import OL gimp-2.99.8-4.el9_3

SOURCES/gimp-2.10.36-CVE-2023-44441-0001-plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch

@@ -0,0 +1,63 @@
+From 1e67a41b5171ab6c852d2b82ad3f3c23393d6326 Mon Sep 17 00:00:00 2001
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Wed, 7 Feb 2024 12:45:17 +0000
+Subject: [PATCH 1/3] plug-ins: Fix DDS vulnerability (ZDI-CAN-22093)
+
+Resolves #10069
+
+Currently, the DDS header information for the width, height, and bytes per scan line
+are read in and assumed to be correct. As these values are used for memory allocation
+and reading, it would be good to verify they do not exceed the file size.
+
+This patch adds a condition after the header is read in to verify those values. If they exceed
+the file size (mins an offset), the file is not read in and an error message is shown.
+
+Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
+Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
+---
+ plug-ins/file-dds/ddsread.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
+index 72102d0..add4ba5 100644
+--- a/plug-ins/file-dds/ddsread.c
++++ b/plug-ins/file-dds/ddsread.c
+@@ -124,6 +124,7 @@ read_dds (GFile          *file,
+   guint              l = 0;
+   guchar            *pixels;
+   FILE              *fp;
++  gsize              file_size;
+   dds_header_t       hdr;
+   dds_header_dx10_t  dx10hdr;
+   dds_load_info_t    d;
+@@ -157,6 +158,10 @@ read_dds (GFile          *file,
+       return GIMP_PDB_EXECUTION_ERROR;
+     }
+ 
++  fseek (fp, 0L, SEEK_END);
++  file_size = ftell (fp);
++  fseek (fp, 0, SEEK_SET);
++
+   gimp_progress_init_printf ("Loading %s:", gimp_file_get_utf8_name (file));
+ 
+   /* read header */
+@@ -207,6 +212,16 @@ read_dds (GFile          *file,
+         }
+     }
+ 
++  /* verify header information is accurate */
++  if (hdr.depth < 1                                       ||
++      (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
++      (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
++    {
++      fclose (fp);
++      g_message ("Invalid or corrupted DDS header\n");
++      return GIMP_PDB_EXECUTION_ERROR;
++    }
++
+   if (hdr.pixelfmt.flags & DDPF_FOURCC)
+     {
+       /* fourcc is dXt* or rXgb */
+-- 
+2.39.3
+

SOURCES/gimp-2.10.36-CVE-2023-44441-0002-plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch

@@ -0,0 +1,100 @@
+From bd6e7854b7b679444af685fab06dbb6559f3d720 Mon Sep 17 00:00:00 2001
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Wed, 7 Feb 2024 12:47:12 +0000
+Subject: [PATCH 2/3] plug-ins: Fix DDS import regression from 7db71cd0
+
+@Wormnest pointed out that compressed files are likely smaller than
+width * height * bps, so our check to prevent ZDI-CAN-22093
+also caught valid files.
+The size check is removed from load_image () and moved to load_layer ()
+before the two fread() functions, as we know exactly how much we'll
+try to read at that point.
+(Backport of 8faad92e)
+
+Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
+Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
+---
+ plug-ins/file-dds/ddsread.c | 39 +++++++++++++++++++++++++++----------
+ 1 file changed, 29 insertions(+), 10 deletions(-)
+
+diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
+index add4ba5..b19d32e 100644
+--- a/plug-ins/file-dds/ddsread.c
++++ b/plug-ins/file-dds/ddsread.c
+@@ -212,16 +212,6 @@ read_dds (GFile          *file,
+         }
+     }
+ 
+-  /* verify header information is accurate */
+-  if (hdr.depth < 1                                       ||
+-      (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
+-      (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
+-    {
+-      fclose (fp);
+-      g_message ("Invalid or corrupted DDS header\n");
+-      return GIMP_PDB_EXECUTION_ERROR;
+-    }
+-
+   if (hdr.pixelfmt.flags & DDPF_FOURCC)
+     {
+       /* fourcc is dXt* or rXgb */
+@@ -332,6 +322,15 @@ read_dds (GFile          *file,
+       precision = GIMP_PRECISION_U8_NON_LINEAR;
+     }
+ 
++  /* verify header information is accurate */
++  if (d.bpp < 1 ||
++      (hdr.pitch_or_linsize > (file_size - sizeof (hdr))))
++    {
++      fclose (fp);
++      g_message ("Invalid or corrupted DDS header\n");
++      return GIMP_PDB_EXECUTION_ERROR;
++    }
++
+   image = gimp_image_new_with_precision (hdr.width, hdr.height, type, precision);
+ 
+   if (! image)
+@@ -1000,6 +999,13 @@ load_layer (FILE             *fp,
+   guint          size = hdr->pitch_or_linsize >> (2 * level);
+   guint          layerw;
+   gint           format = DDS_COMPRESS_NONE;
++  gsize          file_size;
++  gsize          current_position;
++
++  current_position = ftell (fp);
++  fseek (fp, 0L, SEEK_END);
++  file_size = ftell (fp);
++  fseek (fp, current_position, SEEK_SET);
+ 
+   if (width < 1) width = 1;
+   if (height < 1) height = 1;
+@@ -1097,6 +1103,12 @@ load_layer (FILE             *fp,
+         size *= 16;
+     }
+ 
++  if (size > (file_size - current_position))
++    {
++      g_message ("Requested data exceeds size of file.\n");
++      return 0;
++    }
++
+   if ((hdr->flags & DDSD_LINEARSIZE) &&
+       !fread (buf, size, 1, fp))
+     {
+@@ -1136,6 +1148,13 @@ load_layer (FILE             *fp,
+               gimp_progress_update ((double) y / (double) hdr->height);
+             }
+ 
++          current_position = ftell (fp);
++          if ((width * d->bpp) > (file_size - current_position))
++            {
++              g_message ("Requested data exceeds size of file.\n");
++              return 0;
++            }
++
+           if ((hdr->flags & DDSD_PITCH) &&
+               ! fread (buf, width * d->bpp, 1, fp))
+             {
+-- 
+2.39.3
+

