author | Natanael Copa <ncopa@alpinelinux.org> | 2012-07-03 13:08:58 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2012-07-03 13:09:51 +0000 |
commit | b66f36cabcb08c2c0c87b798b8a4eb6ba822e01a (patch) | |
tree | 1ed0dc990522ccbbec7eb573064c610c8e9c42c5 | |
parent | 6584eb6ae6df8e88c404669652e821f158f4c3ca (diff) | |
download | aports-b66f36cabcb08c2c0c87b798b8a4eb6ba822e01a.tar.bz2 aports-b66f36cabcb08c2c0c87b798b8a4eb6ba822e01a.tar.xz |
main/gimp: upgrade to 2.6.12 and fix CVE-2012-2763
fixes #1201
-rw-r--r-- | main/gimp/APKBUILD | 15 | ||||
-rw-r--r-- | main/gimp/CVE-2012-2763.patch | 122 | ||||
-rw-r--r-- | main/gimp/cve-2011-2896.patch | 61 | ||||
-rw-r--r-- | main/gimp/gimp-curl-fix.patch | 12 |
4 files changed, 143 insertions, 67 deletions
diff --git a/main/gimp/APKBUILD b/main/gimp/APKBUILD index aabe19fe21..b6bf2133a9 100644 --- a/main/gimp/APKBUILD +++ b/main/gimp/APKBUILD @@ -1,17 +1,19 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=gimp -pkgver=2.6.11 -pkgrel=1 +pkgver=2.6.12 +pkgrel=0 pkgdesc="GNU Image Manipulation Program" url="http://www.gimp.org/" license="GPL" makedepends="gtk+-dev libxpm-dev libxmu-dev librsvg-dev dbus-glib-dev libexif-dev desktop-file-utils intltool gegl-dev tiff-dev - jpeg-dev libpng-dev curl-dev" + jpeg-dev libpng-dev curl-dev openssl-dev" install= subpackages="$pkgname-dev $pkgname-doc" source="ftp://ftp.$pkgname.org/pub/$pkgname/v2.6/$pkgname-$pkgver.tar.bz2 - cve-2011-2896.patch" + gimp-curl-fix.patch + CVE-2012-2763.patch + " prepare() { cd "$srcdir"/$pkgname-$pkgver @@ -43,5 +45,6 @@ package() { make DESTDIR="$pkgdir" install || return 1 ln -s gimptool-2.0 "$pkgdir/usr/bin/gimptool" || return 1 } -md5sums="bb2939fe13e54fc7255cef5d097bb5dd gimp-2.6.11.tar.bz2 -c317eae455c808b8434e9b600afee648 cve-2011-2896.patch" +md5sums="9f876ee63a0c4a4c83f50f32fb3bbe63 gimp-2.6.12.tar.bz2 +678010acec374e06140e65f7de24ff69 gimp-curl-fix.patch +5ec673cf5c153af8a19eb264bea5d3f5 CVE-2012-2763.patch" diff --git a/main/gimp/CVE-2012-2763.patch b/main/gimp/CVE-2012-2763.patch new file mode 100644 index 0000000000..c3f81c4898 --- /dev/null +++ b/main/gimp/CVE-2012-2763.patch 
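Review bot: Dropping `cve-2011-2896.patch` from `source=` and `md5sums` is not explained in the commit message, which mentions only CVE-2012-2763. Presumably 2.6.12 already carries the LZWReadByte bounds checks, but that should be confirmed against the 2.6.12 tarball and recorded, for example with a comment above `source=` such as `# cve-2011-2896.patch dropped: fix is included upstream in 2.6.12`. The tarball is also still fetched over plain `ftp://` and pinned only by an MD5 in the second hunk, so a stronger digest is worth adding wherever the packaging tool supports one. `prepare()` continues outside the first hunk, so whether the two new patches are actually applied cannot be checked from here.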
@@ -0,0 +1,122 @@ +From 744f7a4a2b5acb8b531a6f5dd8744ebb95348fc2 Mon Sep 17 00:00:00 2001 +From: Kevin Cozens <kcozens@cvs.gnome.org> +Date: Mon, 17 Aug 2009 23:29:02 +0000 +Subject: script-fu: Bug #679215: Fixed potential buffer overflow in readstr_upto() + +Cherry picked from commit 76155d79df8d497d9a5994029247387e222da9e9. + +gimp-2-6 is no longer maintained. But we might as well commit this for +the benefit of EL/LTS distros. This patch hasn't even been compiled, so +YMMV. Enjoy. +--- +diff --git a/plug-ins/script-fu/tinyscheme/scheme.c b/plug-ins/script-fu/tinyscheme/scheme.c +index 60440fc..1f509f2 100644 +--- a/plug-ins/script-fu/tinyscheme/scheme.c ++++ b/plug-ins/script-fu/tinyscheme/scheme.c +@@ -1710,7 +1710,7 @@ static char *readstr_upto(scheme *sc, char *delim) { + char *p = sc->strbuff; + gunichar c = 0; + gunichar c_prev = 0; +- int len = 0; ++ int len = 0; + + #if 0 + while (!is_one_of(delim, (*p++ = inchar(sc)))) +@@ -1727,7 +1727,8 @@ static char *readstr_upto(scheme *sc, char *delim) { + c = inchar(sc); + len = g_unichar_to_utf8(c, p); + p += len; +- } while (c && !is_one_of(delim, c)); ++ } while ((p - sc->strbuff < sizeof(sc->strbuff)) && ++ (c && !is_one_of(delim, c))); + + if(p==sc->strbuff+2 && c_prev=='\\') + *p = '\0'; +@@ -2053,9 +2054,11 @@ static void atom2str(scheme *sc, pointer l, int f, char **pp, int *plen) { + default: + #if USE_ASCII_NAMES + if(c==127) { +- strcpy(p,"#\\del"); break; ++ snprintf(p,STRBUFFSIZE, "#\\del"); ++ break; + } else if(c<32) { +- strcpy(p,"#\\"); strcat(p,charnames[c]); break; ++ snprintf(p,STRBUFFSIZE, "#\\%s", charnames[c]); ++ break; + } + #else + if(c<32) { +@@ -2655,7 +2658,7 @@ static pointer opexe_0(scheme *sc, enum scheme_opcodes op) { + if(sc->tracing) { + s_save(sc,OP_REAL_APPLY,sc->args,sc->code); + sc->print_flag = 1; +- /* sc->args=cons(sc,sc->code,sc->args);*/ ++ /* sc->args=cons(sc,sc->code,sc->args);*/ + putstr(sc,"\nApply to: "); + s_goto(sc,OP_P0LIST); + } +@@ -2769,7 +2772,7 @@ static 
pointer opexe_0(scheme *sc, enum scheme_opcodes op) { + + case OP_SET0: /* set! */ + if(is_immutable(car(sc->code))) +- Error_1(sc,"set!: unable to alter immutable variable", car(sc->code)); ++ Error_1(sc,"set!: unable to alter immutable variable",car(sc->code)); + s_save(sc,OP_SET1, sc->NIL, car(sc->code)); + sc->code = cadr(sc->code); + s_goto(sc,OP_EVAL); +@@ -3593,17 +3596,11 @@ static pointer opexe_2(scheme *sc, enum scheme_opcodes op) { + static int is_list(scheme *sc, pointer a) + { return list_length(sc,a) >= 0; } + +-/* Result is: +- proper list: length +- circular list: -1 +- not even a pair: -2 +- dotted list: -2 minus length before dot +-*/ +-int list_length(scheme *sc, pointer a) { ++int list_length(scheme *sc, pointer p) { + int i=0; + pointer slow, fast; + +- slow = fast = a; ++ slow = fast = p; + while (1) + { + if (fast == sc->NIL) +@@ -4156,13 +4153,13 @@ static pointer opexe_5(scheme *sc, enum scheme_opcodes op) { + case OP_RDVEC: + /*sc->code=cons(sc,mk_proc(sc,OP_VECTOR),sc->value); + s_goto(sc,OP_EVAL); Cannot be quoted*/ +- /*x=cons(sc,mk_proc(sc,OP_VECTOR),sc->value); +- s_return(sc,x); Cannot be part of pairs*/ +- /*sc->code=mk_proc(sc,OP_VECTOR); +- sc->args=sc->value; +- s_goto(sc,OP_APPLY);*/ +- sc->args=sc->value; +- s_goto(sc,OP_VECTOR); ++ /*x=cons(sc,mk_proc(sc,OP_VECTOR),sc->value); ++ s_return(sc,x); Cannot be part of pairs*/ ++ /*sc->code=mk_proc(sc,OP_VECTOR); ++ sc->args=sc->value; ++ s_goto(sc,OP_APPLY);*/ ++ sc->args=sc->value; ++ s_goto(sc,OP_VECTOR); + + /* ========== printing part ========== */ + case OP_P0LIST: +diff --git a/plug-ins/script-fu/tinyscheme/scheme.h b/plug-ins/script-fu/tinyscheme/scheme.h +index 92edba6..c3bf08e 100644 +--- a/plug-ins/script-fu/tinyscheme/scheme.h ++++ b/plug-ins/script-fu/tinyscheme/scheme.h +@@ -198,7 +198,7 @@ struct scheme_interface { + gunichar (*charvalue)(pointer p); + int (*is_list)(scheme *sc, pointer p); + int (*is_vector)(pointer p); +- int (*list_length)(scheme *sc, pointer a); 
++ int (*list_length)(scheme *sc, pointer p); + long (*vector_length)(pointer vec); + void (*fill_vector)(pointer vec, pointer elem); + pointer (*vector_elem)(pointer vec, int ielem); +-- +cgit v0.9.0.2 diff --git a/main/gimp/cve-2011-2896.patch b/main/gimp/cve-2011-2896.patch deleted file mode 100644 index 735d771750..0000000000 --- a/main/gimp/cve-2011-2896.patch +++ /dev/null 
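Review bot: The new bound in `readstr_upto()` is evaluated only after `g_unichar_to_utf8(c, p)` has already written, so an iteration can still start with a single byte left and write a multi-byte sequence past the end of `sc->strbuff`, and the terminating `*p = '\0'` can land one past the end as well. The condition should reserve room for the longest encoding plus the terminator, e.g. `} while (((size_t)(p - sc->strbuff) + 6 < sizeof(sc->strbuff)) &&`, since g_unichar_to_utf8 requires up to 6 bytes of output space. In `atom2str()` the `snprintf(p, STRBUFFSIZE, ...)` calls are only correct if `p` points at the start of a STRBUFFSIZE-byte buffer, which is not visible in the hunk. The patch description itself says the change was never compiled, and it mixes in whitespace edits, a parameter rename and removal of the `list_length` return-value comment, so a build plus a regression test with a token longer than the buffer is warranted before this ships as the CVE fix. Both functions continue outside the hunks shown.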
@@ -1,61 +0,0 @@
-From 376ad788c1a1c31d40f18494889c383f6909ebfc Mon Sep 17 00:00:00 2001
-From: Nils Philippsen <nils@redhat.com>
-Date: Thu, 04 Aug 2011 10:51:42 +0000
-Subject: file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896)
-
----
-(limited to 'plug-ins/common/file-gif-load.c')
-
-diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
-index 81f3bd0..c91e7aa 100644
---- a/plug-ins/common/file-gif-load.c
-+++ b/plug-ins/common/file-gif-load.c
-@@ -713,7 +713,8 @@ LZWReadByte (FILE *fd,
- static gint firstcode, oldcode;
- static gint clear_code, end_code;
- static gint table[2][(1 << MAX_LZW_BITS)];
-- static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
-+#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
-+ static gint stack[STACK_SIZE], *sp;
- gint i;
-
- if (just_reset_LZW)
-@@ -788,7 +789,7 @@ LZWReadByte (FILE *fd,
-
- return firstcode & 255;
- }
-- else if (code == end_code)
-+ else if (code == end_code || code > max_code)
- {
- gint count;
- guchar buf[260];
-@@ -807,13 +808,14 @@ LZWReadByte (FILE *fd,
-
- incode = code;
-
-- if (code >= max_code)
-+ if (code == max_code)
- {
-- *sp++ = firstcode;
-+ if (sp < &(stack[STACK_SIZE]))
-+ *sp++ = firstcode;
- code = oldcode;
- }
-
-- while (code >= clear_code)
-+ while (code >= clear_code && sp < &(stack[STACK_SIZE]))
- {
- *sp++ = table[1][code];
- if (code == table[0][code])
-@@ -824,7 +826,8 @@ LZWReadByte (FILE *fd,
- code = table[0][code];
- }
-
-- *sp++ = firstcode = table[1][code];
-+ if (sp < &(stack[STACK_SIZE]))
-+ *sp++ = firstcode = table[1][code];
-
- if ((code = max_code) < (1 << MAX_LZW_BITS))
- {
---
-cgit v0.9.0.2
diff --git a/main/gimp/gimp-curl-fix.patch b/main/gimp/gimp-curl-fix.patch
new file mode 100644
index 0000000000..ea8935d008
--- /dev/null
+++ b/main/gimp/gimp-curl-fix.patch
@@ -0,0 +1,12 @@
+diff --git a/plug-ins/file-uri/uri-backend-libcurl.c b/plug-ins/file-uri/uri-backend-libcurl.c
+index a566966..747dca7 100644
+--- a/plug-ins/file-uri/uri-backend-libcurl.c
++++ b/plug-ins/file-uri/uri-backend-libcurl.c
+@@ -24,7 +24,6 @@
+ #include <errno.h>
+
+ #include <curl/curl.h>
+-#include <curl/types.h>
+ #include <curl/easy.h>
+
+ #include <glib/gstdio.h> |