fix buffer overflows in sphere-designer, gfig, lighting plugins

(CVE-2010-4540, CVE-2010-4541, CVE-2010-4542)
2011-05-23 16:53:54 +02:00 · 2011-05-23 16:53:54 +02:00 · a954c2d1ca
commit a954c2d1ca
parent fe90662a7e
2 changed files with 152 additions and 1 deletions
--- a/gimp-2.6.11-CVE-2010-4540,4541,4542.patch
+++ b/gimp-2.6.11-CVE-2010-4540,4541,4542.patch
@ -0,0 +1,143 @@
+From 66ceac29afde903c013ec6ade2b12f2b5b6e4050 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils@redhat.com>
+Date: Mon, 23 May 2011 16:40:05 +0200
+Subject: [PATCH] patch: CVE-2010-4540,4541,4542
+
+Squashed commit of the following:
+
+commit c63c02e87b9c399f60a6a8d6d235f22a470fe2d2
+Author: Simon Budig <simon@budig.de>
+Date:   Tue Jan 11 23:28:16 2011 +0100
+
+    fixes for some buffer overflow problems (see bug #639203)
+    (cherry picked from commit 7fb0300e1cfdb98a3bde54dbc73a0f3eda375162)
+---
+ plug-ins/common/sphere-designer.c |    5 ++++-
+ plug-ins/gfig/gfig-style.c        |    8 +++++++-
+ plug-ins/lighting/lighting-ui.c   |   27 +++++++++++++++++++++++----
+ 3 files changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/plug-ins/common/sphere-designer.c b/plug-ins/common/sphere-designer.c
+index 5421067..b06af40 100644
+--- a/plug-ins/common/sphere-designer.c
+++ b/plug-ins/common/sphere-designer.c
+@@ -1992,6 +1992,7 @@ loadit (const gchar * fn)
+   gchar    endbuf[21 * (G_ASCII_DTOSTR_BUF_SIZE + 1)];
+   gchar   *end = endbuf;
+   gchar    line[1024];
+  gchar    fmt_str[16];
+   gint     i;
+   texture *t;
+   gint     majtype, type;
+@@ -2016,6 +2017,8 @@ loadit (const gchar * fn)
+ 
+   s.com.numtexture = 0;
+ 
+  snprintf (fmt_str, sizeof (fmt_str), "%%d %%d %%%lds", sizeof (endbuf) - 1);
+
+   while (!feof (f))
+     {
+ 
+@@ -2026,7 +2029,7 @@ loadit (const gchar * fn)
+       t = &s.com.texture[i];
+       setdefaults (t);
+ 
+-      if (sscanf (line, "%d %d %s", &t->majtype, &t->type, end) != 3)
+      if (sscanf (line, fmt_str, &t->majtype, &t->type, end) != 3)
+         t->color1.x = g_ascii_strtod (end, &end);
+       if (end && errno != ERANGE)
+         t->color1.y = g_ascii_strtod (end, &end);
+diff --git a/plug-ins/gfig/gfig-style.c b/plug-ins/gfig/gfig-style.c
+index f8fefb8..685fe58 100644
+--- a/plug-ins/gfig/gfig-style.c
+++ b/plug-ins/gfig/gfig-style.c
+@@ -165,6 +165,7 @@ gfig_read_parameter_gimp_rgb (gchar        **text,
+   gchar *ptr;
+   gchar *tmpstr;
+   gchar *endptr;
+  gchar  fmt_str[32];
+   gchar  colorstr_r[G_ASCII_DTOSTR_BUF_SIZE];
+   gchar  colorstr_g[G_ASCII_DTOSTR_BUF_SIZE];
+   gchar  colorstr_b[G_ASCII_DTOSTR_BUF_SIZE];
+@@ -172,6 +173,10 @@ gfig_read_parameter_gimp_rgb (gchar        **text,
+ 
+   style_entry->r = style_entry->g = style_entry->b = style_entry->a = 0.;
+ 
+  snprintf (fmt_str, sizeof (fmt_str), "%%%lds %%%lds %%%lds %%%lds",
+            sizeof (colorstr_r) - 1, sizeof (colorstr_g) - 1,
+            sizeof (colorstr_b) - 1, sizeof (colorstr_a) - 1);
+
+   while (n < nitems)
+     {
+       ptr = strchr (text[n], ':');
+@@ -181,7 +186,8 @@ gfig_read_parameter_gimp_rgb (gchar        **text,
+           ptr++;
+           if (!strcmp (tmpstr, name))
+             {
+-              sscanf (ptr, "%s %s %s %s", colorstr_r, colorstr_g, colorstr_b, colorstr_a);
+              sscanf (ptr, fmt_str,
+                      colorstr_r, colorstr_g, colorstr_b, colorstr_a);
+               style_entry->r = g_ascii_strtod (colorstr_r, &endptr);
+               style_entry->g = g_ascii_strtod (colorstr_g, &endptr);
+               style_entry->b = g_ascii_strtod (colorstr_b, &endptr);
+diff --git a/plug-ins/lighting/lighting-ui.c b/plug-ins/lighting/lighting-ui.c
+index 71cd58f..702cda9 100644
+--- a/plug-ins/lighting/lighting-ui.c
+++ b/plug-ins/lighting/lighting-ui.c
+@@ -1342,6 +1342,7 @@ load_preset_response (GtkFileChooser *chooser,
+   gchar          buffer3[G_ASCII_DTOSTR_BUF_SIZE];
+   gchar          type_label[21];
