summaryrefslogtreecommitdiff
path: root/gnu/packages/patches/gimp-CVE-2017-17784.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/gimp-CVE-2017-17784.patch')
-rw-r--r--gnu/packages/patches/gimp-CVE-2017-17784.patch41
1 files changed, 41 insertions, 0 deletions
diff --git a/gnu/packages/patches/gimp-CVE-2017-17784.patch b/gnu/packages/patches/gimp-CVE-2017-17784.patch
new file mode 100644
index 0000000000..c791772fb5
--- /dev/null
+++ b/gnu/packages/patches/gimp-CVE-2017-17784.patch
@@ -0,0 +1,41 @@
+Fix CVE-2017-17784:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17784
+https://bugzilla.gnome.org/show_bug.cgi?id=790784
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/gimp/commit/?id=c57f9dcf1934a9ab0cd67650f2dea18cb0902270
+
+From c57f9dcf1934a9ab0cd67650f2dea18cb0902270 Mon Sep 17 00:00:00 2001
+From: Jehan <jehan@girinstud.io>
+Date: Thu, 21 Dec 2017 12:25:32 +0100
+Subject: [PATCH] Bug 790784 - (CVE-2017-17784) heap overread in gbr parser /
+ load_image.
+
+We were assuming the input name was well formed, hence was
+nul-terminated. As any data coming from external input, this has to be
+thorougly checked.
+Similar to commit 06d24a79af94837d615d0024916bb95a01bf3c59 but adapted
+to older gimp-2-8 code.
+---
+ plug-ins/common/file-gbr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
+index b028100bef..d3f01d9c56 100644
+--- a/plug-ins/common/file-gbr.c
++++ b/plug-ins/common/file-gbr.c
+@@ -443,7 +443,8 @@ load_image (const gchar *filename,
+ {
+ gchar *temp = g_new (gchar, bn_size);
+
+- if ((read (fd, temp, bn_size)) < bn_size)
++ if ((read (fd, temp, bn_size)) < bn_size ||
++ temp[bn_size - 1] != '\0')
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("Error in GIMP brush file '%s'"),
+--
+2.15.1
+