* GIMP: Fix CVE-2016-4994
@ 2016-07-01 20:19 Leo Famulari
2016-07-02 13:19 ` Ludovic Courtès
0 siblings, 1 reply; 2+ messages in thread
From: Leo Famulari @ 2016-07-01 20:19 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 726 bytes --]
GIMP has a use-after-free bug related to XCF file parsing that allows
arbitrary code execution:
https://security-tracker.debian.org/tracker/CVE-2016-4994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4994
This patch cherry-picks the upstream commit from the gimp-2-8 branch:
https://git.gnome.org/browse/gimp/commit/?h=gimp-2-8&id=e82aaa4b4ee0703c879e35ea9321fff6be3e9b6f
Leo Famulari (1):
gnu: gimp: Fix CVE-2016-4994.
gnu/local.mk | 1 +
gnu/packages/gimp.scm | 1 +
gnu/packages/patches/gimp-CVE-2016-4994.patch | 96 +++++++++++++++++++++++++++
3 files changed, 98 insertions(+)
create mode 100644 gnu/packages/patches/gimp-CVE-2016-4994.patch
[-- Attachment #2: 0001-gnu-gimp-Fix-CVE-2016-4994.patch --]
[-- Type: text/x-diff, Size: 5459 bytes --]
From 92df989d76da73963c7d05006ca6fcf535d364b4 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Fri, 1 Jul 2016 16:05:40 -0400
Subject: [PATCH] gnu: gimp: Fix CVE-2016-4994.
* gnu/packages/patches/gimp-CVE-2016-4994.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gimp.scm (gimp): Use it.
---
gnu/local.mk | 1 +
gnu/packages/gimp.scm | 1 +
gnu/packages/patches/gimp-CVE-2016-4994.patch | 96 +++++++++++++++++++++++++++
3 files changed, 98 insertions(+)
create mode 100644 gnu/packages/patches/gimp-CVE-2016-4994.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 7dfda9b..829693a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -515,6 +515,7 @@ dist_patch_DATA = \
%D%/packages/patches/geoclue-config.patch \
%D%/packages/patches/ghostscript-CVE-2015-3228.patch \
%D%/packages/patches/ghostscript-runpath.patch \
+ %D%/packages/patches/gimp-CVE-2016-4994.patch \
%D%/packages/patches/glib-networking-ssl-cert-file.patch \
%D%/packages/patches/glib-tests-timer.patch \
%D%/packages/patches/glibc-CVE-2015-7547.patch \
diff --git a/gnu/packages/gimp.scm b/gnu/packages/gimp.scm
index 1cd779a..d5c58e2 100644
--- a/gnu/packages/gimp.scm
+++ b/gnu/packages/gimp.scm
@@ -130,6 +130,7 @@ buffers.")
(uri (string-append "http://download.gimp.org/pub/gimp/v"
(version-major+minor version)
"/gimp-" version ".tar.bz2"))
+ (patches (search-patches "gimp-CVE-2016-4994.patch"))
(sha256
(base32
"1dsgazia9hmab8cw3iis7s69dvqyfj5wga7ds7w2q5mms1xqbqwm"))))
diff --git a/gnu/packages/patches/gimp-CVE-2016-4994.patch b/gnu/packages/patches/gimp-CVE-2016-4994.patch
new file mode 100644
index 0000000..6c81c63
--- /dev/null
+++ b/gnu/packages/patches/gimp-CVE-2016-4994.patch
@@ -0,0 +1,96 @@
+Fix CVE-2016-4994:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4994
+
+Copied from upstream repository:
+https://git.gnome.org/browse/gimp/patch/?id=e82aaa4b4ee0703c879e35ea9321fff6be3e9b6f
+
+From e82aaa4b4ee0703c879e35ea9321fff6be3e9b6f Mon Sep 17 00:00:00 2001
+From: Shmuel H <shmuelgimp@gmail.com>
+Date: Mon, 20 Jun 2016 17:14:41 +0300
+Subject: Bug 767873 - (CVE-2016-4994) Multiple Use-After-Free when parsing...
