main/imagemagic: security fix for CVE-2016-7799 CVE-2016-7906

fixes #6325
author: Natanael Copa <ncopa@alpinelinux.org> 2016-10-21 14:40:34 +0200
committer: Natanael Copa <ncopa@alpinelinux.org> 2016-10-21 14:40:34 +0200
commit: a9c59696d69df232d543f278c34f1241e3c1e103 (patch)
tree: 2bdee9287a40bb67d8142409d5114525eff5f2d2
parent: 7a1fa50fc838cd70f0faff3af1d1c258a13001ec (diff)
download: alpine_aports-a9c59696d69df232d543f278c34f1241e3c1e103.tar.bz2
alpine_aports-a9c59696d69df232d543f278c34f1241e3c1e103.tar.xz
alpine_aports-a9c59696d69df232d543f278c34f1241e3c1e103.zip
3 files changed, 61 insertions, 5 deletions
diff --git a/main/imagemagick/APKBUILD b/main/imagemagick/APKBUILD
index b379c98385..0ab2e44018 100644
--- a/main/imagemagick/APKBUILD
+++ b/main/imagemagick/APKBUILD
@@ -5,7 +5,7 @@ pkgname=imagemagick
 pkgver=6.9.5.9
 _abiver=6
 _pkgver=${pkgver%.*}-${pkgver##*.}
-pkgrel=0
+pkgrel=1
 pkgdesc="A collection of tools and libraries for many image formats"
 url="http://www.imagemagick.org/"
 arch="all"
@@ -15,7 +15,10 @@ options="libtool"
 makedepends="zlib-dev libpng-dev libjpeg-turbo-dev freetype-dev fontconfig-dev
        perl-dev ghostscript-dev libwebp-dev libtool tiff-dev lcms2-dev"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-c++:_cxx"
-source="http://www.imagemagick.org/download/releases/ImageMagick-$_pkgver.tar.xz"
+source="http://www.imagemagick.org/download/releases/ImageMagick-$_pkgver.tar.xz
+        CVE-2016-7799.patch
+        CVE-2016-7906.patch
+        "
 # secfixes:
 #   6.9.5.3:
@@ -28,6 +31,9 @@ source="http://www.imagemagick.org/download/releases/ImageMagick-$_pkgver.tar.xz
 #     - CVE-2016-5841
 #     - CVE-2016-5842
 #     - CVE-2016-6491
+#   6.9.5.9-r1:
+#     - CVE-2016-7799
+#     - CVE-2016-7906
 _builddir="$srcdir/ImageMagick-${_pkgver}"
 prepare() {
@@ -85,6 +91,12 @@ _cxx() {
        mv "$pkgdir"/usr/lib/libMagick++*.so.* "$subpkgdir"/usr/lib/
 }
-md5sums="fc7c456f4bee061d387a03c7484e27f1  ImageMagick-6.9.5-9.tar.xz"
+md5sums="fc7c456f4bee061d387a03c7484e27f1  ImageMagick-6.9.5-9.tar.xz
-sha256sums="9c4f300daae165a6bcf46779876f9361a958076f8cd59fa203d84c70ba5bc183  ImageMagick-6.9.5-9.tar.xz"
+a69aaa7cfb91129faf0a6180632f37cc  CVE-2016-7799.patch
-sha512sums="3aff67710305e3427e2effab5bd5b10c9f55ca9b755704cdea169dbe3653fe919ae603a37fb3d7c105b61c930d4652cf488f7a7ec0a2d847bfb66b8f6eb1db43  ImageMagick-6.9.5-9.tar.xz"
+db49949a2ab7d4f593f07dcd2dd76e66  CVE-2016-7906.patch"
+sha256sums="9c4f300daae165a6bcf46779876f9361a958076f8cd59fa203d84c70ba5bc183  ImageMagick-6.9.5-9.tar.xz
+a81409f154f1d195e559aadc0caa6b4498fd6132c8d97bc3a9b55e693cb7aa75  CVE-2016-7799.patch
+a4e525f2980d665db04f15050cfce44a2dfdbf324e442f5610dfbd045214f02f  CVE-2016-7906.patch"
