diff options
| author |   Sebastian Pipping <sping@gentoo.org> | 2012-09-15 01:35:53 +0000 |
|---|---|---|
| committer | Sebastian Pipping <sping@gentoo.org> | 2012-09-15 01:35:53 +0000 |
| commit | 113f8069586598121561b774942ff0d47685b02d (patch) | |
| tree | fb6b5e75f65cb01fe0328ebd7115ceed5498fbfd /media-gfx/gimp | |
| parent | vanilla-3.5.3 + genpatches-3.5-4 + grsecurity-2.9.1-3.5.3-201209131726 (diff) | |
| download | historical-113f8069586598121561b774942ff0d47685b02d.tar.gz historical-113f8069586598121561b774942ff0d47685b02d.tar.bz2 historical-113f8069586598121561b774942ff0d47685b02d.zip | |
media-gfx/gimp: 2.6.12-r4 (CVE-2012-3403, bug #434580)
Package-Manager: portage-2.1.10.65/cvs/Linux x86_64
Diffstat (limited to 'media-gfx/gimp')
| -rw-r--r-- | media-gfx/gimp/ChangeLog | 12 | ||||
| -rw-r--r-- | media-gfx/gimp/Manifest | 14 | ||||
| -rw-r--r-- | media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3403.patch | 511 | ||||
| -rw-r--r-- | media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3481.patch | 56 | ||||
| -rw-r--r-- | media-gfx/gimp/files/gimp-2.6.12-fix-type-overflow-CVE-2012-3481.patch | 30 | ||||
| -rw-r--r-- | media-gfx/gimp/files/gimp-2.6.12-limit-len-and-height-CVE-2012-3481.patch | 31 | ||||
| -rw-r--r-- | media-gfx/gimp/gimp-2.6.12-r4.ebuild (renamed from media-gfx/gimp/gimp-2.6.12-r3.ebuild) | 7 |
7 files changed, 589 insertions, 72 deletions
diff --git a/media-gfx/gimp/ChangeLog b/media-gfx/gimp/ChangeLog index a2dea8644c84..dce04c36f86b 100644 --- a/media-gfx/gimp/ChangeLog +++ b/media-gfx/gimp/ChangeLog @@ -1,6 +1,16 @@ # ChangeLog for media-gfx/gimp # Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/media-gfx/gimp/ChangeLog,v 1.384 2012/09/14 22:42:43 sping Exp $ +# $Header: /var/cvsroot/gentoo-x86/media-gfx/gimp/ChangeLog,v 1.385 2012/09/15 01:35:53 sping Exp $ + +*gimp-2.6.12-r4 (15 Sep 2012) + + 15 Sep 2012; Sebastian Pipping <sping@gentoo.org> -gimp-2.6.12-r3.ebuild, + +gimp-2.6.12-r4.ebuild, +files/gimp-2.6.12-CVE-2012-3403.patch, + +files/gimp-2.6.12-CVE-2012-3481.patch, + -files/gimp-2.6.12-fix-type-overflow-CVE-2012-3481.patch, + -files/gimp-2.6.12-limit-len-and-height-CVE-2012-3481.patch: + Apply patch for CVE-2012-3403 and single-file patch for CVE-2012-3481 (both + from Fedora, Gentoo bug #434580) *gimp-2.6.12-r3 (14 Sep 2012) diff --git a/media-gfx/gimp/Manifest b/media-gfx/gimp/Manifest index bdde82a03edc..30a878e431ed 100644 --- a/media-gfx/gimp/Manifest +++ b/media-gfx/gimp/Manifest @@ -5,8 +5,8 @@ AUX gimp-2.6.11-cve-2011-2896.patch 1818 RMD160 4cc01a8197a31f3793897150e190ea09 AUX gimp-2.6.11-file-uri.patch 2209 RMD160 17cd5c7b454e7f64f7ed50cec4d9fe160ce7f2fc SHA1 77b3f6f50934a70f2ac938cfa0a1876ee72c2d14 SHA256 cb9da632417fcc866c047104cfbe25b5b9964fa5e65e333c042fdf23c19e692f AUX gimp-2.6.11-poppler-0.17.patch 15620 RMD160 5f22b65bcadecbff1b67a42a6dd48fd167272bc9 SHA1 418cbe80cc5cd7f6476ce196c755344954df83e0 SHA256 69b214ff495c7cbc1f52c0c56fa9a09e4dfba47f54da8bb3c8b063b26b8d04bd AUX gimp-2.6.12-CVE-2012-2763.patch 711 RMD160 51799cd0ca7e188086f10d95dcc97e1a7a6ac708 SHA1 0545a3f3a52d45507419d6977eebb0df12b6a037 SHA256 6ea0d78cf8a70bdc8cd7877ec41750ee5d4bbf5f391910328eae3b3d6e83dc48 -AUX gimp-2.6.12-fix-type-overflow-CVE-2012-3481.patch 1045 RMD160 9151273c4d0074712709f4aee7eeead96c492bfd