Accepting request 81712 from GNOME:Apps

Fix build + CVE-2011-2896 + crash (forwarded request 81711 from vuntz) OBS-URL: https://build.opensuse.org/request/show/81712 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gimp?expand=0&rev=64
2011-09-11 17:07:53 +00:00
parent 500845c06e
commit f54ed005b1
5 changed files with 180 additions and 0 deletions
--- a/gimp-CVE-2011-2896.patch
+++ b/gimp-CVE-2011-2896.patch
@@ -0,0 +1,109 @@
+From 0eae221c7c6eb84591d718587a17ea90c8852d5b Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils@redhat.com>
+Date: Thu, 04 Aug 2011 10:47:44 +0000
+Subject: file-gif-load: ensure return value of LZWReadByte() is <= 255
+
+(cherry picked from commit b1a3de761362db982c0ddfaff60ab4a3c4267f32)
+---
+diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
+index 9a0720b..a4d98fc 100644
+--- a/plug-ins/common/file-gif-load.c
+++ b/plug-ins/common/file-gif-load.c
+@@ -743,11 +743,11 @@ LZWReadByte (FILE *fd,
+         }
+       while (firstcode == clear_code);
+ 
+-      return firstcode;
+      return firstcode & 255;
+     }
+ 
+   if (sp > stack)
+-    return *--sp;
+    return (*--sp) & 255;
+ 
+   while ((code = GetCode (fd, code_size, FALSE)) >= 0)
+     {
+@@ -770,7 +770,7 @@ LZWReadByte (FILE *fd,
+           sp            = stack;
+           firstcode     = oldcode = GetCode (fd, code_size, FALSE);
+ 
+-          return firstcode;
+          return firstcode & 255;
+         }
+       else if (code == end_code)
+         {
+@@ -826,10 +826,10 @@ LZWReadByte (FILE *fd,
+       oldcode = incode;
+ 
+       if (sp > stack)
+-        return *--sp;
+        return (*--sp) & 255;
+     }
+ 
+-  return code;
+  return code & 255;
+ }
+ 
+ static gint32
+--
+cgit v0.9.0.2
+From 62718f821b7c79a6860b8b25f0a21a91daa6e22d Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils@redhat.com>
+Date: Thu, 04 Aug 2011 10:51:42 +0000
+Subject: file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896)
+
+(cherry picked from commit 376ad788c1a1c31d40f18494889c383f6909ebfc)
+---
+diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
+index a4d98fc..8460ec0 100644
+--- a/plug-ins/common/file-gif-load.c
+++ b/plug-ins/common/file-gif-load.c
+@@ -697,7 +697,8 @@ LZWReadByte (FILE *fd,
+   static gint firstcode, oldcode;
+   static gint clear_code, end_code;
+   static gint table[2][(1 << MAX_LZW_BITS)];
+-  static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
+#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
+  static gint stack[STACK_SIZE], *sp;
+   gint        i;
+ 
+   if (just_reset_LZW)
+@@ -772,7 +773,7 @@ LZWReadByte (FILE *fd,
+ 
+           return firstcode & 255;
+         }
+-      else if (code == end_code)
+      else if (code == end_code || code > max_code)
+         {
+           gint   count;
+           guchar buf[260];
+@@ -791,13 +792,14 @@ LZWReadByte (FILE *fd,
+ 
+       incode = code;
+ 
+-      if (code >= max_code)
+      if (code == max_code)
+         {
+-          *sp++ = firstcode;
+          if (sp < &(stack[STACK_SIZE]))
+            *sp++ = firstcode;
+           code = oldcode;
+         }
+ 
+-      while (code >= clear_code)
+      while (code >= clear_code && sp < &(stack[STACK_SIZE]))
+         {
+           *sp++ = table[1][code];
+           if (code == table[0][code])
+@@ -808,7 +810,8 @@ LZWReadByte (FILE *fd,
+           code = table[0][code];
+         }
+ 
+-      *sp++ = firstcode = table[1][code];
+      if (sp < &(stack[STACK_SIZE]))
+        *sp++ = firstcode = table[1][code];
+ 
+       if ((code = max_code) < (1 << MAX_LZW_BITS))
+         {
+--
+cgit v0.9.0.2
--- a/gimp-fix-linking.patch
+++ b/gimp-fix-linking.patch
@@ -0,0 +1,26 @@
+From 582cb0f14eb9f145bd2a2f5c9fda12309ae0229f Mon Sep 17 00:00:00 2001
+From: Manish Singh <yosh@gimp.org>
+Date: Sun, 24 May 2009 17:42:39 +0000
+Subject: Explicitly specify library dependencies at link time, so we can use gold.
+
+---
+(limited to 'libgimpthumb/Makefile.am')
+
+diff --git a/libgimpthumb/Makefile.am b/libgimpthumb/Makefile.am
+index a78a83a..98acd24 100644
+--- a/libgimpthumb/Makefile.am
+++ b/libgimpthumb/Makefile.am
+@@ -86,7 +86,10 @@ noinst_PROGRAMS = gimp-thumbnail-list
+ 
+ gimp_thumbnail_list_SOURCES = gimp-thumbnail-list.c
+ 
+-gimp_thumbnail_list_LDADD = libgimpthumb-$(GIMP_API_VERSION).la
+gimp_thumbnail_list_LDADD = \
+	libgimpthumb-$(GIMP_API_VERSION).la \
+	$(GDK_PIXBUF_LIBS) \
+	$(GLIB_LIBS)
+ 
+ 
+ install-data-local: install-ms-lib install-libtool-import-lib
+--
+cgit v0.9.0.2
--- a/gimp-pyslice-cellspacing-fix.patch
+++ b/gimp-pyslice-cellspacing-fix.patch
@@ -0,0 +1,24 @@
+From 16d77f975b2c398a515f91e34ef868dc3bb49228 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils@redhat.com>
+Date: Wed, 02 Feb 2011 16:11:28 +0000
+Subject: Bug 641259 - [abrt] gimp-2:2.6.11-1.fc14: py-slice.py:172:slice:TypeError: integer argument expected, got float
+
+py-slice: cast cellspacing to int in pyslice() to avoid tracebacks
+(cherry picked from commit 0af966b63fcc55b36380d6538dfb30000f71fef9)
+---
+diff --git a/plug-ins/pygimp/plug-ins/py-slice.py b/plug-ins/pygimp/plug-ins/py-slice.py
+index 40743f3..ac35f23 100755
+--- a/plug-ins/pygimp/plug-ins/py-slice.py
+++ b/plug-ins/pygimp/plug-ins/py-slice.py
+@@ -36,6 +36,9 @@ gettext.install("gimp20-python", gimp.locale_directory, unicode=True)
+ def pyslice(image, drawable, save_path, html_filename,
+             image_basename, image_extension, separate,
+             image_path, cellspacing, animate, skip_caps):
+
+    cellspacing = int (cellspacing)
+
+     if animate:
+         count = 0
+         drw = []
+--
+cgit v0.9.0.2
--- a/gimp.changes
+++ b/gimp.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Sep  9 13:29:26 UTC 2011 - vuntz@opensuse.org
+
+- Add gimp-fix-linking.patch: fix linking issue.
+- Add gimp-CVE-2011-2896.patch: Fix heap corruption and buffer
+  overflow in LZW code. Fix bnc#711491, CVE-2011-2896.
+- Add gimp-pyslice-cellspacing-fix.patch: fix a crash in the
+  pyslice plugin.
+- Add call to autoreconf, needed by gimp-fix-linking.patch.
+
 -------------------------------------------------------------------
 Wed Jul  6 16:24:31 CEST 2011 - vuntz@opensuse.org

