summaryrefslogtreecommitdiffstats
path: root/debian/patches
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/01_hurd_ftbfs.patch24
-rw-r--r--debian/patches/02_hurd_ftbfs.patch25
-rw-r--r--debian/patches/app-Don-t-second-guess-the-dependency-system.patch56
-rw-r--r--debian/patches/app-Print-2-digit-LittleCMS-minor-versions-correctly.patch41
-rw-r--r--debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch53
-rw-r--r--debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch94
-rw-r--r--debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch62
-rw-r--r--debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch49
-rw-r--r--debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch29
-rw-r--r--debian/patches/series9
10 files changed, 442 insertions, 0 deletions
diff --git a/debian/patches/01_hurd_ftbfs.patch b/debian/patches/01_hurd_ftbfs.patch
new file mode 100644
index 0000000..087cba2
--- /dev/null
+++ b/debian/patches/01_hurd_ftbfs.patch
@@ -0,0 +1,24 @@
+From: Svante Signell <svante.signell@telia.com>
+Date: Sun, 1 Apr 2018 17:43:04 -0400
+Subject: Define PATH_MAX to fix build on the Hurd.
+
+Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/424
+Applied-upstream: no
+---
+ libgimpbase/gimpreloc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libgimpbase/gimpreloc.c b/libgimpbase/gimpreloc.c
+index b9fa4df..8cd72f9 100644
+--- a/libgimpbase/gimpreloc.c
++++ b/libgimpbase/gimpreloc.c
+@@ -27,6 +27,9 @@
+
+ #include "gimpreloc.h"
+
++#ifndef PATH_MAX
++#define PATH_MAX 4096
++#endif
+
+ /*
+ * Find the canonical filename of the executable. Returns the filename
diff --git a/debian/patches/02_hurd_ftbfs.patch b/debian/patches/02_hurd_ftbfs.patch
new file mode 100644
index 0000000..f4c1fc7
--- /dev/null
+++ b/debian/patches/02_hurd_ftbfs.patch
@@ -0,0 +1,25 @@
+From: Svante Signell <svante.signell@gmail.com>
+Date: Tue, 6 Aug 2019 21:04:22 +0200
+Subject: qbist: Define PATH_MAX on Hurd
+
+Bug-Debian: https://bugs.debian.org/934077
+Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/424
+Applied-upstream: no
+---
+ plug-ins/common/qbist.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/plug-ins/common/qbist.c b/plug-ins/common/qbist.c
+index f8f94d4..6f1b582 100644
+--- a/plug-ins/common/qbist.c
++++ b/plug-ins/common/qbist.c
+@@ -38,6 +38,9 @@
+
+ #include "libgimp/stdplugins-intl.h"
+
++#ifndef PATH_MAX
++#define PATH_MAX 4096
++#endif
+
+ /** qbist renderer ***********************************************************/
+
diff --git a/debian/patches/app-Don-t-second-guess-the-dependency-system.patch b/debian/patches/app-Don-t-second-guess-the-dependency-system.patch
new file mode 100644
index 0000000..2234d35
--- /dev/null
+++ b/debian/patches/app-Don-t-second-guess-the-dependency-system.patch
@@ -0,0 +1,56 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Sat, 3 Apr 2021 11:40:22 +0100
+Subject: app: Don't second-guess the dependency system
+
+Removing this check makes the treatment of LittleCMS consistent with
+all the other dependencies checked in the same file, which only check
+that the runtime version is at least the required version.
+
+As long as we were compiled against LittleCMS >= 2.8, and are now
+running against a version that has at least the same symbols, it doesn't
+necessarily matter whether the version we are running against is the
+same one we were compiled against.
+
+Distributions like Debian and Ubuntu track the versions in which
+individual symbols were introduced, which allows runtime dependencies
+to be weakened when no newer symbols are actually used; this is
+practically necessary when working with very large numbers of packages,
+to avoid a new version of a dependency library unnecessarily blocking
+upgrade of dependent packages. However, this doesn't work if dependent
+packages add their own checks that bypass this mechanism.
