import OL gimp-2.99.8-4.el9_3

This commit is contained in:
eabdullin 2024-02-09 06:51:19 +00:00
parent 154530c9e3
commit 5a848b7509
7 changed files with 338 additions and 1 deletions


@ -0,0 +1,63 @@
From 1e67a41b5171ab6c852d2b82ad3f3c23393d6326 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Wed, 7 Feb 2024 12:45:17 +0000
Subject: [PATCH 1/3] plug-ins: Fix DDS vulnerability (ZDI-CAN-22093)
Resolves #10069
Currently, the DDS header information for the width, height, and bytes per scan line
are read in and assumed to be correct. As these values are used for memory allocation
and reading, it would be good to verify they do not exceed the file size.
This patch adds a condition after the header is read in to verify those values. If they exceed
the file size (mins an offset), the file is not read in and an error message is shown.
Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
---
plug-ins/file-dds/ddsread.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
index 72102d0..add4ba5 100644
--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
@@ -124,6 +124,7 @@ read_dds (GFile *file,
guint l = 0;
guchar *pixels;
FILE *fp;
+ gsize file_size;
dds_header_t hdr;
dds_header_dx10_t dx10hdr;
dds_load_info_t d;
@@ -157,6 +158,10 @@ read_dds (GFile *file,
return GIMP_PDB_EXECUTION_ERROR;
}
+ fseek (fp, 0L, SEEK_END);
+ file_size = ftell (fp);
+ fseek (fp, 0, SEEK_SET);
+
gimp_progress_init_printf ("Loading %s:", gimp_file_get_utf8_name (file));
/* read header */
@@ -207,6 +212,16 @@ read_dds (GFile *file,
}
}
+ /* verify header information is accurate */
+ if (hdr.depth < 1 ||
+ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
+ (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
+ {
+ fclose (fp);
+ g_message ("Invalid or corrupted DDS header\n");
+ return GIMP_PDB_EXECUTION_ERROR;
+ }
+
if (hdr.pixelfmt.flags & DDPF_FOURCC)
{
/* fourcc is dXt* or rXgb */
--
2.39.3
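Review bot: `file_size = ftell (fp)` on the new line after `fseek (fp, 0L, SEEK_END)` stores a `long` into a `gsize` without checking for failure; when `ftell` returns -1 (non-seekable stream, or a size that does not fit `long`) `file_size` becomes the largest `gsize`, so the new bound `hdr.pitch_or_linsize > (file_size - sizeof (hdr))` can never trip and the guard is silently disabled. The two `fseek` results are unchecked as well. The load should fail when the size cannot be determined rather than fall through with no effective limit. read_dds's body continues outside the hunk, and the later patch in this commit that relocates the check appears to keep this size probe, so it is worth hardening here.
```c
  long end_pos;

  /* Fail closed: an unchecked ftell() failure would otherwise turn the
   * file-size bound into no bound at all. */
  if (fseek (fp, 0L, SEEK_END) != 0 ||
      (end_pos = ftell (fp)) < 0 ||
      fseek (fp, 0L, SEEK_SET) != 0)
    {
      fclose (fp);
      g_message ("Could not determine size of DDS file\n");
      return GIMP_PDB_EXECUTION_ERROR;
    }
  file_size = (gsize) end_pos;
  /* … unchanged: gimp_progress_init_printf and header read … */
```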


@ -0,0 +1,100 @@
From bd6e7854b7b679444af685fab06dbb6559f3d720 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Wed, 7 Feb 2024 12:47:12 +0000
Subject: [PATCH 2/3] plug-ins: Fix DDS import regression from 7db71cd0
@Wormnest pointed out that compressed files are likely smaller than
width * height * bps, so our check to prevent ZDI-CAN-22093
also caught valid files.
The size check is removed from load_image () and moved to load_layer ()
before the two fread() functions, as we know exactly how much we'll
try to read at that point.
(Backport of 8faad92e)
Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
---
plug-ins/file-dds/ddsread.c | 39 +++++++++++++++++++++++++++----------
1 file changed, 29 insertions(+), 10 deletions(-)
diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
index add4ba5..b19d32e 100644
--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
@@ -212,16 +212,6 @@ read_dds (GFile *file,
}
}
- /* verify header information is accurate */
- if (hdr.depth < 1 ||
- (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
- (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
- {
- fclose (fp);
- g_message ("Invalid or corrupted DDS header\n");
- return GIMP_PDB_EXECUTION_ERROR;
- }
-
if (hdr.pixelfmt.flags & DDPF_FOURCC)
{
/* fourcc is dXt* or rXgb */
@@ -332,6 +322,15 @@ read_dds (GFile *file,
precision = GIMP_PRECISION_U8_NON_LINEAR;
}
+ /* verify header information is accurate */
+ if (d.bpp < 1 ||
+ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))))
+ {
+ fclose (fp);
+ g_message ("Invalid or corrupted DDS header\n");
+ return GIMP_PDB_EXECUTION_ERROR;
+ }
+
image = gimp_image_new_with_precision (hdr.width, hdr.height, type, precision);
if (! image)
@@ -1000,6 +999,13 @@ load_layer (FILE *fp,
guint size = hdr->pitch_or_linsize >> (2 * level);
guint layerw;
gint format = DDS_COMPRESS_NONE;
+ gsize file_size;
+ gsize current_position;
+
+ current_position = ftell (fp);
+ fseek (fp, 0L, SEEK_END);
+ file_size = ftell (fp);
+ fseek (fp, current_position, SEEK_SET);
if (width < 1) width = 1;
if (height < 1) height = 1;
@@ -1097,6 +1103,12 @@ load_layer (FILE *fp,
size *= 16;
}
+ if (size > (file_size - current_position))
+ {
+ g_message ("Requested data exceeds size of file.\n");
+ return 0;
+ }
+
if ((hdr->flags & DDSD_LINEARSIZE) &&
!fread (buf, size, 1, fp))
{
@@ -1136,6 +1148,13 @@ load_layer (FILE *fp,
gimp_progress_update ((double) y / (double) hdr->height);
}
+ current_position = ftell (fp);
+ if ((width * d->bpp) > (file_size - current_position))
+ {
+ g_message ("Requested data exceeds size of file.\n");
+ return 0;
+ }
+
if ((hdr->flags & DDSD_PITCH) &&
! fread (buf, width * d->bpp, 1, fp))
{
--
2.39.3
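Review bot: The guard added before the first `fread` in load_layer, `if (size > (file_size - current_position))`, is evaluated unconditionally while the read it protects only runs when `hdr->flags & DDSD_LINEARSIZE` is set; if `size` is only meaningful for linear-size files this can reject valid pitch-based files, the same asymmetry the PITCH-side guard has. Mirroring the flag, `if ((hdr->flags & DDSD_LINEARSIZE) && size > (file_size - current_position))`, keeps the check tied to the read. The `ftell`/`fseek` calls added at the top of load_layer are also unchecked, so a -1 from `ftell` becomes the largest `gsize` and both new bounds then accept any size. `width * d->bpp` is `guint` arithmetic on a header-controlled width; whether it can wrap before the comparison depends on the bpp range established outside the hunk and is worth confirming. load_layer's body starts and ends outside the hunk.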


@ -0,0 +1,54 @@
From 6d7aa0fd52d4d48e09e3c2fb3fb39b55cd35e0ea Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Sat, 28 Oct 2023 21:44:51 +0000
Subject: [PATCH 3/3] plug-ins: Additional fixes for DDS Import
@Wormnest noted remaining regressions after 8faad92e.
The second fread() only runs if the DDSD_PITCH flag is set,
so the error handling check should also be conditional.
Additionally, the ZDI-CAN-22093 exploit no longer runs but
still could cause a plug-in crash. This patch adds an additional
check to ensure the buffer size was within bounds.
Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
---
plug-ins/file-dds/ddsread.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
index b19d32e..21eeb56 100644
--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
@@ -1005,6 +1005,7 @@ load_layer (FILE *fp,
current_position = ftell (fp);
fseek (fp, 0L, SEEK_END);
file_size = ftell (fp);
+ fseek (fp, 0, SEEK_SET);
fseek (fp, current_position, SEEK_SET);
if (width < 1) width = 1;
@@ -1103,7 +1104,8 @@ load_layer (FILE *fp,
size *= 16;
}
- if (size > (file_size - current_position))
+ if (size > (file_size - current_position) ||
+ size > hdr->pitch_or_linsize)
{
g_message ("Requested data exceeds size of file.\n");
return 0;
@@ -1149,7 +1151,9 @@ load_layer (FILE *fp,
}
current_position = ftell (fp);
- if ((width * d->bpp) > (file_size - current_position))
+ if ((hdr->flags & DDSD_PITCH) &&
+ ((width * d->bpp) > (file_size - current_position) ||
+ (width * d->bpp) > hdr->pitch_or_linsize))
{
g_message ("Requested data exceeds size of file.\n");
return 0;
--
2.39.3
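Review bot: The added `fseek (fp, 0, SEEK_SET);` is immediately followed by the existing `fseek (fp, current_position, SEEK_SET);`, so it only costs an extra seek and does not change where the stream ends up; it should be dropped, and the size probe should fail closed instead, `if (fseek (fp, 0L, SEEK_END) != 0 || (file_size = ftell (fp)) == (gsize) -1) return 0;`, because an unchecked -1 from `ftell` turns `file_size` into the largest `gsize` and both "Requested data exceeds size of file" checks then pass any request. The new `size > hdr->pitch_or_linsize` operand presumably ties the read to the header field the buffer was sized from; a comment saying so, `/* buf was sized from pitch_or_linsize; never read more than that into it */`, would make the reason for the second bound visible. load_layer's body starts and ends outside the hunk, so the `buf` allocation itself is not visible here.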


@ -0,0 +1,27 @@
From 865cc56894dcb6e1c664a55e4b4010ebf6919e10 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Fri, 29 Sep 2023 20:38:51 +0000
Subject: [PATCH] plug-ins: Fix vulnerability in file-psd
Resolves #10101.
This patch adds a missing break statement after an error condition
is detected to prevent the code from continuing afterwards.
---
plug-ins/file-psd/psd-util.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/plug-ins/file-psd/psd-util.c b/plug-ins/file-psd/psd-util.c
index 761865e7af..545bd32f7c 100644
--- a/plug-ins/file-psd/psd-util.c
+++ b/plug-ins/file-psd/psd-util.c
@@ -583,6 +583,7 @@ decode_packbits (const gchar *src,
{
IFDBG(2) g_debug ("Overrun in packbits replicate of %d chars", n - unpack_left);
error_code = 2;
+ break;
}
memset (dst, *src, n);
src++;
--
2.31.1
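Review bot: The new `break` only stops decoding if this `if` sits directly in the loop body of decode_packbits; the function starts outside the hunk, so if the replicate branch is nested in a `switch` the `break` would leave the switch and the `memset` on the next line would still run, which is worth confirming. The intent also deserves a comment, since `error_code = 2;` followed by a bare `break;` reads like an accidental early exit: `/* replicating n bytes would overrun dst; stop decoding, caller checks error_code */`. The literal-copy branch of the same decoder is outside the hunk; if it carries the same overrun check it needs the same early exit.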


@ -0,0 +1,42 @@
From 96f536a33590bb9811da5b5639e1d6c25aaf2e01 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Sat, 23 Sep 2023 02:41:57 +0000
Subject: [PATCH] plug-ins: Fix PSP vulnerability (ZDI-CAN-22096)
Resolves #10072.
The current PSP palette loading code does not check if
the file's palette entry count value is below the limit
(G_MAXUNIT32 / 4 due to each color being 4 bytes long).
This patch adds this check and stops loading if the count
is larger than GIMP currently supports.
---
plug-ins/common/file-psp.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index 582a10c300..7c9340ee2b 100644
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -1279,8 +1279,17 @@ read_color_block (FILE *f,
}
color_palette_entries = GUINT32_FROM_LE (entry_count);
+ /* TODO: GIMP currently only supports a maximum of 256 colors
+ * in an indexed image. If this changes, we can change this check */
+ if (color_palette_entries > 256)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("Error: Unsupported palette size"));
+ return -1;
+ }
+
/* psp color palette entries are stored as RGBA so 4 bytes per entry
- where the fourth bytes is always zero */
+ * where the fourth bytes is always zero */
pal_size = color_palette_entries * 4;
color_palette = g_malloc (pal_size);
if (fread (color_palette, pal_size, 1, f) < 1)
--
2.31.1
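Review bot: The new guard rejects palettes larger than 256 entries but still lets `color_palette_entries == 0` through: `pal_size` becomes 0, `g_malloc (0)` returns NULL and `fread (NULL, 0, 1, f)` returns 0, so the failure surfaces as a read error rather than as the palette-size problem it is. If a zero-entry palette is not valid PSP input, widening the check to `if (color_palette_entries == 0 || color_palette_entries > 256)` reports it accurately. As the TODO says, 256 is a GIMP limit rather than a PSP one; a named constant such as `PSP_MAX_PALETTE_ENTRIES` beside the TODO would keep the comment and the literal in step. read_color_block starts and ends outside the hunk.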


@ -0,0 +1,31 @@
From e1bfd87195e4fe60a92df70cde65464d032dd3c1 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Sat, 23 Sep 2023 02:16:24 +0000
Subject: [PATCH] plug-ins: Fix PSP vulnerability (ZDI-CAN-22097)
Resolves #10071.
When reading RLE compressed data, a buffer was allocated to 127 bytes.
However, it can potentially be used to read 128 bytes, leading to a
off-by-one vulnerability. This patch allocates 128 bytes to the buffer
to prevent this from occurring.
---
plug-ins/common/file-psp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index c8b166471e..582a10c300 100644
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -1649,7 +1649,7 @@ read_channel_data (FILE *f,
else
endq = q + line_width * height;
- buf = g_malloc (127);
+ buf = g_malloc (128);
while (q < endq)
{
fread (&runcount, 1, 1, f);
--
2.31.1
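Review bot: The allocation grows from 127 to 128 bytes but the size is still a bare literal, and the read that fills `buf` is outside the hunk, so nothing in the code ties the allocation to the maximum run length it must hold; a named constant at the top of read_channel_data, `enum { PSP_RLE_MAX_RUN = 128 };`, used for both the allocation and the read would make this off-by-one hard to reintroduce. The context line `fread (&runcount, 1, 1, f);` ignores its return value: on a truncated file `runcount` keeps its previous value (or is uninitialized on the first pass, if it is not set before the loop) and the loop keeps consuming stale run counts until `q < endq` fails; `if (fread (&runcount, 1, 1, f) != 1) break;` stops at end of file instead. read_channel_data starts and ends outside the hunk.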


@ -88,7 +88,7 @@ Summary: GNU Image Manipulation Program
Name: gimp
Epoch: 2
Version: 2.99.8
%global rel 3
%global rel 4
Release: %{?prerelprefix}%{rel}%{dotprerel}%{dotgitrev}%{?dist}
# Compute some version related macros.
@ -249,6 +249,14 @@ Patch5: gimp-CVE-2022-30067.patch
# CVE-2022-32990
Patch6: gimp-CVE-2022-32990.patch
# CVE-2023-44441 CVE-2023-44442 CVE-2023-44443 CVE-2023-44444
Patch7: gimp-2.10.36-CVE-2023-44441-0001-plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
Patch8: gimp-2.10.36-CVE-2023-44441-0002-plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
Patch9: gimp-2.10.36-CVE-2023-44441-0003-plug-ins-Additional-fixes-for-DDS-Import.patch
Patch10: gimp-CVE-2023-44442.patch
Patch11: gimp-CVE-2023-44443.patch
Patch12: gimp-CVE-2023-44444.patch
# use external help browser directly if help browser plug-in is not built
Patch100: gimp-2.10.24-external-help-browser.patch
@ -354,6 +362,12 @@ EOF
%patch4 -p1 -b .remove-lua
%patch5 -p1 -b .CVE-2022-30067
%patch6 -p1 -b .CVE-2022-32990
%patch7 -p1 -b .CVE-2023-44441-1
%patch8 -p1 -b .CVE-2023-44441-2
%patch9 -p1 -b .CVE-2023-44441-3
%patch10 -p1 -b .CVE-2023-44442
%patch11 -p1 -b .CVE-2023-44443
%patch12 -p1 -b .CVE-2023-44444
%if ! %{with helpbrowser}
#%patch100 -p1 -b .external-help-browser
@ -736,6 +750,12 @@ make check %{?_smp_mflags}
%endif
%changelog
* Mon Feb 05 2024 Darren Archibald <darren.archibald@oracle.com> - 2:2.99.8-4
- fix CVE-2023-44441
- fix CVE-2023-44442
- fix CVE-2023-44443
- fix CVE-2023-44444
* Mon Jul 18 2022 Josef Ridky <jridky@redhat.com> - 2:2.99.8-3
- fix CVE-2022-30067
- fix CVE-2022-32990