Accepting request 982890 from graphics

- Update to 2.10.32: (boo#1199653 CVE-2022-30067)

OBS-URL: https://build.opensuse.org/request/show/982890
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gimp?expand=0&rev=135

gimp-2.10.30.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:88815daa76ed7d4277eeb353358bafa116cd2fcd2c861d95b95135c1d52b67dc
-size 31731327

gimp-2.10.32.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3f15c70554af5dcc1b46e6dc68f3d8f0a6cc9fe56b6d78ac08c0fd859ab89a25
+size 31397425

gimp-CVE_2022-30067.patch

@@ -1,63 +0,0 @@
-From 8cd6d05232795ac31076013db1c6be3dc67e8e09 Mon Sep 17 00:00:00 2001
-From: Jacob Boerema <jgboerema@gmail.com>
-Date: Fri, 29 Apr 2022 16:40:32 -0400
-Subject: [PATCH] app: fix #8120 GIMP 2.10.30 crashed when allocate large
- memory
-
-GIMP could crash if the information regarding old path properties read
-from XCF was incorrect. It did not check if xcf_old_path succeeded and
-kept trying to load more paths even if the last one failed to load.
-
-Instead we now stop loading paths as soon as that function fails.
-In case we have a failure here we also try to skip to the next property
-based on the size of the path property, in hopes that the only problem
-was this property.
-
-(cherry picked from commit 4f99f1fcfd892ead19831b5adcd38a99d71214b6)
----
- app/xcf/xcf-load.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
-index 5543e57af7..1a1a460f0e 100644
---- a/app/xcf/xcf-load.c
-+++ b/app/xcf/xcf-load.c
-@@ -1060,7 +1060,12 @@ xcf_load_image_props (XcfInfo   *info,
-           break;
- 
-         case PROP_PATHS:
--          xcf_load_old_paths (info, image);
-+          {
-+            goffset base = info->cp;
-+
-+            if (! xcf_load_old_paths (info, image))
-+              xcf_seek_pos (info, base + prop_size, NULL);
-+          }
-           break;
- 
-         case PROP_USER_UNIT:
-@@ -2747,8 +2752,11 @@ xcf_load_old_paths (XcfInfo   *info,
-   xcf_read_int32 (info, &last_selected_row, 1);
-   xcf_read_int32 (info, &num_paths,         1);
- 
-+  GIMP_LOG (XCF, "Number of old paths: %u", num_paths);
-+
-   while (num_paths-- > 0)
--    xcf_load_old_path (info, image);
-+    if (! xcf_load_old_path (info, image))
-+      return FALSE;
- 
-   active_vectors =
-     GIMP_VECTORS (gimp_container_get_child_by_index (gimp_image_get_vectors (image),
-@@ -2799,7 +2807,7 @@ xcf_load_old_path (XcfInfo   *info,
-     }
-   else if (version != 1)
-     {
--      g_printerr ("Unknown path type. Possibly corrupt XCF file");
-+      g_printerr ("Unknown path type (version: %u). Possibly corrupt XCF file.\n", version);
- 
-       return FALSE;
-     }
--- 
-2.36.1
-