SHA1 4238c46f4abab28a2015e178cc1c0e498247c83c SHA256 32b43f45eaa44ed0a6d37ede8c247982a1b181c10535fc3cd7757a9651994a21 -AUX gimp-2.6.12-limit-len-and-height-CVE-2012-3481.patch 1015 RMD160 7b507954cb38efb5a4695630a3866ddf62270ade SHA1 3b058ac04448c2731d73ffbaca53d604c0d66d88 SHA256 abbef9ec210757da0c60dae98d24e7fe582600847bff0cdf0c374a11e19dccad +AUX gimp-2.6.12-CVE-2012-3403.patch 16268 RMD160 1992474c0d975ca9af0254cacbbe4fffebd42e78 SHA1 fe8366fa143b21f1f1dfa80dfe9697ff7ebaf97c SHA256 882c06f5726b96dbd442659e98729e1e9cb6e9e62de1bb6104ac2be7de9d5c5a +AUX gimp-2.6.12-CVE-2012-3481.patch 1937 RMD160 73d475236fb2d20419482ecabb268fa3aac6b5f4 SHA1 c54923c25423152a633a8a650257a7a13b586cb4 SHA256 eeb6fefb10280033dcd56d06d9b90e24c1c2c6689c1a54580c17e828384b5324 AUX gimp-2.6.12-potfiles-skip.patch 481 RMD160 4ddf02e9f6f1c09daf9d29546bd3f107b555a016 SHA1 1419bac320d9bfec8fb92b5dabdb626013d7542d SHA256 1ed0292cab5bc744b3c4450827accc86f1719eb8e75416c282e84a8f65eb9f2f AUX gimp-2.7.3-glib-2.29.patch 478 RMD160 24895c62b2ad03247a8bc47d79cd55059188b283 SHA1 c4b8719c7904f4b1349e40ca1e409367a9f5997a SHA256 76a2bac5fbcaacbef592e6c137e12b72320f38224c3c9a717b82f6c34404bbdc AUX gimp-2.7.3-libm.patch 995 RMD160 7db10366261d3b302cac3fda669d805fa3a9d09e SHA1 612e372060d37ea13939a92eff6b5383710f9b51 SHA256 cb49b9611aca4e0082cc2f3e0c334341df3ac41009fda41355bd8af77b8601ca @@ -34,7 +34,7 @@ EBUILD gimp-2.6.11-r5.ebuild 3860 RMD160 312435af1cb9aea93e5c1cae5928996b34f0809 EBUILD gimp-2.6.11-r6.ebuild 4087 RMD160 e0fc1eedefb122cccc8317eb9abfe914e02475cf SHA1 ab49b429e4910d703dad2d93f7cc425296691029 SHA256 73363236f423cd87341c1a9d14b69da103cdac2fa0e5c0540f094cd40448fe52 EBUILD gimp-2.6.12-r1.ebuild 4111 RMD160 44cdeffbdee85e8647bf0349cb528da4a9e14137 SHA1 e5670de2586b29fea302ce665c818e0c04d5bc3f SHA256 f32c0f92ee3e9c347ef1f2040598eaa64f8e185ba98a88f987099c8038800d02 EBUILD gimp-2.6.12-r2.ebuild 4237 RMD160 1b9a3a998c914247d3accb2c5779914e8e0cc766 SHA1 717207158a75be416746a8518f0502829737dc72 SHA256 22d32b49553a1a8adbeaa94da2071c71059b1c3dea070597c55063e461722e3e -EBUILD gimp-2.6.12-r3.ebuild 4519 RMD160 9901883951c0f63696aca4dde057a50c1d92cf2b SHA1 c9dd032934699566c3ff58db3d9f465ee6aef053 SHA256 934d93117aa742767ea819d243c3b734291d04e9ee9c4410af0201468c275035 +EBUILD gimp-2.6.12-r4.ebuild 4545 RMD160 88b96905f5319d02b3ab4f6678fc7db64d68154b SHA1 e1667b788aa92eedc9763d05b124635aa3d87295 SHA256 cac9754ffb84f08a49aed8eead219fdbf1634109c8985e258204fb94249c166b EBUILD gimp-2.6.12.ebuild 3502 RMD160 4e0fd3ae96ec46500b95f39c239d4d8d4e9d33e8 SHA1 28a9368980d4c70d7d721b44d901b3d8b7b2d615 SHA256 54c71b43a91c0ab52ca97ff01adb9bdb8023c6723b65d7b8cea93441c4c7d3ea EBUILD gimp-2.7.3-r1.ebuild 3619 RMD160 9a0442bae9acad14346f89ee7d7341daa25a58c4 SHA1 8699aa4739d44918918cc7dd301d93ad797e0c6c SHA256 ef525f90f19a2a5fb21ceefc77c7332764749b1d5476eaa2a0956d1ec22af75b EBUILD gimp-2.7.3.ebuild 3225 RMD160 7184efc8e9b6b38b10e5ac2a0fa745113f470668 SHA1 14d0c039f5f7655f880db96cf865c90c85e5c7a4 SHA256 2d947c62bae5e393e9dcdca6b7029e5284b782b55f47b5e945734b671454c755 @@ -45,12 +45,12 @@ EBUILD gimp-2.8.0.ebuild 3930 RMD160 fa79fad2a08964c49c0958aa17d4637f5b7bd22d SH EBUILD gimp-2.8.0_rc1.ebuild 3842 RMD160 6016ef2c7b758be8a939ef18be3de06c71d81e1f SHA1 dd5ef8c8ef296f6208f7251c892602683fd2f973 SHA256 