community/gimp: security fixes

CVE-2017-17784, CVE-2017-17785, CVE-2017-17786, CVE-2017-17787, CVE-2017-17789

Fixes #8350

CVE-2017-17788 applies only to >= v2.9.6

1 files changed, 38 insertions, 0 deletions

diff --git a/community/gimp/CVE-2017-17789.patch b/community/gimp/CVE-2017-17789.patch
new file mode 100644
index 0000000000..3d63694f67
--- /dev/null
+++ b/community/gimp/CVE-2017-17789.patch
@@ -0,0 +1,38 @@
+From 01898f10f87a094665a7fdcf7153990f4e511d3f Mon Sep 17 00:00:00 2001
+From: Jehan <jehan@girinstud.io>
+Date: Wed, 20 Dec 2017 16:44:20 +0100
+Subject: Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer overflow...
+
+... in PSP importer.
+Check if declared block length is valid (i.e. within the actual file)
+before going further.
+Consider the file as broken otherwise and fail loading it.
+
+(cherry picked from commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8)
+---
+ plug-ins/common/file-psp.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index ac0fff7..4cbafe3 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -1771,6 +1771,15 @@ load_image (const gchar  *filename,
+     {
+       block_start = ftell (f);
+ 
++      if (block_start + block_total_len > st.st_size)
++        {
++          g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++                       _("Could not open '%s' for reading: %s"),
++                       gimp_filename_to_utf8 (filename),
++                       _("invalid block size"));
++          goto error;
++        }
++
+       if (id == PSP_IMAGE_BLOCK)
+         {
+           if (block_number != 0)
+-- 
+cgit v0.12
+