gnu: gimp: Fix CVE-2017-{17784,17785,17786,17787,17789}.

* gnu/packages/patches/gimp-CVE-2017-17784.patch,
gnu/packages/patches/gimp-CVE-2017-17785.patch,
gnu/packages/patches/gimp-CVE-2017-17786.patch,
gnu/packages/patches/gimp-CVE-2017-17787.patch,
gnu/packages/patches/gimp-CVE-2017-17789.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gimp.scm (gimp)[source]: Use them.
This commit is contained in:
Leo Famulari 2017-12-31 13:42:58 -05:00
parent c41fb54f95
commit 2a74f6f7e7
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
7 changed files with 406 additions and 0 deletions

View File

@ -674,6 +674,11 @@ dist_patch_DATA = \
%D%/packages/patches/ghostscript-no-header-uuid.patch \
%D%/packages/patches/ghostscript-no-header-creationdate.patch \
%D%/packages/patches/ghostscript-runpath.patch \
%D%/packages/patches/gimp-CVE-2017-17784.patch \
%D%/packages/patches/gimp-CVE-2017-17785.patch \
%D%/packages/patches/gimp-CVE-2017-17786.patch \
%D%/packages/patches/gimp-CVE-2017-17787.patch \
%D%/packages/patches/gimp-CVE-2017-17789.patch \
%D%/packages/patches/glib-networking-ssl-cert-file.patch \
%D%/packages/patches/glib-tests-timer.patch \
%D%/packages/patches/glibc-CVE-2015-5180.patch \

View File

@ -133,6 +133,11 @@ buffers.")
(uri (string-append "http://download.gimp.org/pub/gimp/v"
(version-major+minor version)
"/gimp-" version ".tar.bz2"))
(patches (search-patches "gimp-CVE-2017-17784.patch"
"gimp-CVE-2017-17785.patch"
"gimp-CVE-2017-17786.patch"
"gimp-CVE-2017-17787.patch"
"gimp-CVE-2017-17789.patch"))
(sha256
(base32
"12k3lp938qdc9cqj29scg55f3bb8iav2fysd29w0s49bqmfa71wi"))))

View File

@ -0,0 +1,41 @@
Fix CVE-2017-17784:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17784
https://bugzilla.gnome.org/show_bug.cgi?id=790784
Patch copied from upstream source repository:
https://git.gnome.org/browse/gimp/commit/?id=c57f9dcf1934a9ab0cd67650f2dea18cb0902270
From c57f9dcf1934a9ab0cd67650f2dea18cb0902270 Mon Sep 17 00:00:00 2001
From: Jehan <jehan@girinstud.io>
Date: Thu, 21 Dec 2017 12:25:32 +0100
Subject: [PATCH] Bug 790784 - (CVE-2017-17784) heap overread in gbr parser /
load_image.
We were assuming the input name was well formed, hence was
nul-terminated. As any data coming from external input, this has to be
thorougly checked.
Similar to commit 06d24a79af94837d615d0024916bb95a01bf3c59 but adapted
to older gimp-2-8 code.
---
plug-ins/common/file-gbr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
index b028100bef..d3f01d9c56 100644
--- a/plug-ins/common/file-gbr.c
+++ b/plug-ins/common/file-gbr.c
@@ -443,7 +443,8 @@ load_image (const gchar *filename,
{
gchar *temp = g_new (gchar, bn_size);
- if ((read (fd, temp, bn_size)) < bn_size)
+ if ((read (fd, temp, bn_size)) < bn_size ||
+ temp[bn_size - 1] != '\0')
{
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
_("Error in GIMP brush file '%s'"),
--
2.15.1

