diff --git a/.gitignore b/.gitignore
index 6cb785f..5eb9cb6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,4 @@ gimp-2.6.10-1-autoreconf.patch.bz2
 /gimp-2.8.0-RC1.tar.bz2
 /gimp-2.8.0-RC1-gitff6c280.patch.bz2
 /gimp-2.8.0.tar.bz2
+/gimp-2.8.2.tar.bz2
diff --git a/gimp-2.8.0-CVE-2012-3403.patch b/gimp-2.8.0-CVE-2012-3403.patch
deleted file mode 100644
index fe175d8..0000000
--- a/gimp-2.8.0-CVE-2012-3403.patch
+++ /dev/null
@@ -1,501 +0,0 @@ -From 144265df9a25a18181a4e3206543488fe1565ab0 Mon Sep 17 00:00:00 2001 -From: Nils Philippsen -Date: Mon, 20 Aug 2012 14:17:51 +0200 -Subject: [PATCH] patch: CVE-2012-3403 - -Squashed commit of the following: - -commit 6f4fceb2dc6ed6021d4d14ba19d4fb0b5ac74273 -Author: Nils Philippsen -Date: Fri Jul 13 15:33:27 2012 +0200 - - file-cel: use g_set_error() for errors instead of g_message() - (cherry picked from commit 86f4cd39bd493c88a7a19b56d1827d8b911e07f6) - -commit 288763736141624e8b3136cfff292b6107d35730 -Author: Nils Philippsen -Date: Fri Jul 13 15:30:44 2012 +0200 - - file-cel: use statically allocated palette buffer - (cherry picked from commit 69b98191cf315bcf0f7b8878896c01600e67c124) - -commit 48a7eb9a77b327777fbf01b0474c8adeb0d76b47 -Author: Nils Philippsen -Date: Fri Jul 13 15:20:06 2012 +0200 - - file-cel: validate header data (CVE-2012-3403) - (cherry picked from commit b772d1b84c9272bb46ab9a21db4390e6263c9892) - -commit 5ad4967eb6ad1893d2b8c1ef449e57d005fb22e4 -Author: Nils Philippsen -Date: Thu Jul 12 15:50:02 2012 +0200 - - file-cel: check fread()/g_fopen() return values and pass on errors - (cherry picked from commit 797db58b94c64f418c35d38b7a608d933c8cebef) ---- - plug-ins/common/file-cel.c | 282 +++++++++++++++++++++++++++++++++++++-------- - 1 file changed, 233 insertions(+), 49 deletions(-) - -diff --git a/plug-ins/common/file-cel.c b/plug-ins/common/file-cel.c -index d285936..6292d7a 100644 ---- a/plug-ins/common/file-cel.c -+++ b/plug-ins/common/file-cel.c -@@ -44,8 +44,10 @@ static void run (const gchar *name, - gint *nreturn_vals, - GimpParam **return_vals); - --static gint load_palette (FILE *fp, -- guchar palette[]); -+static gint load_palette (const gchar *file, -+ FILE *fp, -+ guchar palette[], -+ GError **error); - static gint32 load_image (const gchar *file, - const gchar *brief, - GError **error); -@@ -55,7 +57,8 @@ static gboolean save_image (const gchar *file, - gint32 layer, - GError **error); - static void 
palette_dialog (const gchar *title); --static gboolean need_palette (const gchar *file); -+static gboolean need_palette (const gchar *file, -+ GError **error); - - - /* Globals... */ -@@ -150,6 +153,7 @@ run (const gchar *name, - gint32 image; - GimpExportReturn export = GIMP_EXPORT_CANCEL; - GError *error = NULL; -+ gint needs_palette = 0; - - run_mode = param[0].data.d_int32; - -@@ -187,20 +191,32 @@ run (const gchar *name, - else if (run_mode == GIMP_RUN_INTERACTIVE) - { - /* Let user choose KCF palette (cancel ignores) */ -- if (need_palette (param[1].data.d_string)) -- palette_dialog (_("Load KISS Palette")); -+ needs_palette = need_palette (param[1].data.d_string, &error); - -- gimp_set_data (SAVE_PROC, palette_file, data_length); -- } -+ if (! error) -+ { -+ if (needs_palette) -+ palette_dialog (_("Load KISS Palette")); - -- image = load_image (param[1].data.d_string, param[2].data.d_string, -- &error); -+ gimp_set_data (SAVE_PROC, palette_file, data_length); -+ } -+ } - -- if (image != -1) -+ if (! 
