From 6f3d77139120a02bb54a607678261a52037521081b911ac79d4727a2d976fafb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ismail=20D=C3=B6nmez?=
Date: Tue, 21 Feb 2017 15:43:52 +0000
Subject: [PATCH] Accepting request 459481 from home:Zaitor:branches:graphics

Add bugfix patches, CVE-2007-3126, not build-tested, so hold of on ack until done building

OBS-URL: https://build.opensuse.org/request/show/459481
OBS-URL: https://build.opensuse.org/package/show/graphics/gimp?expand=0&rev=11
---
 gimp-bgo773233-CVE-2007-3126.patch | 293 +++++++++++++++++++++++++
 gimp-fix-PDF-Import-filter-crash.patch | 27 +++
 gimp.changes | 11 +
 gimp.spec | 6 +
 4 files changed, 337 insertions(+)
 create mode 100644 gimp-bgo773233-CVE-2007-3126.patch
 create mode 100644 gimp-fix-PDF-Import-filter-crash.patch

diff --git a/gimp-bgo773233-CVE-2007-3126.patch b/gimp-bgo773233-CVE-2007-3126.patch
new file mode 100644
index 0000000..f3bed59
--- /dev/null
+++ b/gimp-bgo773233-CVE-2007-3126.patch
@@ -0,0 +1,293 @@
+From 323ecb73f7bf36788fb7066eb2d6678830cd5de7 Mon Sep 17 00:00:00 2001
+From: Michael Natterer
+Date: Sun, 6 Nov 2016 21:34:43 +0100
+Subject: Bug 773233 - CVE-2007-3126 - Gimp 2.3.14 allows context-dependent
+ attackers...
+
+...to cause a denial of service (crash) via an ICO file with an
+InfoHeader containing a Height of zero
+
+Add some error handling to ico-load.c and bail out on zero width or height
+icons. Also some formatting cleanup.
+
+(cherry picked from commit 46bcd82800e37b0f5aead76184430ef2fe802748)
+---
+ plug-ins/file-ico/ico-load.c | 103 ++++++++++++++++++++++++++-----------------
+ 1 file changed, 62 insertions(+), 41 deletions(-)
+
+diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
+index fde543a..0075eab 100644
+--- a/plug-ins/file-ico/ico-load.c
++++ b/plug-ins/file-ico/ico-load.c
+@@ -124,15 +124,17 @@ static guint32
+ ico_read_init (FILE *fp)
+ {
+ IcoFileHeader header;
++
+ /* read and check file header */
+- if (!ico_read_int16 (fp, &header.reserved, 1)
+- || !ico_read_int16 (fp, &header.resource_type, 1)
+- || !ico_read_int16 (fp, &header.icon_count, 1)
+- || header.reserved != 0
+- || header.resource_type != 1)
++ if (! ico_read_int16 (fp, &header.reserved, 1) ||
++ ! ico_read_int16 (fp, &header.resource_type, 1) ||
++ ! ico_read_int16 (fp, &header.icon_count, 1) ||
++ header.reserved != 0 ||
++ header.resource_type != 1)
+ {
+ return 0;
+ }
++
+ return header.icon_count;
+ }
+
+@@ -148,22 +150,25 @@ ico_read_size (FILE *fp,
+ gint32 color_type;
+ guint32 magic;
+
+- if ( fseek (fp, info->offset, SEEK_SET) < 0 )
++ if (fseek (fp, info->offset, SEEK_SET) < 0)
+ return FALSE;
+
+ ico_read_int32 (fp, &magic, 1);
++
+ if (magic == ICO_PNG_MAGIC)
+ {
+ png_ptr = png_create_read_struct (PNG_LIBPNG_VER_STRING, NULL, NULL,
+ NULL);
+- if (! png_ptr )
++ if (! png_ptr)
+ return FALSE;
++
+ info_ptr = png_create_info_struct (png_ptr);
+- if (! info_ptr )
++ if (! info_ptr)
+ {
+ png_destroy_read_struct (&png_ptr, NULL, NULL);
+ return FALSE;
+ }
++
+ if (setjmp (png_jmpbuf (png_ptr)))
+ {
+ png_destroy_read_struct (&png_ptr, NULL, NULL);
+@@ -182,8 +187,8 @@ ico_read_size (FILE *fp,
+ }
+ else if (magic == 40)
+ {
+- if (ico_read_int32 (fp, &info->width, 1)
+- && ico_read_int32 (fp, &info->height, 1))
++ if (ico_read_int32 (fp, &info->width, 1) &&
++ ico_read_int32 (fp, &info->height, 1))
+ {
+ info->height /= 2;
+ D(("ico_read_size: ICO: %ix%i\n", info->width, info->height));
+@@ -200,8 +205,9 @@ ico_read_size (FILE *fp,
+ }
+
+ static IcoLoadInfo*
+-ico_read_info (FILE *fp,
+- gint icon_count)
++ico_read_info (FILE *fp,
++ gint icon_count,
++ GError **error)
+ {
+ gint i;
+ IcoFileEntry *entries;
+@@ -209,8 +215,11 @@ ico_read_info (FILE *fp,
+
+ /* read icon entries */
+ entries = g_new (IcoFileEntry, icon_count);
+- if ( fread (entries, sizeof(IcoFileEntry), icon_count, fp) <= 0 )
++ if (fread (entries, sizeof (IcoFileEntry), icon_count, fp) <= 0)
+ {
++ g_set_error (error, G_FILE_ERROR, 0,
++ _("Could not read '%lu' bytes"),
++ sizeof (IcoFileEntry));
+ g_free (entries);
+ return NULL;
+ }
+@@ -218,23 +227,33 @@ ico_read_info (FILE *fp,
+ info = g_new (IcoLoadInfo, icon_count);
+ for (i = 0; i < icon_count; i++)
+ {
+- info[i].width = entries[i].width;
++ info[i].width = entries[i].width;
+ info[i].height = entries[i].height;
+- info[i].bpp = GUINT16_FROM_LE (entries[i].bpp);
+- info[i].size = GUINT32_FROM_LE (entries[i].size);
++ info[i].bpp = GUINT16_FROM_LE (entries[i].bpp);
++ info[i].size = GUINT32_FROM_LE (entries[i].size);
+ info[i].offset = GUINT32_FROM_LE (entries[i].offset);
+
+ if (info[i].width == 0 || info[i].height == 0)
+ {
+- ico_read_size (fp, info+i);
++ ico_read_size (fp, info + i);
+ }
+
+ D(("ico_read_info: %ix%i (%i bits, size: %i, offset: %i)\n",
+ info[i].width, info[i].height, info[i].bpp,
+ info[i].size, info[i].offset));
++
++ if (info[i].width == 0 || info[i].height == 0)
++ {
++ g_set_error (error, G_FILE_ERROR, 0,
++ _("Icon #%d has zero width or height"), i);
++ g_free (info);
++ g_free (entries);
++ return NULL;
++ }
+ }
+
+ g_free (entries);
++
+ return info;
+ }
+
+@@ -256,10 +275,10 @@ ico_read_png (FILE *fp,
+ gint i;
+
+ png_ptr = png_create_read_struct (PNG_LIBPNG_VER_STRING, NULL, NULL, NULL);
+- if (! png_ptr )
++ if (! png_ptr)
+ return FALSE;
+ info = png_create_info_struct (png_ptr);
+- if (! info )
++ if (! info)
+ {
+ png_destroy_read_struct (&png_ptr, NULL, NULL);
+ return FALSE;
+@@ -287,14 +306,14 @@ ico_read_png (FILE *fp,
+ {
+ case PNG_COLOR_TYPE_GRAY:
+ png_set_expand_gray_1_2_4_to_8 (png_ptr);
+- if ( bit_depth == 16 )
++ if (bit_depth == 16)
+ png_set_strip_16 (png_ptr);
+ png_set_gray_to_rgb (png_ptr);
+ png_set_add_alpha (png_ptr, 0xff, PNG_FILLER_AFTER);
+ break;
+ case PNG_COLOR_TYPE_GRAY_ALPHA:
+ png_set_expand_gray_1_2_4_to_8 (png_ptr);
+- if ( bit_depth == 16 )
++ if (bit_depth == 16)
+ png_set_strip_16 (png_ptr);
+ png_set_gray_to_rgb (png_ptr);
+ break;
+@@ -427,16 +446,18 @@ ico_read_icon (FILE *fp,
+ data.planes, data.image_size, data.bpp,
+ data.used_clrs, data.important_clrs));
+
+- if (data.planes != 1
+- || data.compression != 0)
++ if (data.planes != 1 ||
++ data.compression != 0)
+ {
+ D(("skipping image: invalid header\n"));
+ return FALSE;
+ }
+
+- if (data.bpp != 1 && data.bpp != 4
+- && data.bpp != 8 && data.bpp != 24
+- && data.bpp != 32)
++ if (data.bpp != 1 &&
++ data.bpp != 4 &&
++ data.bpp != 8 &&
++ data.bpp != 24 &&
++ data.bpp != 32)
+ {
+ D(("skipping image: invalid depth: %i\n", data.bpp));
+ return FALSE;
+@@ -591,8 +612,8 @@ ico_load_layer (FILE *fp,
+ GimpPixelRgn pixel_rgn;
+ gchar buf [ICO_MAXBUF];
+
+- if ( fseek (fp, info->offset, SEEK_SET) < 0
+- || !ico_read_int32 (fp, &first_bytes, 1) )
++ if (fseek (fp, info->offset, SEEK_SET) < 0 ||
++ ! ico_read_int32 (fp, &first_bytes, 1))
+ return -1;
+
+ if (first_bytes == ICO_PNG_MAGIC)
+@@ -645,7 +666,7 @@ ico_load_image (const gchar *filename,
+ gimp_filename_to_utf8 (filename));
+
+ fp = g_fopen (filename, "rb");
+- if (! fp )
++ if (! fp)
+ {
+ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
+ _("Could not open '%s' for reading: %s"),
+@@ -660,8 +681,8 @@ ico_load_image (const gchar *filename,
+ return -1;
+ }
+
+- info = ico_read_info (fp, icon_count);
+- if (!info)
++ info = ico_read_info (fp, icon_count, error);
++ if (! info)
+ {
+ fclose (fp);
+ return -1;
+@@ -672,12 +693,12 @@ ico_load_image (const gchar *filename,
+ max_height = 0;
+ for (i = 0; i < icon_count; i++)
+ {
+- if ( info[i].width > max_width )
++ if (info[i].width > max_width)
+ max_width = info[i].width;
+- if ( info[i].height > max_height )
++ if (info[i].height > max_height)
+ max_height = info[i].height;
+ }
+- if ( max_width <= 0 || max_height <= 0 )
++ if (max_width <= 0 || max_height <= 0)
+ {
+ g_free (info);
+ fclose (fp);
+@@ -723,7 +744,7 @@ ico_load_thumbnail_image (const gchar *filename,
+ gimp_filename_to_utf8 (filename));
+
+ fp = g_fopen (filename, "rb");
+- if (! fp )
++ if (! fp)
+ {
+ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
+ _("Could not open '%s' for reading: %s"),
+@@ -732,7 +753,7 @@ ico_load_thumbnail_image (const gchar *filename,
+ }
+
+ icon_count = ico_read_init (fp);
+- if (! icon_count )
++ if (! icon_count)
+ {
+ fclose (fp);
+ return -1;
+@@ -741,8 +762,8 @@ ico_load_thumbnail_image (const gchar *filename,
+ D(("*** %s: Microsoft icon file, containing %i icon(s)\n",
+ filename, icon_count));
+
+- info = ico_read_info (fp, icon_count);
+- if (! info )
++ info = ico_read_info (fp, icon_count, error);
++ if (! info)
+ {
+ fclose (fp);
+ return -1;
+@@ -760,9 +781,9 @@ ico_load_thumbnail_image (const gchar *filename,
+
+ match = i;
+ }
+- else if ( w == info[i].width
+- && h == info[i].height
+- && info[i].bpp > bpp )
++ else if (w == info[i].width &&
++ h == info[i].height &&
++ info[i].bpp > bpp)
+ {
+ /* better quality */
+ bpp = info[i].bpp;
+--
+cgit v0.12
+
diff --git a/gimp-fix-PDF-Import-filter-crash.patch b/gimp-fix-PDF-Import-filter-crash.patch
new file mode 100644
index 0000000..145d1c6
--- /dev/null
+++ b/gimp-fix-PDF-Import-filter-crash.patch
@@ -0,0 +1,27 @@
+From abf4f7560bf9baecd9e111e47c7c82c50e813ef1 Mon Sep 17 00:00:00 2001
+From: Massimo Valentini
+Date: Sun, 19 Feb 2017 21:01:49 +0100
+Subject: Bug 593576 - PDF Import filter: crashes when importing large image
+ PDF or specifying high resolution
+
+Manually committed to master as commit adae3882d2c9955f9dd62482f9bcdb8456679701 due to code changes there.
+---
+ libgimp/gimplayer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libgimp/gimplayer.c b/libgimp/gimplayer.c
+index af210a4..15367e7 100644
+--- a/libgimp/gimplayer.c
++++ b/libgimp/gimplayer.c
+@@ -236,7 +236,7 @@ gimp_layer_new_from_surface (gint32 image_ID,
+ cairo_format_t format;
+ gint width;
+ gint height;
+- gint rowstride;
++ gsize rowstride;
+ gdouble range = progress_end - progress_start;
+ guint count = 0;
+ guint done = 0;
+--
+cgit v0.12
+
diff --git a/gimp.changes b/gimp.changes
index 0971ce4..aa8d04b 100644
--- a/gimp.changes
+++ b/gimp.changes
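Review bot: The new fread check in the `@@ -209,8 +215,11 @@` hunk of ico_read_info still accepts a short read: fread returns a size_t item count, so `<= 0` only catches zero, and a directory table truncated part-way leaves the tail of `entries` (allocated with g_new, not g_new0) uninitialized while the loop that follows still reads every one of the icon_count slots, so the new zero-size check may be evaluated on garbage. Comparing against the requested count closes that gap: `if (fread (entries, sizeof (IcoFileEntry), icon_count, fp) != (gsize) icon_count)`. The accompanying message formats a size_t argument with `%lu`, which is not portable across ABIs (`G_GSIZE_FORMAT` is GLib's spelling), and reports `sizeof (IcoFileEntry)` rather than the `icon_count * sizeof (IcoFileEntry)` bytes that were actually requested. Both new g_set_error calls pass code 0 in the G_FILE_ERROR domain, which names G_FILE_ERROR_EXIST; G_FILE_ERROR_FAILED describes the condition.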
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Tue Feb 21 11:25:43 UTC 2017 - zaitor@opensuse.org
+
+- Add gimp-bgo773233-CVE-2007-3126.patch: Gimp 2.3.14 allows
+ context-dependent attackers to cause a denial of service (crash)
+ via an ICO file with an InfoHeader containing a Height of zero
+ (bgo#773233, CVE-2007-3126).
+- Add gimp-fix-PDF-Import-filter-crash.patch: Fix a crash in PDF
+ Import filter when importing large image PDF or specifying high
+ resolution (bgo#593576).
+
 -------------------------------------------------------------------
 Thu Feb 9 11:15:33 UTC 2017 - zaitor@opensuse.org
diff --git a/gimp.spec b/gimp.spec
index 44684b0..aca3271 100644
--- a/gimp.spec
+++ b/gimp.spec
@@ -28,6 +28,10 @@ Group: Productivity/Graphics/Bitmap Editors
 Url: http://www.gimp.org/
 Source: http://download.gimp.org/pub/gimp/v2.8/%{name}-%{version}.tar.bz2
 Source1: macros.gimp
+# PATCH-FIX-UPSTREAM gimp-bgo773233-CVE-2007-3126.patch bgo#773233 CVE-2007-3126 zaitor@opensuse.org -- Fix a crash
+Patch0: gimp-bgo773233-CVE-2007-3126.patch
+# PATCH-FIX-UPSTREAM gimp-fix-PDF-Import-filter-crash.patch bgo#593576 zaitor@opensuse.org -- Fix a crash when importing PDF's
+Patch1: gimp-fix-PDF-Import-filter-crash.patch
 # openSUSE palette file
 Source2: openSUSE.gpl
 Source99: baselibs.conf
@@ -202,6 +206,8 @@ This package contains the help browser for the GIMP.
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
 translation-update-upstream
 translation-update-upstream po-libgimp gimp20-libgimp
 translation-update-upstream po-python gimp20-python