From 4605fe00618f73f19b460d08f42a2a60b9b6934bf07fa26e26223f6b1fdb91e8 Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Wed, 15 Jun 2022 20:58:33 +0000 Subject: [PATCH] - Update to 2.10.32: (boo#1199653 CVE-2022-30067) OBS-URL: https://build.opensuse.org/package/show/graphics/gimp?expand=0&rev=63 --- gimp-2.10.30.tar.bz2 | 3 - gimp-2.10.32.tar.bz2 | 3 + gimp-CVE_2022-30067.patch | 63 ------------------ gimp.changes | 130 ++++++++++++++++++++++++++++++++++++++ gimp.spec | 9 ++- 5 files changed, 137 insertions(+), 71 deletions(-) delete mode 100644 gimp-2.10.30.tar.bz2 create mode 100644 gimp-2.10.32.tar.bz2 delete mode 100644 gimp-CVE_2022-30067.patch diff --git a/gimp-2.10.30.tar.bz2 b/gimp-2.10.30.tar.bz2 deleted file mode 100644 index 3f187aa..0000000 --- a/gimp-2.10.30.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:88815daa76ed7d4277eeb353358bafa116cd2fcd2c861d95b95135c1d52b67dc -size 31731327 diff --git a/gimp-2.10.32.tar.bz2 b/gimp-2.10.32.tar.bz2 new file mode 100644 index 0000000..18a19f3 --- /dev/null +++ b/gimp-2.10.32.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3f15c70554af5dcc1b46e6dc68f3d8f0a6cc9fe56b6d78ac08c0fd859ab89a25 +size 31397425 diff --git a/gimp-CVE_2022-30067.patch b/gimp-CVE_2022-30067.patch deleted file mode 100644 index 2bb7e71..0000000 --- a/gimp-CVE_2022-30067.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 8cd6d05232795ac31076013db1c6be3dc67e8e09 Mon Sep 17 00:00:00 2001 -From: Jacob Boerema -Date: Fri, 29 Apr 2022 16:40:32 -0400 -Subject: [PATCH] app: fix #8120 GIMP 2.10.30 crashed when allocate large - memory - -GIMP could crash if the information regarding old path properties read -from XCF was incorrect. It did not check if xcf_old_path succeeded and -kept trying to load more paths even if the last one failed to load. - -Instead we now stop loading paths as soon as that function fails. -In case we have a failure here we also try to skip to the next property -based on the size of the path property, in hopes that the only problem -was this property. - -(cherry picked from commit 4f99f1fcfd892ead19831b5adcd38a99d71214b6) ---- - app/xcf/xcf-load.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c -index 5543e57af7..1a1a460f0e 100644 ---- a/app/xcf/xcf-load.c -+++ b/app/xcf/xcf-load.c -@@ -1060,7 +1060,12 @@ xcf_load_image_props (XcfInfo *info, - break; - - case PROP_PATHS: -- xcf_load_old_paths (info, image); -+ { -+ goffset base = info->cp; -+ -+ if (! xcf_load_old_paths (info, image)) -+ xcf_seek_pos (info, base + prop_size, NULL); -+ } - break; - - case PROP_USER_UNIT: -@@ -2747,8 +2752,11 @@ xcf_load_old_paths (XcfInfo *info, - xcf_read_int32 (info, &last_selected_row, 1); - xcf_read_int32 (info, &num_paths, 1); - -+ GIMP_LOG (XCF, "Number of old paths: %u", num_paths); -+ - while (num_paths-- > 0) -- xcf_load_old_path (info, image); -+ if (! xcf_load_old_path (info, image)) -+ return FALSE; - - active_vectors = - GIMP_VECTORS (gimp_container_get_child_by_index (gimp_image_get_vectors (image), -@@ -2799,7 +2807,7 @@ xcf_load_old_path (XcfInfo *info, - } - else if (version != 1) - { -- g_printerr ("Unknown path type. Possibly corrupt XCF file"); -+ g_printerr ("Unknown path type (version: %u). Possibly corrupt XCF file.\n", version); - - return FALSE; - } --- -2.36.1 - diff --git a/gimp.changes b/gimp.changes index 93cfc8a..fd8684b 100644 --- a/gimp.changes +++ b/gimp.changes @@ -1,3 +1,133 @@ +------------------------------------------------------------------- +Wed Jun 15 20:47:00 UTC 2022 - Marcus Rueckert + +- Update to 2.10.32: (boo#1199653 CVE-2022-30067) + - Core: + - Adding support for localized glyphs ('locl') in Text tool + depending on the value of the "Language" field in Text tool + options. + - XCF import nows drop Xmp.photoshop.DocumentAncestors tags + after 1000 of them, similarly to