+sha512sums="3aff67710305e3427e2effab5bd5b10c9f55ca9b755704cdea169dbe3653fe919ae603a37fb3d7c105b61c930d4652cf488f7a7ec0a2d847bfb66b8f6eb1db43  ImageMagick-6.9.5-9.tar.xz
+78d60bd48ac932adaaadaae0b26594cc72ba3e94a0752e28e775ad37c9eb0cd0f602c969e52dab0e196a9742559df5b4406dc116095a6a5852444d0f00a89aca  CVE-2016-7799.patch
+f64fe197b621ae7046326ad88302c8a24e70c95c8725a8cdae56586460b00bb7137228ae04a9396b0e872bde901c464f2fbf570657d5d1c1c3592900c42d626b  CVE-2016-7906.patch"
diff --git a/main/imagemagick/CVE-2016-7799.patch b/main/imagemagick/CVE-2016-7799.patch
new file mode 100644
index 0000000000..6b04f3dc4b
--- /dev/null
+++ b/main/imagemagick/CVE-2016-7799.patch
@@ -0,0 +1,22 @@
+From 00a80395a4cd17a6f420238bf9d936d3d9b65a8a Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 30 Sep 2016 15:18:03 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/280
+---
+ magick/profile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/magick/profile.c b/magick/profile.c
+index baf7e70..db4083d 100644
+--- a/magick/profile.c
+++ b/magick/profile.c
+@@ -2060,7 +2060,7 @@ static MagickBooleanType SyncExifProfile(Image *image, StringInfo *profile)
+       (void) AddValueToSplayTree(exif_resources,q,q);
+       tag_value=(ssize_t) ReadProfileShort(endian,q);
+       format=(ssize_t) ReadProfileShort(endian,q+2);
+-      if ((format-1) >= EXIF_NUM_FORMATS)
+      if ((format < 0) || ((format-1) >= EXIF_NUM_FORMATS))
+         break;
+       components=(ssize_t) ReadProfileLong(endian,q+4);
+       if (components < 0)
diff --git a/main/imagemagick/CVE-2016-7906.patch b/main/imagemagick/CVE-2016-7906.patch
new file mode 100644
index 0000000000..fc22b35278
--- /dev/null
+++ b/main/imagemagick/CVE-2016-7906.patch
@@ -0,0 +1,22 @@
+From d63a3c5729df59f183e9e110d5d8385d17caaad0 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 1 Oct 2016 11:16:55 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/281
+---
+ magick/attribute.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/magick/attribute.c b/magick/attribute.c
+index 4e01240..53d2706 100644
+--- a/magick/attribute.c
+++ b/magick/attribute.c
+@@ -1296,7 +1296,7 @@ MagickExport MagickBooleanType SetImageType(Image *image,const ImageType type)
+           status=QuantizeImage(quantize_info,image);
+           quantize_info=DestroyQuantizeInfo(quantize_info);
+         }
+-      image->colors=2;
+      status=AcquireImageColormap(image,2);
+       image->matte=MagickFalse;
+       break;
+     }
author	Natanael Copa <ncopa@alpinelinux.org>	2016-10-21 14:40:34 +0200
committer	Natanael Copa <ncopa@alpinelinux.org>	2016-10-21 14:40:34 +0200
commit	a9c59696d69df232d543f278c34f1241e3c1e103 (patch)
tree	2bdee9287a40bb67d8142409d5114525eff5f2d2
parent	7a1fa50fc838cd70f0faff3af1d1c258a13001ec (diff)
