[Buildroot] [PATCH 1/1] package/graphicsmagick: fix CVE-2020-12672

Yann E. MORIN yann.morin.1998 at free.fr
Sat Sep 5 21:12:03 UTC 2020


Fabrice, All,

On 2020-09-05 22:58 +0200, Fabrice Fontaine spake thusly:
> GraphicsMagick through 1.3.35 has a heap-based buffer overflow in
> ReadMNGImage in coders/png.c.
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  ...ix-small-heap-overwrite-or-assertion.patch | 78 +++++++++++++++++++
>  package/graphicsmagick/graphicsmagick.mk      |  3 +
>  2 files changed, 81 insertions(+)
>  create mode 100644 package/graphicsmagick/0001-MNG-Fix-small-heap-overwrite-or-assertion.patch
> 
> diff --git a/package/graphicsmagick/0001-MNG-Fix-small-heap-overwrite-or-assertion.patch b/package/graphicsmagick/0001-MNG-Fix-small-heap-overwrite-or-assertion.patch
> new file mode 100644
> index 0000000000..6fac7d0302
> --- /dev/null
> +++ b/package/graphicsmagick/0001-MNG-Fix-small-heap-overwrite-or-assertion.patch
> @@ -0,0 +1,78 @@
> +# HG changeset patch
> +# User Bob Friesenhahn <bfriesen at GraphicsMagick.org>
> +# Date 1590851896 18000
> +#      Sat May 30 10:18:16 2020 -0500
> +# Node ID 50395430a37188d0d197e71bd85ed6dd0f649ee3
> +# Parent  4917a4242fc0a12f2f6baa10f1c5a9b3e68c20dd
> +MNG: Fix small heap overwrite or assertion if magnifying and image to be magnified has rows or columns == 1.
> +
> +[Retrieved (and updated to remove ChangeLog and version changes) from:
> +https://sourceforge.net/p/graphicsmagick/code/ci/50395430a37188d0d197e71bd85ed6dd0f649ee3]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> +
> +diff -r 4917a4242fc0 -r 50395430a371 coders/png.c
> +--- a/coders/png.c	Fri May 01 13:49:13 2020 -0500
> ++++ b/coders/png.c	Sat May 30 10:18:16 2020 -0500
> +@@ -5304,7 +5304,7 @@
> +               if (logging)
> +                 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
> +                                       "MAGN chunk (%lu bytes): "
> +-                                      "First_magnified_object_id=%u, Last_magnified_object_id=%u, "
> ++                                      "First_magnified_object_id=%u, Las t_magnified_object_id=%u, "
> +                                       "MB=%u, ML=%u, MR=%u, MT=%u, MX=%u, MY=%u, "
> +                                       "X_method=%u, Y_method=%u",
> +                                       length,
> +@@ -5679,6 +5679,8 @@
> +           /*
> +             If magnifying and a supported method is requested then
> +             magnify the image.
> ++
> ++            http://www.libpng.org/pub/mng/spec/mng-1.0-20010209-pdg.html#mng-MAGN
> +           */
> +           if (((mng_info->magn_methx > 0) && (mng_info->magn_methx <= 5)) &&
> +               ((mng_info->magn_methy > 0) && (mng_info->magn_methy <= 5)))
> +@@ -5689,7 +5691,28 @@
> + 
> +               if (logging)
> +                 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
> +-                                      "  Processing MNG MAGN chunk");
> ++                                      "  Processing MNG MAGN chunk: MB=%u, ML=%u,"
> ++                                      " MR=%u, MT=%u, MX=%u, MY=%u,"
> ++                                      " X_method=%u, Y_method=%u",
> ++                                      mng_info->magn_mb,mng_info->magn_ml,
> ++                                      mng_info->magn_mr,mng_info->magn_mt,
> ++                                      mng_info->magn_mx,mng_info->magn_my,
> ++                                      mng_info->magn_methx,
> ++                                      mng_info->magn_methy);
> ++
> ++              /*
> ++                If the image width is 1, then X magnification is done
> ++                by simple pixel replication.
> ++              */
> ++              if (image->columns == 1)
> ++                  mng_info->magn_methx = 1;
> ++
> ++              /*
> ++                If the image height is 1, then Y magnification is done
> ++                by simple pixel replication.
> ++              */
> ++              if (image->rows == 1)
> ++                  mng_info->magn_methy = 1;
> + 
> +               if (mng_info->magn_methx == 1)
> +                 {
> +@@ -5734,12 +5757,10 @@
> +                   Image
> +                     *large_image;
> + 
> +-                  int
> +-                    yy;
> +-
> +                   long
> +                     m,
> +-                    y;
> ++                    y,
> ++                    yy;
> + 
> +                   register long
> +                     x;
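Review bot: The two guards added just before `if (mng_info->magn_methx == 1)` overwrite `mng_info->magn_methx` and `mng_info->magn_methy` in place, so the method parsed from the MAGN chunk is lost once a one-column or one-row image has been processed. If `mng_info` is reused for later objects in the same stream (not visible in these hunks), those objects would be magnified by replication instead of the requested method; coercing local copies of the two methods would keep the fix scoped to the image being magnified. Separately, the first inner hunk changes the log format string to `Las t_magnified_object_id=%u`, which looks like an accidental space and could be left out of the backport in the same way as the ChangeLog and version changes. The enclosing ReadMNGImage body starts and ends outside the hunks shown, so the bounds handling in the magnification loops themselves cannot be checked from here.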
> diff --git a/package/graphicsmagick/graphicsmagick.mk b/package/graphicsmagick/graphicsmagick.mk
> index 782dd1431e..436df709e7 100644
> --- a/package/graphicsmagick/graphicsmagick.mk
> +++ b/package/graphicsmagick/graphicsmagick.mk
> @@ -13,6 +13,9 @@ GRAPHICSMAGICK_LICENSE_FILES = Copyright.txt
>  GRAPHICSMAGICK_INSTALL_STAGING = YES
>  GRAPHICSMAGICK_CONFIG_SCRIPTS = GraphicsMagick-config GraphicsMagickWand-config
>  
> +# 0001-MNG-Fix-small-heap-overwrite-or-assertion.patch
> +GRAPHICSMAGICK_IGNORE_CVES += CVE-2020-12672
> +
>  ifeq ($(BR2_INSTALL_LIBSTDCPP)$(BR2_USE_WCHAR),yy)
>  GRAPHICSMAGICK_CONFIG_SCRIPTS += GraphicsMagick++-config
>  endif
> -- 
> 2.28.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