gimp.changes

@@ -1,3 +1,133 @@
+-------------------------------------------------------------------
+Wed Jun 15 20:47:00 UTC 2022 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 2.10.32: (boo#1199653 CVE-2022-30067)
+  - Core:
+    - Adding support for localized glyphs ('locl') in Text tool
+      depending on the value of the "Language" field in Text tool
+      options.
+    - XCF import nows drop Xmp.photoshop.DocumentAncestors tags
+      after 1000 of them, similarly to what libgimpbase now does.
+      This could happen in XCF files which were created e.g. from a
+      PSD import before we handled the issue in libgimpbase.
+    - XCF import:
+      - made more robust by ignoring (with a warning) invalid
+        parasites and continuing to load the rest of the file
+        (which might be valid). This way, we are able to salvage
+        more cases of partially corrupted XCF files.
+      - additional safety checks to detect broken XCF files.
+    - Version check can be globally disabled through a value in the
+      `gimp-release` file. This would allow to use the same build
+      on repositories with an update channels (where we don't want
+      update check notifications) and on standalone (where we want
+      them).
+  - User Interface:
+    - Removed titlebar/borders from Windows Splash Screen.
+    - All official themes now have on-hover indicator around eye
+      and link toggles in Layer/Channel/Path Dialog tree-views.
+    - Dark theme:
+      - Hover-on effect on radio menu items to improve readability.
+    - Color icon theme:
+      - Thin contrast border for 'close' and 'detach' to improve
+        their readability against dark backgrounds on mouse-hover.
+  - Plug-ins:
+    - TGA: improving indexed images with alpha channel support
+      (both import and export).
+    - DICOM: Fix endian conversion for photometric interpretation
+      "MONOCHROME1".
+    - file-raw: "RGB Save Type" confusing dialog label renamed to
+      "Palette Type" as on the main dev branch.
+    - screenshot: option to capture cursor in now available on
+      Windows.
+    - pygimp: new optional parameter `run_mode_param` (defaulting
+      to True) to register() function of the Python binding, which
+      allows to make the "run-mode" parameter optional when
+      creating a new PDB procedure. This is already used to fix
+      "file-openraster-load-thumb" without changing its signature.
+    - BMP: new PDB procedure "file-bmp-save2" which supports all
+      options available interactively.
+    - BigTIFF: our TIFF plug-in now officially supports BigTIFF
+      import and export.
+      - Import was actually already working transparently if you
+        had a recent enough libtiff. Now the recent libtiff is
+        enforced by dependency requirements.
+      - Export support was added with a checkbox in the interactive
+        dialog and a new "bigtiff" argument in the "file-tiff-save"
+        PDB procedure.
+      - When an interactive export of ClassicTIFF fails for the
+        explicit reason of "Maximum TIFF file size exceeded", the
+        export dialog is raised again with a message proposing to
+        try again as BigTIFF or trying another compression
+        algorithm. This allows because discoverability and
+        understandibility of the issue, while not forcing BigTIFF
+        export (since it might not be supported everywhere).
+      - Unlike the same change on the main dev branch, this
+        backport comes without a dependency requirement bump, which
+        means this will only work if GIMP is built with recent
+        enough libtiff.
+    - Raw: more robust load able to load as much as possible from
+      the file, then fill the rest with white, when offset and
+      dimensions are bigger than actual file size.
+    - Improved support of a few plug-in code for building under
+      UCRT Windows environment (more modern C runtime library than
+      MINGW).
+    - EPS: loading transparent EPS files now supported.
+    - JPEG XL: import backported from the `master` (2.99) branch.
+    - WebP: export has a new IPTC checkbox (saved through XMP) as
+      well as a thumbnail checkbox. (backported from dev branch,
+      since 2.99.8)
+    - DDS: export has a new flip option (useful for some game
+      engine) as well as a new savetype option to export all
+      visible layers (not only the active one).
+    - TIFF:
+      - import support for 8 and 16 bit CMYK(A) TIFF files.
+      - 1, 2 and 4-bit B/W images are now converted to indexed
+        rather than grayscale as it seems that there is more of a
+        use case for these images to be handled as indexed, even
+        though technically they can be considered grayscale. In the
+        future we could add an option at loading time where the
+        user can choose whether they prefer it to be loaded as
+        indexed or grayscale.
+      - Fix loading images generated by MATLAB's blockproc
+        function.
+      - More robust loading for 8 bps grayscale MINISWHITE TIFF.
+  - Libgimp:
+    - New gimp_plug_in_error_quark() as a generic GQuark/GError
+      domain for plug-ins (backported from 2.99.6).
+    - gimp_drawable_brightness_contrast() now works in the [-1.0,
+      1.0] range (it's more of a fix than a change because it's
+      what it should have been from the start).
+    - Better management of modification time in metadata: IPTC tag
+      Iptc.Application2.DateCreated is not overridden anymore as it
+      is the original creation date of the image. Instead we set
+      the XMP tag Xmp.xmp.ModifyDate for file modification time and
+      Xmp.xmp.MetadataDate for metadata modification time.
+    - Format of Xmp.tiff.DateTime is now properly set with timezone
+      as a consequence of the previous improvement.
+  - Libgimpbase:
+    - Limit to 1000 ancestors when importing images with incredible
+      amount of `Xmp.photoshop.DocumentAncestors` tags, which is
+      most likely due to a bug in some versions of Photoshop (in
+      some PSDs, we encountered over 100,000 such tags; it probably
+      makes no sense that a document could have that many ancestor
+      documents). GIMP will now stops at 1000 such tags before
+      dropping the rest and continue loading the file.
+  - Icons:
+    - Chain icons for the Color icon theme reworked from the
+      Symbolic versions (with contrast borders to work on any
+      background color) so that the "broken" and full variants are
+      easily distinguishable.
+  - Translations:
+    - New Galician and Georgian translations for the Windows
+      installer.
+    - 20 translations were updated: Catalan, Chinese (China),
+      Croatian, Danish, Dutch, Finnish, French, Georgian, German,
+      Hungarian, Icelandic, Italian, Polish, Portuguese, Russian,
+      Slovenian, Spanish, Swedish, Turkish, Ukrainian.
+  - Build:
+    - Bumping minimum GEGL to version 0.4.36.
+- drop gimp-CVE_2022-30067.patch: included in update
+
 -------------------------------------------------------------------
 Tue May 24 09:20:53 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>
 

