gnu: gimp: Fix CVE-2016-4994.
* gnu/packages/patches/gimp-CVE-2016-4994.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gimp.scm (gimp): Use it.
							parent
							
								
									a4bbf41b25
								
							
						
					
					
						commit
						9996ab16e6
					
				
					 3 changed files with 98 additions and 0 deletions
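--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -515,6 +515,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/geoclue-config.patch			\
   %D%/packages/patches/ghostscript-CVE-2015-3228.patch		\
   %D%/packages/patches/ghostscript-runpath.patch		\
+  %D%/packages/patches/gimp-CVE-2016-4994.patch			\
   %D%/packages/patches/glib-networking-ssl-cert-file.patch	\
   %D%/packages/patches/glib-tests-timer.patch			\
   %D%/packages/patches/glibc-CVE-2015-7547.patch		\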
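--- a/gnu/packages/gimp.scm
+++ b/gnu/packages/gimp.scm
@@ -130,6 +130,7 @@ buffers.")
               (uri (string-append "http://download.gimp.org/pub/gimp/v"
                                   (version-major+minor version)
                                   "/gimp-" version ".tar.bz2"))
+              (patches (search-patches "gimp-CVE-2016-4994.patch"))
               (sha256
                (base32
                 "1dsgazia9hmab8cw3iis7s69dvqyfj5wga7ds7w2q5mms1xqbqwm"))))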
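--- /dev/null
+++ b/gnu/packages/patches/gimp-CVE-2016-4994.patch
@@ -0,0 +1,96 @@
+Fix CVE-2016-4994:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4994
+
+Copied from upstream repository:
+https://git.gnome.org/browse/gimp/patch/?id=e82aaa4b4ee0703c879e35ea9321fff6be3e9b6f
+
+From e82aaa4b4ee0703c879e35ea9321fff6be3e9b6f Mon Sep 17 00:00:00 2001
+From: Shmuel H <shmuelgimp@gmail.com>
+Date: Mon, 20 Jun 2016 17:14:41 +0300
+Subject: Bug 767873 - (CVE-2016-4994) Multiple Use-After-Free when parsing...
+
+...XCF channel and layer properties
+
+The properties PROP_ACTIVE_LAYER, PROP_FLOATING_SELECTION,
+PROP_ACTIVE_CHANNEL saves the current object pointer the @info
+structure. Others like PROP_SELECTION (for channel) and
+PROP_GROUP_ITEM (for layer) will delete the current object and create
+a new object, leaving the pointers in @info invalid (dangling).
+
+Therefore, if a property from the first type will come before the
+second, the result will be an UaF in the last lines of xcf_load_image
+(when it actually using the pointers from @info).
+
+I wasn't able to exploit this bug because that
+g_object_instance->c_class gets cleared by the last g_object_unref and
+GIMP_IS_{LAYER,CHANNEL} detects that and return FALSE.
+
+(cherry picked from commit 6d804bf9ae77bc86a0a97f9b944a129844df9395)
+---
+ app/xcf/xcf-load.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
+index b180377..67cc6d4 100644
+--- a/app/xcf/xcf-load.c
++++ b/app/xcf/xcf-load.c
+@@ -904,6 +904,18 @@ xcf_load_layer_props (XcfInfo    *info,
+         case PROP_GROUP_ITEM:
+           {
+             GimpLayer *group;
++            gboolean   is_active_layer;
++
++            /* We're going to delete *layer, Don't leave its pointers
++             * in @info.  After that, we'll restore them back with the
++             * new pointer. See bug #767873.
++             */
++            is_active_layer = (*layer == info->active_layer);
++            if (is_active_layer)
++              info->active_layer = NULL;
++
++            if (*layer == info->floating_sel)
++              info->floating_sel = NULL;
+ 
+             group = gimp_group_layer_new (image);
+ 
+@@ -916,6 +928,13 @@ xcf_load_layer_props (XcfInfo    *info,
+             g_object_ref_sink (*layer);
+             g_object_unref (*layer);
+             *layer = group;
++
++            if (is_active_layer)
++              info->active_layer = *layer;
++
++            /* Don't restore info->floating_sel because group layers
++             * can't be floating selections
++             */
+           }
+           break;
+ 
+@@ -986,6 +1005,12 @@ xcf_load_channel_props (XcfInfo      *info,
+           {
+             GimpChannel *mask;
+ 
++            /* We're going to delete *channel, Don't leave its pointer
++             * in @info. See bug #767873.
++             */
++            if (*channel == info->active_channel)
++              info->active_channel = NULL;
++
+             mask =
+               gimp_selection_new (image,
+                                   gimp_item_get_width  (GIMP_ITEM (*channel)),
+@@ -1000,6 +1025,10 @@ xcf_load_channel_props (XcfInfo      *info,
+             *channel = mask;
+             (*channel)->boundary_known = FALSE;
+             (*channel)->bounds_known   = FALSE;
++
++            /* Don't restore info->active_channel because the
++             * selection can't be the active channel
++             */
+           }
+           break;
+ 
+-- 
+cgit v0.12
+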