gnu: gimp: Update to 2.10.0.
* gnu/packages/gimp.scm (gimp): Update to 2.10.0. [inputs]: Add glib-networking, gexiv2, libmypaint, mypaint-brushes and poppler-data. [native-inputs]: Add glib:bin. [source]: Remove obsolete patches and use HTTPS URL. [home-page]: Use HTTPS URL. * gnu/packages/patches/gimp-CVE-2017-17784.patch, gnu/packages/patches/gimp-CVE-2017-17785.patch, gnu/packages/patches/gimp-CVE-2017-17786.patch, gnu/packages/patches/gimp-CVE-2017-17787.patch, gnu/packages/patches/gimp-CVE-2017-17789.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them.
parent
08a752526d
commit
9eecf9bc13
|
@ -706,11 +706,6 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/ghostscript-no-header-creationdate.patch \
|
%D%/packages/patches/ghostscript-no-header-creationdate.patch \
|
||||||
%D%/packages/patches/ghostscript-runpath.patch \
|
%D%/packages/patches/ghostscript-runpath.patch \
|
||||||
%D%/packages/patches/giflib-make-reallocarray-private.patch \
|
%D%/packages/patches/giflib-make-reallocarray-private.patch \
|
||||||
%D%/packages/patches/gimp-CVE-2017-17784.patch \
|
|
||||||
%D%/packages/patches/gimp-CVE-2017-17785.patch \
|
|
||||||
%D%/packages/patches/gimp-CVE-2017-17786.patch \
|
|
||||||
%D%/packages/patches/gimp-CVE-2017-17787.patch \
|
|
||||||
%D%/packages/patches/gimp-CVE-2017-17789.patch \
|
|
||||||
%D%/packages/patches/glib-networking-ssl-cert-file.patch \
|
%D%/packages/patches/glib-networking-ssl-cert-file.patch \
|
||||||
%D%/packages/patches/glib-respect-datadir.patch \
|
%D%/packages/patches/glib-respect-datadir.patch \
|
||||||
%D%/packages/patches/glib-tests-timer.patch \
|
%D%/packages/patches/glib-tests-timer.patch \
|
||||||
|
|
|
@ -3,6 +3,7 @@
|
||||||
;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
|
;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
|
||||||
;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
|
;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
|
||||||
;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
|
;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
|
||||||
|
;;; Copyright © 2018 Leo Famulari <leo@famulari.name>
|
||||||
;;;
|
;;;
|
||||||
;;; This file is part of GNU Guix.
|
;;; This file is part of GNU Guix.
|
||||||
;;;
|
;;;
|
||||||
|
@ -115,23 +116,18 @@ buffers.")
|
||||||
(define-public gimp
|
(define-public gimp
|
||||||
(package
|
(package
|
||||||
(name "gimp")
|
(name "gimp")
|
||||||
(version "2.8.22")
|
(version "2.10.0")
|
||||||
(source (origin
|
(source (origin
|
||||||
(method url-fetch)
|
(method url-fetch)
|
||||||
(uri (string-append "http://download.gimp.org/pub/gimp/v"
|
(uri (string-append "https://download.gimp.org/pub/gimp/v"
|
||||||
(version-major+minor version)
|
(version-major+minor version)
|
||||||
"/gimp-" version ".tar.bz2"))
|
"/gimp-" version ".tar.bz2"))
|
||||||
(patches (search-patches "gimp-CVE-2017-17784.patch"
|
|
||||||
"gimp-CVE-2017-17785.patch"
|
|
||||||
"gimp-CVE-2017-17786.patch"
|
|
||||||
"gimp-CVE-2017-17787.patch"
|
|
||||||
"gimp-CVE-2017-17789.patch"))
|
|
||||||
(sha256
|
(sha256
|
||||||
(base32
|
(base32
|
||||||
"12k3lp938qdc9cqj29scg55f3bb8iav2fysd29w0s49bqmfa71wi"))))
|
"1qkxaigbfkx26xym5nzrgfrmn97cbnhn63v1saaha2nbi3xrdk3z"))))
|
||||||
(build-system gnu-build-system)
|
(build-system gnu-build-system)
|
||||||
(outputs '("out"
|
(outputs '("out"
|
||||||
"doc")) ;5 MiB of gtk-doc HTML
|
"doc")) ;9 MiB of gtk-doc HTML
|
||||||
(arguments
|
(arguments
|
||||||
'(#:configure-flags (list (string-append "--with-html-dir="
|
'(#:configure-flags (list (string-append "--with-html-dir="
|
||||||
(assoc-ref %outputs "doc")
|
(assoc-ref %outputs "doc")
|
||||||
|
@ -155,21 +151,27 @@ buffers.")
|
||||||
(inputs
|
(inputs
|
||||||
`(("babl" ,babl)
|
`(("babl" ,babl)
|
||||||
("glib" ,glib)
|
("glib" ,glib)
|
||||||
|
("glib-networking" ,glib-networking)
|
||||||
("libtiff" ,libtiff)
|
("libtiff" ,libtiff)
|
||||||
("libjpeg" ,libjpeg-8)
|
("libjpeg" ,libjpeg-8)
|
||||||
("atk" ,atk)
|
("atk" ,atk)
|
||||||
|
("gexiv2" ,gexiv2)
|
||||||
("gtk+" ,gtk+-2)
|
("gtk+" ,gtk+-2)
|
||||||
|
("libmypaint" ,libmypaint)
|
||||||
|
("mypaint-brushes" ,mypaint-brushes)
|
||||||
("exif" ,libexif) ; optional, EXIF + XMP support
|
("exif" ,libexif) ; optional, EXIF + XMP support
|
||||||
("lcms" ,lcms) ; optional, color management
|
("lcms" ,lcms) ; optional, color management
|
||||||
("librsvg" ,librsvg) ; optional, SVG support
|
("librsvg" ,librsvg) ; optional, SVG support
|
||||||
("poppler" ,poppler) ; optional, PDF support
|
("poppler" ,poppler) ; optional, PDF support
|
||||||
|
("poppler-data" ,poppler-data)
|
||||||
("python" ,python-2) ; optional, Python support
|
("python" ,python-2) ; optional, Python support
|
||||||
("python2-pygtk" ,python2-pygtk) ; optional, Python support
|
("python2-pygtk" ,python2-pygtk) ; optional, Python support
|
||||||
("gegl" ,gegl)))
|
("gegl" ,gegl)))
|
||||||
(native-inputs
|
(native-inputs
|
||||||
`(("pkg-config" ,pkg-config)
|
`(("glib:bin" ,glib "bin") ; for glib-compile-resources and gdbus-codegen
|
||||||
|
("pkg-config" ,pkg-config)
|
||||||
("intltool" ,intltool)))
|
("intltool" ,intltool)))
|
||||||
(home-page "http://gimp.org")
|
(home-page "https://www.gimp.org")
|
||||||
(synopsis "GNU Image Manipulation Program")
|
(synopsis "GNU Image Manipulation Program")
|
||||||
(description
|
(description
|
||||||
"GIMP is an application for image manipulation tasks such as photo
|
"GIMP is an application for image manipulation tasks such as photo
|
||||||
|
|
|
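Review bot: The `patches` field is removed from the `origin` along with all five gimp-CVE-2017-* patches, and nothing in the commit record shows that the 2.10.0 tarball already contains those fixes. The deleted patch headers each cite a "cherry picked from commit" or "Similar to commit" id from the upstream development line, which suggests 2.10.0 includes them, but that is inferred from the headers; checking each cited id against the 2.10.0 release would settle it. In the `inputs` list the five new entries carry no trailing comment, unlike their neighbours. `("glib-networking" ,glib-networking)` in particular adds GIO's TLS module to the package and deserves a note such as `; presumably for opening remote files over HTTPS (confirm)`. The retained comment on `("exif" ,libexif) ; optional, EXIF + XMP support` may also be stale now that `gexiv2` is an input.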
@ -1,41 +0,0 @@
|
||||||
Fix CVE-2017-17784:
|
|
||||||
|
|
||||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17784
|
|
||||||
https://bugzilla.gnome.org/show_bug.cgi?id=790784
|
|
||||||
|
|
||||||
Patch copied from upstream source repository:
|
|
||||||
|
|
||||||
https://git.gnome.org/browse/gimp/commit/?id=c57f9dcf1934a9ab0cd67650f2dea18cb0902270
|
|
||||||
|
|
||||||
From c57f9dcf1934a9ab0cd67650f2dea18cb0902270 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jehan <jehan@girinstud.io>
|
|
||||||
Date: Thu, 21 Dec 2017 12:25:32 +0100
|
|
||||||
Subject: [PATCH] Bug 790784 - (CVE-2017-17784) heap overread in gbr parser /
|
|
||||||
load_image.
|
|
||||||
|
|
||||||
We were assuming the input name was well formed, hence was
|
|
||||||
nul-terminated. As any data coming from external input, this has to be
|
|
||||||
thorougly checked.
|
|
||||||
Similar to commit 06d24a79af94837d615d0024916bb95a01bf3c59 but adapted
|
|
||||||
to older gimp-2-8 code.
|
|
||||||
---
|
|
||||||
plug-ins/common/file-gbr.c | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
|
|
||||||
index b028100bef..d3f01d9c56 100644
|
|
||||||
--- a/plug-ins/common/file-gbr.c
|
|
||||||
+++ b/plug-ins/common/file-gbr.c
|
|
||||||
@@ -443,7 +443,8 @@ load_image (const gchar *filename,
|
|
||||||
{
|
|
||||||
gchar *temp = g_new (gchar, bn_size);
|
|
||||||
|
|
||||||
- if ((read (fd, temp, bn_size)) < bn_size)
|
|
||||||
+ if ((read (fd, temp, bn_size)) < bn_size ||
|
|
||||||
+ temp[bn_size - 1] != '\0')
|
|
||||||
{
|
|
||||||
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
|
|
||||||
_("Error in GIMP brush file '%s'"),
|
|
||||||
--
|
|
||||||
2.15.1
|
|
||||||
|
|
|
@ -1,171 +0,0 @@
|
||||||
Fix CVE-2017-17785:
|
|
||||||
|
|
||||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17785
|
|
||||||
https://bugzilla.gnome.org/show_bug.cgi?id=739133
|
|
||||||
|
|
||||||
Patch copied from upstream source repository:
|
|
||||||
|
|
||||||
https://git.gnome.org/browse/gimp/commit/?id=1882bac996a20ab5c15c42b0c5e8f49033a1af54
|
|
||||||
|
|
||||||
From 1882bac996a20ab5c15c42b0c5e8f49033a1af54 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tobias Stoeckmann <tobias@stoeckmann.org>
|
|
||||||
Date: Sun, 29 Oct 2017 15:19:41 +0100
|
|
||||||
Subject: [PATCH] Bug 739133 - (CVE-2017-17785) Heap overflow while parsing FLI
|
|
||||||
files.
|
|
||||||
|
|
||||||
It is possible to trigger a heap overflow while parsing FLI files. The
|
|
||||||
RLE decoder is vulnerable to out of boundary writes due to lack of
|
|
||||||
boundary checks.
|
|
||||||
|
|
||||||
The variable "framebuf" points to a memory area which was allocated
|
|
||||||
with fli_header->width * fli_header->height bytes. The RLE decoder
|
|
||||||
therefore must never write beyond that limit.
|
|
||||||
|
|
||||||
If an illegal frame is detected, the parser won't stop, which means
|
|
||||||
that the next valid sequence is properly parsed again. This should
|
|
||||||
allow GIMP to parse FLI files as good as possible even if they are
|
|
||||||
broken by an attacker or by accident.
|
|
||||||
|
|
||||||
While at it, I changed the variable xc to be of type size_t, because
|
|
||||||
the multiplication of width and height could overflow a 16 bit type.
|
|
||||||
|
|
||||||
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
|
||||||
(cherry picked from commit edb251a7ef1602d20a5afcbf23f24afb163de63b)
|
|
||||||
---
|
|
||||||
plug-ins/file-fli/fli.c | 50 ++++++++++++++++++++++++++++++++++---------------
|
|
||||||
1 file changed, 35 insertions(+), 15 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/plug-ins/file-fli/fli.c b/plug-ins/file-fli/fli.c
|
|
||||||
index 313efeb977..ffb651e2af 100644
|
|
||||||
--- a/plug-ins/file-fli/fli.c
|
|
||||||
+++ b/plug-ins/file-fli/fli.c
|
|
||||||
@@ -25,6 +25,8 @@
|
|
||||||
|
|
||||||
#include "config.h"
|
|
||||||
|
|
||||||
+#include <glib/gstdio.h>
|
|
||||||
+
|
|
||||||
#include <string.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
|
|
||||||
@@ -461,23 +463,27 @@ void fli_read_brun(FILE *f, s_fli_header *fli_header, unsigned char *framebuf)
|
|
||||||
unsigned short yc;
|
|
||||||
unsigned char *pos;
|
|
||||||
for (yc=0; yc < fli_header->height; yc++) {
|
|
||||||
- unsigned short xc, pc, pcnt;
|
|
||||||
+ unsigned short pc, pcnt;
|
|
||||||
+ size_t n, xc;
|
|
||||||
pc=fli_read_char(f);
|
|
||||||
xc=0;
|
|
||||||
pos=framebuf+(fli_header->width * yc);
|
|
||||||
+ n=(size_t)fli_header->width * (fli_header->height-yc);
|
|
||||||
for (pcnt=pc; pcnt>0; pcnt--) {
|
|
||||||
unsigned short ps;
|
|
||||||
ps=fli_read_char(f);
|
|
||||||
if (ps & 0x80) {
|
|
||||||
unsigned short len;
|
|
||||||
- for (len=-(signed char)ps; len>0; len--) {
|
|
||||||
+ for (len=-(signed char)ps; len>0 && xc<n; len--) {
|
|
||||||
pos[xc++]=fli_read_char(f);
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
unsigned char val;
|
|
||||||
+ size_t len;
|
|
||||||
+ len=MIN(n-xc,ps);
|
|
||||||
val=fli_read_char(f);
|
|
||||||
- memset(&(pos[xc]), val, ps);
|
|
||||||
- xc+=ps;
|
|
||||||
+ memset(&(pos[xc]), val, len);
|
|
||||||
+ xc+=len;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -564,25 +570,34 @@ void fli_read_lc(FILE *f, s_fli_header *fli_header, unsigned char *old_framebuf,
|
|
||||||
memcpy(framebuf, old_framebuf, fli_header->width * fli_header->height);
|
|
||||||
firstline = fli_read_short(f);
|
|
||||||
numline = fli_read_short(f);
|
|
||||||
+ if (numline > fli_header->height || fli_header->height-numline < firstline)
|
|
||||||
+ return;
|
|
||||||
+
|
|
||||||
for (yc=0; yc < numline; yc++) {
|
|
||||||
- unsigned short xc, pc, pcnt;
|
|
||||||
+ unsigned short pc, pcnt;
|
|
||||||
+ size_t n, xc;
|
|
||||||
pc=fli_read_char(f);
|
|
||||||
xc=0;
|
|
||||||
pos=framebuf+(fli_header->width * (firstline+yc));
|
|
||||||
+ n=(size_t)fli_header->width * (fli_header->height-firstline-yc);
|
|
||||||
for (pcnt=pc; pcnt>0; pcnt--) {
|
|
||||||
unsigned short ps,skip;
|
|
||||||
skip=fli_read_char(f);
|
|
||||||
ps=fli_read_char(f);
|
|
||||||
- xc+=skip;
|
|
||||||
+ xc+=MIN(n-xc,skip);
|
|
||||||
if (ps & 0x80) {
|
|
||||||
unsigned char val;
|
|
||||||
+ size_t len;
|
|
||||||
ps=-(signed char)ps;
|
|
||||||
val=fli_read_char(f);
|
|
||||||
- memset(&(pos[xc]), val, ps);
|
|
||||||
- xc+=ps;
|
|
||||||
+ len=MIN(n-xc,ps);
|
|
||||||
+ memset(&(pos[xc]), val, len);
|
|
||||||
+ xc+=len;
|
|
||||||
} else {
|
|
||||||
- fread(&(pos[xc]), ps, 1, f);
|
|
||||||
- xc+=ps;
|
|
||||||
+ size_t len;
|
|
||||||
+ len=MIN(n-xc,ps);
|
|
||||||
+ fread(&(pos[xc]), len, 1, f);
|
|
||||||
+ xc+=len;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -689,7 +704,8 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu
|
|
||||||
yc=0;
|
|
||||||
numline = fli_read_short(f);
|
|
||||||
for (lc=0; lc < numline; lc++) {
|
|
||||||
- unsigned short xc, pc, pcnt, lpf, lpn;
|
|
||||||
+ unsigned short pc, pcnt, lpf, lpn;
|
|
||||||
+ size_t n, xc;
|
|
||||||
pc=fli_read_short(f);
|
|
||||||
lpf=0; lpn=0;
|
|
||||||
while (pc & 0x8000) {
|
|
||||||
@@ -700,26 +716,30 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu
|
|
||||||
}
|
|
||||||
pc=fli_read_short(f);
|
|
||||||
}
|
|
||||||
+ yc=MIN(yc, fli_header->height);
|
|
||||||
xc=0;
|
|
||||||
pos=framebuf+(fli_header->width * yc);
|
|
||||||
+ n=(size_t)fli_header->width * (fli_header->height-yc);
|
|
||||||
for (pcnt=pc; pcnt>0; pcnt--) {
|
|
||||||
unsigned short ps,skip;
|
|
||||||
skip=fli_read_char(f);
|
|
||||||
ps=fli_read_char(f);
|
|
||||||
- xc+=skip;
|
|
||||||
+ xc+=MIN(n-xc,skip);
|
|
||||||
if (ps & 0x80) {
|
|
||||||
unsigned char v1,v2;
|
|
||||||
ps=-(signed char)ps;
|
|
||||||
v1=fli_read_char(f);
|
|
||||||
v2=fli_read_char(f);
|
|
||||||
- while (ps>0) {
|
|
||||||
+ while (ps>0 && xc+1<n) {
|
|
||||||
pos[xc++]=v1;
|
|
||||||
pos[xc++]=v2;
|
|
||||||
ps--;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
- fread(&(pos[xc]), ps, 2, f);
|
|
||||||
- xc+=ps << 1;
|
|
||||||
+ size_t len;
|
|
||||||
+ len=MIN((n-xc)/2,ps);
|
|
||||||
+ fread(&(pos[xc]), len, 2, f);
|
|
||||||
+ xc+=len << 1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (lpf) pos[xc]=lpn;
|
|
||||||
--
|
|
||||||
2.15.1
|
|
||||||
|
|
|
@ -1,94 +0,0 @@
|
||||||
Fix CVE-2017-17786:
|
|
||||||
|
|
||||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17786
|
|
||||||
https://bugzilla.gnome.org/show_bug.cgi?id=739134
|
|
||||||
|
|
||||||
Both patches copied from upstream source repository:
|
|
||||||
|
|
||||||
https://git.gnome.org/browse/gimp/commit/?id=ef9c821fff8b637a2178eab1c78cae6764c50e12
|
|
||||||
https://git.gnome.org/browse/gimp/commit/?id=22e2571c25425f225abdb11a566cc281fca6f366
|
|
||||||
|
|
||||||
From ef9c821fff8b637a2178eab1c78cae6764c50e12 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jehan <jehan@girinstud.io>
|
|
||||||
Date: Wed, 20 Dec 2017 13:02:38 +0100
|
|
||||||
Subject: [PATCH] Bug 739134 - (CVE-2017-17786) Out of bounds read / heap
|
|
||||||
overflow in...
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
... TGA importer.
|
|
||||||
|
|
||||||
Be more thorough on valid TGA RGB and RGBA images.
|
|
||||||
In particular current TGA plug-in can import RGBA as 32 bits (8 bits per
|
|
||||||
channel) and 16 bits (5 bits per color channel and 1 bit for alpha), and
|
|
||||||
RGB as 15 and 24 bits.
|
|
||||||
Maybe there exist more variants, but if they do exist, we simply don't
|
|
||||||
support them yet.
|
|
||||||
|
|
||||||
Thanks to Hanno Böck for the report and a first patch attempt.
|
|
||||||
|
|
||||||
(cherry picked from commit 674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b)
|
|
||||||
---
|
|
||||||
plug-ins/common/file-tga.c | 12 ++++++++----
|
|
||||||
1 file changed, 8 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
|
|
||||||
index aef98702d4..426acc2925 100644
|
|
||||||
--- a/plug-ins/common/file-tga.c
|
|
||||||
+++ b/plug-ins/common/file-tga.c
|
|
||||||
@@ -564,12 +564,16 @@ load_image (const gchar *filename,
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case TGA_TYPE_COLOR:
|
|
||||||
- if (info.bpp != 15 && info.bpp != 16 &&
|
|
||||||
- info.bpp != 24 && info.bpp != 32)
|
|
||||||
+ if ((info.bpp != 15 && info.bpp != 16 &&
|
|
||||||
+ info.bpp != 24 && info.bpp != 32) ||
|
|
||||||
+ ((info.bpp == 15 || info.bpp == 24) &&
|
|
||||||
+ info.alphaBits != 0) ||
|
|
||||||
+ (info.bpp == 16 && info.alphaBits != 1) ||
|
|
||||||
+ (info.bpp == 32 && info.alphaBits != 8))
|
|
||||||
{
|
|
||||||
- g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)",
|
|
||||||
+ g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
|
|
||||||
gimp_filename_to_utf8 (filename),
|
|
||||||
- info.imageType, info.bpp);
|
|
||||||
+ info.imageType, info.bpp, info.alphaBits);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
--
|
|
||||||
2.15.1
|
|
||||||
|
|
||||||
From 22e2571c25425f225abdb11a566cc281fca6f366 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jehan <jehan@girinstud.io>
|
|
||||||
Date: Wed, 20 Dec 2017 13:26:26 +0100
|
|
||||||
Subject: [PATCH] plug-ins: TGA 16-bit RGB (without alpha bit) is also valid.
|
|
||||||
|
|
||||||
According to some spec on the web, 16-bit RGB is also valid. In this
|
|
||||||
case, the last bit is simply ignored (at least that's how it is
|
|
||||||
implemented right now).
|
|
||||||
|
|
||||||
(cherry picked from commit 8ea316667c8a3296bce2832b3986b58d0fdfc077)
|
|
||||||
---
|
|
||||||
plug-ins/common/file-tga.c | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
|
|
||||||
index 426acc2925..eb14a1dadc 100644
|
|
||||||
--- a/plug-ins/common/file-tga.c
|
|
||||||
+++ b/plug-ins/common/file-tga.c
|
|
||||||
@@ -568,7 +568,8 @@ load_image (const gchar *filename,
|
|
||||||
info.bpp != 24 && info.bpp != 32) ||
|
|
||||||
((info.bpp == 15 || info.bpp == 24) &&
|
|
||||||
info.alphaBits != 0) ||
|
|
||||||
- (info.bpp == 16 && info.alphaBits != 1) ||
|
|
||||||
+ (info.bpp == 16 && info.alphaBits != 1 &&
|
|
||||||
+ info.alphaBits != 0) ||
|
|
||||||
(info.bpp == 32 && info.alphaBits != 8))
|
|
||||||
{
|
|
||||||
g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
|
|
||||||
--
|
|
||||||
2.15.1
|
|
||||||
|
|
|
@ -1,42 +0,0 @@
|
||||||
Fix CVE-2017-17787:
|
|
||||||
|
|
||||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17787
|
|
||||||
https://bugzilla.gnome.org/show_bug.cgi?id=790853
|
|
||||||
|
|
||||||
Patch copied from upstream source repository:
|
|
||||||
|
|
||||||
https://git.gnome.org/browse/gimp/commit/?id=87ba505fff85989af795f4ab6a047713f4d9381d
|
|
||||||
|
|
||||||
From 87ba505fff85989af795f4ab6a047713f4d9381d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jehan <jehan@girinstud.io>
|
|
||||||
Date: Thu, 21 Dec 2017 12:49:41 +0100
|
|
||||||
Subject: [PATCH] Bug 790853 - (CVE-2017-17787) heap overread in psp importer.
|
|
||||||
|
|
||||||
As any external data, we have to check that strings being read at fixed
|
|
||||||
length are properly nul-terminated.
|
|
||||||
|
|
||||||
(cherry picked from commit eb2980683e6472aff35a3117587c4f814515c74d)
|
|
||||||
---
|
|
||||||
plug-ins/common/file-psp.c | 6 ++++++
|
|
||||||
1 file changed, 6 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
|
|
||||||
index 4cbafe37b1..e350e4d88d 100644
|
|
||||||
--- a/plug-ins/common/file-psp.c
|
|
||||||
+++ b/plug-ins/common/file-psp.c
|
|
||||||
@@ -890,6 +890,12 @@ read_creator_block (FILE *f,
|
|
||||||
g_free (string);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
+ if (string[length - 1] != '\0')
|
|
||||||
+ {
|
|
||||||
+ g_message ("Creator keyword data not nul-terminated");
|
|
||||||
+ g_free (string);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
switch (keyword)
|
|
||||||
{
|
|
||||||
case PSP_CRTR_FLD_TITLE:
|
|
||||||
--
|
|
||||||
2.15.1
|
|
||||||
|
|
|
@ -1,48 +0,0 @@
|
||||||
Fix CVE-2017-17789:
|
|
||||||
|
|
||||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17789
|
|
||||||
https://bugzilla.gnome.org/show_bug.cgi?id=790849
|
|
||||||
|
|
||||||
Patch copied from upstream source repository:
|
|
||||||
|
|
||||||
https://git.gnome.org/browse/gimp/commit/?id=01898f10f87a094665a7fdcf7153990f4e511d3f
|
|
||||||
|
|
||||||
From 01898f10f87a094665a7fdcf7153990f4e511d3f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jehan <jehan@girinstud.io>
|
|
||||||
Date: Wed, 20 Dec 2017 16:44:20 +0100
|
|
||||||
Subject: [PATCH] Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer
|
|
||||||
overflow...
|
|
||||||
|
|
||||||
... in PSP importer.
|
|
||||||
Check if declared block length is valid (i.e. within the actual file)
|
|
||||||
before going further.
|
|
||||||
Consider the file as broken otherwise and fail loading it.
|
|
||||||
|
|
||||||
(cherry picked from commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8)
|
|
||||||
---
|
|
||||||
plug-ins/common/file-psp.c | 9 +++++++++
|
|
||||||
1 file changed, 9 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
|
|
||||||
index ac0fff78f0..4cbafe37b1 100644
|
|
||||||
--- a/plug-ins/common/file-psp.c
|
|
||||||
+++ b/plug-ins/common/file-psp.c
|
|
||||||
@@ -1771,6 +1771,15 @@ load_image (const gchar *filename,
|
|
||||||
{
|
|
||||||
block_start = ftell (f);
|
|
||||||
|
|
||||||
+ if (block_start + block_total_len > st.st_size)
|
|
||||||
+ {
|
|
||||||
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
|
|
||||||
+ _("Could not open '%s' for reading: %s"),
|
|
||||||
+ gimp_filename_to_utf8 (filename),
|
|
||||||
+ _("invalid block size"));
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (id == PSP_IMAGE_BLOCK)
|
|
||||||
{
|
|
||||||
if (block_number != 0)
|
|
||||||
--
|
|
||||||
2.15.1
|
|
||||||
|
|