33160f825372ae0e42293b1af29e5e7e74175f9da19620cc2a2b1faf7dd6955b EBUILD gimp-2.8.2.ebuild 4681 RMD160 7d7bdfcf917c8c38947121f962df6524eb1ab7f3 SHA1 be3b73fa2ed34bac4fb4e93198f17471e047c933 SHA256 bf99275d4dd2fc2ac38421b60ad73a17473716604ebb12c0cdb9b3e75b7b8056 EBUILD gimp-9999.ebuild 3845 RMD160 79c8a722d960037fda7f7830fd7167db23e42b64 SHA1 ba35425a897cba1c272a5012911b62c9e52fb5d3 SHA256 f4cf8c8d37cebd612041ac1144d32dbf8e0f4813f94a21317c5a20f4f38696ab -MISC ChangeLog 54326 RMD160 f510b274ff95aab443b578782c595fdf317cc174 SHA1 d3bf2c7c070635e1cf42305bc68ec8c4651ce131 SHA256 c53dd2fb68dab956bf3d1217ce66bf4d34a177a9cd72a942d72c88c7c2deb70d +MISC ChangeLog 54778 RMD160 22e9d23c723c20826918a66b69b171081ddacfa0 SHA1 ba0b307d6f29c65ffa26321522215f4b6e643171 SHA256 c8248af01b9d55ef3fc857275214ff66edb0fb8feda60f5af445570a31274023 MISC metadata.xml 395 RMD160 21c615f6cbae64b239eb177892aa533f261dcdfe SHA1 d37e0e0c4b92b44b787ea0f5d841a59be30dbd2f SHA256 f39e4503da8cb7302e8f1a947baf406445ea8420ddfac9c1bfd4fe75d0e4fb34 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) -iEYEARECAAYFAlBTsvYACgkQsAvGakAaFgBsegCg0VlkOJJkiJnobKaapFAjX8KB -oDUAn3O3++bIYvuxWr/hPK0kD9vBeKYG -=wxmU +iEYEARECAAYFAlBT23oACgkQsAvGakAaFgDuogCfQTG5oRb/rgjPFRE8baa0ZVw1 +eScAoJ82nFOvBxC/U9dgBQWZqXyNId1X +=K8je -----END PGP SIGNATURE----- diff --git a/media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3403.patch b/media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3403.patch new file mode 100644 index 000000000000..f7d0b3766a60 --- /dev/null +++ b/media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3403.patch @@ -0,0 +1,511 @@ +From 65ac6cda675fafd57bc182175f685e5d8c1a9cc9 Mon Sep 17 00:00:00 2001 +From: Nils Philippsen <nils@redhat.com> +Date: Mon, 20 Aug 2012 15:28:44 +0200 +Subject: [PATCH] patch: CVE-2012-3403 + +Squashed commit of the following: + +commit d002e513039a9667a06d3e2ba180f9c18785cc5f +Author: Nils Philippsen <nils@redhat.com> +Date: Fri Jul 13 15:47:16 2012 +0200 + + file-cel: close file on error + +commit ec3f1fe7586527ea7e2735b5c8548b925f622d5b +Author: Nils Philippsen <nils@redhat.com> +Date: Fri Jul 13 15:33:27 2012 +0200 + + file-cel: use g_set_error() for errors instead of g_message() + (cherry picked from commit 86f4cd39bd493c88a7a19b56d1827d8b911e07f6) + + Conflicts: + plug-ins/common/file-cel.c + +commit 79bd89bc39195974d5cae2c2b06c829dd90c36ee +Author: Nils Philippsen <nils@redhat.com> +Date: Fri Jul 13 15:30:44 2012 +0200 + + file-cel: use statically allocated palette buffer + (cherry picked from commit 69b98191cf315bcf0f7b8878896c01600e67c124) + +commit 52d85468980b5947cfd3e84f9a256769158210cc +Author: Nils Philippsen <nils@redhat.com> +Date: Fri Jul 13 15:20:06 2012 +0200 + + file-cel: validate header data (CVE-2012-3403) + (cherry picked from commit b772d1b84c9272bb46ab9a21db4390e6263c9892) + +commit 62da97876070839097671e83eb8f5d408515396f +Author: Nils Philippsen <nils@redhat.com> +Date: Thu Jul 12 15:50:02 2012 +0200 + + file-cel: check fread()/g_fopen() return values and pass on errors + (cherry picked from commit 797db58b94c64f418c35d38b7a608d933c8cebef) +--- + plug-ins/common/file-cel.c | 283 +++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 234 insertions(+), 49 deletions(-) + +diff --git a/plug-ins/common/file-cel.c b/plug-ins/common/file-cel.c +index a94671c..3357561 100644 +--- a/plug-ins/common/file-cel.c ++++ b/plug-ins/common/file-cel.c +@@ -44,8 +44,10 @@ static void run (const gchar *name, + gint *nreturn_vals, + GimpParam **return_vals); + +-static gint load_palette (FILE *fp, +- guchar palette[]); ++static gint load_palette (const gchar *file, ++ FILE *fp, ++ guchar palette[], ++ GError **error); + static gint32 load_image (const gchar *file, + const gchar *brief, + GError **error); +@@ -55,7 +57,8 @@ static gboolean save_image (const gchar *file, + gint32 layer, + GError **error); + static void palette_dialog (const gchar *title); +-static gboolean need_palette (const gchar *file); ++static gboolean need_palette (const gchar *file, ++ GError **error); + + + /* Globals... */ +@@ -150,6 +153,7 @@ run (const gchar *name, + gint32 image; + GimpExportReturn export = GIMP_EXPORT_CANCEL; + GError *error = NULL; ++ gint needs_palette = 0; + + run_mode = param[0].data.d_int32; + +@@ -187,20 +191,32 @@ run (const gchar *name, + else if (run_mode == GIMP_RUN_INTERACTIVE) + { + /* Let user choose KCF palette (cancel ignores) */ +- if (need_palette (param[1].data.d_string)) +- palette_dialog (_("Load KISS Palette")); ++ needs_palette = need_palette (param[1].data.d_string, &error); + +- gimp_set_data (SAVE_PROC, palette_file, data_length); +- } ++ if (! error) ++ { ++ if (needs_palette) ++ palette_dialog (_("Load KISS Palette")); + +- image = load_image (param[1].data.d_string, param[2].data.d_string, +- &error); ++ gimp_set_data (SAVE_PROC, palette_file, data_length); ++ } ++ } + +- if (image != -1) ++ if (! error) + { +- *nreturn_vals = 2; +- values[1].type = GIMP_PDB_IMAGE; +- values[1].data.d_image = image; ++ image = load_image (param[1].data.d_string, param[2].data.d_string, ++ &error); ++ ++ if (image != -1) ++ { ++ *nreturn_vals = 2; ++ values[1].type = GIMP_PDB_IMAGE; ++ values[1].data.d_image = image; ++ } ++ else ++ { ++ status = GIMP_PDB_EXECUTION_ERROR; ++ } + } + else + { +@@ -263,18 +279,33 @@ run (const gchar *name, + + /* Peek into the file to determine whether we need a palette */ + static gboolean +-need_palette (const gchar *file) ++need_palette (const gchar *file, ++ GError **error) + { + FILE *fp; + guchar header[32]; ++ size_t n_read; + + fp = g_fopen (file, "rb"); +- if (!fp) +- return FALSE; ++ if (fp == NULL) ++ { ++ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno), ++ _("Could not open '%s' for reading: %s"), ++ gimp_filename_to_utf8 (file), g_strerror (errno)); ++ return FALSE; ++ } ++ ++ n_read = fread (header, 32, 1, fp); + +- fread (header, 32, 1, fp); + fclose (fp); + ++ if (n_read < 1) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("EOF or error while reading image header")); ++ return FALSE; ++ } ++ + return (header[5] < 32); + } + +@@ -286,11 +317,12 @@ load_image (const gchar *file, + GError **error) + { + FILE *fp; /* Read file pointer */ +- guchar header[32]; /* File header */ ++ guchar header[32], /* File header */ ++ file_mark, /* KiSS file type */ ++ bpp; /* Bits per pixel */ + gint height, width, /* Dimensions of image */ + offx, offy, /* Layer offets */ +- colours, /* Number of colours */ +- bpp; /* Bits per pixel */ ++ colours; /* Number of colours */ + + gint32 image, /* Image */ + layer; /* Layer */ +@@ -301,6 +333,7 @@ load_image (const gchar *file, + GimpPixelRgn pixel_rgn; /* Pixel region for layer */ + + gint i, j, k; /* Counters */ ++ size_t n_read; /* Number of items read from file */ + + + /* Open the file for reading */ +@@ -319,7 +352,14 @@ load_image (const gchar *file, + + /* Get the image dimensions and create the image... */ + +- fread (header, 4, 1, fp); ++ n_read = fread (header, 4, 1, fp); ++ ++ if (n_read < 1) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("EOF or error while reading image header")); ++ return -1; ++ } + + if (strncmp ((const gchar *) header, "KiSS", 4)) + { +@@ -332,18 +372,53 @@ load_image (const gchar *file, + } + else + { /* New-style image file, read full header */ +- fread (header, 28, 1, fp); ++ n_read = fread (header, 28, 1, fp); ++ ++ if (n_read < 1) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("EOF or error while reading image header")); ++ return -1; ++ } ++ ++ file_mark = header[0]; ++ if (file_mark != 0x20 && file_mark != 0x21) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("is not a CEL image file")); ++ return -1; ++ } ++ + bpp = header[1]; +- if (bpp == 24) +- colours = -1; +- else +- colours = (1 << header[1]); ++ switch (bpp) ++ { ++ case 4: ++ case 8: ++ case 32: ++ colours = (1 << bpp); ++ break; ++ default: ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("illegal bpp value in image: %hhu"), bpp); ++ return -1; ++ } ++ + width = header[4] + (256 * header[5]); + height = header[6] + (256 * header[7]); + offx = header[8] + (256 * header[9]); + offy = header[10] + (256 * header[11]); + } + ++ if ((width == 0) || (height == 0) || (width + offx > GIMP_MAX_IMAGE_SIZE) || ++ (height + offy > GIMP_MAX_IMAGE_SIZE)) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("illegal image dimensions: width: %d, horizontal offset: " ++ "%d, height: %d, vertical offset: %d"), ++ width, offx, height, offy); ++ return -1; ++ } ++ + if (bpp == 32) + image = gimp_image_new (width + offx, height + offy, GIMP_RGB); + else +@@ -351,7 +426,8 @@ load_image (const gchar *file, + + if (image == -1) + { +- g_message (_("Can't create a new image")); ++ g_set_error (error, 0, 0, _("Can't create a new image")); ++ fclose (fp); + return -1; + } + +@@ -383,7 +459,15 @@ load_image (const gchar *file, + switch (bpp) + { + case 4: +- fread (buffer, (width+1)/2, 1, fp); ++ n_read = fread (buffer, (width+1)/2, 1, fp); ++ ++ if (n_read < 1) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("EOF or error while reading image data")); ++ return -1; ++ } ++ + for (j = 0, k = 0; j < width*2; j+= 4, ++k) + { + if (buffer[k] / 16 == 0) +@@ -410,7 +494,15 @@ load_image (const gchar *file, + break; + + case 8: +- fread (buffer, width, 1, fp); ++ n_read = fread (buffer, width, 1, fp); ++ ++ if (n_read < 1) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("EOF or error while reading image data")); ++ return -1; ++ } ++ + for (j = 0, k = 0; j < width*2; j+= 2, ++k) + { + if (buffer[k] == 0) +@@ -427,7 +519,15 @@ load_image (const gchar *file, + break; + + case 32: +- fread (line, width*4, 1, fp); ++ n_read = fread (line, width*4, 1, fp); ++ ++ if (n_read < 1) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("EOF or error while reading image data")); ++ return -1; ++ } ++ + /* The CEL file order is BGR so we need to swap B and R + * to