[gimp] harden PSP plugin against bogus input data
Nils Philippsen
nphilipp at fedoraproject.org
Mon May 23 14:01:14 UTC 2011
commit 4af8fc1a3c9a3488254acca77237860d55420c2f
Author: Nils Philippsen <nils at redhat.com>
Date: Mon May 23 15:57:56 2011 +0200
harden PSP plugin against bogus input data
(CVE-2010-4543, CVE-2011-1782)
gimp-2.6.11-psp-overflow.patch | 45 ++++++++++++++++++++++++++++++++++++++++
gimp.spec | 7 ++++++
2 files changed, 52 insertions(+), 0 deletions(-)
---
diff --git a/gimp-2.6.11-psp-overflow.patch b/gimp-2.6.11-psp-overflow.patch
new file mode 100644
index 0000000..8ced9d0
--- /dev/null
+++ b/gimp-2.6.11-psp-overflow.patch
@@ -0,0 +1,45 @@
+From 282feeae8df77bae287284f74e9f9c54d21e6d8d Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils at redhat.com>
+Date: Mon, 23 May 2011 15:52:48 +0200
+Subject: [PATCH] patch: psp-overflow
+
+Squashed commit of the following:
+
+commit c5b7e71d89c60a329d4db05f8ddb4610eab013d6
+Author: Nils Philippsen <nils at redhat.com>
+Date: Fri May 13 17:08:02 2011 +0200
+
+ file-psp: fix overflow protection (CVE-2011-1782)
+
+ amends commit 48ec15890e1751dede061f6d1f469b6508c13439, related to
+ CVE-2010-4543
+ (cherry picked from commit f657361db04de69ce003328724c59e3f942d7d15)
+
+commit ab592eb5015f81defdd1e74cd5bcc7edfcd7ebf7
+Author: Simon Budig <simon at budig.de>
+Date: Mon Feb 14 21:46:31 2011 +0100
+
+ file-psp: fix for bogus input data. Fixes bug #639203
+ (cherry picked from commit 48ec15890e1751dede061f6d1f469b6508c13439)
+---
+ plug-ins/common/file-psp.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index db12770..4931c87 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -1244,6 +1244,10 @@ read_channel_data (FILE *f,
+ }
+ else
+ fread (buf, runcount, 1, f);
++
++ /* prevent buffer overflow for bogus data */
++ runcount = MIN (runcount, (endq - q) / bytespp);
++
+ if (bytespp == 1)
+ {
+ memmove (q, buf, runcount);
+--
+1.7.5.1
+
diff --git a/gimp.spec b/gimp.spec
index 64cc924..7c972bf 100644
--- a/gimp.spec
+++ b/gimp.spec
@@ -147,6 +147,9 @@ Patch5: gimp-2.6.11-colorxhtml.patch
Patch6: gimp-2.6.11-pyslice.patch
# backport: work with poppler-0.17, upstreamed
Patch7: gimp-2.6.11-poppler-0.17.patch
+# backport: CVE-2010-4543, CVE-2011-1782
+# harden PSP plugin against bogus input data
+Patch8: gimp-2.6.11-psp-overflow.patch
# files changed by autoreconf after applying the above
Patch10: gimp-2.6.11-11-autoreconf.patch.bz2
@@ -236,6 +239,7 @@ EOF
%patch5 -p1 -b .colorxhtml
%patch6 -p1 -b .pyslice
%patch7 -p1 -b .poppler-0.17
+%patch8 -p1 -b .psp-overflow
%patch10 -p1 -b .autoreconf
@@ -503,6 +507,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%{_libdir}/gimp/%{interfacever}/plug-ins/help-browser
%changelog
+* Mon May 23 2011 Nils Philippsen <nils at redhat.com> - 2:2.6.11-13
+- harden PSP plugin against bogus input data (CVE-2010-4543, CVE-2011-1782)
+
* Sat May 07 2011 Christopher Aillon <caillon at redhat.com> - 2:2.6.11-12
- Update desktop database, icon cache scriptlets
More information about the scm-commits
mailing list