From 680971d51550602188abff22e4d739bff86e7a0e Mon Sep 17 00:00:00 2001
From: Nils Philippsen
Date: Tue, 17 Nov 2009 11:27:03 +0000
Subject: [PATCH] avoid overflow in the BMP image file plugin (#537356) avoid overflow in the PSD image file plugin (#537370) update jpeg-units patch
---
gimp-2.6.2-jpeg-units.patch | 29 ----
gimp-2.6.7-bmp-hardening.patch | 119 +++++++++++++++
gimp-2.6.7-jpeg-units.patch | 45 ++++++
gimp-2.6.7-psd-hardening.patch | 259 +++++++++++++++++++++++++++++++++
gimp.spec | 21 ++-
5 files changed, 440 insertions(+), 33 deletions(-)
delete mode 100644 gimp-2.6.2-jpeg-units.patch
create mode 100644 gimp-2.6.7-bmp-hardening.patch
create mode 100644 gimp-2.6.7-jpeg-units.patch
create mode 100644 gimp-2.6.7-psd-hardening.patch
diff --git a/gimp-2.6.2-jpeg-units.patch b/gimp-2.6.2-jpeg-units.patch
deleted file mode 100644
index c239031..0000000
--- a/gimp-2.6.2-jpeg-units.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff -up gimp-2.6.2/plug-ins/file-jpeg/jpeg-save.c.jpeg-units gimp-2.6.2/plug-ins/file-jpeg/jpeg-save.c
---- gimp-2.6.2/plug-ins/file-jpeg/jpeg-save.c.jpeg-units 2008-10-30 10:32:32.000000000 +0100
-+++ gimp-2.6.2/plug-ins/file-jpeg/jpeg-save.c 2008-11-11 12:32:18.000000000 +0100
-@@ -192,14 +192,19 @@ background_jpeg_save (PreviewPersistent
- /* display the preview stuff */
- if (!pp->abort_me)
- {
-- struct stat buf;
-- gchar temp[128];
-+ struct stat buf;
-+ gchar *text;
-+ gchar *size_text;
-
- g_stat (pp->file_name, &buf);
-- g_snprintf (temp, sizeof (temp),
-- _("File size: %02.01f kB"),
-- (gdouble) (buf.st_size) / 1024.0);
-- gtk_label_set_text (GTK_LABEL (preview_size), temp);
-+
-+ size_text = g_format_size_for_display (buf.st_size);
-+ text = g_strdup_printf (_("File size: %s"), size_text);
-+
-+ gtk_label_set_text (GTK_LABEL (preview_size), text);
-+
-+ g_free (text);
-+ g_free (size_text);
-
- /* and load the preview */
- load_image (pp->file_name, GIMP_RUN_NONINTERACTIVE, TRUE, NULL);
diff --git a/gimp-2.6.7-bmp-hardening.patch b/gimp-2.6.7-bmp-hardening.patch
new file mode 100644
index 0000000..187ba55
--- /dev/null
+++ b/gimp-2.6.7-bmp-hardening.patch
@@ -0,0 +1,119 @@
+commit 57aedabfa3bc555e4d68ad916c757354d518b421
+Author: Nils Philippsen
+Date: Tue Nov 17 11:52:25 2009 +0100
+
+ patch: bmp-hardening
+
+ Squashed commit of the following:
+
+ commit d7ee36732bc37f4412c82f98473288fde2f6f151
+ Author: Nils Philippsen
+ Date: Mon Nov 16 18:16:38 2009 +0100
+
+ Ensure valid bit depths when reading BMP files.
+ (cherry picked from commit 16e6a37687bb4b9748c5a5d166d90f5d5bd2e9f3)
+ (cherry picked from commit 153ae579f7e7508d7a5b95bd569e91890f6b666e)
+
+ Signed-off-by: Nils Philippsen
+
+ commit b76b8400dfffd99826fe73dee81d76029b808689
+ Author: Nils Philippsen
+ Date: Mon Nov 16 17:16:09 2009 +0100
+
+ Use more defensive coding in plausibility check.
+
+ Use an equivalent division instead of multiplying values and checking if
+ they are more than G_MAXINT32, because divisions cannot overflow.
+ (cherry picked from commit f63ba36dd9cc01ca6da83fa05ddd12419ad8953e)
+ (cherry picked from commit 6e8ff603a2ee6a0940373723d1f075930dfd3ce0)
+
+ Signed-off-by: Nils Philippsen
+
+ commit c8bd5c99decca02158f9c0218b33fa057bfdf5ce
+ Author: Nils Philippsen
+ Date: Mon Nov 16 17:15:32 2009 +0100
+
+ Make plausibility check easier to understand.
+
+ Explicitly check that Bitmap_Head.biHeight is not G_MININT32
+ instead of relying on ABS(G_MININT32) being negative.
+ (cherry picked from commit 43d57c666346320436a0b668de5525387952784e)
+ (cherry picked from commit 0214e1ff271a5310731de81d00450a92d9bf0fcd)
+
+ Signed-off-by: Nils Philippsen
+
+ commit eec97e14def220b1de45dcece0a63eb9925f701f
+ Author: Simon Budig
+ Date: Tue Nov 10 00:08:59 2009 +0100
+
+ Harden the BMP plugin against integer overflows.
+
+ Issues discovered by Stefan Cornelius, Secunia Research, advisory SA37232
+ and CVE identifier CVE-2009-1570. Fixes bug #600484.
+ (cherry picked from commit df2b0aca2e7cdb95ebfd3454c65aaba0a83e9bbe)
+
+ Signed-off-by: Nils Philippsen
+
+diff --git a/plug-ins/file-bmp/bmp-read.c b/plug-ins/file-bmp/bmp-read.c
+index a1ebe47..7ac4cc4 100644
+--- a/plug-ins/file-bmp/bmp-read.c
++++ b/plug-ins/file-bmp/bmp-read.c
+@@ -400,9 +400,26 @@ ReadBMP (const gchar *name,
+ }
+ }
+
+- /* Valid bitpdepthis 1, 4, 8, 16, 24, 32 */
++ /* Valid bit depth is 1, 4, 8, 16, 24, 32 */
+ /* 16 is awful, we should probably shoot whoever invented it */
+
++ switch (Bitmap_Head.biBitCnt)
++ {
++ case 1:
++ case 2:
++ case 4:
++ case 8:
++ case 16:
++ case 24:
++ case 32:
++ break;
++ default:
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("'%s' is not a valid BMP file"),
++ gimp_filename_to_utf8 (filename));
++ return -1;
++ }
++
+ /* There should be some colors used! */
+
+ ColormapSize =
+@@ -424,7 +441,10 @@ ReadBMP (const gchar *name,
+ return -1;
+ }
+
+- if (Bitmap_Head.biWidth < 0)
++ /* biHeight may be negative, but G_MININT32 is dangerous because:
++ G_MININT32 == -(G_MININT32) */
++ if (Bitmap_Head.biWidth < 0 ||
++ Bitmap_Head.biHeight == G_MININT32)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("'%s' is not a valid BMP file"),
+@@ -448,6 +468,18 @@ ReadBMP (const gchar *name,
+ return -1;
+ }
+
++ /* protect against integer overflows caused by malicious BMPs */
++ /* use divisions in comparisons to avoid type overflows */
++
++ if (((guint64) Bitmap_Head.biWidth) > G_MAXINT32 / Bitmap_Head.biBitCnt ||
++ ((guint64) Bitmap_Head.biWidth) > (G_MAXINT32 / ABS (Bitmap_Head.biHeight)) / 4)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("'%s' is not a valid BMP file"),
++ gimp_filename_to_utf8 (filename));
++ return -1;
++ }
++
+ /* Windows and OS/2 declare filler so that rows are a multiple of
+ * word length (32 bits == 4 bytes)
+ */
diff --git a/gimp-2.6.7-jpeg-units.patch b/gimp-2.6.7-jpeg-units.patch
new file mode 100644
index 0000000..71f460a
--- /dev/null
+++ b/gimp-2.6.7-jpeg-units.patch
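Review bot: The bit-depth switch added in the first bmp-read.c hunk accepts `case 2:`, but the comment just above it, reworded in the same hunk, still lists only 1, 4, 8, 16, 24 and 32 as valid. Either the comment should read `/* Valid bit depths are 1, 2, 4, 8, 16, 24, 32 */` or `case 2:` should be dropped; which is right depends on whether the row decoder further down ReadBMP handles 2-bit data, and that code is outside the hunk. This switch is also what keeps `biBitCnt` non-zero for the later `G_MAXINT32 / Bitmap_Head.biBitCnt` division, so a one-line comment saying so would guard against someone relaxing it later.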
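Review bot: The overflow guard in the last bmp-read.c hunk divides by `ABS (Bitmap_Head.biHeight)`, and none of the visible hunks rejects a height of 0, so the guard depends on an earlier check in ReadBMP that cannot be seen here. `G_MININT32` is excluded by the preceding hunk, but zero is a separate case; if it is not already rejected, add `Bitmap_Head.biHeight == 0 ||` to that earlier condition so the divisor is provably non-zero. The trailing `/ 4` is also unexplained, and a comment such as `/* at most 4 bytes per pixel */` would state the bound it encodes, assuming that is the intent.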
@@ -0,0 +1,45 @@
+commit f6f34fd0cd6d523cc472351bcdc9b9ae180aac41
+Author: Sven Neumann
+Date: Mon Nov 3 16:39:20 2008 +0000
+
+ patch: jpeg-units
+
+ Bug 559081 – JPEG Save dialog preview should adjust size units
+
+ 2008-11-03 Sven Neumann
+
+ Bug 559081 – JPEG Save dialog preview should adjust size units
+
+ * plug-ins/file-jpeg/jpeg-save.c: use
+ g_format_size_for_display()
+ to display the JPEG file size.
+
+ svn path=/trunk/; revision=27532
+
+ Signed-off-by: Nils Philippsen
+
+diff --git a/plug-ins/file-jpeg/jpeg-save.c b/plug-ins/file-jpeg/jpeg-save.c
+index 2d0d249..35cda17 100644
+--- a/plug-ins/file-jpeg/jpeg-save.c
++++ b/plug-ins/file-jpeg/jpeg-save.c
+@@ -192,14 +192,14 @@ background_jpeg_save (PreviewPersistent *pp)
+ /* display the preview stuff */
+ if (!pp->abort_me)
+ {
+- struct stat buf;
+- gchar temp[128];
++ struct stat buf;
++ gchar *text;
+
+ g_stat (pp->file_name, &buf);
+- g_snprintf (temp, sizeof (temp),
+- _("File size: %02.01f kB"),
+- (gdouble) (buf.st_size) / 1024.0);
+- gtk_label_set_text (GTK_LABEL (preview_size), temp);
++ text = g_strdup_printf (_("File size: %s"),
++ g_format_size_for_display (buf.st_size));
++ gtk_label_set_text (GTK_LABEL (preview_size), text);
++ g_free (text);
+
+ /* and load the preview */
+ load_image (pp->file_name, GIMP_RUN_NONINTERACTIVE, TRUE, NULL);
diff --git a/gimp-2.6.7-psd-hardening.patch b/gimp-2.6.7-psd-hardening.patch
new file mode 100644
index 0000000..138920c
--- /dev/null
+++ b/gimp-2.6.7-psd-hardening.patch
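Review bot: The string returned by `g_format_size_for_display (buf.st_size)` is passed straight into `g_strdup_printf` and never freed, so every preview refresh in background_jpeg_save leaks it. The 2.6.2 version of this patch, removed by this same commit, kept the result in `size_text` and called `g_free (size_text)` after setting the label; restoring that local, `gchar *size_text = g_format_size_for_display (buf.st_size);` followed by `g_free (size_text);`, fixes it. Separately, the result of `g_stat` is not checked before `buf.st_size` is read, so a failed stat would format an indeterminate value. The function body continues outside the hunk.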
@@ -0,0 +1,259 @@
+commit f53faac253bbf2f8326a4898c805fb3596694665
+Author: Nils Philippsen
+Date: Tue Nov 17 11:56:08 2009 +0100
+
+ patch: psd-hardening
+
+ Squashed commit of the following:
+
+ commit de05a3ec3d0a452fb48d4705cec8d4bb505364d2
+ Author: Simon Budig
+ Date: Tue Nov 17 00:41:39 2009 +0100
+
+ Harden the PSD plugin against integer overflows.
+
+ Issues discovered by Stefan Cornelius, Secunia Research, advisory SA37232
+ and CVE identifier CVE-2009-3909. Fixes bug #600741.
+ (cherry picked from commit 9cc8d78ff33b7a36852b74e64b427489cad44d0e)
+ (cherry picked from commit 88eccea84aa375197cc04a2a0e2e29debb56bfa5)
+
+ Signed-off-by: Nils Philippsen
+
+ commit 35ec53d2a1363380a0c6c3f64280e99d7d07f90a
+ Author: Simon Budig
+ Date: Tue Nov 17 01:12:19 2009 +0100
+
+ Fix the PSD structs to use signed ints for bounding box coordinates.
+ (cherry picked from commit 0e440cb6d4d6ee029667363d244aff61b154c33c)
+ (cherry picked from commit 687ec47914ec08d6e460918cb641c196d80140a3)
+
+ Signed-off-by: Nils Philippsen
+
+diff --git a/plug-ins/file-psd/psd-load.c b/plug-ins/file-psd/psd-load.c
+index d0a8455..1b4e944 100644
+--- a/plug-ins/file-psd/psd-load.c
++++ b/plug-ins/file-psd/psd-load.c
+@@ -304,6 +304,15 @@ read_header_block (PSDimage *img_a,
+ return -1;
+ }
+
++ /* img_a->rows is sanitized above, so a division by zero is avoided here */
++ if (img_a->columns > G_MAXINT32 / img_a->rows)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("Unsupported or invalid image size: %dx%d"),
++ img_a->columns, img_a->rows);
++ return -1;
++ }
++
+ if (img_a->color_mode != PSD_BITMAP
+ && img_a->color_mode != PSD_GRAYSCALE
+ && img_a->color_mode != PSD_INDEXED
+@@ -533,10 +542,10 @@ read_layer_block (PSDimage *img_a,
+ psd_set_error (feof (f), errno, error);
+ return NULL;
+ }
+- lyr_a[lidx]->top = GUINT32_FROM_BE (lyr_a[lidx]->top);
+- lyr_a[lidx]->left = GUINT32_FROM_BE (lyr_a[lidx]->left);
+- lyr_a[lidx]->bottom = GUINT32_FROM_BE (lyr_a[lidx]->bottom);
+- lyr_a[lidx]->right = GUINT32_FROM_BE (lyr_a[lidx]->right);
++ lyr_a[lidx]->top = GINT32_FROM_BE (lyr_a[lidx]->top);
++ lyr_a[lidx]->left = GINT32_FROM_BE (lyr_a[lidx]->left);
++ lyr_a[lidx]->bottom = GINT32_FROM_BE (lyr_a[lidx]->bottom);
++ lyr_a[lidx]->right = GINT32_FROM_BE (lyr_a[lidx]->right);
+ lyr_a[lidx]->num_channels = GUINT16_FROM_BE (lyr_a[lidx]->num_channels);
+
+ if (lyr_a[lidx]->num_channels > MAX_CHANNELS)
+@@ -546,14 +555,16 @@ read_layer_block (PSDimage *img_a,
+ lyr_a[lidx]->num_channels);
+ return NULL;
+ }
+- if (lyr_a[lidx]->bottom - lyr_a[lidx]->top > GIMP_MAX_IMAGE_SIZE)
++ if (lyr_a[lidx]->bottom < lyr_a[lidx]->top ||
++ lyr_a[lidx]->bottom - lyr_a[lidx]->top > GIMP_MAX_IMAGE_SIZE)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("Unsupported or invalid layer height: %d"),
+ lyr_a[lidx]->bottom - lyr_a[lidx]->top);
+ return NULL;
+ }
+- if (lyr_a[lidx]->right - lyr_a[lidx]->left > GIMP_MAX_IMAGE_SIZE)
++ if (lyr_a[lidx]->right < lyr_a[lidx]->left ||
++ lyr_a[lidx]->right - lyr_a[lidx]->left > GIMP_MAX_IMAGE_SIZE)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("Unsupported or invalid layer width: %d"),
+@@ -561,6 +572,16 @@ read_layer_block (PSDimage *img_a,
+ return NULL;
+ }
+
++ if ((lyr_a[lidx]->right - lyr_a[lidx]->left) >
++ G_MAXINT32 / MAX (lyr_a[lidx]->bottom - lyr_a[lidx]->top, 1))
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("Unsupported or invalid layer size: %dx%d"),
++ lyr_a[lidx]->right - lyr_a[lidx]->left,
++ lyr_a[lidx]->bottom - lyr_a[lidx]->top);
++ return NULL;
++ }
++
+ IFDBG(2) g_debug ("Layer %d, Coords %d %d %d %d, channels %d, ",
+ lidx, lyr_a[lidx]->left, lyr_a[lidx]->top,
+ lyr_a[lidx]->right, lyr_a[lidx]->bottom,
+@@ -670,13 +691,13 @@ read_layer_block (PSDimage *img_a,
+ return NULL;
+ }
+ lyr_a[lidx]->layer_mask.top =
+- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.top);
++ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.top);
+ lyr_a[lidx]->layer_mask.left =
+- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.left);
++ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.left);
+ lyr_a[lidx]->layer_mask.bottom =
+- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.bottom);
++ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.bottom);
+ lyr_a[lidx]->layer_mask.right =
+- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.right);
++ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.right);
+ lyr_a[lidx]->layer_mask.mask_flags.relative_pos =
+ lyr_a[lidx]->layer_mask.flags & 1 ? TRUE : FALSE;
+ lyr_a[lidx]->layer_mask.mask_flags.disabled =
+@@ -702,21 +723,21 @@ read_layer_block (PSDimage *img_a,
+ return NULL;
+ }
+ lyr_a[lidx]->layer_mask_extra.top =
+- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.top);
++ GINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.top);
+ lyr_a[lidx]->layer_mask_extra.left =
+- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.left);
++ GINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.left);
+ lyr_a[lidx]->layer_mask_extra.bottom =
+- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.bottom);
++ GINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.bottom);
+ lyr_a[lidx]->layer_mask_extra.right =
+- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.right);
++ GINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.right);
+ lyr_a[lidx]->layer_mask.top =
+- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.top);
++ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.top);
+ lyr_a[lidx]->layer_mask.left =
+- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.left);
++ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.left);
+ lyr_a[lidx]->layer_mask.bottom =
+- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.bottom);
++ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.bottom);
+ lyr_a[lidx]->layer_mask.right =
+- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.right);
++ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.right);
+ lyr_a[lidx]->layer_mask.mask_flags.relative_pos =
+ lyr_a[lidx]->layer_mask.flags & 1 ? TRUE : FALSE;
+ lyr_a[lidx]->layer_mask.mask_flags.disabled =
+@@ -734,6 +755,34 @@ read_layer_block (PSDimage *img_a,
+ }
+ }
+
++ /* sanity checks */
++ if (lyr_a[lidx]->layer_mask.bottom < lyr_a[lidx]->layer_mask.top ||
++ lyr_a[lidx]->layer_mask.bottom - lyr_a[lidx]->layer_mask.top > GIMP_MAX_IMAGE_SIZE)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("Unsupported or invalid layer mask height: %d"),
++ lyr_a[lidx]->layer_mask.bottom - lyr_a[lidx]->layer_mask.top);
++ return NULL;
++ }
++ if (lyr_a[lidx]->layer_mask.right < lyr_a[lidx]->layer_mask.left ||
++ lyr_a[lidx]->layer_mask.right - lyr_a[lidx]->layer_mask.left > GIMP_MAX_IMAGE_SIZE)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("Unsupported or invalid layer mask width: %d"),
++ lyr_a[lidx]->layer_mask.right - lyr_a[lidx]->layer_mask.left);
++ return NULL;
++ }
++
++ if ((lyr_a[lidx]->layer_mask.right - lyr_a[lidx]->layer_mask.left) >
++ G_MAXINT32 / MAX (lyr_a[lidx]->layer_mask.bottom - lyr_a[lidx]->layer_mask.top, 1))
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("Unsupported or invalid layer mask size: %dx%d"),
++ lyr_a[lidx]->layer_mask.right - lyr_a[lidx]->layer_mask.left,
++ lyr_a[lidx]->layer_mask.bottom - lyr_a[lidx]->layer_mask.top);
++ return NULL;
++ }
++
+ IFDBG(2) g_debug ("Layer mask coords %d %d %d %d, Rel pos %d",
+ lyr_a[lidx]->layer_mask.left,
+ lyr_a[lidx]->layer_mask.top,
+@@ -1135,7 +1184,7 @@ add_layers (const gint32 image_id,
+ psd_set_error (feof (f), errno, error);
+ return -1;
+ }
+- rle_pack_len[rowi] = GUINT16_FROM_BE (rle_pack_len[rowi]);
++ rle_pack_len[rowi] = GUINT16_FROM_BE (rle_pack_len[rowi]);
+ }
+
+ IFDBG(3) g_debug ("RLE decode - data");
+@@ -1761,6 +1810,16 @@ read_channel_data (PSDchannel *channel,
+
+ IFDBG(3) g_debug ("raw data size %d x %d = %d", readline_len,
+ channel->rows, readline_len * channel->rows);
++
++ /* sanity check, int overflow check (avoid divisions by zero) */
++ if ((channel->rows == 0) || (channel->columns == 0) ||
++ (channel->rows > G_MAXINT32 / channel->columns / MAX (bps >> 3, 1)))
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("Unsupported or invalid channel size"));
++ return -1;
++ }
++
+ raw_data = g_malloc (readline_len * channel->rows);
+ switch (compression)
+ {
+diff --git a/plug-ins/file-psd/psd.h b/plug-ins/file-psd/psd.h
+index 6292747..b0c28ff 100644
+--- a/plug-ins/file-psd/psd.h
++++ b/plug-ins/file-psd/psd.h
+@@ -447,10 +447,10 @@ typedef struct
+ /* PSD Layer mask data (length 20) */
+ typedef struct
+ {
+- guint32 top; /* Layer top */
+- guint32 left; /* Layer left */
+- guint32 bottom; /* Layer bottom */
+- guint32 right; /* Layer right */
++ gint32 top; /* Layer top */
++ gint32 left; /* Layer left */
++ gint32 bottom; /* Layer bottom */
++ gint32 right; /* Layer right */
+ guchar def_color; /* Default background colour */
+ guchar flags; /* Layer flags */
+ guchar extra_def_color; /* Real default background colour */
+@@ -461,20 +461,20 @@ typedef struct
+ /* PSD Layer mask data (length 36) */
+ typedef struct
+ {
+- guint32 top; /* Layer top */
+- guint32 left; /* Layer left */
+- guint32 bottom; /* Layer bottom */
+- guint32 right; /* Layer right */
++ gint32 top; /* Layer top */
++ gint32 left; /* Layer left */
++ gint32 bottom; /* Layer bottom */
++ gint32 right; /* Layer right */
+ } LayerMaskExtra;
+
+ /* PSD Layer data structure */
+ typedef struct
+ {
+ gboolean drop; /* Do not add layer to GIMP image */
+- guint32 top; /* Layer top */
+- guint32 left; /* Layer left */
+- guint32 bottom; /* Layer bottom */
+- guint32 right; /* Layer right */
++ gint32 top; /* Layer top */
++ gint32 left; /* Layer left */
++ gint32 bottom; /* Layer bottom */
++ gint32 right; /* Layer right */
+ guint16 num_channels; /* Number of channels */
+ ChannelLengthInfo *chn_info; /* Channel length info */
+ gchar mode_key[4]; /* Blend mode key */
diff --git a/gimp.spec b/gimp.spec
index ef1441a..0aeffa2 100644
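Review bot: With the bounding-box fields now `gint32`, the differences `lyr_a[lidx]->bottom - lyr_a[lidx]->top` and `right - left` in read_layer_block can overflow, and the new `bottom < top` / `right < left` tests do not prevent that when one coordinate is large and positive and the other negative. Signed overflow is undefined, and a wrapped negative result would pass the `> GIMP_MAX_IMAGE_SIZE` comparison and be clamped to 1 by `MAX (..., 1)` in the product check. Doing the subtraction in a wider type, e.g. `(gint64) lyr_a[lidx]->bottom - lyr_a[lidx]->top > GIMP_MAX_IMAGE_SIZE`, or bounding each coordinate first, closes the gap. The same expression recurs in the layer-mask sanity checks added further down and in the `%d` arguments of the error messages, so a small helper that returns the extent as `gint64` would fix all of them at once.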
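Review bot: The guard added in read_channel_data bounds `channel->rows` against `channel->columns` and `bps >> 3`, while the allocation it protects is `g_malloc (readline_len * channel->rows)`, so the two agree only if `readline_len` never exceeds columns times bytes per sample. `readline_len` is computed outside the hunk, so that cannot be confirmed from here; testing the real operands, `readline_len == 0 || channel->rows > G_MAXINT32 / readline_len`, would tie the check to the multiplication. The `IFDBG(3)` line above the guard also evaluates `readline_len * channel->rows` before anything has been validated, so the guard would be better placed ahead of it.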
--- a/gimp.spec +++ b/gimp.spec @@ -31,7 +31,7 @@ Summary: GNU Image Manipulation Program Name: gimp Epoch: 2 Version: 2.6.7 -Release: 2%{?dist} +Release: 3%{?dist} %define binver 2.6 %define gimp_lang_ver 20 %define interfacever 2.0 @@ -122,12 +122,18 @@ Source0: ftp://ftp.gimp.org/pub/gimp/v%{binver}/gimp-%{version}.tar.bz2 Source1: gimp-plugin-mgr.in # distro specific: use xdg-open instead of firefox as web browser Patch0: gimp-2.6.2-xdg-open.patch -# http://bugzilla.gnome.org/show_bug.cgi?id=559081 +# https://bugzilla.gnome.org/show_bug.cgi?id=559081 # "JPEG Save dialog preview should adjust size units" -Patch1: gimp-2.6.2-jpeg-units.patch -# http://bugzilla.gnome.org/show_bug.cgi?id=556896 +Patch1: gimp-2.6.7-jpeg-units.patch +# https://bugzilla.gnome.org/show_bug.cgi?id=556896 # "Dialogs don't get minimized with single image window" Patch2: gimp-2.6.6-minimize-dialogs.patch +# https://bugzilla.gnome.org/show_bug.cgi?id=600484 +# "Gimp BMP Integer Overflow Vulnerability" +Patch3: gimp-2.6.7-bmp-hardening.patch +# https://bugzilla.gnome.org/show_bug.cgi?id=600741 +# '"read_channel_data()" Integer Overflow Vulnerability' +Patch4: gimp-2.6.7-psd-hardening.patch %description GIMP (GNU Image Manipulation Program) is a powerful image composition and @@ -209,6 +215,8 @@ EOF %patch0 -p1 -b .xdg-open %patch1 -p1 -b .jpeg-units %patch2 -p1 -b .minimize-dialogs +%patch3 -p1 -b .bmp-hardening +%patch4 -p1 -b .psd-hardening %build # if [ ! -f configure ]; then @@ -499,6 +507,11 @@ fi %{_libdir}/gimp/%{interfacever}/plug-ins/help-browser %changelog +* Tue Nov 17 2009 Nils Philippsen - 2:2.6.7-3 +- avoid overflow in the BMP image file plugin (#537356) +- avoid overflow in the PSD image file plugin (#537370) +- update jpeg-units patch + * Tue Aug 18 2009 Nils Philippsen - 2:2.6.7-2 - BR: webkitgtk-devel/WebKit-gtk-devel >= 1.1.0