community/gimp: security fixes

CVE-2017-17784, CVE-2017-17785, CVE-2017-17786, CVE-2017-17787, CVE-2017-17789

Fixes #8351

CVE-2017-17788 applies only to >= v2.9.6

7 files changed, 373 insertions, 3 deletions

diff --git a/community/gimp/APKBUILD b/community/gimp/APKBUILD
index a67b526f9e8..1e212aec703 100644
--- a/community/gimp/APKBUILD
+++ b/community/gimp/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=gimp
 pkgver=2.8.22
-pkgrel=1
+pkgrel=2
 pkgdesc="GNU Image Manipulation Program"
 url="https://www.gimp.org/"
 arch="all"
@@ -12,9 +12,25 @@ makedepends="gtk+-dev libxpm-dev libxmu-dev librsvg-dev dbus-glib-dev
 	libexif-dev desktop-file-utils intltool gegl-dev tiff-dev
 	libjpeg-turbo-dev libpng-dev iso-codes-dev lcms2-dev poppler-dev babl-dev"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
-source="https://download.gimp.org/mirror/pub/$pkgname/v${pkgver%.*}/$pkgname-$pkgver.tar.bz2"
+source="https://download.gimp.org/mirror/pub/$pkgname/v${pkgver%.*}/$pkgname-$pkgver.tar.bz2
+	CVE-2017-17784.patch
+	CVE-2017-17785.patch
+	CVE-2017-17786-1.patch
+	CVE-2017-17786-2.patch
+	CVE-2017-17787.patch
+	CVE-2017-17789.patch
+	"
 builddir="$srcdir/$pkgname-$pkgver"
 
+# secfixes:
+#   2.8.22-r2:
+#     - CVE-2017-17784
+#     - CVE-2017-17785
+#     - CVE-2017-17786
+#     - CVE-2017-17787
+#     - CVE-2017-17788
+#     - CVE-2017-17789
+
 build() {
 	cd "$builddir"
 	./configure \
@@ -43,4 +59,10 @@ dev() {
 	mv "$pkgdir"/usr/bin/gimptool* "$subpkgdir"/usr/bin
 }
 
