Bug#731305: gimp: CVE-2013-1913 CVE-2013-1978

2014-03-01 Thread Hideki Yamane
On Fri, 28 Feb 2014 20:57:22 -0500
Ari Pollak a...@debian.org wrote:
> Thanks, looks good to me.

 Okay, next is the patch for CVE-2013-1913/CVE-2013-1978.
 I'll push it to the git repo for now, so if something is wrong with it, please revert.

-- 
Regards,

 Hideki Yamane henrich @ debian.or.jp/org
 http://wiki.debian.org/HidekiYamane
Description: fix CVE-2013-1913 and CVE-2013-1978
  Fixes xwd security vulnerabilities CVE-2013-1913 and CVE-2013-1978.
  The CVE-2013-1978 fix is based on the code already patched for CVE-2013-1913, so the two are merged here.

Origin: upstream, https://git.gnome.org/browse/gimp/commit/?id=32ae0f83e5748299641cceaabe3f80f1b3afd03e
upstream, https://git.gnome.org/browse/gimp/commit/?id=23f685931e5f000dd033a45c60c1e60d7f78caf4
Bug-Debian: http://bugs.debian.org/731305
Last-Update: 2014-03-01

Index: gimp/plug-ins/common/file-xwd.c
===
--- gimp.orig/plug-ins/common/file-xwd.c	2014-03-01 22:29:00.825683080 +0900
+++ gimp/plug-ins/common/file-xwd.c	2014-03-01 22:29:10.121693974 +0900
@@ -424,9 +424,9 @@
 load_image (const gchar  *filename,
 GError  **error)
 {
-  FILE*ifp;
+  FILE*ifp = NULL;
   gint depth, bpp;
-  gint32   image_ID;
+  gint32   image_ID = -1;
   L_XWDFILEHEADER  xwdhdr;
   L_XWDCOLOR  *xwdcolmap = NULL;
 
@@ -436,7 +436,7 @@
   g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
_(Could not open '%s' for reading: %s),
gimp_filename_to_utf8 (filename), g_strerror (errno));
-  return -1;
+  goto out;
 }
 
   read_xwd_header (ifp, xwdhdr);
@@ -445,8 +445,7 @@
   g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
_(Could not read XWD header from '%s'),
gimp_filename_to_utf8 (filename));
-  fclose (ifp);
-  return -1;
+  goto out;
 }
 
 #ifdef XWD_COL_WAIT_DEBUG
@@ -461,8 +460,25 @@
   /* Position to start of XWDColor structures */
   fseek (ifp, (long)xwdhdr.l_header_size, SEEK_SET);
 
+  /* Guard against insanely huge color maps -- gimp_image_set_colormap() only
+   * accepts colormaps with 0..256 colors anyway. */
+  if (xwdhdr.l_colormap_entries  256)
+{
+  g_message (_('%s':\nIllegal number of colormap entries: %ld),
+ gimp_filename_to_utf8 (filename),
+ (long)xwdhdr.l_colormap_entries);
+  goto out;
+}
+
   if (xwdhdr.l_colormap_entries  0)
 {
+  if (xwdhdr.l_colormap_entries  xwdhdr.l_ncolors)
+{
+  g_message (_('%s':\nNumber of colormap entries  number of colors),
+ gimp_filename_to_utf8 (filename));
+  goto out;
+}
+
   xwdcolmap = g_new (L_XWDCOLOR, xwdhdr.l_colormap_entries);
 
   read_xwd_cols (ifp, xwdhdr, xwdcolmap);
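Review bot: The `fseek` to the file-supplied `l_header_size` just above the new guard still ignores its return value, so a failed seek would leave the stream where it was and the colormap would be read from the wrong offset; with the new cleanup label this can become `if (fseek (ifp, (long) xwdhdr.l_header_size, SEEK_SET) != 0) goto out;`, ideally after a `g_set_error` call. Both new rejection paths (the 256-entry bound and the entries-versus-`l_ncolors` test) report only through `g_message` before `goto out`, and the `out:` label added in the last hunk sits after the fallback `g_set_error`, so these paths return -1 with `*error` unset; whether the caller copes with that is not visible here. The comparison operators in the three `l_colormap_entries` tests are missing from this copy of the patch (the archive appears to have stripped `<`, `>`, `&` and double quotes), so the direction of each test should be taken from the upstream commits named in the Origin header, not from this text. `load_image` starts and ends outside this hunk.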
@@ -482,9 +498,7 @@
   if (xwdhdr.l_file_version != 7)
 {
   g_message (_(Can't read color entries));
-  g_free (xwdcolmap);
-  fclose (ifp);
-  return (-1);
+  goto out;
 }
 }
 
@@ -492,9 +506,7 @@
 {
   g_message (_('%s':\nNo image width specified),
  gimp_filename_to_utf8 (filename));
-  g_free (xwdcolmap);
-  fclose (ifp);
-  return (-1);
+  goto out;
 }
 
   if (xwdhdr.l_pixmap_width  GIMP_MAX_IMAGE_SIZE
@@ -502,27 +514,21 @@
 {
   g_message (_('%s':\nImage width is larger than GIMP can handle),
  gimp_filename_to_utf8 (filename));
-  g_free (xwdcolmap);
-  fclose (ifp);
-  return (-1);
+  goto out;
 }
 
   if (xwdhdr.l_pixmap_height = 0)
 {
   g_message (_('%s':\nNo image height specified),
  gimp_filename_to_utf8 (filename));
-  g_free (xwdcolmap);
-  fclose (ifp);
-  return (-1);
+  goto out;
 }
 
   if (xwdhdr.l_pixmap_height  GIMP_MAX_IMAGE_SIZE)
 {
   g_message (_('%s':\nImage height is larger than GIMP can handle),
  gimp_filename_to_utf8 (filename));
-  g_free (xwdcolmap);
-  fclose (ifp);
-  return (-1);
+  goto out;
 }
 
   gimp_progress_init_printf (_(Opening '%s'),
@@ -571,11 +577,6 @@
 }
   gimp_progress_update (1.0);
 
-  fclose (ifp);
-
-  if (xwdcolmap)
-g_free (xwdcolmap);
-
   if (image_ID == -1  ! (error  *error))
 g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
  _(XWD-file %s has format %d, depth %d and bits per pixel %d. 
@@ -583,6 +584,17 @@
  gimp_filename_to_utf8 (filename),
  (gint) xwdhdr.l_pixmap_format, depth, bpp);
 
+out:
+  if (ifp)
+{
+  fclose (ifp);
+}
+
+  if (xwdcolmap)
+{
+  g_free (xwdcolmap);
+}
+
   return image_ID;
 }
 


Bug#731305: gimp: CVE-2013-1913 CVE-2013-1978

2014-02-28 Thread Hideki Yamane
Hi,

On Fri, 17 Jan 2014 10:25:33 -0500
Ari Pollak a...@debian.org wrote:
> I was hoping upstream would release a new stable version, since it would
> also fix a FTBFS. That still hasn't happened, so I might just end up
> releasing a git snapshot.

 The attached tiny patch fixes the FTBFS; I can build it with git-buildpackage.
 Ari, could you check it, please?


-- 
Regards,

 Hideki Yamane henrich @ debian.or.jp/org
 http://wiki.debian.org/HidekiYamane
diff --git a/debian/changelog b/debian/changelog
index f9b0128..facae30 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,10 @@ gimp (2.8.10-1) UNRELEASED; urgency=high
   (Closes: #731305)
   * Build-depend on libtiff-dev instead of libtiff4-dev (Closes: #736006)
 
+  [ Hideki Yamane ]
+  * debian/patches
+- add adjust_freetype_header.patch to fix FTBFS
+
  -- Ari Pollak a...@debian.org  Wed, 04 Dec 2013 20:46:57 -0500
 
 gimp (2.8.6-1) unstable; urgency=low
diff --git a/debian/patches/adjust_freetype_header.patch b/debian/patches/adjust_freetype_header.patch
new file mode 100644
index 000..76feb49
--- /dev/null
+++ b/debian/patches/adjust_freetype_header.patch
@@ -0,0 +1,16 @@
+Description: adjust freetype header location
+
+Forwarded: no
+Last-Update: 2014-02-28
+
+--- gimp-2.8.10.orig/app/text/gimpfont.c
 gimp-2.8.10/app/text/gimpfont.c
+@@ -27,7 +27,7 @@
+ 
+ #define PANGO_ENABLE_ENGINE  1   /* Argh */
+ #include pango/pango-ot.h
+-#include freetype/tttables.h
++#include freetype2/tttables.h
+ 
+ #include text-types.h
+ 
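Review bot: The replacement include `freetype2/tttables.h` hard-codes one installed header layout, so the build depends on which FreeType directory structure happens to be present. FreeType's documented way to pull in its headers is through the macros from `ft2build.h`, i.e. `#include <ft2build.h>` followed by `#include FT_TRUETYPE_TABLES_H`, which resolves under either layout. The header says `Forwarded: no`; the change does not look Debian-specific, so it would be worth forwarding it or checking whether upstream already carries a fix that can be cherry-picked instead. The angle brackets of the include lines are missing in this copy, so their exact spelling is inferred.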
diff --git a/debian/patches/series b/debian/patches/series
index 65e0b16..457b29d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 01_hurd_ftbfs.patch
+adjust_freetype_header.patch


Bug#731305: gimp: CVE-2013-1913 CVE-2013-1978

2014-02-28 Thread Ari Pollak
Thanks, looks good to me.
On Feb 28, 2014 6:15 AM, Hideki Yamane henr...@debian.or.jp wrote:

 Hi,

 On Fri, 17 Jan 2014 10:25:33 -0500
 Ari Pollak a...@debian.org wrote:
  I was hoping upstream would release a new stable version, since it would
  also fix a FTBFS. That still hasn't happened, so I might just end up
  releasing a git snapshot.

  Attached tiny patch fixes FTBFS, I can built it with git-buildpackage.
  Ari, could you check it, please?


 --
 Regards,

  Hideki Yamane henrich @ debian.or.jp/org
  http://wiki.debian.org/HidekiYamane



Bug#731305: gimp: CVE-2013-1913 CVE-2013-1978

2014-01-17 Thread Moritz Muehlenhoff
On Wed, Dec 04, 2013 at 08:48:59PM -0500, Ari Pollak wrote:
> Just a note, I plan on updating unstable but not stable gimp.

We took care of oldstable/stable, but what's the status of unstable?

Cheers,
Moritz





Bug#731305: gimp: CVE-2013-1913 CVE-2013-1978

2014-01-17 Thread Ari Pollak
I was hoping upstream would release a new stable version, since it would
also fix a FTBFS. That still hasn't happened, so I might just end up
releasing a git snapshot.


On Fri, Jan 17, 2014 at 10:10 AM, Moritz Muehlenhoff j...@inutil.org wrote:

 On Wed, Dec 04, 2013 at 08:48:59PM -0500, Ari Pollak wrote:
  Just a note, I plan on updating unstable but not stable gimp.

 We took care of oldstable/stable, but what's the status of unstable?

 Cheers,
 Moritz



Bug#731305: gimp: CVE-2013-1913 CVE-2013-1978

2013-12-04 Thread Ari Pollak
Just a note, I plan on updating unstable but not stable gimp.





Bug#731305: gimp: CVE-2013-1913 CVE-2013-1978

2013-12-03 Thread Salvatore Bonaccorso
Package: gimp
Severity: grave
Tags: security upstream

Hi,

the following vulnerabilities were published for gimp. Note I have set
the severity to grave as it potentially allows code execution.

CVE-2013-1913[0]:
xwd plugin g_new() integer overflow

CVE-2013-1978[1]:
XWD plugin color map heap-based buffer overflow

See the RedHat bugtracker referenced from security-tracker for patches
and background for the issues discovered by Murray McAllister.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-1913
[1] http://security-tracker.debian.org/tracker/CVE-2013-1978

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

