From ead04564e878ad0531e77537ce874009ed9fa258 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Mon, 4 Dec 2023 17:07:18 +0800
Subject: [PATCH] Fix CVE-2023-44442 and CVE-2023-44444
(cherry picked from commit 8876dc7909cbc49ffd1be1e49b49f371abd35919)
---
 CVE-2023-44442.patch | 30 ++++++++++++++++++++++++++++++
 CVE-2023-44444.patch | 34 ++++++++++++++++++++++++++++++++++
 gimp.spec | 9 ++++++++-
 3 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-44442.patch
 create mode 100644 CVE-2023-44444.patch
diff --git a/CVE-2023-44442.patch b/CVE-2023-44442.patch
new file mode 100644
index 0000000..8f9e9c4
--- /dev/null
+++ b/CVE-2023-44442.patch
@@ -0,0 +1,30 @@
+From f131d4feacfd86825d255effd02cde15373e6fc3 Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Fri, 29 Sep 2023 20:39:29 +0000
+Subject: plug-ins: Fix vulnerability in file-psd
+
+Resolves #10101.
+This patch adds a missing break statement after an error condition
+is detected to prevent the code from continuing afterwards.
+
+Origin:
+https://gitlab.gnome.org/GNOME/gimp/-/commit/985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d
+---
+ plug-ins/file-psd/psd-util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plug-ins/file-psd/psd-util.c b/plug-ins/file-psd/psd-util.c
+index f71a57bdd6..4b6507b5de 100644
+--- a/plug-ins/file-psd/psd-util.c
++++ b/plug-ins/file-psd/psd-util.c
+@@ -519,6 +519,7 @@ decode_packbits (const gchar *src,
+ {
+ IFDBG(2) g_debug ("Overrun in packbits replicate of %d chars", n - unpack_left);
+ error_code = 2;
++ break;
+ }
+ dat = *src;
+ for (; n > 0; --n)
+--
+2.30.2
+
diff --git a/CVE-2023-44444.patch b/CVE-2023-44444.patch
new file mode 100644
index 0000000..49dffe2
--- /dev/null
+++ b/CVE-2023-44444.patch
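Review bot: The added `++ break;` leaves the replicate loop once the overrun is detected, but the hunk stops at `for (; n > 0; --n)` and shows nothing about how `error_code = 2` is consumed afterwards, so it is worth confirming against the full decode_packbits (which continues outside the hunk) that the caller treats the partially decoded buffer as an error rather than as valid image data. A separate documentation point applies to both new patch files, this one and CVE-2023-44444.patch: the inner `From f131d4feacfd86825d255effd02cde15373e6fc3` header names a different commit than the `Origin:` URL (985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d), presumably because the file is a rebased copy of the upstream change. A one-line note in the patch header such as `Rebased copy of upstream 985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d for 2.10.6` would stop a later auditor from chasing the wrong hash when verifying the backport.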
@@ -0,0 +1,34 @@
+From 5203f996b5eb018fd08e8e99e42b28f42ef27533 Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Sat, 23 Sep 2023 02:16:24 +0000
+Subject: plug-ins: Fix PSP vulnerability (ZDI-CAN-22097)
+
+Resolves #10071.
+
+When reading RLE compressed data, a buffer was allocated to 127 bytes.
+However, it can potentially be used to read 128 bytes, leading to a
+off-by-one vulnerability. This patch allocates 128 bytes to the buffer
+to prevent this from occurring.
+
+Origin:
+https://gitlab.gnome.org/GNOME/gimp/-/commit/e1bfd87195e4fe60a92df70cde65464d032dd3c1
+---
+ plug-ins/common/file-psp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index 33c6a2b607..f3aa00fdc0 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -1235,7 +1235,7 @@ read_channel_data (FILE *f,
+ 
+ q = pixels[0] + offset;
+ endq = q + npixels * bytespp;
+- buf = g_malloc (127);
++ buf = g_malloc (128);
+ while (q < endq)
+ {
+ fread (&runcount, 1, 1, f);
+--
+2.30.2
+
diff --git a/gimp.spec b/gimp.spec
index 1b99885..3391cb1 100644
--- a/gimp.spec
+++ b/gimp.spec
@@ -1,6 +1,6 @@
 Name: gimp
 Version: 2.10.6
-Release: 9
+Release: 10
 Epoch: 2
 Summary: A versatile graphics manipulation package
 License: GPLv3+ and GPLv3
@@ -9,6 +9,10 @@ URL: http://www.gimp.org/ Source0: http://download.gimp.org/pub/gimp/v2.10/gimp-2.10.6.tar.bz2 Patch6000: backport-CVE-2018-12713.patch Patch6001: CVE-2021-45463.patch +# https://gitlab.gnome.org/GNOME/gimp/-/commit/985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d +Patch6002: CVE-2023-44442.patch +# https://gitlab.gnome.org/GNOME/gimp/-/commit/e1bfd87195e4fe60a92df70cde65464d032dd3c1 +Patch6003: CVE-2023-44444.patch %global apiversion 2.0 %global textversion 20
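Review bot: The new `++ buf = g_malloc (128);` replaces one magic number with another, and nothing in the hunk records why 128 is the right bound; the justification is only in the commit message, which is lost once the patch is applied. Since `fread (&runcount, 1, 1, f);` reads the run count as a single byte, a comment on that line such as `/* runcount is one byte, so a literal run is at most 128 bytes; size buf accordingly */` would tie the allocation to the invariant it depends on, if the backport is ever reworked rather than kept verbatim from upstream. Worth noting for a follow-up: the context line `fread (&runcount, 1, 1, f);` ignores its return value, so on a truncated file runcount keeps its previous value and the loop keeps running; that is pre-existing behaviour, not introduced here, and read_channel_data continues outside the hunk so the later handling is not visible.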
@@ -255,6 +259,9 @@ make check %{?_smp_mflags} %{_mandir}/man*/* %changelog +* Mon Dec 04 2023 yaoxin - 2:2.10.6-10 +- Fix CVE-2023-44442 and CVE-2023-44444 + * Fri Jan 07 2022 yaoxin - 2:2.10.6-9 - Fix CVE-2021-45463 -- Gitee