commit gimp for openSUSE:11.3

16 Sep 2011

Hello community,

here is the log from the commit of package gimp for openSUSE:11.3
checked in at Fri Sep 16 19:02:08 CEST 2011.



--------
--- old-versions/11.3/UPDATES/all/gimp/gimp.changes	2011-07-13 00:36:45.000000000 +0200
+++ 11.3/gimp/gimp.changes	2011-09-09 15:04:27.000000000 +0200
@@ -1,0 +2,6 @@
+Fri Sep  9 13:03:51 UTC 2011 - vuntz@opensuse.org
+
+- Add gimp-CVE-2011-2896.patch: Fix heap corruption and buffer
+  overflow in LZW code. Fix bnc#711491, CVE-2011-2896.
+
+-------------------------------------------------------------------

calling whatdependson for 11.3-i586


New:
----
  gimp-CVE-2011-2896.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gimp.spec ++++++
--- /var/tmp/diff_new_pack.zmNvrL/_old	2011-09-16 17:57:55.000000000 +0200
+++ /var/tmp/diff_new_pack.zmNvrL/_new	2011-09-16 17:57:55.000000000 +0200
@@ -48,7 +48,7 @@
 BuildRequires:  xorg-x11-libXfixes-devel
 Url:            http://www.gimp.org/
 Version:        2.6.8
-Release:        7.<RELEASE7>
+Release:        7.<RELEASE9>
 License:        GPLv2+
 Group:          Productivity/Graphics/Bitmap Editors
 Suggests:       AdobeICCProfiles
@@ -71,6 +71,8 @@
 Patch3:         gimp-CVE-2010-4543.patch
 # PATCH-FIX-UPSTREAM gimp-pyslice-cellspacing-fix.patch bgo#641259 bnc#698769 fisiu@opensuse.org -- py-slice cellspacing fix
 Patch4:         gimp-pyslice-cellspacing-fix.patch
+# PATCH-FIX-UPSTREAM gimp-CVE-2011-2896.patch CVE-2011-2896 bnc#711491 vuntz@opensuse.org -- Fix heap corruption and buffer overflow
+Patch5:         gimp-CVE-2011-2896.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Requires:       %{name}-branding >= 2.4
 Recommends:     %{name}-plugins-python = %{version} gimp-2.0-scanner-plugin %{name}-help-browser
@@ -212,6 +214,7 @@
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 # Safety check for ABI version change.
 vabi=`printf "%d" $(sed -n '/#define GIMP_MODULE_ABI_VERSION/{s/.* //;p}' libgimpmodule/gimpmodule.h)`
 if test "x${vabi}" != "x%{abiver}"; then

++++++ gimp-CVE-2011-2896.patch ++++++
...
From 0eae221c7c6eb84591d718587a17ea90c8852d5b Mon Sep 17 00:00:00 2001
From: Nils Philippsen 
Date: Thu, 04 Aug 2011 10:47:44 +0000
Subject: file-gif-load: ensure return value of LZWReadByte() is <= 255
(cherry picked from commit b1a3de761362db982c0ddfaff60ab4a3c4267f32)
---

diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
index 9a0720b..a4d98fc 100644
--- a/plug-ins/common/file-gif-load.c
+++ b/plug-ins/common/file-gif-load.c
@@ -743,11 +743,11 @@ LZWReadByte (FILE *fd,
         }
       while (firstcode == clear_code);
 
-      return firstcode;
+      return firstcode & 255;
     }
 
   if (sp > stack)
-    return *--sp;
+    return (*--sp) & 255;
 
   while ((code = GetCode (fd, code_size, FALSE)) >= 0)
     {
@@ -770,7 +770,7 @@ LZWReadByte (FILE *fd,
           sp            = stack;
           firstcode     = oldcode = GetCode (fd, code_size, FALSE);
 
-          return firstcode;
+          return firstcode & 255;
         }
       else if (code == end_code)
         {
@@ -826,10 +826,10 @@ LZWReadByte (FILE *fd,
       oldcode = incode;
 
       if (sp > stack)
-        return *--sp;
+        return (*--sp) & 255;
     }
 
-  return code;
+  return code & 255;
 }
 
 static gint32
--
cgit v0.9.0.2
...
From 62718f821b7c79a6860b8b25f0a21a91daa6e22d Mon Sep 17 00:00:00 2001
From: Nils Philippsen 
Date: Thu, 04 Aug 2011 10:51:42 +0000
Subject: file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896)
(cherry picked from commit 376ad788c1a1c31d40f18494889c383f6909ebfc)
---
diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
index a4d98fc..8460ec0 100644
--- a/plug-ins/common/file-gif-load.c
+++ b/plug-ins/common/file-gif-load.c
@@ -697,7 +697,8 @@ LZWReadByte (FILE *fd,
   static gint firstcode, oldcode;
   static gint clear_code, end_code;
   static gint table[2][(1 << MAX_LZW_BITS)];
-  static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
+#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
+  static gint stack[STACK_SIZE], *sp;
   gint        i;
 
   if (just_reset_LZW)
@@ -772,7 +773,7 @@ LZWReadByte (FILE *fd,
 
           return firstcode & 255;
         }
-      else if (code == end_code)
+      else if (code == end_code || code > max_code)
         {
           gint   count;
           guchar buf[260];
@@ -791,13 +792,14 @@ LZWReadByte (FILE *fd,
 
       incode = code;
 
-      if (code >= max_code)
+      if (code == max_code)
         {
-          *sp++ = firstcode;
+          if (sp < &(stack[STACK_SIZE]))
+            *sp++ = firstcode;
           code = oldcode;
         }
 
-      while (code >= clear_code)
+      while (code >= clear_code && sp < &(stack[STACK_SIZE]))
         {
           *sp++ = table[1][code];
           if (code == table[0][code])
@@ -808,7 +810,8 @@ LZWReadByte (FILE *fd,
           code = table[0][code];
         }
 
-      *sp++ = firstcode = table[1][code];
+      if (sp < &(stack[STACK_SIZE]))
+        *sp++ = firstcode = table[1][code];
 
       if ((code = max_code) < (1 << MAX_LZW_BITS))
         {
--
cgit v0.9.0.2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...

-- 
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org

    

commit gimp for openSUSE:11.3

root＠hilbert.suse.de