download	alpine_aports-a9c59696d69df232d543f278c34f1241e3c1e103.tar.bz2 alpine_aports-a9c59696d69df232d543f278c34f1241e3c1e103.tar.xz alpine_aports-a9c59696d69df232d543f278c34f1241e3c1e103.zip

diff --git a/main/imagemagick/APKBUILD b/main/imagemagick/APKBUILD index b379c98385..0ab2e44018 100644 --- a/main/imagemagick/APKBUILD +++ b/main/imagemagick/APKBUILD
@@ -5,7 +5,7 @@ pkgname=imagemagick
5	pkgver=6.9.5.9	5	pkgver=6.9.5.9
6	_abiver=6	6	_abiver=6
7	_pkgver=${pkgver%.}-${pkgver##.}	7	_pkgver=${pkgver%.}-${pkgver##.}
8	pkgrel=0	8	pkgrel=1
9	pkgdesc="A collection of tools and libraries for many image formats"	9	pkgdesc="A collection of tools and libraries for many image formats"
10	url="http://www.imagemagick.org/"	10	url="http://www.imagemagick.org/"
11	arch="all"	11	arch="all"
@@ -15,7 +15,10 @@ options="libtool"
15	makedepends="zlib-dev libpng-dev libjpeg-turbo-dev freetype-dev fontconfig-dev	15	makedepends="zlib-dev libpng-dev libjpeg-turbo-dev freetype-dev fontconfig-dev
16	perl-dev ghostscript-dev libwebp-dev libtool tiff-dev lcms2-dev"	16	perl-dev ghostscript-dev libwebp-dev libtool tiff-dev lcms2-dev"
17	subpackages="$pkgname-doc $pkgname-dev $pkgname-c++:_cxx"	17	subpackages="$pkgname-doc $pkgname-dev $pkgname-c++:_cxx"
18	source="http://www.imagemagick.org/download/releases/ImageMagick-$_pkgver.tar.xz"	18	source="http://www.imagemagick.org/download/releases/ImageMagick-$_pkgver.tar.xz
		19	CVE-2016-7799.patch
		20	CVE-2016-7906.patch
		21	"
19		22
20	# secfixes:	23	# secfixes:
21	# 6.9.5.3:	24	# 6.9.5.3:
@@ -28,6 +31,9 @@ source="http://www.imagemagick.org/download/releases/ImageMagick-$_pkgver.tar.xz
28	# - CVE-2016-5841	31	# - CVE-2016-5841
29	# - CVE-2016-5842	32	# - CVE-2016-5842
30	# - CVE-2016-6491	33	# - CVE-2016-6491
		34	# 6.9.5.9-r1:
		35	# - CVE-2016-7799
		36	# - CVE-2016-7906
31		37
32	_builddir="$srcdir/ImageMagick-${_pkgver}"	38	_builddir="$srcdir/ImageMagick-${_pkgver}"
33	prepare() {	39	prepare() {
@@ -85,6 +91,12 @@ _cxx() {
85	mv "$pkgdir"/usr/lib/libMagick++.so. "$subpkgdir"/usr/lib/	91	mv "$pkgdir"/usr/lib/libMagick++.so. "$subpkgdir"/usr/lib/
86	}	92	}
87		93
88	md5sums="fc7c456f4bee061d387a03c7484e27f1 ImageMagick-6.9.5-9.tar.xz"	94	md5sums="fc7c456f4bee061d387a03c7484e27f1 ImageMagick-6.9.5-9.tar.xz
89	sha256sums="9c4f300daae165a6bcf46779876f9361a958076f8cd59fa203d84c70ba5bc183 ImageMagick-6.9.5-9.tar.xz"	95	a69aaa7cfb91129faf0a6180632f37cc CVE-2016-7799.patch
90	sha512sums="3aff67710305e3427e2effab5bd5b10c9f55ca9b755704cdea169dbe3653fe919ae603a37fb3d7c105b61c930d4652cf488f7a7ec0a2d847bfb66b8f6eb1db43 ImageMagick-6.9.5-9.tar.xz"	96	db49949a2ab7d4f593f07dcd2dd76e66 CVE-2016-7906.patch"
		97	sha256sums="9c4f300daae165a6bcf46779876f9361a958076f8cd59fa203d84c70ba5bc183 ImageMagick-6.9.5-9.tar.xz
		98	a81409f154f1d195e559aadc0caa6b4498fd6132c8d97bc3a9b55e693cb7aa75 CVE-2016-7799.patch