get the Gimp RGB order. + */ +@@ -440,7 +540,8 @@ load_image (const gchar *file, + break; + + default: +- g_message (_("Unsupported bit depth (%d)!"), bpp); ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("Unsupported bit depth (%d)!"), bpp); + return -1; + } + +@@ -457,7 +558,7 @@ load_image (const gchar *file, + if (bpp != 32) + { + /* Use palette from file or otherwise default grey palette */ +- palette = g_new (guchar, colours*3); ++ guchar palette[256*3]; + + /* Open the file for reading if user picked one */ + if (palette_file == NULL) +@@ -467,12 +568,23 @@ load_image (const gchar *file, + else + { + fp = g_fopen (palette_file, "r"); ++ ++ if (fp == NULL) ++ { ++ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno), ++ _("Could not open '%s' for reading: %s"), ++ gimp_filename_to_utf8 (palette_file), ++ g_strerror (errno)); ++ return -1; ++ } + } + + if (fp != NULL) + { +- colours = load_palette (fp, palette); ++ colours = load_palette (palette_file, fp, palette, error); + fclose (fp); ++ if (colours < 0 || *error) ++ return -1; + } + else + { +@@ -483,10 +595,6 @@ load_image (const gchar *file, + } + + gimp_image_set_colormap (image, palette + 3, colours - 1); +- +- /* Close palette file, give back allocated memory */ +- +- g_free (palette); + } + + /* Now get everything redrawn and hand back the finished image */ +@@ -498,32 +606,100 @@ load_image (const gchar *file, + } + + static gint +-load_palette (FILE *fp, +- guchar palette[]) ++load_palette (const gchar *file, ++ FILE *fp, ++ guchar palette[], ++ GError **error) + { + guchar header[32]; /* File header */ + guchar buffer[2]; +- int i, bpp, colours= 0; ++ guchar file_mark, bpp; ++ gint i, colours = 0; ++ size_t n_read; ++ ++ n_read = fread (header, 4, 1, fp); ++ ++ if (n_read < 1) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("'%s': EOF or error while reading palette header"), ++ gimp_filename_to_utf8 (file)); ++ return -1; ++ } + +- fread (header, 4, 1, fp); + if (!strncmp ((const gchar *) header, "KiSS", 4)) + { +- fread (header+4, 28, 1, fp); ++ n_read = fread (header+4, 28, 1, fp); ++ ++ if (n_read < 1) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("'%s': EOF or error while reading palette header"), ++ gimp_filename_to_utf8 (file)); ++ return -1; ++ } ++ ++ file_mark = header[4]; ++ if (file_mark != 0x10) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("'%s': is not a KCF palette file"), ++ gimp_filename_to_utf8 (file)); ++ return -1; ++ } ++ + bpp = header[5]; ++ if (bpp != 12 && bpp != 24) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("'%s': illegal bpp value in palette: %hhu"), ++ gimp_filename_to_utf8 (file), bpp); ++ return -1; ++ } ++ + colours = header[8] + header[9] * 256; +- if (bpp == 12) ++ if (colours != 16 && colours != 256) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("'%s': illegal number of colors: %u"), ++ gimp_filename_to_utf8 (file), colours); ++ return -1; ++ } ++ ++ switch (bpp) + { ++ case 12: + for (i = 0; i < colours; ++i) + { +- fread (buffer, 1, 2, fp); ++ n_read = fread (buffer, 1, 2, fp); ++ ++ if (n_read < 2) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("'%s': EOF or error while reading " ++ "palette data"), ++ gimp_filename_to_utf8 (file)); ++ return -1; ++ } ++ + palette[i*3]= buffer[0] & 