From 35c4c461889ae7f79f03dbd4953e38e082c53151 Mon Sep 17 00:00:00 2001 From: Pavel Alexeev (aka Pahan-Hubbitus) Date: Aug 11 2012 19:48:41 +0000 Subject: Fix CVE-2012-3437 (bz#844101, 844103) --- diff --git a/ImageMagick-6.7.5-6-CVE-2012-3437.patch b/ImageMagick-6.7.5-6-CVE-2012-3437.patch new file mode 100644 index 0000000..b5fb983 --- /dev/null +++ b/ImageMagick-6.7.5-6-CVE-2012-3437.patch @@ -0,0 +1,56 @@ +--- coders/png.c (revision 8733) ++++ coders/png.c (revision 8732) +@@ -1756,11 +1756,7 @@ + } + + #ifdef PNG_USER_MEM_SUPPORTED +-#if PNG_LIBPNG_VER >= 14000 +-static png_voidp Magick_png_malloc(png_structp png_ptr,png_alloc_size_t size) +-#else +-static png_voidp Magick_png_malloc(png_structp png_ptr,png_size_t size) +-#endif ++static png_voidp Magick_png_malloc(png_structp png_ptr,png_uint_32 size) + { + #if (PNG_LIBPNG_VER < 10011) + png_voidp +@@ -7462,22 +7458,12 @@ + (char *) profile_type, (double) length); + } + +-#if PNG_LIBPNG_VER >= 14000 +- text=(png_textp) png_malloc(ping,(png_alloc_size_t) sizeof(png_text)); +-#else +- text=(png_textp) png_malloc(ping,(png_size_t) sizeof(png_text)); +-#endif ++ text=(png_textp) png_malloc(ping,(png_uint_32) sizeof(png_text)); + description_length=(png_uint_32) strlen((const char *) profile_description); + allocated_length=(png_uint_32) (length*2 + (length >> 5) + 20 + + description_length); +-#if PNG_LIBPNG_VER >= 14000 +- text[0].text=(png_charp) png_malloc(ping, +- (png_alloc_size_t) allocated_length); +- text[0].key=(png_charp) png_malloc(ping, (png_alloc_size_t) 80); +-#else +- text[0].text=(png_charp) png_malloc(ping, (png_size_t) allocated_length); +- text[0].key=(png_charp) png_malloc(ping, (png_size_t) 80); +-#endif ++ text[0].text=(png_charp) png_malloc(ping,allocated_length); ++ text[0].key=(png_charp) png_malloc(ping, (png_uint_32) 80); + text[0].key[0]='\0'; + (void) ConcatenateMagickString(text[0].key, + "Raw profile type ",MaxTextExtent); +@@ -10796,13 +10782,7 @@ + { + if (value != (const char *) NULL) + { +- +-#if PNG_LIBPNG_VER >= 14000 +- text=(png_textp) png_malloc(ping, +- (png_alloc_size_t) sizeof(png_text)); +-#else +- text=(png_textp) png_malloc(ping,(png_size_t) sizeof(png_text)); +-#endif ++ text=(png_textp) png_malloc(ping,(png_uint_32) sizeof(png_text)); + text[0].key=(char *) property; + text[0].text=(char *) value; + text[0].text_length=strlen(value); diff --git a/ImageMagick.spec b/ImageMagick.spec index 8e02e08..8b17f70 100644 --- a/ImageMagick.spec +++ b/ImageMagick.spec @@ -3,7 +3,7 @@ Name: ImageMagick Version: %{VER}.%{Patchlevel} -Release: 3%{?dist} +Release: 4%{?dist} Summary: An X application for displaying and manipulating images Group: Applications/Multimedia License: ImageMagick @@ -18,6 +18,9 @@ BuildRequires: libwmf-devel, jasper-devel, libtool-ltdl-devel BuildRequires: libX11-devel, libXext-devel, libXt-devel BuildRequires: lcms-devel, libxml2-devel, librsvg2-devel, OpenEXR-devel +# bz#844101, bz#844103 +Patch1: ImageMagick-6.7.5-6-CVE-2012-3437.patch + %description ImageMagick is an image display and manipulation tool for the X Window System. ImageMagick can read and write JPEG, TIFF, PNM, GIF, @@ -126,6 +129,9 @@ however. %prep %setup -q -n %{name}-%{VER}-%{Patchlevel} + +%patch1 -p0 -R -b .CVE-2012-3437 + sed -i 's/libltdl.la/libltdl.so/g' configure iconv -f ISO-8859-1 -t UTF-8 README.txt > README.txt.tmp touch -r README.txt README.txt.tmp @@ -303,6 +309,9 @@ rm -rf %{buildroot} %doc PerlMagick/demo/ PerlMagick/Changelog PerlMagick/README.txt %changelog +* Sat Aug 11 2012 Pavel Alexeev - 6.7.5.6-4 +- Fix CVE-2012-3437 (bz#844101, 844103) + * Sat Feb 25 2012 Pavel Alexeev - 6.7.5.6-1 - Update by request https://bugzilla.redhat.com/show_bug.cgi?id=755827#c8 - Delete multilib patch as it should be in main sources.