* [bug#31322] [PATCH 4/6] gnu: gegl: Update to 0.4.
2018-04-30 20:38 ` [bug#31322] [PATCH 1/6] gnu: Add libmypaint Leo Famulari
2018-04-30 20:38 ` [bug#31322] [PATCH 2/6] gnu: Add mypaint-brushes Leo Famulari
2018-04-30 20:38 ` [bug#31322] [PATCH 3/6] gnu: Add poppler-data Leo Famulari
@ 2018-04-30 20:38 ` Leo Famulari
2018-04-30 20:38 ` [bug#31322] [PATCH 5/6] gnu: babl: Update to 0.1.46 Leo Famulari
` (2 subsequent siblings)
5 siblings, 0 replies; 14+ messages in thread
From: Leo Famulari @ 2018-04-30 20:38 UTC (permalink / raw)
To: 31322
* gnu/packages/gimp.scm (gegl): Update to 0.4.
[inputs]: Move babl and glib to propagated-inputs.
[propagated-inputs]: Add json-glib.
[arguments]: Re-enable the tests and remove the obsolete 'pre-build'
phase.
[source]: Use HTTPS URL.
* gnu/packages/patches/gegl-CVE-2012-4433.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
---
gnu/local.mk | 1 -
gnu/packages/gimp.scm | 36 ++----
gnu/packages/patches/gegl-CVE-2012-4433.patch | 117 ------------------
3 files changed, 9 insertions(+), 145 deletions(-)
delete mode 100644 gnu/packages/patches/gegl-CVE-2012-4433.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index ec11b2663..78358d983 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -696,7 +696,6 @@ dist_patch_DATA = \
%D%/packages/patches/gd-CVE-2018-5711.patch \
%D%/packages/patches/gd-fix-tests-on-i686.patch \
%D%/packages/patches/gd-freetype-test-failure.patch \
- %D%/packages/patches/gegl-CVE-2012-4433.patch \
%D%/packages/patches/gemma-intel-compat.patch \
%D%/packages/patches/geoclue-config.patch \
%D%/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch \
diff --git a/gnu/packages/gimp.scm b/gnu/packages/gimp.scm
index 9b63d56e0..8bd7bd845 100644
--- a/gnu/packages/gimp.scm
+++ b/gnu/packages/gimp.scm
@@ -77,43 +77,25 @@ provided, as well as a framework to add new color models and data types.")
(define-public gegl
(package
(name "gegl")
- (version "0.2.0")
+ (version "0.4.0")
(source (origin
(method url-fetch)
- (uri (list (string-append "http://download.gimp.org/pub/gegl/"
+ (uri (list (string-append "https://download.gimp.org/pub/gegl/"
(string-take version 3)
"/" name "-" version ".tar.bz2")))
(sha256
(base32
- "09nlv06li9nrn74ifpm7223mxpg0s7cii702z72cpbwrjh6nlbnz"))
- (patches (search-patches "gegl-CVE-2012-4433.patch"))))
+ "1ighk4z8nlqrzyj8w97s140hzj59564l3xv6fpzbr97m1zx2nkfh"))))
(build-system gnu-build-system)
(arguments
- '(;; More than just the one test disabled below now fails; disable them
- ;; all according to the rationale given below.
- #:tests? #f
- #:configure-flags '("LDFLAGS=-lm")
- #:phases
- (modify-phases %standard-phases
- (add-before 'build 'pre-build
- (lambda _
- ;; This test program seems to crash on exit. Specifically, whilst
- ;; g_object_unreffing bufferA and bufferB - This seems to be a bug
- ;; in the destructor. This is just a test program so will not have
- ;; any wider effect, although might be hiding another problem.
- ;; According to advice received on irc.gimp.org#gegl although 0.2.0
- ;; is the latest released version, any bug reports against it will
- ;; be ignored. So we are on our own.
- (substitute* "tools/img_cmp.c"
- (("g_object_unref \\(buffer.\\);") ""))
-
- (substitute* "tests/compositions/Makefile"
- (("/bin/sh") (which "sh")))
- #t)))))
- (inputs
+ '(#:configure-flags '("LDFLAGS=-lm")))
+ ;; These are propagated to satisfy 'gegl-0.4.pc'.