-sha512sums="84a78d428282538b606b3cd1ff571e52c3d828fceade171b2012bc1cdcb85919fc7734e7e6c45ed3a8683657fa580412b32c1b511b8a512172a8c1df930493e6  gimp-2.8.22.tar.bz2"
+sha512sums="84a78d428282538b606b3cd1ff571e52c3d828fceade171b2012bc1cdcb85919fc7734e7e6c45ed3a8683657fa580412b32c1b511b8a512172a8c1df930493e6  gimp-2.8.22.tar.bz2
+8feab75b01c8d5d57bf869f64ca377f8cfb239079fba97f66bf34f341d9d15f9a8e403b1fe04d27bdbb39151f99a208aa5236c8dd0b6afeac45400a29efa0da7  CVE-2017-17784.patch
+51794739489a5e8babbc13c426dc34172caeab07cc8a64b5a8f19a4b88b736e3c9801cc4dadf6848b1e49031d2f1c7a336403a470a26a9ad8cad0a485a8342bd  CVE-2017-17785.patch
+d4887c49cf73c8f0238c338137ac94854524daea8535e206e34a9dfdb63dbc9ec91839d01085c484c995b26882215b652f4f7e23aa614f29272b5a18c8afc019  CVE-2017-17786-1.patch
+24d02cff72ec684aafd2cc6006955f283e6d5e102c37be0b426cade34219022a8225b367643ce3cfd786425fe53005e7db6a595ba507c7eacf402eebe2b44fa0  CVE-2017-17786-2.patch
+438376075d0a46809fd5f12f3d364b914c989ca512739b69da0f609100525da8dbc525ce57c144b5388eec525fd2d7b5c8098e63ddb70c68c186dee9b2ce7b83  CVE-2017-17787.patch
+f2f4aff0f0478356513a1f6da0732c5d0986ef1deb7b8e68bd283b7259887cf9a4d4785f00e48f03892cc86aa715b9764302640b2b891ab16617ef595ab779b8  CVE-2017-17789.patch"
diff --git a/community/gimp/CVE-2017-17784.patch b/community/gimp/CVE-2017-17784.patch
new file mode 100644
index 00000000000..c7df330409f
--- /dev/null
+++ b/community/gimp/CVE-2017-17784.patch
@@ -0,0 +1,32 @@
+From c57f9dcf1934a9ab0cd67650f2dea18cb0902270 Mon Sep 17 00:00:00 2001
+From: Jehan <jehan@girinstud.io>
+Date: Thu, 21 Dec 2017 12:25:32 +0100
+Subject: Bug 790784 - (CVE-2017-17784) heap overread in gbr parser /
+ load_image.
+
+We were assuming the input name was well formed, hence was
+nul-terminated. As any data coming from external input, this has to be
+thorougly checked.
+Similar to commit 06d24a79af94837d615d0024916bb95a01bf3c59 but adapted
+to older gimp-2-8 code.
+---
+ plug-ins/common/file-gbr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
+index b028100..d3f01d9 100644
+--- a/plug-ins/common/file-gbr.c
++++ b/plug-ins/common/file-gbr.c
+@@ -443,7 +443,8 @@ load_image (const gchar  *filename,
+     {
+       gchar *temp = g_new (gchar, bn_size);
+ 
+-      if ((read (fd, temp, bn_size)) < bn_size)
++      if ((read (fd, temp, bn_size)) < bn_size ||
++          temp[bn_size - 1] != '\0')
+         {
+           g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+                        _("Error in GIMP brush file '%s'"),
+-- 
+cgit v0.12
+
diff --git a/community/gimp/CVE-2017-17785.patch b/community/gimp/CVE-2017-17785.patch
new file mode 100644
index 00000000000..1f77d36ec6c
--- /dev/null
+++ b/community/gimp/CVE-2017-17785.patch
@@ -0,0 +1,161 @@
+From 1882bac996a20ab5c15c42b0c5e8f49033a1af54 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 29 Oct 2017 15:19:41 +0100
+Subject: Bug 739133 - (CVE-2017-17785) Heap overflow while parsing FLI files.
+
+It is possible to trigger a heap overflow while parsing FLI files. The
+RLE decoder is vulnerable to out of boundary writes due to lack of
+boundary checks.
+
+The variable "framebuf" points to a memory area which was allocated
+with fli_header->width * fli_header->height bytes. The RLE decoder
+therefore must never write beyond that limit.
+
+If an illegal frame is detected, the parser won't stop, which means
+that the next valid sequence is properly parsed again. This should
+allow GIMP to parse FLI files as good as possible even if they are
+broken by an attacker or by accident.
+
+While at it, I changed the variable xc to be of type size_t, because
+the multiplication of width and height could overflow a 16 bit type.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+(cherry picked from commit edb251a7ef1602d20a5afcbf23f24afb163de63b)
+---
+ plug-ins/file-fli/fli.c | 50 ++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 35 insertions(+), 15 deletions(-)
+
+diff --git a/plug-ins/file-fli/fli.c b/plug-ins/file-fli/fli.c
+index 313efeb..ffb651e 100644
+--- a/plug-ins/file-fli/fli.c
++++ b/plug-ins/file-fli/fli.c
+@@ -25,6 +25,8 @@
+ 
+ #include "config.h"
+ 
++#include <glib/gstdio.h>
++
+ #include <string.h>
+ #include <stdio.h>
+ 
+@@ -461,23 +463,27 @@ void fli_read_brun(FILE *f, s_fli_header *fli_header, unsigned char *framebuf)
+ 	unsigned short yc;
+ 	unsigned char *pos;
+ 	for (yc=0; yc < fli_header->height; yc++) {
+-		unsigned short xc, pc, pcnt;
++		unsigned short pc, pcnt;
++		size_t n, xc;
+ 		pc=fli_read_char(f);
+ 		xc=0;
+ 		pos=framebuf+(fli_header->width * yc);
