Re: graphicsmagick update

2017-01-31 Thread Guido Günther
On Tue, Jan 31, 2017 at 04:07:19PM -0500, Antoine Beaupré wrote:
> On 2017-01-31 21:42:41, Emilio Pozuelo Monfort wrote:
> > I'd say it makes sense to release a regression update.
> >
> > BTW I'm not sure about this change, which is not mentioned in your 
> > changelog entry:
> >
> > --- graphicsmagick-1.3.16/debian/rules  2016-09-20 23:52:26.0 +0200
> > +++ graphicsmagick-1.3.16/debian/rules  2017-01-16 19:22:54.0 +0100
> > @@ -36,7 +36,7 @@
> >  CFLAGS = -Wall -g -fno-strict-aliasing
> >  LDFLAGS =
> >
> > -include /usr/share/hardening-includes/hardening.make
> > +-include /usr/share/hardening-includes/hardening.make
> >  CFLAGS += $(HARDENING_CFLAGS)
> >  LDFLAGS += $(HARDENING_LDFLAGS)
> 
> This is to silence the failure to include the file in later versions of
> hardening-includes (from stretch and later) that would prevent pdebuild,
> git-buildpackage and other tools from firing the build from sid or
> stretch.
> 
> I still build the package inside a woody chroot, of course, this is just
> to trigger the build.
> 
> But maybe there's another way to fix this that I don't know?
> 
> Are you people all still running wheezy or jessie? ;)

You can run with '-nc' to avoid pbuilder invoking clean outside of the
chroot.
 -- Guido

> 
> A.
> 
> -- 
> Choose a job you love and you will never have to work a day in your
> life.
>  - Confucius
> 



Re: graphicsmagick update

2017-01-31 Thread Antoine Beaupré
On 2017-01-31 21:42:41, Emilio Pozuelo Monfort wrote:
> I'd say it makes sense to release a regression update.
>
> BTW I'm not sure about this change, which is not mentioned in your changelog 
> entry:
>
> --- graphicsmagick-1.3.16/debian/rules  2016-09-20 23:52:26.0 +0200
> +++ graphicsmagick-1.3.16/debian/rules  2017-01-16 19:22:54.0 +0100
> @@ -36,7 +36,7 @@
>  CFLAGS = -Wall -g -fno-strict-aliasing
>  LDFLAGS =
>
> -include /usr/share/hardening-includes/hardening.make
> +-include /usr/share/hardening-includes/hardening.make
>  CFLAGS += $(HARDENING_CFLAGS)
>  LDFLAGS += $(HARDENING_LDFLAGS)

This is to silence the failure to include the file in later versions of
hardening-includes (from stretch and later) that would prevent pdebuild,
git-buildpackage and other tools from firing the build from sid or
stretch.

I still build the package inside a woody chroot, of course, this is just
to trigger the build.

But maybe there's another way to fix this that I don't know?

Are you people all still running wheezy or jessie? ;)

A.

-- 
Choose a job you love and you will never have to work a day in your
life.
 - Confucius
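The point of the `include` to `-include` change above is that GNU make's `-include` silently skips a file that does not exist, which is exactly what lets `debian/rules clean` run on a host without hardening-includes, but it also means a real build on such a host would get empty `HARDENING_CFLAGS`/`HARDENING_LDFLAGS` without any error. The fragment below is an added example, not code from the thread or from the graphicsmagick package: it keeps the tolerant `-include` but refuses to proceed with any goal other than `clean` if the hardening variables came out empty. It assumes, as the quoted rules do, that hardening.make defines `HARDENING_CFLAGS` and `HARDENING_LDFLAGS`; the `show-flags` target is a hypothetical helper for inspecting the result.

```make
# Added example (not from the thread or the graphicsmagick package):
# a debian/rules-style fragment that tolerates a missing hardening.make
# for "clean" but refuses to build without hardening flags.
# Path and variable names follow the hunk quoted in the thread.

CFLAGS = -Wall -g -fno-strict-aliasing
LDFLAGS =

# "-include" (unlike "include") does not abort make when the file is absent,
# so the host running "debian/rules clean" need not have hardening-includes.
-include /usr/share/hardening-includes/hardening.make

# Assumption: hardening.make defines HARDENING_CFLAGS / HARDENING_LDFLAGS.
# If the include was skipped they expand to nothing. Allow that only for the
# "clean" goal; for every other goal (build, binary, the default goal) fail
# loudly instead of producing a binary that merely looks hardened.
ifeq ($(strip $(HARDENING_CFLAGS)),)
  ifeq ($(filter clean,$(MAKECMDGOALS)),)
    $(error hardening.make not found: HARDENING_CFLAGS is empty, refusing to build without hardening flags)
  endif
endif

CFLAGS += $(HARDENING_CFLAGS)
LDFLAGS += $(HARDENING_LDFLAGS)

# Hypothetical helper target: print the flags a build would use.
.PHONY: show-flags
show-flags:
	@echo "CFLAGS=$(CFLAGS)"
	@echo "LDFLAGS=$(LDFLAGS)"

.PHONY: clean
clean:
	rm -f *.o
```

With this in place `make clean` still succeeds on a host without hardening-includes, while `make show-flags` (or a real build) on that host stops with the error; Guido's `-nc` suggestion solves the same problem at the pbuilder invocation instead, by not running clean outside the chroot at all.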



Re: graphicsmagick update

2017-01-31 Thread Emilio Pozuelo Monfort
On 16/01/17 20:48, Antoine Beaupré wrote:
> Hi,
> 
> I've looked at updating the graphicsmagick (GM) update to fix the issues
> outlined in a [recent discussion][1]. The fix to CVE-2016-5240.patch is
> trivial. I can also confirm the current GM version in wheezy-security
> segfaults with the POC.
> 
> I've had difficulties fixing the pending CVE-2016-9830 in wheezy,
> however. The patch depends on the fairly new height/width "magick
> resource limit" management, which was introduced in [January
> 2015][2]. The [patch][2] is rather intrusive and I don't think it is a good
> candidate for wheezy, especially because it probably breaks ABI
> compatibility. Attached is my best shot at porting the patch for
> CVE-2016-9830, which fails to comply, but may be useful for jessie or
> others.
> 
> So I don't see any choice but to mark that issue as no-dsa. The impact
> of the patch is more of a DOS (memory exhaustion, from what I can tell)
> than code execution, so I think it doesn't warrant major code changes.
> 
> I have built a package for amd64 in the [usual location][3] and attached
> the debdiff for the deb7u6 update. I confirm the patch here fixes
> CVE-2016-5240 properly.
> 
> I am not sure I should upload this directly now considering it's such a
> small fix, but given that it crashes with the bad data, maybe it's worth
> it?

I'd say it makes sense to release a regression update.

BTW I'm not sure about this change, which is not mentioned in your changelog 
entry:

--- graphicsmagick-1.3.16/debian/rules  2016-09-20 23:52:26.0 +0200
+++ graphicsmagick-1.3.16/debian/rules  2017-01-16 19:22:54.0 +0100
@@ -36,7 +36,7 @@
 CFLAGS = -Wall -g -fno-strict-aliasing
 LDFLAGS =

-include /usr/share/hardening-includes/hardening.make
+-include /usr/share/hardening-includes/hardening.make
 CFLAGS += $(HARDENING_CFLAGS)
 LDFLAGS += $(HARDENING_LDFLAGS)
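Review bot: switching `include` to `-include` makes a missing /usr/share/hardening-includes/hardening.make a silent no-op rather than an error, so on a host without that file `$(HARDENING_CFLAGS)` and `$(HARDENING_LDFLAGS)` on the two lines below expand to nothing and the package builds without any hardening flags and without any diagnostic. The change at least belongs in the changelog entry; if the goal is only to let `clean` run outside the chroot, a guard such as `ifeq ($(strip $(HARDENING_CFLAGS)),)` followed by `$(error ...)` for goals other than `clean` would keep that convenience while still refusing a real build with empty flags.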


Cheers,
Emilio



graphicsmagick update

2017-01-16 Thread Antoine Beaupré
Hi,

I've looked at updating the graphicsmagick (GM) update to fix the issues
outlined in a [recent discussion][1]. The fix to CVE-2016-5240.patch is
trivial. I can also confirm the current GM version in wheezy-security
segfaults with the POC.

I've had difficulties fixing the pending CVE-2016-9830 in wheezy,
however. The patch depends on the fairly new height/width "magick
resource limit" management, which was introduced in [January
2015][2]. The [patch][2] is rather intrusive and I don't think it is a good
candidate for wheezy, especially because it probably breaks ABI
compatibility. Attached is my best shot at porting the patch for
CVE-2016-9830, which fails to comply, but may be useful for jessie or
others.

So I don't see any choice but to mark that issue as no-dsa. The impact
of the patch is more of a DOS (memory exhaustion, from what I can tell)
than code execution, so I think it doesn't warrant major code changes.

I have built a package for amd64 in the [usual location][3] and attached
the debdiff for the deb7u6 update. I confirm the patch here fixes
CVE-2016-5240 properly.

I am not sure I should upload this directly now considering it's such a
small fix, but given that it crashes with the bad data, maybe it's worth
it?

Let me know,

A.

[1]: https://lists.debian.org/msgid-search/148158.43717.818066433.42d9b...@webmail.messagingengine.com
[2]: http://hg.code.sf.net/p/graphicsmagick/code/rev/fac88115873c
[3]: https://people.debian.org/~anarcat/debian/wheezy-lts/

-- 
You will know the truth of your path by what makes you happy.
- Aristotle


# HG changeset patch
# User Glenn Randers-Pehrson 
# Date 1477099736 14400
# Node ID 38d0f281e8c81e12ead220e1a7849d69e89b4697
# Parent  400a2e59c0d9bd7fb8b19abb1b8df60d04418f8f
*coders/png.c (ReadOneJNGImage): Enforce spec requirement that
the dimensions of the JPEG embedded in a JDAT chunk must match
the JHDR dimensions.

--- a/coders/png.c
+++ b/coders/png.c
@@ -70,6 +70,7 @@
 #include "magick/pixel_cache.h"
 #include "magick/profile.h"
 #include "magick/quantize.h"
+#include "magick/resource.h"
 #include "magick/semaphore.h"
 #include "magick/static.h"
 #include "magick/tempfile.h"
@@ -3043,6 +3044,10 @@ static Image *ReadOneJNGImage(MngInfo *m
 skip_to_iend,
 status;
 
+  magick_int64_t
+height_resource,
+width_resource;
+
   unsigned long
 length;
 
@@ -3082,6 +3087,10 @@ static Image *ReadOneJNGImage(MngInfo *m
   read_JSEP=MagickFalse;
   reading_idat=MagickFalse;
   skip_to_iend=MagickFalse;
+
+  width_resource = GetMagickResourceLimit(WidthResource);
+  height_resource = GetMagickResourceLimit(HeightResource);
+
   for (;;)
 {
   char
@@ -3186,6 +3195,10 @@ static Image *ReadOneJNGImage(MngInfo *m
 }
   if (length)
 MagickFreeMemory(chunk);
+  /* Temporarily set width and height resources to match JHDR */
+  SetMagickResourceLimit(WidthResource,jng_width);
+  SetMagickResourceLimit(HeightResource,jng_height);
+
   continue;
 }
 
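Review bot: setting the Width/Height resource limits to jng_width/jng_height turns them into upper bounds on the embedded JPEG, which rejects a JPEG larger than the JHDR but, as far as this hunk shows, still accepts one that is smaller; the commit message says the dimensions "must match", so either the message should say "must not exceed" or an explicit equality check of the decoded JPEG's columns/rows against jng_width/jng_height is still needed. Also, when jng_width or jng_height is larger than the values saved at entry (width_resource/height_resource), these two calls raise the user's configured limit instead of lowering it; setting each limit to the smaller of the JHDR value and the saved value would keep the configured limit in force.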
@@ -3588,6 +3601,10 @@ static Image *ReadOneJNGImage(MngInfo *m
   if (logging)
 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
   "  exit ReadOneJNGImage()");
+
+  SetMagickResourceLimit(WidthResource,width_resource);
+  SetMagickResourceLimit(HeightResource,height_resource);
+
   return (image);
 }
 
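Review bot: the limits saved at entry are restored only on the path that reaches the "exit ReadOneJNGImage()" log before `return (image);`. If ReadOneJNGImage has any other return (error exits inside the chunk loop are not visible in this patch), the width/height limits stay clamped to the JHDR dimensions for every image read afterwards in that process, since Get/SetMagickResourceLimit take no per-image context and appear to operate on global state. Restoring at every exit (for example through one cleanup label) would close that gap, and the global nature of the limit is worth a comment, as another reader running concurrently in the same process would observe the temporary values.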
diff -Nru graphicsmagick-1.3.16/debian/changelog graphicsmagick-1.3.16/debian/changelog
--- graphicsmagick-1.3.16/debian/changelog	2016-10-26 17:11:46.0 -0400
+++ graphicsmagick-1.3.16/debian/changelog	2017-01-16 14:35:02.0 -0500
@@ -1,3 +1,11 @@
+graphicsmagick (1.3.16-1.1+deb7u6) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the LTS Security Team.
+  * Properly fix CVE-2016-5240. Previous patch caused a segfault instead
+of fixing the Denial of Service.
+
+ -- Antoine Beaupré   Mon, 16 Jan 2017 14:35:02 -0500
+
 graphicsmagick (1.3.16-1.1+deb7u5) wheezy-security; urgency=high
 
   * Non-maintainer upload by the Wheezy LTS team.
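Review bot: the distribution field reads `UNRELEASED` and has to become `wheezy-security` (as in the deb7u5 entry below it) before upload. The entry also lists only the CVE-2016-5240 fix, while the debdiff under discussion also changes debian/rules (`include` to `-include` of hardening.make); that change should get its own changelog line so the reason for it is on record.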
diff -Nru graphicsmagick-1.3.16/debian/patches/CVE-2016-5240.patch graphicsmagick-1.3.16/debian/patches/CVE-2016-5240.patch
--- graphicsmagick-1.3.16/debian/patches/CVE-2016-5240.patch	2016-10-26 16:31:22.0 -0400
+++ graphicsmagick-1.3.16/debian/patches/CVE-2016-5240.patch	2017-01-16 13:28:27.0 -0500
@@ -1,6 +1,6 @@
 --- a/magick/render.c
 +++ b/magick/render.c
-@@ -1519,7 +1519,7 @@
+@@ -1519,7 +1519,7 @@ static unsigned int DrawDashPolygon(cons
  n++;
}
status=True;
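Review bot: the only change in this hunk is the function-name context appended to the `@@` header (`static unsigned int DrawDashPolygon(cons`), which patch(1) ignores when applying, so it does not alter what the patch does and does not by itself account for the "Properly fix CVE-2016-5240" changelog claim; the substantive change must be in the hunks cut off below, and a short description of the actual fix in the patch header (DEP-3 style) would make the debdiff reviewable without reconstructing it.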
@@ -9,7 +9,7 @@
{
  dx=primitive_info[i].point.x-primitive_info[i-1].point.x;
  dy=primitive_info[i].point.y-primitive_info[i-1].point.y;
-@@ -1531,7 +1531,7 @@
+@@ -1531,7 +1531,7 @@ static unsigned int DrawDashPolygon(cons
n=0;
  length=scale*draw_info->dash_pattern[n];
}
@@ -18,7 +18,7 @@
  {
total_length+=length;
if