Hello community, here is the log from the commit of package gimp for openSUSE:Factory checked in at Tue Feb 15 16:45:41 CET 2011. -------- --- GNOME/gimp/gimp.changes 2011-02-12 20:24:31.000000000 +0100 +++ gimp/gimp.changes 2011-02-15 10:17:26.000000000 +0100 @@ -1,0 +2,7 @@ +Tue Feb 15 10:13:30 CET 2011 - vuntz@opensuse.org + +- Add gimp-CVE-2010-4540-and-more.patch and + gimp-CVE-2010-4543.patch to fix buffer overflows: CVE-2010-4540, + CVE-2010-4541, CVE-2010-4542, CVE-2010-4543. Fix bnc#662043. + +------------------------------------------------------------------- calling whatdependson for head-i586 New: ---- gimp-CVE-2010-4540-and-more.patch gimp-CVE-2010-4543.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gimp.spec ++++++ --- /var/tmp/diff_new_pack.pApVb5/_old 2011-02-15 16:42:10.000000000 +0100 +++ /var/tmp/diff_new_pack.pApVb5/_new 2011-02-15 16:42:10.000000000 +0100 @@ -49,7 +49,7 @@ BuildRequires: xorg-x11-libXfixes-devel Url: http://www.gimp.org/ Version: 2.6.11 -Release: 5 +Release: 6 License: GPLv2+ Group: Productivity/Graphics/Bitmap Editors Suggests: AdobeICCProfiles @@ -63,6 +63,10 @@ # openSUSE palette file Source2: openSUSE.gpl Source99: baselibs.conf +# PATCH-FIX-UPSTREAM gimp-CVE-2010-4540-and-more.patch CVE-2010-4540 CVE-2010-4541 CVE-2010-4542 bgo#639203 bnc#662043 vuntz@opensuse.org -- Fix various buffer overflows +Patch0: gimp-CVE-2010-4540-and-more.patch +# PATCH-FIX-UPSTREAM gimp-CVE-2010-4543.patch CVE-2010-4543 bgo#639203 bnc#662043 vuntz@opensuse.org -- Fix a buffer overflow when reading a psp file +Patch1: gimp-CVE-2010-4543.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Requires: %{name}-branding >= 2.4 Recommends: %{name}-plugins-python = %{version} gimp-2.0-scanner-plugin %{name}-help-browser 
@@ -238,6 +242,8 @@
 translation-update-upstream po-script-fu gimp20-script-fu
 translation-update-upstream po-plug-ins gimp20-std-plug-ins
 translation-update-upstream po-tips gimp20-tips
+%patch0 -p1
+%patch1 -p1
 # Safety check for ABI version change.
 vabi=`printf "%d" $(sed -n '/#define GIMP_MODULE_ABI_VERSION/{s/.* //;p}' libgimpmodule/gimpmodule.h)`
 if test "x${vabi}" != "x%{abiver}"; then
++++++ gimp-CVE-2010-4540-and-more.patch ++++++
From 7fb0300e1cfdb98a3bde54dbc73a0f3eda375162 Mon Sep 17 00:00:00 2001 From: Simon Budig
Date: Tue, 11 Jan 2011 22:28:16 +0000 Subject: fixes for some buffer overflow problems (see bug #639203)
---
diff --git a/plug-ins/common/sphere-designer.c b/plug-ins/common/sphere-designer.c
index 4e5b982..6dea871 100644
--- a/plug-ins/common/sphere-designer.c
+++ b/plug-ins/common/sphere-designer.c
@@ -1993,6 +1993,7 @@ loadit (const gchar * fn)
 gchar endbuf[21 * (G_ASCII_DTOSTR_BUF_SIZE + 1)];
 gchar *end = endbuf;
 gchar line[1024];
+ gchar fmt_str[16];
 gint i;
 texture *t;
 gint majtype, type;
@@ -2017,6 +2018,8 @@ loadit (const gchar * fn)
 s.com.numtexture = 0;
+ snprintf (fmt_str, sizeof (fmt_str), "%%d %%d %%%lds", sizeof (endbuf) - 1);
+
 while (!feof (f))
 {
@@ -2027,7 +2030,7 @@ loadit (const gchar * fn)
 t = &s.com.texture[i];
 setdefaults (t);
- if (sscanf (line, "%d %d %s", &t->majtype, &t->type, end) != 3)
+ if (sscanf (line, fmt_str, &t->majtype, &t->type, end) != 3)
 t->color1.x = g_ascii_strtod (end, &end);
 if (end && errno != ERANGE)
 t->color1.y = g_ascii_strtod (end, &end);
diff --git a/plug-ins/gfig/gfig-style.c b/plug-ins/gfig/gfig-style.c
index ee1c7b2..eae78f8 100644
--- a/plug-ins/gfig/gfig-style.c
+++ b/plug-ins/gfig/gfig-style.c
@@ -164,6 +164,7 @@ gfig_read_parameter_gimp_rgb (gchar **text,
 gchar *ptr;
 gchar *tmpstr;
 gchar *endptr;
+ gchar fmt_str[32];
 gchar colorstr_r[G_ASCII_DTOSTR_BUF_SIZE];
 gchar colorstr_g[G_ASCII_DTOSTR_BUF_SIZE];
 gchar colorstr_b[G_ASCII_DTOSTR_BUF_SIZE];
@@ -171,6 +172,10 @@ gfig_read_parameter_gimp_rgb (gchar **text,
 style_entry->r = style_entry->g = style_entry->b = style_entry->a = 0.;
+ snprintf (fmt_str, sizeof (fmt_str), "%%%lds %%%lds %%%lds %%%lds",
+ sizeof (colorstr_r) - 1, sizeof (colorstr_g) - 1,
+ sizeof (colorstr_b) - 1, sizeof (colorstr_a) - 1);
+
 while (n < nitems)
 {
 ptr = strchr (text[n], ':'); 
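Review bot: The width argument passed for `%%%lds` in the new `snprintf` is `sizeof (endbuf) - 1`, a `size_t`, while `%ld` consumes a `long`; that is a format/argument type mismatch (`-Wformat` flags it) and is formally undefined on targets where the two types differ in width, such as 64-bit Windows. A cast to a known type removes the doubt: `snprintf (fmt_str, sizeof (fmt_str), "%%d %%d %%%ds", (int) (sizeof (endbuf) - 1));` (or GLib's `G_GSIZE_FORMAT`). The result does fit — with GLib's G_ASCII_DTOSTR_BUF_SIZE of 39 the string is `%d %d %839s`, 11 characters in a 16-byte buffer — but the `snprintf` return is unchecked, so a future change to `endbuf`'s size could silently truncate the format; a `g_return_if_fail` or `g_assert` on the return value would document the invariant. The same `%ld`/`size_t` pattern is repeated in the gfig-style hunk below; loadit itself begins and ends outside the hunk.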
@@ -180,7 +185,8 @@ gfig_read_parameter_gimp_rgb (gchar **text,
 ptr++;
 if (!strcmp (tmpstr, name))
 {
- sscanf (ptr, "%s %s %s %s", colorstr_r, colorstr_g, colorstr_b, colorstr_a);
+ sscanf (ptr, fmt_str,
+ colorstr_r, colorstr_g, colorstr_b, colorstr_a);
 style_entry->r = g_ascii_strtod (colorstr_r, &endptr);
 style_entry->g = g_ascii_strtod (colorstr_g, &endptr);
 style_entry->b = g_ascii_strtod (colorstr_b, &endptr);
diff --git a/plug-ins/lighting/lighting-ui.c b/plug-ins/lighting/lighting-ui.c
index 99fb348..126f6e2 100644
--- a/plug-ins/lighting/lighting-ui.c
+++ b/plug-ins/lighting/lighting-ui.c
@@ -1345,6 +1345,7 @@ load_preset_response (GtkFileChooser *chooser,
 gchar buffer3[G_ASCII_DTOSTR_BUF_SIZE];
 gchar type_label[21];
 gchar *endptr;
+ gchar fmt_str[32];
 if (response_id == GTK_RESPONSE_OK)
 { 
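Review bot: The return value of the now-bounded `sscanf` on the `+` lines is still discarded, so a `name:` entry with fewer than four tokens leaves the unmatched `colorstr_*` arrays uninitialized (they are declared without initializers in the preceding hunk) and the `g_ascii_strtod` calls that follow parse whatever happens to be on the stack. The earlier hunk already resets `style_entry->r/g/b/a` to `0.` before the loop, so the cheapest correct behaviour is to convert only on a complete match: `if (sscanf (ptr, fmt_str, colorstr_r, colorstr_g, colorstr_b, colorstr_a) == 4)` wrapping the four conversions, leaving the zero defaults otherwise. gfig_read_parameter_gimp_rgb starts and ends outside the hunk, and the conversion of `colorstr_a` is presumably just below the visible lines.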
@@ -1384,23 +1385,41 @@ load_preset_response (GtkFileChooser *chooser,
 return;
 }
- fscanf (fp, " Position: %s %s %s", buffer1, buffer2, buffer3);
+ snprintf (fmt_str, sizeof (fmt_str),
+ " Position: %%%lds %%%lds %%%lds",
+ sizeof (buffer1) - 1,
+ sizeof (buffer2) - 1,
+ sizeof (buffer3) - 1);
+ fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
 source->position.x = g_ascii_strtod (buffer1, &endptr);
 source->position.y = g_ascii_strtod (buffer2, &endptr);
 source->position.z = g_ascii_strtod (buffer3, &endptr);
- fscanf (fp, " Direction: %s %s %s", buffer1, buffer2, buffer3);
+ snprintf (fmt_str, sizeof (fmt_str),
+ " Direction: %%%lds %%%lds %%%lds",
+ sizeof (buffer1) - 1,
+ sizeof (buffer2) - 1,
+ sizeof (buffer3) - 1);
+ fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
 source->direction.x = g_ascii_strtod (buffer1, &endptr);
 source->direction.y = g_ascii_strtod (buffer2, &endptr);
 source->direction.z = g_ascii_strtod (buffer3, &endptr);
- fscanf (fp, " Color: %s %s %s", buffer1, buffer2, buffer3);
+ snprintf (fmt_str, sizeof (fmt_str),
+ " Color: %%%lds %%%lds %%%lds",
+ sizeof (buffer1) - 1,
+ sizeof (buffer2) - 1,
+ sizeof (buffer3) - 1);
+ fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
 source->color.r = g_ascii_strtod (buffer1, &endptr);
 source->color.g = g_ascii_strtod (buffer2, &endptr);
 source->color.b = g_ascii_strtod (buffer3, &endptr);
 source->color.a = 1.0;
- fscanf (fp, " Intensity: %s", buffer1);
+ snprintf (fmt_str, sizeof (fmt_str),
+ " Intensity: %%%lds",
+ sizeof (buffer1) - 1);
+ fscanf (fp, fmt_str, buffer1);
 source->intensity = g_ascii_strtod (buffer1, &endptr);
 }
-- cgit v0.8.3.1
++++++ gimp-CVE-2010-4543.patch ++++++
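Review bot: All four `fscanf` calls on the `+` lines still ignore their return value, so a preset file that ends early or contains a malformed token leaves `buffer1..buffer3` holding whatever the previous read put there (or uninitialized bytes if no earlier read succeeded) and the following `g_ascii_strtod` lines silently turn that into light parameters. Checking the match count, e.g. `if (fscanf (fp, fmt_str, buffer1, buffer2, buffer3) != 3)` followed by the same cleanup the parse-failure `return;` at the top of the hunk performs (that path is not visible here), would turn a corrupt preset into a reported error instead of garbage values. The `%%%lds` conversions also pass `size_t` to `%ld`, which should be `(int)` with `%d` or `G_GSIZE_FORMAT`; and since the three-buffer format is rebuilt three times with identical widths, building it once before the first read would be both shorter and less error-prone. load_preset_response begins before the hunk, so the opening of `fp` and its error handling are outside this view.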
From 48ec15890e1751dede061f6d1f469b6508c13439 Mon Sep 17 00:00:00 2001 From: Simon Budig
Date: Mon, 14 Feb 2011 20:46:31 +0000 Subject: file-psp: fix for bogus input data. Fixes bug #639203
---
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index ef39d5b..04897d5 100644
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -1197,6 +1197,10 @@ read_channel_data (FILE *f,
 }
 else
 fread (buf, runcount, 1, f);
+
+ /* prevent buffer overflow for bogus data */
+ runcount = MIN (runcount, endq - q);
+
 if (bytespp == 1)
 {
 memmove (q, buf, runcount);
-- cgit v0.8.3.1
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
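Review bot: The clamp `runcount = MIN (runcount, endq - q);` silently truncates an RLE run that would overrun the destination instead of rejecting the file, and it is applied after the `fread (buf, runcount, 1, f)` on the line above, whose return value is still unchecked, so a short read copies `runcount` bytes of stale `buf` contents into the image with no diagnostic. For a loader handling untrusted files it is safer to fail on either condition, e.g. `if (runcount > endq - q) return -1; /* bogus run length */` before the read and a check that the `fread` returned 1, using whatever error convention read_channel_data's other paths use (not visible here). It is also worth confirming that `buf` itself is sized for the largest `runcount` the decoder can produce, since the new bound only protects `q`. The function and the `bytespp != 1` branch that follows continue outside the hunk.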