authorNatanael Copa <ncopa@alpinelinux.org>2012-07-03 12:57:03 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2012-07-03 13:22:56 +0000
commit7cbf993f1a9a0f30b833795efddd3979c2d646b9 (patch)
treedfac3fb7eb72db1915631bb2a4b624b71dd2c578
parent091c1d85c06009c152eea01ff3fbab169a04bdf5 (diff)
main/gimp: upgrade to 2.6.12 and fix CVE-2012-2763
fixes #1200
-rw-r--r--main/gimp/APKBUILD10
-rw-r--r--main/gimp/CVE-2012-2763.patch122
-rw-r--r--main/gimp/cve-2011-2896.patch61
3 files changed, 127 insertions, 66 deletions
diff --git a/main/gimp/APKBUILD b/main/gimp/APKBUILD
index 4680c599c62..7e2bc9e9a94 100644
--- a/main/gimp/APKBUILD
+++ b/main/gimp/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gimp
-pkgver=2.6.11
-pkgrel=2
+pkgver=2.6.12
+pkgrel=0
pkgdesc="GNU Image Manipulation Program"
url="http://www.gimp.org/"
arch="all"
@@ -12,7 +12,7 @@ makedepends="gtk+-dev libxpm-dev libxmu-dev librsvg-dev dbus-glib-dev
install=
subpackages="$pkgname-dev $pkgname-doc"
source="ftp://ftp.$pkgname.org/pub/$pkgname/v2.6/$pkgname-$pkgver.tar.bz2
- cve-2011-2896.patch"
+ CVE-2012-2763.patch"
prepare() {
cd "$srcdir"/$pkgname-$pkgver
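Review bot: Removing `cve-2011-2896.patch` from `source` is only safe if the 2.6.12 tarball already contains that GIF LZW fix, and neither the APKBUILD nor the commit message records that it does. Once this is confirmed against the upstream release notes, a one-line comment above `source=` such as `# cve-2011-2896.patch dropped: fix is part of upstream 2.6.12` would let a later audit see why the older CVE patch disappeared. prepare() continues outside the hunk.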
@@ -44,5 +44,5 @@ package() {
make DESTDIR="$pkgdir" install || return 1
ln -s gimptool-2.0 "$pkgdir/usr/bin/gimptool" || return 1
}
-md5sums="bb2939fe13e54fc7255cef5d097bb5dd gimp-2.6.11.tar.bz2
-c317eae455c808b8434e9b600afee648 cve-2011-2896.patch"
+md5sums="9f876ee63a0c4a4c83f50f32fb3bbe63 gimp-2.6.12.tar.bz2
+5ec673cf5c153af8a19eb264bea5d3f5 CVE-2012-2763.patch"
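Review bot: The new `md5sums` entries are the only integrity check on a tarball that the `source` line (previous hunk) fetches over plain `ftp://`, so neither the transport nor the digest resists tampering. If the abuild version in use accepts a stronger checksum array, add one alongside, e.g. `sha512sums="<sha512-of-tarball-placeholder>  gimp-2.6.12.tar.bz2"`, with the value computed from a copy checked against an upstream-published checksum or signature. The same applies to the `CVE-2012-2763.patch` entry, which is the security fix itself.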
diff --git a/main/gimp/CVE-2012-2763.patch b/main/gimp/CVE-2012-2763.patch
new file mode 100644
index 00000000000..c3f81c48985
--- /dev/null
+++ b/main/gimp/CVE-2012-2763.patch
@@ -0,0 +1,122 @@
+From 744f7a4a2b5acb8b531a6f5dd8744ebb95348fc2 Mon Sep 17 00:00:00 2001
+From: Kevin Cozens <kcozens@cvs.gnome.org>
+Date: Mon, 17 Aug 2009 23:29:02 +0000
+Subject: script-fu: Bug #679215: Fixed potential buffer overflow in readstr_upto()
+
+Cherry picked from commit 76155d79df8d497d9a5994029247387e222da9e9.
+
+gimp-2-6 is no longer maintained. But we might as well commit this for
+the benefit of EL/LTS distros. This patch hasn't even been compiled, so
+YMMV. Enjoy.
+---
+diff --git a/plug-ins/script-fu/tinyscheme/scheme.c b/plug-ins/script-fu/tinyscheme/scheme.c
+index 60440fc..1f509f2 100644
+--- a/plug-ins/script-fu/tinyscheme/scheme.c
++++ b/plug-ins/script-fu/tinyscheme/scheme.c
+@@ -1710,7 +1710,7 @@ static char *readstr_upto(scheme *sc, char *delim) {
+ char *p = sc->strbuff;
+ gunichar c = 0;
+ gunichar c_prev = 0;
+- int len = 0;
++ int len = 0;
+
+ #if 0
+ while (!is_one_of(delim, (*p++ = inchar(sc))))
+@@ -1727,7 +1727,8 @@ static char *readstr_upto(scheme *sc, char *delim) {
+ c = inchar(sc);
+ len = g_unichar_to_utf8(c, p);
+ p += len;
+- } while (c && !is_one_of(delim, c));
++ } while ((p - sc->strbuff < sizeof(sc->strbuff)) &&
++ (c && !is_one_of(delim, c)));
+
+ if(p==sc->strbuff+2 && c_prev=='\\')
+ *p = '\0';
+@@ -2053,9 +2054,11 @@ static void atom2str(scheme *sc, pointer l, int f, char **pp, int *plen) {
+ default:
+ #if USE_ASCII_NAMES
+ if(c==127) {
+- strcpy(p,"#\\del"); break;
++ snprintf(p,STRBUFFSIZE, "#\\del");
++ break;
+ } else if(c<32) {
+- strcpy(p,"#\\"); strcat(p,charnames[c]); break;
++ snprintf(p,STRBUFFSIZE, "#\\%s", charnames[c]);
++ break;
+ }
+ #else
+ if(c<32) {
+@@ -2655,7 +2658,7 @@ static pointer opexe_0(scheme *sc, enum scheme_opcodes op) {
+ if(sc->tracing) {
+ s_save(sc,OP_REAL_APPLY,sc->args,sc->code);
+ sc->print_flag = 1;
+- /* sc->args=cons(sc,sc->code,sc->args);*/
++ /* sc->args=cons(sc,sc->code,sc->args);*/
+ putstr(sc,"\nApply to: ");
+ s_goto(sc,OP_P0LIST);
+ }
+@@ -2769,7 +2772,7 @@ static pointer opexe_0(scheme *sc, enum scheme_opcodes op) {
+
+ case OP_SET0: /* set! */
+ if(is_immutable(car(sc->code)))
+- Error_1(sc,"set!: unable to alter immutable variable", car(sc->code));
++ Error_1(sc,"set!: unable to alter immutable variable",car(sc->code));
+ s_save(sc,OP_SET1, sc->NIL, car(sc->code));
+ sc->code = cadr(sc->code);
+ s_goto(sc,OP_EVAL);
+@@ -3593,17 +3596,11 @@ static pointer opexe_2(scheme *sc, enum scheme_opcodes op) {
+ static int is_list(scheme *sc, pointer a)
+ { return list_length(sc,a) >= 0; }
+
+-/* Result is:
+- proper list: length
+- circular list: -1
+- not even a pair: -2
+- dotted list: -2 minus length before dot
+-*/
+-int list_length(scheme *sc, pointer a) {
++int list_length(scheme *sc, pointer p) {
+ int i=0;
+ pointer slow, fast;
+
+- slow = fast = a;
++ slow = fast = p;
+ while (1)
+ {
+ if (fast == sc->NIL)
+@@ -4156,13 +4153,13 @@ static pointer opexe_5(scheme *sc, enum scheme_opcodes op) {
+ case OP_RDVEC:
+ /*sc->code=cons(sc,mk_proc(sc,OP_VECTOR),sc->value);
+ s_goto(sc,OP_EVAL); Cannot be quoted*/
+- /*x=cons(sc,mk_proc(sc,OP_VECTOR),sc->value);
+- s_return(sc,x); Cannot be part of pairs*/
+- /*sc->code=mk_proc(sc,OP_VECTOR);
+- sc->args=sc->value;
+- s_goto(sc,OP_APPLY);*/
+- sc->args=sc->value;
+- s_goto(sc,OP_VECTOR);
++ /*x=cons(sc,mk_proc(sc,OP_VECTOR),sc->value);
++ s_return(sc,x); Cannot be part of pairs*/
++ /*sc->code=mk_proc(sc,OP_VECTOR);
++ sc->args=sc->value;
++ s_goto(sc,OP_APPLY);*/
++ sc->args=sc->value;
++ s_goto(sc,OP_VECTOR);
+
+ /* ========== printing part ========== */
+ case OP_P0LIST:
+diff --git a/plug-ins/script-fu/tinyscheme/scheme.h b/plug-ins/script-fu/tinyscheme/scheme.h
+index 92edba6..c3bf08e 100644
+--- a/plug-ins/script-fu/tinyscheme/scheme.h
++++ b/plug-ins/script-fu/tinyscheme/scheme.h
+@@ -198,7 +198,7 @@ struct scheme_interface {
+ gunichar (*charvalue)(pointer p);
+ int (*is_list)(scheme *sc, pointer p);
+ int (*is_vector)(pointer p);
+- int (*list_length)(scheme *sc, pointer a);
++ int (*list_length)(scheme *sc, pointer p);
+ long (*vector_length)(pointer vec);
+ void (*fill_vector)(pointer vec, pointer elem);
+ pointer (*vector_elem)(pointer vec, int ielem);
+--
+cgit v0.9.0.2
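Review bot: In `readstr_upto()` the new bound `p - sc->strbuff < sizeof(sc->strbuff)` is tested only after `g_unichar_to_utf8(c, p)` has already written at `p`, and that call may emit up to 6 bytes, so the final iteration can still write past the end of `strbuff` and no byte is reserved for the terminator stored after the loop. The condition should leave headroom for one more character plus the NUL, e.g. `} while ((size_t)(p - sc->strbuff) + 6 < sizeof(sc->strbuff) &&`. This assumes `strbuff` is an array member (for a pointer, `sizeof` would give the pointer size); its declaration and the top of the loop are outside the hunk. In `atom2str()` the `snprintf(p,STRBUFFSIZE, ...)` bound is right only if `p` points at the start of a `STRBUFFSIZE` buffer, which is not visible here. The patch description states it was never compiled, and the patch also deletes the comment documenting the return codes of `list_length()`, which should be kept.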
diff --git a/main/gimp/cve-2011-2896.patch b/main/gimp/cve-2011-2896.patch
deleted file mode 100644
index 735d771750d..00000000000
--- a/main/gimp/cve-2011-2896.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 376ad788c1a1c31d40f18494889c383f6909ebfc Mon Sep 17 00:00:00 2001
-From: Nils Philippsen <nils@redhat.com>
-Date: Thu, 04 Aug 2011 10:51:42 +0000
-Subject: file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896)
-
----
-(limited to 'plug-ins/common/file-gif-load.c')
-
-diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
-index 81f3bd0..c91e7aa 100644
---- a/plug-ins/common/file-gif-load.c
-+++ b/plug-ins/common/file-gif-load.c
-@@ -713,7 +713,8 @@ LZWReadByte (FILE *fd,
- static gint firstcode, oldcode;
- static gint clear_code, end_code;
- static gint table[2][(1 << MAX_LZW_BITS)];
-- static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
-+#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
-+ static gint stack[STACK_SIZE], *sp;
- gint i;
-
- if (just_reset_LZW)
-@@ -788,7 +789,7 @@ LZWReadByte (FILE *fd,
-
- return firstcode & 255;
- }
-- else if (code == end_code)
-+ else if (code == end_code || code > max_code)
- {
- gint count;
- guchar buf[260];
-@@ -807,13 +808,14 @@ LZWReadByte (FILE *fd,
-
- incode = code;
-
-- if (code >= max_code)
-+ if (code == max_code)
- {
-- *sp++ = firstcode;
-+ if (sp < &(stack[STACK_SIZE]))
-+ *sp++ = firstcode;
- code = oldcode;
- }
-
-- while (code >= clear_code)
-+ while (code >= clear_code && sp < &(stack[STACK_SIZE]))
- {
- *sp++ = table[1][code];
- if (code == table[0][code])
-@@ -824,7 +826,8 @@ LZWReadByte (FILE *fd,
- code = table[0][code];
- }
-
-- *sp++ = firstcode = table[1][code];
-+ if (sp < &(stack[STACK_SIZE]))
-+ *sp++ = firstcode = table[1][code];
-
- if ((code = max_code) < (1 << MAX_LZW_BITS))
- {
---
-cgit v0.9.0.2