error) - { -- *nreturn_vals = 2; -- values[1].type = GIMP_PDB_IMAGE; -- values[1].data.d_image = image; -+ image = load_image (param[1].data.d_string, param[2].data.d_string, -+ &error); -+ -+ if (image != -1) -+ { -+ *nreturn_vals = 2; -+ values[1].type = GIMP_PDB_IMAGE; -+ values[1].data.d_image = image; -+ } -+ else -+ { -+ status = GIMP_PDB_EXECUTION_ERROR; -+ } - } - else - { -@@ -263,18 +279,33 @@ run (const gchar *name, - - /* Peek into the file to determine whether we need a palette */ - static gboolean --need_palette (const gchar *file) -+need_palette (const gchar *file, -+ GError **error) - { - FILE *fp; - guchar header[32]; -+ size_t n_read; - - fp = g_fopen (file, "rb"); -- if (!fp) -- return FALSE; -+ if (fp == NULL) -+ { -+ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno), -+ _("Could not open '%s' for reading: %s"), -+ gimp_filename_to_utf8 (file), g_strerror (errno)); -+ return FALSE; -+ } -+ -+ n_read = fread (header, 32, 1, fp); - -- fread (header, 32, 1, fp); - fclose (fp); - -+ if (n_read < 1) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("EOF or error while reading image header")); -+ return FALSE; -+ } -+ - return (header[5] < 32); - } - -@@ -286,11 +317,12 @@ load_image (const gchar *file, - GError **error) - { - FILE *fp; /* Read file pointer */ -- guchar header[32]; /* File header */ -+ guchar header[32], /* File header */ -+ file_mark, /* KiSS file type */ -+ bpp; /* Bits per pixel */ - gint height, width, /* Dimensions of image */ - offx, offy, /* Layer offets */ -- colours, /* Number of colours */ -- bpp; /* Bits per pixel */ -+ colours; /* Number of colours */ - - gint32 image, /* Image */ - layer; /* Layer */ -@@ -301,6 +333,7 @@ load_image (const gchar *file, - GimpPixelRgn pixel_rgn; /* Pixel region for layer */ - - gint i, j, k; /* Counters */ -+ size_t n_read; /* Number of items read from file */ - - - /* Open the file for reading */ -@@ -319,7 +352,14 @@ load_image (const gchar *file, - - /* 
Get the image dimensions and create the image... */ - -- fread (header, 4, 1, fp); -+ n_read = fread (header, 4, 1, fp); -+ -+ if (n_read < 1) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("EOF or error while reading image header")); -+ return -1; -+ } - - if (strncmp ((const gchar *) header, "KiSS", 4)) - { -@@ -332,18 +372,53 @@ load_image (const gchar *file, - } - else - { /* New-style image file, read full header */ -- fread (header, 28, 1, fp); -+ n_read = fread (header, 28, 1, fp); -+ -+ if (n_read < 1) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("EOF or error while reading image header")); -+ return -1; -+ } -+ -+ file_mark = header[0]; -+ if (file_mark != 0x20 && file_mark != 0x21) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("is not a CEL image file")); -+ return -1; -+ } -+ - bpp = header[1]; -- if (bpp == 24) -- colours = -1; -- else -- colours = (1 << header[1]); -+ switch (bpp) -+ { -+ case 4: -+ case 8: -+ case 32: -+ colours = (1 << bpp); -+ break; -+ default: -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("illegal bpp value in image: %hhu"), bpp); -+ return -1; -+ } -+ - width = header[4] + (256 * header[5]); - height = header[6] + (256 * header[7]); - offx = header[8] + (256 * header[9]); - offy = header[10] + (256 * header[11]); - } - -+ if ((width == 0) || (height == 0) || (width + offx > GIMP_MAX_IMAGE_SIZE) || -+ (height + offy > GIMP_MAX_IMAGE_SIZE)) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("illegal image dimensions: width: %d, horizontal offset: " -+ "%d, height: %d, vertical offset: %d"), -+ width, offx, height, offy); -+ return -1; -+ } -+ - if (bpp == 32) - image = gimp_image_new (width + offx, height + offy, GIMP_RGB); - else -@@ -351,7 +426,7 @@ load_image (const gchar *file, - - if (image == -1) - { -- g_message (_("Can't create a new image")); -+ g_set_error (error, 0, 0, _("Can't create a new image")); - fclose (fp); - 
return -1; - } -@@ -384,7 +459,15 @@ load_image (const gchar *file, - switch (bpp) - { - case 4: -- fread (buffer, (width+1)/2, 1, fp); -+ n_read = fread (buffer, (width+1)/2, 1, fp); -+ -+ if (n_read < 1) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("EOF or error while reading image data")); -+ return -1; -+ } -+ - for (j = 0, k = 0; j < width*2; j+= 4, ++k) - { - if (buffer[k] / 16 == 0) -@@ -411,7 +494,15 @@ load_image (const gchar *file, - break; - - case 8: -- fread (buffer, width, 1, fp); -+ n_read = fread (buffer, width, 1, fp); -+ -+ if (n_read < 1) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("EOF or error while reading image data")); -+ return -1; -+ } -+ - for (j = 0, k = 0; j < width*2; j+= 2, ++k) - { - if (buffer[k] == 0) -@@ -428,7 +519,15 @@ load_image (const gchar *file, - break; - - case 32: -- fread (line, width*4, 1, fp); -+ n_read = fread (line, width*4, 1, fp); -+ -+ if (n_read < 1) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("EOF or error while reading image data")); -+ return -1; -+ } -+ - /* The CEL file order is BGR so we need to swap B and R - * to get the Gimp RGB order. 
