[packages/GraphicsMagick] CVE-2016-5118 fix
glen
glen at pld-linux.org
Fri Jun 3 11:19:20 CEST 2016
commit 51c1699e0607ad7de43626ae7d1115c2b0f72e1b
Author: Elan Ruusamäe <glen at delfi.ee>
Date: Fri Jun 3 12:18:47 2016 +0300
CVE-2016-5118 fix
patch from Notes section:
https://security-tracker.debian.org/tracker/CVE-2016-5118
CVE-2016-5118.patch | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++++
GraphicsMagick.spec | 4 ++-
2 files changed, 83 insertions(+), 1 deletion(-)
---
diff --git a/GraphicsMagick.spec b/GraphicsMagick.spec
index da9adde..53cf037 100644
--- a/GraphicsMagick.spec
+++ b/GraphicsMagick.spec
@@ -21,7 +21,7 @@ Summary(tr.UTF-8): X altında resim gösterme, çevirme ve değişiklik yapma
Summary(uk.UTF-8): Перегляд, конвертування та обробка зображень під X Window
Name: GraphicsMagick
Version: 1.3.23
-Release: 2
+Release: 3
License: MIT
Group: X11/Applications/Graphics
Source0: http://downloads.sourceforge.net/graphicsmagick/%{name}-%{version}.tar.xz
@@ -33,6 +33,7 @@ Patch2: elegates-safer.patch
Patch3: disable-mvg-ext.patch
Patch4: disable-tmp-magick-prefix.patch
Patch5: image-sanity-check.patch
+Patch6: CVE-2016-5118.patch
URL: http://www.graphicsmagick.org/
BuildRequires: autoconf >= 2.69
BuildRequires: automake >= 1:1.11
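Review bot: nothing in the spec records where CVE-2016-5118.patch comes from; the commit message points at the Debian tracker, but anyone reading the spec later only sees the `Patch6:` line. Suggest a comment directly above it, e.g. `# https://security-tracker.debian.org/tracker/CVE-2016-5118`, so the origin survives independently of the git history.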
@@ -571,6 +572,7 @@ Dokumentacja do GraphicsMagick.
%patch3 -p1
%patch4 -p1
%patch5 -p1
+%patch6 -p1
find PerlMagick scripts www -type f -exec perl -pi -e 's=!%{_prefix}/local/bin/perl=!%{__perl}=' {} \;
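Review bot: `-p1` is the right strip level for the embedded hunk (`--- a/magick/blob.c` / `+++ b/magick/blob.c`), but note that CVE-2016-5118.patch carries roughly seventy lines of mailing-list text before the `diff -r` header, so patch(1) has to skip that preamble as garbage before it finds the file header. That works with GNU patch, but it is worth confirming the `%setup`/`%patch6` step applies cleanly (and without fuzz) against 1.3.23 before the release bump, since the hunk was cut against a Nov 2015 revision of blob.c.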
diff --git a/CVE-2016-5118.patch b/CVE-2016-5118.patch
new file mode 100644
index 0000000..eb5d0d9
--- /dev/null
+++ b/CVE-2016-5118.patch
@@ -0,0 +1,80 @@
+http://www.openwall.com/lists/oss-security/2016/05/29/7
+
+Date: Sun, 29 May 2016 15:03:10 -0500 (CDT)
+From: Bob Friesenhahn <bfriesen at ...ple.dallas.tx.us>
+To: oss security list <oss-security at ...ts.openwall.com>
+Subject: CVE Request: GraphicsMagick and ImageMagick popen() shell vulnerability
+ via filename
+
+All existing releases of GraphicsMagick and ImageMagick support a file
+open syntax where if the first character of the file specification is
+a '|', then the remainder of the filename is passed to the shell for
+execution using the POSIX popen(3C) function. File opening is handled
+by an OpenBlob() function in the source file blob.c. Unlike the
+vulnerability described by CVE-2016-3714, this functionality is
+supported by the core file opening function rather than a delegates
+subsystem usually used to execute external programs.
+
+The funtionality can be demonstrated as follows:
+
+ % rm -f hello.txt
+ % convert '|echo Hello > hello.txt;' null:
+ % ls hello.txt
+ hello.txt
+
+The same weakness in the native SVG readers may be used to provoke
+this problem. This example returns a valid image given a known file
+(but an actual file is not necessary):
+
+ <?xml version="1.0" standalone="no"?>
+ <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+ "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+ <svg width="4in" height="3in" version="1.1"
+ xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+ <desc>Illustrates how a shell command may be embedded in a SVG.
+ </desc>
+ <image x="200" y="200" width="100px" height="100px"
+ xlink:href="|echo Hello > hello.txt; cat /usr/lib/firefox/browser/icons/mozicon128.png">
+ <title>My image</title>
+ </image>
+ </svg>
+
+Or in MVG:
+
+ push graphic-context
+ viewbox 0 0 640 480
+ image copy 200,200 100,100 "|echo Hello > hello.txt; cat /usr/lib/firefox/browser/icons/mozicon128.png"
+ pop graphic-context
+
+Previously supplied recommended patches for GraphicsMagick do
+successfully block this attack vector in SVG and MVG.
+
+It is highly likely that there are many paths leading to a suitable
+filename which may be executed outside of SVG and MVG since the
+software is quite complex and powerful. The examples above are not
+meant to suggest that other avenues to the same weakness are not
+available.
+
+The simple solution to the problem is to disable the popen support
+(HAVE_POPEN) in GraphicsMagick's magick/blob.c as is done by the
+attached patch.
+
+This issue was discovered by Bob Friesenhahn, of the GraphicsMagick
+project.
+
+Bob
+--
+Bob Friesenhahn
+bfriesen at ...ple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
+GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
+diff -r 33200fc645f6 magick/blob.c
+--- a/magick/blob.c Sat Nov 07 14:49:16 2015 -0600
++++ b/magick/blob.c Sun May 29 14:12:57 2016 -0500
+@@ -68,6 +68,7 @@
+ */
+ #define DefaultBlobQuantum 65541
+
++#undef HAVE_POPEN
+
+ /*
+ Enum declarations.
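Review bot: the only real change here is `#undef HAVE_POPEN` inserted after `#define DefaultBlobQuantum 65541`; that undef is only effective if the configuration header that defines HAVE_POPEN has already been included above line 68, and the hunk's context does not show the includes, so verify on the patched file that no later include re-establishes the macro (a grep for HAVE_POPEN in magick/blob.c is enough). Also, because OpenBlob() handles every file open, this removes the leading `|` syntax for all blob opens, not just the read paths the mail discusses, which is a deliberate behaviour change that deserves a one-line note in the spec. Finally, the file mixes the mail body (with its `at ...` mangled addresses) and the diff; keeping the oss-security URL at the top is good, but consider trimming the quoted body to the problem statement and the `diff -r` part so the patch file stays readable.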
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/GraphicsMagick.git/commitdiff/51c1699e0607ad7de43626ae7d1115c2b0f72e1b