+ (propagated-inputs
`(("babl" ,babl)
("glib" ,glib)
- ("cairo" ,cairo)
+ ("json-glib" ,json-glib)))
+ (inputs
+ `(("cairo" ,cairo)
("pango" ,pango)
("libpng" ,libpng)
("libjpeg" ,libjpeg-8)))
diff --git a/gnu/packages/patches/gegl-CVE-2012-4433.patch b/gnu/packages/patches/gegl-CVE-2012-4433.patch
deleted file mode 100644
index 7352b78db..000000000
--- a/gnu/packages/patches/gegl-CVE-2012-4433.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From: Michael Gilbert <mgilbert@debian.org>
-Date: Mon, 9 Sep 2013 17:34:32 +0200
-Subject: Fix_CVE-2012-4433
-
-Multiple buffer overflow issues.
-
-Closes: #692435
----
- operations/external/ppm-load.c | 62 ++++++++++++++++++++++++++++++++++++------
- 1 file changed, 53 insertions(+), 9 deletions(-)
-
-diff --git a/operations/external/ppm-load.c b/operations/external/ppm-load.c
-index efe6d56..465096d 100644
---- a/operations/external/ppm-load.c
-+++ b/operations/external/ppm-load.c
-@@ -36,6 +36,7 @@ gegl_chant_file_path (path, _("File"), "", _("Path of file to load."))
- #include "gegl-chant.h"
- #include <stdio.h>
- #include <stdlib.h>
-+#include <errno.h>
-
- typedef enum {
- PIXMAP_ASCII = 51,
-@@ -44,8 +45,8 @@ typedef enum {
-
- typedef struct {
- map_type type;
-- gint width;
-- gint height;
-+ glong width;
-+ glong height;
- gsize numsamples; /* width * height * channels */
- gsize bpc; /* bytes per channel */
- guchar *data;
-@@ -82,12 +83,33 @@ ppm_load_read_header(FILE *fp,
- }
-
- /* Get Width and Height */
-- img->width = strtol (header,&ptr,0);
-- img->height = atoi (ptr);
-- img->numsamples = img->width * img->height * CHANNEL_COUNT;
-+ errno = 0;
-+ img->width = strtol (header,&ptr,10);
-+ if (errno)
-+ {
-+ g_warning ("Error reading width: %s", strerror(errno));
-+ return FALSE;
-+ }
-+ else if (img->width < 0)
-+ {
-+ g_warning ("Error: width is negative");
-+ return FALSE;
-+ }
-+
-+ img->height = strtol (ptr,&ptr,10);
-+ if (errno)
-+ {
-+ g_warning ("Error reading height: %s", strerror(errno));
-+ return FALSE;
-+ }
-+ else if (img->width < 0)
-+ {
-+ g_warning ("Error: height is negative");
-+ return FALSE;
-+ }
-
- fgets (header,MAX_CHARS_IN_ROW,fp);
-- maxval = strtol (header,&ptr,0);
-+ maxval = strtol (header,&ptr,10);
-
- if ((maxval != 255) && (maxval != 65535))
- {
-@@ -109,6 +131,16 @@ ppm_load_read_header(FILE *fp,
- g_warning ("%s: Programmer stupidity error", G_STRLOC);
- }
-
-+ /* Later on, img->numsamples is multiplied with img->bpc to allocate
-+ * memory. Ensure it doesn't overflow. */
-+ if (!img->width || !img->height ||
-+ G_MAXSIZE / img->width / img->height / CHANNEL_COUNT < img->bpc)
-+ {
-+ g_warning ("Illegal width/height: %ld/%ld", img->width, img->height);
-+ return FALSE;
-+ }
-+ img->numsamples = img->width * img->height * CHANNEL_COUNT;
-+
- return TRUE;
- }
-
-@@ -229,12 +261,24 @@ process (GeglOperation *operation,
- if (!ppm_load_read_header (fp, &img))
- goto out;
-
-- rect.height = img.height;
-- rect.width = img.width;
--
- /* Allocating Array Size */
-+
-+ /* Should use g_try_malloc(), but this causes crashes elsewhere because the
-+ * error signalled by returning FALSE isn't properly acted upon. Therefore
-+ * g_malloc() is used here which aborts if the requested memory size can't be
-+ * allocated causing a controlled crash. */
- img.data = (guchar*) g_malloc (img.numsamples * img.bpc);
-
-+ /* No-op without g_try_malloc(), see above. */
-+ if (! img.data)
-+ {
-+ g_warning ("Couldn't allocate %" G_GSIZE_FORMAT " bytes, giving up.", ((gsize)img.numsamples * img.bpc));
-+ goto out;
-+ }
-+
-+ rect.height = img.height;
-+ rect.width = img.width;
-+
- switch (img.bpc)
- {
- case 1:
--
2.17.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [bug#31322] [PATCH 6/6] gnu: gimp: Update to 2.10.0.