+
+Bug-Debian: https://bugs.debian.org/900819
+Bug-Debian: https://bugs.debian.org/986192
+Signed-off-by: Simon McVittie <smcv@debian.org>
+Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/430
+---
+ app/sanity.c | 16 ----------------
+ 1 file changed, 16 deletions(-)
+
+diff --git a/app/sanity.c b/app/sanity.c
+index 7360fd0..a0550d3 100644
+--- a/app/sanity.c
++++ b/app/sanity.c
+@@ -391,22 +391,6 @@ sanity_check_lcms (void)
+
+ gint lcms_version = cmsGetEncodedCMMversion ();
+
+- if (LCMS_VERSION > lcms_version)
+- {
+- return g_strdup_printf
+- ("Liblcms2 version mismatch!\n\n"
+- "GIMP was compiled against LittleCMS version %d.%d, but the\n"
+- "LittleCMS version found at runtime is only %d.%d.\n\n"
+- "Somehow you or your software packager managed\n"
+- "to install a LittleCMS that is older than what GIMP was\n"
+- "built against.\n\n"
+- "Please make sure that the installed LittleCMS version\n"
+- "is at least %d.%d and that headers and library match.",
+- LCMS_VERSION / 1000, LCMS_VERSION % 1000 / 10,
+- lcms_version / 1000, lcms_version % 1000 / 10,
+- LCMS_VERSION / 1000, LCMS_VERSION % 1000 / 10);
+- }
+-
+ if (lcms_version < (LCMS_REQUIRED_MAJOR * 1000 +
+ LCMS_REQUIRED_MINOR * 10))
+ {
diff --git a/debian/patches/app-Print-2-digit-LittleCMS-minor-versions-correctly.patch b/debian/patches/app-Print-2-digit-LittleCMS-minor-versions-correctly.patch
new file mode 100644
index 0000000..7f8055f
--- /dev/null
+++ b/debian/patches/app-Print-2-digit-LittleCMS-minor-versions-correctly.patch
@@ -0,0 +1,41 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Sat, 3 Apr 2021 11:18:30 +0100
+Subject: app: Print 2-digit LittleCMS minor versions correctly
+
+LittleCMS 2.12.0 defines LCMS_VERSION as 2120. We want to print that
+as 2.12.0, not 2.2.0.
+
+Bug: https://gitlab.gnome.org/GNOME/gimp/-/issues/6505
+Bug-Debian: https://bugs.debian.org/900819
+Bug-Debian: https://bugs.debian.org/986192
+Signed-off-by: Simon McVittie <smcv@debian.org>
+Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/429
+---
+ app/sanity.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/app/sanity.c b/app/sanity.c
+index 0ad044a..7360fd0 100644
+--- a/app/sanity.c
++++ b/app/sanity.c
+@@ -402,16 +402,16 @@ sanity_check_lcms (void)
+ "built against.\n\n"
+ "Please make sure that the installed LittleCMS version\n"
+ "is at least %d.%d and that headers and library match.",
+- LCMS_VERSION / 1000, LCMS_VERSION % 100 / 10,
+- lcms_version / 1000, lcms_version % 100 / 10,
+- LCMS_VERSION / 1000, LCMS_VERSION % 100 / 10);
++ LCMS_VERSION / 1000, LCMS_VERSION % 1000 / 10,
++ lcms_version / 1000, lcms_version % 1000 / 10,
++ LCMS_VERSION / 1000, LCMS_VERSION % 1000 / 10);
+ }
+
+ if (lcms_version < (LCMS_REQUIRED_MAJOR * 1000 +
+ LCMS_REQUIRED_MINOR * 10))
+ {
+ const gint lcms_major_version = lcms_version / 1000;
+- const gint lcms_minor_version = lcms_version % 100 / 10;
++ const gint lcms_minor_version = lcms_version % 1000 / 10;
+
+ return g_strdup_printf
+ ("Liblcms2 version too old!\n\n"
diff --git a/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch b/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch
new file mode 100644
index 0000000..b0b45cc
--- /dev/null
+++ b/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch
@@ -0,0 +1,53 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Sat, 28 Oct 2023 21:44:51 +0000
+Subject: plug-ins: Additional fixes for DDS Import
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/9dda8139e4d07e3a273436eda993fef32555edbe
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
+Bug-Debian: https://bugs.debian.org/1055984
+
+@Wormnest noted remaining regressions after 8faad92e.
+The second fread() only runs if the DDSD_PITCH flag is set,
+so the error handling check should also be conditional.
+Additionally, the ZDI-CAN-22093 exploit no longer runs but
+still could cause a plug-in crash. This patch adds an additional
+check to ensure the buffer size was within bounds.