0xf0; + palette[i*3+1]= (buffer[1] & 0x0f) * 16; + palette[i*3+2]= (buffer[0] & 0x0f) * 16; + } +- } +- else +- { +- fread (palette, colours, 3, fp); ++ break; ++ case 24: ++ n_read = fread (palette, colours, 3, fp); ++ ++ if (n_read < 3) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("'%s': EOF or error while reading palette data"), ++ gimp_filename_to_utf8 (file)); ++ return -1; ++ } ++ break; ++ default: ++ g_assert_not_reached (); + } + } + else +@@ -532,7 +708,16 @@ load_palette (FILE *fp, + fseek (fp, 0, SEEK_SET); + for (i= 0; i < colours; ++i) + { +- fread (buffer, 1, 2, fp); ++ n_read = fread (buffer, 1, 2, fp); ++ ++ if (n_read < 2) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("'%s': EOF or error while reading palette data"), ++ gimp_filename_to_utf8 (file)); ++ return -1; ++ } ++ + palette[i*3] = buffer[0] & 0xf0; + palette[i*3+1] = (buffer[1] & 0x0f) * 16; + palette[i*3+2] = (buffer[0] & 0x0f) * 16; +-- +1.7.11.4 + diff --git a/media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3481.patch b/media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3481.patch new file mode 100644 index 000000000000..a5aee6a34473 --- /dev/null +++ b/media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3481.patch @@ -0,0 +1,56 @@ +From 26b208c5aef5f7801bf0538f8df549f0bf8dcb92 Mon Sep 17 00:00:00 2001 +From: Nils Philippsen <nils@redhat.com> +Date: Mon, 20 Aug 2012 15:30:33 +0200 +Subject: [PATCH] patch: CVE-2012-3481 + +Squashed commit of the following: + +commit c56f3dc25cd4941f465e88bd91a0e107a4ac1b5e +Author: Nils Philippsen <nils@redhat.com> +Date: Tue Aug 14 15:27:39 2012 +0200 + + file-gif-load: fix type overflow (CVE-2012-3481) + + Cast variables properly to avoid overflowing when computing how much + memory to allocate. + (cherry picked from commit 43fc9dbd8e2196944c8a71321e525b89b7df9f5c) + +commit 11e922a8cee5c9bb532e2a996d2db3beab6da6cb +Author: Jan Lieskovsky <jlieskov@redhat.com> +Date: Tue Aug 14 12:18:22 2012 +0200 + + file-gif-load: limit len and height (CVE-2012-3481) + + Ensure values of len and height can't overflow g_malloc() argument type. + (cherry picked from commit d95c2f0bcb6775bdee2bef35b7d84f6dfd490783) +--- + plug-ins/common/file-gif-load.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c +index 8460ec0..295c351 100644 +--- a/plug-ins/common/file-gif-load.c ++++ b/plug-ins/common/file-gif-load.c +@@ -1028,10 +1028,17 @@ ReadImage (FILE *fd, + cur_progress = 0; + max_progress = height; + ++ if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1))) ++ { ++ g_message ("'%s' has a larger image size than GIMP can handle.", ++ gimp_filename_to_utf8 (filename)); ++ return -1; ++ } ++ + if (alpha_frame) +- dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2)); ++ dest = (guchar *) g_malloc ((gsize)len * (gsize)height * (promote_to_rgb ? 4 : 2)); + else +- dest = (guchar *) g_malloc (len * height); ++ dest = (guchar *) g_malloc ((gsize)len * (gsize)height); + + #ifdef GIFDEBUG + g_print ("GIF: reading %d by %d%s GIF image, ncols=%d\n", +-- +1.7.11.4 + diff --git a/media-gfx/gimp/files/gimp-2.6.12-fix-type-overflow-CVE-2012-3481.patch b/media-gfx/gimp/files/gimp-2.6.12-fix-type-overflow-CVE-2012-3481.patch deleted file mode 100644 index 8ac0934038d9..000000000000 --- a/media-gfx/gimp/files/gimp-2.6.12-fix-type-overflow-CVE-2012-3481.