diff --git a/gimp-sunras-overflow.patch b/gimp-sunras-overflow.patch
new file mode 100644
index 0000000..366ec39
--- /dev/null
+++ b/gimp-sunras-overflow.patch
@@ -0,0 +1,63 @@
+------------------------------------------------------------------------
+r22356 | neo | 2007-04-27 13:50:58 +0200 (Pá, 27 dub 2007) | 8 lines
+
+2007-04-27 Sven Neumann
+
+ Merged from trunk:
+
+ * plug-ins/common/sunras.c (set_color_table): guard against a
+ possible stack overflow.
+
+
+------------------------------------------------------------------------
+Index: sunras.c
+===================================================================
+--- plug-ins/common/sunras.c (revision 22355)
++++ plug-ins/common/sunras.c (revision 22356)
+@@ -102,8 +102,7 @@
+ gint32 image_ID,
+ gint32 drawable_ID);
+
+-static void set_color_table (gint32, L_SUNFILEHEADER *, unsigned char *);
+-
++static void set_color_table (gint32, L_SUNFILEHEADER *, const guchar *);
+ static gint32 create_new_image (const gchar *filename,
+ guint width,
+ guint height,
+@@ -865,19 +864,20 @@
+ static void
+ set_color_table (gint32 image_ID,
+ L_SUNFILEHEADER *sunhdr,
+- guchar *suncolmap)
++ const guchar *suncolmap)
+ {
+- int ncols, j;
+- guchar ColorMap[256*3];
++ guchar ColorMap[256 * 3];
++ gint ncols, j;
+
+ ncols = sunhdr->l_ras_maplength / 3;
+- if (ncols <= 0) return;
++ if (ncols <= 0)
++ return;
+
+- for (j = 0; j < ncols; j++)
++ for (j = 0; j < MIN (ncols, 256); j++)
+ {
+- ColorMap[j*3] = suncolmap[j];
+- ColorMap[j*3+1] = suncolmap[j+ncols];
+- ColorMap[j*3+2] = suncolmap[j+2*ncols];
++ ColorMap[j * 3 + 0] = suncolmap[j];
++ ColorMap[j * 3 + 1] = suncolmap[j + ncols];
++ ColorMap[j * 3 + 2] = suncolmap[j + 2 * ncols];
+ }
+
+ #ifdef DEBUG
+@@ -886,6 +886,7 @@
+ printf ("%3d: 0x%02x 0x%02x 0x%02x\n", j,
+ ColorMap[j*3], ColorMap[j*3+1], ColorMap[j*3+2]);
+ #endif
++
+ gimp_image_set_colormap (image_ID, ColorMap, ncols);
+ }
+
diff --git a/gimp.changes b/gimp.changes
index 7b4eb3b..d91f88c 100644
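Review bot: The final call `gimp_image_set_colormap (image_ID, ColorMap, ncols)` in `set_color_table` still passes the unclamped `ncols`, so a file whose `l_ras_maplength / 3` exceeds 256 no longer overruns the write loop but still asks the callee to consume more triples than the 768-byte `ColorMap` holds. Whether the callee rejects counts above 256 is not visible here, so the call should carry the same bound, `gimp_image_set_colormap (image_ID, ColorMap, MIN (ncols, 256));`, while the `suncolmap[j + ncols]` plane offsets keep using the original `ncols`. The `#ifdef DEBUG` print loop, whose header lies outside the third hunk, also indexes `ColorMap` and presumably runs to `ncols`; it needs the same limit. A short comment above the copy loop, `/* ColorMap holds at most 256 RGB triples; maplength comes from the file header */`, would record why the bound exists.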
--- a/gimp.changes
+++ b/gimp.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri May 4 15:32:01 CEST 2007 - sbrabec@suse.cz
+
+- Fixed buffer overflow in sunras plugin (#270506, GNOME#433902,
+ CVE-2007-2356).
+
 -------------------------------------------------------------------
 Tue Feb 27 22:39:05 CET 2007 - dmueller@suse.de
 
diff --git a/gimp.spec b/gimp.spec
index 4625567..80119f3 100644
--- a/gimp.spec
+++ b/gimp.spec
@@ -21,7 +21,7 @@ BuildRequires: python-gtk
 %endif
 URL: http://www.gimp.org/
 Version: 2.2.13
-Release: 46
+Release: 60
 License: GNU General Public License (GPL)
 Group: Productivity/Graphics/Bitmap Editors
 Provides: gimp2 gimp-2.0
@@ -35,6 +35,7 @@ Source: ftp://ftp.gimp.org/pub/gimp/v2.2/%{name}-%{version}.tar.bz2
 Source1: gimp-logo.png
 Source2: gimp-splash.png
 Patch: gimp-default-browser.patch
+Patch1: gimp-sunras-overflow.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -419,7 +420,7 @@ Authors:
 Shirasaki Yasuhiro
 
 %package doc
-Summary: Additional Package Documentation.
+Summary: Additional Package Documentation for GIMP.
 Provides: gimp2-doc gimp-2.0-doc
 Requires: %{name} = %{version}
 Obsoletes: gimpdev libgimpd gimp2-devel
@@ -631,6 +632,7 @@ Authors:
 # gimpbilinear.c: 179, 132
 # fit.c: 1302
 %patch
+%patch1
 rm po*/no.*
 sed -i "/ALL_LINGUAS=/s/ no / /" configure.in
 
@@ -718,6 +720,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/gtk-doc/html/*
 
 %changelog
+* Fri May 04 2007 - sbrabec@suse.cz
+- Fixed buffer overflow in sunras plugin (#270506, GNOME#433902,
+ CVE-2007-2356).
 * Tue Feb 27 2007 - dmueller@suse.de
 - adjust BuildRequires: libexif->libexif-devel
 * Wed Jan 03 2007 - sbrabec@suse.cz