diff --git a/SOURCES/gimp-CVE-2022-30067.patch b/SOURCES/gimp-CVE-2022-30067.patch
new file mode 100644
index 0000000..94e29d2
--- /dev/null
+++ b/SOURCES/gimp-CVE-2022-30067.patch
@@ -0,0 +1,60 @@
+From 4f99f1fcfd892ead19831b5adcd38a99d71214b6 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema
+Date: Fri, 29 Apr 2022 16:40:32 -0400
+Subject: [PATCH] app: fix #8120 GIMP 2.10.30 crashed when allocate large
+ memory
+
+GIMP could crash if the information regarding old path properties read
+from XCF was incorrect. It did not check if xcf_old_path succeeded and
+kept trying to load more paths even if the last one failed to load.
+
+Instead we now stop loading paths as soon as that function fails.
+In case we have a failure here we also try to skip to the next property
+based on the size of the path property, in hopes that the only problem
+was this property.
+---
+ app/xcf/xcf-load.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
+index ac9c4ea248..67bc766390 100644
+--- a/app/xcf/xcf-load.c
++++ b/app/xcf/xcf-load.c
+@@ -1168,7 +1168,12 @@ xcf_load_image_props (XcfInfo *info,
+ break;
+
+ case PROP_PATHS:
+- xcf_load_old_paths (info, image);
++ {
++ goffset base = info->cp;
++
++ if (! xcf_load_old_paths (info, image))
++ xcf_seek_pos (info, base + prop_size, NULL);
++ }
+ break;
+
+ case PROP_USER_UNIT:
+@@ -3035,8 +3040,11 @@ xcf_load_old_paths (XcfInfo *info,
+ xcf_read_int32 (info, &last_selected_row, 1);
+ xcf_read_int32 (info, &num_paths, 1);
+
++ GIMP_LOG (XCF, "Number of old paths: %u", num_paths);
++
+ while (num_paths-- > 0)
+- xcf_load_old_path (info, image);
++ if (! xcf_load_old_path (info, image))
++ return FALSE;
+
+ active_vectors =
+ GIMP_VECTORS (gimp_container_get_child_by_index (gimp_image_get_vectors (image),
+@@ -3087,7 +3095,7 @@ xcf_load_old_path (XcfInfo *info,
+ }
+ else if (version != 1)
+ {
+- g_printerr ("Unknown path type. Possibly corrupt XCF file");
++ g_printerr ("Unknown path type (version: %u). Possibly corrupt XCF file.\n", version);
+
+ g_free (name);
+ return FALSE;
+--
+GitLab
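Review bot: The new PROP_PATHS recovery branch discards the result of `xcf_seek_pos (info, base + prop_size, NULL)`, so when the seek itself fails the property loop carries on from whatever offset info->cp was left at, which is the same desynchronised-stream state the patch sets out to avoid; prop_size is read from the file, so for a corrupt XCF base + prop_size can easily lie past the end of the data. If xcf_seek_pos reports failure through a gboolean as its GError ** parameter suggests, and xcf_load_image_props does likewise, the bare call should become `if (! xcf_seek_pos (info, base + prop_size, NULL)) return FALSE;` so that a failed resynchronisation aborts the load instead of being ignored. The enclosing xcf_load_image_props starts and ends outside the hunk, so its return convention is inferred rather than visible here.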
diff --git a/SOURCES/gimp-CVE-2022-32990.patch b/SOURCES/gimp-CVE-2022-32990.patch
new file mode 100644
index 0000000..24e1515
--- /dev/null
+++ b/SOURCES/gimp-CVE-2022-32990.patch
@@ -0,0 +1,31 @@
+From 22af0bcfe67c1c86381f33975ca7fdbde6b36b39 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema
+Date: Sun, 5 Jun 2022 15:38:24 -0400
+Subject: [PATCH] app: fix #8230 crash in gimp_layer_invalidate_boundary when
+ channel is NULL
+
+gimp_channel_is_empty returns FALSE if channel is NULL. This causes
+gimp_layer_invalidate_boundary to crash if the mask channel is NULL.
+
+With a NULL channel gimp_channel_is_empty should return TRUE, just like
+the similar gimp_image_is_empty does, because returning FALSE here
+suggests we have a non empty channel.
+---
+ app/core/gimpchannel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/app/core/gimpchannel.c b/app/core/gimpchannel.c
+index 7b6a9851ae..502821ba58 100644
+--- a/app/core/gimpchannel.c
++++ b/app/core/gimpchannel.c
+@@ -1827,7 +1827,7 @@ gimp_channel_boundary (GimpChannel *channel,
+ gboolean
+ gimp_channel_is_empty (GimpChannel *channel)
+ {
+- g_return_val_if_fail (GIMP_IS_CHANNEL (channel), FALSE);
++ g_return_val_if_fail (GIMP_IS_CHANNEL (channel), TRUE);
+
+ return GIMP_CHANNEL_GET_CLASS (channel)->is_empty (channel);
+ }
+--
+GitLab
diff --git a/SPECS/gimp.spec b/SPECS/gimp.spec
index ab314cd..704872c 100644
--- a/SPECS/gimp.spec
+++ b/SPECS/gimp.spec
@@ -88,8 +88,8 @@ Summary: GNU Image Manipulation Program
 Name: gimp
 Epoch: 2
 Version: 2.99.8
-%global rel 2
-Release: %{?prerelprefix}%{rel}%{dotprerel}%{dotgitrev}%{?dist}.1
+%global rel 3
+Release: %{?prerelprefix}%{rel}%{dotprerel}%{dotgitrev}%{?dist}
 # Compute some version related macros.
 # Ugly, need to get quoting percent signs straight.
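Review bot: Changing the fallback to `g_return_val_if_fail (GIMP_IS_CHANNEL (channel), TRUE)` stops the crash but still classifies a NULL channel as a programming error: every time the NULL-mask path described in the commit message is taken, the guard emits a g_critical, and under G_DEBUG=fatal-criticals the process aborts at exactly the point the patch intends to survive. If a NULL mask is a legitimate state for gimp_layer_invalidate_boundary, an explicit `if (! channel) return TRUE;` ahead of the guard would document that and keep the precondition check for genuinely invalid pointers. Whether NULL is expected there or a symptom of an earlier failure is inferred from the description, since the caller is not in the hunk.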
@@ -243,6 +243,12 @@ Patch3: gimp-2.10.18-no-phone-home-default.patch
 # no luajit available in RHEL-9
 Patch4: gimp-remove-lua.patch
+# CVE-2022-30067
+Patch5: gimp-CVE-2022-30067.patch
+
+# CVE-2022-32990
+Patch6: gimp-CVE-2022-32990.patch
+
 # use external help browser directly if help browser plug-in is not built
 Patch100: gimp-2.10.24-external-help-browser.patch
@@ -346,6 +352,8 @@ EOF
 %patch2 -p1 -b .font-default
 %patch4 -p1 -b .remove-lua
+%patch5 -p1 -b .CVE-2022-30067
+%patch6 -p1 -b .CVE-2022-32990
 %if ! %{with helpbrowser}
 #%patch100 -p1 -b .external-help-browser
@@ -728,8 +736,9 @@ make check %{?_smp_mflags}
 %endif
 %changelog
-* Wed Mar 16 2022 Josef Ridky - 2:2.99.8-2.1
-- Bump spec for RHEL-9.0.0 build
+* Mon Jul 18 2022 Josef Ridky - 2:2.99.8-3
+- fix CVE-2022-30067
+- fix CVE-2022-32990
 * Wed Mar 09 2022 Josef Ridky - 2:2.99.8-2
 - Remove luajit requirement