+---
+ plug-ins/file-dds/ddsread.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
+index 74368d04e41a..dcb4449a9f97 100644
+--- a/plug-ins/file-dds/ddsread.c
++++ b/plug-ins/file-dds/ddsread.c
+@@ -928,6 +928,7 @@ load_layer (FILE *fp,
+ current_position = ftell (fp);
+ fseek (fp, 0L, SEEK_END);
+ file_size = ftell (fp);
++ fseek (fp, 0, SEEK_SET);
+ fseek (fp, current_position, SEEK_SET);
+
+ if (width < 1) width = 1;
+@@ -1033,7 +1034,8 @@ load_layer (FILE *fp,
+ size *= 16;
+ }
+
+- if (size > (file_size - current_position))
++ if (size > (file_size - current_position) ||
++ size > hdr->pitch_or_linsize)
+ {
+ g_message ("Requested data exceeds size of file.\n");
+ return 0;
+@@ -1078,7 +1080,9 @@ load_layer (FILE *fp,
+ }
+
+ current_position = ftell (fp);
+- if ((width * d->bpp) > (file_size - current_position))
++ if ((hdr->flags & DDSD_PITCH) &&
++ ((width * d->bpp) > (file_size - current_position) ||
++ (width * d->bpp) > hdr->pitch_or_linsize))
+ {
+ g_message ("Requested data exceeds size of file.\n");
+ return 0;
+--
+2.42.0
+
diff --git a/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch b/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
new file mode 100644
index 0000000..85e54f5
--- /dev/null
+++ b/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
@@ -0,0 +1,94 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Fri, 27 Oct 2023 22:04:48 +0000
+Subject: plug-ins: Fix DDS import regression from 7db71cd0
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/e92f279c97282a2b20dca0d923db7465f2057703
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
+Bug-Debian: https://bugs.debian.org/1055984
+
+@Wormnest pointed out that compressed files are likely smaller than
+width * height * bps, so our check to prevent ZDI-CAN-22093
+also caught valid files.
+The size check is removed from load_image () and moved to load_layer ()
+before the two fread() functions, as we know exactly how much we'll
+try to read at that point.
+(Backport of 8faad92e)
+---
+ plug-ins/file-dds/ddsread.c | 39 +++++++++++++++++++++++++++----------
+ 1 file changed, 29 insertions(+), 10 deletions(-)
+
+--- a/plug-ins/file-dds/ddsread.c
++++ b/plug-ins/file-dds/ddsread.c
+@@ -189,16 +189,6 @@ read_dds (gchar *filename,
+ }
+ }
+
+- /* verify header information is accurate */
+- if (hdr.depth < 1 ||
+- (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
+- (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
+- {
+- fclose (fp);
+- g_message ("Invalid or corrupted DDS header\n");
+- return GIMP_PDB_EXECUTION_ERROR;
+- }
+-
+ if (hdr.pixelfmt.flags & DDPF_FOURCC)
+ {
+ /* fourcc is dXt* or rXgb */
+@@ -288,6 +278,15 @@ read_dds (gchar *filename,
+ }
+ }
+
++ /* verify header information is accurate */
++ if (d.bpp < 1 ||
++ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))))
++ {
++ fclose (fp);
++ g_message ("Invalid or corrupted DDS header\n");
++ return GIMP_PDB_EXECUTION_ERROR;
++ }
++
+ image = gimp_image_new (hdr.width, hdr.height, type);
+
+ if (image == -1)
+@@ -896,6 +895,13 @@ load_layer (FILE *fp,
+ unsigned int size = hdr->pitch_or_linsize >> (2 * level);
+ unsigned int layerw;
+ int format = DDS_COMPRESS_NONE;
++ gsize file_size;
++ gsize current_position;
++
++ current_position = ftell (fp);
++ fseek (fp, 0L, SEEK_END);
++ file_size = ftell (fp);
++ fseek (fp, current_position, SEEK_SET);
+
+ if (width < 1) width = 1;
+ if (height < 1) height = 1;
+@@ -993,6 +999,12 @@ load_layer (FILE *fp,
+ size *= 16;
+ }
+
++ if (size > (file_size - current_position))
++ {
++ g_message ("Requested data exceeds size of file.\n");
++ return 0;
++ }
++
+ if ((hdr->flags & DDSD_LINEARSIZE) &&
+ !fread (buf, size, 1, fp))
+ {
+@@ -1014,6 +1026,13 @@ load_layer (FILE *fp,
+ gimp_progress_update ((double)y / (double)hdr->height);
+ }
+
++ current_position = ftell (fp);
++ if ((width * d->bpp) > (file_size - current_position))
++ {
++ g_message ("Requested data exceeds size of file.\n");
++ return 0;
++ }
++
+ if ((hdr->flags & DDSD_PITCH) &&
+ !fread (buf, width * d->bpp, 1, fp))
+ {
diff --git a/debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch b/debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
new file mode 100644
index 0000000..c5ae876
--- /dev/null
+++ b/debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
@@ -0,0 +1,62 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Sun, 1 Oct 2023 17:54:08 +0000
+Subject: plug-ins: Fix DDS vulnerability (ZDI-CAN-22093)
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/7db71cd0b6e36c454aa0d2d3efeec7e636db4dbc
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
+Bug-Debian: https://bugs.debian.org/1055984
+
+Resolves #10069
+
+Currently, the DDS header information for the width, height, and bytes per scan line
+are read in and assumed to be correct. As these values are used for memory allocation
+and reading, it would be good to verify they do not exceed the file size.
+
+This patch adds a condition after the header is read in to verify those values. If they exceed
+the file size (mins an offset), the file is not read in and an error message is shown.
