From 930ddca64ec92521e83b8b673523835772b437ac Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 27 Apr 2024 18:23:27 +0200 Subject: Adding debian version 2.10.22-4+deb11u2. Signed-off-by: Daniel Baumann --- debian/patches/01_hurd_ftbfs.patch | 24 ++++++ debian/patches/02_hurd_ftbfs.patch | 25 ++++++ ...-Don-t-second-guess-the-dependency-system.patch | 56 +++++++++++++ ...-digit-LittleCMS-minor-versions-correctly.patch | 41 ++++++++++ .../plug-ins-Additional-fixes-for-DDS-Import.patch | 53 ++++++++++++ ...s-Fix-DDS-import-regression-from-7db71cd0.patch | 94 ++++++++++++++++++++++ ...g-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch | 62 ++++++++++++++ .../plug-ins-Fix-vulnerabilities-in-file-psp.patch | 49 +++++++++++ .../plug-ins-Fix-vulnerability-in-file-psd.patch | 29 +++++++ debian/patches/series | 9 +++ 10 files changed, 442 insertions(+) create mode 100644 debian/patches/01_hurd_ftbfs.patch create mode 100644 debian/patches/02_hurd_ftbfs.patch create mode 100644 debian/patches/app-Don-t-second-guess-the-dependency-system.patch create mode 100644 debian/patches/app-Print-2-digit-LittleCMS-minor-versions-correctly.patch create mode 100644 debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch create mode 100644 debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch create mode 100644 debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch create mode 100644 debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch create mode 100644 debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch create mode 100644 debian/patches/series (limited to 'debian/patches') diff --git a/debian/patches/01_hurd_ftbfs.patch b/debian/patches/01_hurd_ftbfs.patch new file mode 100644 index 0000000..087cba2 --- /dev/null +++ b/debian/patches/01_hurd_ftbfs.patch @@ -0,0 +1,24 @@ +From: Svante Signell +Date: Sun, 1 Apr 2018 17:43:04 -0400 +Subject: Define PATH_MAX to fix build on the Hurd. + +Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/424 +Applied-upstream: no +--- + libgimpbase/gimpreloc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libgimpbase/gimpreloc.c b/libgimpbase/gimpreloc.c +index b9fa4df..8cd72f9 100644 +--- a/libgimpbase/gimpreloc.c ++++ b/libgimpbase/gimpreloc.c +@@ -27,6 +27,9 @@ + + #include "gimpreloc.h" + ++#ifndef PATH_MAX ++#define PATH_MAX 4096 ++#endif + + /* + * Find the canonical filename of the executable. Returns the filename diff --git a/debian/patches/02_hurd_ftbfs.patch b/debian/patches/02_hurd_ftbfs.patch new file mode 100644 index 0000000..f4c1fc7 --- /dev/null +++ b/debian/patches/02_hurd_ftbfs.patch @@ -0,0 +1,25 @@ +From: Svante Signell +Date: Tue, 6 Aug 2019 21:04:22 +0200 +Subject: qbist: Define PATH_MAX on Hurd + +Bug-Debian: https://bugs.debian.org/934077 +Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/424 +Applied-upstream: no +--- + plug-ins/common/qbist.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/plug-ins/common/qbist.c b/plug-ins/common/qbist.c +index f8f94d4..6f1b582 100644 +--- a/plug-ins/common/qbist.c ++++ b/plug-ins/common/qbist.c +@@ -38,6 +38,9 @@ + + #include "libgimp/stdplugins-intl.h" + ++#ifndef PATH_MAX ++#define PATH_MAX 4096 ++#endif + + /** qbist renderer ***********************************************************/ + diff --git a/debian/patches/app-Don-t-second-guess-the-dependency-system.patch b/debian/patches/app-Don-t-second-guess-the-dependency-system.patch new file mode 100644 index 0000000..2234d35 --- /dev/null +++ b/debian/patches/app-Don-t-second-guess-the-dependency-system.patch @@ -0,0 +1,56 @@ +From: Simon McVittie +Date: Sat, 3 Apr 2021 11:40:22 +0100 +Subject: app: Don't second-guess the dependency system + +Removing this check makes the treatment of LittleCMS consistent with +all the other dependencies checked in the same file, which only check +that the runtime version is at least the required version. + +As long as we were compiled against LittleCMS >= 2.8, and are now +running against a version that has at least the same symbols, it doesn't +necessarily matter whether the version we are running against is the +same one we were compiled against. + +Distributions like Debian and Ubuntu track the versions in which +individual symbols were introduced, which allows runtime dependencies +to be weakened when no newer symbols are actually used; this is +practically necessary when working with very large numbers of packages, +to avoid a new version of a dependency library unnecessarily blocking +upgrade of dependent packages. However, this doesn't work if dependent +packages add their own checks that bypass this mechanism. + +Bug-Debian: https://bugs.debian.org/900819 +Bug-Debian: https://bugs.debian.org/986192 +Signed-off-by: Simon McVittie +Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/430 +--- + app/sanity.c | 16 ---------------- + 1 file changed, 16 deletions(-) + +diff --git a/app/sanity.c b/app/sanity.c +index 7360fd0..a0550d3 100644 +--- a/app/sanity.c ++++ b/app/sanity.c +@@ -391,22 +391,6 @@ sanity_check_lcms (void) + + gint lcms_version = cmsGetEncodedCMMversion (); + +- if (LCMS_VERSION > lcms_version) +- { +- return g_strdup_printf +- ("Liblcms2 version mismatch!\n\n" +- "GIMP was compiled against LittleCMS version %d.%d, but the\n" +- "LittleCMS version found at runtime is only %d.%d.\n\n" +- "Somehow you or your software packager managed\n" +- "to install a LittleCMS that is older than what GIMP was\n" +- "built against.\n\n" +- "Please make sure that the installed LittleCMS version\n" +- "is at least %d.%d and that headers and library match.", +- LCMS_VERSION / 1000, LCMS_VERSION % 1000 / 10, +- lcms_version / 1000, lcms_version % 1000 / 10, +- LCMS_VERSION / 1000, LCMS_VERSION % 1000 / 10); +- } +- + if (lcms_version < (LCMS_REQUIRED_MAJOR * 1000 + + LCMS_REQUIRED_MINOR * 10)) + { diff --git a/debian/patches/app-Print-2-digit-LittleCMS-minor-versions-correctly.patch b/debian/patches/app-Print-2-digit-LittleCMS-minor-versions-correctly.patch new file mode 100644 index 0000000..7f8055f --- /dev/null +++ b/debian/patches/app-Print-2-digit-LittleCMS-minor-versions-correctly.patch @@ -0,0 +1,41 @@ +From: Simon McVittie +Date: Sat, 3 Apr 2021 11:18:30 +0100 +Subject: app: Print 2-digit LittleCMS minor versions correctly + +LittleCMS 2.12.0 defines LCMS_VERSION as 2120. We want to print that +as 2.12.0, not 2.2.0. + +Bug: https://gitlab.gnome.org/GNOME/gimp/-/issues/6505 +Bug-Debian: https://bugs.debian.org/900819 +Bug-Debian: https://bugs.debian.org/986192 +Signed-off-by: Simon McVittie +Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/429 +--- + app/sanity.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/app/sanity.c b/app/sanity.c +index 0ad044a..7360fd0 100644 +--- a/app/sanity.c ++++ b/app/sanity.c +@@ -402,16 +402,16 @@ sanity_check_lcms (void) + "built against.\n\n" + "Please make sure that the installed LittleCMS version\n" + "is at least %d.%d and that headers and library match.", +- LCMS_VERSION / 1000, LCMS_VERSION % 100 / 10, +- lcms_version / 1000, lcms_version % 100 / 10, +- LCMS_VERSION / 1000, LCMS_VERSION % 100 / 10); ++ LCMS_VERSION / 1000, LCMS_VERSION % 1000 / 10, ++ lcms_version / 1000, lcms_version % 1000 / 10, ++ LCMS_VERSION / 1000, LCMS_VERSION % 1000 / 10); + } + + if (lcms_version < (LCMS_REQUIRED_MAJOR * 1000 + + LCMS_REQUIRED_MINOR * 10)) + { + const gint lcms_major_version = lcms_version / 1000; +- const gint lcms_minor_version = lcms_version % 100 / 10; ++ const gint lcms_minor_version = lcms_version % 1000 / 10; + + return g_strdup_printf + ("Liblcms2 version too old!