++		n=(size_t)fli_header->width * (fli_header->height-yc);
+ 		for (pcnt=pc; pcnt>0; pcnt--) {
+ 			unsigned short ps;
+ 			ps=fli_read_char(f);
+ 			if (ps & 0x80) {
+ 				unsigned short len;
+-				for (len=-(signed char)ps; len>0; len--) {
++				for (len=-(signed char)ps; len>0 && xc<n; len--) {
+ 					pos[xc++]=fli_read_char(f);
+ 				}
+ 			} else {
+ 				unsigned char val;
++				size_t len;
++				len=MIN(n-xc,ps);
+ 				val=fli_read_char(f);
+-				memset(&(pos[xc]), val, ps);
+-				xc+=ps;
++				memset(&(pos[xc]), val, len);
++				xc+=len;
+ 			}
+ 		}
+ 	}
+@@ -564,25 +570,34 @@ void fli_read_lc(FILE *f, s_fli_header *fli_header, unsigned char *old_framebuf,
+ 	memcpy(framebuf, old_framebuf, fli_header->width * fli_header->height);
+ 	firstline = fli_read_short(f);
+ 	numline = fli_read_short(f);
++	if (numline > fli_header->height || fli_header->height-numline < firstline)
++		return;
++
+ 	for (yc=0; yc < numline; yc++) {
+-		unsigned short xc, pc, pcnt;
++		unsigned short pc, pcnt;
++		size_t n, xc;
+ 		pc=fli_read_char(f);
+ 		xc=0;
+ 		pos=framebuf+(fli_header->width * (firstline+yc));
++		n=(size_t)fli_header->width * (fli_header->height-firstline-yc);
+ 		for (pcnt=pc; pcnt>0; pcnt--) {
+ 			unsigned short ps,skip;
+ 			skip=fli_read_char(f);
+ 			ps=fli_read_char(f);
+-			xc+=skip;
++			xc+=MIN(n-xc,skip);
+ 			if (ps & 0x80) {
+ 				unsigned char val;
++				size_t len;
+ 				ps=-(signed char)ps;
+ 				val=fli_read_char(f);
+-				memset(&(pos[xc]), val, ps);
+-				xc+=ps;
++				len=MIN(n-xc,ps);
++				memset(&(pos[xc]), val, len);
++				xc+=len;
+ 			} else {
+-				fread(&(pos[xc]), ps, 1, f);
+-				xc+=ps;
++				size_t len;
++				len=MIN(n-xc,ps);
++				fread(&(pos[xc]), len, 1, f);
++				xc+=len;
+ 			}
+ 		}
+ 	}
+@@ -689,7 +704,8 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu
+ 	yc=0;
+ 	numline = fli_read_short(f);
+ 	for (lc=0; lc < numline; lc++) {
+-		unsigned short xc, pc, pcnt, lpf, lpn;
++		unsigned short pc, pcnt, lpf, lpn;
++		size_t n, xc;
+ 		pc=fli_read_short(f);
+ 		lpf=0; lpn=0;
+ 		while (pc & 0x8000) {
+@@ -700,26 +716,30 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu
+ 			}
+ 			pc=fli_read_short(f);
+ 		}
++		yc=MIN(yc, fli_header->height);
+ 		xc=0;
+ 		pos=framebuf+(fli_header->width * yc);
++		n=(size_t)fli_header->width * (fli_header->height-yc);
+ 		for (pcnt=pc; pcnt>0; pcnt--) {
+ 			unsigned short ps,skip;
+ 			skip=fli_read_char(f);
+ 			ps=fli_read_char(f);
+-			xc+=skip;
++			xc+=MIN(n-xc,skip);
+ 			if (ps & 0x80) {
+ 				unsigned char v1,v2;
+ 				ps=-(signed char)ps;
+ 				v1=fli_read_char(f);
+ 				v2=fli_read_char(f);
+-				while (ps>0) {
++				while (ps>0 && xc+1<n) {
+ 					pos[xc++]=v1;
+ 					pos[xc++]=v2;
+ 					ps--;
+ 				}
+ 			} else {
+-				fread(&(pos[xc]), ps, 2, f);
+-				xc+=ps << 1;
++				size_t len;
++				len=MIN((n-xc)/2,ps);
++				fread(&(pos[xc]), len, 2, f);
++				xc+=len << 1;
+ 			}
+ 		}
+ 		if (lpf) pos[xc]=lpn;
+-- 
+cgit v0.12
+
diff --git a/community/gimp/CVE-2017-17786-1.patch b/community/gimp/CVE-2017-17786-1.patch
new file mode 100644
index 00000000000..4047f7cb3c9
--- /dev/null
+++ b/community/gimp/CVE-2017-17786-1.patch
@@ -0,0 +1,53 @@
+From ef9c821fff8b637a2178eab1c78cae6764c50e12 Mon Sep 17 00:00:00 2001
+From: Jehan <jehan@girinstud.io>
+Date: Wed, 20 Dec 2017 13:02:38 +0100
+Subject: Bug 739134 - (CVE-2017-17786) Out of bounds read / heap overflow
+ in...
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+... TGA importer.
+
+Be more thorough on valid TGA RGB and RGBA images.
+In particular current TGA plug-in can import RGBA as 32 bits (8 bits per
+channel) and 16 bits (5 bits per color channel and 1 bit for alpha), and
+RGB as 15 and 24 bits.
+Maybe there exist more variants, but if they do exist, we simply don't
+support them yet.
+
+Thanks to Hanno Böck for the report and a first patch attempt.
+
+(cherry picked from commit 674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b)
+---
+ plug-ins/common/file-tga.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
+index aef9870..426acc2 100644
+--- a/plug-ins/common/file-tga.c
++++ b/plug-ins/common/file-tga.c
+@@ -564,12 +564,16 @@ load_image (const gchar  *filename,
+           }
+         break;
+       case TGA_TYPE_COLOR:
+-        if (info.bpp != 15 && info.bpp != 16 &&
+-            info.bpp != 24 && info.bpp != 32)
++        if ((info.bpp != 15 && info.bpp != 16 &&
++             info.bpp != 24 && info.bpp != 32)      ||
++            ((info.bpp == 15 || info.bpp == 24) &&
++             info.alphaBits != 0)                   ||