SOURCES/gimp-2.10.36-CVE-2023-44441-0003-plug-ins-Additional-fixes-for-DDS-Import.patch

@@ -0,0 +1,54 @@
+From 6d7aa0fd52d4d48e09e3c2fb3fb39b55cd35e0ea Mon Sep 17 00:00:00 2001
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Sat, 28 Oct 2023 21:44:51 +0000
+Subject: [PATCH 3/3] plug-ins: Additional fixes for DDS Import
+
+@Wormnest noted remaining regressions after 8faad92e.
+The second fread() only runs if the DDSD_PITCH flag is set,
+so the error handling check should also be conditional.
+Additionally, the ZDI-CAN-22093 exploit no longer runs but
+still could cause a plug-in crash. This patch adds an additional
+check to ensure the buffer size was within bounds.
+
+Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
+Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
+---
+ plug-ins/file-dds/ddsread.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
+index b19d32e..21eeb56 100644
+--- a/plug-ins/file-dds/ddsread.c
++++ b/plug-ins/file-dds/ddsread.c
+@@ -1005,6 +1005,7 @@ load_layer (FILE             *fp,
+   current_position = ftell (fp);
+   fseek (fp, 0L, SEEK_END);
+   file_size = ftell (fp);
++  fseek (fp, 0, SEEK_SET);
+   fseek (fp, current_position, SEEK_SET);
+ 
+   if (width < 1) width = 1;
+@@ -1103,7 +1104,8 @@ load_layer (FILE             *fp,
+         size *= 16;
+     }
+ 
+-  if (size > (file_size - current_position))
++  if (size > (file_size - current_position) ||
++      size > hdr->pitch_or_linsize)
+     {
+       g_message ("Requested data exceeds size of file.\n");
+       return 0;
+@@ -1149,7 +1151,9 @@ load_layer (FILE             *fp,
+             }
+ 
+           current_position = ftell (fp);
+-          if ((width * d->bpp) > (file_size - current_position))
++          if ((hdr->flags & DDSD_PITCH)                          &&
++              ((width * d->bpp) > (file_size - current_position) ||
++               (width * d->bpp) > hdr->pitch_or_linsize))
+             {
+               g_message ("Requested data exceeds size of file.\n");
+               return 0;
+-- 
+2.39.3
+

SOURCES/gimp-CVE-2023-44442.patch

@@ -0,0 +1,27 @@
+From 865cc56894dcb6e1c664a55e4b4010ebf6919e10 Mon Sep 17 00:00:00 2001
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Fri, 29 Sep 2023 20:38:51 +0000
+Subject: [PATCH] plug-ins: Fix vulnerability in file-psd
+
+Resolves #10101.
+This patch adds a missing break statement after an error condition
+is detected to prevent the code from continuing afterwards.
+---
+ plug-ins/file-psd/psd-util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plug-ins/file-psd/psd-util.c b/plug-ins/file-psd/psd-util.c
+index 761865e7af..545bd32f7c 100644
+--- a/plug-ins/file-psd/psd-util.c
++++ b/plug-ins/file-psd/psd-util.c
+@@ -583,6 +583,7 @@ decode_packbits (const gchar *src,
+             {
+               IFDBG(2) g_debug ("Overrun in packbits replicate of %d chars", n - unpack_left);
+               error_code = 2;
++              break;
+             }
+           memset (dst, *src, n);
+           src++;
+-- 
+2.31.1
+