- */ -@@ -441,7 +540,8 @@ load_image (const gchar *file, - break; - - default: -- g_message (_("Unsupported bit depth (%d)!"), bpp); -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("Unsupported bit depth (%d)!"), bpp); - return -1; - } - -@@ -459,7 +559,7 @@ load_image (const gchar *file, - if (bpp != 32) - { - /* Use palette from file or otherwise default grey palette */ -- palette = g_new (guchar, colours*3); -+ guchar palette[256*3]; - - /* Open the file for reading if user picked one */ - if (palette_file == NULL) -@@ -469,12 +569,23 @@ load_image (const gchar *file, - else - { - fp = g_fopen (palette_file, "r"); -+ -+ if (fp == NULL) -+ { -+ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno), -+ _("Could not open '%s' for reading: %s"), -+ gimp_filename_to_utf8 (palette_file), -+ g_strerror (errno)); -+ return -1; -+ } - } - - if (fp != NULL) - { -- colours = load_palette (fp, palette); -+ colours = load_palette (palette_file, fp, palette, error); - fclose (fp); -+ if (colours < 0 || *error) -+ return -1; - } - else - { -@@ -485,10 +596,6 @@ load_image (const gchar *file, - } - - gimp_image_set_colormap (image, palette + 3, colours - 1); -- -- /* Close palette file, give back allocated memory */ -- -- g_free (palette); - } - - /* Now get everything redrawn and hand back the finished image */ -@@ -500,32 +607,100 @@ load_image (const gchar *file, - } - - static gint --load_palette (FILE *fp, -- guchar palette[]) -+load_palette (const gchar *file, -+ FILE *fp, -+ guchar palette[], -+ GError **error) - { - guchar header[32]; /* File header */ - guchar buffer[2]; -- int i, bpp, colours= 0; -+ guchar file_mark, bpp; -+ gint i, colours = 0; -+ size_t n_read; -+ -+ n_read = fread (header, 4, 1, fp); -+ -+ if (n_read < 1) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("'%s': EOF or error while reading palette header"), -+ gimp_filename_to_utf8 (file)); -+ return -1; -+ } - -- fread (header, 4, 1, fp); - if (!strncmp 
((const gchar *) header, "KiSS", 4)) - { -- fread (header+4, 28, 1, fp); -+ n_read = fread (header+4, 28, 1, fp); -+ -+ if (n_read < 1) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("'%s': EOF or error while reading palette header"), -+ gimp_filename_to_utf8 (file)); -+ return -1; -+ } -+ -+ file_mark = header[4]; -+ if (file_mark != 0x10) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("'%s': is not a KCF palette file"), -+ gimp_filename_to_utf8 (file)); -+ return -1; -+ } -+ - bpp = header[5]; -+ if (bpp != 12 && bpp != 24) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("'%s': illegal bpp value in palette: %hhu"), -+ gimp_filename_to_utf8 (file), bpp); -+ return -1; -+ } -+ - colours = header[8] + header[9] * 256; -- if (bpp == 12) -+ if (colours != 16 && colours != 256) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("'%s': illegal number of colors: %u"), -+ gimp_filename_to_utf8 (file), colours); -+ return -1; -+ } -+ -+ switch (bpp) - { -+ case 12: - for (i = 0; i < colours; ++i) - { -- fread (buffer, 1, 2, fp); -+ n_read = fread (buffer, 1, 2, fp); -+ -+ if (n_read < 2) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("'%s': EOF or error while reading " -+ "palette data"), -+ gimp_filename_to_utf8 (file)); -+ return -1; -+ } -+ - palette[i*3]= buffer[0] & 0xf0; - palette[i*3+1]= (buffer[1] & 0x0f) * 16; - palette[i*3+2]= (buffer[0] & 0x0f) * 16; - } -- } -- else -- { -- fread (palette, colours, 3, fp); -+ break; -+ case 24: -+ n_read = fread (palette, colours, 3, fp); -+ -+ if (n_read < 3) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("'%s': EOF or error while reading palette data"), -+ gimp_filename_to_utf8 (file)); -+ return -1; -+ } -+ break; -+ default: -+ g_assert_not_reached (); - } - } - else -@@ -534,7 +709,16 @@ load_palette (FILE *fp, - fseek (fp, 0, SEEK_SET); - for (i= 0; i < colours; ++i) - { -- fread (buffer, 1, 2, fp); -+ 
