From 2a74f6f7e72c0bc420316d0d7cfb72bdcaedf414 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Sun, 31 Dec 2017 13:42:58 -0500 Subject: gnu: gimp: Fix CVE-2017-{17784,17785,17786,17787,17789}. * gnu/packages/patches/gimp-CVE-2017-17784.patch, gnu/packages/patches/gimp-CVE-2017-17785.patch, gnu/packages/patches/gimp-CVE-2017-17786.patch, gnu/packages/patches/gimp-CVE-2017-17787.patch, gnu/packages/patches/gimp-CVE-2017-17789.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/gimp.scm (gimp)[source]: Use them. --- gnu/packages/gimp.scm | 5 + gnu/packages/patches/gimp-CVE-2017-17784.patch | 41 ++++++ gnu/packages/patches/gimp-CVE-2017-17785.patch | 171 +++++++++++++++++++++++++ gnu/packages/patches/gimp-CVE-2017-17786.patch | 94 ++++++++++++++ gnu/packages/patches/gimp-CVE-2017-17787.patch | 42 ++++++ gnu/packages/patches/gimp-CVE-2017-17789.patch | 48 +++++++ 6 files changed, 401 insertions(+) create mode 100644 gnu/packages/patches/gimp-CVE-2017-17784.patch create mode 100644 gnu/packages/patches/gimp-CVE-2017-17785.patch create mode 100644 gnu/packages/patches/gimp-CVE-2017-17786.patch create mode 100644 gnu/packages/patches/gimp-CVE-2017-17787.patch create mode 100644 gnu/packages/patches/gimp-CVE-2017-17789.patch (limited to 'gnu/packages') diff --git a/gnu/packages/gimp.scm b/gnu/packages/gimp.scm index b0797453fa..fc2c8ff516 100644 --- a/gnu/packages/gimp.scm +++ b/gnu/packages/gimp.scm @@ -133,6 +133,11 @@ buffers.") (uri (string-append "http://download.gimp.org/pub/gimp/v" (version-major+minor version) "/gimp-" version ".tar.bz2")) + (patches (search-patches "gimp-CVE-2017-17784.patch" + "gimp-CVE-2017-17785.patch" + "gimp-CVE-2017-17786.patch" + "gimp-CVE-2017-17787.patch" + "gimp-CVE-2017-17789.patch")) (sha256 (base32 "12k3lp938qdc9cqj29scg55f3bb8iav2fysd29w0s49bqmfa71wi")))) diff --git a/gnu/packages/patches/gimp-CVE-2017-17784.patch b/gnu/packages/patches/gimp-CVE-2017-17784.patch new file mode 100644 index 0000000000..c791772fb5 --- /dev/null +++ b/gnu/packages/patches/gimp-CVE-2017-17784.patch @@ -0,0 +1,41 @@ +Fix CVE-2017-17784: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17784 +https://bugzilla.gnome.org/show_bug.cgi?id=790784 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/gimp/commit/?id=c57f9dcf1934a9ab0cd67650f2dea18cb0902270 + +From c57f9dcf1934a9ab0cd67650f2dea18cb0902270 Mon Sep 17 00:00:00 2001 +From: Jehan +Date: Thu, 21 Dec 2017 12:25:32 +0100 +Subject: [PATCH] Bug 790784 - (CVE-2017-17784) heap overread in gbr parser / + load_image. + +We were assuming the input name was well formed, hence was +nul-terminated. As any data coming from external input, this has to be +thorougly checked. +Similar to commit 06d24a79af94837d615d0024916bb95a01bf3c59 but adapted +to older gimp-2-8 code. +--- + plug-ins/common/file-gbr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c +index b028100bef..d3f01d9c56 100644 +--- a/plug-ins/common/file-gbr.c ++++ b/plug-ins/common/file-gbr.c +@@ -443,7 +443,8 @@ load_image (const gchar *filename, + { + gchar *temp = g_new (gchar, bn_size); + +- if ((read (fd, temp, bn_size)) < bn_size) ++ if ((read (fd, temp, bn_size)) < bn_size || ++ temp[bn_size - 1] != '\0') + { + g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, + _("Error in GIMP brush file '%s'"), +-- +2.15.1 + diff --git a/gnu/packages/patches/gimp-CVE-2017-17785.patch b/gnu/packages/patches/gimp-CVE-2017-17785.patch new file mode 100644 index 0000000000..939b01f214 --- /dev/null +++ b/gnu/packages/patches/gimp-CVE-2017-17785.patch @@ -0,0 +1,171 @@ +Fix CVE-2017-17785: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17785 +https://bugzilla.gnome.org/show_bug.cgi?id=739133 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/gimp/commit/?id=1882bac996a20ab5c15c42b0c5e8f49033a1af54 + +From 1882bac996a20ab5c15c42b0c5e8f49033a1af54 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Sun, 29 Oct 2017 15:19:41 +0100 +Subject: [PATCH] Bug 739133 - (CVE-2017-17785) Heap overflow while parsing FLI + files. + +It is possible to trigger a heap overflow while parsing FLI files. The +RLE decoder is vulnerable to out of boundary writes due to lack of +boundary checks. + +The variable "framebuf" points to a memory area which was allocated +with fli_header->width * fli_header->height bytes. The RLE decoder +therefore must never write beyond that limit. + +If an illegal frame is detected, the parser won't stop, which means +that the next valid sequence is properly parsed again. This should +allow GIMP to parse FLI files as good as possible even if they are +broken by an attacker or by accident. + +While at it, I changed the variable xc to be of type size_t, because +the multiplication of width and height could overflow a 16 bit type. + +Signed-off-by: Tobias Stoeckmann +(cherry picked from commit edb251a7ef1602d20a5afcbf23f24afb163de63b) +--- + plug-ins/file-fli/fli.c | 50 ++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 35 insertions(+), 15 deletions(-) + +diff --git a/plug-ins/file-fli/fli.c b/plug-ins/file-fli/fli.c +index 313efeb977..ffb651e2af 100644 +--- a/plug-ins/file-fli/fli.c ++++ b/plug-ins/file-fli/fli.c +@@ -25,6 +25,8 @@ + + #include "config.h" + ++#include ++ + #include + #include + +@@ -461,23 +463,27 @@ void fli_read_brun(FILE *f, s_fli_header *fli_header, unsigned char *framebuf) + unsigned short yc; + unsigned char *pos; + for (yc=0; yc < fli_header->height; yc++) { +- unsigned short xc, pc, pcnt; ++ unsigned short pc, pcnt; ++ size_t n, xc; + pc=fli_read_char(f); + xc=0; + pos=framebuf+(fli_header->width * yc); ++ n=(size_t)fli_header->width * (fli_header->height-yc); + for (pcnt=pc; pcnt>0; pcnt--) { + unsigned short ps; + ps=fli_read_char(f); + if (ps & 0x80) { + unsigned short len; +- for (len=-(signed char)ps; len>0; len--) { ++ for (len=-(signed char)ps; len>0 && xcwidth * fli_header->height); + firstline = fli_read_short(f); + numline = fli_read_short(f); ++ if (numline > fli_header->height || fli_header->height-numline < firstline) ++ return; ++ + for (yc=0; yc < numline; yc++) { +- unsigned short xc, pc, pcnt; ++ unsigned short pc, pcnt; ++ size_t n, xc; + pc=fli_read_char(f); + xc=0; + pos=framebuf+(fli_header->width * (firstline+yc)); ++ n=(size_t)fli_header->width * (fli_header->height-firstline-yc); + for (pcnt=pc; pcnt>0; pcnt--) { + unsigned short ps,skip; + skip=fli_read_char(f); + ps=fli_read_char(f); +- xc+=skip; ++ xc+=MIN(n-xc,skip); + if (ps & 0x80) { + unsigned char val; ++ size_t len; + ps=-(signed char)ps; + val=fli_read_char(f); +- memset(&(pos[xc]), val, ps); +- xc+=ps; ++ len=MIN(n-xc,ps); ++ memset(&(pos[xc]), val, len); ++ xc+=len; + } else { +- fread(&(pos[xc]), ps, 1, f); +- xc+=ps; ++ size_t len; ++ len=MIN(n-xc,ps); ++ fread(&(pos[xc]), len, 1, f); ++ xc+=len; + } + } + } +@@ -689,7 +704,8 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu + yc=0; + numline = fli_read_short(f); + for (lc=0; lc < numline; lc++) { +- unsigned short xc, pc, pcnt, lpf, lpn; ++ unsigned short pc, pcnt, lpf, lpn; ++ size_t n, xc; + pc=fli_read_short(f); + lpf=0; lpn=0; + while (pc & 0x8000) { +@@ -700,26 +716,30 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu + } + pc=fli_read_short(f); + } ++ yc=MIN(yc, fli_header->height); + xc=0; + pos=framebuf+(fli_header->width * yc); ++ n=(size_t)fli_header->width * (fli_header->height-yc); + for (pcnt=pc; pcnt>0; pcnt--) { + unsigned short ps,skip; + skip=fli_read_char(f); + ps=fli_read_char(f); +- xc+=skip; ++ xc+=MIN(n-xc,skip); + if (ps & 0x80) { + unsigned char v1,v2; + ps=-(signed char)ps; + v1=fli_read_char(f); + v2=fli_read_char(f); +- while (ps>0) { ++ while (ps>0 && xc+1 +Date: Wed, 20 Dec 2017 13:02:38 +0100 +Subject: [PATCH] Bug 739134 - (CVE-2017-17786) Out of bounds read / heap + overflow in... +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +... TGA importer. + +Be more thorough on valid TGA RGB and RGBA images. +In particular current TGA plug-in can import RGBA as 32 bits (8 bits per +channel) and 16 bits (5 bits per color channel and 1 bit for alpha), and +RGB as 15 and 24 bits. +Maybe there exist more variants, but if they do exist, we simply don't +support them yet. + +Thanks to Hanno Böck for the report and a first patch attempt. + +(cherry picked from commit 674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b) +--- + plug-ins/common/file-tga.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c +index aef98702d4..426acc2925 100644 +--- a/plug-ins/common/file-tga.c ++++ b/plug-ins/common/file-tga.c +@@ -564,12 +564,16 @@ load_image (const gchar *filename, + } + break; + case TGA_TYPE_COLOR: +- if (info.bpp != 15 && info.bpp != 16 && +- info.bpp != 24 && info.bpp != 32) ++ if ((info.bpp != 15 && info.bpp != 16 && ++ info.bpp != 24 && info.bpp != 32) || ++ ((info.bpp == 15 || info.bpp == 24) && ++ info.alphaBits != 0) || ++ (info.bpp == 16 && info.alphaBits != 1) || ++ (info.bpp == 32 && info.alphaBits != 8)) + { +- g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)", ++ g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)", + gimp_filename_to_utf8 (filename), +- info.imageType, info.bpp); ++ info.imageType, info.bpp, info.alphaBits); + return -1; + } + break; +-- +2.15.1 + +From 22e2571c25425f225abdb11a566cc281fca6f366 Mon Sep 17 00:00:00 2001 +From: Jehan +Date: Wed, 20 Dec 2017 13:26:26 +0100 +Subject: [PATCH] plug-ins: TGA 16-bit RGB (without alpha bit) is also valid. + +According to some spec on the web, 16-bit RGB is also valid. In this +case, the last bit is simply ignored (at least that's how it is +implemented right now). + +(cherry picked from commit 8ea316667c8a3296bce2832b3986b58d0fdfc077) +--- + plug-ins/common/file-tga.