View File

@ -0,0 +1,171 @@
Fix CVE-2017-17785:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17785
https://bugzilla.gnome.org/show_bug.cgi?id=739133
Patch copied from upstream source repository:
https://git.gnome.org/browse/gimp/commit/?id=1882bac996a20ab5c15c42b0c5e8f49033a1af54
From 1882bac996a20ab5c15c42b0c5e8f49033a1af54 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 29 Oct 2017 15:19:41 +0100
Subject: [PATCH] Bug 739133 - (CVE-2017-17785) Heap overflow while parsing FLI
files.
It is possible to trigger a heap overflow while parsing FLI files. The
RLE decoder is vulnerable to out of boundary writes due to lack of
boundary checks.
The variable "framebuf" points to a memory area which was allocated
with fli_header->width * fli_header->height bytes. The RLE decoder
therefore must never write beyond that limit.
If an illegal frame is detected, the parser won't stop, which means
that the next valid sequence is properly parsed again. This should
allow GIMP to parse FLI files as good as possible even if they are
broken by an attacker or by accident.
While at it, I changed the variable xc to be of type size_t, because
the multiplication of width and height could overflow a 16 bit type.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
(cherry picked from commit edb251a7ef1602d20a5afcbf23f24afb163de63b)
---
plug-ins/file-fli/fli.c | 50 ++++++++++++++++++++++++++++++++++---------------
1 file changed, 35 insertions(+), 15 deletions(-)
diff --git a/plug-ins/file-fli/fli.c b/plug-ins/file-fli/fli.c
index 313efeb977..ffb651e2af 100644
--- a/plug-ins/file-fli/fli.c
+++ b/plug-ins/file-fli/fli.c
@@ -25,6 +25,8 @@
#include "config.h"
+#include <glib/gstdio.h>
+
#include <string.h>
#include <stdio.h>
@@ -461,23 +463,27 @@ void fli_read_brun(FILE *f, s_fli_header *fli_header, unsigned char *framebuf)
unsigned short yc;
unsigned char *pos;
for (yc=0; yc < fli_header->height; yc++) {
- unsigned short xc, pc, pcnt;
+ unsigned short pc, pcnt;
+ size_t n, xc;
pc=fli_read_char(f);
xc=0;
pos=framebuf+(fli_header->width * yc);
+ n=(size_t)fli_header->width * (fli_header->height-yc);
for (pcnt=pc; pcnt>0; pcnt--) {
unsigned short ps;
ps=fli_read_char(f);
if (ps & 0x80) {
unsigned short len;
- for (len=-(signed char)ps; len>0; len--) {
+ for (len=-(signed char)ps; len>0 && xc<n; len--) {
pos[xc++]=fli_read_char(f);
}
} else {
unsigned char val;
+ size_t len;
+ len=MIN(n-xc,ps);
val=fli_read_char(f);
- memset(&(pos[xc]), val, ps);
- xc+=ps;
+ memset(&(pos[xc]), val, len);
+ xc+=len;
}
}
}
@@ -564,25 +570,34 @@ void fli_read_lc(FILE *f, s_fli_header *fli_header, unsigned char *old_framebuf,
memcpy(framebuf, old_framebuf, fli_header->width * fli_header->height);
firstline = fli_read_short(f);
numline = fli_read_short(f);
+ if (numline > fli_header->height || fli_header->height-numline < firstline)
+ return;
+
for (yc=0; yc < numline; yc++) {
- unsigned short xc, pc, pcnt;
+ unsigned short pc, pcnt;
+ size_t n, xc;
pc=fli_read_char(f);
xc=0;
pos=framebuf+(fli_header->width * (firstline+yc));
+ n=(size_t)fli_header->width * (fli_header->height-firstline-yc);
for (pcnt=pc; pcnt>0; pcnt--) {
unsigned short ps,skip;
skip=fli_read_char(f);
ps=fli_read_char(f);
- xc+=skip;
+ xc+=MIN(n-xc,skip);
if (ps & 0x80) {
unsigned char val;
+ size_t len;
ps=-(signed char)ps;
val=fli_read_char(f);
- memset(&(pos[xc]), val, ps);
- xc+=ps;
+ len=MIN(n-xc,ps);
+ memset(&(pos[xc]), val, len);
+ xc+=len;
} else {
- fread(&(pos[xc]), ps, 1, f);
- xc+=ps;
+ size_t len;
+ len=MIN(n-xc,ps);
+ fread(&(pos[xc]), len, 1, f);
+ xc+=len;
}
}
}
@@ -689,7 +704,8 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu
yc=0;
numline = fli_read_short(f);
for (lc=0; lc < numline; lc++) {
- unsigned short xc, pc, pcnt, lpf, lpn;
+ unsigned short pc, pcnt, lpf, lpn;
+ size_t n, xc;
pc=fli_read_short(f);
lpf=0; lpn=0;
while (pc & 0x8000) {
@@ -700,26 +716,30 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu
}
pc=fli_read_short(f);
}
+ yc=MIN(yc, fli_header->height);
xc=0;
pos=framebuf+(fli_header->width * yc);
+ n=(size_t)fli_header->width * (fli_header->height-yc);
for (pcnt=pc; pcnt>0; pcnt--) {
unsigned short ps,skip;
skip=fli_read_char(f);
ps=fli_read_char(f);
- xc+=skip;
+ xc+=MIN(n-xc,skip);
if (ps & 0x80) {
unsigned char v1,v2;
ps=-(signed char)ps;
v1=fli_read_char(f);
v2=fli_read_char(f);
- while (ps>0) {
+ while (ps>0 && xc+1<n) {
pos[xc++]=v1;
pos[xc++]=v2;
ps--;
}
} else {
- fread(&(pos[xc]), ps, 2, f);
- xc+=ps << 1;
+ size_t len;
+ len=MIN((n-xc)/2,ps);
+ fread(&(pos[xc]), len, 2, f);
+ xc+=len << 1;
}
}
if (lpf) pos[xc]=lpn;
--
2.15.1