--- a/gimp.spec
+++ b/gimp.spec
@@ -70,6 +70,12 @@ Source99:       baselibs.conf
 Patch0:         gimp-CVE-2010-4540-and-more.patch
 # PATCH-FIX-UPSTREAM gimp-CVE-2010-4543.patch CVE-2010-4543 bgo#639203 bnc#662043 vuntz@opensuse.org -- Fix a buffer overflow when reading a psp file
 Patch1:         gimp-CVE-2010-4543.patch
+# PATCH-FIX-UPSTREAM gimp-fix-linking.patch vuntz@opensuse.org -- Fix linking issue because of missing libs, taken from git
+Patch2:         gimp-fix-linking.patch
+# PATCH-FIX-UPSTREAM gimp-CVE-2011-2896.patch CVE-2011-2896 bnc#711491 vuntz@opensuse.org -- Fix heap corruption and buffer overflow
+Patch3:         gimp-CVE-2011-2896.patch
+# PATCH-FIX-UPSTREAM gimp-pyslice-cellspacing-fix.patch vuntz@opensuse.org -- Fix pyslice to not crash
+Patch4:         gimp-pyslice-cellspacing-fix.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Requires:       %{name}-branding = %{version}
 Recommends:     %{name}-plugins-python = %{version} gimp-2.0-scanner-plugin %{name}-help-browser
@@ -259,6 +265,9 @@ translation-update-upstream po-plug-ins gimp20-std-plug-ins
 translation-update-upstream po-tips gimp20-tips
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 # Safety check for ABI version change.
 vabi=`printf "%d" $(sed -n '/#define GIMP_MODULE_ABI_VERSION/{s/.* //;p}' libgimpmodule/gimpmodule.h)`
 if test "x${vabi}" != "x%{abiver}"; then
@@ -275,6 +284,8 @@ if test "x${vapi}" != "x%{apiver}"; then
 fi

 %build
+# needed for patch2
+autoreconf -fi
 export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
 %configure --with-pic\
 	--disable-static\