harden PSP plugin against bogus input data

(CVE-2010-4543, CVE-2011-1782)
2011-05-23 15:57:56 +02:00 · 2011-05-23 15:57:56 +02:00 · 4af8fc1a3c
commit 4af8fc1a3c
parent 9d0484a96c
2 changed files with 52 additions and 0 deletions
--- a/gimp-2.6.11-psp-overflow.patch
+++ b/gimp-2.6.11-psp-overflow.patch
@ -0,0 +1,45 @@
+From 282feeae8df77bae287284f74e9f9c54d21e6d8d Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils@redhat.com>
+Date: Mon, 23 May 2011 15:52:48 +0200
+Subject: [PATCH] patch: psp-overflow
+
+Squashed commit of the following:
+
+commit c5b7e71d89c60a329d4db05f8ddb4610eab013d6
+Author: Nils Philippsen <nils@redhat.com>
+Date:   Fri May 13 17:08:02 2011 +0200
+
+    file-psp: fix overflow protection (CVE-2011-1782)
+
+    amends commit 48ec15890e1751dede061f6d1f469b6508c13439, related to
+    CVE-2010-4543
+    (cherry picked from commit f657361db04de69ce003328724c59e3f942d7d15)
+
+commit ab592eb5015f81defdd1e74cd5bcc7edfcd7ebf7
+Author: Simon Budig <simon@budig.de>
+Date:   Mon Feb 14 21:46:31 2011 +0100
+
+    file-psp: fix for bogus input data. Fixes bug #639203
+    (cherry picked from commit 48ec15890e1751dede061f6d1f469b6508c13439)
+---
+ plug-ins/common/file-psp.c |    4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index db12770..4931c87 100644
+--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
+@@ -1244,6 +1244,10 @@ read_channel_data (FILE       *f,
+             }
+           else
+             fread (buf, runcount, 1, f);
+
+          /* prevent buffer overflow for bogus data */
+          runcount = MIN (runcount, (endq - q) / bytespp);
+
+           if (bytespp == 1)
+             {
+               memmove (q, buf, runcount);
+-- 
+1.7.5.1
+
--- a/gimp.spec
+++ b/gimp.spec
@ -147,6 +147,9 @@ Patch5:         gimp-2.6.11-colorxhtml.patch
 Patch6:         gimp-2.6.11-pyslice.patch
 # backport: work with poppler-0.17, upstreamed
 Patch7:         gimp-2.6.11-poppler-0.17.patch
+# backport: CVE-2010-4543, CVE-2011-1782
+# harden PSP plugin against bogus input data
+Patch8:         gimp-2.6.11-psp-overflow.patch
 # files changed by autoreconf after applying the above
 Patch10:        gimp-2.6.11-11-autoreconf.patch.bz2

@ -236,6 +239,7 @@ EOF
 %patch5 -p1 -b .colorxhtml
 %patch6 -p1 -b .pyslice
 %patch7 -p1 -b .poppler-0.17
+%patch8 -p1 -b .psp-overflow

 %patch10 -p1 -b .autoreconf

@ -503,6 +507,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %{_libdir}/gimp/%{interfacever}/plug-ins/help-browser

 %changelog
+* Mon May 23 2011 Nils Philippsen <nils@redhat.com> - 2:2.6.11-13
+- harden PSP plugin against bogus input data (CVE-2010-4543, CVE-2011-1782)
+
 * Sat May 07 2011 Christopher Aillon <caillon@redhat.com> - 2:2.6.11-12
 - Update desktop database, icon cache scriptlets