diff -Nru gimp-2.8.20/debian/changelog gimp-2.8.20/debian/changelog
--- gimp-2.8.20/debian/changelog 2017-03-04 21:15:02.000000000 +0000
+++ gimp-2.8.20/debian/changelog 2017-12-26 21:11:46.000000000 +0000
@@ -1,3 +1,24 @@
+gimp (2.8.20-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+
+ [ Ari Pollak ]
+ * Move gimp to Enhances on gimp-data instead of Recommends (Closes: #860766)
+
+ [ Salvatore Bonaccorso ]
+ * Out of bounds read / heap overflow in TGA importer (CVE-2017-17786)
+ (Closes: #884862)
+ * plug-ins: TGA 16-bit RGB (without alpha bit) is also valid
+ * Heap buffer overflow in PSP importer (CVE-2017-17789) (Closes: #884837)
+ * heap overread in gbr parser / load_image (CVE-2017-17784)
+ (Closes: #884925)
+ * heap overread in psp importer (CVE-2017-17787) (Closes: #884927)
+ * Heap overflow while parsing FLI files (CVE-2017-17785) (Closes: #884836)
+ * buffer overread in XCF parser if version field has no null terminator
+ (CVE-2017-17788) (Closes: #885347)
+
+ -- Salvatore Bonaccorso Tue, 26 Dec 2017 22:11:46 +0100
+
 gimp (2.8.20-1) unstable; urgency=low
 * New upstream version 2.8.20
diff -Nru gimp-2.8.20/debian/control gimp-2.8.20/debian/control
--- gimp-2.8.20/debian/control 2016-09-11 22:27:25.000000000 +0000
+++ gimp-2.8.20/debian/control 2017-12-26 21:11:46.000000000 +0000
@@ -109,7 +109,7 @@
 Package: gimp-data
 Architecture: all
-Recommends: gimp
+Enhances: gimp
 Depends: ${misc:Depends}
 Conflicts: gimp (<< 2.4.0~rc2-2), gimp-python (<< 2.6.0)
diff -Nru gimp-2.8.20/debian/patches/790783-buffer-overread-in-XCF-parser-if-version-fiel.patch gimp-2.8.20/debian/patches/790783-buffer-overread-in-XCF-parser-if-version-fiel.patch
--- gimp-2.8.20/debian/patches/790783-buffer-overread-in-XCF-parser-if-version-fiel.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-2.8.20/debian/patches/790783-buffer-overread-in-XCF-parser-if-version-fiel.patch 2017-12-26 21:11:46.000000000 +0000
@@ -0,0 +1,29 @@
+From: Hanno Boeck
+Date: Mon, 27 Nov 2017 00:37:29 +0100
+Subject: 790783 - buffer overread in XCF parser if version field...
+Origin: https://git.gnome.org/browse/GIMP/commit/?id=702c4227e8b6169f781e4bb5ae4b5733f51ab126
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17788
+Bug-Debian: https://bugs.debian.org/885347
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=790783
+
+...has no null terminator
+
+Check for the presence of '\0' before using atoi() on the version
+string. Patch slightly modified (mitch).
+[carnil: backport to gimp-2-8: affected code in xcf_load_invoker]
+---
+ app/xcf/xcf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/app/xcf/xcf.c
++++ b/app/xcf/xcf.c
+@@ -318,7 +318,8 @@ xcf_load_invoker (GimpProcedure *pr
+ {
+ info.file_version = 0;
+ }
+- else if (id[9] == 'v')
++ else if (id[9] == 'v' &&
++ id[13] == '\0')
+ {
+ info.file_version = atoi (id + 10);
+ }
diff -Nru gimp-2.8.20/debian/patches/Bug-739133-CVE-2017-17785-Heap-overflow-while-parsin.patch gimp-2.8.20/debian/patches/Bug-739133-CVE-2017-17785-Heap-overflow-while-parsin.patch
--- gimp-2.8.20/debian/patches/Bug-739133-CVE-2017-17785-Heap-overflow-while-parsin.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-2.8.20/debian/patches/Bug-739133-CVE-2017-17785-Heap-overflow-while-parsin.patch 2017-12-26 21:11:46.000000000 +0000
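Review bot: The new `id[13] == '\0'` test in xcf_load_invoker only keeps atoi() from running past the end of id; it still accepts whatever bytes sit in id[10..12], so a header such as `gimp xcf v-1` followed by NULs yields a negative file_version and any later range check (outside this hunk) is the only thing between that value and the version-dependent loaders. If the field is always three decimal digits, say so in the condition: `else if (id[9] == 'v' && id[13] == '\0' && g_ascii_isdigit (id[10]) && g_ascii_isdigit (id[11]) && g_ascii_isdigit (id[12]))`. The guard also presumes id holds at least 14 bytes; the declaration and the read that fills it are outside the hunk and worth confirming in the backport. xcf_load_invoker begins and ends outside the hunk.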
@@ -0,0 +1,164 @@
+From: Tobias Stoeckmann
+Date: Sun, 29 Oct 2017 15:19:41 +0100
+Subject: Bug 739133 - (CVE-2017-17785) Heap overflow while parsing FLI files.
+Origin: https://git.gnome.org/browse/GIMP/commit/?id=1882bac996a20ab5c15c42b0c5e8f49033a1af54
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17785
+Bug-Debian: https://bugs.debian.org/884836
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=739133
+
+It is possible to trigger a heap overflow while parsing FLI files. The
+RLE decoder is vulnerable to out of boundary writes due to lack of
+boundary checks.
+
+The variable "framebuf" points to a memory area which was allocated
+with fli_header->width * fli_header->height bytes. The RLE decoder
+therefore must never write beyond that limit.
+
+If an illegal frame is detected, the parser won't stop, which means
+that the next valid sequence is properly parsed again. This should
+allow GIMP to parse FLI files as good as possible even if they are
+broken by an attacker or by accident.
+
+While at it, I changed the variable xc to be of type size_t, because
+the multiplication of width and height could overflow a 16 bit type.
+ +Signed-off-by: Tobias Stoeckmann +(cherry picked from commit edb251a7ef1602d20a5afcbf23f24afb163de63b) +--- + plug-ins/file-fli/fli.c | 50 ++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 35 insertions(+), 15 deletions(-) + +diff --git a/plug-ins/file-fli/fli.c b/plug-ins/file-fli/fli.c +index 313efeb977..ffb651e2af 100644 +--- a/plug-ins/file-fli/fli.c ++++ b/plug-ins/file-fli/fli.c +@@ -25,6 +25,8 @@ + + #include "config.h" + ++#include ++ + #include + #include + +@@ -461,23 +463,27 @@ void fli_read_brun(FILE *f, s_fli_header *fli_header, unsigned char *framebuf) + unsigned short yc; + unsigned char *pos; + for (yc=0; yc < fli_header->height; yc++) { +- unsigned short xc, pc, pcnt; ++ unsigned short pc, pcnt; ++ size_t n, xc; + pc=fli_read_char(f); + xc=0; + pos=framebuf+(fli_header->width * yc); ++ n=(size_t)fli_header->width * (fli_header->height-yc); + for (pcnt=pc; pcnt>0; pcnt--) { + unsigned short ps; + ps=fli_read_char(f); + if (ps & 0x80) { + unsigned short len; +- for (len=-(signed char)ps; len>0; len--) { ++ for (len=-(signed char)ps; len>0 && xcwidth * fli_header->height); + firstline = fli_read_short(f); + numline = fli_read_short(f); ++ if (numline > fli_header->height || fli_header->height-numline < firstline) ++ return; ++ + for (yc=0; yc < numline; yc++) { +- unsigned short xc, pc, pcnt; ++ unsigned short pc, pcnt; ++ size_t n, xc; + pc=fli_read_char(f); + xc=0; + pos=framebuf+(fli_header->width * (firstline+yc)); ++ n=(size_t)fli_header->width * (fli_header->height-firstline-yc); + for (pcnt=pc; pcnt>0; pcnt--) { + unsigned short ps,skip; + skip=fli_read_char(f); + ps=fli_read_char(f); +- xc+=skip; ++ xc+=MIN(n-xc,skip); + if (ps & 0x80) { + unsigned char val; ++ size_t len; + ps=-(signed char)ps; + val=fli_read_char(f); +- memset(&(pos[xc]), val, ps); +- xc+=ps; ++ len=MIN(n-xc,ps); ++ memset(&(pos[xc]), val, len); ++ xc+=len; + } else { +- fread(&(pos[xc]), ps, 1, f); +- xc+=ps; ++ size_t len; ++ len=MIN(n-xc,ps); ++ 
fread(&(pos[xc]), len, 1, f); ++ xc+=len; + } + } + } +@@ -689,7 +704,8 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu + yc=0; + numline = fli_read_short(f); + for (lc=0; lc < numline; lc++) { +- unsigned short xc, pc, pcnt, lpf, lpn; ++ unsigned short pc, pcnt, lpf, lpn; ++ size_t n, xc; + pc=fli_read_short(f); + lpf=0; lpn=0; + while (pc & 0x8000) { +@@ -700,26 +716,30 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu + } + pc=fli_read_short(f); + } ++ yc=MIN(yc, fli_header->height); + xc=0; + pos=framebuf+(fli_header->width * yc); ++ n=(size_t)fli_header->width * (fli_header->height-yc); + for (pcnt=pc; pcnt>0; pcnt--) { + unsigned short ps,skip; + skip=fli_read_char(f); + ps=fli_read_char(f); +- xc+=skip; ++ xc+=MIN(n-xc,skip); + if (ps & 0x80) { + unsigned char v1,v2; + ps=-(signed char)ps; + v1=fli_read_char(f); + v2=fli_read_char(f); +- while (ps>0) { ++ while (ps>0 && xc+1 +Date: Wed, 20 Dec 2017 13:02:38 +0100 +Subject: Bug 739134 - (CVE-2017-17786) Out of bounds read / heap overflow + in... +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Origin: https://git.gnome.org/browse/GIMP/commit/?id=ef9c821fff8b637a2178eab1c78cae6764c50e12 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17786 +Bug-Debian: https://bugs.debian.org/884862 +Bug: https://bugzilla.gnome.org/show_bug.cgi?id=739134 + +... TGA importer. + +Be more thorough on valid TGA RGB and RGBA images. +In particular current TGA plug-in can import RGBA as 32 bits (8 bits per +channel) and 16 bits (5 bits per color channel and 1 bit for alpha), and +RGB as 15 and 24 bits. +Maybe there exist more variants, but if they do exist, we simply don't +support them yet. + +Thanks to Hanno Böck for the report and a first patch attempt. 
+
+(cherry picked from commit 674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b)
+---
+ plug-ins/common/file-tga.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
+index aef98702d4..426acc2925 100644
+--- a/plug-ins/common/file-tga.c
++++ b/plug-ins/common/file-tga.c
+@@ -564,12 +564,16 @@ load_image (const gchar *filename,
+ }
+ break;
+ case TGA_TYPE_COLOR:
+- if (info.bpp != 15 && info.bpp != 16 &&
+- info.bpp != 24 && info.bpp != 32)
++ if ((info.bpp != 15 && info.bpp != 16 &&
++ info.bpp != 24 && info.bpp != 32) ||
++ ((info.bpp == 15 || info.bpp == 24) &&
++ info.alphaBits != 0) ||
++ (info.bpp == 16 && info.alphaBits != 1) ||
++ (info.bpp == 32 && info.alphaBits != 8))
+ {
+- g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)",
++ g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
+ gimp_filename_to_utf8 (filename),
+- info.imageType, info.bpp);
++ info.imageType, info.bpp, info.alphaBits);
+ return -1;
+ }
+ break;
+--
+2.15.1
+
diff -Nru gimp-2.8.20/debian/patches/Bug-790784-CVE-2017-17784-heap-overread-in-gbr-parse.patch gimp-2.8.20/debian/patches/Bug-790784-CVE-2017-17784-heap-overread-in-gbr-parse.patch
--- gimp-2.8.20/debian/patches/Bug-790784-CVE-2017-17784-heap-overread-in-gbr-parse.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-2.8.20/debian/patches/Bug-790784-CVE-2017-17784-heap-overread-in-gbr-parse.patch 2017-12-26 21:11:46.000000000 +0000
@@ -0,0 +1,35 @@
+From: Jehan
+Date: Thu, 21 Dec 2017 12:25:32 +0100
+Subject: Bug 790784 - (CVE-2017-17784) heap overread in gbr parser /
+ load_image.
+Origin: https://git.gnome.org/browse/GIMP/commit/?id=c57f9dcf1934a9ab0cd67650f2dea18cb0902270
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17784
+Bug-Debian: https://bugs.debian.org/884925
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=790784
+
+We were assuming the input name was well formed, hence was
+nul-terminated. As any data coming from external input, this has to be
+thorougly checked.
+Similar to commit 06d24a79af94837d615d0024916bb95a01bf3c59 but adapted
+to older gimp-2-8 code.
+---
+ plug-ins/common/file-gbr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
+index b028100bef..d3f01d9c56 100644
+--- a/plug-ins/common/file-gbr.c
++++ b/plug-ins/common/file-gbr.c
+@@ -443,7 +443,8 @@ load_image (const gchar *filename,
+ {
+ gchar *temp = g_new (gchar, bn_size);
+
+- if ((read (fd, temp, bn_size)) < bn_size)
++ if ((read (fd, temp, bn_size)) < bn_size ||
++ temp[bn_size - 1] != '\0')
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("Error in GIMP brush file '%s'"),
+--
+2.15.1
+
diff -Nru gimp-2.8.20/debian/patches/Bug-790849-CVE-2017-17789-CVE-2017-17789-Heap-buffer.patch gimp-2.8.20/debian/patches/Bug-790849-CVE-2017-17789-CVE-2017-17789-Heap-buffer.patch
--- gimp-2.8.20/debian/patches/Bug-790849-CVE-2017-17789-CVE-2017-17789-Heap-buffer.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-2.8.20/debian/patches/Bug-790849-CVE-2017-17789-CVE-2017-17789-Heap-buffer.patch 2017-12-26 21:11:46.000000000 +0000
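Review bot: The added `temp[bn_size - 1] != '\0'` test reads one byte before the allocation if bn_size can be 0, and the condition guarding this block (outside the hunk) is not visible here, so the invariant should be local to the check: `if (bn_size < 1 || (read (fd, temp, bn_size)) < bn_size || temp[bn_size - 1] != '\0')`. Separately, the pre-existing `read (...) < bn_size` comparison only catches a failed read (-1) if bn_size is a signed type; if it is declared unsigned the -1 is converted before the comparison and the failure is missed, so the declaration is worth checking in the backport. load_image begins and ends outside the hunk.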
@@ -0,0 +1,41 @@
+From: Jehan
+Date: Wed, 20 Dec 2017 16:44:20 +0100
+Subject: Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer overflow...
+Origin: https://git.gnome.org/browse/GIMP/commit/?id=01898f10f87a094665a7fdcf7153990f4e511d3f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17789
+Bug-Debian: https://bugs.debian.org/884837
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=790849
+
+... in PSP importer.
+Check if declared block length is valid (i.e. within the actual file)
+before going further.
+Consider the file as broken otherwise and fail loading it.
+
+(cherry picked from commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8)
+---
+ plug-ins/common/file-psp.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index ac0fff78f0..4cbafe37b1 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -1771,6 +1771,15 @@ load_image (const gchar *filename,
+ {
+ block_start = ftell (f);
+
++ if (block_start + block_total_len > st.st_size)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("Could not open '%s' for reading: %s"),
++ gimp_filename_to_utf8 (filename),
++ _("invalid block size"));
++ goto error;
++ }
++
+ if (id == PSP_IMAGE_BLOCK)
+ {
+ if (block_number != 0)
+--
+2.15.1
+
diff -Nru gimp-2.8.20/debian/patches/Bug-790853-CVE-2017-17787-heap-overread-in-psp-impor.patch gimp-2.8.20/debian/patches/Bug-790853-CVE-2017-17787-heap-overread-in-psp-impor.patch
--- gimp-2.8.20/debian/patches/Bug-790853-CVE-2017-17787-heap-overread-in-psp-impor.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-2.8.20/debian/patches/Bug-790853-CVE-2017-17787-heap-overread-in-psp-impor.patch 2017-12-26 21:11:46.000000000 +0000
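Review bot: The new bound `block_start + block_total_len > st.st_size` is evaluated in whatever type block_total_len has (declared outside the hunk); if that is a 32-bit unsigned value and long is 32 bits, a crafted length near 4 GiB wraps the sum below st_size and the check passes, and a failed ftell() (-1) likewise slips through as a negative block_start. Do the comparison in a fixed 64-bit type and reject the error value: `if (block_start < 0 || (gint64) block_start + (gint64) block_total_len > (gint64) st.st_size)`. The error text reuses `_("Could not open '%s' for reading: %s")` for what is a malformed-file condition, which points users at permissions rather than at the file; a dedicated string such as `_("Invalid block size in '%s'")` would be clearer, at the cost of one new translatable message. load_image begins and ends outside the hunk.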
@@ -0,0 +1,36 @@
+From: Jehan
+Date: Thu, 21 Dec 2017 12:49:41 +0100
+Subject: Bug 790853 - (CVE-2017-17787) heap overread in psp importer.
+Origin: https://git.gnome.org/browse/GIMP/commit/?id=87ba505fff85989af795f4ab6a047713f4d9381d
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17787
+Bug-Debian: https://bugs.debian.org/884927
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=790853
+
+As any external data, we have to check that strings being read at fixed
+length are properly nul-terminated.
+
+(cherry picked from commit eb2980683e6472aff35a3117587c4f814515c74d)
+---
+ plug-ins/common/file-psp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index 4cbafe37b1..e350e4d88d 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -890,6 +890,12 @@ read_creator_block (FILE *f,
+ g_free (string);
+ return -1;
+ }
++ if (string[length - 1] != '\0')
++ {
++ g_message ("Creator keyword data not nul-terminated");
++ g_free (string);
++ return -1;
++ }
+ switch (keyword)
+ {
+ case PSP_CRTR_FLD_TITLE:
+--
+2.15.1
+
diff -Nru gimp-2.8.20/debian/patches/plug-ins-TGA-16-bit-RGB-without-alpha-bit-is-also-va.patch gimp-2.8.20/debian/patches/plug-ins-TGA-16-bit-RGB-without-alpha-bit-is-also-va.patch
--- gimp-2.8.20/debian/patches/plug-ins-TGA-16-bit-RGB-without-alpha-bit-is-also-va.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-2.8.20/debian/patches/plug-ins-TGA-16-bit-RGB-without-alpha-bit-is-also-va.patch 2017-12-26 21:11:46.000000000 +0000
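Review bot: `string[length - 1]` indexes before the buffer when length is 0; the read-error path visible just above may already reject that case, but how length is obtained and validated is outside the hunk, so make the check self-contained: `if (length == 0 || string[length - 1] != '\0')`. The diagnostic goes through g_message() while the other fixes in this upload report via g_set_error(); if read_creator_block has access to the caller's GError, routing this failure the same way would keep the loader's error reporting consistent. read_creator_block begins and ends outside the hunk.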
@@ -0,0 +1,32 @@
+From: Jehan
+Date: Wed, 20 Dec 2017 13:26:26 +0100
+Subject: plug-ins: TGA 16-bit RGB (without alpha bit) is also valid.
+Origin: https://git.gnome.org/browse/GIMP/commit/?id=22e2571c25425f225abdb11a566cc281fca6f366
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=739134
+
+According to some spec on the web, 16-bit RGB is also valid. In this
+case, the last bit is simply ignored (at least that's how it is
+implemented right now).
+
+(cherry picked from commit 8ea316667c8a3296bce2832b3986b58d0fdfc077)
+---
+ plug-ins/common/file-tga.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
+index 426acc2925..eb14a1dadc 100644
+--- a/plug-ins/common/file-tga.c
++++ b/plug-ins/common/file-tga.c
+@@ -568,7 +568,8 @@ load_image (const gchar *filename,
+ info.bpp != 24 && info.bpp != 32) ||
+ ((info.bpp == 15 || info.bpp == 24) &&
+ info.alphaBits != 0) ||
+- (info.bpp == 16 && info.alphaBits != 1) ||
++ (info.bpp == 16 && info.alphaBits != 1 &&
++ info.alphaBits != 0) ||
+ (info.bpp == 32 && info.alphaBits != 8))
+ {
+ g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
+--
+2.15.1
+
diff -Nru gimp-2.8.20/debian/patches/series gimp-2.8.20/debian/patches/series
--- gimp-2.8.20/debian/patches/series 2016-07-14 20:56:16.000000000 +0000
+++ gimp-2.8.20/debian/patches/series 2017-12-26 21:11:46.000000000 +0000
@@ -2,3 +2,10 @@
 01_hurd_ftbfs.patch
 bump_Babl-GEGL_versions.patch
 fix_GEGL_FTBFS.patch
+Bug-739134-CVE-2017-17786-Out-of-bounds-read-heap-ov.patch
+plug-ins-TGA-16-bit-RGB-without-alpha-bit-is-also-va.patch
+Bug-790849-CVE-2017-17789-CVE-2017-17789-Heap-buffer.patch
+Bug-790784-CVE-2017-17784-heap-overread-in-gbr-parse.patch
+Bug-790853-CVE-2017-17787-heap-overread-in-psp-impor.patch
+Bug-739133-CVE-2017-17785-Heap-overflow-while-parsin.patch
+790783-buffer-overread-in-XCF-parser-if-version-fiel.patch
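Review bot: The acceptance rule for TGA_TYPE_COLOR now spans six clauses of bpp/alphaBits combinations, and the reason 16-bit with alphaBits == 0 is allowed lives only in the commit message, so the next reader cannot tell whether 16/0 is deliberate or an oversight; add a comment above the `if`, e.g. `/* Accepted (bpp, alphaBits) pairs: 15/0, 16/0 or 16/1 (per the commit message the unused 16th bit is ignored), 24/0, 32/8 */`. Longer term the condition reads better as a small lookup table or a `static gboolean tga_color_format_supported (guint bpp, guint alpha_bits)` helper with one line per accepted pair. load_image begins and ends outside the hunk.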