Adding debian version 2.10.34-1+deb12u2.debian/2.10.34-1+deb12u2debian

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

8 files changed, 348 insertions, 0 deletions

diff --git a/debian/patches/01_hurd_ftbfs.patch b/debian/patches/01_hurd_ftbfs.patch
new file mode 100644
index 0000000..087cba2
--- /dev/null
+++ b/debian/patches/01_hurd_ftbfs.patch
@@ -0,0 +1,24 @@
+From: Svante Signell <svante.signell@telia.com>
+Date: Sun, 1 Apr 2018 17:43:04 -0400
+Subject: Define PATH_MAX to fix build on the Hurd.
+
+Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/424
+Applied-upstream: no
+---
+ libgimpbase/gimpreloc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libgimpbase/gimpreloc.c b/libgimpbase/gimpreloc.c
+index b9fa4df..8cd72f9 100644
+--- a/libgimpbase/gimpreloc.c
++++ b/libgimpbase/gimpreloc.c
+@@ -27,6 +27,9 @@
+ 
+ #include "gimpreloc.h"
+ 
++#ifndef PATH_MAX
++#define PATH_MAX 4096
++#endif
+ 
+ /*
+  * Find the canonical filename of the executable. Returns the filename
diff --git a/debian/patches/02_hurd_ftbfs.patch b/debian/patches/02_hurd_ftbfs.patch
new file mode 100644
index 0000000..f4c1fc7
--- /dev/null
+++ b/debian/patches/02_hurd_ftbfs.patch
@@ -0,0 +1,25 @@
+From: Svante Signell <svante.signell@gmail.com>
+Date: Tue, 6 Aug 2019 21:04:22 +0200
+Subject: qbist: Define PATH_MAX on Hurd
+
+Bug-Debian: https://bugs.debian.org/934077
+Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/424
+Applied-upstream: no
+---
+ plug-ins/common/qbist.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/plug-ins/common/qbist.c b/plug-ins/common/qbist.c
+index f8f94d4..6f1b582 100644
+--- a/plug-ins/common/qbist.c
++++ b/plug-ins/common/qbist.c
+@@ -38,6 +38,9 @@
+ 
+ #include "libgimp/stdplugins-intl.h"
+ 
++#ifndef PATH_MAX
++#define PATH_MAX 4096
++#endif
+ 
+ /** qbist renderer ***********************************************************/
+ 
diff --git a/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch b/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch
new file mode 100644
index 0000000..b0b45cc
--- /dev/null
+++ b/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch
@@ -0,0 +1,53 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Sat, 28 Oct 2023 21:44:51 +0000
+Subject: plug-ins: Additional fixes for DDS Import
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/9dda8139e4d07e3a273436eda993fef32555edbe
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
+Bug-Debian: https://bugs.debian.org/1055984
+
+@Wormnest noted remaining regressions after 8faad92e.
+The second fread() only runs if the DDSD_PITCH flag is set,
+so the error handling check should also be conditional.
+Additionally, the ZDI-CAN-22093 exploit no longer runs but
+still could cause a plug-in crash. This patch adds an additional
+check to ensure the buffer size was within bounds.
+---
+ plug-ins/file-dds/ddsread.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
+index 74368d04e41a..dcb4449a9f97 100644
+--- a/plug-ins/file-dds/ddsread.c
++++ b/plug-ins/file-dds/ddsread.c
+@@ -928,6 +928,7 @@ load_layer (FILE            *fp,
+   current_position = ftell (fp);
+   fseek (fp, 0L, SEEK_END);
+   file_size = ftell (fp);
++  fseek (fp, 0, SEEK_SET);
+   fseek (fp, current_position, SEEK_SET);
+ 
+   if (width < 1) width = 1;
+@@ -1033,7 +1034,8 @@ load_layer (FILE            *fp,
+         size *= 16;
+     }
+ 
+-  if (size > (file_size - current_position))
++  if (size > (file_size - current_position) ||
++      size > hdr->pitch_or_linsize)
+     {
+       g_message ("Requested data exceeds size of file.\n");
+       return 0;
+@@ -1078,7 +1080,9 @@ load_layer (FILE            *fp,
+             }
+ 
+           current_position = ftell (fp);
+-          if ((width * d->bpp) > (file_size - current_position))
++          if ((hdr->flags & DDSD_PITCH)                          &&
++              ((width * d->bpp) > (file_size - current_position) ||
++               (width * d->bpp) > hdr->pitch_or_linsize))
+             {
+               g_message ("Requested data exceeds size of file.\n");
+               return 0;
+-- 
+2.42.0
+
diff --git a/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch b/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
new file mode 100644
index 0000000..d6f2776
--- /dev/null
+++ b/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
@@ -0,0 +1,99 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Fri, 27 Oct 2023 22:04:48 +0000
+Subject: plug-ins: Fix DDS import regression from 7db71cd0
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/e92f279c97282a2b20dca0d923db7465f2057703
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
+Bug-Debian: https://bugs.debian.org/1055984
+
+@Wormnest pointed out that compressed files are likely smaller than
+width * height * bps, so our check to prevent ZDI-CAN-22093
+also caught valid files.
