From f291581178206dc6e8f5f549b29a17ebc38c952b Mon Sep 17 00:00:00 2001
From: Nils Philippsen
Date: Fri, 11 Dec 2009 09:35:04 +0000
Subject: [PATCH] version 2.6.8 remove obsolete bmp-hardening, psd-hardening patches
---
 .cvsignore | 2 +-
 gimp-2.6.7-bmp-hardening.patch | 119 ---------------
 gimp-2.6.7-psd-hardening.patch | 259 ---------------------------------
 gimp.spec | 58 ++++++--
 sources | 2 +-
 5 files changed, 50 insertions(+), 390 deletions(-)
 delete mode 100644 gimp-2.6.7-bmp-hardening.patch
 delete mode 100644 gimp-2.6.7-psd-hardening.patch
diff --git a/.cvsignore b/.cvsignore
index 978091f..7b9922c 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-gimp-2.6.7.tar.bz2
+gimp-2.6.8.tar.bz2
diff --git a/gimp-2.6.7-bmp-hardening.patch b/gimp-2.6.7-bmp-hardening.patch
deleted file mode 100644
index 187ba55..0000000
--- a/gimp-2.6.7-bmp-hardening.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-commit 57aedabfa3bc555e4d68ad916c757354d518b421
-Author: Nils Philippsen
-Date: Tue Nov 17 11:52:25 2009 +0100
-
- patch: bmp-hardening
-
- Squashed commit of the following:
-
- commit d7ee36732bc37f4412c82f98473288fde2f6f151
- Author: Nils Philippsen
- Date: Mon Nov 16 18:16:38 2009 +0100
-
- Ensure valid bit depths when reading BMP files.
- (cherry picked from commit 16e6a37687bb4b9748c5a5d166d90f5d5bd2e9f3)
- (cherry picked from commit 153ae579f7e7508d7a5b95bd569e91890f6b666e)
-
- Signed-off-by: Nils Philippsen
-
- commit b76b8400dfffd99826fe73dee81d76029b808689
- Author: Nils Philippsen
- Date: Mon Nov 16 17:16:09 2009 +0100
-
- Use more defensive coding in plausibility check.
-
- Use an equivalent division instead of multiplying values and checking if
- they are more than G_MAXINT32, because divisions cannot overflow.
- (cherry picked from commit f63ba36dd9cc01ca6da83fa05ddd12419ad8953e)
- (cherry picked from commit 6e8ff603a2ee6a0940373723d1f075930dfd3ce0)
-
- 
Signed-off-by: Nils Philippsen - - commit c8bd5c99decca02158f9c0218b33fa057bfdf5ce - Author: Nils Philippsen - Date: Mon Nov 16 17:15:32 2009 +0100 - - Make plausibility check easier to understand. - - Explicitly check that Bitmap_Head.biHeight is not G_MININT32 - instead of relying on ABS(G_MININT32) being negative. - (cherry picked from commit 43d57c666346320436a0b668de5525387952784e) - (cherry picked from commit 0214e1ff271a5310731de81d00450a92d9bf0fcd) - - Signed-off-by: Nils Philippsen - - commit eec97e14def220b1de45dcece0a63eb9925f701f - Author: Simon Budig - Date: Tue Nov 10 00:08:59 2009 +0100 - - Harden the BMP plugin against integer overflows. - - Issues discovered by Stefan Cornelius, Secunia Research, advisory SA37232 - and CVE identifier CVE-2009-1570. Fixes bug #600484. - (cherry picked from commit df2b0aca2e7cdb95ebfd3454c65aaba0a83e9bbe) - - 
Signed-off-by: Nils Philippsen - -diff --git a/plug-ins/file-bmp/bmp-read.c b/plug-ins/file-bmp/bmp-read.c -index a1ebe47..7ac4cc4 100644 ---- a/plug-ins/file-bmp/bmp-read.c -+++ b/plug-ins/file-bmp/bmp-read.c -@@ -400,9 +400,26 @@ ReadBMP (const gchar *name, - } - } - -- /* Valid bitpdepthis 1, 4, 8, 16, 24, 32 */ -+ /* Valid bit depth is 1, 4, 8, 16, 24, 32 */ - /* 16 is awful, we should probably shoot whoever invented it */ - -+ switch (Bitmap_Head.biBitCnt) -+ { -+ case 1: -+ case 2: -+ case 4: -+ case 8: -+ case 16: -+ case 24: -+ case 32: -+ break; -+ default: -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("'%s' is not a valid BMP file"), -+ gimp_filename_to_utf8 (filename)); -+ return -1; -+ } -+ - /* There should be some colors used! */ - - ColormapSize = -@@ -424,7 +441,10 @@ ReadBMP (const gchar *name, - return -1; - } - -- if (Bitmap_Head.biWidth < 0) -+ /* biHeight may be negative, but G_MININT32 is dangerous because: -+ G_MININT32 == -(G_MININT32) */ -+ if (Bitmap_Head.biWidth < 0 || -+ Bitmap_Head.biHeight == G_MININT32) - { - g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, - _("'%s' is not a valid BMP file"), -@@ -448,6 +468,18 @@ ReadBMP (const gchar *name, - return -1; - } - -+ /* protect against integer overflows caused by malicious BMPs */ -+ /* use divisions in comparisons to avoid type overflows */ -+ -+ if (((guint64) Bitmap_Head.biWidth) > G_MAXINT32 / Bitmap_Head.biBitCnt || -+ ((guint64) Bitmap_Head.biWidth) > (G_MAXINT32 / ABS (Bitmap_Head.biHeight)) / 4) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("'%s' is not a valid BMP file"), -+ gimp_filename_to_utf8 (filename)); -+ return -1; -+ } -+ - /* Windows and OS/2 declare filler so that rows are a multiple of - * word length (32 bits == 4 bytes) - */ diff --git a/gimp-2.6.7-psd-hardening.patch b/gimp-2.6.7-psd-hardening.patch deleted file mode 100644 index 138920c..0000000 --- a/gimp-2.6.7-psd-hardening.patch +++ /dev/null 
@@ -1,259 +0,0 @@ -commit f53faac253bbf2f8326a4898c805fb3596694665 -Author: Nils Philippsen -Date: Tue Nov 17 11:56:08 2009 +0100 - - patch: psd-hardening - - Squashed commit of the following: - - commit de05a3ec3d0a452fb48d4705cec8d4bb505364d2 - Author: Simon Budig - Date: Tue Nov 17 00:41:39 2009 +0100 - - Harden the PSD plugin against integer overflows. - - Issues discovered by Stefan Cornelius, Secunia Research, advisory SA37232 - and CVE identifier CVE-2009-3909. Fixes bug #600741. - (cherry picked from commit 9cc8d78ff33b7a36852b74e64b427489cad44d0e) - (cherry picked from commit 88eccea84aa375197cc04a2a0e2e29debb56bfa5) - - Signed-off-by: Nils Philippsen - - commit 35ec53d2a1363380a0c6c3f64280e99d7d07f90a - Author: Simon Budig - Date: Tue Nov 17 01:12:19 2009 +0100 - - Fix the PSD structs to use signed ints for bounding box coordinates. - (cherry picked from commit 0e440cb6d4d6ee029667363d244aff61b154c33c) - (cherry picked from commit 687ec47914ec08d6e460918cb641c196d80140a3) - - 
Signed-off-by: Nils Philippsen - -diff --git a/plug-ins/file-psd/psd-load.c b/plug-ins/file-psd/psd-load.c -index d0a8455..1b4e944 100644 ---- a/plug-ins/file-psd/psd-load.c -+++ b/plug-ins/file-psd/psd-load.c -@@ -304,6 +304,15 @@ read_header_block (PSDimage *img_a, - return -1; - } - -+ /* img_a->rows is sanitized above, so a division by zero is avoided here */ -+ if (img_a->columns > G_MAXINT32 / img_a->rows) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("Unsupported or invalid image size: %dx%d"), -+ img_a->columns, img_a->rows); -+ return -1; -+ } -+ - if (img_a->color_mode != PSD_BITMAP - && img_a->color_mode != PSD_GRAYSCALE - && img_a->color_mode != PSD_INDEXED -@@ -533,10 +542,10 @@ read_layer_block (PSDimage *img_a, - psd_set_error (feof (f), errno, error); - return NULL; - } -- lyr_a[lidx]->top = GUINT32_FROM_BE (lyr_a[lidx]->top); -- lyr_a[lidx]->left = GUINT32_FROM_BE (lyr_a[lidx]->left); -- lyr_a[lidx]->bottom = GUINT32_FROM_BE (lyr_a[lidx]->bottom); -- lyr_a[lidx]->right = GUINT32_FROM_BE (lyr_a[lidx]->right); -+ lyr_a[lidx]->top = GINT32_FROM_BE (lyr_a[lidx]->top); -+ lyr_a[lidx]->left = GINT32_FROM_BE (lyr_a[lidx]->left); -+ lyr_a[lidx]->bottom = GINT32_FROM_BE (lyr_a[lidx]->bottom); -+ lyr_a[lidx]->right = GINT32_FROM_BE (lyr_a[lidx]->right); - lyr_a[lidx]->num_channels = GUINT16_FROM_BE (lyr_a[lidx]->num_channels); - - if (lyr_a[lidx]->num_channels > MAX_CHANNELS) -@@ -546,14 +555,16 @@ read_layer_block (PSDimage *img_a, - lyr_a[lidx]->num_channels); - return NULL; - } -- if (lyr_a[lidx]->bottom - lyr_a[lidx]->top > GIMP_MAX_IMAGE_SIZE) -+ if (lyr_a[lidx]->bottom < lyr_a[lidx]->top || -+ lyr_a[lidx]->bottom - lyr_a[lidx]->top > GIMP_MAX_IMAGE_SIZE) - { - g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, - _("Unsupported or invalid layer height: %d"), - lyr_a[lidx]->bottom - lyr_a[lidx]->top); - return NULL; - } -- if (lyr_a[lidx]->right - lyr_a[lidx]->left > GIMP_MAX_IMAGE_SIZE) -+ if (lyr_a[lidx]->right < 
lyr_a[lidx]->left || -+ lyr_a[lidx]->right - lyr_a[lidx]->left > GIMP_MAX_IMAGE_SIZE) - { - g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, - _("Unsupported or invalid layer width: %d"), -@@ -561,6 +572,16 @@ read_layer_block (PSDimage *img_a, - return NULL; - } - -+ if ((lyr_a[lidx]->right - lyr_a[lidx]->left) > -+ G_MAXINT32 / MAX (lyr_a[lidx]->bottom - lyr_a[lidx]->top, 1)) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("Unsupported or invalid layer size: %dx%d"), -+ lyr_a[lidx]->right - lyr_a[lidx]->left, -+ lyr_a[lidx]->bottom - lyr_a[lidx]->top); -+ return NULL; -+ } -+ - IFDBG(2) g_debug ("Layer %d, Coords %d %d %d %d, channels %d, ", - lidx, lyr_a[lidx]->left, lyr_a[lidx]->top, - lyr_a[lidx]->right, lyr_a[lidx]->bottom, -@@ -670,13 +691,13 @@ read_layer_block (PSDimage *img_a, - return NULL; - } - lyr_a[lidx]->layer_mask.top = -- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.top); -+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.top); - lyr_a[lidx]->layer_mask.left = -- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.left); -+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.left); - lyr_a[lidx]->layer_mask.bottom = -- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.bottom); -+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.bottom); - lyr_a[lidx]->layer_mask.right = -- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.right); -+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.right); - lyr_a[lidx]->layer_mask.mask_flags.relative_pos = - lyr_a[lidx]->layer_mask.flags & 1 ? 
TRUE : FALSE; - lyr_a[lidx]->layer_mask.mask_flags.disabled = -@@ -702,21 +723,21 @@ read_layer_block (PSDimage *img_a, - return NULL; - } - lyr_a[lidx]->layer_mask_extra.top = -- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.top); -+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.top); - lyr_a[lidx]->layer_mask_extra.left = -- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.left); -+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.left); - lyr_a[lidx]->layer_mask_extra.bottom = -- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.bottom); -+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.bottom); - lyr_a[lidx]->layer_mask_extra.right = -- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.right); -+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.right); - lyr_a[lidx]->layer_mask.top = -- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.top); -+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.top); - lyr_a[lidx]->layer_mask.left = -- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.left); -+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.left); - lyr_a[lidx]->layer_mask.bottom = -- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.bottom); -+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.bottom); - lyr_a[lidx]->layer_mask.right = -- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.right); -+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.right); - lyr_a[lidx]->layer_mask.mask_flags.relative_pos = - lyr_a[lidx]->layer_mask.flags & 1 ? 
TRUE : FALSE; - lyr_a[lidx]->layer_mask.mask_flags.disabled = -@@ -734,6 +755,34 @@ read_layer_block (PSDimage *img_a, - } - } - -+ /* sanity checks */ -+ if (lyr_a[lidx]->layer_mask.bottom < lyr_a[lidx]->layer_mask.top || -+ lyr_a[lidx]->layer_mask.bottom - lyr_a[lidx]->layer_mask.top > GIMP_MAX_IMAGE_SIZE) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("Unsupported or invalid layer mask height: %d"), -+ lyr_a[lidx]->layer_mask.bottom - lyr_a[lidx]->layer_mask.top); -+ return NULL; -+ } -+ if (lyr_a[lidx]->layer_mask.right < lyr_a[lidx]->layer_mask.left || -+ lyr_a[lidx]->layer_mask.right - lyr_a[lidx]->layer_mask.left > GIMP_MAX_IMAGE_SIZE) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("Unsupported or invalid layer mask width: %d"), -+ lyr_a[lidx]->layer_mask.right - lyr_a[lidx]->layer_mask.left); -+ return NULL; -+ } -+ -+ if ((lyr_a[lidx]->layer_mask.right - lyr_a[lidx]->layer_mask.left) > -+ G_MAXINT32 / MAX (lyr_a[lidx]->layer_mask.bottom - lyr_a[lidx]->layer_mask.top, 1)) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("Unsupported or invalid layer mask size: %dx%d"), -+ lyr_a[lidx]->layer_mask.right - lyr_a[lidx]->layer_mask.left, -+ lyr_a[lidx]->layer_mask.bottom - lyr_a[lidx]->layer_mask.top); -+ return NULL; -+ } -+ - IFDBG(2) g_debug ("Layer mask coords %d %d %d %d, Rel pos %d", - lyr_a[lidx]->layer_mask.left, - lyr_a[lidx]->layer_mask.top, -@@ -1135,7 +1184,7 @@ add_layers (const gint32 image_id, - psd_set_error (feof (f), errno, error); - return -1; - } -- rle_pack_len[rowi] = GUINT16_FROM_BE (rle_pack_len[rowi]); -+ rle_pack_len[rowi] = GUINT16_FROM_BE (rle_pack_len[rowi]); - } - - IFDBG(3) g_debug ("RLE decode - data"); -@@ -1761,6 +1810,16 @@ read_channel_data (PSDchannel *channel, - - IFDBG(3) g_debug ("raw data size %d x %d = %d", readline_len, - channel->rows, readline_len * channel->rows); -+ -+ /* sanity check, int overflow check (avoid divisions by zero) */ -+ if ((channel->rows 
== 0) || (channel->columns == 0) || -+ (channel->rows > G_MAXINT32 / channel->columns / MAX (bps >> 3, 1))) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("Unsupported or invalid channel size")); -+ return -1; -+ } -+ - raw_data = g_malloc (readline_len * channel->rows); - switch (compression) - { -diff --git a/plug-ins/file-psd/psd.h b/plug-ins/file-psd/psd.h -index 6292747..b0c28ff 100644 ---- a/plug-ins/file-psd/psd.h -+++ b/plug-ins/file-psd/psd.h -@@ -447,10 +447,10 @@ typedef struct - /* PSD Layer mask data (length 20) */ - typedef struct - { -- guint32 top; /* Layer top */ -- guint32 left; /* Layer left */ -- guint32 bottom; /* Layer bottom */ -- guint32 right; /* Layer right */ -+ gint32 top; /* Layer top */ -+ gint32 left; /* Layer left */ -+ gint32 bottom; /* Layer bottom */ -+ gint32 right; /* Layer right */ - guchar def_color; /* Default background colour */ - guchar flags; /* Layer flags */ - guchar extra_def_color; /* Real default background colour */ -@@ -461,20 +461,20 @@ typedef struct - /* PSD Layer mask data (length 36) */ - typedef struct - { -- guint32 top; /* Layer top */ -- guint32 left; /* Layer left */ -- guint32 bottom; /* Layer bottom */ -- guint32 right; /* Layer right */ -+ gint32 top; /* Layer top */ -+ gint32 left; /* Layer left */ -+ gint32 bottom; /* Layer bottom */ -+ gint32 right; /* Layer right */ - } LayerMaskExtra; - - /* PSD Layer data structure */ - typedef struct - { - gboolean drop; /* Do not add layer to GIMP image */ -- guint32 top; /* Layer top */ -- guint32 left; /* Layer left */ -- guint32 bottom; /* Layer bottom */ -- guint32 right; /* Layer right */ -+ gint32 top; /* Layer top */ -+ gint32 left; /* Layer left */ -+ gint32 bottom; /* Layer bottom */ -+ gint32 right; /* Layer right */ - guint16 num_channels; /* Number of channels */ - ChannelLengthInfo *chn_info; /* Channel length info */ - gchar mode_key[4]; /* Blend mode key */ diff --git a/gimp.spec b/gimp.spec index 0aeffa2..20edbb4 100644 
--- a/gimp.spec
+++ b/gimp.spec
@@ -30,8 +30,8 @@ Summary: GNU Image Manipulation Program
 Name: gimp
 Epoch: 2
-Version: 2.6.7
-Release: 3%{?dist}
+Version: 2.6.8
+Release: 1%{?dist}
 %define binver 2.6
 %define gimp_lang_ver 20
 %define interfacever 2.0
@@ -128,12 +128,6 @@ Patch1: gimp-2.6.7-jpeg-units.patch
 # https://bugzilla.gnome.org/show_bug.cgi?id=556896
 # "Dialogs don't get minimized with single image window"
 Patch2: gimp-2.6.6-minimize-dialogs.patch
-# https://bugzilla.gnome.org/show_bug.cgi?id=600484
-# "Gimp BMP Integer Overflow Vulnerability"
-Patch3: gimp-2.6.7-bmp-hardening.patch
-# https://bugzilla.gnome.org/show_bug.cgi?id=600741
-# '"read_channel_data()" Integer Overflow Vulnerability'
-Patch4: gimp-2.6.7-psd-hardening.patch
 %description
 GIMP (GNU Image Manipulation Program) is a powerful image composition and
@@ -215,8 +209,6 @@ EOF
 %patch0 -p1 -b .xdg-open
 %patch1 -p1 -b .jpeg-units
 %patch2 -p1 -b .minimize-dialogs
-%patch3 -p1 -b .bmp-hardening
-%patch4 -p1 -b .psd-hardening
 %build
 # if [ ! -f configure ]; then
@@ -507,6 +499,52 @@ fi
 %{_libdir}/gimp/%{interfacever}/plug-ins/help-browser
 %changelog
+* Fri Dec 11 2009 Nils Philippsen - 2:2.6.8-1
+- version 2.6.8
+
+ Overview of Changes from GIMP 2.6.7 to GIMP 2.6.8
+ =================================================
+
+ * Bugs fixed:
+
+ 470698 - MapObject cannot modify highlight
+ 593848 - FG color changed to black when FG-BG Editor tab created
+ 594651 - layer.scale() raises RuntimeError
+ 594998 - Keyboard shortcuts does not work for first image when dock
+ is focused
+ 599765 - F1 key on gimp-tool-align in menu have wrong link and it
+ open gimp-tool-move
+ 600484 - Gimp BMP Integer Overflow Vulnerability
+ 600741 - "read_channel_data()" Integer Overflow Vulnerability
+ 601891 - gimp_image_get_selection returns None
+ 602761 - plug-in-grid: Parameters Horizontal/Vertical Spacing and
+ Horizontal/Vertical Offset are reversed.
+ 603995 - PCX plugin doesn't sanitize input to avoid allocation overflows.
+ 603998 - PCX: Calculating amount of memory to allocate may overflow.
+ 604000 - SGI: sanitize input
+ 604001 - SGI: Calculating amount of memory to allocate may overflow.
+ 604002 - SGI: RLE encoded input data may write beyond allocated buffers
+ 604004 - SGI: allocate memory consistently
+ 604008 - GBR, PAT: sanitize input data
+ 604078 - Crash when pressing Backspace with Free Select Tool
+
+ * Updated and new translations:
+
+ Basque (eu)
+ British English (en_GB)
+ Czech (cs)
+ French (fr)
+ Greek (el)
+ Italian (it)
+ Japanese (ja)
+ Norwegian Nynorsk (nn)
+ Polish (pl)
+ Romanian (ro)
+ Russian (ru)
+ Simplified Chinese (zh_CN)
+
+- remove obsolete bmp-hardening, psd-hardening patches
+
 * Tue Nov 17 2009 Nils Philippsen - 2:2.6.7-3
 - avoid overflow in the BMP image file plugin (#537356)
 - avoid overflow in the PSD image file plugin (#537370)
diff --git a/sources b/sources
index 5c7b444..71e9928 100644
--- a/sources
+++ b/sources
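Review bot: The new 2:2.6.8-1 changelog entry in gimp.spec records the two hardening fixes only as bugs 600484 and 600741 and drops the CVE identifiers (CVE-2009-1570 and CVE-2009-3909) that the deleted gimp-2.6.7-bmp-hardening.patch and gimp-2.6.7-psd-hardening.patch headers carried, so after this commit nothing in the package itself ties the 2.6.8 build to those advisories. Auditors and security tooling usually grep `rpm -q --changelog` for CVE ids, and the preceding 2:2.6.7-3 entry cites only the distribution bug numbers (#537356, #537370). I would make the closing bullet explicit: `- remove obsolete bmp-hardening, psd-hardening patches (fixed upstream in 2.6.8: CVE-2009-1570, CVE-2009-3909)`. The same traceability gap applies to the Patch3/Patch4 comment lines removed in the earlier gimp.spec hunk, which also named the bugzilla entries but not the CVEs.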
@@ -1 +1 @@
-77ed86a8de9b48587efb24f2b115ad38 gimp-2.6.7.tar.bz2
+a4d9462c9420954824a80c9b1963f9d9 gimp-2.6.8.tar.bz2