import gimp-2.99.8-3.el9

2022-11-15 01:26:34 -05:00 · 2022-11-15 01:26:34 -05:00 · 154530c9e3
commit 154530c9e3
parent c2cfa5828b
3 changed files with 104 additions and 4 deletions
--- a/SOURCES/gimp-CVE-2022-30067.patch
+++ b/SOURCES/gimp-CVE-2022-30067.patch
@ -0,0 +1,60 @@
+From 4f99f1fcfd892ead19831b5adcd38a99d71214b6 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema <jgboerema@gmail.com>
+Date: Fri, 29 Apr 2022 16:40:32 -0400
+Subject: [PATCH] app: fix #8120 GIMP 2.10.30 crashed when allocate large
+ memory
+
+GIMP could crash if the information regarding old path properties read
+from XCF was incorrect. It did not check if xcf_old_path succeeded and
+kept trying to load more paths even if the last one failed to load.
+
+Instead we now stop loading paths as soon as that function fails.
+In case we have a failure here we also try to skip to the next property
+based on the size of the path property, in hopes that the only problem
+was this property.
+---
+ app/xcf/xcf-load.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
+index ac9c4ea248..67bc766390 100644
+--- a/app/xcf/xcf-load.c
+++ b/app/xcf/xcf-load.c
+@@ -1168,7 +1168,12 @@ xcf_load_image_props (XcfInfo   *info,
+           break;
+ 
+         case PROP_PATHS:
+-          xcf_load_old_paths (info, image);
+          {
+            goffset base = info->cp;
+
+            if (! xcf_load_old_paths (info, image))
+              xcf_seek_pos (info, base + prop_size, NULL);
+          }
+           break;
+ 
+         case PROP_USER_UNIT:
+@@ -3035,8 +3040,11 @@ xcf_load_old_paths (XcfInfo   *info,
+   xcf_read_int32 (info, &last_selected_row, 1);
+   xcf_read_int32 (info, &num_paths,         1);
+ 
+  GIMP_LOG (XCF, "Number of old paths: %u", num_paths);
+
+   while (num_paths-- > 0)
+-    xcf_load_old_path (info, image);
+    if (! xcf_load_old_path (info, image))
+      return FALSE;
+ 
+   active_vectors =
+     GIMP_VECTORS (gimp_container_get_child_by_index (gimp_image_get_vectors (image),
+@@ -3087,7 +3095,7 @@ xcf_load_old_path (XcfInfo   *info,
+     }
+   else if (version != 1)
+     {
+-      g_printerr ("Unknown path type. Possibly corrupt XCF file");
+      g_printerr ("Unknown path type (version: %u). Possibly corrupt XCF file.\n", version);
+ 
+       g_free (name);
+       return FALSE;
+-- 
+GitLab
--- a/SOURCES/gimp-CVE-2022-32990.patch
+++ b/SOURCES/gimp-CVE-2022-32990.patch
@ -0,0 +1,31 @@
+From 22af0bcfe67c1c86381f33975ca7fdbde6b36b39 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema <jgboerema@gmail.com>
+Date: Sun, 5 Jun 2022 15:38:24 -0400
+Subject: [PATCH] app: fix #8230 crash in gimp_layer_invalidate_boundary when
+ channel is NULL
+
+gimp_channel_is_empty returns FALSE if channel is NULL. This causes
+gimp_layer_invalidate_boundary to crash if the mask channel is NULL.
+
+With a NULL channel gimp_channel_is_empty should return TRUE, just like
+the similar gimp_image_is_empty does, because returning FALSE here
+suggests we have a non empty channel.
+---
+ app/core/gimpchannel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/app/core/gimpchannel.c b/app/core/gimpchannel.c
+index 7b6a9851ae..502821ba58 100644
+--- a/app/core/gimpchannel.c
+++ b/app/core/gimpchannel.c
+@@ -1827,7 +1827,7 @@ gimp_channel_boundary (GimpChannel         *channel,
+ gboolean
+ gimp_channel_is_empty (GimpChannel *channel)
+ {
+-  g_return_val_if_fail (GIMP_IS_CHANNEL (channel), FALSE);
+  g_return_val_if_fail (GIMP_IS_CHANNEL (channel), TRUE);
+ 
+   return GIMP_CHANNEL_GET_CLASS (channel)->is_empty (channel);
+ }
+-- 
+GitLab
--- a/SPECS/gimp.spec
+++ b/SPECS/gimp.spec
@ -88,8 +88,8 @@ Summary:        GNU Image Manipulation Program
 Name:           gimp
 Epoch:          2
 Version:        2.99.8
-%global rel 2
-Release:        %{?prerelprefix}%{rel}%{dotprerel}%{dotgitrev}%{?dist}.1
+%global rel 3
+Release:        %{?prerelprefix}%{rel}%{dotprerel}%{dotgitrev}%{?dist}

 # Compute some version related macros.
 # Ugly, need to get quoting percent signs straight.
@ -243,6 +243,12 @@ Patch3:         gimp-2.10.18-no-phone-home-default.patch
 # no luajit available in RHEL-9
 Patch4:         gimp-remove-lua.patch

+# CVE-2022-30067
+Patch5:         gimp-CVE-2022-30067.patch
+
+# CVE-2022-32990
+Patch6:         gimp-CVE-2022-32990.patch
+
 # use external help browser directly if help browser plug-in is not built
 Patch100:       gimp-2.10.24-external-help-browser.patch

@ -346,6 +352,8 @@ EOF

 %patch2 -p1 -b .font-default
 %patch4 -p1 -b .remove-lua
+%patch5 -p1 -b .CVE-2022-30067
+%patch6 -p1 -b .CVE-2022-32990

 %if ! %{with helpbrowser}
 #%patch100 -p1 -b .external-help-browser
@ -728,8 +736,9 @@ make check %{?_smp_mflags}
 %endif

 %changelog
-* Wed Mar 16 2022 Josef Ridky <jridky@redhat.com> - 2:2.99.8-2.1
- Bump spec for RHEL-9.0.0 build
+* Mon Jul 18 2022 Josef Ridky <jridky@redhat.com> - 2:2.99.8-3
+- fix CVE-2022-30067
+- fix CVE-2022-32990

 * Wed Mar 09 2022 Josef Ridky <jridky@redhat.com> - 2:2.99.8-2
 - Remove luajit requirement