From 191ad337581cfee42dfc87df2c9fcdeeedc80f00 Mon Sep 17 00:00:00 2001 From: Josef Ridky Date: Thu, 4 Jan 2018 13:30:57 +0100 Subject: [PATCH] Resolves: #1529149 - CVE-2017-17784 CVE-2017-17785 CVE-2017-17786 CVE-2017-17787 CVE-2017-17788 CVE-2017-17789 --- gimp-2.8.22-CVE-2017-17784.patch | 13 ++++ gimp-2.8.22-CVE-2017-17785.patch | 130 +++++++++++++++++++++++++++++++ gimp-2.8.22-CVE-2017-17786.patch | 25 ++++++ gimp-2.8.22-CVE-2017-17787.patch | 16 ++++ gimp-2.8.22-CVE-2017-17788.patch | 13 ++++ gimp-2.8.22-CVE-2017-17789.patch | 19 +++++ gimp.spec | 20 ++++- 7 files changed, 235 insertions(+), 1 deletion(-) create mode 100644 gimp-2.8.22-CVE-2017-17784.patch create mode 100644 gimp-2.8.22-CVE-2017-17785.patch create mode 100644 gimp-2.8.22-CVE-2017-17786.patch create mode 100644 gimp-2.8.22-CVE-2017-17787.patch create mode 100644 gimp-2.8.22-CVE-2017-17788.patch create mode 100644 gimp-2.8.22-CVE-2017-17789.patch
diff --git a/gimp-2.8.22-CVE-2017-17784.patch b/gimp-2.8.22-CVE-2017-17784.patch
new file mode 100644
index 0000000..4238f9b
--- /dev/null
+++ b/gimp-2.8.22-CVE-2017-17784.patch
@@ -0,0 +1,13 @@
+diff -urNp old/plug-ins/common/file-gbr.c new/plug-ins/common/file-gbr.c
+--- old/plug-ins/common/file-gbr.c 2018-01-04 12:13:17.553757864 +0100
++++ new/plug-ins/common/file-gbr.c 2018-01-04 12:18:01.723635742 +0100
+@@ -443,7 +443,8 @@ load_image (const gchar *filename,
+ {
+ gchar *temp = g_new (gchar, bn_size);
+ 
+- if ((read (fd, temp, bn_size)) < bn_size)
++ if ((read (fd, temp, bn_size)) < bn_size ||
++ temp[bn_size - 1] != '\0')
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("Error in GIMP brush file '%s'"),
diff --git a/gimp-2.8.22-CVE-2017-17785.patch b/gimp-2.8.22-CVE-2017-17785.patch
new file mode 100644
index 0000000..3ea3e25
--- /dev/null
+++ b/gimp-2.8.22-CVE-2017-17785.patch
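Review bot: The added terminator check only proves the last byte of the brush name is a NUL; the failure mode of `read()` itself is still only caught through the `< bn_size` comparison, and if `bn_size` is declared as an unsigned type (its declaration is outside the hunk) a -1 return is converted before the comparison and the error branch never runs, leaving `temp` with unread bytes that are then used as a string. Capturing the result in a signed variable makes both cases explicit: `ssize_t got = read (fd, temp, bn_size);` followed by `if (got < 0 || (gsize) got < bn_size || temp[bn_size - 1] != '\0')`. The index `temp[bn_size - 1]` also relies on `bn_size` being at least 1, which the guard around this block presumably ensures but which is not visible here. `load_image` starts and ends outside the hunk.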
@@ -0,0 +1,130 @@ +diff -urNp old/plug-ins/file-fli/fli.c new/plug-ins/file-fli/fli.c +--- old/plug-ins/file-fli/fli.c 2018-01-04 12:19:54.714139464 +0100 ++++ new/plug-ins/file-fli/fli.c 2018-01-04 12:34:18.568323629 +0100 +@@ -25,6 +25,8 @@ + + #include "config.h" + ++#include ++ + #include + #include + +@@ -461,23 +463,27 @@ void fli_read_brun(FILE *f, s_fli_header + unsigned short yc; + unsigned char *pos; + for (yc=0; yc < fli_header->height; yc++) { +- unsigned short xc, pc, pcnt; ++ unsigned short pc, pcnt; ++ size_t n, xc; + pc=fli_read_char(f); + xc=0; + pos=framebuf+(fli_header->width * yc); ++ n=(size_t)fli_header->width * (fli_header->height-yc); + for (pcnt=pc; pcnt>0; pcnt--) { + unsigned short ps; + ps=fli_read_char(f); + if (ps & 0x80) { + unsigned short len; +- for (len=-(signed char)ps; len>0; len--) { ++ for (len=-(signed char)ps; len>0 && xcwidth * fli_header->height); + firstline = fli_read_short(f); + numline = fli_read_short(f); ++ if (numline > fli_header->height || fli_header->height-numline < firstline) ++ return; ++ + for (yc=0; yc < numline; yc++) { +- unsigned short xc, pc, pcnt; ++ unsigned short pc, pcnt; ++ size_t n, xc; + pc=fli_read_char(f); + xc=0; + pos=framebuf+(fli_header->width * (firstline+yc)); ++ n=(size_t)fli_header->width * (fli_header->height-firstline-yc); + for (pcnt=pc; pcnt>0; pcnt--) { + unsigned short ps,skip; + skip=fli_read_char(f); + ps=fli_read_char(f); +- xc+=skip; ++ xc+=MIN(n-xc,skip); + if (ps & 0x80) { + unsigned char val; ++ size_t len; + ps=-(signed char)ps; + val=fli_read_char(f); +- memset(&(pos[xc]), val, ps); +- xc+=ps; ++ len=MIN(n-xc,ps); ++ memset(&(pos[xc]), val, len); ++ xc+=len; + } else { +- fread(&(pos[xc]), ps, 1, f); +- xc+=ps; ++ size_t len; ++ len=MIN(n-xc,ps); ++ fread(&(pos[xc]), len, 1, f); ++ xc+=len; + } + } + } +@@ -689,7 +704,8 @@ void fli_read_lc_2(FILE *f, s_fli_header + yc=0; + numline = fli_read_short(f); + for (lc=0; lc < numline; lc++) { +- unsigned short xc, pc, pcnt, lpf, 
lpn; ++ unsigned short pc, pcnt, lpf, lpn; ++ size_t n, xc; + pc=fli_read_short(f); + lpf=0; lpn=0; + while (pc & 0x8000) { +@@ -700,26 +716,30 @@ void fli_read_lc_2(FILE *f, s_fli_header + } + pc=fli_read_short(f); + } ++ yc=MIN(yc, fli_header->height); + xc=0; + pos=framebuf+(fli_header->width * yc); ++ n=(size_t)fli_header->width * (fli_header->height-yc); + for (pcnt=pc; pcnt>0; pcnt--) { + unsigned short ps,skip; + skip=fli_read_char(f); + ps=fli_read_char(f); +- xc+=skip; ++ xc+=MIN(n-xc,skip); + if (ps & 0x80) { + unsigned char v1,v2; + ps=-(signed char)ps; + v1=fli_read_char(f); + v2=fli_read_char(f); +- while (ps>0) { ++ while (ps>0 && xc+1 st.st_size) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("Could not open '%s' for reading: %s"), ++ gimp_filename_to_utf8 (filename), ++ _("invalid block size")); ++ goto error; ++ } ++ + if (id == PSP_IMAGE_BLOCK) + { + if (block_number != 0) diff --git a/gimp.spec b/gimp.spec index 59181b1..8325c11 100644 --- a/gimp.spec +++ b/gimp.spec @@ -82,7 +82,7 @@ Summary: GNU Image Manipulation Program Name: gimp Epoch: 2 Version: 2.8.22 -Release: %{?prerelprefix}2%{dotprerel}%{dotgitrev}%{?dist}.3 +Release: %{?prerelprefix}3%{dotprerel}%{dotgitrev}%{?dist} # Compute some version related macros. # Ugly, need to get quoting percent signs straight. @@ -207,6 +207,14 @@ Patch1: gimp-2.8.2-cm-system-monitor-profile-by-default.patch #Fix screenshot feature in wayland Patch2: gimp-2.8.22-fix-screenshot-in-wayland.patch +#Reported CVE +Patch3: gimp-2.8.22-CVE-2017-17784.patch +Patch4: gimp-2.8.22-CVE-2017-17785.patch +Patch5: gimp-2.8.22-CVE-2017-17786.patch +Patch6: gimp-2.8.22-CVE-2017-17787.patch +Patch7: gimp-2.8.22-CVE-2017-17788.patch +Patch8: gimp-2.8.22-CVE-2017-17789.patch + # use external help browser directly if help browser plug-in is not built Patch100: gimp-2.8.6-external-help-browser.patch 
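Review bot: Patch3 through Patch8 are introduced under the single generic comment `#Reported CVE` with no reference to the upstream fix each one backports, so on the next rebase nobody can tell whether a given patch is already contained in the new tarball or has been superseded. The usual spec convention is one comment per patch naming the upstream change, for example `# Upstream commit <UPSTREAM-COMMIT-ID> (CVE-2017-17784)` directly above `Patch3:`, and likewise for Patch4–Patch8. The patch file names already carry the CVE ids, so only the upstream provenance is missing.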
@@ -293,6 +301,12 @@ EOF %patch1 -p1 -b .cm-system-monitor-profile-by-default %patch2 -p1 -b .fix-screenshot-in-wayland +%patch3 -p1 -b .CVE-17784 +%patch4 -p1 -b .CVE-17785 +%patch5 -p1 -b .CVE-17786 +%patch6 -p1 -b .CVE-17787 +%patch7 -p1 -b .CVE-17788 +%patch8 -p1 -b .CVE-17789 %if ! %{with helpbrowser} %patch100 -p1 -b .external-help-browser @@ -645,6 +659,10 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : %endif %changelog +* Thu Jan 04 2018 Josef Ridky - 2:2.8.22-3 +- Fix for CVE-2017-17784, CVE-2017-17785, CVE-2017-17786, + CVE-2017-17787, CVE-2017-17788 and CVE-2017-17789 (#1529149) + * Thu Oct 19 2017 Josef Ridky - 2:2.8.22-2.3 - Rebuilt for python2 package