SOURCES/gimp-CVE-2023-44443.patch

@@ -0,0 +1,42 @@
+From 96f536a33590bb9811da5b5639e1d6c25aaf2e01 Mon Sep 17 00:00:00 2001
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Sat, 23 Sep 2023 02:41:57 +0000
+Subject: [PATCH] plug-ins: Fix PSP vulnerability (ZDI-CAN-22096)
+
+Resolves #10072.
+
+The current PSP palette loading code does not check if
+the file's palette entry count value is below the limit
+(G_MAXUNIT32 / 4 due to each color being 4 bytes long).
+This patch adds this check and stops loading if the count
+is larger than GIMP currently supports.
+---
+ plug-ins/common/file-psp.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index 582a10c300..7c9340ee2b 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -1279,8 +1279,17 @@ read_color_block (FILE      *f,
+     }
+ 
+   color_palette_entries = GUINT32_FROM_LE (entry_count);
++  /* TODO: GIMP currently only supports a maximum of 256 colors
++   * in an indexed image. If this changes, we can change this check */
++  if (color_palette_entries > 256)
++    {
++      g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++                   _("Error: Unsupported palette size"));
++      return -1;
++    }
++
+   /* psp color palette entries are stored as RGBA so 4 bytes per entry
+-     where the fourth bytes is always zero */
++   * where the fourth bytes is always zero */
+   pal_size = color_palette_entries * 4;
+   color_palette = g_malloc (pal_size);
+   if (fread (color_palette, pal_size, 1, f) < 1)
+-- 
+2.31.1
+

SOURCES/gimp-CVE-2023-44444.patch

@@ -0,0 +1,31 @@
+From e1bfd87195e4fe60a92df70cde65464d032dd3c1 Mon Sep 17 00:00:00 2001
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Sat, 23 Sep 2023 02:16:24 +0000
+Subject: [PATCH] plug-ins: Fix PSP vulnerability (ZDI-CAN-22097)
+
+Resolves #10071.
+
+When reading RLE compressed data, a buffer was allocated to 127 bytes.
+However, it can potentially be used to read 128 bytes, leading to a
+off-by-one vulnerability. This patch allocates 128 bytes to the buffer
+to prevent this from occurring.
+---
+ plug-ins/common/file-psp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index c8b166471e..582a10c300 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -1649,7 +1649,7 @@ read_channel_data (FILE        *f,
+         else
+           endq = q + line_width * height;
+ 
+-        buf = g_malloc (127);
++        buf = g_malloc (128);
+         while (q < endq)
+           {
+             fread (&runcount, 1, 1, f);
+-- 
+2.31.1
+

SPECS/gimp.spec

@@ -88,7 +88,7 @@ Summary:        GNU Image Manipulation Program
 Name:           gimp
 Epoch:          2
 Version:        2.99.8
-%global rel 3
+%global rel 4
 Release:        %{?prerelprefix}%{rel}%{dotprerel}%{dotgitrev}%{?dist}
 
 # Compute some version related macros.
@@ -249,6 +249,14 @@ Patch5:         gimp-CVE-2022-30067.patch
 # CVE-2022-32990
 Patch6:         gimp-CVE-2022-32990.patch
 
+# CVE-2023-44441 CVE-2023-44442 CVE-2023-44443 CVE-2023-44444
+Patch7:		gimp-2.10.36-CVE-2023-44441-0001-plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
+Patch8:		gimp-2.10.36-CVE-2023-44441-0002-plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
+Patch9:		gimp-2.10.36-CVE-2023-44441-0003-plug-ins-Additional-fixes-for-DDS-Import.patch
+Patch10:	gimp-CVE-2023-44442.patch
+Patch11:	gimp-CVE-2023-44443.patch
+Patch12:	gimp-CVE-2023-44444.patch
+
 # use external help browser directly if help browser plug-in is not built
 Patch100:       gimp-2.10.24-external-help-browser.patch
 
@@ -354,6 +362,12 @@ EOF
 %patch4 -p1 -b .remove-lua
 %patch5 -p1 -b .CVE-2022-30067
 %patch6 -p1 -b .CVE-2022-32990
+%patch7 -p1 -b .CVE-2023-44441-1
+%patch8 -p1 -b .CVE-2023-44441-2
+%patch9 -p1 -b .CVE-2023-44441-3
+%patch10 -p1 -b .CVE-2023-44442
+%patch11 -p1 -b .CVE-2023-44443
+%patch12 -p1 -b .CVE-2023-44444
 
 %if ! %{with helpbrowser}
 #%patch100 -p1 -b .external-help-browser
@@ -736,6 +750,12 @@ make check %{?_smp_mflags}
 %endif
 
 %changelog
+* Mon Feb 05 2024 Darren Archibald <darren.archibald@oracle.com> - 2:2.99.8-4
+- fix CVE-2023-44441
+- fix CVE-2023-44442
+- fix CVE-2023-44443
+- fix CVE-2023-44444
+
 * Mon Jul 18 2022 Josef Ridky <jridky@redhat.com> - 2:2.99.8-3
 - fix CVE-2022-30067
 - fix CVE-2022-32990