2a74f6f7e7
* gnu/packages/patches/gimp-CVE-2017-17784.patch, gnu/packages/patches/gimp-CVE-2017-17785.patch, gnu/packages/patches/gimp-CVE-2017-17786.patch, gnu/packages/patches/gimp-CVE-2017-17787.patch, gnu/packages/patches/gimp-CVE-2017-17789.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/gimp.scm (gimp)[source]: Use them.
41 lines
1.4 KiB
Diff
41 lines
1.4 KiB
Diff
Fix CVE-2017-17784:
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17784
|
|
https://bugzilla.gnome.org/show_bug.cgi?id=790784
|
|
|
|
Patch copied from upstream source repository:
|
|
|
|
https://git.gnome.org/browse/gimp/commit/?id=c57f9dcf1934a9ab0cd67650f2dea18cb0902270
|
|
|
|
From c57f9dcf1934a9ab0cd67650f2dea18cb0902270 Mon Sep 17 00:00:00 2001
|
|
From: Jehan <jehan@girinstud.io>
|
|
Date: Thu, 21 Dec 2017 12:25:32 +0100
|
|
Subject: [PATCH] Bug 790784 - (CVE-2017-17784) heap overread in gbr parser /
|
|
load_image.
|
|
|
|
We were assuming the input name was well formed, hence was
|
|
nul-terminated. As any data coming from external input, this has to be
|
|
thorougly checked.
|
|
Similar to commit 06d24a79af94837d615d0024916bb95a01bf3c59 but adapted
|
|
to older gimp-2-8 code.
|
|
---
|
|
plug-ins/common/file-gbr.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
|
|
index b028100bef..d3f01d9c56 100644
|
|
--- a/plug-ins/common/file-gbr.c
|
|
+++ b/plug-ins/common/file-gbr.c
|
|
@@ -443,7 +443,8 @@ load_image (const gchar *filename,
|
|
{
|
|
gchar *temp = g_new (gchar, bn_size);
|
|
|
|
- if ((read (fd, temp, bn_size)) < bn_size)
|
|
+ if ((read (fd, temp, bn_size)) < bn_size ||
|
|
+ temp[bn_size - 1] != '\0')
|
|
{
|
|
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
|
|
_("Error in GIMP brush file '%s'"),
|
|
--
|
|
2.15.1
|
|
|