Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Control: affects -1 + src:graphicsmagick

Hi RMs,

Two security fixes were added to graphicsmagick and I would like to get those to Bookworm.

[ Reason ]
It was found that the MIFF reader was somehow able to provide attribute data in a way which resulted in a heap overflow. There is also a memory leak fix.

[ Impact ]
The heap overflow was detected by ASAN, meaning it might be exploitable. The memory leak is in the handling of the EXIF:Orientation key, common in images.

[ Tests ]
Upstream test suite.

[ Risks ]
Minimal, but if there is any issue, upstream is quick to address it.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock graphicsmagick/1.4+really1.3.40-4

Thanks for considering,
Laszlo/GCS

diff -Nru graphicsmagick-1.4+really1.3.40/debian/changelog graphicsmagick-1.4+really1.3.40/debian/changelog --- graphicsmagick-1.4+really1.3.40/debian/changelog 2023-01-19 19:44:45.000000000 +0100 +++ graphicsmagick-1.4+really1.3.40/debian/changelog 2023-04-17 19:17:10.000000000 +0200 @@ -1,3 +1,19 @@ +graphicsmagick (1.4+really1.3.40-4) unstable; urgency=medium + + * Remove development ifdef from memory leak fix. + + -- Laszlo Boszormenyi (GCS) <g...@debian.org> Mon, 17 Apr 2023 19:17:10 +0200 + +graphicsmagick (1.4+really1.3.40-3) unstable; urgency=high + + * Backport security fixes: + - MIFF reader able to provide attribute data in way which results in + a heap overflow, + - SetImageAttribute(): eliminate memory leak when handling attribute + with key "EXIF:Orientation". + + -- Laszlo Boszormenyi (GCS) <g...@debian.org> Sun, 16 Apr 2023 14:21:32 +0200 + graphicsmagick (1.4+really1.3.40-2) unstable; urgency=medium * Don't force tiff dependency, let shlibs handle it (closes: #1029212). diff -Nru graphicsmagick-1.4+really1.3.40/debian/patches/eliminate_memory_leak_when_handling_EXIFOrientation.patch graphicsmagick-1.4+really1.3.40/debian/patches/eliminate_memory_leak_when_handling_EXIFOrientation.patch --- graphicsmagick-1.4+really1.3.40/debian/patches/eliminate_memory_leak_when_handling_EXIFOrientation.patch 1970-01-01 01:00:00.000000000 +0100 +++ graphicsmagick-1.4+really1.3.40/debian/patches/eliminate_memory_leak_when_handling_EXIFOrientation.patch 2023-04-17 19:17:10.000000000 +0200 
@@ -0,0 +1,115 @@ + +# HG changeset patch +# User Bob Friesenhahn <bfrie...@graphicsmagick.org> +# Date 1681598921 18000 +# Node ID 3ce01217413bb5b476460bbc8ab11020205eeda0 +# Parent 8bec800dbaef2d72da0e7e997ad45bece0e95893 +SetImageAttribute(): Eliminate memory leak when handling attribute with key "EXIF:Orientation" + +diff -r 8bec800dbaef -r 3ce01217413b ChangeLog +--- a/ChangeLog Sat Apr 08 18:31:31 2023 -0500 ++++ b/ChangeLog Sat Apr 15 17:48:41 2023 -0500 +@@ -1,3 +1,9 @@ ++2023-04-15 Bob Friesenhahn <bfrie...@simple.dallas.tx.us> ++ ++ * magick/attribute.c (SetImageAttribute): Eliminate memory leak ++ when handling attribute with key "EXIF:Orientation". (SourceForge ++ issue #707 "memory leaks in gm"). ++ + 2023-04-08 Bob Friesenhahn <bfrie...@simple.dallas.tx.us> + + * coders/mpc.c (ReadMPCImage): If an attribute appears multiple +diff -r 8bec800dbaef -r 3ce01217413b coders/miff.c +--- a/coders/miff.c Sat Apr 08 18:31:31 2023 -0500 ++++ b/coders/miff.c Sat Apr 15 17:48:41 2023 -0500 +@@ -761,6 +761,8 @@ SetNewImageAttribute(Image *image,const + MagickPassFail + status; + ++ status = SetImageAttribute(image,key,value); ++ + if (GetImageAttribute(image,key) == (const ImageAttribute *) NULL) + status = SetImageAttribute(image,key,value); + else +diff -r 8bec800dbaef -r 3ce01217413b magick/attribute.c +--- a/magick/attribute.c Sat Apr 08 18:31:31 2023 -0500 ++++ b/magick/attribute.c Sat Apr 15 17:48:41 2023 -0500 +@@ -3178,9 +3178,6 @@ + register ImageAttribute + *p; + +- int +- orientation; +- + /* + Initialize new attribute. + */ +@@ -3271,6 +3268,9 @@ + + if (LocaleCompare(attribute->key,"EXIF:Orientation") == 0) + { ++ int ++ orientation = 0; ++ + /* + Special handling for EXIF orientation tag. + If new value differs from existing value, +@@ -3278,17 +3278,19 @@ + is valid. Don't append new value to existing value, + replace it instead. 
+ */ +- orientation = MagickAtoI(value); +- if (orientation > 0 || orientation <= (int)LeftBottomOrientation) +- SetEXIFOrientation(image, orientation); +- +- /* Replace current attribute with new one */ +- attribute->next = p->next; +- if (p->previous == (ImageAttribute *) NULL) +- image->attributes=attribute; +- else +- p->previous->next = attribute; +- DestroyImageAttribute(p); ++ if ((MagickAtoIChk(value, &orientation) == MagickPass) && ++ (orientation > 0 || orientation <= (int)LeftBottomOrientation)) ++ { ++ SetEXIFOrientation(image, orientation); ++ } ++ /* Assign changed value to attribute in list */ ++ if (LocaleCompare(p->value, attribute->value) != 0) ++ { ++ MagickFreeMemory(p->value); ++ p->value=attribute->value; ++ attribute->value = (char *) NULL; ++ } ++ DestroyImageAttribute(attribute); + return(MagickPass); + } + else +@@ -3296,6 +3298,9 @@ + /* + Extend existing text string. This functionality is deprecated! + */ ++ fprintf(stderr, ++ "SetImageAttribute: Extending attribute value text is deprecated! (key=\"%s\")\n", ++ attribute->key); + min_l=p->length+attribute->length+1; + for (realloc_l=2; realloc_l <= min_l; realloc_l *= 2) + { /* nada */}; +diff -r 8bec800dbaef -r 3ce01217413b www/Changelog.html +--- a/www/Changelog.html Sat Apr 08 18:31:31 2023 -0500 ++++ b/www/Changelog.html Sat Apr 15 17:48:41 2023 -0500 +@@ -37,6 +37,14 @@ + </div> + + <div class="document"> ++<p>2023-04-15 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> ++<blockquote> ++<ul class="simple"> ++<li><p>magick/attribute.c (SetImageAttribute): Eliminate memory leak ++when handling attribute with key "EXIF:Orientation". 
(SourceForge ++issue #707 "memory leaks in gm").</p></li> ++</ul> ++</blockquote> + <p>2023-04-08 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> + <blockquote> + <ul class="simple"> diff -Nru graphicsmagick-1.4+really1.3.40/debian/patches/fix_bounds_issue_when_concatenating_string.patch graphicsmagick-1.4+really1.3.40/debian/patches/fix_bounds_issue_when_concatenating_string.patch --- graphicsmagick-1.4+really1.3.40/debian/patches/fix_bounds_issue_when_concatenating_string.patch 1970-01-01 01:00:00.000000000 +0100 +++ graphicsmagick-1.4+really1.3.40/debian/patches/fix_bounds_issue_when_concatenating_string.patch 2023-04-16 14:21:32.000000000 +0200 
@@ -0,0 +1,415 @@ + +# HG changeset patch +# User Bob Friesenhahn <bfrie...@graphicsmagick.org> +# Date 1680966869 18000 +# Node ID 27a561878992e8588a9c80f3fce51e66e0b55ebc +# Parent 5509b7e1b29b17b823d6bfdcf7d1519092bf7d8a +Address issues from SourceForge issue #706 test case 'bug11' + +diff -r 5509b7e1b29b -r 27a561878992 ChangeLog +--- a/ChangeLog Sun Apr 02 17:02:20 2023 -0500 ++++ b/ChangeLog Sat Apr 08 10:14:29 2023 -0500 +@@ -1,3 +1,14 @@ ++2023-04-08 Bob Friesenhahn <bfrie...@simple.dallas.tx.us> ++ ++ * coders/mpc.c (ReadMPCImage): If an attribute appears multiple ++ times in the MPC header, only set it once. ++ ++ * coders/miff.c (ReadMIFFImage): If an attribute appears multiple ++ times in the MIFF header, only set it once. ++ ++ * magick/attribute.c (SetImageAttribute): Fix bounds issue when ++ concatenating string (SourceForge issue #706 test case 'bug11'); ++ + 2023-01-14 Bob Friesenhahn <bfrie...@simple.dallas.tx.us> + + * version.sh: Updated for 1.3.40 release. +diff -r 5509b7e1b29b -r 27a561878992 coders/miff.c +--- a/coders/miff.c Sun Apr 02 17:02:20 2023 -0500 ++++ b/coders/miff.c Sat Apr 08 10:14:29 2023 -0500 +@@ -752,6 +752,23 @@ + + #define ReadMIFFMaxKeyWordCount 256 /* Arbitrary limit on keywords in one MIFF frame */ + ++/* ++ Ignore attempts to set the same attribute multiple times. 
++*/ ++static MagickPassFail ++SetNewImageAttribute(Image *image,const char *key,const char *value) ++{ ++ MagickPassFail ++ status; ++ ++ if (GetImageAttribute(image,key) == (const ImageAttribute *) NULL) ++ status = SetImageAttribute(image,key,value); ++ else ++ status = MagickFail; ++ ++ return status; ++}; ++ + static Image *ReadMIFFImage(const ImageInfo *image_info, + ExceptionInfo *exception) + { +@@ -926,7 +943,7 @@ + image); + *p='\0'; + (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Comment: \"%s\"", comment); +- (void) SetImageAttribute(image,"comment",comment); ++ (void) SetNewImageAttribute(image,"comment",comment); + comment_count++; + MagickFreeResourceLimitedMemory(comment); + c=ReadBlobByte(image); +@@ -1060,7 +1077,7 @@ + exception); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -1135,7 +1152,7 @@ + image->columns= MagickAtoL(values); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -1165,7 +1182,7 @@ + image->dispose=PreviousDispose; + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -1184,7 +1201,7 @@ + &image->chromaticity.green_primary.y); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -1201,7 +1218,7 @@ + image->iterations=MagickAtoL(values); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -1225,7 +1242,7 @@ + (void) CloneString(&image->montage,values); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? 
values+1 : values); + break; + } +@@ -1243,7 +1260,7 @@ + image->orientation=StringToOrientationType(values); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -1281,7 +1298,7 @@ + number_of_profiles++; + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -1322,7 +1339,7 @@ + image->rows= MagickAtoL(values); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -1334,7 +1351,7 @@ + image->scene=MagickAtoL(values); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -1351,7 +1368,7 @@ + image->units=PixelsPerCentimeterResolution; + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -1363,7 +1380,7 @@ + version=MagickAtoF(values); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -1377,13 +1394,13 @@ + &image->chromaticity.white_point.y); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } + default: + { +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? 
values+1 : values); + break; + } +diff -r 5509b7e1b29b -r 27a561878992 coders/mpc.c +--- a/coders/mpc.c Sun Apr 02 17:02:20 2023 -0500 ++++ b/coders/mpc.c Sat Apr 08 10:14:29 2023 -0500 +@@ -1,5 +1,5 @@ + /* +-% Copyright (C) 2003-2022 GraphicsMagick Group ++% Copyright (C) 2003-2023 GraphicsMagick Group + % Copyright (C) 2002 ImageMagick Studio + % + % This program is covered by multiple licenses, which are described in +@@ -146,6 +146,23 @@ + + #define ReadMPCMaxKeyWordCount 256 /* Arbitrary limit on number of keywords in MPC frame */ + ++/* ++ Ignore attempts to set the same attribute multiple times. ++*/ ++static MagickPassFail ++SetNewImageAttribute(Image *image,const char *key,const char *value) ++{ ++ MagickPassFail ++ status; ++ ++ if (GetImageAttribute(image,key) == (const ImageAttribute *) NULL) ++ status = SetImageAttribute(image,key,value); ++ else ++ status = MagickFail; ++ ++ return status; ++}; ++ + static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception) + { + char +@@ -294,7 +311,7 @@ + ThrowMPCReaderException(ResourceLimitError,MemoryAllocationFailed, + image); + *p='\0'; +- (void) SetImageAttribute(image,"comment",comment); ++ (void) SetNewImageAttribute(image,"comment",comment); + comment_count++; + MagickFreeResourceLimitedMemory(comment); + c=ReadBlobByte(image); +@@ -429,7 +446,7 @@ + exception); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -493,7 +510,7 @@ + image->columns= MagickAtoL(values); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -523,7 +540,7 @@ + image->dispose=PreviousDispose; + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? 
values+1 : values); + break; + } +@@ -535,7 +552,7 @@ + image->error.mean_error_per_pixel=MagickAtoF(values); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -560,7 +577,7 @@ + &image->chromaticity.green_primary.y); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -577,7 +594,7 @@ + image->iterations=MagickAtoL(values); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -617,7 +634,7 @@ + (void) CloneString(&image->montage,values); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -635,7 +652,7 @@ + image->orientation=StringToOrientationType(values); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -671,7 +688,7 @@ + number_of_profiles++; + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -683,7 +700,7 @@ + quantum_depth=MagickAtoL(values); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -724,7 +741,7 @@ + image->rows=MagickAtoL(values); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -736,7 +753,7 @@ + image->scene=MagickAtoL(values); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? 
values+1 : values); + break; + } +@@ -753,7 +770,7 @@ + image->units=PixelsPerCentimeterResolution; + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +@@ -767,13 +784,13 @@ + &image->chromaticity.white_point.y); + break; + } +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } + default: + { +- (void) SetImageAttribute(image,keyword, ++ (void) SetNewImageAttribute(image,keyword, + *values == '{' ? values+1 : values); + break; + } +diff -r 5509b7e1b29b -r 27a561878992 magick/attribute.c +--- a/magick/attribute.c Sun Apr 02 17:02:20 2023 -0500 ++++ b/magick/attribute.c Sat Apr 08 10:14:29 2023 -0500 +@@ -1,5 +1,5 @@ + /* +-% Copyright (C) 2003-2022 GraphicsMagick Group ++% Copyright (C) 2003-2023 GraphicsMagick Group + % Copyright (C) 2002 ImageMagick Studio + % + % This program is covered by multiple licenses, which are described in +@@ -3294,15 +3294,18 @@ + else + { + /* +- Extend existing text string. ++ Extend existing text string. This functionality is deprecated! 
+ */ + min_l=p->length+attribute->length+1; + for (realloc_l=2; realloc_l <= min_l; realloc_l *= 2) + { /* nada */}; + MagickReallocMemory(char *,p->value,realloc_l); + if (p->value != (char *) NULL) +- (void) strlcat(p->value+p->length,attribute->value,min_l); +- p->length += attribute->length; ++ { ++ (void) memcpy(p->value+p->length,attribute->value,min_l-p->length-1); ++ p->length += attribute->length; ++ p->value[p->length] = '\0'; ++ } + DestroyImageAttribute(attribute); + } + if (p->value != (char *) NULL) +diff -r 5509b7e1b29b -r 27a561878992 www/Changelog.html +--- a/www/Changelog.html Sun Apr 02 17:02:20 2023 -0500 ++++ b/www/Changelog.html Sat Apr 08 10:14:29 2023 -0500 +@@ -37,6 +37,17 @@ + </div> + + <div class="document"> ++<p>2023-04-08 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> ++<blockquote> ++<ul class="simple"> ++<li><p>coders/mpc.c (ReadMPCImage): If an attribute appears multiple ++times in the MPC header, only set it once.</p></li> ++<li><p>coders/miff.c (ReadMIFFImage): If an attribute appears multiple ++times in the MIFF header, only set it once.</p></li> ++<li><p>magick/attribute.c (SetImageAttribute): Fix bounds issue when ++concatenating string (SourceForge issue #706 test case 'bug11');</p></li> ++</ul> ++</blockquote> + <p>2023-01-14 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> + <blockquote> + <ul class="simple"> diff -Nru graphicsmagick-1.4+really1.3.40/debian/patches/series graphicsmagick-1.4+really1.3.40/debian/patches/series --- graphicsmagick-1.4+really1.3.40/debian/patches/series 2023-01-15 08:33:55.000000000 +0100 +++ graphicsmagick-1.4+really1.3.40/debian/patches/series 2023-04-17 19:17:10.000000000 +0200 
@@ -1,2 +1,4 @@ link-demos.diff semaphore_O0_ppc64el.patch +fix_bounds_issue_when_concatenating_string.patch +eliminate_memory_leak_when_handling_EXIFOrientation.patch
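
Review bot: In eliminate_memory_leak_when_handling_EXIFOrientation.patch, the coders/miff.c hunk (@@ -761,6 +761,8 @@) calls SetImageAttribute(image,key,value) unconditionally before the existing GetImageAttribute() check, which undoes the "ignore attempts to set the same attribute multiple times" guard that SetNewImageAttribute() was introduced for: a repeated key in a MIFF header is handed to SetImageAttribute() again. After that first call the key normally exists, so the function takes the else branch and returns MagickFail even when the set succeeded. The helper in coders/mpc.c is not changed, so the two readers now behave differently. Either drop the added line or document why the MIFF reader should bypass the guard.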
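
Review bot: In the magick/attribute.c hunk at @@ -3278,17 +3278,19 @@ (EXIF:Orientation patch), the range test "(orientation > 0 || orientation <= (int)LeftBottomOrientation)" is carried over with "||", so it is true for every integer as long as LeftBottomOrientation is not negative, and only the new MagickAtoIChk() result filters anything; "&&" matches the "is valid" wording of the comment above it. In the same block, "p->value=attribute->value" replaces the string without updating p->length, which the concatenation branch further down uses as an offset into p->value; set p->length from attribute->length alongside the pointer.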
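
Review bot: The fprintf(stderr, ...) added in the magick/attribute.c hunk at @@ -3296,6 +3298,9 @@ (EXIF:Orientation patch) makes a library function write to the process's stderr whenever an attribute value is extended, and it prints attribute->key, which the MIFF and MPC readers take from the file header, without any escaping. In a stable update this is noise for callers that treat stderr output as an error, and it lets file content place text in captured logs. Routing the message through LogMagickEvent(), as coders/miff.c already does for comments, or leaving it out of the backport, would avoid both.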
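
Review bot: SetNewImageAttribute() as added in the coders/miff.c hunk at @@ -752,6 +752,23 @@ (bounds patch) returns MagickFail for a repeated key, but every converted call site discards the result with "(void)", so duplicate header keys are dropped with no trace. A LogMagickEvent(CoderEvent, ...) line in the else branch would record when a file repeats a key, which is the input shape the ChangeLog entry for this fix describes. The definition also ends in "};"; the stray semicolon after the closing brace should be removed.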
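
Review bot: The coders/mpc.c hunk at @@ -146,6 +146,23 @@ (bounds patch) adds a second, identical static copy of SetNewImageAttribute(), including the stray ";" after the closing brace. Two private copies can drift apart, and the EXIF:Orientation patch in this same debdiff already edits only the miff.c one. A single helper kept next to SetImageAttribute() in magick/attribute.c would keep both readers consistent.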
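
Review bot: In the magick/attribute.c hunk at @@ -3294,15 +3294,18 @@ (bounds patch), the memcpy() count "min_l-p->length-1" reduces to attribute->length, because min_l is p->length+attribute->length+1; writing attribute->length directly makes the bound obvious next to "p->length += attribute->length". A short comment on why strlcat() was replaced would also help: it was passed min_l as the size although the destination pointer had already been advanced by p->length, so the size overstated the remaining space.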