Import Debian changes 2.10.34-1+deb12u1

gimp (2.10.34-1+deb12u1) bookworm-security; urgency=high
.
  * Non-maintainer upload by the Security Team.
  * plug-ins: Fix vulnerabilities in file-psp (CVE-2023-44443, CVE-2023-44444)
    (Closes: #1055984)
  * plug-ins: Fix vulnerability in file-psd (CVE-2023-44442)
    (Closes: #1055984)
  * plug-ins: Fix DDS vulnerability (ZDI-CAN-22093) (CVE-2023-44441)
    (Closes: #1055984)
  * plug-ins: Fix DDS import regression
  * plug-ins: Additional fixes for DDS Import
Salvatore Bonaccorso
2023-11-18 16:59:10 +01:00
committed by Jeremy Bícha
parent 745eaa94e6
commit 27ecc73732
7 changed files with 311 additions and 0 deletions

debian/changelog vendored

@ -1,3 +1,17 @@
gimp (2.10.34-1+deb12u1) bookworm-security; urgency=high
* Non-maintainer upload by the Security Team.
* plug-ins: Fix vulnerabilities in file-psp (CVE-2023-44443, CVE-2023-44444)
(Closes: #1055984)
* plug-ins: Fix vulnerability in file-psd (CVE-2023-44442)
(Closes: #1055984)
* plug-ins: Fix DDS vulnerability (ZDI-CAN-22093) (CVE-2023-44441)
(Closes: #1055984)
* plug-ins: Fix DDS import regression
* plug-ins: Additional fixes for DDS Import
-- Salvatore Bonaccorso <carnil@debian.org> Sat, 18 Nov 2023 16:59:10 +0100
gimp (2.10.34-1) unstable; urgency=medium
[ Jeremy Bicha ]


@ -0,0 +1,53 @@
From: Alx Sa <cmyk.student@gmail.com>
Date: Sat, 28 Oct 2023 21:44:51 +0000
Subject: plug-ins: Additional fixes for DDS Import
Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/9dda8139e4d07e3a273436eda993fef32555edbe
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
Bug-Debian: https://bugs.debian.org/1055984
@Wormnest noted remaining regressions after 8faad92e.
The second fread() only runs if the DDSD_PITCH flag is set,
so the error handling check should also be conditional.
Additionally, the ZDI-CAN-22093 exploit no longer runs but
still could cause a plug-in crash. This patch adds an additional
check to ensure the buffer size was within bounds.
---
plug-ins/file-dds/ddsread.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
index 74368d04e41a..dcb4449a9f97 100644
--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
@@ -928,6 +928,7 @@ load_layer (FILE *fp,
current_position = ftell (fp);
fseek (fp, 0L, SEEK_END);
file_size = ftell (fp);
+ fseek (fp, 0, SEEK_SET);
fseek (fp, current_position, SEEK_SET);
if (width < 1) width = 1;
@@ -1033,7 +1034,8 @@ load_layer (FILE *fp,
size *= 16;
}
- if (size > (file_size - current_position))
+ if (size > (file_size - current_position) ||
+ size > hdr->pitch_or_linsize)
{
g_message ("Requested data exceeds size of file.\n");
return 0;
@@ -1078,7 +1080,9 @@ load_layer (FILE *fp,
}
current_position = ftell (fp);
- if ((width * d->bpp) > (file_size - current_position))
+ if ((hdr->flags & DDSD_PITCH) &&
+ ((width * d->bpp) > (file_size - current_position) ||
+ (width * d->bpp) > hdr->pitch_or_linsize))
{
g_message ("Requested data exceeds size of file.\n");
return 0;
--
2.42.0
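Review bot: `file_size = ftell (fp)` in the first hunk is stored in a `gsize` without checking for the -1 error return, so a failed `ftell` becomes a very large unsigned value and `size > (file_size - current_position)` in the second hunk then accepts any request; the same unchecked `ftell` feeds `file_size` in the other two DDS patches in this commit (in `read_dds` and in the `load_layer` prologue), and no `fseek` return value is checked either. The added `fseek (fp, 0, SEEK_SET)` is overwritten by the existing `fseek (fp, current_position, SEEK_SET)` on the very next line and can simply be dropped. I would keep the `ftell` results in signed locals, return 0 on a negative value or a failed `fseek`, and only then convert to `gsize`, as in the excerpt below. `load_layer` begins and ends outside these hunks, and the `gsize` declarations of `file_size` and `current_position` live in the preceding regression patch rather than here.
```c
  long pos = ftell (fp);
  if (pos < 0 || fseek (fp, 0L, SEEK_END) != 0)
    {
      g_message ("Could not determine file size.\n");
      return 0;
    }
  long end = ftell (fp);
  if (end < 0 || fseek (fp, pos, SEEK_SET) != 0)
    {
      g_message ("Could not determine file size.\n");
      return 0;
    }
  current_position = (gsize) pos;
  file_size = (gsize) end;
  /* … unchanged: width/height clamping and size computation … */
```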


@ -0,0 +1,99 @@
From: Alx Sa <cmyk.student@gmail.com>
Date: Fri, 27 Oct 2023 22:04:48 +0000
Subject: plug-ins: Fix DDS import regression from 7db71cd0
Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/e92f279c97282a2b20dca0d923db7465f2057703
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
Bug-Debian: https://bugs.debian.org/1055984
@Wormnest pointed out that compressed files are likely smaller than
width * height * bps, so our check to prevent ZDI-CAN-22093
also caught valid files.
The size check is removed from load_image () and moved to load_layer ()
before the two fread() functions, as we know exactly how much we'll
try to read at that point.
(Backport of 8faad92e)
---
plug-ins/file-dds/ddsread.c | 39 +++++++++++++++++++++++++++----------
1 file changed, 29 insertions(+), 10 deletions(-)
diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
index 98e122de8aff..74368d04e41a 100644
--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
@@ -191,16 +191,6 @@ read_dds (gchar *filename,
}
}
- /* verify header information is accurate */
- if (hdr.depth < 1 ||
- (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
- (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
- {
- fclose (fp);
- g_message ("Invalid or corrupted DDS header\n");
- return GIMP_PDB_EXECUTION_ERROR;
- }
-
if (hdr.pixelfmt.flags & DDPF_FOURCC)
{
/* fourcc is dXt* or rXgb */
@@ -310,6 +300,15 @@ read_dds (gchar *filename,
precision = GIMP_PRECISION_U8_GAMMA;
}
+ /* verify header information is accurate */
+ if (d.bpp < 1 ||
+ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))))
+ {
+ fclose (fp);
+ g_message ("Invalid or corrupted DDS header\n");
+ return GIMP_PDB_EXECUTION_ERROR;
+ }
+
image = gimp_image_new_with_precision (hdr.width, hdr.height, type, precision);
if (image == -1)
@@ -923,6 +922,13 @@ load_layer (FILE *fp,
unsigned int size = hdr->pitch_or_linsize >> (2 * level);
unsigned int layerw;
int format = DDS_COMPRESS_NONE;
+ gsize file_size;
+ gsize current_position;
+
+ current_position = ftell (fp);
+ fseek (fp, 0L, SEEK_END);
+ file_size = ftell (fp);
+ fseek (fp, current_position, SEEK_SET);
if (width < 1) width = 1;
if (height < 1) height = 1;
@@ -1027,6 +1033,12 @@ load_layer (FILE *fp,
size *= 16;
}
+ if (size > (file_size - current_position))
+ {
+ g_message ("Requested data exceeds size of file.\n");
+ return 0;
+ }
+
if ((hdr->flags & DDSD_LINEARSIZE) &&
!fread (buf, size, 1, fp))
{
@@ -1065,6 +1077,13 @@ load_layer (FILE *fp,
gimp_progress_update ((double)y / (double)hdr->height);
}
+ current_position = ftell (fp);
+ if ((width * d->bpp) > (file_size - current_position))
+ {
+ g_message ("Requested data exceeds size of file.\n");
+ return 0;
+ }
+
if ((hdr->flags & DDSD_PITCH) &&
!fread (buf, width * d->bpp, 1, fp))
{
--
2.42.0
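Review bot: The first added guard, `if (size > (file_size - current_position))` in the fourth hunk, subtracts the `current_position` captured at the top of `load_layer`, whereas the second guard refreshes it with `current_position = ftell (fp)` right before use; if anything is read from `fp` between function entry and the first `fread`, the remaining-bytes figure is stale and this guard is looser than intended — the code in between is outside the hunk, so this needs confirming. Adding `current_position = ftell (fp);` immediately before the first guard, as the last hunk already does, makes both checks use the actual stream position. The relocated header check in `read_dds` also drops the `hdr.depth < 1` test the previous patch introduced; if `hdr.depth` still feeds an allocation or loop bound elsewhere in `read_dds`, it may need its own validation. Both `read_dds` and `load_layer` extend beyond the hunks shown.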


@ -0,0 +1,62 @@
From: Alx Sa <cmyk.student@gmail.com>
Date: Sun, 1 Oct 2023 17:54:08 +0000
Subject: plug-ins: Fix DDS vulnerability (ZDI-CAN-22093)
Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/7db71cd0b6e36c454aa0d2d3efeec7e636db4dbc
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
Bug-Debian: https://bugs.debian.org/1055984
Resolves #10069
Currently, the DDS header information for the width, height, and bytes per scan line
are read in and assumed to be correct. As these values are used for memory allocation
and reading, it would be good to verify they do not exceed the file size.
This patch adds a condition after the header is read in to verify those values. If they exceed
the file size (mins an offset), the file is not read in and an error message is shown.
---
plug-ins/file-dds/ddsread.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
index a8eb8b8ad9f3..98e122de8aff 100644
--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
@@ -109,6 +109,7 @@ read_dds (gchar *filename,
guchar *pixels;
gchar *tmp;
FILE *fp;
+ gsize file_size;
dds_header_t hdr;
dds_header_dx10_t dx10hdr;
dds_load_info_t d;
@@ -130,6 +131,10 @@ read_dds (gchar *filename,
return GIMP_PDB_EXECUTION_ERROR;
}
+ fseek (fp, 0L, SEEK_END);
+ file_size = ftell (fp);
+ fseek (fp, 0, SEEK_SET);
+
if (strrchr (filename, '/'))
tmp = g_strdup_printf ("Loading %s:", strrchr (filename, '/') + 1);
else
@@ -186,6 +191,16 @@ read_dds (gchar *filename,
}
}
+ /* verify header information is accurate */
+ if (hdr.depth < 1 ||
+ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
+ (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
+ {
+ fclose (fp);
+ g_message ("Invalid or corrupted DDS header\n");
+ return GIMP_PDB_EXECUTION_ERROR;
+ }
+
if (hdr.pixelfmt.flags & DDPF_FOURCC)
{
/* fourcc is dXt* or rXgb */
--
2.42.0


@ -0,0 +1,49 @@
From: Alx Sa <cmyk.student@gmail.com>
Date: Sat, 23 Sep 2023 20:40:18 +0000
Subject: plug-ins: Fix vulnerabilities in file-psp
Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/ef12c0a90752a06d4c465a768d052b07f5e8a8a0
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44444
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44443
Bug-Debian: https://bugs.debian.org/1055984
Backports commits e1bfd871 and 96f536a3
from master
---
plug-ins/common/file-psp.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index c0f3480641c2..6a6b93d0cde7 100644
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -1128,8 +1128,17 @@ read_color_block (FILE *f,
}
color_palette_entries = GUINT32_FROM_LE (entry_count);
+ /* TODO: GIMP currently only supports a maximum of 256 colors
+ * in an indexed image. If this changes, we can change this check */
+ if (color_palette_entries > 256)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("Error: Unsupported palette size"));
+ return -1;
+ }
+
/* psp color palette entries are stored as RGBA so 4 bytes per entry
- where the fourth bytes is always zero */
+ * where the fourth bytes is always zero */
pal_size = color_palette_entries * 4;
color_palette = g_malloc (pal_size);
if (fread (color_palette, pal_size, 1, f) < 1)
@@ -1498,7 +1507,7 @@ read_channel_data (FILE *f,
else
endq = q + line_width * height;
- buf = g_malloc (127);
+ buf = g_malloc (128);
while (q < endq)
{
fread (&runcount, 1, 1, f);
--
2.42.0
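Review bot: `buf = g_malloc (128)` in the second hunk corrects the size by one but leaves the bound as a bare literal, so the next reader cannot tell why 128 is enough; the loop reads a single-byte `runcount`, and the buffer presumably has to hold the longest run that byte can encode, but the loop body that writes into `buf` is outside the hunk. I would put the justification on the line once it is confirmed against that loop, e.g. `buf = g_malloc (128); /* longest run a one-byte runcount can produce — see decode loop below */`, or name the constant. The neighbouring `fread (&runcount, 1, 1, f);` is pre-existing, but its return value is ignored, so a truncated file leaves `runcount` holding whatever it held before; worth checking while this loop is being touched. `read_channel_data` and `read_color_block` both start and end outside the hunks.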


@ -0,0 +1,29 @@
From: Alx Sa <cmyk.student@gmail.com>
Date: Fri, 29 Sep 2023 20:39:29 +0000
Subject: plug-ins: Fix vulnerability in file-psd
Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44442
Bug-Debian: https://bugs.debian.org/1055984
Resolves #10101.
This patch adds a missing break statement after an error condition
is detected to prevent the code from continuing afterwards.
---
plug-ins/file-psd/psd-util.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/plug-ins/file-psd/psd-util.c b/plug-ins/file-psd/psd-util.c
index 1eccdd640e1c..34b442dc4966 100644
--- a/plug-ins/file-psd/psd-util.c
+++ b/plug-ins/file-psd/psd-util.c
@@ -518,6 +518,7 @@ decode_packbits (const gchar *src,
{
IFDBG(2) g_debug ("Overrun in packbits replicate of %d chars", n - unpack_left);
error_code = 2;
+ break;
}
memset (dst, *src, n);
src++;
--
2.42.0


@ -1,2 +1,7 @@
01_hurd_ftbfs.patch
02_hurd_ftbfs.patch
plug-ins-Fix-vulnerabilities-in-file-psp.patch
plug-ins-Fix-vulnerability-in-file-psd.patch
plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
plug-ins-Additional-fixes-for-DDS-Import.patch