what libgimpbase now does. + This could happen in XCF files which were created e.g. from a + PSD import before we handled the issue in libgimpbase. + - XCF import: + - made more robust by ignoring (with a warning) invalid + parasites and continuing to load the rest of the file + (which might be valid). This way, we are able to salvage + more cases of partially corrupted XCF files. + - additional safety checks to detect broken XCF files. + - Version check can be globally disabled through a value in the + `gimp-release` file. This would allow to use the same build + on repositories with an update channels (where we don't want + update check notifications) and on standalone (where we want + them). + - User Interface: + - Removed titlebar/borders from Windows Splash Screen. + - All official themes now have on-hover indicator around eye + and link toggles in Layer/Channel/Path Dialog tree-views. + - Dark theme: + - Hover-on effect on radio menu items to improve readability. + - Color icon theme: + - Thin contrast border for 'close' and 'detach' to improve + their readability against dark backgrounds on mouse-hover. + - Plug-ins: + - TGA: improving indexed images with alpha channel support + (both import and export). + - DICOM: Fix endian conversion for photometric interpretation + "MONOCHROME1". + - file-raw: "RGB Save Type" confusing dialog label renamed to + "Palette Type" as on the main dev branch. + - screenshot: option to capture cursor in now available on + Windows. + - pygimp: new optional parameter `run_mode_param` (defaulting + to True) to register() function of the Python binding, which + allows to make the "run-mode" parameter optional when + creating a new PDB procedure. This is already used to fix + "file-openraster-load-thumb" without changing its signature. + - BMP: new PDB procedure "file-bmp-save2" which supports all + options available interactively. + - BigTIFF: our TIFF plug-in now officially supports BigTIFF + import and export. + - Import was actually already working transparently if you + had a recent enough libtiff. Now the recent libtiff is + enforced by dependency requirements. + - Export support was added with a checkbox in the interactive + dialog and a new "bigtiff" argument in the "file-tiff-save" + PDB procedure. + - When an interactive export of ClassicTIFF fails for the + explicit reason of "Maximum TIFF file size exceeded", the + export dialog is raised again with a message proposing to + try again as BigTIFF or trying another compression + algorithm. This allows because discoverability and + understandibility of the issue, while not forcing BigTIFF + export (since it might not be supported everywhere). + - Unlike the same change on the main dev branch, this + backport comes without a dependency requirement bump, which + means this will only work if GIMP is built with recent + enough libtiff. + - Raw: more robust load able to load as much as possible from + the file, then fill the rest with white, when offset and + dimensions are bigger than actual file size. + - Improved support of a few plug-in code for building under + UCRT Windows environment (more modern C runtime library than + MINGW). + - EPS: loading transparent EPS files now supported. + - JPEG XL: import backported from the `master` (2.99) branch. + - WebP: export has a new IPTC checkbox (saved through XMP) as + well as a thumbnail checkbox. (backported from dev branch, + since 2.99.8) + - DDS: export has a new flip option (useful for some game + engine) as well as a new savetype option to export all + visible layers (not only the active one). + - TIFF: + - import support for 8 and 16 bit CMYK(A) TIFF files. + - 1, 2 and 4-bit B/W images are now converted to indexed + rather than grayscale as it seems that there is more of a + use case for these images to be handled as