head 1.5; access; symbols pkgsrc-2013Q2:1.5.0.36 pkgsrc-2013Q2-base:1.5 pkgsrc-2012Q4:1.5.0.34 pkgsrc-2012Q4-base:1.5 pkgsrc-2011Q4:1.5.0.32 pkgsrc-2011Q4-base:1.5 pkgsrc-2011Q2:1.5.0.30 pkgsrc-2011Q2-base:1.5 pkgsrc-2009Q4:1.5.0.28 pkgsrc-2009Q4-base:1.5 pkgsrc-2008Q4:1.5.0.26 pkgsrc-2008Q4-base:1.5 pkgsrc-2008Q3:1.5.0.24 pkgsrc-2008Q3-base:1.5 cube-native-xorg:1.5.0.22 cube-native-xorg-base:1.5 pkgsrc-2008Q2:1.5.0.20 pkgsrc-2008Q2-base:1.5 pkgsrc-2008Q1:1.5.0.18 pkgsrc-2008Q1-base:1.5 pkgsrc-2007Q4:1.5.0.16 pkgsrc-2007Q4-base:1.5 pkgsrc-2007Q3:1.5.0.14 pkgsrc-2007Q3-base:1.5 pkgsrc-2007Q2:1.5.0.12 pkgsrc-2007Q2-base:1.5 pkgsrc-2007Q1:1.5.0.10 pkgsrc-2007Q1-base:1.5 pkgsrc-2006Q4:1.5.0.8 pkgsrc-2006Q4-base:1.5 pkgsrc-2006Q3:1.5.0.6 pkgsrc-2006Q3-base:1.5 pkgsrc-2006Q2:1.5.0.4 pkgsrc-2006Q2-base:1.5 pkgsrc-2006Q1:1.5.0.2 pkgsrc-2006Q1-base:1.5 pkgsrc-2005Q4:1.3.0.18 pkgsrc-2005Q4-base:1.3 pkgsrc-2005Q3:1.3.0.16 pkgsrc-2005Q3-base:1.3 pkgsrc-2005Q2:1.3.0.14 pkgsrc-2005Q2-base:1.3 pkgsrc-2005Q1:1.3.0.12 pkgsrc-2005Q1-base:1.3 pkgsrc-2004Q4:1.3.0.10 pkgsrc-2004Q4-base:1.3 pkgsrc-2004Q3:1.3.0.8 pkgsrc-2004Q3-base:1.3 pkgsrc-2004Q2:1.3.0.6 pkgsrc-2004Q2-base:1.3 pkgsrc-2004Q1:1.3.0.4 pkgsrc-2004Q1-base:1.3 pkgsrc-2003Q4:1.3.0.2 pkgsrc-2003Q4-base:1.3 netbsd-1-6:1.2.0.8 netbsd-1-6-RELEASE-base:1.2 pkgviews:1.2.0.4 pkgviews-base:1.2 buildlink2:1.2.0.2 buildlink2-base:1.3 netbsd-1-5-PATCH003:1.2; locks; strict; comment @# @; 1.5 date 2006.03.05.21.25.49; author adam; state dead; branches; next 1.4; 1.4 date 2006.01.28.02.36.55; author salo; state Exp; branches; next 1.3; 1.3 date 2002.08.22.08.06.15; author tron; state dead; branches 1.3.18.1; next 1.2; 1.2 date 2002.02.10.12.51.00; author abs; state Exp; branches 1.2.2.1; next 1.1; 1.1 date 2001.11.27.01.26.49; author lukem; state Exp; branches; next ; 1.3.18.1 date 2006.01.28.23.39.05; author seb; state Exp; branches; next ; 1.2.2.1 date 2002.08.22.11.11.18; author jlam; state dead; branches; next ; desc @@ 1.5 log 
@Changes 6.2.6.3: * The command line utilities properly returns a non-zero status when an exception is thrown. Changes 6.2.6.2 * Fix a memory leak in each of CompositeImageCommand() and CompositeImage() * Add new options -layers compare-any, -layers compare-clear, -layers compare-overlay, and -layers optimize. * Draw last dash in a dashed polyline. * Add %D to -format to return the image disposal method. * ncorrect handling of file:// URIs causes data loss (patch from Daniel Kobras). * Set default BMP resolution units to PixelsPerCentimeter (problem report from digipete@@shaw...). @ text @$NetBSD: patch-ag,v 1.4 2006/01/28 02:36:55 salo Exp $ Security fix for CVE-2006-0082, from Debian. --- magick/string.c.orig 2006-01-08 23:49:09.000000000 +0100 +++ magick/string.c 2006-01-28 02:54:01.000000000 +0100 @@@@ -971,6 +971,75 @@@@ % % % % % % +% F o r m a t M a g i c k S t r i n g N u m e r i c % +% % +% % +% % +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% +% Method FormatMagickStringNumeric formats output for a single numeric +% argument. It takes into account that the format string given might be +% untrusted user input, and returns the length of the formatted string. +% +% The format of the FormatMagickStringNumeric method is: +% +% long FormatMagickStringNumeric(char *string,const size_t length, +% const char *format,int value) +% +% A description of each parameter follows. +% +% o string: FormatMagickStringNumeric() returns the formatted string in this +% character buffer. +% +% o length: The maximum length of the string. +% +% o format: A string describing the format to use to write the numeric +% argument. Only the first numeric format identifier is replaced. +% +% o value: Numeric value to substitute into format string. 
+% +% +*/ +MagickExport long FormatMagickStringNumeric(char *string,const size_t length,const char *format,int value) +{ + char + *p; + + (void) CopyMagickString(string, format, length); + + for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%')) + { + char + *q; + + q=(char *) p+1; + if (*q == '0') + (void) strtol(q,&q,10); + if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x')) + { + char + c; + + q++; + c=*q; + *q='\0'; + (void) snprintf(string+(p-format),length-(p-format),p,value); + *q=c; + (void) ConcatenateMagickString(string,q,length); + if (*(q-1) == '%') + p++; + else + break; + } + } + return (long)strlen(string); +} + +/* +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% % +% % +% % % F o r m a t M a g i c k S t r i n g % % % % % @ 1.4 log @Security fixes for CVE-2006-0082 and Debian bug #345595: "Format string vulnerabilities in ImageMagick allow user-complicit attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program." Patches from Debian. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0082 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345876 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345595 @ text @d1 1 a1 1 $NetBSD$ @ 1.3 log @Update "ImageMagick" and "p5-PerlMagick" packages to version 5.4.8.2. Many bugs were fixed since the release of version 5.3.9 and lots of new features like 32-Bit QuantumDepth support added. 
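Review bot: In FormatMagickStringNumeric the call `snprintf(string+(p-format),length-(p-format),p,value)` assumes `p-format` is smaller than `length`, but `p` walks the whole of `format` while `string` only holds a copy truncated to `length`; for a format longer than the buffer the size argument wraps as a `size_t` and the write begins past the end of `string`. A guard such as `if ((size_t) (p-format) >= length) break;` ahead of the `snprintf` would close that; whether callers can actually pass a format that long is not visible in this hunk. The same offset is also one too large for every `%%` already collapsed, because `string` is by then shorter than `format`, so a later specifier is formatted at the wrong position. Separately, `q=(char *) p+1` discards the `const` on `format` and `*q='\0'` temporarily writes into the caller's string, which is unsafe for a read-only or shared format; formatting from a small local copy of the specifier would avoid it. The identical hunk is repeated in the 1.3.18.1 text further down and carries the same issues.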
@ text @d1 1 a1 1 $NetBSD: patch-ag,v 1.2 2002/02/10 12:51:00 abs Exp $ d3 80 a82 10 --- magick/xwindow.c.orig Sun Sep 9 02:04:32 2001 +++ magick/xwindow.c @@@@ -2424,6 +2424,7 @@@@ annotate_info->previous=(XAnnotateInfo *) NULL; annotate_info->next=(XAnnotateInfo *) NULL; (void) setlocale(LC_ALL,""); + (void) setlocale(LC_CTYPE,"C"); (void) setlocale(LC_NUMERIC,"C"); XSupportsLocale(); XSetLocaleModifiers(""); @ 1.3.18.1 log @Pullup ticket 1070 - requested by Lubomir Sedlacik sync graphics/ImageMagick with HEAD including security fixes Revisions pulled up: - pkgsrc/graphics/ImageMagick/Makefile 1.137 - pkgsrc/graphics/ImageMagick/Makefile.common 1.46 - pkgsrc/graphics/ImageMagick/PLIST 1.44 - pkgsrc/graphics/ImageMagick/buildlink3.mk 1.11 - pkgsrc/graphics/ImageMagick/distinfo 1.57, 1.58 - pkgsrc/graphics/ImageMagick/options.mk 1.4 - pkgsrc/graphics/ImageMagick/patches/patch-aa 1.33 - pkgsrc/graphics/ImageMagick/patches/patch-ab 1.16 - pkgsrc/graphics/ImageMagick/patches/patch-ac 1.12 - pkgsrc/graphics/ImageMagick/patches/patch-ad 1.9 - pkgsrc/graphics/ImageMagick/patches/patch-ae 1.6 - pkgsrc/graphics/ImageMagick/patches/patch-af 1.6 - pkgsrc/graphics/ImageMagick/patches/patch-ag 1.4 - pkgsrc/graphics/ImageMagick/patches/patch-ah 1.3 Module Name: pkgsrc Committed By: adam Date: Thu Jan 26 20:38:19 UTC 2006 Modified Files: pkgsrc/graphics/ImageMagick: Makefile Makefile.common PLIST buildlink3.mk distinfo options.mk pkgsrc/graphics/ImageMagick/patches: patch-aa Log Message: Changes 6.2.6.0: * Bug fixes --- Module Name: pkgsrc Committed By: salo Date: Sat Jan 28 02:36:55 UTC 2006 Modified Files: pkgsrc/graphics/ImageMagick: Makefile distinfo Added Files: pkgsrc/graphics/ImageMagick/patches: patch-ab patch-ac patch-ad patch-ae patch-af patch-ag patch-ah Log Message: Security fixes for CVE-2006-0082 and Debian bug #345595: "Format string vulnerabilities in ImageMagick allow user-complicit attackers to cause a denial of service (crash) and possibly execute arbitrary 
code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program." Patches from Debian. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0082 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345876 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345595 @ text @d1 1 a1 1 $NetBSD$ d3 10 a12 80 Security fix for CVE-2006-0082, from Debian. --- magick/string.c.orig 2006-01-08 23:49:09.000000000 +0100 +++ magick/string.c 2006-01-28 02:54:01.000000000 +0100 @@@@ -971,6 +971,75 @@@@ % % % % % % +% F o r m a t M a g i c k S t r i n g N u m e r i c % +% % +% % +% % +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% +% Method FormatMagickStringNumeric formats output for a single numeric +% argument. It takes into account that the format string given might be +% untrusted user input, and returns the length of the formatted string. +% +% The format of the FormatMagickStringNumeric method is: +% +% long FormatMagickStringNumeric(char *string,const size_t length, +% const char *format,int value) +% +% A description of each parameter follows. +% +% o string: FormatMagickStringNumeric() returns the formatted string in this +% character buffer. +% +% o length: The maximum length of the string. +% +% o format: A string describing the format to use to write the numeric +% argument. Only the first numeric format identifier is replaced. +% +% o value: Numeric value to substitute into format string. 
+% +% +*/ +MagickExport long FormatMagickStringNumeric(char *string,const size_t length,const char *format,int value) +{ + char + *p; + + (void) CopyMagickString(string, format, length); + + for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%')) + { + char + *q; + + q=(char *) p+1; + if (*q == '0') + (void) strtol(q,&q,10); + if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x')) + { + char + c; + + q++; + c=*q; + *q='\0'; + (void) snprintf(string+(p-format),length-(p-format),p,value); + *q=c; + (void) ConcatenateMagickString(string,q,length); + if (*(q-1) == '%') + p++; + else + break; + } + } + return (long)strlen(string); +} + +/* +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% % +% % +% % % F o r m a t M a g i c k S t r i n g % % % % % @ 1.2 log @Switch a 'long' to int32_t to work correctly on BE-LP64 platforms. Mark NOT_FOR_PLATFORM = NetBSD-*-sparc64 as c++ still broken @ text @d1 1 a1 1 $NetBSD$ @ 1.2.2.1 log @Merge changes from pkgsrc-current into the buildlink2 branch for the packages that have buildlink2.mk files. @ text @d1 1 a1 1 $NetBSD: patch-ag,v 1.2 2002/02/10 12:51:00 abs Exp $ @ 1.1 log @- Some operations that worked in-place on some format (e.g, "mogrify -rotate 90 foo.tiff") used to leave the result in /tmp/magickXXXXXXX with an in-file image comment of /tmp/magickXXXXXXX.mgk. Now it writes back to foo.tiff and the in-file comment is correct. For some reason, working on jpg's didn't exhibit this problem - Some operations that generate new files from some formats (e.g, "mogrify -format jpg -rotate 90 foo.tiff") used to leave the result in /tmp/magickXXXXXXX.jpg. Now foo.jpg is generated. For some reason, converting jpg->tiff didn't exhibit this problem. 
@ text @d3 10 a12 52 --- utilities/mogrify.c.orig Sat Sep 8 02:03:51 2001 +++ utilities/mogrify.c @@@@ -1651,11 +1651,12 @@@@ (void) strcpy(p,format); else { - FormatString(image_info->filename,"%.1024s:%.1024s",format, - image->filename); - (void) strcpy(image->filename,image_info->filename); + FormatString(filename, "%.1024s:%.1024s",format, + image_info->filename); + (void) strcpy(image->filename,filename); } - } + } else + (void) strcpy(image->filename,image_info->filename); /* Transmogrify image as defined by the image processing options. */ @@@@ -1669,19 +1670,6 @@@@ */ if (format != (char *) NULL) AppendImageFormat(format,image->filename); - else - if (LocaleCompare(image_info->filename,"-") != 0) - { - (void) strcpy(filename,image->filename); - AppendImageFormat("mgk",image->filename); - if (IsAccessible(image->filename)) - { - (void) strcat(image->filename,"~"); - if (IsAccessible(image->filename)) - MagickError(FileOpenError,"Unable to create temporary file", - filename); - } - } for (p=image; p != (Image *) NULL; p=p->next) { (void) strcpy(p->filename,image->filename); @@@@ -1700,12 +1688,6 @@@@ scene--; if (image_info->verbose) DescribeImage(image,stderr,False); - if ((format == (char *) NULL) && (status != False)) - if (LocaleCompare(image_info->filename,"-") != 0) - { - (void) remove(filename); - (void) rename(image->filename,filename); - } DestroyImage(image); } } @
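Review bot: The added `else` branch `(void) strcpy(image->filename,image_info->filename);` makes the output name equal to the input name, and the two later hunks delete the write-to-`mgk`-then-`rename` sequence, so the result appears to be written directly over the source file. If the write fails part-way the original image would be lost; the write call and the `if` this `else` pairs with are outside the hunks, so this is inferred from the visible lines. Keeping a temporary name and renaming only on success would preserve the old safety property, or at minimum a comment such as `/* in-place: output overwrites the input file */` would make the trade-off explicit. The `strcpy` calls and the `FormatString(filename, "%.1024s:%.1024s", ...)` call are also unbounded with respect to their destinations, whose sizes are not shown here.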