From 2a74f6f7e72c0bc420316d0d7cfb72bdcaedf414 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Sun, 31 Dec 2017 13:42:58 -0500
Subject: gnu: gimp: Fix CVE-2017-{17784,17785,17786,17787,17789}.

* gnu/packages/patches/gimp-CVE-2017-17784.patch,
gnu/packages/patches/gimp-CVE-2017-17785.patch,
gnu/packages/patches/gimp-CVE-2017-17786.patch,
gnu/packages/patches/gimp-CVE-2017-17787.patch,
gnu/packages/patches/gimp-CVE-2017-17789.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gimp.scm (gimp)[source]: Use them.
---
 gnu/packages/patches/gimp-CVE-2017-17789.patch | 48 ++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 gnu/packages/patches/gimp-CVE-2017-17789.patch

(limited to 'gnu/packages/patches/gimp-CVE-2017-17789.patch')

diff --git a/gnu/packages/patches/gimp-CVE-2017-17789.patch b/gnu/packages/patches/gimp-CVE-2017-17789.patch
new file mode 100644
index 0000000000..6dfa435fd0
--- /dev/null
+++ b/gnu/packages/patches/gimp-CVE-2017-17789.patch
@@ -0,0 +1,48 @@
+Fix CVE-2017-17789:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17789
+https://bugzilla.gnome.org/show_bug.cgi?id=790849
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/gimp/commit/?id=01898f10f87a094665a7fdcf7153990f4e511d3f
+
+From 01898f10f87a094665a7fdcf7153990f4e511d3f Mon Sep 17 00:00:00 2001
+From: Jehan <jehan@girinstud.io>
+Date: Wed, 20 Dec 2017 16:44:20 +0100
+Subject: [PATCH] Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer
+ overflow...
+
+... in PSP importer.
+Check if declared block length is valid (i.e. within the actual file)
+before going further.
+Consider the file as broken otherwise and fail loading it.
+
+(cherry picked from commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8)
+---
+ plug-ins/common/file-psp.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index ac0fff78f0..4cbafe37b1 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -1771,6 +1771,15 @@ load_image (const gchar  *filename,
+     {
+       block_start = ftell (f);
+ 
++      if (block_start + block_total_len > st.st_size)
++        {
++          g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++                       _("Could not open '%s' for reading: %s"),
++                       gimp_filename_to_utf8 (filename),
++                       _("invalid block size"));
++          goto error;
++        }
++
+       if (id == PSP_IMAGE_BLOCK)
+         {
+           if (block_number != 0)
+-- 
+2.15.1
+
-- 
cgit v1.2.3