Package: gimp Version: 2.6.11-1 Severity: normal Tags: patch User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu natty ubuntu-patch
*** /tmp/tmpJCXJq8 In Ubuntu, the attached patch was applied to achieve the following: * SECURITY UPDATE: denial of service and possible code execution via malformed plugin configuration files - debian/patches/05_CVE-2010-454x.patch: fix format strings in plug-ins/{common/sphere-designer,gfig/gfig-style, lighting/lighting-ui}.c. - CVE-2010-4540 - CVE-2010-4541 - CVE-2010-4542 * SECURITY UPDATE: denial of service and possible code execution via malformed PSP image file - debian/patches/06_CVE-2010-4543.patch: fix buffer overflow in plug-ins/common/file-psp.c. - CVE-2010-4543 Thanks for considering the patch. -- System Information: Debian Release: squeeze/sid APT prefers natty-updates APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty') Architecture: amd64 (x86_64) Kernel: Linux 2.6.38-8-generic (SMP w/4 CPU cores) Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru gimp-2.6.11/debian/changelog gimp-2.6.11/debian/changelog
diff -Nru gimp-2.6.11/debian/patches/05_CVE-2010-454x.patch gimp-2.6.11/debian/patches/05_CVE-2010-454x.patch
--- gimp-2.6.11/debian/patches/05_CVE-2010-454x.patch 1969-12-31 19:00:00.000000000 -0500
+++ gimp-2.6.11/debian/patches/05_CVE-2010-454x.patch 2011-04-07 10:59:56.000000000 -0400
@@ -0,0 +1,127 @@
+Description: fix denial of service and possible code execution via
+ malformed plugin configuration files
+Origin: upstream, http://git.gnome.org/browse/gimp/commit/?id=7fb0300e1cfdb98a3bde54dbc73a0f3eda375162
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608497
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=639203
+
+Index: gimp-2.6.11/plug-ins/common/sphere-designer.c
+===================================================================
+--- gimp-2.6.11.orig/plug-ins/common/sphere-designer.c 2011-04-07 10:39:20.396192480 -0400
++++ gimp-2.6.11/plug-ins/common/sphere-designer.c 2011-04-07 10:40:07.156192468 -0400
+@@ -1992,6 +1992,7 @@
+ gchar endbuf[21 * (G_ASCII_DTOSTR_BUF_SIZE + 1)];
+ gchar *end = endbuf;
+ gchar line[1024];
++ gchar fmt_str[16];
+ gint i;
+ texture *t;
+ gint majtype, type;
+@@ -2016,6 +2017,8 @@
+
+ s.com.numtexture = 0;
+
++ snprintf (fmt_str, sizeof (fmt_str), "%%d %%d %%%lds", sizeof (endbuf) - 1);
++
+ while (!feof (f))
+ {
+
+@@ -2026,7 +2029,7 @@
+ t = &s.com.texture[i];
+ setdefaults (t);
+
+- if (sscanf (line, "%d %d %s", &t->majtype, &t->type, end) != 3)
++ if (sscanf (line, fmt_str, &t->majtype, &t->type, end) != 3)
+ t->color1.x = g_ascii_strtod (end, &end);
+ if (end && errno != ERANGE)
+ t->color1.y = g_ascii_strtod (end, &end);
+Index: gimp-2.6.11/plug-ins/gfig/gfig-style.c
+===================================================================
+--- gimp-2.6.11.orig/plug-ins/gfig/gfig-style.c 2011-04-07 10:39:35.966192476 -0400
++++ gimp-2.6.11/plug-ins/gfig/gfig-style.c 2011-04-07 10:40:07.156192468 -0400
+@@ -165,6 +165,7 @@
+ gchar *ptr;
+ gchar *tmpstr;
+ gchar *endptr;
++ gchar fmt_str[32];
+ gchar colorstr_r[G_ASCII_DTOSTR_BUF_SIZE];
+ gchar colorstr_g[G_ASCII_DTOSTR_BUF_SIZE];
+ gchar colorstr_b[G_ASCII_DTOSTR_BUF_SIZE];
+@@ -172,6 +173,10 @@
+
+ style_entry->r = style_entry->g = style_entry->b = style_entry->a = 0.;
+
++ snprintf (fmt_str, sizeof (fmt_str), "%%%lds %%%lds %%%lds %%%lds",
++ sizeof (colorstr_r) - 1, sizeof (colorstr_g) - 1,
++ sizeof (colorstr_b) - 1, sizeof (colorstr_a) - 1);
++
+ while (n < nitems)
+ {
+ ptr = strchr (text[n], ':');
+@@ -181,7 +186,8 @@
+ ptr++;
+ if (!strcmp (tmpstr, name))
+ {
+- sscanf (ptr, "%s %s %s %s", colorstr_r, colorstr_g, colorstr_b, colorstr_a);
++ sscanf (ptr, fmt_str,
++ colorstr_r, colorstr_g, colorstr_b, colorstr_a);
+ style_entry->r = g_ascii_strtod (colorstr_r, &endptr);
+ style_entry->g = g_ascii_strtod (colorstr_g, &endptr);
+ style_entry->b = g_ascii_strtod (colorstr_b, &endptr);
+Index: gimp-2.6.11/plug-ins/lighting/lighting-ui.c
+===================================================================
+--- gimp-2.6.11.orig/plug-ins/lighting/lighting-ui.c 2011-04-07 10:39:44.816192474 -0400
++++ gimp-2.6.11/plug-ins/lighting/lighting-ui.c 2011-04-07 10:40:07.156192468 -0400
+@@ -1342,6 +1342,7 @@
+ gchar buffer3[G_ASCII_DTOSTR_BUF_SIZE];
+ gchar type_label[21];
+ gchar *endptr;
++ gchar fmt_str[32];
+
+ if (response_id == GTK_RESPONSE_OK)
+ {
+@@ -1381,23 +1382,41 @@
+ return;
+ }
+
+- fscanf (fp, " Position: %s %s %s", buffer1, buffer2, buffer3);
++ snprintf (fmt_str, sizeof (fmt_str),
++ " Position: %%%lds %%%lds %%%lds",
++ sizeof (buffer1) - 1,
++ sizeof (buffer2) - 1,
++ sizeof (buffer3) - 1);
++ fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
+ source->position.x = g_ascii_strtod (buffer1, &endptr);
+ source->position.y = g_ascii_strtod (buffer2, &endptr);
+ source->position.z = g_ascii_strtod (buffer3, &endptr);
+
+- fscanf (fp, " Direction: %s %s %s", buffer1, buffer2, buffer3);
++ snprintf (fmt_str, sizeof (fmt_str),
++ " Direction: %%%lds %%%lds %%%lds",
++ sizeof (buffer1) - 1,
++ sizeof (buffer2) - 1,
++ sizeof (buffer3) - 1);
++ fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
+ source->direction.x = g_ascii_strtod (buffer1, &endptr);
+ source->direction.y = g_ascii_strtod (buffer2, &endptr);
+ source->direction.z = g_ascii_strtod (buffer3, &endptr);
+
+- fscanf (fp, " Color: %s %s
%s", buffer1, buffer2, buffer3);
++ snprintf (fmt_str, sizeof (fmt_str),
++ " Color: %%%lds %%%lds %%%lds",
++ sizeof (buffer1) - 1,
++ sizeof (buffer2) - 1,
++ sizeof (buffer3) - 1);
++ fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
+ source->color.r = g_ascii_strtod (buffer1, &endptr);
+ source->color.g = g_ascii_strtod (buffer2, &endptr);
+ source->color.b = g_ascii_strtod (buffer3, &endptr);
+ source->color.a = 1.0;
+
+- fscanf (fp, " Intensity: %s", buffer1);
++ snprintf (fmt_str, sizeof (fmt_str),
++ " Intensity: %%%lds",
++ sizeof (buffer1) - 1);
++ fscanf (fp, fmt_str, buffer1);
+ source->intensity = g_ascii_strtod (buffer1, &endptr);
+
+ }
diff -Nru gimp-2.6.11/debian/patches/06_CVE-2010-4543.patch gimp-2.6.11/debian/patches/06_CVE-2010-4543.patch
--- gimp-2.6.11/debian/patches/06_CVE-2010-4543.patch 1969-12-31 19:00:00.000000000 -0500
+++ gimp-2.6.11/debian/patches/06_CVE-2010-4543.patch 2011-04-07 11:00:39.000000000 -0400
@@ -0,0 +1,21 @@
+Description: fix denial of service and possible code execution via
+ malformed PSP image file
+Origin: upstream, http://git.gnome.org/browse/gimp/commit/?id=48ec15890e1751dede061f6d1f469b6508c13439
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608497
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=639203
+
+Index: gimp-2.6.11/plug-ins/common/file-psp.c
+===================================================================
+--- gimp-2.6.11.orig/plug-ins/common/file-psp.c 2011-04-07 10:55:48.556192230 -0400
++++ gimp-2.6.11/plug-ins/common/file-psp.c 2011-04-07 10:55:58.576192227 -0400
+@@ -1244,6 +1244,10 @@
+ }
+ else
+ fread (buf, runcount, 1, f);
++
++ /* prevent buffer overflow for bogus data */
++ runcount = MIN (runcount, endq - q);
++
+ if (bytespp == 1)
+ {
+ memmove (q, buf, runcount);
diff -Nru gimp-2.6.11/debian/patches/series gimp-2.6.11/debian/patches/series
--- gimp-2.6.11/debian/patches/series 2011-01-27 04:04:05.000000000 -0500
+++ gimp-2.6.11/debian/patches/series 2011-04-07 10:55:35.000000000 -0400
@@ -2,3 +2,5 @@
 02_help-message.patch
 03_gimp.desktop.in.in.patch
 04_gold_linker.patch
+05_CVE-2010-454x.patch
+06_CVE-2010-4543.patch
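Review bot: The return values of the new `sscanf (ptr, fmt_str, colorstr_r, colorstr_g, colorstr_b, colorstr_a)` call in gfig-style.c and of the four new `fscanf (fp, fmt_str, ...)` calls in lighting-ui.c are still discarded, so a line with fewer fields than expected leaves the trailing `colorstr_*`/`buffer*` arrays holding stale contents (no initializer for them is visible in the hunks) and `g_ascii_strtod` then parses that stale memory; the width limits stop the overflow but not this. Checking the conversion count, e.g. `if (sscanf (ptr, fmt_str, colorstr_r, colorstr_g, colorstr_b, colorstr_a) != 4)` and skipping the `g_ascii_strtod` calls (`!= 3` for the Position/Direction/Color reads, `!= 1` for Intensity), would close that gap. Separately, the width arguments `sizeof (...) - 1` are `size_t` but the generated formats use `%ld`, which expects `long`; the two differ on LLP64 targets such as 64-bit Windows, so `%zu` or an explicit `(long)` cast keeps the `snprintf` calls in all three files well-defined everywhere. The `snprintf` results are also not compared against `sizeof (fmt_str)`; the literal widths fit today (`fmt_str[16]` in sphere-designer.c holds `%d %d %839s` with room to spare), but a truncated format would silently drop the width again, so a check on the return value is cheap insurance. The enclosing functions all start and end outside these hunks.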
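Review bot: The clamp `runcount = MIN (runcount, endq - q);` bounds the write into `q`, but it sits after `fread (buf, runcount, 1, f)`, which still reads the unclamped `runcount` bytes into `buf`; whether that read is safe depends on `buf` being sized for the largest value `runcount` can take, and its declaration is outside the hunk, so that bound is worth confirming. The `fread` result is also unchecked, so a truncated file leaves part of `buf` stale and the following `memmove (q, buf, runcount)` copies it into the image regardless; treating `fread (buf, runcount, 1, f) != 1` as end-of-data and stopping the decode would make that explicit. `endq - q` is a `ptrdiff_t`, so `MIN` performs a signed comparison against whatever type `runcount` has, which is only safe while the enclosing loop guarantees `q <= endq` — presumably it does, but that is not visible here. The enclosing function starts and ends outside the hunk.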