2018-04-30 20:38 ` [bug#31322] [PATCH 1/6] gnu: Add libmypaint Leo Famulari
` (3 preceding siblings ...)
2018-04-30 20:38 ` [bug#31322] [PATCH 5/6] gnu: babl: Update to 0.1.46 Leo Famulari
@ 2018-04-30 20:38 ` Leo Famulari
2018-04-30 22:19 ` [bug#31322] [PATCH 1/6] gnu: Add libmypaint Marius Bakke
5 siblings, 0 replies; 14+ messages in thread
From: Leo Famulari @ 2018-04-30 20:38 UTC (permalink / raw)
To: 31322
* gnu/packages/gimp.scm (gimp): Update to 2.10.0.
[inputs]: Add glib-networking, gexiv2, libmypaint, mypaint-brushes and
poppler-data.
[native-inputs]: Add glib:bin.
[source]: Remove obsolete patches and use HTTPS URL.
[home-page]: Use HTTPS URL.
* gnu/packages/patches/gimp-CVE-2017-17784.patch,
gnu/packages/patches/gimp-CVE-2017-17785.patch,
gnu/packages/patches/gimp-CVE-2017-17786.patch,
gnu/packages/patches/gimp-CVE-2017-17787.patch,
gnu/packages/patches/gimp-CVE-2017-17789.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
gnu/local.mk | 5 -
gnu/packages/gimp.scm | 24 +--
.../patches/gimp-CVE-2017-17784.patch | 41 -----
.../patches/gimp-CVE-2017-17785.patch | 171 ------------------
.../patches/gimp-CVE-2017-17786.patch | 94 ----------
.../patches/gimp-CVE-2017-17787.patch | 42 -----
.../patches/gimp-CVE-2017-17789.patch | 48 -----
7 files changed, 13 insertions(+), 412 deletions(-)
delete mode 100644 gnu/packages/patches/gimp-CVE-2017-17784.patch
delete mode 100644 gnu/packages/patches/gimp-CVE-2017-17785.patch
delete mode 100644 gnu/packages/patches/gimp-CVE-2017-17786.patch
delete mode 100644 gnu/packages/patches/gimp-CVE-2017-17787.patch
delete mode 100644 gnu/packages/patches/gimp-CVE-2017-17789.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 78358d983..4580cc559 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -705,11 +705,6 @@ dist_patch_DATA = \
%D%/packages/patches/ghostscript-no-header-creationdate.patch \
%D%/packages/patches/ghostscript-runpath.patch \
%D%/packages/patches/giflib-make-reallocarray-private.patch \
- %D%/packages/patches/gimp-CVE-2017-17784.patch \
- %D%/packages/patches/gimp-CVE-2017-17785.patch \
- %D%/packages/patches/gimp-CVE-2017-17786.patch \
- %D%/packages/patches/gimp-CVE-2017-17787.patch \
- %D%/packages/patches/gimp-CVE-2017-17789.patch \
%D%/packages/patches/glib-networking-ssl-cert-file.patch \
%D%/packages/patches/glib-respect-datadir.patch \
%D%/packages/patches/glib-tests-timer.patch \
diff --git a/gnu/packages/gimp.scm b/gnu/packages/gimp.scm
index b9cf204a7..b8df074d1 100644
--- a/gnu/packages/gimp.scm
+++ b/gnu/packages/gimp.scm
@@ -3,6 +3,7 @@
;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Leo Famulari <leo@famulari.name>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -115,23 +116,18 @@ buffers.")
