[Pkg-gmagick-im-team] Bug#825799: imagemagick: CVE-2016-5118
Emilio Pozuelo Monfort
pochu at debian.org
Tue May 31 23:26:17 UTC 2016
Hi,
On Mon, 30 May 2016 07:29:32 +0200 Salvatore Bonaccorso <carnil at debian.org> wrote:
> Source: imagemagick
> Version: 8:6.8.9.9-7
> Severity: grave
> Tags: security upstream patch
>
> Hi,
>
> the following vulnerability was published for imagemagick.
>
> CVE-2016-5118[0]:
> popen() shell vulnerability via filename
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-5118
> [1] http://www.openwall.com/lists/oss-security/2016/05/29/7
>
> Please adjust the affected versions in the BTS as needed.
Upstream committed this patch:
http://git.imagemagick.org/repos/ImageMagick/commit/ca430ff77794980941ff0fa0d2fc463b50c2c6b7
I prepared an update for wheezy and tested it. Without the patch I could
reproduce the bug and with it I could not. All tests still pass. See wheezy.debdiff.
I also tested this on sid. See sid.debdiff.
I haven't had the time to look at jessie but the change should be similar.
@maintainers: Would you like to upload this fix yourself, or do you want me to do it?
Just for wheezy/jessie or also for unstable?
Cheers,
Emilio
-------------- next part (attachment sid.debdiff: imagemagick 8:6.8.9.9-7.1, unstable) --------------
diff -Nru imagemagick-6.8.9.9/debian/changelog imagemagick-6.8.9.9/debian/changelog
--- imagemagick-6.8.9.9/debian/changelog 2016-01-17 21:45:14.000000000 +0100
+++ imagemagick-6.8.9.9/debian/changelog 2016-06-01 00:38:16.000000000 +0200
@@ -1,3 +1,12 @@
+imagemagick (8:6.8.9.9-7.1) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * 0082-Fix-CVE-2016-5118-disable-filename-pipes.patch:
+ + Fix CVE-2016-5118: disable pipes in filenames to avoid arbitrary
+ command execution.
+
+ -- Emilio Pozuelo Monfort <pochu at debian.org> Wed, 01 Jun 2016 00:37:30 +0200
+
imagemagick (8:6.8.9.9-7) unstable; urgency=low
* Fix various minor security issues
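Review bot: the new changelog entry does not close the bug it fixes; add "(Closes: #825799)" to the CVE line so the BTS is updated on upload, and name the upstream commit (ca430ff77794980941ff0fa0d2fc463b50c2c6b7) so the origin of 0082-Fix-CVE-2016-5118-disable-filename-pipes.patch is traceable from the changelog alone. The entry also only says pipes are disabled: anyone who relied on "|command" filenames loses that feature silently, so a sentence noting the new --enable-pipes configure switch (off by default) would help.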
diff -Nru imagemagick-6.8.9.9/debian/patches/0082-Fix-CVE-2016-5118-disable-filename-pipes.patch imagemagick-6.8.9.9/debian/patches/0082-Fix-CVE-2016-5118-disable-filename-pipes.patch
--- imagemagick-6.8.9.9/debian/patches/0082-Fix-CVE-2016-5118-disable-filename-pipes.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.8.9.9/debian/patches/0082-Fix-CVE-2016-5118-disable-filename-pipes.patch 2016-06-01 00:39:40.000000000 +0200
@@ -0,0 +1,32 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -706,6 +706,18 @@
+ CFLAGS="$CFLAGS -DMAGICKCORE_HDRI_ENABLE=$magick_hdri_enable"
+ CPPFLAGS="$CPPFLAGS -DMAGICKCORE_HDRI_ENABLE=$magick_hdri_enable"
+
++# Enable pipes (|) in filenames.
++AC_ARG_ENABLE([pipes],
++ [AC_HELP_STRING([--enable-pipes],
++ [enable pipes (|) in filenames])],
++ [enable_pipes=$enableval],
++ [enable_pipes='no'])
++
++if test "$enable_pipes" = 'yes'; then
++ AC_DEFINE(PIPES_SUPPORT,1,[enable pipes (|) in filenames])
++ MAGICK_FEATURES="Pipes $MAGICK_FEATURES"
++fi
++
+ # Build a version of ImageMagick with assert statements.
+ AC_ARG_ENABLE([assert],
+ [AC_HELP_STRING([--disable-assert],
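Review bot: the patch file has no DEP-3 header, so nothing in debian/patches/ records where 0082 comes from; add "Origin: http://git.imagemagick.org/repos/ImageMagick/commit/ca430ff77794980941ff0fa0d2fc463b50c2c6b7", "Bug-Debian: https://bugs.debian.org/825799" and a one-line Description above the first "--- a/configure.ac". In the hunk itself, AC_DEFINE(PIPES_SUPPORT,1,...) only becomes MAGICKCORE_PIPES_SUPPORT, the name blob.c tests, through the prefixing ImageMagick applies to its generated config header, the same way HAVE_POPEN shows up as MAGICKCORE_HAVE_POPEN; a short comment next to the AC_DEFINE saying so would save the next reader a search.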
+--- a/magick/blob.c
++++ b/magick/blob.c
+@@ -2494,7 +2494,7 @@
+ image->blob->exempt=MagickTrue;
+ return(MagickTrue);
+ }
+-#if defined(MAGICKCORE_HAVE_POPEN)
++#if defined(MAGICKCORE_HAVE_POPEN) && defined(MAGICKCORE_PIPES_SUPPORT)
+ if (*filename == '|')
+ {
+ char
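Review bot: this hunk only widens the #if, so in the default build a filename beginning with '|' falls through to the ordinary open path and fails as a nonexistent file, which is the intended result. Two things to confirm before upload: that the #endif closing this block (outside the hunk) has no #else branch that would now be taken, and that no other popen() call site in the tree handles pipe filenames. Note also that this unstable debdiff patches configure.ac but not configure, so it relies on the package regenerating configure at build time (dh_autoreconf); if it does not, MAGICKCORE_PIPES_SUPPORT is simply never defined and the pipe code is still compiled out, so the fix holds either way, but the --enable-pipes option would not exist.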
diff -Nru imagemagick-6.8.9.9/debian/patches/series imagemagick-6.8.9.9/debian/patches/series
--- imagemagick-6.8.9.9/debian/patches/series 2016-01-17 21:45:18.000000000 +0100
+++ imagemagick-6.8.9.9/debian/patches/series 2016-06-01 00:37:22.000000000 +0200
@@ -74,3 +74,4 @@
0073-Fixed-memory-leaks.patch
0074-Fix-overflow-in-pict-image-parsing.patch
0075-Fix-buffer-overflow-in-icon-parsing-code.patch
+0082-Fix-CVE-2016-5118-disable-filename-pipes.patch
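Review bot: the unstable series jumps from 0075 to 0082; 0076 to 0081 exist only in the wheezy package (see the other debdiff, where 0079 to 0081 precede the new entry). Keeping the same filename in every suite is a fair reason, but the gap reads as six missing patches, so either renumber to 0076 here or keep 0082 and say why in the changelog.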
-------------- next part (attachment wheezy.debdiff: imagemagick 8:6.7.7.10-5+deb7u6, wheezy) --------------
diff -Nru imagemagick-6.7.7.10/debian/changelog imagemagick-6.7.7.10/debian/changelog
--- imagemagick-6.7.7.10/debian/changelog 2016-05-23 02:23:46.000000000 +0200
+++ imagemagick-6.7.7.10/debian/changelog 2016-05-31 22:44:06.000000000 +0200
@@ -1,3 +1,12 @@
+imagemagick (8:6.7.7.10-5+deb7u6) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload by the Debian LTS team.
+ * 0082-Fix-CVE-2016-5118-disable-filename-pipes.patch:
+ + Fix CVE-2016-5118: disable pipes in filenames to avoid arbitrary
+ command execution.
+
+ -- Emilio Pozuelo Monfort <pochu at debian.org> Tue, 31 May 2016 22:42:22 +0200
+
imagemagick (8:6.7.7.10-5+deb7u5) wheezy-security; urgency=high
* Non-maintainer upload by the Debian LTS Team.
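Review bot: as with the unstable entry, the CVE line should carry "(Closes: #825799)". The previous wheezy entry was uploaded as "wheezy-security; urgency=high"; when UNRELEASED is replaced for upload, use the same distribution, and urgency=high rather than medium is the usual choice for a security upload that closes an arbitrary command execution bug.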
diff -Nru imagemagick-6.7.7.10/debian/patches/0082-Fix-CVE-2016-5118-disable-filename-pipes.patch imagemagick-6.7.7.10/debian/patches/0082-Fix-CVE-2016-5118-disable-filename-pipes.patch
--- imagemagick-6.7.7.10/debian/patches/0082-Fix-CVE-2016-5118-disable-filename-pipes.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.7.7.10/debian/patches/0082-Fix-CVE-2016-5118-disable-filename-pipes.patch 2016-05-31 23:14:31.000000000 +0200
@@ -0,0 +1,167 @@
+--- a/configure
++++ b/configure
+@@ -1084,6 +1084,7 @@
+ docdir
+ oldincludedir
+ includedir
++runstatedir
+ localstatedir
+ sharedstatedir
+ sysconfdir
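Review bot: this hunk, the four further runstatedir hunks in configure below it, and the five LARGE_OFF_T hunks (at 9957, 10003, 10027, 10072 and 10096) are not part of the fix: they are the difference between the configure shipped in 6.7.7.10 and one regenerated with a newer autoconf, which adds --runstatedir and rewrote the AC_SYS_LARGEFILE probe. They are harmless, but they make a security patch several times larger than it needs to be and bury the real change; trim 0082 to the enable_pipes hunks in configure (plus configure.ac and magick/blob.c), or, if the wheezy package can run autoreconf at build time, drop the configure part entirely as the unstable debdiff does.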
+@@ -1136,6 +1137,7 @@
+ enable_cipher
+ enable_zero_configuration
+ enable_hdri
++enable_pipes
+ enable_assert
+ enable_maintainer_mode
+ enable_ccmalloc
+@@ -1255,6 +1257,7 @@
+ sysconfdir='${prefix}/etc'
+ sharedstatedir='${prefix}/com'
+ localstatedir='${prefix}/var'
++runstatedir='${localstatedir}/run'
+ includedir='${prefix}/include'
+ oldincludedir='/usr/include'
+ docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
+@@ -1507,6 +1510,15 @@
+ | -silent | --silent | --silen | --sile | --sil)
+ silent=yes ;;
+
++ -runstatedir | --runstatedir | --runstatedi | --runstated \
++ | --runstate | --runstat | --runsta | --runst | --runs \
++ | --run | --ru | --r)
++ ac_prev=runstatedir ;;
++ -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
++ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
++ | --run=* | --ru=* | --r=*)
++ runstatedir=$ac_optarg ;;
++
+ -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
+ ac_prev=sbindir ;;
+ -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
+@@ -1644,7 +1656,7 @@
+ for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
+ datadir sysconfdir sharedstatedir localstatedir includedir \
+ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
+- libdir localedir mandir
++ libdir localedir mandir runstatedir
+ do
+ eval ac_val=\$$ac_var
+ # Remove trailing slashes.
+@@ -1797,6 +1809,7 @@
+ --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
+ --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
+ --localstatedir=DIR modifiable single-machine data [PREFIX/var]
++ --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
+ --libdir=DIR object code libraries [EPREFIX/lib]
+ --includedir=DIR C header files [PREFIX/include]
+ --oldincludedir=DIR C header files for non-gcc [/usr/include]
+@@ -1867,6 +1880,7 @@
+ zero-configuration ImageMagick
+ --enable-hdri accurately represent the wide range of intensity
+ levels found in real scenes
++ --enable-pipes enable pipes (|) in filenames
+ --disable-assert disable assert() statements in build
+ --enable-maintainer-mode enable make rules and dependencies not useful
+ (and sometimes confusing) to the casual installer
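Review bot: the help line "--enable-pipes enable pipes (|) in filenames" does not say what enabling it costs; make it something like "enable pipes (|) in filenames (re-enables popen() on filenames, CVE-2016-5118)" so nobody turns it on to fix a build recipe without noticing what it reopens, and keep the AC_HELP_STRING in configure.ac and this generated line in sync.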
+@@ -9957,7 +9971,7 @@
+ We can't simply define LARGE_OFF_T to be 9223372036854775807,
+ since some C++ compilers masquerading as C compilers
+ incorrectly reject 9223372036854775807. */
+-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
++#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+ int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+ && LARGE_OFF_T % 2147483647 == 1)
+ ? 1 : -1];
+@@ -10003,7 +10017,7 @@
+ We can't simply define LARGE_OFF_T to be 9223372036854775807,
+ since some C++ compilers masquerading as C compilers
+ incorrectly reject 9223372036854775807. */
+-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
++#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+ int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+ && LARGE_OFF_T % 2147483647 == 1)
+ ? 1 : -1];
+@@ -10027,7 +10041,7 @@
+ We can't simply define LARGE_OFF_T to be 9223372036854775807,
+ since some C++ compilers masquerading as C compilers
+ incorrectly reject 9223372036854775807. */
+-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
++#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+ int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+ && LARGE_OFF_T % 2147483647 == 1)
+ ? 1 : -1];
+@@ -10072,7 +10086,7 @@
+ We can't simply define LARGE_OFF_T to be 9223372036854775807,
+ since some C++ compilers masquerading as C compilers
+ incorrectly reject 9223372036854775807. */
+-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
++#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+ int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+ && LARGE_OFF_T % 2147483647 == 1)
+ ? 1 : -1];
+@@ -10096,7 +10110,7 @@
+ We can't simply define LARGE_OFF_T to be 9223372036854775807,
+ since some C++ compilers masquerading as C compilers
+ incorrectly reject 9223372036854775807. */
+-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
++#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+ int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+ && LARGE_OFF_T % 2147483647 == 1)
+ ? 1 : -1];
+@@ -21784,6 +21798,22 @@
+ MAGICK_FEATURES="HDRI $MAGICK_FEATURES"
+ fi
+
++# Enable pipes (|) in filenames.
++# Check whether --enable-pipes was given.
++if test "${enable_pipes+set}" = set; then :
++ enableval=$enable_pipes; enable_pipes=$enableval
++else
++ enable_pipes='no'
++fi
++
++
++if test "$enable_pipes" = 'yes'; then
++
++$as_echo "#define PIPES_SUPPORT 1" >>confdefs.h
++
++ MAGICK_FEATURES="Pipes $MAGICK_FEATURES"
++fi
++
+ # Build a version of ImageMagick with assert statements.
+ # Check whether --enable-assert was given.
+ if test "${enable_assert+set}" = set; then :
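Review bot: this generated block matches the configure.ac hunk below it (default 'no', PIPES_SUPPORT written to confdefs.h, "Pipes" prepended to MAGICK_FEATURES), which is what is needed when configure is patched by hand rather than regenerated. Because MAGICK_FEATURES is what ends up in the "Features:" line of `convert -version`, a built package can be checked for the absence of "Pipes" there; that one-line check is worth recording alongside the "without the patch I could reproduce the bug" test in the upload mail.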
+--- a/configure.ac
++++ b/configure.ac
+@@ -622,6 +622,18 @@
+ fi
+ AC_SUBST(MAGICK_HDRI)dnl
+
++# Enable pipes (|) in filenames.
++AC_ARG_ENABLE([pipes],
++ [AC_HELP_STRING([--enable-pipes],
++ [enable pipes (|) in filenames])],
++ [enable_pipes=$enableval],
++ [enable_pipes='no'])
++
++if test "$enable_pipes" = 'yes'; then
++ AC_DEFINE(PIPES_SUPPORT,1,[enable pipes (|) in filenames])
++ MAGICK_FEATURES="Pipes $MAGICK_FEATURES"
++fi
++
+ # Build a version of ImageMagick with assert statements.
+ AC_ARG_ENABLE([assert],
+ [AC_HELP_STRING([--disable-assert],
+--- a/magick/blob.c
++++ b/magick/blob.c
+@@ -2427,7 +2427,7 @@
+ image->blob->exempt=MagickTrue;
+ return(MagickTrue);
+ }
+-#if defined(MAGICKCORE_HAVE_POPEN)
++#if defined(MAGICKCORE_HAVE_POPEN) && defined(MAGICKCORE_PIPES_SUPPORT)
+ if (*filename == '|')
+ {
+ char
diff -Nru imagemagick-6.7.7.10/debian/patches/series imagemagick-6.7.7.10/debian/patches/series
--- imagemagick-6.7.7.10/debian/patches/series 2016-05-23 02:23:16.000000000 +0200
+++ imagemagick-6.7.7.10/debian/patches/series 2016-05-31 22:41:17.000000000 +0200
@@ -20,3 +20,4 @@
0079-Indirect-filename-must-be-authorized-by-policy.patch
0080-Prevent-indirect-reads-with-label-at.patch
0081-Less-secure-coders-require-explicit-reference.patch
+0082-Fix-CVE-2016-5118-disable-filename-pipes.patch
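The mechanism the two debdiffs above gate, as an added example in C (not ImageMagick's code; open_blob, classify_filename, untrusted_filename_ok and the PIPES_SUPPORT define standing in for --enable-pipes are illustrative names): a leading '|' reaches popen() only when the build defines PIPES_SUPPORT, which the patch defaults to off, and a caller-side check refuses such names no matter how the library was built.

```c
#define _POSIX_C_SOURCE 200809L  /* for popen()/pclose() when PIPES_SUPPORT is on */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the patch's PIPES_SUPPORT define (MAGICKCORE_PIPES_SUPPORT
 * after ImageMagick's header prefixing).  Off unless the build opts in,
 * matching the patch's enable_pipes='no' default.  Assumption: -D on the
 * compiler command line plays the role of --enable-pipes here. */
#ifndef PIPES_SUPPORT
#define PIPES_SUPPORT 0
#endif

typedef enum { BLOB_FILE = 0, BLOB_PIPE = 1, BLOB_INVALID = 2 } blob_kind;

/* How this build interprets a filename.  Pure, so it can be tested without
 * touching the filesystem or a shell. */
blob_kind classify_filename(const char *filename)
{
    if (filename == NULL || *filename == '\0')
        return BLOB_INVALID;
    if (*filename == '|')
        return PIPES_SUPPORT ? BLOB_PIPE : BLOB_FILE;
    return BLOB_FILE;
}

/* Caller-side guard independent of the build flag: an application that
 * passes untrusted names to the image library should refuse a leading '|'
 * itself instead of relying on how the library was configured. */
int untrusted_filename_ok(const char *filename)
{
    return filename != NULL && *filename != '\0' && *filename != '|';
}

/* Mirrors the dispatch in magick/blob.c as the hunk leaves it: only a
 * PIPES_SUPPORT build hands the text after '|' to the shell via popen();
 * otherwise the whole name goes to fopen() and "|true" is just a file
 * that does not exist. */
FILE *open_blob(const char *filename, const char *mode, int *is_pipe)
{
    *is_pipe = 0;
#if PIPES_SUPPORT
    if (*filename == '|') {
        *is_pipe = 1;
        return popen(filename + 1, mode);  /* shell runs attacker-chosen text */
    }
#endif
    return fopen(filename, mode);
}

int close_blob(FILE *fp, int is_pipe)
{
#if PIPES_SUPPORT
    if (is_pipe)
        return pclose(fp);
#else
    (void)is_pipe;
#endif
    return fclose(fp);
}

/* 1 if a '|' filename never reaches a shell in this build, i.e. the open
 * is an ordinary fopen() (which may simply fail); 0 if popen() was used. */
int pipe_filename_is_inert(const char *filename)
{
    int is_pipe = 0;
    FILE *fp = open_blob(filename, "r", &is_pipe);
    if (fp != NULL)
        close_blob(fp, is_pipe);
    return is_pipe == 0;
}

int main(void)
{
    /* constructed sample names: an ordinary file, a pipe name, an empty name */
    static const char *const samples[] = { "photo.png", "|true", "" };
    static const char *const kinds[] = { "file", "pipe", "invalid" };
    size_t i;
    int is_pipe = 0;
    FILE *fp;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %s%s\n", samples[i], kinds[classify_filename(samples[i])],
               untrusted_filename_ok(samples[i]) ? "" : "  (rejected by caller check)");

    fp = open_blob("|true", "r", &is_pipe);
    if (fp == NULL)
        printf("open_blob(\"|true\"): is_pipe=%d, fopen failed: %s\n",
               is_pipe, strerror(errno));
    else {
        printf("open_blob(\"|true\"): is_pipe=%d, opened\n", is_pipe);
        close_blob(fp, is_pipe);
    }
    printf("'|true' inert in this build: %s\n",
           pipe_filename_is_inert("|true") ? "yes" : "no");
    return 0;
}
```

Build it plain (`cc -o blob blob.c`) to see the patched behaviour, where "|true" is a missing file, and with `-DPIPES_SUPPORT=1` to see the pre-patch behaviour, where the same name runs a command. The caller-side check is the part worth copying: a web application that hands user-supplied names to an image library should never let a build flag be the only thing standing between a filename and a shell.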