+
+...XCF channel and layer properties
+
+The properties PROP_ACTIVE_LAYER, PROP_FLOATING_SELECTION,
+PROP_ACTIVE_CHANNEL saves the current object pointer the @info
+structure. Others like PROP_SELECTION (for channel) and
+PROP_GROUP_ITEM (for layer) will delete the current object and create
+a new object, leaving the pointers in @info invalid (dangling).
+
+Therefore, if a property from the first type will come before the
+second, the result will be an UaF in the last lines of xcf_load_image
+(when it actually using the pointers from @info).
+
+I wasn't able to exploit this bug because that
+g_object_instance->c_class gets cleared by the last g_object_unref and
+GIMP_IS_{LAYER,CHANNEL} detects that and return FALSE.
+
+(cherry picked from commit 6d804bf9ae77bc86a0a97f9b944a129844df9395)
+---
+ app/xcf/xcf-load.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
+index b180377..67cc6d4 100644
+--- a/app/xcf/xcf-load.c
++++ b/app/xcf/xcf-load.c
+@@ -904,6 +904,18 @@ xcf_load_layer_props (XcfInfo *info,
+ case PROP_GROUP_ITEM:
+ {
+ GimpLayer *group;
++ gboolean is_active_layer;
++
++ /* We're going to delete *layer, Don't leave its pointers
++ * in @info. After that, we'll restore them back with the
++ * new pointer. See bug #767873.
++ */
++ is_active_layer = (*layer == info->active_layer);
++ if (is_active_layer)
++ info->active_layer = NULL;
++
++ if (*layer == info->floating_sel)
++ info->floating_sel = NULL;
+
+ group = gimp_group_layer_new (image);
+
+@@ -916,6 +928,13 @@ xcf_load_layer_props (XcfInfo *info,
+ g_object_ref_sink (*layer);
+ g_object_unref (*layer);
+ *layer = group;
++
++ if (is_active_layer)
++ info->active_layer = *layer;
++
++ /* Don't restore info->floating_sel because group layers
++ * can't be floating selections
++ */
+ }
+ break;
+
+@@ -986,6 +1005,12 @@ xcf_load_channel_props (XcfInfo *info,
+ {
+ GimpChannel *mask;
+
++ /* We're going to delete *channel, Don't leave its pointer
++ * in @info. See bug #767873.
++ */
++ if (*channel == info->active_channel)
++ info->active_channel = NULL;
++
+ mask =
+ gimp_selection_new (image,
+ gimp_item_get_width (GIMP_ITEM (*channel)),
+@@ -1000,6 +1025,10 @@ xcf_load_channel_props (XcfInfo *info,
+ *channel = mask;
+ (*channel)->boundary_known = FALSE;
+ (*channel)->bounds_known = FALSE;
++
++ /* Don't restore info->active_channel because the
++ * selection can't be the active channel
++ */
+ }
+ break;
+
+--
+cgit v0.12
+
--
2.9.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: GIMP: Fix CVE-2016-4994
2016-07-01 20:19 GIMP: Fix CVE-2016-4994 Leo Famulari
@ 2016-07-02 13:19 ` Ludovic Courtès
0 siblings, 0 replies; 2+ messages in thread
From: Ludovic Courtès @ 2016-07-02 13:19 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> skribis:
> GIMP has a use-after-free bug related to XCF file parsing that allows
> arbitrary code execution:
> https://security-tracker.debian.org/tracker/CVE-2016-4994
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4994
>
> This patch cherry-picks the upstream commit from the gimp-2-8 branch:
> https://git.gnome.org/browse/gimp/commit/?h=gimp-2-8&id=e82aaa4b4ee0703c879e35ea9321fff6be3e9b6f
Go for it!
Thank you for taking care of it, as usual!
Ludo’.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-07-02 13:19 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-07-01 20:19 GIMP: Fix CVE-2016-4994 Leo Famulari
2016-07-02 13:19 ` Ludovic Courtès
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.