(define-public gimp
(package
(name "gimp")
- (version "2.8.22")
+ (version "2.10.0")
(source (origin
(method url-fetch)
- (uri (string-append "http://download.gimp.org/pub/gimp/v"
+ (uri (string-append "https://download.gimp.org/pub/gimp/v"
(version-major+minor version)
"/gimp-" version ".tar.bz2"))
- (patches (search-patches "gimp-CVE-2017-17784.patch"
- "gimp-CVE-2017-17785.patch"
- "gimp-CVE-2017-17786.patch"
- "gimp-CVE-2017-17787.patch"
- "gimp-CVE-2017-17789.patch"))
(sha256
(base32
- "12k3lp938qdc9cqj29scg55f3bb8iav2fysd29w0s49bqmfa71wi"))))
+ "1qkxaigbfkx26xym5nzrgfrmn97cbnhn63v1saaha2nbi3xrdk3z"))))
(build-system gnu-build-system)
(outputs '("out"
- "doc")) ;5 MiB of gtk-doc HTML
+ "doc")) ;9 MiB of gtk-doc HTML
(arguments
'(#:configure-flags (list (string-append "--with-html-dir="
(assoc-ref %outputs "doc")
@@ -155,21 +151,27 @@ buffers.")
(inputs
`(("babl" ,babl)
("glib" ,glib)
+ ("glib-networking" ,glib-networking)
("libtiff" ,libtiff)
("libjpeg" ,libjpeg-8)
("atk" ,atk)
+ ("gexiv2" ,gexiv2)
("gtk+" ,gtk+-2)
+ ("libmypaint" ,libmypaint)
+ ("mypaint-brushes" ,mypaint-brushes)
("exif" ,libexif) ; optional, EXIF + XMP support
("lcms" ,lcms) ; optional, color management
("librsvg" ,librsvg) ; optional, SVG support
("poppler" ,poppler) ; optional, PDF support
+ ("poppler-data" ,poppler-data)
("python" ,python-2) ; optional, Python support
("python2-pygtk" ,python2-pygtk) ; optional, Python support
("gegl" ,gegl)))
(native-inputs
- `(("pkg-config" ,pkg-config)
+ `(("glib:bin" ,glib "bin") ; for glib-compile-resources and gdbus-codegen
+ ("pkg-config" ,pkg-config)
("intltool" ,intltool)))
- (home-page "http://gimp.org")
+ (home-page "https://gimp.org")
(synopsis "GNU Image Manipulation Program")
(description
"GIMP is an application for image manipulation tasks such as photo
diff --git a/gnu/packages/patches/gimp-CVE-2017-17784.patch b/gnu/packages/patches/gimp-CVE-2017-17784.patch
deleted file mode 100644
index c791772fb..000000000
--- a/gnu/packages/patches/gimp-CVE-2017-17784.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Fix CVE-2017-17784:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17784
-https://bugzilla.gnome.org/show_bug.cgi?id=790784
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/gimp/commit/?id=c57f9dcf1934a9ab0cd67650f2dea18cb0902270
-
-From c57f9dcf1934a9ab0cd67650f2dea18cb0902270 Mon Sep 17 00:00:00 2001
-From: Jehan <jehan@girinstud.io>
-Date: Thu, 21 Dec 2017 12:25:32 +0100
-Subject: [PATCH] Bug 790784 - (CVE-2017-17784) heap overread in gbr parser /
- load_image.
-
-We were assuming the input name was well formed, hence was
-nul-terminated. As any data coming from external input, this has to be
-thorougly checked.
-Similar to commit 06d24a79af94837d615d0024916bb95a01bf3c59 but adapted
-to older gimp-2-8 code.
----
- plug-ins/common/file-gbr.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
-index b028100bef..d3f01d9c56 100644
---- a/plug-ins/common/file-gbr.c
-+++ b/plug-ins/common/file-gbr.c
-@@ -443,7 +443,8 @@ load_image (const gchar *filename,
- {
- gchar *temp = g_new (gchar, bn_size);
-
-- if ((read (fd, temp, bn_size)) < bn_size)
-+ if ((read (fd, temp, bn_size)) < bn_size ||
-+ temp[bn_size - 1] != '\0')
- {
- g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
- _("Error in GIMP brush file '%s'"),
---
-2.15.1
-
diff --git a/gnu/packages/patches/gimp-CVE-2017-17785.patch b/gnu/packages/patches/gimp-CVE-2017-17785.patch
deleted file mode 100644
index 939b01f21..000000000
--- a/gnu/packages/patches/gimp-CVE-2017-17785.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-Fix CVE-2017-17785:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17785
-https://bugzilla.gnome.org/show_bug.cgi?id=739133
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/gimp/commit/?id=1882bac996a20ab5c15c42b0c5e8f49033a1af54
-
-From 1882bac996a20ab5c15c42b0c5e8f49033a1af54 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 29 Oct 2017 15:19:41 +0100
-Subject: [PATCH] Bug 739133 - (CVE-2017-17785) Heap overflow while parsing FLI
- files.