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 407606bdbb404c0a1bf14751a394459e1bedfc08 Mon Sep 17 00:00:00 2001 -From: Nils Philippsen <nils@redhat.com> -Date: Tue, 14 Aug 2012 15:27:39 +0200 -Subject: [PATCH 2/2] file-gif-load: fix type overflow (CVE-2012-3481) - -Cast variables properly to avoid overflowing when computing how much -memory to allocate. ---- - plug-ins/common/file-gif-load.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c -index 909b184..b46ba08 100644 ---- a/plug-ins/common/file-gif-load.c -+++ b/plug-ins/common/file-gif-load.c -@@ -1033,9 +1033,9 @@ ReadImage (FILE *fd, - } - - if (alpha_frame) -- dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2)); -+ dest = (guchar *) g_malloc ((gsize)len * (gsize)height * (promote_to_rgb ? 4 : 2)); - else -- dest = (guchar *) g_malloc (len * height); -+ dest = (guchar *) g_malloc ((gsize)len * (gsize)height); - - #ifdef GIFDEBUG - g_print ("GIF: reading %d by %d%s GIF image, ncols=%d\n", --- -1.7.11.4 - diff --git a/media-gfx/gimp/files/gimp-2.6.12-limit-len-and-height-CVE-2012-3481.patch b/media-gfx/gimp/files/gimp-2.6.12-limit-len-and-height-CVE-2012-3481.patch deleted file mode 100644 index e94224bb47e4..000000000000 --- a/media-gfx/gimp/files/gimp-2.6.12-limit-len-and-height-CVE-2012-3481.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 4ec417c50d4cce935a87b5beab051e85cbfcec45 Mon Sep 17 00:00:00 2001 -From: Jan Lieskovsky <jlieskov@redhat.com> -Date: Tue, 14 Aug 2012 12:18:22 +0200 -Subject: [PATCH 1/2] file-gif-load: limit len and height (CVE-2012-3481) - -Ensure values of len and height can't overflow g_malloc() argument type. ---- - plug-ins/common/file-gif-load.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c -index 9a0720b..909b184 100644 ---- a/plug-ins/common/file-gif-load.c -+++ b/plug-ins/common/file-gif-load.c -@@ -1025,6 +1025,13 @@ ReadImage (FILE *fd, - cur_progress = 0; - max_progress = height; - -+ if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1))) -+ { -+ g_message ("'%s' has a larger image size than GIMP can handle.", -+ gimp_filename_to_utf8 (filename)); -+ return -1; -+ } -+ - if (alpha_frame) - dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2)); - else --- -1.7.11.4 - diff --git a/media-gfx/gimp/gimp-2.6.12-r3.ebuild b/media-gfx/gimp/gimp-2.6.12-r4.ebuild index 788ed656a047..6376c271f0c2 100644 --- a/media-gfx/gimp/gimp-2.6.12-r3.ebuild +++ b/media-gfx/gimp/gimp-2.6.12-r4.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2012 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/media-gfx/gimp/gimp-2.6.12-r3.ebuild,v 1.1 2012/09/14 22:42:43 sping Exp $ +# $Header: /var/cvsroot/gentoo-x86/media-gfx/gimp/gimp-2.6.12-r4.ebuild,v 1.1 2012/09/15 01:35:53 sping Exp $ EAPI="3" @@ -113,8 +113,9 @@ src_prepare() { # CEL and GIF plug-ins: Heap-based buffer overflows (CVE-2012-{3403,3481}) # https://bugs.gentoo.org/show_bug.cgi?id=434580 - epatch "${FILESDIR}"/${PN}-2.6.12-fix-type-overflow-CVE-2012-3481.patch - epatch "${FILESDIR}"/${PN}-2.6.12-limit-len-and-height-CVE-2012-3481.patch + # Patches from Fedora <http://pkgs.fedoraproject.org/cgit/gimp.git/tree/?h=f16> + epatch "${FILESDIR}"/${P}-CVE-2012-3403.patch + epatch "${FILESDIR}"/${P}-CVE-2012-3481.patch echo '#!/bin/sh' > py-compile gnome2_src_prepare |