+   gchar         *endptr;
+  gchar          fmt_str[32];
+ 
+   if (response_id == GTK_RESPONSE_OK)
+     {
+@@ -1381,23 +1382,41 @@ load_preset_response (GtkFileChooser *chooser,
+                   return;
+                 }
+ 
+-              fscanf (fp, " Position: %s %s %s", buffer1, buffer2, buffer3);
+              snprintf (fmt_str, sizeof (fmt_str),
+                        " Position: %%%lds %%%lds %%%lds",
+                        sizeof (buffer1) - 1,
+                        sizeof (buffer2) - 1,
+                        sizeof (buffer3) - 1);
+              fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
+               source->position.x = g_ascii_strtod (buffer1, &endptr);
+               source->position.y = g_ascii_strtod (buffer2, &endptr);
+               source->position.z = g_ascii_strtod (buffer3, &endptr);
+ 
+-              fscanf (fp, " Direction: %s %s %s", buffer1, buffer2, buffer3);
+              snprintf (fmt_str, sizeof (fmt_str),
+                        " Direction: %%%lds %%%lds %%%lds",
+                        sizeof (buffer1) - 1,
+                        sizeof (buffer2) - 1,
+                        sizeof (buffer3) - 1);
+              fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
+               source->direction.x = g_ascii_strtod (buffer1, &endptr);
+               source->direction.y = g_ascii_strtod (buffer2, &endptr);
+               source->direction.z = g_ascii_strtod (buffer3, &endptr);
+ 
+-              fscanf (fp, " Color: %s %s %s", buffer1, buffer2, buffer3);
+              snprintf (fmt_str, sizeof (fmt_str),
+                        " Color: %%%lds %%%lds %%%lds",
+                        sizeof (buffer1) - 1,
+                        sizeof (buffer2) - 1,
+                        sizeof (buffer3) - 1);
+              fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
+               source->color.r = g_ascii_strtod (buffer1, &endptr);
+               source->color.g = g_ascii_strtod (buffer2, &endptr);
+               source->color.b = g_ascii_strtod (buffer3, &endptr);
+               source->color.a = 1.0;
+ 
+-              fscanf (fp, " Intensity: %s", buffer1);
+              snprintf (fmt_str, sizeof (fmt_str),
+                        " Intensity: %%%lds",
+                        sizeof (buffer1) - 1);
+              fscanf (fp, fmt_str, buffer1);
+               source->intensity = g_ascii_strtod (buffer1, &endptr);
+ 
+             }
+-- 
+1.7.5.1
+
--- a/gimp.spec
+++ b/gimp.spec
@ -38,7 +38,7 @@ Summary:        GNU Image Manipulation Program
 Name:           gimp
 Epoch:          2
 Version:        2.6.11
-Release:        13%{?dist}
+Release:        14%{?dist}
 %define binver 2.6
 %define gimp_lang_ver 20
 %define interfacever 2.0
@ -150,6 +150,9 @@ Patch7:         gimp-2.6.11-poppler-0.17.patch
 # backport: CVE-2010-4543, CVE-2011-1782
 # harden PSP plugin against bogus input data
 Patch8:         gimp-2.6.11-psp-overflow.patch
+# backport: CVE-2010-4540, CVE-2010-4541, CVE-2010-4542
+# fix buffer overflows in sphere-designer, gfig, lighting plugins
+Patch9:         gimp-2.6.11-CVE-2010-4540,4541,4542.patch
 # files changed by autoreconf after applying the above
 Patch10:        gimp-2.6.11-11-autoreconf.patch.bz2

@ -240,6 +243,7 @@ EOF
 %patch6 -p1 -b .pyslice
 %patch7 -p1 -b .poppler-0.17
 %patch8 -p1 -b .psp-overflow
+%patch9 -p1 -b .CVE-2010-4540,4541,4542

 %patch10 -p1 -b .autoreconf

@ -507,6 +511,10 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %{_libdir}/gimp/%{interfacever}/plug-ins/help-browser

 %changelog
+* Mon May 23 2011 Nils Philippsen <nils@redhat.com> - 2:2.6.11-14
+- fix buffer overflows in sphere-designer (CVE-2010-4541),
+  gfig (CVE-2010-4542), lighting (CVE-2010-4540) plugins
+
 * Mon May 23 2011 Nils Philippsen <nils@redhat.com> - 2:2.6.11-13
 - harden PSP plugin against bogus input data (CVE-2010-4543, CVE-2011-1782)