authorFrancesco Colista <fcolista@alpinelinux.org>2020-06-10 06:31:41 +0000
committerFrancesco Colista <fcolista@alpinelinux.org>2020-06-10 06:31:41 +0000
commit1544895a634968957e317942619257eb9079ea43 (patch)
tree99ac34cacbbd728605d964df143943bf9616672d
parent7fd82612488f2e64932e0f691b9e8f15562a0af5 (diff)
downloadaports-1544895a634968957e317942619257eb9079ea43.tar.gz
aports-1544895a634968957e317942619257eb9079ea43.tar.bz2
aports-1544895a634968957e317942619257eb9079ea43.tar.xz
community/graphicsmagick: security fix for CVE-2020-12672
fixes https://gitlab.alpinelinux.org/alpine/aports/-/issues/11631
-rw-r--r--community/graphicsmagick/APKBUILD10
-rw-r--r--community/graphicsmagick/CVE-2020-12672.patch49
2 files changed, 56 insertions, 3 deletions
diff --git a/community/graphicsmagick/APKBUILD b/community/graphicsmagick/APKBUILD
index dacdc24881..ddaf9937d0 100644
--- a/community/graphicsmagick/APKBUILD
+++ b/community/graphicsmagick/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=graphicsmagick
pkgver=1.3.35
-pkgrel=1
+pkgrel=2
pkgdesc="Image processing system"
url="http://www.graphicsmagick.org/"
arch="all"
@@ -10,11 +10,14 @@ license="MIT"
makedepends="libpng-dev tiff-dev libxml2-dev libwmf-dev freetype-dev libtool libltdl
libwebp-dev"
subpackages="$pkgname-dev $pkgname-doc"
-source="https://downloads.sourceforge.net/graphicsmagick/graphicsmagick/$pkgver/GraphicsMagick-$pkgver.tar.xz"
+source="https://downloads.sourceforge.net/graphicsmagick/graphicsmagick/$pkgver/GraphicsMagick-$pkgver.tar.xz
+CVE-2020-12672.patch"
options="libtool !check"
builddir="$srcdir"/GraphicsMagick-$pkgver
# security fixes:
+# 1.3.35-r2:
+# - CVE-2020-12672
# 1.3.35-r0:
# - CVE-2020-10938
# 1.3.32-r0:
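Review bot: The new `1.3.35-r2` / `CVE-2020-12672` entry sits under a `# security fixes:` header, whereas Alpine's security-tracking tooling, as far as I know, reads a block introduced by `# secfixes:`. If the header is really spelled as shown, this fix may not reach the security database, and scanners could keep reporting 1.3.35-r2 as affected. Consider renaming that context line to `# secfixes:` and using the usual indented layout, `#   1.3.35-r2:` followed by `#     - CVE-2020-12672`. Separately, `options` carries `!check`, so the build does not run the test suite against the patched PNG/MNG coder.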
@@ -144,4 +147,5 @@ package() {
make -j1 DESTDIR="$pkgdir" install
}
-sha512sums="baae92089d52147ef961f93495abc8a9d8b1a963af61d87a650c1ab105d46816aa38c83f654edcb5a0e1b7f07ccc06eaeaa443b9bde3a63a0b9bfb45f3ae144c GraphicsMagick-1.3.35.tar.xz"
+sha512sums="baae92089d52147ef961f93495abc8a9d8b1a963af61d87a650c1ab105d46816aa38c83f654edcb5a0e1b7f07ccc06eaeaa443b9bde3a63a0b9bfb45f3ae144c GraphicsMagick-1.3.35.tar.xz
+f933ec308277523aa5d7b8f679651af207de969daa3fc0eff152db394a08dd18647e994e6b03e053e862736c8a756adea5e82b242fe6182f2288395e05c40de8 CVE-2020-12672.patch"
diff --git a/community/graphicsmagick/CVE-2020-12672.patch b/community/graphicsmagick/CVE-2020-12672.patch
new file mode 100644
index 0000000000..9e29052caf
--- /dev/null
+++ b/community/graphicsmagick/CVE-2020-12672.patch
@@ -0,0 +1,49 @@
+diff -r 4917a4242fc0 -r 50395430a371 coders/png.c
+--- a/coders/png.c Fri May 01 13:49:13 2020 -0500
++++ b/coders/png.c Sat May 30 10:18:16 2020 -0500
+@@ -5689,7 +5691,28 @@
+
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+- " Processing MNG MAGN chunk");
++ " Processing MNG MAGN chunk: MB=%u, ML=%u,"
++ " MR=%u, MT=%u, MX=%u, MY=%u,"
++ " X_method=%u, Y_method=%u",
++ mng_info->magn_mb,mng_info->magn_ml,
++ mng_info->magn_mr,mng_info->magn_mt,
++ mng_info->magn_mx,mng_info->magn_my,
++ mng_info->magn_methx,
++ mng_info->magn_methy);
++
++ /*
++ If the image width is 1, then X magnification is done
++ by simple pixel replication.
++ */
++ if (image->columns == 1)
++ mng_info->magn_methx = 1;
++
++ /*
++ If the image height is 1, then Y magnification is done
++ by simple pixel replication.
++ */
++ if (image->rows == 1)
++ mng_info->magn_methy = 1;
+
+ if (mng_info->magn_methx == 1)
+ {
+@@ -5734,12 +5757,10 @@
+ Image
+ *large_image;
+
+- int
+- yy;
+-
+ long
+ m,
+- y;
++ y,
++ yy;
+
+ register long
+ x;
+
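Review bot: The two dimension guards come after the new log call, so the trace records the `X_method`/`Y_method` values read from the MAGN chunk, while the code below runs with the method forced to 1 for an image that is one pixel wide or high. When triaging a malformed MNG, the log will therefore not show which magnification path was taken; a second log line after the guards, or a comment such as `/* logged methods are the raw chunk values; overrides follow */`, would remove the ambiguity. The `%u` conversions assume the `magn_*` fields are `unsigned int`, which the hunk does not show. The patch file names only the two Mercurial revisions, so a header line recording the upstream changeset URL would make it easier to verify against upstream. The enclosing function in coders/png.c starts and ends outside the hunk.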