From 998d7a334572ef6d991c559f9bba3bee70aafba2e899d1371ffb1d161535a37f Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Mon, 3 Dec 2012 08:34:31 +0000 Subject: [PATCH] Accepting request 143763 from GNOME:Apps (forwarded request 143057 from vuntz) OBS-URL: https://build.opensuse.org/request/show/143763 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gimp?expand=0&rev=81 --- gimp-CVE-2012-5576.patch | 173 +++++++++++++++++++++++++++++++++++++++ gimp.changes | 6 ++ gimp.spec | 3 + 3 files changed, 182 insertions(+) create mode 100644 gimp-CVE-2012-5576.patch diff --git a/gimp-CVE-2012-5576.patch b/gimp-CVE-2012-5576.patch new file mode 100644 index 0000000..f518646 --- /dev/null +++ b/gimp-CVE-2012-5576.patch @@ -0,0 +1,173 @@ +From 0b35f6a082a0b3c372c568ea6bde39a4796acde2 Mon Sep 17 00:00:00 2001 +From: Michael Natterer +Date: Wed, 07 Nov 2012 23:16:31 +0000 +Subject: Bug 687392 - Memory corruption vulnerability when reading XWD files + +Applied and enhanced patch from andres which makes file-xwd detect +this kind of file corruption and abort loading with an error message. +--- +diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c +index 4e8a95e..f91d757 100644 +--- a/plug-ins/common/file-xwd.c ++++ b/plug-ins/common/file-xwd.c +@@ -186,11 +186,13 @@ static gint32 load_xwd_f2_d16_b16 (const gchar *, + static gint32 load_xwd_f2_d24_b32 (const gchar *, + FILE *, + L_XWDFILEHEADER *, +- L_XWDCOLOR *); ++ L_XWDCOLOR *, ++ GError **); + static gint32 load_xwd_f1_d24_b1 (const gchar *, + FILE *, + L_XWDFILEHEADER *, +- L_XWDCOLOR *); ++ L_XWDCOLOR *, ++ GError **); + + static L_CARD32 read_card32 (FILE *, + gint *); +@@ -540,7 +542,8 @@ load_image (const gchar *filename, + case 1: /* Single plane pixmap */ + if ((depth <= 24) && (bpp == 1)) + { +- image_ID = load_xwd_f1_d24_b1 (filename, ifp, &xwdhdr, xwdcolmap); ++ image_ID = load_xwd_f1_d24_b1 (filename, ifp, &xwdhdr, xwdcolmap, ++ error); + } + break; + +@@ -559,7 +562,8 @@ load_image (const gchar *filename, + } + else if ((depth <= 24) && ((bpp == 24) || (bpp == 32))) + { +- image_ID = load_xwd_f2_d24_b32 (filename, ifp, &xwdhdr, xwdcolmap); ++ image_ID = load_xwd_f2_d24_b32 (filename, ifp, &xwdhdr, xwdcolmap, ++ error); + } + break; + } +@@ -570,7 +574,7 @@ load_image (const gchar *filename, + if (xwdcolmap) + g_free (xwdcolmap); + +- if (image_ID == -1) ++ if (image_ID == -1 && ! (error && *error)) + g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, + _("XWD-file %s has format %d, depth %d and bits per pixel %d. " + "Currently this is not supported."), +@@ -1624,10 +1628,11 @@ load_xwd_f2_d16_b16 (const gchar *filename, + /* Load XWD with pixmap_format 2, pixmap_depth up to 24, bits_per_pixel 24/32 */ + + static gint32 +-load_xwd_f2_d24_b32 (const gchar *filename, +- FILE *ifp, +- L_XWDFILEHEADER *xwdhdr, +- L_XWDCOLOR *xwdcolmap) ++load_xwd_f2_d24_b32 (const gchar *filename, ++ FILE *ifp, ++ L_XWDFILEHEADER *xwdhdr, ++ L_XWDCOLOR *xwdcolmap, ++ GError **error) + { + register guchar *dest, lsbyte_first; + gint width, height, linepad, i, j, c0, c1, c2, c3; +@@ -1652,12 +1657,6 @@ load_xwd_f2_d24_b32 (const gchar *filename, + width = xwdhdr->l_pixmap_width; + height = xwdhdr->l_pixmap_height; + +- image_ID = create_new_image (filename, width, height, GIMP_RGB, +- &layer_ID, &drawable, &pixel_rgn); +- +- tile_height = gimp_tile_height (); +- data = g_malloc (tile_height * width * 3); +- + redmask = xwdhdr->l_red_mask; + greenmask = xwdhdr->l_green_mask; + bluemask = xwdhdr->l_blue_mask; +@@ -1685,6 +1684,22 @@ load_xwd_f2_d24_b32 (const gchar *filename, + maxblue = 0; while (bluemask >> (blueshift + maxblue)) maxblue++; + maxblue = (1 << maxblue) - 1; + ++ if (maxred > sizeof (redmap) || ++ maxgreen > sizeof (greenmap) || ++ maxblue > sizeof (bluemap)) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("XWD-file %s is corrupt."), ++ gimp_filename_to_utf8 (filename)); ++ return -1; ++ } ++ ++ image_ID = create_new_image (filename, width, height, GIMP_RGB, ++ &layer_ID, &drawable, &pixel_rgn); ++ ++ tile_height = gimp_tile_height (); ++ data = g_malloc (tile_height * width * 3); ++ + /* Set map-arrays for red, green, blue */ + for (red = 0; red <= maxred; red++) + redmap[red] = (red * 255) / maxred; +@@ -1825,10 +1840,11 @@ load_xwd_f2_d24_b32 (const gchar *filename, + /* Load XWD with pixmap_format 1, pixmap_depth up to 24, bits_per_pixel 1 */ + + static gint32 +-load_xwd_f1_d24_b1 (const gchar *filename, +- FILE *ifp, +- L_XWDFILEHEADER *xwdhdr, +- L_XWDCOLOR *xwdcolmap) ++load_xwd_f1_d24_b1 (const gchar *filename, ++ FILE *ifp, ++ L_XWDFILEHEADER *xwdhdr, ++ L_XWDCOLOR *xwdcolmap, ++ GError **error) + { + register guchar *dest, outmask, inmask, do_reverse; + gint width, height, i, j, plane, fromright; +@@ -1863,13 +1879,6 @@ load_xwd_f1_d24_b1 (const gchar *filename, + indexed = (xwdhdr->l_pixmap_depth <= 8); + bytes_per_pixel = (indexed ? 1 : 3); + +- image_ID = create_new_image (filename, width, height, +- indexed ? GIMP_INDEXED : GIMP_RGB, +- &layer_ID, &drawable, &pixel_rgn); +- +- tile_height = gimp_tile_height (); +- data = g_malloc (tile_height * width * bytes_per_pixel); +- + for (j = 0; j < 256; j++) /* Create an array for reversing bits */ + { + inmask = 0; +@@ -1913,6 +1922,16 @@ load_xwd_f1_d24_b1 (const gchar *filename, + maxblue = 0; while (bluemask >> (blueshift + maxblue)) maxblue++; + maxblue = (1 << maxblue) - 1; + ++ if (maxred > sizeof (redmap) || ++ maxgreen > sizeof (greenmap) || ++ maxblue > sizeof (bluemap)) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("XWD-file %s is corrupt."), ++ gimp_filename_to_utf8 (filename)); ++ return -1; ++ } ++ + /* Set map-arrays for red, green, blue */ + for (red = 0; red <= maxred; red++) + redmap[red] = (red * 255) / maxred; +@@ -1922,6 +1941,13 @@ load_xwd_f1_d24_b1 (const gchar *filename, + bluemap[blue] = (blue * 255) / maxblue; + } + ++ image_ID = create_new_image (filename, width, height, ++ indexed ? GIMP_INDEXED : GIMP_RGB, ++ &layer_ID, &drawable, &pixel_rgn); ++ ++ tile_height = gimp_tile_height (); ++ data = g_malloc (tile_height * width * bytes_per_pixel); ++ + ncols = xwdhdr->l_colormap_entries; + if (xwdhdr->l_ncolors < ncols) + ncols = xwdhdr->l_ncolors; +-- +cgit v0.9.0.2 + diff --git a/gimp.changes b/gimp.changes index 414695c..f08f999 100644 --- a/gimp.changes +++ b/gimp.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Nov 27 11:11:04 UTC 2012 - dimstar@opensuse.org + +- Add gimp-CVE-2012-5576.patch: fix memory corruption vulnerability + when reading XWD files (bnc#791372, bgo#687392, CVE-2012-5576). + ------------------------------------------------------------------- Wed Aug 29 11:43:22 UTC 2012 - dimstar@opensuse.org diff --git a/gimp.spec b/gimp.spec index 5e938a5..aad63f8 100644 --- a/gimp.spec +++ b/gimp.spec @@ -31,6 +31,8 @@ Source1: macros.gimp # openSUSE palette file Source2: openSUSE.gpl Source99: baselibs.conf +# PATCH-FIX-UPSTREAM gimp-CVE-2012-5576.patch bnc#791372 bgo#687392 CVE-2012-5576 dimstar@opensuse.org -- Memory corruption vulnerability when reading XWD files, taken from git. +Patch0: gimp-CVE-2012-5576.patch BuildRequires: aalib-devel BuildRequires: alsa-devel >= 1.0.0 BuildRequires: babl-devel >= 0.1.10 @@ -233,6 +235,7 @@ This package contains the help browser for the GIMP. %lang_package %prep %setup -q +%patch0 -p1 translation-update-upstream translation-update-upstream po-libgimp gimp20-libgimp translation-update-upstream po-python gimp20-python