From b5cf6b2820b61ba338b027798fbd26ce4740fd6519d13c2ab366e41562344a83 Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Thu, 19 May 2022 07:22:00 +0000
Subject: [PATCH] Accepting request 977967 from home:mgorse:branches:graphics - Add gimp-CVE_2022-30067.patch: fix out of memory when reading XCF (boo#1199653 CVE-2022-30067).
OBS-URL: https://build.opensuse.org/request/show/977967
OBS-URL: https://build.opensuse.org/package/show/graphics/gimp?expand=0&rev=61
---
 gimp-CVE_2022-30067.patch | 63 +++++++++++++++++++++++++++++++++++++++
 gimp.changes | 6 ++++
 gimp.spec | 2 ++
 3 files changed, 71 insertions(+)
 create mode 100644 gimp-CVE_2022-30067.patch
diff --git a/gimp-CVE_2022-30067.patch b/gimp-CVE_2022-30067.patch
new file mode 100644
index 0000000..2bb7e71
--- /dev/null
+++ b/gimp-CVE_2022-30067.patch
@@ -0,0 +1,63 @@
+From 8cd6d05232795ac31076013db1c6be3dc67e8e09 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema
+Date: Fri, 29 Apr 2022 16:40:32 -0400
+Subject: [PATCH] app: fix #8120 GIMP 2.10.30 crashed when allocate large
+ memory
+
+GIMP could crash if the information regarding old path properties read
+from XCF was incorrect. It did not check if xcf_old_path succeeded and
+kept trying to load more paths even if the last one failed to load.
+
+Instead we now stop loading paths as soon as that function fails.
+In case we have a failure here we also try to skip to the next property
+based on the size of the path property, in hopes that the only problem
+was this property.
+
+(cherry picked from commit 4f99f1fcfd892ead19831b5adcd38a99d71214b6)
+---
+ app/xcf/xcf-load.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
+index 5543e57af7..1a1a460f0e 100644
+--- a/app/xcf/xcf-load.c
++++ b/app/xcf/xcf-load.c
+@@ -1060,7 +1060,12 @@ xcf_load_image_props (XcfInfo *info,
+ break;
+
+ case PROP_PATHS:
+- xcf_load_old_paths (info, image);
++ {
++ goffset base = info->cp;
++
++ if (! xcf_load_old_paths (info, image))
++ xcf_seek_pos (info, base + prop_size, NULL);
++ }
+ break;
+
+ case PROP_USER_UNIT:
+@@ -2747,8 +2752,11 @@ xcf_load_old_paths (XcfInfo *info,
+ xcf_read_int32 (info, &last_selected_row, 1);
+ xcf_read_int32 (info, &num_paths, 1);
+
++ GIMP_LOG (XCF, "Number of old paths: %u", num_paths);
++
+ while (num_paths-- > 0)
+- xcf_load_old_path (info, image);
++ if (! xcf_load_old_path (info, image))
++ return FALSE;
+
+ active_vectors =
+ GIMP_VECTORS (gimp_container_get_child_by_index (gimp_image_get_vectors (image),
+@@ -2799,7 +2807,7 @@ xcf_load_old_path (XcfInfo *info,
+ }
+ else if (version != 1)
+ {
+- g_printerr ("Unknown path type. Possibly corrupt XCF file");
++ g_printerr ("Unknown path type (version: %u). 
Possibly corrupt XCF file.\n", version);
+
+ return FALSE;
+ }
+--
+2.36.1
+
diff --git a/gimp.changes b/gimp.changes
index 6dca70f..1a47dd4 100644
--- a/gimp.changes
+++ b/gimp.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed May 18 14:52:26 UTC 2022 - Michael Gorse
+
+- Add gimp-CVE_2022-30067.patch: fix out of memory when reading
+ XCF (boo#1199653 CVE-2022-30067).
+
 -------------------------------------------------------------------
 Wed May 4 09:02:40 UTC 2022 - Marcus Meissner
diff --git a/gimp.spec b/gimp.spec
index 19d3534..230e42f 100644
--- a/gimp.spec
+++ b/gimp.spec
@@ -42,6 +42,8 @@ Source1: macros.gimp
 # openSUSE palette file
 Source2: openSUSE.gpl
 Source99: baselibs.conf
+# PATCH-FIX-UPSTREAM gimp-CVE_2022-30067.patch boo#1199653 mgorse@suse.com -- fix out of memory when reading XCF.
+Patch0: gimp-CVE_2022-30067.patch
 BuildRequires: aalib-devel
 BuildRequires: alsa-devel >= 1.0.0
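Review bot: In the `PROP_PATHS` case of the embedded `app/xcf/xcf-load.c` change (the new file `gimp-CVE_2022-30067.patch`), the recovery seek `xcf_seek_pos (info, base + prop_size, NULL)` takes `prop_size` from the same file that has just failed to parse and discards the call's result, so when the declared size is wrong too the property loop resumes parsing at an unverified offset. If `xcf_seek_pos` reports failure through its return value (its definition is outside the hunk), the loader should stop there, for example `if (! xcf_seek_pos (info, base + prop_size, NULL)) return FALSE;`, or whatever this function uses to signal a fatal property error. In the `xcf_load_old_paths` hunk the two `xcf_read_int32` context lines remain unchecked, so `num_paths` drives the loop without a confirmed read; the new early return limits the damage, but checking those reads and bracing the `while`/`if` body would make the bound explicit. Both functions start and end outside the hunks shown, so the allocation inside `xcf_load_old_path` that the commit title refers to cannot be reviewed from here.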