summaryrefslogtreecommitdiffstats
path: root/debian/patches
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/01_hurd_ftbfs.patch24
-rw-r--r--debian/patches/02_hurd_ftbfs.patch25
-rw-r--r--debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch53
-rw-r--r--debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch99
-rw-r--r--debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch62
-rw-r--r--debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch49
-rw-r--r--debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch29
-rw-r--r--debian/patches/series7
8 files changed, 348 insertions, 0 deletions
diff --git a/debian/patches/01_hurd_ftbfs.patch b/debian/patches/01_hurd_ftbfs.patch
new file mode 100644
index 0000000..087cba2
--- /dev/null
+++ b/debian/patches/01_hurd_ftbfs.patch
@@ -0,0 +1,24 @@
+From: Svante Signell <svante.signell@telia.com>
+Date: Sun, 1 Apr 2018 17:43:04 -0400
+Subject: Define PATH_MAX to fix build on the Hurd.
+
+Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/424
+Applied-upstream: no
+---
+ libgimpbase/gimpreloc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libgimpbase/gimpreloc.c b/libgimpbase/gimpreloc.c
+index b9fa4df..8cd72f9 100644
+--- a/libgimpbase/gimpreloc.c
++++ b/libgimpbase/gimpreloc.c
+@@ -27,6 +27,9 @@
+
+ #include "gimpreloc.h"
+
++#ifndef PATH_MAX
++#define PATH_MAX 4096
++#endif
+
+ /*
+ * Find the canonical filename of the executable. Returns the filename
diff --git a/debian/patches/02_hurd_ftbfs.patch b/debian/patches/02_hurd_ftbfs.patch
new file mode 100644
index 0000000..f4c1fc7
--- /dev/null
+++ b/debian/patches/02_hurd_ftbfs.patch
@@ -0,0 +1,25 @@
+From: Svante Signell <svante.signell@gmail.com>
+Date: Tue, 6 Aug 2019 21:04:22 +0200
+Subject: qbist: Define PATH_MAX on Hurd
+
+Bug-Debian: https://bugs.debian.org/934077
+Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/424
+Applied-upstream: no
+---
+ plug-ins/common/qbist.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/plug-ins/common/qbist.c b/plug-ins/common/qbist.c
+index f8f94d4..6f1b582 100644
+--- a/plug-ins/common/qbist.c
++++ b/plug-ins/common/qbist.c
+@@ -38,6 +38,9 @@
+
+ #include "libgimp/stdplugins-intl.h"
+
++#ifndef PATH_MAX
++#define PATH_MAX 4096
++#endif
+
+ /** qbist renderer ***********************************************************/
+
diff --git a/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch b/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch
new file mode 100644
index 0000000..b0b45cc
--- /dev/null
+++ b/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch
@@ -0,0 +1,53 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Sat, 28 Oct 2023 21:44:51 +0000
+Subject: plug-ins: Additional fixes for DDS Import
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/9dda8139e4d07e3a273436eda993fef32555edbe
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
+Bug-Debian: https://bugs.debian.org/1055984
+
+@Wormnest noted remaining regressions after 8faad92e.
+The second fread() only runs if the DDSD_PITCH flag is set,
+so the error handling check should also be conditional.
+Additionally, the ZDI-CAN-22093 exploit no longer runs but
+still could cause a plug-in crash. This patch adds an additional
+check to ensure the buffer size was within bounds.
+---
+ plug-ins/file-dds/ddsread.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
+index 74368d04e41a..dcb4449a9f97 100644
+--- a/plug-ins/file-dds/ddsread.c
++++ b/plug-ins/file-dds/ddsread.c
+@@ -928,6 +928,7 @@ load_layer (FILE *fp,
+ current_position = ftell (fp);
+ fseek (fp, 0L, SEEK_END);
+ file_size = ftell (fp);
++ fseek (fp, 0, SEEK_SET);
+ fseek (fp, current_position, SEEK_SET);
+
+ if (width < 1) width = 1;
+@@ -1033,7 +1034,8 @@ load_layer (FILE *fp,
+ size *= 16;
+ }
+
+- if (size > (file_size - current_position))
++ if (size > (file_size - current_position) ||
++ size > hdr->pitch_or_linsize)
+ {
+ g_message ("Requested data exceeds size of file.\n");
+ return 0;
+@@ -1078,7 +1080,9 @@ load_layer (FILE *fp,
+ }
+
+ current_position = ftell (fp);
+- if ((width * d->bpp) > (file_size - current_position))
++ if ((hdr->flags & DDSD_PITCH) &&
++ ((width * d->bpp) > (file_size - current_position) ||
++ (width * d->bpp) > hdr->pitch_or_linsize))
+ {
+ g_message ("Requested data exceeds size of file.\n");
+ return 0;
+--
+2.42.0
+
diff --git a/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch b/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
new file mode 100644
index 0000000..d6f2776
--- /dev/null
+++ b/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
@@ -0,0 +1,99 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Fri, 27 Oct 2023 22:04:48 +0000
+Subject: plug-ins: Fix DDS import regression from 7db71cd0
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/e92f279c97282a2b20dca0d923db7465f2057703
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
+Bug-Debian: https://bugs.debian.org/1055984
+
+@Wormnest pointed out that compressed files are likely smaller than
+width * height * bps, so our check to prevent ZDI-CAN-22093
+also caught valid files.
