aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/gimp-CVE-2017-17789.patch
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2017-12-31 13:42:58 -0500
committerLeo Famulari <leo@famulari.name>2017-12-31 13:51:20 -0500
commit2a74f6f7e72c0bc420316d0d7cfb72bdcaedf414 (patch)
treeceae006e75a655a0c5b21d8a20177a927050a7b0 /gnu/packages/patches/gimp-CVE-2017-17789.patch
parentc41fb54f9556ccfa01225fe03765b2cbd6fb611a (diff)
downloadguix-2a74f6f7e72c0bc420316d0d7cfb72bdcaedf414.tar
guix-2a74f6f7e72c0bc420316d0d7cfb72bdcaedf414.tar.gz
gnu: gimp: Fix CVE-2017-{17784,17785,17786,17787,17789}.
* gnu/packages/patches/gimp-CVE-2017-17784.patch, gnu/packages/patches/gimp-CVE-2017-17785.patch, gnu/packages/patches/gimp-CVE-2017-17786.patch, gnu/packages/patches/gimp-CVE-2017-17787.patch, gnu/packages/patches/gimp-CVE-2017-17789.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/gimp.scm (gimp)[source]: Use them.
Diffstat (limited to 'gnu/packages/patches/gimp-CVE-2017-17789.patch')
-rw-r--r--gnu/packages/patches/gimp-CVE-2017-17789.patch48
1 files changed, 48 insertions, 0 deletions
diff --git a/gnu/packages/patches/gimp-CVE-2017-17789.patch b/gnu/packages/patches/gimp-CVE-2017-17789.patch
new file mode 100644
index 0000000000..6dfa435fd0
--- /dev/null
+++ b/gnu/packages/patches/gimp-CVE-2017-17789.patch
@@ -0,0 +1,48 @@
+Fix CVE-2017-17789:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17789
+https://bugzilla.gnome.org/show_bug.cgi?id=790849
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/gimp/commit/?id=01898f10f87a094665a7fdcf7153990f4e511d3f
+
+From 01898f10f87a094665a7fdcf7153990f4e511d3f Mon Sep 17 00:00:00 2001
+From: Jehan <jehan@girinstud.io>
+Date: Wed, 20 Dec 2017 16:44:20 +0100
+Subject: [PATCH] Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer
+ overflow...
+
+... in PSP importer.
+Check if declared block length is valid (i.e. within the actual file)
+before going further.
+Consider the file as broken otherwise and fail loading it.
+
+(cherry picked from commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8)
+---
+ plug-ins/common/file-psp.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index ac0fff78f0..4cbafe37b1 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -1771,6 +1771,15 @@ load_image (const gchar *filename,
+ {
+ block_start = ftell (f);
+
++ if (block_start + block_total_len > st.st_size)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("Could not open '%s' for reading: %s"),
++ gimp_filename_to_utf8 (filename),
++ _("invalid block size"));
++ goto error;
++ }
++
+ if (id == PSP_IMAGE_BLOCK)
+ {
+ if (block_number != 0)
+--
+2.15.1
+