[gdk-pixbuf2/f15] Fix CVE-2011-2485
Matthias Clasen
mclasen at fedoraproject.org
Fri Jun 24 05:29:35 UTC 2011
commit 8345ac0b342bd2314f1a5cf83bf180c8eb351378
Author: Matthias Clasen <mclasen at redhat.com>
Date: Fri Jun 24 01:15:41 2011 -0400
Fix CVE-2011-2485
...eturn-a-partially-initialized-pixbuf-stru.patch | 60 ++++++++++++++++++++
gdk-pixbuf2.spec | 9 +++-
2 files changed, 68 insertions(+), 1 deletions(-)
---
diff --git a/0001-GIF-Don-t-return-a-partially-initialized-pixbuf-stru.patch b/0001-GIF-Don-t-return-a-partially-initialized-pixbuf-stru.patch
new file mode 100644
index 0000000..7bcd93b
--- /dev/null
+++ b/0001-GIF-Don-t-return-a-partially-initialized-pixbuf-stru.patch
@@ -0,0 +1,60 @@
+From f8569bb13e2aa1584dde61ca545144750f7a7c98 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen at redhat.com>
+Date: Fri, 24 Jun 2011 01:09:35 -0400
+Subject: [PATCH] GIF: Don't return a partially initialized pixbuf structure
+
+It was found that gdk-pixbuf GIF image loader gdk_pixbuf__gif_image_load()
+routine did not properly handle certain return values from their subroutines.
+A remote attacker could provide a specially-crafted GIF image, which once
+opened in an application, linked against gdk-pixbuf would lead to gdk-pixbuf
+to return partially initialized pixbuf structure, possibly having huge
+width and height, leading to that particular application termination due
+excessive memory use.
+
+The CVE identifier of CVE-2011-2485 has been assigned to this issue.
+---
+ gdk-pixbuf/io-gif.c | 9 ++++++++-
+ 1 files changed, 8 insertions(+), 1 deletions(-)
+
+diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
+index 0b370ee..8a1fa3e 100644
+--- a/gdk-pixbuf/io-gif.c
++++ b/gdk-pixbuf/io-gif.c
+@@ -1455,6 +1455,7 @@ gdk_pixbuf__gif_image_load (FILE *file, GError **error)
+ {
+ GifContext *context;
+ GdkPixbuf *pixbuf;
++ gint retval;
+
+ g_return_val_if_fail (file != NULL, NULL);
+
+@@ -1472,19 +1473,25 @@ gdk_pixbuf__gif_image_load (FILE *file, GError **error)
+ context->error = error;
+ context->stop_after_first_frame = TRUE;
+
+- if (gif_main_loop (context) == -1 || context->animation->frames == NULL) {
++ retval = gif_main_loop (context);
++ if (retval == -1 || context->animation->frames == NULL) {
+ if (context->error && *(context->error) == NULL)
+ g_set_error_literal (context->error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("GIF file was missing some data (perhaps it was truncated somehow?)"));
+ }
++ else if (retval == -2) {
++ pixbuf = NULL;
++ goto out;
++ }
+
+ pixbuf = gdk_pixbuf_animation_get_static_image (GDK_PIXBUF_ANIMATION (context->animation));
+
+ if (pixbuf)
+ g_object_ref (pixbuf);
+
++out:
+ g_object_unref (context->animation);
+
+ g_free (context->buf);
+--
+1.7.5.4
+
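Review bot: The new `else if (retval == -2)` branch is only reached when the preceding `retval == -1 || context->animation->frames == NULL` test is false, so a `-2` return that leaves `frames == NULL` (if gif_main_loop can produce that combination; not visible here) takes the error branch and still falls through to `gdk_pixbuf_animation_get_static_image`, which is the path this patch is meant to cut off. Testing `retval == -2` before the `-1`/no-frames check closes that gap. On the `-2` path the function also returns NULL without ensuring `*error` is set; unless gif_main_loop is known to set it on that return, a caller following the GError convention gets a NULL pixbuf and no error, so the same `if (context->error && *(context->error) == NULL)` guard and `g_set_error_literal` used in the `-1` branch belong there as well. gdk_pixbuf__gif_image_load begins before the first hunk and its cleanup continues past `g_free (context->buf);` outside the second.
```c
        retval = gif_main_loop (context);
        /* -2: the loader gave up early; do not hand back whatever the
         * animation currently holds, and make sure the caller sees why. */
        if (retval == -2) {
                if (context->error && *(context->error) == NULL)
                        g_set_error_literal (context->error,
                                             GDK_PIXBUF_ERROR,
                                             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
                                             _("GIF file was missing some data (perhaps it was truncated somehow?)"));
                pixbuf = NULL;
                goto out;
        }
        if (retval == -1 || context->animation->frames == NULL) {
                /* … unchanged: existing corrupt-image error … */
        }
        /* … unchanged: get_static_image, ref, out: label and cleanup … */
```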
diff --git a/gdk-pixbuf2.spec b/gdk-pixbuf2.spec
index 9c41cce..b6dee66 100644
--- a/gdk-pixbuf2.spec
+++ b/gdk-pixbuf2.spec
@@ -1,6 +1,6 @@
Name: gdk-pixbuf2
Version: 2.23.3
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: An image loading library
Group: System Environment/Libraries
@@ -9,6 +9,8 @@ URL: http://www.gt.org
#VCS: git:git://git.gnome.org/gdk-pixbuf
Source0: http://download.gnome.org/sources/gdk-pixbuf/2.23/gdk-pixbuf-%{version}.tar.bz2
+Patch0: 0001-GIF-Don-t-return-a-partially-initialized-pixbuf-stru.patch
+
BuildRequires: glib2-devel
BuildRequires: libpng-devel
BuildRequires: libjpeg-devel
@@ -50,6 +52,7 @@ for writing applications that are using gdk-pixbuf.
%prep
%setup -q -n gdk-pixbuf-%{version}
+%patch0 -p1 -b .gif-crash
%build
(if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi;
@@ -113,6 +116,10 @@ fi
%changelog
+* Fri Jun 24 2011 Matthias Clasen <mclasen at redhat.com> 2.23.3-2
+- Don't return a partially initialized pixbuf structure
+ from the GIF loader (CVE-2011-2485)
+
* Wed Mar 30 2011 Matthias Clasen <mclasen at redhat.com> 2.23.3-1
- Update to 2.23.3