		99	a4e525f2980d665db04f15050cfce44a2dfdbf324e442f5610dfbd045214f02f CVE-2016-7906.patch"
		100	sha512sums="3aff67710305e3427e2effab5bd5b10c9f55ca9b755704cdea169dbe3653fe919ae603a37fb3d7c105b61c930d4652cf488f7a7ec0a2d847bfb66b8f6eb1db43 ImageMagick-6.9.5-9.tar.xz
		101	78d60bd48ac932adaaadaae0b26594cc72ba3e94a0752e28e775ad37c9eb0cd0f602c969e52dab0e196a9742559df5b4406dc116095a6a5852444d0f00a89aca CVE-2016-7799.patch
		102	f64fe197b621ae7046326ad88302c8a24e70c95c8725a8cdae56586460b00bb7137228ae04a9396b0e872bde901c464f2fbf570657d5d1c1c3592900c42d626b CVE-2016-7906.patch"


diff --git a/main/imagemagick/CVE-2016-7799.patch b/main/imagemagick/CVE-2016-7799.patch new file mode 100644 index 0000000000..6b04f3dc4b --- /dev/null +++ b/main/imagemagick/CVE-2016-7799.patch
@@ -0,0 +1,22 @@
		1	From 00a80395a4cd17a6f420238bf9d936d3d9b65a8a Mon Sep 17 00:00:00 2001
		2	From: Cristy <urban-warrior@imagemagick.org>
		3	Date: Fri, 30 Sep 2016 15:18:03 -0400
		4	Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/280
		5
		6	---
		7	magick/profile.c \| 2 +-
		8	1 file changed, 1 insertion(+), 1 deletion(-)
		9
		10	diff --git a/magick/profile.c b/magick/profile.c
		11	index baf7e70..db4083d 100644
		12	--- a/magick/profile.c
		13	+++ b/magick/profile.c
		14	@@ -2060,7 +2060,7 @@ static MagickBooleanType SyncExifProfile(Image image, StringInfo profile)
		15	(void) AddValueToSplayTree(exif_resources,q,q);
		16	tag_value=(ssize_t) ReadProfileShort(endian,q);
		17	format=(ssize_t) ReadProfileShort(endian,q+2);
		18	- if ((format-1) >= EXIF_NUM_FORMATS)
		19	+ if ((format < 0) \|\| ((format-1) >= EXIF_NUM_FORMATS))
		20	break;
		21	components=(ssize_t) ReadProfileLong(endian,q+4);
		22	if (components < 0)


diff --git a/main/imagemagick/CVE-2016-7906.patch b/main/imagemagick/CVE-2016-7906.patch new file mode 100644 index 0000000000..fc22b35278 --- /dev/null +++ b/main/imagemagick/CVE-2016-7906.patch
@@ -0,0 +1,22 @@
		1	From d63a3c5729df59f183e9e110d5d8385d17caaad0 Mon Sep 17 00:00:00 2001
		2	From: Cristy <urban-warrior@imagemagick.org>
		3	Date: Sat, 1 Oct 2016 11:16:55 -0400
		4	Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/281
		5
		6	---
		7	magick/attribute.c \| 2 +-
		8	1 file changed, 1 insertion(+), 1 deletion(-)
		9
		10	diff --git a/magick/attribute.c b/magick/attribute.c
		11	index 4e01240..53d2706 100644
		12	--- a/magick/attribute.c
		13	+++ b/magick/attribute.c
		14	@@ -1296,7 +1296,7 @@ MagickExport MagickBooleanType SetImageType(Image *image,const ImageType type)
		15	status=QuantizeImage(quantize_info,image);
		16	quantize_info=DestroyQuantizeInfo(quantize_info);
		17	}
		18	- image->colors=2;
		19	+ status=AcquireImageColormap(image,2);
		20	image->matte=MagickFalse;
		21	break;
		22	}