n_read = fread (buffer, 1, 2, fp); -+ -+ if (n_read < 2) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("'%s': EOF or error while reading palette data"), -+ gimp_filename_to_utf8 (file)); -+ return -1; -+ } -+ - palette[i*3] = buffer[0] & 0xf0; - palette[i*3+1] = (buffer[1] & 0x0f) * 16; - palette[i*3+2] = (buffer[0] & 0x0f) * 16; --- -1.7.11.4 - diff --git a/gimp-2.8.0-CVE-2012-3481.patch b/gimp-2.8.0-CVE-2012-3481.patch deleted file mode 100644 index 51bd699..0000000 --- a/gimp-2.8.0-CVE-2012-3481.patch +++ /dev/null 
@@ -1,56 +0,0 @@
-From b39f4582b80984f86701ab56f355c911cd448e15 Mon Sep 17 00:00:00 2001
-From: Nils Philippsen
-Date: Mon, 20 Aug 2012 14:18:49 +0200
-Subject: [PATCH] patch: CVE-2012-3481
-
-Squashed commit of the following:
-
-commit 52cce706d3d490d96e81d9cebff8c9796f33ff67
-Author: Nils Philippsen
-Date: Tue Aug 14 15:27:39 2012 +0200
-
- file-gif-load: fix type overflow (CVE-2012-3481)
-
- Cast variables properly to avoid overflowing when computing how much
- memory to allocate.
- (cherry picked from commit 43fc9dbd8e2196944c8a71321e525b89b7df9f5c)
-
-commit 562eefae83d6da5b70aaaccddd54c1f17c42f1b3
-Author: Jan Lieskovsky
-Date: Tue Aug 14 12:18:22 2012 +0200
-
- file-gif-load: limit len and height (CVE-2012-3481)
-
- Ensure values of len and height can't overflow g_malloc() argument type.
- (cherry picked from commit d95c2f0bcb6775bdee2bef35b7d84f6dfd490783)
----
- plug-ins/common/file-gif-load.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
-index 4fdbe7a..0bb9bc4 100644
---- a/plug-ins/common/file-gif-load.c
-+++ b/plug-ins/common/file-gif-load.c
-@@ -1057,10 +1057,17 @@ ReadImage (FILE *fd,
- cur_progress = 0;
- max_progress = height;
-
-+ if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1)))
-+ {
-+ g_message ("'%s' has a larger image size than GIMP can handle.",
-+ gimp_filename_to_utf8 (filename));
-+ return -1;
-+ }
-+
- if (alpha_frame)
-- dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2));
-+ dest = (guchar *) g_malloc ((gsize)len * (gsize)height * (promote_to_rgb ? 4 : 2));
- else
-- dest = (guchar *) g_malloc (len * height);
-+ dest = (guchar *) g_malloc ((gsize)len * (gsize)height);
-
- #ifdef GIFDEBUG
- g_print ("GIF: reading %d by %d%s GIF image, ncols=%d\n",
---
-1.7.11.4
-
diff --git a/gimp-2.8.0-fits.patch b/gimp-2.8.0-fits.patch
deleted file mode 100644
index fbf3207..0000000
--- a/gimp-2.8.0-fits.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 202a4d52bcc6a69889c9f475a74a6570081e5cf6 Mon Sep 17 00:00:00 2001
-From: Nils Philippsen
-Date: Thu, 28 Jun 2012 13:54:50 +0200
-Subject: [PATCH] patch: fits
-
-Squashed commit of the following:
-
-commit c66982caadfad47db632647bcc19bcf480008bfc
-Author: Michael Natterer
-Date: Wed Jun 6 21:21:10 2012 +0200
-
- Bug 676804 - file handling DoS for fit file format
-
- Apply patch from joe@reactionis.co.uk which fixes a buffer overflow on
- broken/malicious fits files.