+---
+ plug-ins/file-dds/ddsread.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
+index a8eb8b8ad9f3..98e122de8aff 100644
+--- a/plug-ins/file-dds/ddsread.c
++++ b/plug-ins/file-dds/ddsread.c
+@@ -109,6 +109,7 @@ read_dds (gchar *filename,
+ guchar *pixels;
+ gchar *tmp;
+ FILE *fp;
++ gsize file_size;
+ dds_header_t hdr;
+ dds_header_dx10_t dx10hdr;
+ dds_load_info_t d;
+@@ -130,6 +131,10 @@ read_dds (gchar *filename,
+ return GIMP_PDB_EXECUTION_ERROR;
+ }
+
++ fseek (fp, 0L, SEEK_END);
++ file_size = ftell (fp);
++ fseek (fp, 0, SEEK_SET);
++
+ if (strrchr (filename, '/'))
+ tmp = g_strdup_printf ("Loading %s:", strrchr (filename, '/') + 1);
+ else
+@@ -186,6 +191,16 @@ read_dds (gchar *filename,
+ }
+ }
+
++ /* verify header information is accurate */
++ if (hdr.depth < 1 ||
++ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
++ (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
++ {
++ fclose (fp);
++ g_message ("Invalid or corrupted DDS header\n");
++ return GIMP_PDB_EXECUTION_ERROR;
++ }
++
+ if (hdr.pixelfmt.flags & DDPF_FOURCC)
+ {
+ /* fourcc is dXt* or rXgb */
+--
+2.42.0
+
diff --git a/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch b/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch
new file mode 100644
index 0000000..3f32a28
--- /dev/null
+++ b/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch
@@ -0,0 +1,49 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Sat, 23 Sep 2023 20:40:18 +0000
+Subject: plug-ins: Fix vulnerabilities in file-psp
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/ef12c0a90752a06d4c465a768d052b07f5e8a8a0
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44444
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44443
+Bug-Debian: https://bugs.debian.org/1055984
+
+Backports commits e1bfd871 and 96f536a3
+from master
+---
+ plug-ins/common/file-psp.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index c0f3480641c2..6a6b93d0cde7 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -1128,8 +1128,17 @@ read_color_block (FILE *f,
+ }
+
+ color_palette_entries = GUINT32_FROM_LE (entry_count);
++ /* TODO: GIMP currently only supports a maximum of 256 colors
++ * in an indexed image. If this changes, we can change this check */
++ if (color_palette_entries > 256)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("Error: Unsupported palette size"));
++ return -1;
++ }
++
+ /* psp color palette entries are stored as RGBA so 4 bytes per entry
+- where the fourth bytes is always zero */
++ * where the fourth bytes is always zero */
+ pal_size = color_palette_entries * 4;
+ color_palette = g_malloc (pal_size);
+ if (fread (color_palette, pal_size, 1, f) < 1)
+@@ -1498,7 +1507,7 @@ read_channel_data (FILE *f,
+ else
+ endq = q + line_width * height;
+
+- buf = g_malloc (127);
++ buf = g_malloc (128);
+ while (q < endq)
+ {
+ fread (&runcount, 1, 1, f);
+--
+2.42.0
+
diff --git a/debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch b/debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch
new file mode 100644
index 0000000..a6ba842
--- /dev/null
+++ b/debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch
@@ -0,0 +1,29 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Fri, 29 Sep 2023 20:39:29 +0000
+Subject: plug-ins: Fix vulnerability in file-psd
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44442
+Bug-Debian: https://bugs.debian.org/1055984
+
+Resolves #10101.
+This patch adds a missing break statement after an error condition
+is detected to prevent the code from continuing afterwards.
+---
+ plug-ins/file-psd/psd-util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plug-ins/file-psd/psd-util.c b/plug-ins/file-psd/psd-util.c
+index 1eccdd640e1c..34b442dc4966 100644
+--- a/plug-ins/file-psd/psd-util.c
++++ b/plug-ins/file-psd/psd-util.c
+@@ -518,6 +518,7 @@ decode_packbits (const gchar *src,
+ {
+ IFDBG(2) g_debug ("Overrun in packbits replicate of %d chars", n - unpack_left);
+ error_code = 2;
++ break;
+ }
+ memset (dst, *src, n);
+ src++;
+--
+2.42.0
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..d97742b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,9 @@
+app-Print-2-digit-LittleCMS-minor-versions-correctly.patch
+app-Don-t-second-guess-the-dependency-system.patch
+01_hurd_ftbfs.patch
+02_hurd_ftbfs.patch
+plug-ins-Fix-vulnerabilities-in-file-psp.patch
+plug-ins-Fix-vulnerability-in-file-psd.patch
+plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
+plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
+plug-ins-Additional-fixes-for-DDS-Import.patch