+The size check is removed from load_image () and moved to load_layer ()
+before the two fread() functions, as we know exactly how much we'll
+try to read at that point.
+(Backport of 8faad92e)
+---
+ plug-ins/file-dds/ddsread.c | 39 +++++++++++++++++++++++++++----------
+ 1 file changed, 29 insertions(+), 10 deletions(-)
+
+diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
+index 98e122de8aff..74368d04e41a 100644
+--- a/plug-ins/file-dds/ddsread.c
++++ b/plug-ins/file-dds/ddsread.c
+@@ -191,16 +191,6 @@ read_dds (gchar *filename,
+ }
+ }
+
+- /* verify header information is accurate */
+- if (hdr.depth < 1 ||
+- (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
+- (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
+- {
+- fclose (fp);
+- g_message ("Invalid or corrupted DDS header\n");
+- return GIMP_PDB_EXECUTION_ERROR;
+- }
+-
+ if (hdr.pixelfmt.flags & DDPF_FOURCC)
+ {
+ /* fourcc is dXt* or rXgb */
+@@ -310,6 +300,15 @@ read_dds (gchar *filename,
+ precision = GIMP_PRECISION_U8_GAMMA;
+ }
+
++ /* verify header information is accurate */
++ if (d.bpp < 1 ||
++ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))))
++ {
++ fclose (fp);
++ g_message ("Invalid or corrupted DDS header\n");
++ return GIMP_PDB_EXECUTION_ERROR;
++ }
++
+ image = gimp_image_new_with_precision (hdr.width, hdr.height, type, precision);
+
+ if (image == -1)
+@@ -923,6 +922,13 @@ load_layer (FILE *fp,
+ unsigned int size = hdr->pitch_or_linsize >> (2 * level);
+ unsigned int layerw;
+ int format = DDS_COMPRESS_NONE;
++ gsize file_size;
++ gsize current_position;
++
++ current_position = ftell (fp);
++ fseek (fp, 0L, SEEK_END);
++ file_size = ftell (fp);
++ fseek (fp, current_position, SEEK_SET);
+
+ if (width < 1) width = 1;
+ if (height < 1) height = 1;
+@@ -1027,6 +1033,12 @@ load_layer (FILE *fp,
+ size *= 16;
+ }
+
++ if (size > (file_size - current_position))
++ {
++ g_message ("Requested data exceeds size of file.\n");
++ return 0;
++ }
++
+ if ((hdr->flags & DDSD_LINEARSIZE) &&
+ !fread (buf, size, 1, fp))
+ {
+@@ -1065,6 +1077,13 @@ load_layer (FILE *fp,
+ gimp_progress_update ((double)y / (double)hdr->height);
+ }
+
++ current_position = ftell (fp);
++ if ((width * d->bpp) > (file_size - current_position))
++ {
++ g_message ("Requested data exceeds size of file.\n");
++ return 0;
++ }
++
+ if ((hdr->flags & DDSD_PITCH) &&
+ !fread (buf, width * d->bpp, 1, fp))
+ {
+--
+2.42.0
+
diff --git a/debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch b/debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
new file mode 100644
index 0000000..c5ae876
--- /dev/null
+++ b/debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
@@ -0,0 +1,62 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Sun, 1 Oct 2023 17:54:08 +0000
+Subject: plug-ins: Fix DDS vulnerability (ZDI-CAN-22093)
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/7db71cd0b6e36c454aa0d2d3efeec7e636db4dbc
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
+Bug-Debian: https://bugs.debian.org/1055984
+
+Resolves #10069
+
+Currently, the DDS header information for the width, height, and bytes per scan line
+are read in and assumed to be correct. As these values are used for memory allocation
+and reading, it would be good to verify they do not exceed the file size.
+
+This patch adds a condition after the header is read in to verify those values. If they exceed
+the file size (mins an offset), the file is not read in and an error message is shown.