- (cherry picked from commit ace45631595e8781a1420842582d67160097163c)
----
- plug-ins/file-fits/fits-io.c | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/plug-ins/file-fits/fits-io.c b/plug-ins/file-fits/fits-io.c
-index 03d9652..ed77318 100644
---- a/plug-ins/file-fits/fits-io.c
-+++ b/plug-ins/file-fits/fits-io.c
-@@ -1054,10 +1054,18 @@ static FITS_HDU_LIST *fits_decode_header (FITS_RECORD_LIST *hdr,
- hdulist->used.simple = (strncmp (hdr->data, "SIMPLE ", 8) == 0);
- hdulist->used.xtension = (strncmp (hdr->data, "XTENSION", 8) == 0);
- if (hdulist->used.xtension)
-- {
-- fdat = fits_decode_card (fits_search_card (hdr, "XTENSION"), typ_fstring);
-- strcpy (hdulist->xtension, fdat->fstring);
-- }
-+ {
-+ fdat = fits_decode_card (fits_search_card (hdr, "XTENSION"), typ_fstring);
-+ if (fdat != NULL)
-+ {
-+ strcpy (hdulist->xtension, fdat->fstring);
-+ }
-+ else
-+ {
-+ strcpy (errmsg, "No valid XTENSION header found.");
-+ goto err_return;
-+ }
-+ }
-
- FITS_DECODE_CARD (hdr, "NAXIS", fdat, typ_flong);
- hdulist->naxis = fdat->flong;
---
-1.7.10.2
-
diff --git a/gimp.spec b/gimp.spec
index b888cce..e4405e7 100644
--- a/gimp.spec
+++ b/gimp.spec
@@ -70,8 +70,8 @@ Summary: GNU Image Manipulation Program Name: gimp Epoch: 2 -Version: 2.8.0 -Release: %{?prerelprefix}3%{dotprerel}%{dotgitrev}%{?dist} +Version: 2.8.2 +Release: %{?prerelprefix}1%{dotprerel}%{dotgitrev}%{?dist} # Compute some version related macros # Ugly hack, you need to get your quoting backslashes/percent signs straight @@ -186,10 +186,6 @@ Source0: ftp://ftp.gimp.org/pub/gimp/v%{binver}/gimp-%{version}%{dashprer Patch0: gimp-%{version}%{dashprerel}-git%{gitrev}.patch.bz2 %endif -Patch1: gimp-2.8.0-fits.patch -Patch2: gimp-2.8.0-CVE-2012-3403.patch -Patch3: gimp-2.8.0-CVE-2012-3481.patch - %description GIMP (GNU Image Manipulation Program) is a powerful image composition and editing program, which can be extremely useful for creating logos and other @@ -271,10 +267,6 @@ EOF %patch0 -p1 -b .git%{gitrev} %endif -%patch1 -p1 -b .fits -%patch2 -p1 -b .CVE-2012-3403 -%patch3 -p1 -b .CVE-2012-3481 - %build %if %{with hardening} # Use hardening compiler/linker flags because gimp is likely to deal with files @@ -546,6 +538,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : %{_libdir}/gimp/%{lib_api_version}/plug-ins/help-browser %changelog +* Fri Aug 24 2012 Nils Philippsen - 2:2.8.2-1 +- version 2.8.2 + * Mon Aug 20 2012 Nils Philippsen - 2:2.8.0-3 - fix crash in fits loader (#834627) - fix overflow in CEL plug-in (CVE-2012-3403) diff --git a/sources b/sources index 7d52b23..5fd12b8 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -28997d14055f15db063eb92e1c8a7ebb gimp-2.8.0.tar.bz2 +b542138820ca3a41cbd63fc331907955 gimp-2.8.2.tar.bz2