size; /* count=(long) image->columns; */ break; } case 2: { q=chroma1+(row >> 1)*(size_t)image->columns; + plane_end=chroma1+channel_alloc_size; /* count=(long) (image->columns >> 1); */ plane--; break; @@ -364,6 +373,7 @@ case 3: { q=chroma2+(row >> 1)*(size_t)image->columns; + plane_end=chroma2+channel_alloc_size; /* count=(long) (image->columns >> 1); */ plane--; break; @@ -405,6 +415,17 @@ PCDGetBits(1); continue; } + /* Detect overflow */ + if (q >= plane_end) + { + if (image->logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + "Plane buffer overflow detected!"); + ThrowException(&image->exception,CorruptImageError, + UnableToUncompressImage,image->filename); + status=MagickFail; + goto decode_image_error; + } if (r->key < 128U) quantum=(long) (*q)+r->key; else @@ -564,7 +585,8 @@ size_t number_pixels, - count; + count, + channel_alloc_size; unsigned char *chroma1 = NULL, @@ -661,9 +683,13 @@ number_pixels=MagickArraySize(image->columns,image->rows); if (number_pixels == 0 || number_pixels+1 < number_pixels) ThrowPCDReaderException(ResourceLimitError,MemoryAllocationFailed,image); - chroma1=MagickAllocateResourceLimitedMemory(unsigned char *,number_pixels+1); - chroma2=MagickAllocateResourceLimitedMemory(unsigned char *,number_pixels+1); - luma=MagickAllocateResourceLimitedMemory(unsigned char *,number_pixels+1); + channel_alloc_size=MagickArraySize(number_pixels,10); + if (channel_alloc_size == 0 || channel_alloc_size+1 < channel_alloc_size) + ThrowPCDReaderException(ResourceLimitError,MemoryAllocationFailed,image); + channel_alloc_size++; + chroma1=MagickAllocateResourceLimitedClearedMemory(unsigned char *,channel_alloc_size); + chroma2=MagickAllocateResourceLimitedClearedMemory(unsigned char *,channel_alloc_size); + luma=MagickAllocateResourceLimitedClearedMemory(unsigned char *,channel_alloc_size); if ((chroma1 == (unsigned char *) NULL) || (chroma2 == (unsigned char *) NULL) || (luma == (unsigned char *) NULL)) @@ -741,6 +767,12 @@ q->red=ScaleCharToQuantum(*yy++); q->green=ScaleCharToQuantum(*c1++); q->blue=ScaleCharToQuantum(*c2++); + if (((size_t) (yy-luma) >= channel_alloc_size) || + ((size_t) (c1-chroma1) >= channel_alloc_size) || + ((size_t) (c2-chroma2) >= channel_alloc_size)) + { + ThrowPCDReaderException(CorruptImageError,UnableToUncompressImage,image); + } q++; } if (!SyncImagePixels(image)) @@ -812,7 +844,7 @@ image->rows=1024; for (i=0; i < (4*0x800); i++) (void) ReadBlobByte(image); - status=DecodeImage(image,luma,chroma1,chroma2); + status=DecodeImage(image,channel_alloc_size,luma,chroma1,chroma2); if ((subimage >= 5) && status) { /* @@ -824,7 +856,7 @@ image->rows=2048; offset=TellBlob(image)/0x800+12; (void) SeekBlob(image,offset*0x800,SEEK_SET); - status=DecodeImage(image,luma,chroma1,chroma2); + status=DecodeImage(image,channel_alloc_size,luma,chroma1,chroma2); if ((subimage >= 6) && status) { /* @@ -860,6 +892,12 @@ q->red=ScaleCharToQuantum(*yy++); q->green=ScaleCharToQuantum(*c1++); q->blue=ScaleCharToQuantum(*c2++); + if (((size_t) (yy-luma) >= channel_alloc_size) || + ((size_t) (c1-chroma1) >= channel_alloc_size) || + ((size_t) (c2-chroma2) >= channel_alloc_size)) + { + ThrowPCDReaderException(CorruptImageError,UnableToUncompressImage,image); + } q++; } if (!SyncImagePixels(image))