-
-It is possible to trigger a heap overflow while parsing FLI files. The
-RLE decoder is vulnerable to out of boundary writes due to lack of
-boundary checks.
-
-The variable "framebuf" points to a memory area which was allocated
-with fli_header->width * fli_header->height bytes. The RLE decoder
-therefore must never write beyond that limit.
-
-If an illegal frame is detected, the parser won't stop, which means
-that the next valid sequence is properly parsed again. This should
-allow GIMP to parse FLI files as good as possible even if they are
-broken by an attacker or by accident.
-
-While at it, I changed the variable xc to be of type size_t, because
-the multiplication of width and height could overflow a 16 bit type.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-(cherry picked from commit edb251a7ef1602d20a5afcbf23f24afb163de63b)
----
- plug-ins/file-fli/fli.c | 50 ++++++++++++++++++++++++++++++++++---------------
- 1 file changed, 35 insertions(+), 15 deletions(-)
-
-diff --git a/plug-ins/file-fli/fli.c b/plug-ins/file-fli/fli.c
-index 313efeb977..ffb651e2af 100644
---- a/plug-ins/file-fli/fli.c
-+++ b/plug-ins/file-fli/fli.c
-@@ -25,6 +25,8 @@
-
- #include "config.h"
-
-+#include <glib/gstdio.h>
-+
- #include <string.h>
- #include <stdio.h>
-
-@@ -461,23 +463,27 @@ void fli_read_brun(FILE *f, s_fli_header *fli_header, unsigned char *framebuf)
- unsigned short yc;
- unsigned char *pos;
- for (yc=0; yc < fli_header->height; yc++) {
-- unsigned short xc, pc, pcnt;
-+ unsigned short pc, pcnt;
-+ size_t n, xc;
- pc=fli_read_char(f);
- xc=0;
- pos=framebuf+(fli_header->width * yc);
-+ n=(size_t)fli_header->width * (fli_header->height-yc);
- for (pcnt=pc; pcnt>0; pcnt--) {
- unsigned short ps;
- ps=fli_read_char(f);
- if (ps & 0x80) {
- unsigned short len;
-- for (len=-(signed char)ps; len>0; len--) {
-+ for (len=-(signed char)ps; len>0 && xc<n; len--) {
- pos[xc++]=fli_read_char(f);
- }
- } else {
- unsigned char val;
-+ size_t len;
-+ len=MIN(n-xc,ps);
- val=fli_read_char(f);
-- memset(&(pos[xc]), val, ps);
-- xc+=ps;
-+ memset(&(pos[xc]), val, len);
-+ xc+=len;
- }
- }
- }
-@@ -564,25 +570,34 @@ void fli_read_lc(FILE *f, s_fli_header *fli_header, unsigned char *old_framebuf,
- memcpy(framebuf, old_framebuf, fli_header->width * fli_header->height);
- firstline = fli_read_short(f);
- numline = fli_read_short(f);
-+ if (numline > fli_header->height || fli_header->height-numline < firstline)
-+ return;
-+
- for (yc=0; yc < numline; yc++) {
-- unsigned short xc, pc, pcnt;
-+ unsigned short pc, pcnt;
-+ size_t n, xc;
- pc=fli_read_char(f);
- xc=0;
- pos=framebuf+(fli_header->width * (firstline+yc));
-+ n=(size_t)fli_header->width * (fli_header->height-firstline-yc);
- for (pcnt=pc; pcnt>0; pcnt--) {
- unsigned short ps,skip;
- skip=fli_read_char(f);
- ps=fli_read_char(f);
-- xc+=skip;
-+ xc+=MIN(n-xc,skip);
- if (ps & 0x80) {
- unsigned char val;
-+ size_t len;
- ps=-(signed char)ps;
- val=fli_read_char(f);
-- memset(&(pos[xc]), val, ps);
-- xc+=ps;
-+ len=MIN(n-xc,ps);
-+ memset(&(pos[xc]), val, len);
-+ xc+=len;
- } else {
-- fread(&(pos[xc]), ps, 1, f);
-- xc+=ps;
-+ size_t len;
-+ len=MIN(n-xc,ps);
-+ fread(&(pos[xc]), len, 1, f);
-+ xc+=len;
- }
- }
- }
-@@ -689,7 +704,8 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu
- yc=0;
- numline = fli_read_short(f);
- for (lc=0; lc < numline; lc++) {
-- unsigned short xc, pc, pcnt, lpf, lpn;