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c +index 426acc2925..eb14a1dadc 100644 +--- a/plug-ins/common/file-tga.c ++++ b/plug-ins/common/file-tga.c +@@ -568,7 +568,8 @@ load_image (const gchar *filename, + info.bpp != 24 && info.bpp != 32) || + ((info.bpp == 15 || info.bpp == 24) && + info.alphaBits != 0) || +- (info.bpp == 16 && info.alphaBits != 1) || ++ (info.bpp == 16 && info.alphaBits != 1 && ++ info.alphaBits != 0) || + (info.bpp == 32 && info.alphaBits != 8)) + { + g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)", +-- +2.15.1 + diff --git a/gnu/packages/patches/gimp-CVE-2017-17787.patch b/gnu/packages/patches/gimp-CVE-2017-17787.patch new file mode 100644 index 0000000000..b5310d33d9 --- /dev/null +++ b/gnu/packages/patches/gimp-CVE-2017-17787.patch @@ -0,0 +1,42 @@ +Fix CVE-2017-17787: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17787 +https://bugzilla.gnome.org/show_bug.cgi?id=790853 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/gimp/commit/?id=87ba505fff85989af795f4ab6a047713f4d9381d + +From 87ba505fff85989af795f4ab6a047713f4d9381d Mon Sep 17 00:00:00 2001 +From: Jehan +Date: Thu, 21 Dec 2017 12:49:41 +0100 +Subject: [PATCH] Bug 790853 - (CVE-2017-17787) heap overread in psp importer. + +As any external data, we have to check that strings being read at fixed +length are properly nul-terminated. + +(cherry picked from commit eb2980683e6472aff35a3117587c4f814515c74d) +--- + plug-ins/common/file-psp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c +index 4cbafe37b1..e350e4d88d 100644 +--- a/plug-ins/common/file-psp.c ++++ b/plug-ins/common/file-psp.c +@@ -890,6 +890,12 @@ read_creator_block (FILE *f, + g_free (string); + return -1; + } ++ if (string[length - 1] != '\0') ++ { ++ g_message ("Creator keyword data not nul-terminated"); ++ g_free (string); ++ return -1; ++ } + switch (keyword) + { + case PSP_CRTR_FLD_TITLE: +-- +2.15.1 + diff --git a/gnu/packages/patches/gimp-CVE-2017-17789.patch b/gnu/packages/patches/gimp-CVE-2017-17789.patch new file mode 100644 index 0000000000..6dfa435fd0 --- /dev/null +++ b/gnu/packages/patches/gimp-CVE-2017-17789.patch @@ -0,0 +1,48 @@ +Fix CVE-2017-17789: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17789 +https://bugzilla.gnome.org/show_bug.cgi?id=790849 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/gimp/commit/?id=01898f10f87a094665a7fdcf7153990f4e511d3f + +From 01898f10f87a094665a7fdcf7153990f4e511d3f Mon Sep 17 00:00:00 2001 +From: Jehan +Date: Wed, 20 Dec 2017 16:44:20 +0100 +Subject: [PATCH] Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer + overflow... + +... in PSP importer. +Check if declared block length is valid (i.e. within the actual file) +before going further. +Consider the file as broken otherwise and fail loading it. + +(cherry picked from commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8) +--- + plug-ins/common/file-psp.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c +index ac0fff78f0..4cbafe37b1 100644 +--- a/plug-ins/common/file-psp.c ++++ b/plug-ins/common/file-psp.c +@@ -1771,6 +1771,15 @@ load_image (const gchar *filename, + { + block_start = ftell (f); + ++ if (block_start + block_total_len > st.st_size) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("Could not open '%s' for reading: %s"), ++ gimp_filename_to_utf8 (filename), ++ _("invalid block size")); ++ goto error; ++ } ++ + if (id == PSP_IMAGE_BLOCK) + { + if (block_number != 0) +-- +2.15.1 + -- cgit v1.2.3