\n\n" diff --git a/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch b/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch new file mode 100644 index 0000000..b0b45cc --- /dev/null +++ b/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch @@ -0,0 +1,53 @@ +From: Alx Sa +Date: Sat, 28 Oct 2023 21:44:51 +0000 +Subject: plug-ins: Additional fixes for DDS Import +Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/9dda8139e4d07e3a273436eda993fef32555edbe +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441 +Bug-Debian: https://bugs.debian.org/1055984 + +@Wormnest noted remaining regressions after 8faad92e. +The second fread() only runs if the DDSD_PITCH flag is set, +so the error handling check should also be conditional. +Additionally, the ZDI-CAN-22093 exploit no longer runs but +still could cause a plug-in crash. This patch adds an additional +check to ensure the buffer size was within bounds. +--- + plug-ins/file-dds/ddsread.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c +index 74368d04e41a..dcb4449a9f97 100644 +--- a/plug-ins/file-dds/ddsread.c ++++ b/plug-ins/file-dds/ddsread.c +@@ -928,6 +928,7 @@ load_layer (FILE *fp, + current_position = ftell (fp); + fseek (fp, 0L, SEEK_END); + file_size = ftell (fp); ++ fseek (fp, 0, SEEK_SET); + fseek (fp, current_position, SEEK_SET); + + if (width < 1) width = 1; +@@ -1033,7 +1034,8 @@ load_layer (FILE *fp, + size *= 16; + } + +- if (size > (file_size - current_position)) ++ if (size > (file_size - current_position) || ++ size > hdr->pitch_or_linsize) + { + g_message ("Requested data exceeds size of file.\n"); + return 0; +@@ -1078,7 +1080,9 @@ load_layer (FILE *fp, + } + + current_position = ftell (fp); +- if ((width * d->bpp) > (file_size - current_position)) ++ if ((hdr->flags & DDSD_PITCH) && ++ ((width * d->bpp) > (file_size - current_position) || ++ (width * d->bpp) > hdr->pitch_or_linsize)) + { + g_message ("Requested data exceeds size of file.\n"); + return 0; +-- +2.42.0 + diff --git a/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch b/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch new file mode 100644 index 0000000..85e54f5 --- /dev/null +++ b/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch @@ -0,0 +1,94 @@ +From: Alx Sa +Date: Fri, 27 Oct 2023 22:04:48 +0000 +Subject: plug-ins: Fix DDS import regression from 7db71cd0 +Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/e92f279c97282a2b20dca0d923db7465f2057703 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441 +Bug-Debian: https://bugs.debian.org/1055984 + +@Wormnest pointed out that compressed files are likely smaller than +width * height * bps, so our check to prevent ZDI-CAN-22093 +also caught valid files. +The size check is removed from load_image () and moved to load_layer () +before the two fread() functions, as we know exactly how much we'll +try to read at that point. +(Backport of 8faad92e) +--- + plug-ins/file-dds/ddsread.c | 39 +++++++++++++++++++++++++++---------- + 1 file changed, 29 insertions(+), 10 deletions(-) + +--- a/plug-ins/file-dds/ddsread.c ++++ b/plug-ins/file-dds/ddsread.c +@@ -189,16 +189,6 @@ read_dds (gchar *filename, + } + } + +- /* verify header information is accurate */ +- if (hdr.depth < 1 || +- (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) || +- (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr)))) +- { +- fclose (fp); +- g_message ("Invalid or corrupted DDS header\n"); +- return GIMP_PDB_EXECUTION_ERROR; +- } +- + if (hdr.pixelfmt.flags & DDPF_FOURCC) + { + /* fourcc is dXt* or rXgb */ +@@ -288,6 +278,15 @@ read_dds (gchar *filename, + } + } + ++ /* verify header information is accurate */ ++ if (d.bpp < 1 || ++ (hdr.pitch_or_linsize > (file_size - sizeof (hdr)))) ++ { ++ fclose (fp); ++ g_message ("Invalid or corrupted DDS header\n"); ++ return GIMP_PDB_EXECUTION_ERROR; ++ } ++ + image = gimp_image_new (hdr.width, hdr.height, type); + + if (image == -1) +@@ -896,6 +895,13 @@ load_layer (FILE *fp, + unsigned int size = hdr->pitch_or_linsize >> (2 * level); + unsigned int layerw; + int format = DDS_COMPRESS_NONE; ++ gsize file_size; ++ gsize current_position; ++ ++ current_position = ftell (fp); ++ fseek (fp, 0L, SEEK_END); ++ file_size = ftell (fp); ++ fseek (fp, current_position, SEEK_SET); + + if (width < 1) width = 1; + if (height < 1) height = 1; +@@ -993,6 +999,12 @@ load_layer (FILE *fp, + size *= 16; + } + ++ if (size > (file_size - current_position)) ++ { ++ g_message ("Requested data exceeds size of file.\n"); ++ return 0; ++ } ++ + if ((hdr->flags & DDSD_LINEARSIZE) && + !fread (buf, size, 1, fp)) + { +@@ -1014,6 +1026,13 @@ load_layer (FILE *fp, + gimp_progress_update ((double)y / (double)hdr->height); + } + ++ current_position = ftell (fp); ++ if ((width * d->bpp) > (file_size - current_position)) ++ { ++ g_message ("Requested data exceeds size of file.\n"); ++ return 0; ++ } ++ + if ((hdr->flags & DDSD_PITCH) && + !fread (buf, width * d->bpp, 1, fp)) + { diff --git a/debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch b/debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch new file mode 100644 index 0000000..c5ae876 --- /dev/null +++ b/debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch @@ -0,0 +1,62 @@ +From: Alx Sa +Date: Sun, 1 Oct 2023 17:54:08 +0000 +Subject: plug-ins: Fix DDS vulnerability (ZDI-CAN-22093) +Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/7db71cd0b6e36c454aa0d2d3efeec7e636db4dbc +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441 +Bug-Debian: https://bugs.debian.org/1055984 + +Resolves #10069 + +Currently, the DDS header information for the width, height, and bytes per scan line +are read in and assumed to be correct. As these values are used for memory allocation +and reading, it would be good to verify they do not exceed the file size. + +This patch adds a condition after the header is read in to verify those values. If they exceed +the file size (mins an offset), the file is not read in and an error message is shown. +--- + plug-ins/file-dds/ddsread.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c +index a8eb8b8ad9f3..98e122de8aff 100644 +--- a/plug-ins/file-dds/ddsread.c ++++ b/plug-ins/file-dds/ddsread.c +@@ -109,6 +109,7 @@ read_dds (gchar *filename, + guchar *pixels; + gchar *tmp; + FILE *fp; ++ gsize file_size; + dds_header_t hdr; + dds_header_dx10_t dx10hdr; + dds_load_info_t d; +@@ -130,6 +131,10 @@ read_dds (gchar *filename, + return GIMP_PDB_EXECUTION_ERROR; + } + ++ fseek (fp, 0L, SEEK_END); ++ file_size = ftell (fp); ++ fseek (fp, 0, SEEK_SET); ++ + if (strrchr (filename, '/')) + tmp = g_strdup_printf ("Loading %s:", strrchr (filename, '/') + 1); + else +@@ -186,6 +191,16 @@ read_dds (gchar *filename, + } + } + ++ /* verify header information is accurate */ ++ if (hdr.depth < 1 || ++ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) || ++ (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr)))) ++ { ++ fclose (fp); ++ g_message ("Invalid or corrupted DDS header\n"); ++ return GIMP_PDB_EXECUTION_ERROR; ++ } ++ + if (hdr.pixelfmt.flags & DDPF_FOURCC) + { + /* fourcc is dXt* or rXgb */ +-- +2.42.0 + diff --git a/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch b/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch new file mode 100644 index 0000000..3f32a28 --- /dev/null +++ b/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch @@ -0,0 +1,49 @@ +From: Alx Sa +Date: Sat, 23 Sep 2023 20:40:18 +0000 +Subject: plug-ins: Fix vulnerabilities in file-psp +Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/ef12c0a90752a06d4c465a768d052b07f5e8a8a0 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44444 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44443 +Bug-Debian: https://bugs.debian.org/1055984 + +Backports commits e1bfd871 and 96f536a3 +from master +--- + plug-ins/common/file-psp.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c +index c0f3480641c2..6a6b93d0cde7 100644 +--- a/plug-ins/common/file-psp.c ++++ b/plug-ins/common/file-psp.c +@@ -1128,8 +1128,17 @@ read_color_block (FILE *f, + } + + color_palette_entries = GUINT32_FROM_LE (entry_count); ++ /* TODO: GIMP currently only supports a maximum of 256 colors ++ * in an indexed image. If this changes, we can change this check */ ++ if (color_palette_entries > 256) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("Error: Unsupported palette size")); ++ return -1; ++ } ++ + /* psp color palette entries are stored as RGBA so 4 bytes per entry +- where the fourth bytes is always zero */ ++ * where the fourth bytes is always zero */ + pal_size = color_palette_entries * 4; + color_palette = g_malloc (pal_size); + if (fread (color_palette, pal_size, 1, f) < 1) +@@ -1498,7 +1507,7 @@ read_channel_data (FILE *f, + else + endq = q + line_width * height; + +- buf = g_malloc (127); ++ buf = g_malloc (128); + while (q < endq) + { + fread (&runcount, 1, 1, f); +-- +2.42.0 + diff --git a/debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch b/debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch new file mode 100644 index 0000000..a6ba842 --- /dev/null +++ b/debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch @@ -0,0 +1,29 @@ +From: Alx Sa +Date: Fri, 29 Sep 2023 20:39:29 +0000 +Subject: plug-ins: Fix vulnerability in file-psd +Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44442 +Bug-Debian: https://bugs.debian.org/1055984 + +Resolves #10101. +This patch adds a missing break statement after an error condition +is detected to prevent the code from continuing afterwards. +--- + plug-ins/file-psd/psd-util.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/plug-ins/file-psd/psd-util.c b/plug-ins/file-psd/psd-util.c +index 1eccdd640e1c..34b442dc4966 100644 +--- a/plug-ins/file-psd/psd-util.c ++++ b/plug-ins/file-psd/psd-util.c +@@ -518,6 +518,7 @@ decode_packbits (const gchar *src, + { + IFDBG(2) g_debug ("Overrun in packbits replicate of %d chars", n - unpack_left); + error_code = 2; ++ break; + } + memset (dst, *src, n); + src++; +-- +2.42.0 + diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..d97742b --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,9 @@ +app-Print-2-digit-LittleCMS-minor-versions-correctly.patch +app-Don-t-second-guess-the-dependency-system.patch +01_hurd_ftbfs.patch +02_hurd_ftbfs.patch +plug-ins-Fix-vulnerabilities-in-file-psp.patch +plug-ins-Fix-vulnerability-in-file-psd.patch +plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch +plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch +plug-ins-Additional-fixes-for-DDS-Import.patch -- cgit v1.2.3