Hello community, here is the log from the commit of package gimp for openSUSE:Factory checked in at 2012-12-03 09:34:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gimp (Old) and /work/SRC/openSUSE:Factory/.gimp.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gimp", Maintainer is "gnome-maintainers@suse.de" Changes: --------
--- /work/SRC/openSUSE:Factory/gimp/gimp.changes 2012-09-15 17:27:18.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.gimp.new/gimp.changes 2012-12-03 09:34:33.000000000 +0100
@@ -1,0 +2,6 @@
+Tue Nov 27 11:11:04 UTC 2012 - dimstar@opensuse.org
+
+- Add gimp-CVE-2012-5576.patch: fix memory corruption vulnerability
+ when reading XWD files (bnc#791372, bgo#687392, CVE-2012-5576).
+
+-------------------------------------------------------------------
New: ---- gimp-CVE-2012-5576.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gimp.spec ++++++
--- /var/tmp/diff_new_pack.yhgWYY/_old 2012-12-03 09:34:35.000000000 +0100
+++ /var/tmp/diff_new_pack.yhgWYY/_new 2012-12-03 09:34:35.000000000 +0100
@@ -31,6 +31,8 @@
 # openSUSE palette file
 Source2: openSUSE.gpl
 Source99: baselibs.conf
+# PATCH-FIX-UPSTREAM gimp-CVE-2012-5576.patch bnc#791372 bgo#687392 CVE-2012-5576 dimstar@opensuse.org -- Memory corruption vulnerability when reading XWD files, taken from git.
+Patch0: gimp-CVE-2012-5576.patch
 BuildRequires: aalib-devel
 BuildRequires: alsa-devel >= 1.0.0
 BuildRequires: babl-devel >= 0.1.10
@@ -233,6 +235,7 @@
 %lang_package
 %prep
 %setup -q
+%patch0 -p1
 translation-update-upstream
 translation-update-upstream po-libgimp gimp20-libgimp
 translation-update-upstream po-python gimp20-python
++++++ gimp-CVE-2012-5576.patch ++++++
From 0b35f6a082a0b3c372c568ea6bde39a4796acde2 Mon Sep 17 00:00:00 2001 From: Michael Natterer
Date: Wed, 07 Nov 2012 23:16:31 +0000 Subject: Bug 687392 - Memory corruption vulnerability when reading XWD files
Applied and enhanced patch from andres which makes file-xwd detect this kind of file corruption and abort loading with an error message. --- diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c index 4e8a95e..f91d757 100644 --- a/plug-ins/common/file-xwd.c +++ b/plug-ins/common/file-xwd.c @@ -186,11 +186,13 @@ static gint32 load_xwd_f2_d16_b16 (const gchar *, static gint32 load_xwd_f2_d24_b32 (const gchar *, FILE *, L_XWDFILEHEADER *, - L_XWDCOLOR *); + L_XWDCOLOR *, + GError **); static gint32 load_xwd_f1_d24_b1 (const gchar *, FILE *, L_XWDFILEHEADER *, - L_XWDCOLOR *); + L_XWDCOLOR *, + GError **); static L_CARD32 read_card32 (FILE *, gint *); @@ -540,7 +542,8 @@ load_image (const gchar *filename, case 1: /* Single plane pixmap */ if ((depth <= 24) && (bpp == 1)) { - image_ID = load_xwd_f1_d24_b1 (filename, ifp, &xwdhdr, xwdcolmap); + image_ID = load_xwd_f1_d24_b1 (filename, ifp, &xwdhdr, xwdcolmap, + error); } break; @@ -559,7 +562,8 @@ load_image (const gchar *filename, } else if ((depth <= 24) && ((bpp == 24) || (bpp == 32))) { - image_ID = load_xwd_f2_d24_b32 (filename, ifp, &xwdhdr, xwdcolmap); + image_ID = load_xwd_f2_d24_b32 (filename, ifp, &xwdhdr, xwdcolmap, + error); } break; } @@ -570,7 +574,7 @@ load_image (const gchar *filename, if (xwdcolmap) g_free (xwdcolmap); - if (image_ID == -1) + if (image_ID == -1 && ! (error && *error)) g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, _("XWD-file %s has format %d, depth %d and bits per pixel %d. " "Currently this is not supported."), 
@@ -1624,10 +1628,11 @@ load_xwd_f2_d16_b16 (const gchar *filename, /* Load XWD with pixmap_format 2, pixmap_depth up to 24, bits_per_pixel 24/32 */ static gint32 -load_xwd_f2_d24_b32 (const gchar *filename, - FILE *ifp, - L_XWDFILEHEADER *xwdhdr, - L_XWDCOLOR *xwdcolmap) +load_xwd_f2_d24_b32 (const gchar *filename, + FILE *ifp, + L_XWDFILEHEADER *xwdhdr, + L_XWDCOLOR *xwdcolmap, + GError **error) { register guchar *dest, lsbyte_first; gint width, height, linepad, i, j, c0, c1, c2, c3; @@ -1652,12 +1657,6 @@ load_xwd_f2_d24_b32 (const gchar *filename, width = xwdhdr->l_pixmap_width; height = xwdhdr->l_pixmap_height; - image_ID = create_new_image (filename, width, height, GIMP_RGB, - &layer_ID, &drawable, &pixel_rgn); - - tile_height = gimp_tile_height (); - data = g_malloc (tile_height * width * 3); - redmask = xwdhdr->l_red_mask; greenmask = xwdhdr->l_green_mask; bluemask = xwdhdr->l_blue_mask; @@ -1685,6 +1684,22 @@ load_xwd_f2_d24_b32 (const gchar *filename, maxblue = 0; while (bluemask >> (blueshift + maxblue)) maxblue++; maxblue = (1 << maxblue) - 1; + if (maxred > sizeof (redmap) || + maxgreen > sizeof (greenmap) || + maxblue > sizeof (bluemap)) + { + g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, + _("XWD-file %s is corrupt."), + gimp_filename_to_utf8 (filename)); + return -1; + } + + image_ID = create_new_image (filename, width, height, GIMP_RGB, + &layer_ID, &drawable, &pixel_rgn); + + tile_height = gimp_tile_height (); + data = g_malloc (tile_height * width * 3); + /* Set map-arrays for red, green, blue */ for (red = 0; red <= maxred; red++) redmap[red] = (red * 255) / maxred; 
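Review bot: The new bound in load_xwd_f2_d24_b32 uses `>` although the loop directly below it stores to `redmap[red]` for every `red <= maxred`, so a `maxred` equal to the table size would pass the check and write one element past the end. `sizeof` also counts bytes rather than elements, which is only the same thing if the three maps are byte arrays; their declarations are outside the hunk. Since `maxred` is built as `(1 << n) - 1`, the equal case may not be reachable for a power-of-two table, but the guard should state the actual invariant: `if (maxred >= G_N_ELEMENTS (redmap) || maxgreen >= G_N_ELEMENTS (greenmap) || maxblue >= G_N_ELEMENTS (bluemap))`. The identical check added to load_xwd_f1_d24_b1 (hunk at -1913,6) needs the same change.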
@@ -1825,10 +1840,11 @@ load_xwd_f2_d24_b32 (const gchar *filename, /* Load XWD with pixmap_format 1, pixmap_depth up to 24, bits_per_pixel 1 */ static gint32 -load_xwd_f1_d24_b1 (const gchar *filename, - FILE *ifp, - L_XWDFILEHEADER *xwdhdr, - L_XWDCOLOR *xwdcolmap) +load_xwd_f1_d24_b1 (const gchar *filename, + FILE *ifp, + L_XWDFILEHEADER *xwdhdr, + L_XWDCOLOR *xwdcolmap, + GError **error) { register guchar *dest, outmask, inmask, do_reverse; gint width, height, i, j, plane, fromright; @@ -1863,13 +1879,6 @@ load_xwd_f1_d24_b1 (const gchar *filename, indexed = (xwdhdr->l_pixmap_depth <= 8); bytes_per_pixel = (indexed ? 1 : 3); - image_ID = create_new_image (filename, width, height, - indexed ? GIMP_INDEXED : GIMP_RGB, - &layer_ID, &drawable, &pixel_rgn); - - tile_height = gimp_tile_height (); - data = g_malloc (tile_height * width * bytes_per_pixel); - for (j = 0; j < 256; j++) /* Create an array for reversing bits */ { inmask = 0; @@ -1913,6 +1922,16 @@ load_xwd_f1_d24_b1 (const gchar *filename, maxblue = 0; while (bluemask >> (blueshift + maxblue)) maxblue++; maxblue = (1 << maxblue) - 1; + if (maxred > sizeof (redmap) || + maxgreen > sizeof (greenmap) || + maxblue > sizeof (bluemap)) + { + g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, + _("XWD-file %s is corrupt."), + gimp_filename_to_utf8 (filename)); + return -1; + } + /* Set map-arrays for red, green, blue */ for (red = 0; red <= maxred; red++) redmap[red] = (red * 255) / maxred; 
@@ -1922,6 +1941,13 @@ load_xwd_f1_d24_b1 (const gchar *filename, bluemap[blue] = (blue * 255) / maxblue; } + image_ID = create_new_image (filename, width, height, + indexed ? GIMP_INDEXED : GIMP_RGB, + &layer_ID, &drawable, &pixel_rgn); + + tile_height = gimp_tile_height (); + data = g_malloc (tile_height * width * bytes_per_pixel); + ncols = xwdhdr->l_colormap_entries; if (xwdhdr->l_ncolors < ncols) ncols = xwdhdr->l_ncolors; -- cgit v0.9.0.2 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
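Review bot: The relocated `g_malloc (tile_height * width * bytes_per_pixel)` still computes the buffer size in `gint` arithmetic from a `width` that appears to come straight from the file header, so a large enough width could wrap the product and give a buffer smaller than the rows later written into it. The mask check added by this commit does not bound the image dimensions. Unless load_image already rejects oversized dimensions outside these hunks, validate `width` first and use an overflow-checked allocation such as `data = g_malloc_n ((gsize) tile_height * width, bytes_per_pixel);`. The same pattern, `g_malloc (tile_height * width * 3)`, is moved in load_xwd_f2_d24_b32 (hunk at -1685,6), where `width = xwdhdr->l_pixmap_width` is visible.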