-+ unsigned short pc, pcnt, lpf, lpn;
-+ size_t n, xc;
- pc=fli_read_short(f);
- lpf=0; lpn=0;
- while (pc & 0x8000) {
-@@ -700,26 +716,30 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu
- }
- pc=fli_read_short(f);
- }
-+ yc=MIN(yc, fli_header->height);
- xc=0;
- pos=framebuf+(fli_header->width * yc);
-+ n=(size_t)fli_header->width * (fli_header->height-yc);
- for (pcnt=pc; pcnt>0; pcnt--) {
- unsigned short ps,skip;
- skip=fli_read_char(f);
- ps=fli_read_char(f);
-- xc+=skip;
-+ xc+=MIN(n-xc,skip);
- if (ps & 0x80) {
- unsigned char v1,v2;
- ps=-(signed char)ps;
- v1=fli_read_char(f);
- v2=fli_read_char(f);
-- while (ps>0) {
-+ while (ps>0 && xc+1<n) {
- pos[xc++]=v1;
- pos[xc++]=v2;
- ps--;
- }
- } else {
-- fread(&(pos[xc]), ps, 2, f);
-- xc+=ps << 1;
-+ size_t len;
-+ len=MIN((n-xc)/2,ps);
-+ fread(&(pos[xc]), len, 2, f);
-+ xc+=len << 1;
- }
- }
- if (lpf) pos[xc]=lpn;
---
-2.15.1
-
diff --git a/gnu/packages/patches/gimp-CVE-2017-17786.patch b/gnu/packages/patches/gimp-CVE-2017-17786.patch
deleted file mode 100644
index 851227ac1..000000000
--- a/gnu/packages/patches/gimp-CVE-2017-17786.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-Fix CVE-2017-17786:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17786
-https://bugzilla.gnome.org/show_bug.cgi?id=739134
-
-Both patches copied from upstream source repository:
-
-https://git.gnome.org/browse/gimp/commit/?id=ef9c821fff8b637a2178eab1c78cae6764c50e12
-https://git.gnome.org/browse/gimp/commit/?id=22e2571c25425f225abdb11a566cc281fca6f366
-
-From ef9c821fff8b637a2178eab1c78cae6764c50e12 Mon Sep 17 00:00:00 2001
-From: Jehan <jehan@girinstud.io>
-Date: Wed, 20 Dec 2017 13:02:38 +0100
-Subject: [PATCH] Bug 739134 - (CVE-2017-17786) Out of bounds read / heap
- overflow in...
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-... TGA importer.
-
-Be more thorough on valid TGA RGB and RGBA images.
-In particular current TGA plug-in can import RGBA as 32 bits (8 bits per
-channel) and 16 bits (5 bits per color channel and 1 bit for alpha), and
-RGB as 15 and 24 bits.
-Maybe there exist more variants, but if they do exist, we simply don't
-support them yet.
-
-Thanks to Hanno Böck for the report and a first patch attempt.
-
-(cherry picked from commit 674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b)
----
- plug-ins/common/file-tga.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
-index aef98702d4..426acc2925 100644
---- a/plug-ins/common/file-tga.c
-+++ b/plug-ins/common/file-tga.c
-@@ -564,12 +564,16 @@ load_image (const gchar *filename,
- }
- break;
- case TGA_TYPE_COLOR:
-- if (info.bpp != 15 && info.bpp != 16 &&
-- info.bpp != 24 && info.bpp != 32)
-+ if ((info.bpp != 15 && info.bpp != 16 &&
-+ info.bpp != 24 && info.bpp != 32) ||
-+ ((info.bpp == 15 || info.bpp == 24) &&
-+ info.alphaBits != 0) ||
-+ (info.bpp == 16 && info.alphaBits != 1) ||
-+ (info.bpp == 32 && info.alphaBits != 8))
- {
-- g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)",
-+ g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
- gimp_filename_to_utf8 (filename),
-- info.imageType, info.bpp);
-+ info.imageType, info.bpp, info.alphaBits);
- return -1;
- }
- break;
---
-2.15.1
-
-From 22e2571c25425f225abdb11a566cc281fca6f366 Mon Sep 17 00:00:00 2001
-From: Jehan <jehan@girinstud.io>
-Date: Wed, 20 Dec 2017 13:26:26 +0100
-Subject: [PATCH] plug-ins: TGA 16-bit RGB (without alpha bit) is also valid.