+---
+ plug-ins/file-dds/ddsread.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
+index a8eb8b8ad9f3..98e122de8aff 100644
+--- a/plug-ins/file-dds/ddsread.c
++++ b/plug-ins/file-dds/ddsread.c
+@@ -109,6 +109,7 @@ read_dds (gchar *filename,
+ guchar *pixels;
+ gchar *tmp;
+ FILE *fp;
++ gsize file_size;
+ dds_header_t hdr;
+ dds_header_dx10_t dx10hdr;
+ dds_load_info_t d;
+@@ -130,6 +131,10 @@ read_dds (gchar *filename,
+ return GIMP_PDB_EXECUTION_ERROR;
+ }
+
++ fseek (fp, 0L, SEEK_END);
++ file_size = ftell (fp);
++ fseek (fp, 0, SEEK_SET);
++
+ if (strrchr (filename, '/'))
+ tmp = g_strdup_printf ("Loading %s:", strrchr (filename, '/') + 1);
+ else
+@@ -186,6 +191,16 @@ read_dds (gchar *filename,
+ }
+ }
+
++ /* verify header information is accurate */
++ if (hdr.depth < 1 ||
++ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
++ (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
++ {
++ fclose (fp);
++ g_message ("Invalid or corrupted DDS header\n");
++ return GIMP_PDB_EXECUTION_ERROR;
++ }
++
+ if (hdr.pixelfmt.flags & DDPF_FOURCC)
+ {
+ /* fourcc is dXt* or rXgb */
+--
+2.42.0
+
diff --git a/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch b/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch
new file mode 100644
index 0000000..3f32a28
--- /dev/null
+++ b/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch
@@ -0,0 +1,49 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Sat, 23 Sep 2023 20:40:18 +0000
+Subject: plug-ins: Fix vulnerabilities in file-psp
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/ef12c0a90752a06d4c465a768d052b07f5e8a8a0
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44444
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44443
+Bug-Debian: https://bugs.debian.org/1055984
+
+Backports commits e1bfd871 and 96f536a3
+from master
+---
+ plug-ins/common/file-psp.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index c0f3480641c2..6a6b93d0cde7 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -1128,8 +1128,17 @@ read_color_block (FILE *f,
+ }
+
+ color_palette_entries = GUINT32_FROM_LE (entry_count);
++ /* TODO: GIMP currently only supports a maximum of 256 colors
++ * in an indexed image. If this changes, we can change this check */
++ if (color_palette_entries > 256)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("Error: Unsupported palette size"));
++ return -1;
++ }
++
+ /* psp color palette entries are stored as RGBA so 4 bytes per entry
+- where the fourth bytes is always zero */
++ * where the fourth bytes is always zero */
+ pal_size = color_palette_entries * 4;
+ color_palette = g_malloc (pal_size);
+ if (fread (color_palette, pal_size, 1, f) < 1)
+@@ -1498,7 +1507,7 @@ read_channel_data (FILE *f,
+ else
+ endq = q + line_width * height;
+
+- buf = g_malloc (127);
++ buf = g_malloc (128);
+ while (q < endq)
+ {
+ fread (&runcount, 1, 1, f);
+--
+2.42.0
+
diff --git a/debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch b/debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch
new file mode 100644
index 0000000..a6ba842
--- /dev/null
+++ b/debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch
@@ -0,0 +1,29 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Fri, 29 Sep 2023 20:39:29 +0000
+Subject: plug-ins: Fix vulnerability in file-psd
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44442
+Bug-Debian: https://bugs.debian.org/1055984
+
+Resolves #10101.
+This patch adds a missing break statement after an error condition
+is detected to prevent the code from continuing afterwards.
+---
+ plug-ins/file-psd/psd-util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plug-ins/file-psd/psd-util.c b/plug-ins/file-psd/psd-util.c
+index 1eccdd640e1c..34b442dc4966 100644
+--- a/plug-ins/file-psd/psd-util.c
++++ b/plug-ins/file-psd/psd-util.c
+@@ -518,6 +518,7 @@ decode_packbits (const gchar *src,
+ {
+ IFDBG(2) g_debug ("Overrun in packbits replicate of %d chars", n - unpack_left);
+ error_code = 2;
++ break;
+ }
+ memset (dst, *src, n);
+ src++;
+--
+2.42.0
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..899cd95
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,7 @@
+01_hurd_ftbfs.patch
+02_hurd_ftbfs.patch
+plug-ins-Fix-vulnerabilities-in-file-psp.patch
+plug-ins-Fix-vulnerability-in-file-psd.patch
+plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
+plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
+plug-ins-Additional-fixes-for-DDS-Import.patch