[packages/GraphicsMagick] CVE-2016-5118 fix

glen glen at pld-linux.org
Fri Jun 3 11:19:20 CEST 2016


commit 51c1699e0607ad7de43626ae7d1115c2b0f72e1b
Author: Elan Ruusamäe <glen at delfi.ee>
Date:   Fri Jun 3 12:18:47 2016 +0300

    CVE-2016-5118 fix
    
    patch from Notes section:
    https://security-tracker.debian.org/tracker/CVE-2016-5118

 CVE-2016-5118.patch | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 GraphicsMagick.spec |  4 ++-
 2 files changed, 83 insertions(+), 1 deletion(-)
---
diff --git a/GraphicsMagick.spec b/GraphicsMagick.spec
index da9adde..53cf037 100644
--- a/GraphicsMagick.spec
+++ b/GraphicsMagick.spec
@@ -21,7 +21,7 @@ Summary(tr.UTF-8):	X altında resim gösterme, çevirme ve değişiklik yapma
 Summary(uk.UTF-8):	Перегляд, конвертування та обробка зображень під X Window
 Name:		GraphicsMagick
 Version:	1.3.23
-Release:	2
+Release:	3
 License:	MIT
 Group:		X11/Applications/Graphics
 Source0:	http://downloads.sourceforge.net/graphicsmagick/%{name}-%{version}.tar.xz
@@ -33,6 +33,7 @@ Patch2:		elegates-safer.patch
 Patch3:		disable-mvg-ext.patch
 Patch4:		disable-tmp-magick-prefix.patch
 Patch5:		image-sanity-check.patch
+Patch6:		CVE-2016-5118.patch
 URL:		http://www.graphicsmagick.org/
 BuildRequires:	autoconf >= 2.69
 BuildRequires:	automake >= 1:1.11
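Review bot: the file named by Patch6 carries the whole oss-security mail (about 69 lines of prose and two example inputs) ahead of the actual `diff -r 33200fc645f6 magick/blob.c` hunk, so `patch` has to skip leading text before it finds the `--- a/magick/blob.c` header. That works, but a one-line comment above `Patch6:` saying what the patch does (defines away HAVE_POPEN in magick/blob.c, so a filename beginning with `|` is no longer handed to popen(3)) would save the next maintainer from reading the mail to learn why `gm convert '|cmd'` behaviour changed in Release 3.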
@@ -571,6 +572,7 @@ Dokumentacja do GraphicsMagick.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 
 find PerlMagick scripts www -type f -exec perl -pi -e 's=!%{_prefix}/local/bin/perl=!%{__perl}=' {} \;
 
diff --git a/CVE-2016-5118.patch b/CVE-2016-5118.patch
new file mode 100644
index 0000000..eb5d0d9
--- /dev/null
+++ b/CVE-2016-5118.patch
@@ -0,0 +1,80 @@
+http://www.openwall.com/lists/oss-security/2016/05/29/7
+
+Date: Sun, 29 May 2016 15:03:10 -0500 (CDT)
+From: Bob Friesenhahn <bfriesen at ...ple.dallas.tx.us>
+To: oss security list <oss-security at ...ts.openwall.com>
+Subject: CVE Request: GraphicsMagick and ImageMagick popen() shell vulnerability
+ via filename
+
+All existing releases of GraphicsMagick and ImageMagick support a file
+open syntax where if the first character of the file specification is
+a '|', then the remainder of the filename is passed to the shell for
+execution using the POSIX popen(3C) function.  File opening is handled
+by an OpenBlob() function in the source file blob.c.  Unlike the
+vulnerability described by CVE-2016-3714, this functionality is
+supported by the core file opening function rather than a delegates
+subsystem usually used to execute external programs.
+
+The funtionality can be demonstrated as follows:
+
+   % rm -f hello.txt
+   % convert '|echo Hello > hello.txt;' null:
+   % ls hello.txt
+   hello.txt
+
+The same weakness in the native SVG readers may be used to provoke
+this problem.  This example returns a valid image given a known file 
+(but an actual file is not necessary):
+
+   <?xml version="1.0" standalone="no"?>
+   <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+   "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+   <svg width="4in" height="3in" version="1.1"
+   xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+   <desc>Illustrates how a shell command may be embedded in a SVG.
+   </desc>
+   <image x="200" y="200" width="100px" height="100px"
+   xlink:href="|echo Hello > hello.txt; cat /usr/lib/firefox/browser/icons/mozicon128.png">
+   <title>My image</title>
+   </image>
+   </svg>
+
+Or in MVG:
+
+   push graphic-context
+   viewbox 0 0 640 480
+   image copy 200,200 100,100 "|echo Hello > hello.txt; cat /usr/lib/firefox/browser/icons/mozicon128.png"
+   pop graphic-context
+
+Previously supplied recommended patches for GraphicsMagick do 
+successfully block this attack vector in SVG and MVG.
+
+It is highly likely that there are many paths leading to a suitable 
+filename which may be executed outside of SVG and MVG since the 
+software is quite complex and powerful.  The examples above are not 
+meant to suggest that other avenues to the same weakness are not 
+available.
+
+The simple solution to the problem is to disable the popen support 
+(HAVE_POPEN) in GraphicsMagick's magick/blob.c as is done by the 
+attached patch.
+
+This issue was discovered by Bob Friesenhahn, of the GraphicsMagick
+project.
+
+Bob
+-- 
+Bob Friesenhahn
+bfriesen at ...ple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
+GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
+diff -r 33200fc645f6 magick/blob.c
+--- a/magick/blob.c	Sat Nov 07 14:49:16 2015 -0600
++++ b/magick/blob.c	Sun May 29 14:12:57 2016 -0500
+@@ -68,6 +68,7 @@
+ */
+ #define DefaultBlobQuantum  65541
+ 
++#undef HAVE_POPEN
+ 
+ /*
+   Enum declarations. 
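Review bot: `#undef HAVE_POPEN` at blob.c line 68 only neutralises the popen path if the configuration header that defines HAVE_POPEN has already been included above that point and no `#if defined(HAVE_POPEN)` occurs earlier in the file; the hunk's context (just after `#define DefaultBlobQuantum  65541`) is consistent with that, but it should be verified against the 1.3.23 sources rather than the Nov 2015 Mercurial revision the diff was made from. Worth stating in the package as well: this is a blanket disable, so legitimate `|command` input and output through OpenBlob() is lost, which is the intended trade-off given the advisory's own warning that SVG and MVG are only two of many routes to that function.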
================================================================
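A pre-filter for the vector described in the quoted advisory, as an added example that is not part of this commit, the PLD package, or GraphicsMagick itself: it flags image references that a GraphicsMagick or ImageMagick build with popen support would pass to popen(3), that is, a filename whose first character is `|`, in bare filenames, SVG `xlink:href`/`href` attributes, and MVG `image` primitives. The two sample inputs are the advisory's own SVG and MVG; the benign SVG, the plain `href` check, the tolerance for leading whitespace, and the simplified MVG regex are assumptions of this example. It is a detection aid for an upload pipeline, not a substitute for the `#undef HAVE_POPEN` fix, since the advisory says other input paths reach the same OpenBlob() code.

```python
# Added example (not code from GraphicsMagick, ImageMagick or the PLD package):
# flag the CVE-2016-5118 '|' filename vector in inputs about to be handed to gm.
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"
# SVG 1.1 uses xlink:href; plain href is checked too (assumption: newer SVG inputs).
HREF_ATTRS = ("{%s}href" % XLINK_NS, "href")

# MVG 'image' primitive: image <compose> x,y w,h "filename" (single or double quotes).
# Simplified regex (assumption): quoted filenames containing escaped quotes are not handled.
MVG_IMAGE = re.compile(r"""^\s*image\b[^"'\n]*(["'])(.*?)\1""", re.MULTILINE)


def is_pipe_filename(name):
    """True if a popen-enabled build would pass the name to popen(3).

    The advisory's rule is 'first character is |'. Leading whitespace is
    tolerated here as well (assumption: err on the side of flagging).
    """
    return name.lstrip().startswith("|")


def scan_svg(svg_text):
    """Return (element, attribute, value) for every pipe reference in an SVG."""
    # Python's ElementTree does not fetch the external DTD named in the DOCTYPE
    # or resolve external entities, which is what we want for untrusted input.
    root = ET.fromstring(svg_text)
    hits = []
    for elem in root.iter():
        for attr in HREF_ATTRS:
            value = elem.attrib.get(attr)
            if value is not None and is_pipe_filename(value):
                local_tag = elem.tag.rsplit("}", 1)[-1]
                local_attr = attr.rsplit("}", 1)[-1]
                hits.append((local_tag, local_attr, value))
    return hits


def scan_mvg(mvg_text):
    """Return the filename of every MVG image primitive that names a pipe."""
    return [m.group(2) for m in MVG_IMAGE.finditer(mvg_text)
            if is_pipe_filename(m.group(2))]


def scan(fmt, data):
    """Dispatch on the declared format; anything else is treated as a bare filename."""
    if fmt == "svg":
        return scan_svg(data)
    if fmt == "mvg":
        return scan_mvg(data)
    return [data] if is_pipe_filename(data) else []


# Samples: the two vectors from the advisory, plus a constructed benign SVG.
SAMPLE_SVG = """<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="4in" height="3in" version="1.1"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image x="200" y="200" width="100px" height="100px"
xlink:href="|echo Hello > hello.txt; cat /usr/lib/firefox/browser/icons/mozicon128.png">
<title>My image</title>
</image>
</svg>
"""

SAMPLE_MVG = """push graphic-context
viewbox 0 0 640 480
image copy 200,200 100,100 "|echo Hello > hello.txt; cat /usr/lib/firefox/browser/icons/mozicon128.png"
pop graphic-context
"""

BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image x="0" y="0" width="10" height="10" xlink:href="logo.png"/>
</svg>
"""

if __name__ == "__main__":
    for fmt, data in (("svg", SAMPLE_SVG), ("mvg", SAMPLE_MVG), ("svg", BENIGN_SVG)):
        print(fmt, "->", scan(fmt, data))
```

Run it on the advisory's samples and both pipe references are reported while the benign SVG yields nothing; anything flagged should be rejected before the file reaches `gm`, and the filter should be treated as one layer in front of a build that has popen support disabled.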

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/GraphicsMagick.git/commitdiff/51c1699e0607ad7de43626ae7d1115c2b0f72e1b



More information about the pld-cvs-commit mailing list