+The size check is removed from load_image () and moved to load_layer ()
+before the two fread() functions, as we know exactly how much we'll
+try to read at that point.
+(Backport of 8faad92e)
+---
+ plug-ins/file-dds/ddsread.c | 39 +++++++++++++++++++++++++++----------
+ 1 file changed, 29 insertions(+), 10 deletions(-)
+
+diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
+index 98e122de8aff..74368d04e41a 100644
+--- a/plug-ins/file-dds/ddsread.c
++++ b/plug-ins/file-dds/ddsread.c
+@@ -191,16 +191,6 @@ read_dds (gchar    *filename,
+         }
+     }
+ 
+-  /* verify header information is accurate */
+-  if (hdr.depth < 1                                       ||
+-      (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
+-      (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
+-    {
+-      fclose (fp);
+-      g_message ("Invalid or corrupted DDS header\n");
+-      return GIMP_PDB_EXECUTION_ERROR;
+-    }
+-
+   if (hdr.pixelfmt.flags & DDPF_FOURCC)
+     {
+       /* fourcc is dXt* or rXgb */
+@@ -310,6 +300,15 @@ read_dds (gchar    *filename,
+       precision = GIMP_PRECISION_U8_GAMMA;
+     }
+ 
++  /* verify header information is accurate */
++  if (d.bpp < 1 ||
++      (hdr.pitch_or_linsize > (file_size - sizeof (hdr))))
++    {
++      fclose (fp);
++      g_message ("Invalid or corrupted DDS header\n");
++      return GIMP_PDB_EXECUTION_ERROR;
++    }
++
+   image = gimp_image_new_with_precision (hdr.width, hdr.height, type, precision);
+ 
+   if (image == -1)
+@@ -923,6 +922,13 @@ load_layer (FILE            *fp,
+   unsigned int   size = hdr->pitch_or_linsize >> (2 * level);
+   unsigned int   layerw;
+   int            format = DDS_COMPRESS_NONE;
++  gsize          file_size;
++  gsize          current_position;
++
++  current_position = ftell (fp);
++  fseek (fp, 0L, SEEK_END);
++  file_size = ftell (fp);
++  fseek (fp, current_position, SEEK_SET);
+ 
+   if (width < 1) width = 1;
+   if (height < 1) height = 1;
+@@ -1027,6 +1033,12 @@ load_layer (FILE            *fp,
+         size *= 16;
+     }
+ 
++  if (size > (file_size - current_position))
++    {
++      g_message ("Requested data exceeds size of file.\n");
++      return 0;
++    }
++
+   if ((hdr->flags & DDSD_LINEARSIZE) &&
+       !fread (buf, size, 1, fp))
+     {
+@@ -1065,6 +1077,13 @@ load_layer (FILE            *fp,
+               gimp_progress_update ((double)y / (double)hdr->height);
+             }
+ 
++          current_position = ftell (fp);
++          if ((width * d->bpp) > (file_size - current_position))
++            {
++              g_message ("Requested data exceeds size of file.\n");
++              return 0;
++            }
++
+           if ((hdr->flags & DDSD_PITCH) &&
+               !fread (buf, width * d->bpp, 1, fp))
+             {
+-- 
+2.42.0
+
diff --git a/debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch b/debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
new file mode 100644
index 0000000..c5ae876
--- /dev/null
+++ b/debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
@@ -0,0 +1,62 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Sun, 1 Oct 2023 17:54:08 +0000
+Subject: plug-ins: Fix DDS vulnerability (ZDI-CAN-22093)
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/7db71cd0b6e36c454aa0d2d3efeec7e636db4dbc
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
+Bug-Debian: https://bugs.debian.org/1055984
+
+Resolves #10069
+
+Currently, the DDS header information for the width, height, and bytes per scan line
+are read in and assumed to be correct. As these values are used for memory allocation
+and reading, it would be good to verify they do not exceed the file size.
+
+This patch adds a condition after the header is read in to verify those values. If they exceed
+the file size (mins an offset), the file is not read in and an error message is shown.