indexed, even + though technically they can be considered grayscale. In the + future we could add an option at loading time where the + user can choose whether they prefer it to be loaded as + indexed or grayscale. + - Fix loading images generated by MATLAB's blockproc + function. + - More robust loading for 8 bps grayscale MINISWHITE TIFF. + - Libgimp: + - New gimp_plug_in_error_quark() as a generic GQuark/GError + domain for plug-ins (backported from 2.99.6). + - gimp_drawable_brightness_contrast() now works in the [-1.0, + 1.0] range (it's more of a fix than a change because it's + what it should have been from the start). + - Better management of modification time in metadata: IPTC tag + Iptc.Application2.DateCreated is not overridden anymore as it + is the original creation date of the image. Instead we set + the XMP tag Xmp.xmp.ModifyDate for file modification time and + Xmp.xmp.MetadataDate for metadata modification time. + - Format of Xmp.tiff.DateTime is now properly set with timezone + as a consequence of the previous improvement. + - Libgimpbase: + - Limit to 1000 ancestors when importing images with incredible + amount of `Xmp.photoshop.DocumentAncestors` tags, which is + most likely due to a bug in some versions of Photoshop (in + some PSDs, we encountered over 100,000 such tags; it probably + makes no sense that a document could have that many ancestor + documents). GIMP will now stops at 1000 such tags before + dropping the rest and continue loading the file. + - Icons: + - Chain icons for the Color icon theme reworked from the + Symbolic versions (with contrast borders to work on any + background color) so that the "broken" and full variants are + easily distinguishable. + - Translations: + - New Galician and Georgian translations for the Windows + installer. + - 20 translations were updated: Catalan, Chinese (China), + Croatian, Danish, Dutch, Finnish, French, Georgian, German, + Hungarian, Icelandic, Italian, Polish, Portuguese, Russian, + Slovenian, Spanish, Swedish, Turkish, Ukrainian. + - Build: + - Bumping minimum GEGL to version 0.4.36. +- drop gimp-CVE_2022-30067.patch: included in update + ------------------------------------------------------------------- Tue May 24 09:20:53 UTC 2022 - Dominique Leuenberger diff --git a/gimp.spec b/gimp.spec index a09300b..378aad8 100644 --- a/gimp.spec +++ b/gimp.spec @@ -18,6 +18,7 @@ %global abiver 4 %global apiver 2.0 +%global gegl_version 0.4.36 %if 0%{?suse_version} >= 1550 %bcond_without libheif @@ -31,7 +32,7 @@ %bcond_without python_plugin %endif Name: gimp -Version: 2.10.30 +Version: 2.10.32 Release: 0 Summary: The GNU Image Manipulation Program License: GPL-3.0-or-later @@ -42,8 +43,6 @@ Source1: macros.gimp # openSUSE palette file Source2: openSUSE.gpl Source99: baselibs.conf -# PATCH-FIX-UPSTREAM gimp-CVE_2022-30067.patch boo#1199653 mgorse@suse.com -- fix out of memory when reading XCF. -Patch0: gimp-CVE_2022-30067.patch BuildRequires: aalib-devel BuildRequires: alsa-devel >= 1.0.0 @@ -52,7 +51,7 @@ BuildRequires: fontconfig-devel >= 2.12.4 BuildRequires: gcc-c++ BuildRequires: gdk-pixbuf-loader-rsvg # For some odd reason build needs gegl executable. -BuildRequires: gegl >= 0.4.34 +BuildRequires: gegl >= %{gegl_version} BuildRequires: ghostscript-devel # Explicitly needed, otherwise ghostscript-mini is used during the # build, and it's not enough for gimp. @@ -74,7 +73,7 @@ BuildRequires: pkgconfig(cairo) >= 1.12.2 BuildRequires: pkgconfig(cairo-pdf) >= 1.12.2 BuildRequires: pkgconfig(dbus-glib-1) >= 0.70 BuildRequires: pkgconfig(gdk-pixbuf-2.0) >= 2.30.8 -BuildRequires: pkgconfig(gegl-0.4) >= 0.4.34 +BuildRequires: pkgconfig(gegl-0.4) >= %{gegl_version} BuildRequires: pkgconfig(gexiv2) >= 0.10.6 BuildRequires: pkgconfig(glib-2.0) >= 2.54.2 BuildRequires: pkgconfig(gtk+-2.0) >= 2.24.32