-
-According to some spec on the web, 16-bit RGB is also valid. In this
-case, the last bit is simply ignored (at least that's how it is
-implemented right now).
-
-(cherry picked from commit 8ea316667c8a3296bce2832b3986b58d0fdfc077)
----
- plug-ins/common/file-tga.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
-index 426acc2925..eb14a1dadc 100644
---- a/plug-ins/common/file-tga.c
-+++ b/plug-ins/common/file-tga.c
-@@ -568,7 +568,8 @@ load_image (const gchar *filename,
- info.bpp != 24 && info.bpp != 32) ||
- ((info.bpp == 15 || info.bpp == 24) &&
- info.alphaBits != 0) ||
-- (info.bpp == 16 && info.alphaBits != 1) ||
-+ (info.bpp == 16 && info.alphaBits != 1 &&
-+ info.alphaBits != 0) ||
- (info.bpp == 32 && info.alphaBits != 8))
- {
- g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
---
-2.15.1
-
diff --git a/gnu/packages/patches/gimp-CVE-2017-17787.patch b/gnu/packages/patches/gimp-CVE-2017-17787.patch
deleted file mode 100644
index b5310d33d..000000000
--- a/gnu/packages/patches/gimp-CVE-2017-17787.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-Fix CVE-2017-17787:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17787
-https://bugzilla.gnome.org/show_bug.cgi?id=790853
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/gimp/commit/?id=87ba505fff85989af795f4ab6a047713f4d9381d
-
-From 87ba505fff85989af795f4ab6a047713f4d9381d Mon Sep 17 00:00:00 2001
-From: Jehan <jehan@girinstud.io>
-Date: Thu, 21 Dec 2017 12:49:41 +0100
-Subject: [PATCH] Bug 790853 - (CVE-2017-17787) heap overread in psp importer.
-
-As any external data, we have to check that strings being read at fixed
-length are properly nul-terminated.
-
-(cherry picked from commit eb2980683e6472aff35a3117587c4f814515c74d)
----
- plug-ins/common/file-psp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
-index 4cbafe37b1..e350e4d88d 100644
---- a/plug-ins/common/file-psp.c
-+++ b/plug-ins/common/file-psp.c
-@@ -890,6 +890,12 @@ read_creator_block (FILE *f,
- g_free (string);
- return -1;
- }
-+ if (string[length - 1] != '\0')
-+ {
-+ g_message ("Creator keyword data not nul-terminated");
-+ g_free (string);
-+ return -1;
-+ }
- switch (keyword)
- {
- case PSP_CRTR_FLD_TITLE:
---
-2.15.1
-
diff --git a/gnu/packages/patches/gimp-CVE-2017-17789.patch b/gnu/packages/patches/gimp-CVE-2017-17789.patch
deleted file mode 100644
index 6dfa435fd..000000000
--- a/gnu/packages/patches/gimp-CVE-2017-17789.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Fix CVE-2017-17789:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17789
-https://bugzilla.gnome.org/show_bug.cgi?id=790849
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/gimp/commit/?id=01898f10f87a094665a7fdcf7153990f4e511d3f
-
-From 01898f10f87a094665a7fdcf7153990f4e511d3f Mon Sep 17 00:00:00 2001
-From: Jehan <jehan@girinstud.io>
-Date: Wed, 20 Dec 2017 16:44:20 +0100
-Subject: [PATCH] Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer
- overflow...
-
-... in PSP importer.
-Check if declared block length is valid (i.e. within the actual file)
-before going further.
-Consider the file as broken otherwise and fail loading it.
-
-(cherry picked from commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8)
----
- plug-ins/common/file-psp.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
-index ac0fff78f0..4cbafe37b1 100644
---- a/plug-ins/common/file-psp.c
-+++ b/plug-ins/common/file-psp.c
-@@ -1771,6 +1771,15 @@ load_image (const gchar *filename,
- {
- block_start = ftell (f);
-
-+ if (block_start + block_total_len > st.st_size)
-+ {
-+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
-+ _("Could not open '%s' for reading: %s"),
-+ gimp_filename_to_utf8 (filename),
-+ _("invalid block size"));
-+ goto error;
-+ }
-+
- if (id == PSP_IMAGE_BLOCK)
- {
- if (block_number != 0)
---
-2.15.1
-
--
2.17.0
^ permalink raw reply related [flat|nested] 14+ messages in thread