gimp.spec

@@ -18,6 +18,7 @@
 
 %global abiver 4
 %global apiver 2.0
+%global gegl_version 0.4.36
 
 %if 0%{?suse_version} >= 1550
 %bcond_without libheif
@@ -31,7 +32,7 @@
 %bcond_without python_plugin
 %endif
 Name:           gimp
-Version:        2.10.30
+Version:        2.10.32
 Release:        0
 Summary:        The GNU Image Manipulation Program
 License:        GPL-3.0-or-later
@@ -42,8 +43,6 @@ Source1:        macros.gimp
 # openSUSE palette file
 Source2:        openSUSE.gpl
 Source99:       baselibs.conf
-# PATCH-FIX-UPSTREAM gimp-CVE_2022-30067.patch boo#1199653 mgorse@suse.com -- fix out of memory when reading XCF.
-Patch0:         gimp-CVE_2022-30067.patch
 
 BuildRequires:  aalib-devel
 BuildRequires:  alsa-devel >= 1.0.0
@@ -52,7 +51,7 @@ BuildRequires:  fontconfig-devel >= 2.12.4
 BuildRequires:  gcc-c++
 BuildRequires:  gdk-pixbuf-loader-rsvg
 # For some odd reason build needs gegl executable.
-BuildRequires:  gegl >= 0.4.34
+BuildRequires:  gegl >= %{gegl_version}
 BuildRequires:  ghostscript-devel
 # Explicitly needed, otherwise ghostscript-mini is used during the
 # build, and it's not enough for gimp.
@@ -74,7 +73,7 @@ BuildRequires:  pkgconfig(cairo) >= 1.12.2
 BuildRequires:  pkgconfig(cairo-pdf) >= 1.12.2
 BuildRequires:  pkgconfig(dbus-glib-1) >= 0.70
 BuildRequires:  pkgconfig(gdk-pixbuf-2.0) >= 2.30.8
-BuildRequires:  pkgconfig(gegl-0.4) >= 0.4.34
+BuildRequires:  pkgconfig(gegl-0.4) >= %{gegl_version}
 BuildRequires:  pkgconfig(gexiv2) >= 0.10.6
 BuildRequires:  pkgconfig(glib-2.0) >= 2.54.2
 BuildRequires:  pkgconfig(gtk+-2.0) >= 2.24.32