On Mon, 09 May 2016 at 07:17:33 +0000, Bastien Roucaries wrote:
> Could you wait about nmu. I have more patches...
Don't worry, I don't intend to NMU imagemagick, certainly not without getting some sort of review from its maintainers and/or the security team.

Here is what I have so far (entirely untested). Unfortunately, it fails to build from source, because imagemagick's own build process converts SVG to PNG for the icons. Without Inkscape installed, that goes via MVG format, which I've just disabled... so that won't work. You might have to build-depend on inkscape if you go this route :-(

S
From: Simon McVittie <s...@debian.org> Date: Mon, 9 May 2016 08:29:09 +0100 Subject: policy.xml: disable various coders to mitigate CVE-2016-3714 etc. Bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588 Bug-CVE: CVE-2016-3714, CVE-2016-3715, CVE-2016-3717, CVE-2016-3718 Bug-Debian: https://bugs.debian.org/823542 --- config/policy.xml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/config/policy.xml b/config/policy.xml index e4908b1..36ae4ef 100644 --- a/config/policy.xml +++ b/config/policy.xml @@ -56,4 +56,24 @@ <!-- <policy domain="resource" name="time" value="3600"/> --> <!-- <policy domain="system" name="precision" value="6"/> --> <policy domain="cache" name="shared-secret" value="passphrase"/> + + <!-- Mitigate CVE-2016-3714, -3718 --> + <policy domain="coder" rights="none" pattern="HTTPS" /> + <policy domain="coder" rights="none" pattern="URL" /> + + <!-- Mitigate CVE-2016-3714 to -3718 --> + <policy domain="coder" rights="none" pattern="MVG" /> + + <!-- Mitigate CVE-2016-3715 --> + <policy domain="coder" rights="none" pattern="EPHEMERAL" /> + + <!-- Mitigate CVE-2016-3716 --> + <policy domain="coder" rights="none" pattern="MSL" /> + + <!-- FIXME: listed on imagetragick.com as mitigating CVE-2016-371x; + variation of CVE-2016-3717 maybe? --> + <policy domain="coder" rights="none" pattern="TEXT" /> + <policy domain="coder" rights="none" pattern="SHOW" /> + <policy domain="coder" rights="none" pattern="WIN" /> + <policy domain="coder" rights="none" pattern="PLT" /> </policymap>
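Review bot: the FIXME on the TEXT/SHOW/WIN/PLT entries should be resolved before this reaches a stable upload rather than carried in policy.xml: either cite why each pattern is disabled or replace the guessed CVE number with a plain "recommended by imagetragick.com" so the comment is not read as an authoritative CVE mapping. Also, the block disables HTTPS and URL only; if the intent is to block every remote fetch, confirm whether this version registers any other URL-style coder (plain HTTP, FTP) that needs the same `rights="none"` line.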
From: Cristy <urban-warr...@imagemagick.org> Date: Fri, 2 Oct 2015 18:58:28 -0400 Subject: The -caption option no longer fails for filenames with @ prefix (cherry picked from commit 89ce096de81428c1b15b44ec97eb5a7c7d4e0f8b to be able to apply the CVE-2016-3714 patch) Bug-Debian: https://bugs.debian.org/823542 --- magick/property.c | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/magick/property.c b/magick/property.c index 545cb6f..36c3aab 100644 --- a/magick/property.c +++ b/magick/property.c @@ -3254,13 +3254,13 @@ MagickExport char *InterpretImageProperties(const ImageInfo *image_info, *interpret_text; register char - *q; /* current position in interpret_text */ + *q; /* current position in interpret_text */ register const char - *p; /* position in embed_text string being expanded */ + *p; /* position in embed_text string being expanded */ size_t - extent; /* allocated length of interpret_text */ + extent; /* allocated length of interpret_text */ MagickBooleanType number; @@ -3271,22 +3271,19 @@ MagickExport char *InterpretImageProperties(const ImageInfo *image_info, (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename); if (embed_text == (const char *) NULL) - return((char *) NULL); + return(ConstantString("")); p=embed_text; if (*p == '\0') return(ConstantString("")); - /* handle a '@' replace string from file */ - if (*p == '@') { - p++; - if (*p != '-' && (IsPathAccessible(p) == MagickFalse) ) { - (void) ThrowMagickException(&image->exception,GetMagickModule(), - OptionError,"UnableToAccessPath","%s",p); - return((char *) NULL); - } - return(FileToString(p,~0UL,&image->exception)); - } + if ((*p == '@') && (IsPathAccessible(p+1) != MagickFalse)) + { + /* handle a '@' replace string from file */ + interpret_text=FileToString(p+1,~0UL,&image->exception); + if (interpret_text != (char *) NULL) + return(interpret_text); + } /* Translate any embedded format characters.
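Review bot: the first hunk only re-aligns the comments on the `*q`, `*p` and `extent` declarations; for a minimal security backport drop it so the cherry-pick carries nothing but the behaviour change.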
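Review bot: the second hunk changes more than the subject line says, and both changes belong in the patch header: the NULL `embed_text` case now returns `ConstantString("")` instead of NULL, so callers that tested for NULL now receive a heap string they must free, and the `@` branch no longer throws `UnableToAccessPath` when the file is unreadable but silently falls through to format-character translation, so a mistyped `@filename` yields literal text instead of an error. The explicit `@-` (stdin) case is also gone; confirm `IsPathAccessible("-")` covers it or that losing it is acceptable.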
From: Cristy <urban-warr...@imagemagick.org> Date: Sat, 30 Apr 2016 14:56:34 -0400 Subject: Indirect filename must be authorized by policy (cherry picked from commit 25040d1c8e48c0586297159bf9756a21e857a549) Bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588 Bug-CVE: CVE-2016-3714 Bug-Debian: https://bugs.debian.org/823542 --- magick/property.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/magick/property.c b/magick/property.c index 36c3aab..bd28b98 100644 --- a/magick/property.c +++ b/magick/property.c @@ -67,6 +67,7 @@ #include "magick/monitor.h" #include "magick/montage.h" #include "magick/option.h" +#include "magick/policy.h" #include "magick/profile.h" #include "magick/property.h" #include "magick/quantum.h" @@ -3273,18 +3274,24 @@ MagickExport char *InterpretImageProperties(const ImageInfo *image_info, if (embed_text == (const char *) NULL) return(ConstantString("")); p=embed_text; - + while ((isspace((int) ((unsigned char) *p)) != 0) && (*p != '\0')) + p++; if (*p == '\0') return(ConstantString("")); - if ((*p == '@') && (IsPathAccessible(p+1) != MagickFalse)) - { + { /* handle a '@' replace string from file */ + if (IsRightsAuthorized(PathPolicyDomain,ReadPolicyRights,p) == MagickFalse) + { + errno=EPERM; + (void) ThrowMagickException(&image->exception,GetMagickModule(), + PolicyError,"NotAuthorized","`%s'",p); + return(ConstantString("")); + } interpret_text=FileToString(p+1,~0UL,&image->exception); if (interpret_text != (char *) NULL) return(interpret_text); } - /* Translate any embedded format characters. */
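Review bot: as extracted, the second hunk removes the `if ((*p == '@') && (IsPathAccessible(p+1) != MagickFalse))` line and leaves a bare `{` block; if that is really what the patch does, the policy check and `FileToString(p+1,...)` run for every property string, so verify the guard survives in the applied patch. Two behaviour notes for the header: leading whitespace is now skipped before the `@` test, so `" @file"` is treated as an indirect read where it previously was not, and `IsRightsAuthorized` receives `p` with the `@` still attached while `FileToString` gets `p+1`, so a `path` policy meant to block this must match the leading `@` (a bare filename pattern will not).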
From: Simon McVittie <s...@debian.org> Date: Mon, 9 May 2016 08:48:41 +0100 Subject: Disarm CVE-2016-3717 by preventing indirect reads with label:@ Bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588 Bug-CVE: CVE-2016-3717 Bug-Debian: https://bugs.debian.org/823542 --- config/policy.xml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/policy.xml b/config/policy.xml index 36ae4ef..e6364f9 100644 --- a/config/policy.xml +++ b/config/policy.xml @@ -76,4 +76,7 @@ <policy domain="coder" rights="none" pattern="SHOW" /> <policy domain="coder" rights="none" pattern="WIN" /> <policy domain="coder" rights="none" pattern="PLT" /> + + <!-- CVE-2016-3717 --> + <policy domain="path" rights="none" pattern="@*" /> </policymap>
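Review bot: this entry only takes effect once the preceding "Indirect filename must be authorized by policy" change is applied, since that is what introduces the `IsRightsAuthorized(PathPolicyDomain,...)` call; record the dependency in the header. It also blocks every `@file` indirect read, including legitimate `-caption @file` / `label:@file` use and `@-` from stdin, so the Debian changelog should say that users who need indirect reads must relax `pattern="@*"` in their own policy.xml.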
From: Cristy <urban-warr...@imagemagick.org> Date: Sat, 30 Apr 2016 10:25:54 -0400 Subject: Sanitize input filename for http / https delegates (cherry-picked from commit 2c04b05f205b5198f4c01b0c86097cba2b218fcf) [smcv: excluded apparently unrelated changes to bpg, doc, docx, odt, ppt, pptx, xls, xlsx] Bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588 Bug-CVE: CVE-2016-3714 Bug-Debian: https://bugs.debian.org/823542 --- config/delegates.xml.in | 5 +++-- magick/property.c | 23 +++++++++++++++++++++++ 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/config/delegates.xml.in b/config/delegates.xml.in index da35eff..0671af1 100644 --- a/config/delegates.xml.in +++ b/config/delegates.xml.in @@ -55,6 +55,7 @@ %w image columns (width) %x input image x resolution %y input image y resolution + %F sanitized original image filename Set option delegate:bimodal=true to process bimodal delegates otherwise they are ignored. @@ -87,7 +88,7 @@ <delegate decode="hpgl" command=""@HPGLDecodeDelegate@" -q -m eps -f `basename "%o"` "%i"; mv -f `basename "%o"` "%o""/> <delegate decode="htm" command=""@HTMLDecodeDelegate@" -U -o "%o" "%i""/> <delegate decode="html" command=""@HTMLDecodeDelegate@" -U -o "%o" "%i""/> - <delegate decode="https" command=""@WWWDecodeDelegate@" -s -k -L -o "%o" "https:%M""/> + <delegate decode="https" command=""@WWWDecodeDelegate@" -s -k -L -o "%o" "https:%F""/> <delegate decode="ilbm" command=""@ILBMDecodeDelegate@" "%i" > "%o""/> <delegate decode="jxr" command="mv "%i" "%i.jxr"; "@JXRDecodeDelegate@" -i "%i.jxr" -o "%o.bmp" -c 0; mv "%i.jxr" "%i"; mv "%o.bmp" "%o""/> <delegate decode="man" command=""@MANDelegate@" -man -Tps "%i" > "%o""/> 
@@ -132,5 +133,5 @@ <delegate decode="xps:cmyk" stealth="True" command=""@XPSDelegate@" -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=@XPSCMYKDevice@" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "%s""/> <delegate decode="xps:color" stealth="True" command=""@XPSDelegate@" -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=@XPSColorDevice@" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "%s""/> <delegate decode="xps:mono" stealth="True" command=""@XPSDelegate@" -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=@XPSMonoDevice@" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "%s""/> - <delegate encode="mpeg:encode" stealth="True" command=""@MPEGEncodeDelegate@" -v -1 -i "%M%%d.jpg" "%u.%m" 2> "%Z""/> + <delegate encode="mpeg:encode" stealth="True" command=""@MPEGEncodeDelegate@" -v -1 -i "%F%%d.jpg" "%u.%m" 2> "%Z""/> </delegatemap> diff --git a/magick/property.c b/magick/property.c index bd28b98..826b8dc 100644 --- a/magick/property.c +++ b/magick/property.c @@ -2517,6 +2517,29 @@ static const char *GetMagickPropertyLetter(const ImageInfo *image_info, CommandOptionToMnemonic(MagickDisposeOptions,(ssize_t) image->dispose)); break; } + case 'F': + { + const char + *q; + + register char + *p; + + static char + whitelist[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_- " + ".@&;<>()/\\\'\":%=~`"; + + /* + Magick filename (sanitized) - filename given incl. coder & read mods. + */ + (void) CopyMagickString(value,image->magick_filename,MaxTextExtent); + p=value; + q=value+strlen(value); + for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist)) + *p='_'; + break; + } case 'G': { /*
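Review bot: the subject says http / https but only the `https` delegate line in delegates.xml.in is changed; confirm there is no separate `http` delegate entry in this version that still interpolates `%M`, and check whether any other delegate command still passes an unsanitized filename into a shell command.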
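Review bot: the whitelist in the `case 'F':` hunk still admits `"`, `'`, the backtick and the backslash, which are exactly the characters that can close or escape the double-quoted `"https:%F"` argument, so on its own this hunk does not achieve the sanitization the subject promises; the "Second effort to sanitize input string" patch later in this series drops them, so either squash that patch into this one or state in the header that this change is incomplete without it. Minor: `whitelist` can be `static const char`.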
From: Cristy <urban-warr...@imagemagick.org> Date: Mon, 2 May 2016 10:23:55 -0400 Subject: Second effort to sanitize input string (cherry picked from commit 091b7b46e132cd7b4142e7b81ac7764502c7e08b) Bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588 Bug-CVE: CVE-2016-3714 Bug-Debian: https://bugs.debian.org/823542 --- magick/property.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/magick/property.c b/magick/property.c index 826b8dc..4f31ce5 100644 --- a/magick/property.c +++ b/magick/property.c @@ -2527,8 +2527,8 @@ static const char *GetMagickPropertyLetter(const ImageInfo *image_info, static char whitelist[] = - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_- " - ".@&;<>()/\\\'\":%=~`"; + "^-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" + "+&@#/%?=~_|!:,.;()"; /* Magick filename (sanitized) - filename given incl. coder & read mods.
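Review bot: the new whitelist begins with `^-`, which looks like character-class syntax but, because the string is consumed by `strspn`, simply makes `^` and `-` literal members; add a comment saying so before someone "fixes" it. The remaining `&`, `|`, `!`, `;`, `(` and `)` are only safe because every `%F` use in delegates.xml.in sits inside double quotes (`"https:%F"`, `"%F%%d.jpg"`), so that invariant should be stated next to the `%F` description in the delegates.xml.in header.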
From: Simon McVittie <s...@debian.org> Date: Mon, 9 May 2016 08:56:12 +0100 Subject: Remove GNUPlot delegate (CVE-2016-3714) Misleadingly, this was part of upstream commits e87116ab2bd070c47943d4118a18c8f3a47461e2 and 70a2cf326ed32bedee144b961005c63846541a16 "Update to the latest autoconf / automake". It appears to have been treated as part of the scope of CVE-2016-3714. Bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588 Bug-CVE: CVE-2016-3714 Bug-Debian: https://bugs.debian.org/823542 --- config/delegates.xml.in | 1 - 1 file changed, 1 deletion(-) diff --git a/config/delegates.xml.in b/config/delegates.xml.in index 0671af1..178c5cb 100644 --- a/config/delegates.xml.in +++ b/config/delegates.xml.in 
@@ -101,7 +101,6 @@ <delegate decode="pcl:mono" stealth="True" command=""@PCLDelegate@" -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=@PCLMonoDevice@" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "%s""/> <delegate decode="pdf" encode="eps" mode="bi" command=""@PSDelegate@" -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=@GSEPSDevice@" "-sOutputFile=%o" "-f%i""/> <delegate decode="pdf" encode="ps" mode="bi" command=""@PSDelegate@" -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=@GSPSDevice@" "-sOutputFile=%o" "-f%i""/> - <delegate decode="plt" command=""@EchoDelegate@" "set size 1.25,0.62; set terminal postscript portrait color solid; set output \'%o\'; load \'%i\'" > "%u";"@GnuplotDecodeDelegate@" "%u""/> <delegate decode="png" encode="webp" command=""@WebPEncodeDelegate@" -quiet -q %Q "%i" -o "%o""/> <delegate decode="pnm" encode="ilbm" mode="encode" command=""@ILBMEncodeDelegate@" -24if "%i" > "%o""/> <delegate decode="bmp" encode="jxr" command="mv "%i" "%i.bmp"; "@JXREncodeDelegate@" -i "%i.bmp" -o "%o.jxr"; mv "%i.bmp" "%i"; mv "%o.jxr" "%o""/>
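Review bot: fine to drop, but the header should note that this is defence in depth on top of the `pattern="PLT"` coder policy earlier in the series, and that users with `.plt` files will now get a missing-delegate error instead of a rendered plot; the FIXME in the policy.xml patch can then cite this delegate, which fed `%i` to gnuplot via `load`, as the reason PLT is listed.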
From: Cristy <urban-warr...@imagemagick.org> Date: Sat, 7 May 2016 16:45:11 -0400 Subject: Less secure coders require explicit reference (e.g. mvg:my-graph.mvg) (cherry picked from commit 611b2f063eb526da5f1ec1e8045794cf28a55921) Bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588 Bug-CVE: CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, CVE-2016-3718 Bug-Debian: https://bugs.debian.org/823542 --- coders/msl.c | 1 + coders/mvg.c | 1 + coders/txt.c | 5 ++--- magick/magic.c | 1 - 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/coders/msl.c b/coders/msl.c index 713af02..987ec93 100644 --- a/coders/msl.c +++ b/coders/msl.c @@ -7816,6 +7816,7 @@ ModuleExport size_t RegisterMSLImage(void) entry->decoder=(DecodeImageHandler *) ReadMSLImage; entry->encoder=(EncodeImageHandler *) WriteMSLImage; #endif + entry->format_type=ImplicitFormatType; entry->description=ConstantString("Magick Scripting Language"); entry->module=ConstantString("MSL"); (void) RegisterMagickInfo(entry); diff --git a/coders/mvg.c b/coders/mvg.c index 2179997..c621a71 100644 --- a/coders/mvg.c +++ b/coders/mvg.c @@ -251,6 +251,7 @@ ModuleExport size_t RegisterMVGImage(void) entry->magick=(IsImageFormatHandler *) IsMVG; entry->adjoin=MagickFalse; entry->seekable_stream=MagickTrue; + entry->format_type=ImplicitFormatType; entry->description=ConstantString("Magick Vector Graphics"); entry->module=ConstantString("MVG"); (void) RegisterMagickInfo(entry); diff --git a/coders/txt.c b/coders/txt.c index e9ca738..0a602c7 100644 --- a/coders/txt.c +++ b/coders/txt.c @@ -421,8 +421,6 @@ static Image *ReadTXTImage(const ImageInfo *image_info,ExceptionInfo *exception) } (void) ResetMagickMemory(text,0,sizeof(text)); (void) ReadBlobString(image,text); - if (LocaleNCompare((char *) text,MagickID,strlen(MagickID)) != 0) - return(ReadTEXTImage(image_info,image,text,exception)); do { width=0; 
@@ -611,10 +609,11 @@ ModuleExport size_t RegisterTXTImage(void) entry->module=ConstantString("TXT"); (void) RegisterMagickInfo(entry); entry=SetMagickInfo("TEXT"); - entry->decoder=(DecodeImageHandler *) ReadTXTImage; + entry->decoder=(DecodeImageHandler *) ReadTEXTImage; entry->encoder=(EncodeImageHandler *) WriteTXTImage; entry->raw=MagickTrue; entry->endian_support=MagickTrue; + entry->format_type=ImplicitFormatType; entry->description=ConstantString("Text"); entry->module=ConstantString("TXT"); (void) RegisterMagickInfo(entry); diff --git a/magick/magic.c b/magick/magic.c index 0b54471..fbf89fe 100644 --- a/magick/magic.c +++ b/magick/magic.c @@ -142,7 +142,6 @@ static const MagicMapInfo { "MPC", 0, MagickString("id=MagickCache") }, { "MPEG", 0, MagickString("\000\000\001\263") }, { "MRW", 0, MagickString("\x00MRM") }, - { "MVG", 0, MagickString("push graphic-context") }, { "ORF", 0, MagickString("IIRO\x08\x00\x00\x00") }, { "PCD", 2048, MagickString("PCD_") }, { "PCL", 0, MagickString("\033E\033") },
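Review bot: the `entry->format_type=ImplicitFormatType;` lines in msl.c, mvg.c and txt.c only do something if the target version already has the `format_type` member and the `ImplicitFormatType` enumerator and consults them when resolving a format; no hunk here adds either, so confirm they exist in the version being patched (otherwise the cherry-pick will not compile) and document what the consumer does.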
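Review bot: after the first txt.c hunk ReadTXTImage no longer diverts input lacking the `MagickID` header to ReadTEXTImage, so a plain text file opened as `txt:` goes straight into the pixel-enumeration `do` loop; make sure that loop fails cleanly on input without the header rather than silently producing an empty or garbage image.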
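Review bot: `entry->decoder=(DecodeImageHandler *) ReadTEXTImage;` in the RegisterTXTImage hunk requires ReadTEXTImage to have the `(const ImageInfo *,ExceptionInfo *)` decoder signature, but the call removed in the earlier hunk invoked it as `ReadTEXTImage(image_info,image,text,exception)`; the cast hides the mismatch, so a hunk changing ReadTEXTImage's prototype must accompany this one (none is shown here).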
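Review bot: removing the `push graphic-context` entry from magic.c means MVG content is only handled with an explicit `mvg:` prefix, which is the intent, but it also changes behaviour for any existing workflow that relied on autodetection; say so in the changelog.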
From: Cristy <urban-warr...@imagemagick.org> Date: Sat, 7 May 2016 08:24:34 -0400 Subject: Remove support for internal ephemeral coder. (cherry picked from commit 5746147c01efcaf0223586a84d196550e5736fdd) Bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588 Bug-CVE: CVE-2016-3715 Bug-Debian: https://bugs.debian.org/823542 --- config/delegates.xml.in | 6 ++---- magick/image.c | 6 +----- magick/magick.c | 6 ------ 3 files changed, 3 insertions(+), 15 deletions(-) diff --git a/config/delegates.xml.in b/config/delegates.xml.in index 178c5cb..afa67de 100644 --- a/config/delegates.xml.in +++ b/config/delegates.xml.in @@ -63,10 +63,8 @@ If stealth="True" the delegate is not listed in user requested "-list delegate" listings. These are typically special internal delegates. - If spawn="True" ImageMagick will not way for the delegate to finish, - nor will it read any output image. It will only wait for either the input - file to be removed (See "ephemeral:" coder) indicating that the input file - has been read, or a maximum time limit of 2 seconds. + If spawn="True" ImageMagick will not wait for the delegate to finish, nor will + it read any output image. --> <delegatemap> <delegate decode="autotrace" stealth="True" command=""@ConvertDelegate@" "%i" "pnm:%u"\n"@AutotraceDecodeDelegate@" -input-format pnm -output-format svg -output-file "%o" "%u""/> diff --git a/magick/image.c b/magick/image.c index e9d4a49..20e0c8b 100644 --- a/magick/image.c +++ b/magick/image.c @@ -2623,7 +2623,6 @@ MagickExport MagickBooleanType SetImageInfo(ImageInfo *image_info, "BROWSE", "DCRAW", "EDIT", - "EPHEMERAL", "LAUNCH", "MPEG:DECODE", "MPEG:ENCODE", 
@@ -2688,10 +2687,7 @@ MagickExport MagickBooleanType SetImageInfo(ImageInfo *image_info, if (IsMagickConflict(magic) == MagickFalse) { (void) CopyMagickString(image_info->magick,magic,MaxTextExtent); - if (LocaleCompare(magic,"EPHEMERAL") != 0) - image_info->affirm=MagickTrue; - else - image_info->temporary=MagickTrue; + image_info->affirm=MagickTrue; } } magick_info=GetMagickInfo(magic,sans_exception); diff --git a/magick/magick.c b/magick/magick.c index 35c12aa..00b0537 100644 --- a/magick/magick.c +++ b/magick/magick.c @@ -851,12 +851,6 @@ static MagickBooleanType IsMagickTreeInstantiated(ExceptionInfo *exception) if (magick_list == (SplayTreeInfo *) NULL) ThrowFatalException(ResourceLimitFatalError, "MemoryAllocationFailed"); - magick_info=SetMagickInfo("ephemeral"); - magick_info->stealth=MagickTrue; - status=AddValueToSplayTree(magick_list,magick_info->name,magick_info); - if (status == MagickFalse) - ThrowFatalException(ResourceLimitFatalError, - "MemoryAllocationFailed"); magick_info=SetMagickInfo("clipmask"); magick_info->stealth=MagickTrue; status=AddValueToSplayTree(magick_list,magick_info->name,magick_info);
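Review bot: the rewritten delegates.xml.in comment still documents `spawn="True"`, but the only consumer it described (waiting for the ephemeral input file to be removed) is gone; check whether any delegate in this file still sets spawn and, if none does, say so or drop the attribute description.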
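Review bot: in the second image.c hunk `image_info->temporary` is no longer set at all; confirm nothing downstream still relies on `temporary` to delete the input file once read (that was the ephemeral contract), or that the flag is now dead and can be removed in a follow-up. With the coder unregistered in magick.c, the `pattern="EPHEMERAL"` policy line in the first patch becomes a no-op; keep it as defence in depth but note that in its comment.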