++            (info.bpp == 16 && info.alphaBits != 1) ||
++            (info.bpp == 32 && info.alphaBits != 8))
+           {
+-            g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)",
++            g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
+                        gimp_filename_to_utf8 (filename),
+-                       info.imageType, info.bpp);
++                       info.imageType, info.bpp, info.alphaBits);
+             return -1;
+           }
+         break;
+-- 
+cgit v0.12
+
diff --git a/community/gimp/CVE-2017-17786-2.patch b/community/gimp/CVE-2017-17786-2.patch
new file mode 100644
index 00000000000..7177dd3c1f1
--- /dev/null
+++ b/community/gimp/CVE-2017-17786-2.patch
@@ -0,0 +1,31 @@
+From 22e2571c25425f225abdb11a566cc281fca6f366 Mon Sep 17 00:00:00 2001
+From: Jehan <jehan@girinstud.io>
+Date: Wed, 20 Dec 2017 13:26:26 +0100
+Subject: plug-ins: TGA 16-bit RGB (without alpha bit) is also valid.
+
+According to some spec on the web, 16-bit RGB is also valid. In this
+case, the last bit is simply ignored (at least that's how it is
+implemented right now).
+
+(cherry picked from commit 8ea316667c8a3296bce2832b3986b58d0fdfc077)
+---
+ plug-ins/common/file-tga.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
+index 426acc2..eb14a1d 100644
+--- a/plug-ins/common/file-tga.c
++++ b/plug-ins/common/file-tga.c
+@@ -568,7 +568,8 @@ load_image (const gchar  *filename,
+              info.bpp != 24 && info.bpp != 32)      ||
+             ((info.bpp == 15 || info.bpp == 24) &&
+              info.alphaBits != 0)                   ||
+-            (info.bpp == 16 && info.alphaBits != 1) ||
++            (info.bpp == 16 && info.alphaBits != 1 &&
++             info.alphaBits != 0)                   ||
+             (info.bpp == 32 && info.alphaBits != 8))
+           {
+             g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
+-- 
+cgit v0.12
+
diff --git a/community/gimp/CVE-2017-17787.patch b/community/gimp/CVE-2017-17787.patch
new file mode 100644
index 00000000000..654726388ea
--- /dev/null
+++ b/community/gimp/CVE-2017-17787.patch
@@ -0,0 +1,33 @@
+From 87ba505fff85989af795f4ab6a047713f4d9381d Mon Sep 17 00:00:00 2001
+From: Jehan <jehan@girinstud.io>
+Date: Thu, 21 Dec 2017 12:49:41 +0100
+Subject: Bug 790853 - (CVE-2017-17787) heap overread in psp importer.
+
+As any external data, we have to check that strings being read at fixed
+length are properly nul-terminated.
+
+(cherry picked from commit eb2980683e6472aff35a3117587c4f814515c74d)
+---
+ plug-ins/common/file-psp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index 4cbafe3..e350e4d 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -890,6 +890,12 @@ read_creator_block (FILE     *f,
+               g_free (string);
+               return -1;
+             }
++          if (string[length - 1] != '\0')
++            {
++              g_message ("Creator keyword data not nul-terminated");
++              g_free (string);
++              return -1;
++            }
+           switch (keyword)
+             {
+             case PSP_CRTR_FLD_TITLE:
+-- 
+cgit v0.12
+
diff --git a/community/gimp/CVE-2017-17789.patch b/community/gimp/CVE-2017-17789.patch
new file mode 100644
index 00000000000..3d63694f679
--- /dev/null
+++ b/community/gimp/CVE-2017-17789.patch
@@ -0,0 +1,38 @@
+From 01898f10f87a094665a7fdcf7153990f4e511d3f Mon Sep 17 00:00:00 2001
+From: Jehan <jehan@girinstud.io>
+Date: Wed, 20 Dec 2017 16:44:20 +0100
+Subject: Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer overflow...
+
+... in PSP importer.
+Check if declared block length is valid (i.e. within the actual file)
+before going further.
+Consider the file as broken otherwise and fail loading it.
+
+(cherry picked from commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8)
+---
+ plug-ins/common/file-psp.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index ac0fff7..4cbafe3 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -1771,6 +1771,15 @@ load_image (const gchar  *filename,
+     {
+       block_start = ftell (f);
+ 
++      if (block_start + block_total_len > st.st_size)
++        {
++          g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++                       _("Could not open '%s' for reading: %s"),
++                       gimp_filename_to_utf8 (filename),
++                       _("invalid block size"));
++          goto error;
++        }
++
+       if (id == PSP_IMAGE_BLOCK)
+         {
+           if (block_number != 0)
+-- 
+cgit v0.12
+