View File

@ -0,0 +1,94 @@
Fix CVE-2017-17786:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17786
https://bugzilla.gnome.org/show_bug.cgi?id=739134
Both patches copied from upstream source repository:
https://git.gnome.org/browse/gimp/commit/?id=ef9c821fff8b637a2178eab1c78cae6764c50e12
https://git.gnome.org/browse/gimp/commit/?id=22e2571c25425f225abdb11a566cc281fca6f366
From ef9c821fff8b637a2178eab1c78cae6764c50e12 Mon Sep 17 00:00:00 2001
From: Jehan <jehan@girinstud.io>
Date: Wed, 20 Dec 2017 13:02:38 +0100
Subject: [PATCH] Bug 739134 - (CVE-2017-17786) Out of bounds read / heap
overflow in...
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
... TGA importer.
Be more thorough on valid TGA RGB and RGBA images.
In particular current TGA plug-in can import RGBA as 32 bits (8 bits per
channel) and 16 bits (5 bits per color channel and 1 bit for alpha), and
RGB as 15 and 24 bits.
Maybe there exist more variants, but if they do exist, we simply don't
support them yet.
Thanks to Hanno Böck for the report and a first patch attempt.
(cherry picked from commit 674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b)
---
plug-ins/common/file-tga.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
index aef98702d4..426acc2925 100644
--- a/plug-ins/common/file-tga.c
+++ b/plug-ins/common/file-tga.c
@@ -564,12 +564,16 @@ load_image (const gchar *filename,
}
break;
case TGA_TYPE_COLOR:
- if (info.bpp != 15 && info.bpp != 16 &&
- info.bpp != 24 && info.bpp != 32)
+ if ((info.bpp != 15 && info.bpp != 16 &&
+ info.bpp != 24 && info.bpp != 32) ||
+ ((info.bpp == 15 || info.bpp == 24) &&
+ info.alphaBits != 0) ||
+ (info.bpp == 16 && info.alphaBits != 1) ||
+ (info.bpp == 32 && info.alphaBits != 8))
{
- g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)",
+ g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
gimp_filename_to_utf8 (filename),
- info.imageType, info.bpp);
+ info.imageType, info.bpp, info.alphaBits);
return -1;
}
break;
--
2.15.1
From 22e2571c25425f225abdb11a566cc281fca6f366 Mon Sep 17 00:00:00 2001
From: Jehan <jehan@girinstud.io>
Date: Wed, 20 Dec 2017 13:26:26 +0100
Subject: [PATCH] plug-ins: TGA 16-bit RGB (without alpha bit) is also valid.
According to some spec on the web, 16-bit RGB is also valid. In this
case, the last bit is simply ignored (at least that's how it is
implemented right now).
(cherry picked from commit 8ea316667c8a3296bce2832b3986b58d0fdfc077)
---
plug-ins/common/file-tga.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
index 426acc2925..eb14a1dadc 100644
--- a/plug-ins/common/file-tga.c
+++ b/plug-ins/common/file-tga.c
@@ -568,7 +568,8 @@ load_image (const gchar *filename,
info.bpp != 24 && info.bpp != 32) ||
((info.bpp == 15 || info.bpp == 24) &&
info.alphaBits != 0) ||
- (info.bpp == 16 && info.alphaBits != 1) ||
+ (info.bpp == 16 && info.alphaBits != 1 &&
+ info.alphaBits != 0) ||
(info.bpp == 32 && info.alphaBits != 8))
{
g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
--
2.15.1