+---
+ plug-ins/file-dds/ddsread.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
+index a8eb8b8ad9f3..98e122de8aff 100644
+--- a/plug-ins/file-dds/ddsread.c
++++ b/plug-ins/file-dds/ddsread.c
+@@ -109,6 +109,7 @@ read_dds (gchar    *filename,
+   guchar *pixels;
+   gchar *tmp;
+   FILE *fp;
++  gsize file_size;
+   dds_header_t hdr;
+   dds_header_dx10_t dx10hdr;
+   dds_load_info_t d;
+@@ -130,6 +131,10 @@ read_dds (gchar    *filename,
+       return GIMP_PDB_EXECUTION_ERROR;
+     }
+ 
++  fseek (fp, 0L, SEEK_END);
++  file_size = ftell (fp);
++  fseek (fp, 0, SEEK_SET);
++
+   if (strrchr (filename, '/'))
+     tmp = g_strdup_printf ("Loading %s:", strrchr (filename, '/') + 1);
+   else
+@@ -186,6 +191,16 @@ read_dds (gchar    *filename,
+         }
+     }
+ 
++  /* verify header information is accurate */
++  if (hdr.depth < 1                                       ||
++      (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
++      (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
++    {
++      fclose (fp);
++      g_message ("Invalid or corrupted DDS header\n");
++      return GIMP_PDB_EXECUTION_ERROR;
++    }
++
+   if (hdr.pixelfmt.flags & DDPF_FOURCC)
+     {
+       /* fourcc is dXt* or rXgb */
+-- 
+2.42.0
+
diff --git a/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch b/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch
new file mode 100644
index 0000000..3f32a28
--- /dev/null
+++ b/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch
@@ -0,0 +1,49 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Sat, 23 Sep 2023 20:40:18 +0000
+Subject: plug-ins: Fix vulnerabilities in file-psp
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/ef12c0a90752a06d4c465a768d052b07f5e8a8a0
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44444
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44443
+Bug-Debian: https://bugs.debian.org/1055984
+
+Backports commits e1bfd871 and 96f536a3
+from master
+---
+ plug-ins/common/file-psp.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index c0f3480641c2..6a6b93d0cde7 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -1128,8 +1128,17 @@ read_color_block (FILE      *f,
+     }
+ 
+   color_palette_entries = GUINT32_FROM_LE (entry_count);
++  /* TODO: GIMP currently only supports a maximum of 256 colors
++   * in an indexed image. If this changes, we can change this check */
++  if (color_palette_entries > 256)
++    {
++      g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++                   _("Error: Unsupported palette size"));
++      return -1;
++    }
++
+   /* psp color palette entries are stored as RGBA so 4 bytes per entry
+-     where the fourth bytes is always zero */
++   * where the fourth bytes is always zero */
+   pal_size = color_palette_entries * 4;
+   color_palette = g_malloc (pal_size);
+   if (fread (color_palette, pal_size, 1, f) < 1)
+@@ -1498,7 +1507,7 @@ read_channel_data (FILE        *f,
+         else
+           endq = q + line_width * height;
+ 
+-        buf = g_malloc (127);
++        buf = g_malloc (128);
+         while (q < endq)
+           {
+             fread (&runcount, 1, 1, f);
+-- 
+2.42.0
+
diff --git a/debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch b/debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch
new file mode 100644
index 0000000..a6ba842
--- /dev/null
+++ b/debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch
@@ -0,0 +1,29 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Fri, 29 Sep 2023 20:39:29 +0000
+Subject: plug-ins: Fix vulnerability in file-psd
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44442
+Bug-Debian: https://bugs.debian.org/1055984
+
+Resolves #10101.
+This patch adds a missing break statement after an error condition
+is detected to prevent the code from continuing afterwards.
+---
+ plug-ins/file-psd/psd-util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plug-ins/file-psd/psd-util.c b/plug-ins/file-psd/psd-util.c
+index 1eccdd640e1c..34b442dc4966 100644
+--- a/plug-ins/file-psd/psd-util.c
++++ b/plug-ins/file-psd/psd-util.c
+@@ -518,6 +518,7 @@ decode_packbits (const gchar *src,
+             {
+               IFDBG(2) g_debug ("Overrun in packbits replicate of %d chars", n - unpack_left);
+               error_code = 2;
++              break;
+             }
+           memset (dst, *src, n);
+           src++;
+-- 
+2.42.0
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..899cd95
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,7 @@
+01_hurd_ftbfs.patch
+02_hurd_ftbfs.patch
+plug-ins-Fix-vulnerabilities-in-file-psp.patch
+plug-ins-Fix-vulnerability-in-file-psd.patch
+plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
+plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
+plug-ins-Additional-fixes-for-DDS-Import.patch