From 4e9ec2b86957c1b2674d87f5f24496851e3b6699650106c4e71c29756978537c Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Mon, 6 Jun 2016 09:03:41 +0000 Subject: [PATCH] =?UTF-8?q?-=20updated=20to=206.9.4-7:=20=20=20*=20Fix=20s?= =?UTF-8?q?mall=20memory=20leak=20(patch=20provided=20by=20=D0=90=D0=BD?= =?UTF-8?q?=D0=B4=D1=80=D0=B5=D0=B9=20=D0=A7=D0=B5=D1=80=D0=BD=D1=8B=D0=B9?= =?UTF-8?q?).=20=20=20*=20Coder=20path=20traversal=20is=20not=20authorized?= =?UTF-8?q?=20(bug=20report=20provided=20by=20=20=20=20=20Masaaki=20Chida)?= =?UTF-8?q?.=20=20=20*=20Turn=20off=20alpha=20channel=20for=20the=20compar?= =?UTF-8?q?e=20difference=20image=20(reference=20=20=20=20=20http://www.im?= =?UTF-8?q?agemagick.org/discourse-server/viewtopic.php=3Ff=3D3&t=3D29828)?= =?UTF-8?q?.=20=20=20*=20Support=20configure=20script=20--enable-pipes=20o?= =?UTF-8?q?ption=20to=20enable=20pipes=20(|)=20in=20=20=20=20=20filenames.?= =?UTF-8?q?=20=20=20*=20Support=20configure=20script=20--enable-indirect-r?= =?UTF-8?q?eads=20option=20to=20enable=20=20=20=20=20indirect=20reads=20(@?= =?UTF-8?q?)=20in=20filenames.=20-=20remove=20ImageMagick-CVE-2016-5118.pa?= =?UTF-8?q?tch,=20use=20--enable-pipes=3Dno=20instead?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=259 --- ImageMagick-6.9.4-5.tar.xz | 3 --- ImageMagick-6.9.4-5.tar.xz.asc | 17 ----------------- ImageMagick-6.9.4-7.tar.xz | 3 +++ ImageMagick-6.9.4-7.tar.xz.asc | 17 +++++++++++++++++ ImageMagick-CVE-2016-5118.patch | 14 -------------- ImageMagick.changes | 15 +++++++++++++++ ImageMagick.spec | 8 ++++---- 7 files changed, 39 insertions(+), 38 deletions(-) delete mode 100644 ImageMagick-6.9.4-5.tar.xz delete mode 100644 ImageMagick-6.9.4-5.tar.xz.asc create mode 100644 ImageMagick-6.9.4-7.tar.xz create mode 100644 ImageMagick-6.9.4-7.tar.xz.asc delete mode 100644 ImageMagick-CVE-2016-5118.patch 
diff --git a/ImageMagick-6.9.4-5.tar.xz b/ImageMagick-6.9.4-5.tar.xz deleted file mode 100644 index 36941a8..0000000 --- a/ImageMagick-6.9.4-5.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:39a65b8e2371db36cb63709dea0b15f08a6870f8ce6103432f068112d9513c5a -size 8784244 diff --git a/ImageMagick-6.9.4-5.tar.xz.asc b/ImageMagick-6.9.4-5.tar.xz.asc deleted file mode 100644 index e9b8fe7..0000000 --- a/ImageMagick-6.9.4-5.tar.xz.asc +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iQIcBAABAgAGBQJXTFLsAAoJEImrY9SCdzd6GLgQAJeeF5t6PQkb8dAuyc9Ss5j7 -xeg2mG7ez716czxZHzfGkHEDUAUhwpxcNGvR8mIYUpfDQU6C6XdS1DdFCWwfDXdA -2KcCtsmjHyWVlkLR+HNg76zq11GSXeLaXS2xTuoiXvzYKuUL5izy7rwVQ3j4LPSM -MptdXajRLQVX1NvHAAuRSTG1vAddd5FGKWx1mNfKEUPXiD++OA+YyoaPlH6SZeMc -jlHYSpLOsVIobgShbqPo91w4LJ/ofSUFQqK/99tTeGMaxrfEmn8TtWp44g7vZrFO -Zlmuxmpe9d9PUAPqE2mc8qFfa7/tVi+qiIdgio3cELT2f0bS5woSN5vRo2SsA6Cm -QtD615yXSrxrG2CQ5vINhRmHK2OoQLheIRzIhZcvgrIJejxsA3ku8LAdvddXHzG5 -UB4AngmaQX8Y9/FGZHpJLD0xkn/k+zNySALQvq+67MJLQI8G63bJfZXssWTk5az8 -G3Z25Z2x+rmkvUlJj7qEUHLhZ50GkSjxHJUixKYwYd24C+ga0fJDtyr9cPQPoUPj -K7+CwtdO3cV8FM71e1koJuvMcdnhVIezn556U70uQB8FchuLSQ6lGFO/3Ar3gBu8 -4pkrK0+tDKJSC+mXMDUL8Jr+wY+dGL+ZXmYTI7TP4WwEyyT3dqimTWcEQjJEBKNS -M1q6F1wzyRsCLS9EYOdg -=Y14c ------END PGP SIGNATURE----- diff --git a/ImageMagick-6.9.4-7.tar.xz b/ImageMagick-6.9.4-7.tar.xz new file mode 100644 index 0000000..ef5c3e0 --- /dev/null +++ b/ImageMagick-6.9.4-7.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f54fc8dcdb328404d1f89ddebe75d603e22894d3786ca2f2a9677478135b4c86 +size 8792244 diff --git a/ImageMagick-6.9.4-7.tar.xz.asc b/ImageMagick-6.9.4-7.tar.xz.asc new file mode 100644 index 0000000..d4da5fc --- /dev/null +++ b/ImageMagick-6.9.4-7.tar.xz.asc 
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAABAgAGBQJXUbUTAAoJEImrY9SCdzd6fGUQAKPX/kantePbnSjHHHhcWEnA
+VUaC/hROkOIA678eTmwK8EwHaYld+taDx47ok1MxLh4kODffHfQyx2IV3s8fHtM3
+JW1P1pYPhn6k4tr+5NmUZ8ODDRt506JUrAfrywH/cBbBmL0+ZEXUncZqZDP5bUmf
+DYRc2Cyzf3UfJFBwCHBlmHYnKjR162w1baqWkFpTMXoT00+hK3UZnVqjEqykOkmE
+k5nO4L/Od1yKhvj0OttrC0AuCMYjoWsVVmnP/iKspVnS60rnrcV+H0Hp3syZCTTB
+Qn/u0soPbb2ca6SY8wVXXXCp8ELYCTEmTgtPIuLfaeYxHSijXI/86xDL1qVBiJ28
+KojGa9tXmBqxZjikJAcnODUdwdWgA5SC3dKXeQYcSbQ3aB8t0RjwW9m81bxWJ3bv
+m9f3diF8TAgocHsaQ90s8rREDPA3jT030aGouYXP0CUija4dklhTLBXKUI4tfGoi
+87rgLq1B1my1tVbNZC7oU590u4R3+GC+E8GthxFTE+hD8EpEw9OwlAuQYJqk9FvU
+9o9arRx23Lg/ZApMKA6QoDxRDcYXqOVfSYfvFtecDWCrhFnNw6l5Sg8MaG0wpWBg
+OYalC7cflMlIKDhjJ6JwTICON6nR0QIXqXAzTZNtrX5dpdZwRH8MNVb1RO6zfPqY
+tEdR7rmpLXNUJZpj0rPW
+=qQzc
+-----END PGP SIGNATURE-----
diff --git a/ImageMagick-CVE-2016-5118.patch b/ImageMagick-CVE-2016-5118.patch
deleted file mode 100644
index 0505061..0000000
--- a/ImageMagick-CVE-2016-5118.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Index: ImageMagick-6.9.4-1/magick/blob.c
-===================================================================
---- ImageMagick-6.9.4-1.orig/magick/blob.c 2016-05-09 19:28:58.000000000 +0200
-+++ ImageMagick-6.9.4-1/magick/blob.c 2016-05-30 17:33:03.569022390 +0200
-@@ -80,6 +80,9 @@
- Define declarations.
- */
- #define MagickMaxBlobExtent 65541
-+
-+#undef MAGICKCORE_HAVE_POPEN
-+
- #if !defined(MAP_ANONYMOUS) && defined(MAP_ANON)
- # define MAP_ANONYMOUS MAP_ANON
- #endif
diff --git a/ImageMagick.changes b/ImageMagick.changes
index cc0a6ce..01857ed 100644
--- a/ImageMagick.changes
+++ b/ImageMagick.changes
@@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Mon Jun 6 08:51:19 UTC 2016 - pgajdos@suse.com + +- updated to 6.9.4-7: + * Fix small memory leak (patch provided by Андрей Черный). + * Coder path traversal is not authorized (bug report provided by + Masaaki Chida). + * Turn off alpha channel for the compare difference image (reference + http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=29828). + * Support configure script --enable-pipes option to enable pipes (|) in + filenames. + * Support configure script --enable-indirect-reads option to enable + indirect reads (@) in filenames. +- remove ImageMagick-CVE-2016-5118.patch, use --enable-pipes=no instead + ------------------------------------------------------------------- Tue May 31 08:32:29 UTC 2016 - pgajdos@suse.com diff --git a/ImageMagick.spec b/ImageMagick.spec index 9654a24..4722e83 100644 --- a/ImageMagick.spec +++ b/ImageMagick.spec @@ -63,7 +63,7 @@ BuildRequires: zip %define maj 6 %define mfr_version %{maj}.9.4 -%define mfr_revision 5 +%define mfr_revision 7 %define quantum_depth 16 %define source_version %{mfr_version}-%{mfr_revision} %define clibver 2 @@ -93,7 +93,6 @@ Patch4: ImageMagick-6.8.5.7-no-XPMCompliance.patch # will ask upstream if needed, or if other solution exists Patch11: ImageMagick-6.8.4.0-dont-build-in-install.patch Patch20: ImageMagick-6.8.8-1-disable-insecure-coders.patch -Patch21: ImageMagick-CVE-2016-5118.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %package -n perl-PerlMagick @@ -254,7 +253,6 @@ HTML documentation for ImageMagick library and scene examples. %patch4 %patch11 %patch20 -p1 -%patch21 -p1 # remove executeable bits from per demos chmod -x PerlMagick/demo/*.pl 
@@ -295,7 +293,9 @@ automake
 --with-webp \
 --with-wmf \
 --with-quantum-depth=%{quantum_depth} \
- --without-gcc-arch
+ --without-gcc-arch \
+ --enable-pipes=no \
+ --enable-indirect-reads=no
 # don't build together, PerlMagick could be miscompiled when using parallel build[1]
 # [1] http://pkgs.fedoraproject.org/cgit/ImageMagick.git/tree/ImageMagick.spec
 make %{?_smp_mflags} all
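Review bot: The two flags added at the end of the configure call, `--enable-pipes=no` and `--enable-indirect-reads=no`, now stand in for the removed ImageMagick-CVE-2016-5118.patch, yet nothing in the spec says so or checks that configure honoured them. An autoconf-generated configure normally only warns about an `--enable-*` option it does not recognise, so if a later upstream release renames or drops either option the build could still succeed with the popen() path for `|` filenames enabled again. I would put a comment above the configure invocation, for example `# CVE-2016-5118: keep pipe (|) and indirect (@) filename handling disabled`, and, if the other options in the call allow it, pass `--enable-option-checking=fatal` so an unknown flag fails the build. The configure invocation starts above this hunk, so the exact place for the comment depends on lines not shown here.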