Control: tag -1 + patch pending Hi,
to prevent two of my/our packages, gosa and movim, from being removed wiht php-imagick, I uploaded the attached NMU debdiff to DELAYED/2. Cheers, Nik
diff -Nru php-imagick-3.4.3/debian/changelog php-imagick-3.4.3/debian/changelog --- php-imagick-3.4.3/debian/changelog 2018-10-15 21:08:12.000000000 +0200 +++ php-imagick-3.4.3/debian/changelog 2019-06-06 11:33:10.000000000 +0200 @@ -1,3 +1,10 @@ +php-imagick (3.4.3-4.1) unstable; urgency=high + + * Non-maintainer upload. + * Fix CVE-2019-11037. (Closes: #928420) + + -- Dominik George <naturesha...@debian.org> Thu, 06 Jun 2019 11:33:10 +0200 + php-imagick (3.4.3-4) unstable; urgency=medium * Bump the required dh-php version to >= 0.33~ diff -Nru php-imagick-3.4.3/debian/patches/0003-Fix-CVE-2019-11037.patch php-imagick-3.4.3/debian/patches/0003-Fix-CVE-2019-11037.patch --- php-imagick-3.4.3/debian/patches/0003-Fix-CVE-2019-11037.patch 1970-01-01 01:00:00.000000000 +0100 +++ php-imagick-3.4.3/debian/patches/0003-Fix-CVE-2019-11037.patch 2019-06-06 11:33:10.000000000 +0200 @@ -0,0 +1,142 @@ +From: Danack <dan...@basereality.com> +Origin: https://github.com/Imagick/imagick/compare/d57a444766a321fa226266f51f1f42ee2cc29cc7...a827e4fd94aba346e919dc2ae8e8da2cec5a7445 +Subject: Fix CVE-2019-11037. + out of bounds write in ImagickKernel::addUnityKernel +Bug: https://bugs.php.net/bug.php?id=77791 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928420 +--- a/imagick-3.4.3/imagickkernel_class.c ++++ b/imagick-3.4.3/imagickkernel_class.c +@@ -229,9 +229,9 @@ PHP_METHOD(imagickkernel, frommatrix) + zval *origin_array; + HashTable *inner_array; + KernelInfo *kernel_info; +- long num_rows, num_columns; +- int previous_num_columns; +- int row, column; ++ unsigned long num_rows, num_columns; ++ unsigned int previous_num_columns = (unsigned int)-1; ++ unsigned int row, column; + + zval *pzval_outer; + zval *pzval_inner; +@@ -243,7 +243,6 @@ PHP_METHOD(imagickkernel, frommatrix) + KernelValueType *values = NULL; + double notanumber = sqrt((double)-1.0); /* Special Value : Not A Number */ + +- previous_num_columns = -1; + count = 0; + row = 0; + origin_array = NULL; +@@ -284,7 +283,7 @@ PHP_METHOD(imagickkernel, frommatrix) + values = (KernelValueType *)AcquireAlignedMemory(num_columns, num_rows*sizeof(KernelValueType)); + } + +- if (previous_num_columns != -1) { ++ if (previous_num_columns != ((unsigned int)-1)) { + if (previous_num_columns != num_columns) { + php_imagick_throw_exception(IMAGICKKERNEL_CLASS, MATRIX_ERROR_UNEVEN TSRMLS_CC); + goto cleanup; +@@ -337,6 +336,8 @@ PHP_METHOD(imagickkernel, frommatrix) + else { + HashTable *origin_array_ht; + origin_array_ht = Z_ARRVAL_P(origin_array); ++ ++ // parse the origin_x + tmp = zend_hash_index_find(origin_array_ht, 0); + if (tmp != NULL) { + ZVAL_DEREF(tmp); +@@ -346,6 +347,19 @@ PHP_METHOD(imagickkernel, frommatrix) + php_imagick_throw_exception(IMAGICKKERNEL_CLASS, MATRIX_ORIGIN_REQUIRED TSRMLS_CC); + goto cleanup; + } ++ // origin_x is unsigned, so checking for > num_columns, also ++ // checks for < 0 ++ if (origin_x>=num_columns) { ++ zend_throw_exception_ex( ++ php_imagickkernel_exception_class_entry, ++ 5 TSRMLS_CC, ++ "origin_x for matrix is outside bounds of columns: " ZEND_LONG_FMT, ++ origin_x ++ ); ++ goto cleanup; ++ } ++ ++ // parse the origin_y + tmp = zend_hash_index_find(origin_array_ht, 1); + if (tmp != NULL) { + ZVAL_DEREF(tmp); +@@ -355,6 +369,17 @@ PHP_METHOD(imagickkernel, frommatrix) + php_imagick_throw_exception(IMAGICKKERNEL_CLASS, MATRIX_ORIGIN_REQUIRED TSRMLS_CC); + goto cleanup; + } ++ // origin_y is unsigned, so checking for > num_rows, also ++ // checks for < 0 ++ if (origin_y>=num_rows) { ++ zend_throw_exception_ex( ++ php_imagickkernel_exception_class_entry, ++ 5 TSRMLS_CC, ++ "origin_y for matrix is outside bounds of rows: " ZEND_LONG_FMT, ++ origin_x ++ ); ++ goto cleanup; ++ } + } + + kernel_info = imagick_createKernel(values, num_columns, num_rows, origin_x, origin_y); +@@ -431,7 +456,7 @@ PHP_METHOD(imagickkernel, frommatrix) + values = (KernelValueType *)AcquireAlignedMemory(num_columns, num_rows*sizeof(KernelValueType)); + } + +- if (previous_num_columns != -1) { ++ if (previous_num_columns != ((unsigned int)-1)) { + if (previous_num_columns != num_columns) { + php_imagick_throw_exception(IMAGICKKERNEL_CLASS, MATRIX_ERROR_UNEVEN TSRMLS_CC); + goto cleanup; +@@ -481,6 +506,8 @@ PHP_METHOD(imagickkernel, frommatrix) + } + else { + origin_array_ht = Z_ARRVAL_P(origin_array); ++ ++ // parse and check the origin_x + if (zend_hash_index_find(origin_array_ht, 0, (void**)&tmp) == SUCCESS) { + origin_x = Z_LVAL_PP(tmp); + } +@@ -489,6 +516,19 @@ PHP_METHOD(imagickkernel, frommatrix) + goto cleanup; + } + ++ // origin_x is unsigned, so checking for > num_columns, also ++ // checks for < 0 ++ if (origin_x>=num_columns) { ++ zend_throw_exception_ex( ++ php_imagickkernel_exception_class_entry, ++ 5 TSRMLS_CC, ++ "origin_x for matrix is outside bounds of columns: %d", ++ origin_x ++ ); ++ goto cleanup; ++ } ++ ++ // parse and check the origin_y + if (zend_hash_index_find(origin_array_ht, 1, (void**)&tmp) == SUCCESS) { + origin_y = Z_LVAL_PP(tmp); + } +@@ -496,6 +536,18 @@ PHP_METHOD(imagickkernel, frommatrix) + php_imagick_throw_exception(IMAGICKKERNEL_CLASS, MATRIX_ORIGIN_REQUIRED TSRMLS_CC); + goto cleanup; + } ++ ++ // origin_y is unsigned, so checking for > num_rows, also ++ // checks for < 0 ++ if (origin_y>=num_rows) { ++ zend_throw_exception_ex( ++ php_imagickkernel_exception_class_entry, ++ 5 TSRMLS_CC, ++ "origin_y for matrix is outside bounds of rows: %d", ++ origin_y ++ ); ++ goto cleanup; ++ } + } + + kernel_info = imagick_createKernel(values, num_columns, num_rows, origin_x, origin_y); diff -Nru php-imagick-3.4.3/debian/patches/series php-imagick-3.4.3/debian/patches/series --- php-imagick-3.4.3/debian/patches/series 2018-10-15 21:08:12.000000000 +0200 +++ php-imagick-3.4.3/debian/patches/series 2019-06-06 11:33:10.000000000 +0200 @@ -1,2 +1,3 @@ 0001-Hardcode-path-to-usrsharefontstruetypettf-dejavuDeja.patch 0002-Skip-version-check-by-default.patch +0003-Fix-CVE-2019-11037.patch
signature.asc
Description: PGP signature