View File

@ -0,0 +1,42 @@
Fix CVE-2017-17787:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17787
https://bugzilla.gnome.org/show_bug.cgi?id=790853
Patch copied from upstream source repository:
https://git.gnome.org/browse/gimp/commit/?id=87ba505fff85989af795f4ab6a047713f4d9381d
From 87ba505fff85989af795f4ab6a047713f4d9381d Mon Sep 17 00:00:00 2001
From: Jehan <jehan@girinstud.io>
Date: Thu, 21 Dec 2017 12:49:41 +0100
Subject: [PATCH] Bug 790853 - (CVE-2017-17787) heap overread in psp importer.
As any external data, we have to check that strings being read at fixed
length are properly nul-terminated.
(cherry picked from commit eb2980683e6472aff35a3117587c4f814515c74d)
---
plug-ins/common/file-psp.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index 4cbafe37b1..e350e4d88d 100644
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -890,6 +890,12 @@ read_creator_block (FILE *f,
g_free (string);
return -1;
}
+ if (string[length - 1] != '\0')
+ {
+ g_message ("Creator keyword data not nul-terminated");
+ g_free (string);
+ return -1;
+ }
switch (keyword)
{
case PSP_CRTR_FLD_TITLE:
--
2.15.1

View File

@ -0,0 +1,48 @@
Fix CVE-2017-17789:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17789
https://bugzilla.gnome.org/show_bug.cgi?id=790849
Patch copied from upstream source repository:
https://git.gnome.org/browse/gimp/commit/?id=01898f10f87a094665a7fdcf7153990f4e511d3f
From 01898f10f87a094665a7fdcf7153990f4e511d3f Mon Sep 17 00:00:00 2001
From: Jehan <jehan@girinstud.io>
Date: Wed, 20 Dec 2017 16:44:20 +0100
Subject: [PATCH] Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer
overflow...
... in PSP importer.
Check if declared block length is valid (i.e. within the actual file)
before going further.
Consider the file as broken otherwise and fail loading it.
(cherry picked from commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8)
---
plug-ins/common/file-psp.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index ac0fff78f0..4cbafe37b1 100644
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -1771,6 +1771,15 @@ load_image (const gchar *filename,
{
block_start = ftell (f);
+ if (block_start + block_total_len > st.st_size)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("Could not open '%s' for reading: %s"),
+ gimp_filename_to_utf8 (filename),
+ _("invalid block size"));
+ goto error;
+ }
+
if (id == PSP_IMAGE_BLOCK)
{
if (block_number != 0)
--
2.15.1