-rw-r--r-- | main/gimp/APKBUILD | 8 | ||||
-rw-r--r-- | main/gimp/cve-2011-2896.patch | 61 |
2 files changed, 66 insertions, 3 deletions
diff --git a/main/gimp/APKBUILD b/main/gimp/APKBUILD
index 71c211895b..d297aae275 100644
--- a/main/gimp/APKBUILD
+++ b/main/gimp/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=gimp
 pkgver=2.6.11
-pkgrel=5
+pkgrel=6
 pkgdesc="GNU Image Manipulation Program"
 url="http://www.gimp.org/"
 arch="all"
@@ -13,7 +13,8 @@ install=
 subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
 source="ftp://ftp.$pkgname.org/pub/$pkgname/v2.6/$pkgname-$pkgver.tar.bz2
 gimp-libpng1.5-compat.patch
- gimp-curl-fix.patch"
+ gimp-curl-fix.patch
+ cve-2011-2896.patch"
 _builddir="${srcdir}/${pkgname}-${pkgver}"
 prepare() {
@@ -54,4 +55,5 @@ package() {
 md5sums="bb2939fe13e54fc7255cef5d097bb5dd gimp-2.6.11.tar.bz2
 7dfc4006676fdea887f1883ccc6c7772 gimp-libpng1.5-compat.patch
-678010acec374e06140e65f7de24ff69 gimp-curl-fix.patch"
+678010acec374e06140e65f7de24ff69 gimp-curl-fix.patch
+c317eae455c808b8434e9b600afee648 cve-2011-2896.patch"
diff --git a/main/gimp/cve-2011-2896.patch b/main/gimp/cve-2011-2896.patch
new file mode 100644
index 0000000000..735d771750
--- /dev/null
+++ b/main/gimp/cve-2011-2896.patch
@@ -0,0 +1,61 @@
+From 376ad788c1a1c31d40f18494889c383f6909ebfc Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils@redhat.com>
+Date: Thu, 04 Aug 2011 10:51:42 +0000
+Subject: file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896)
+
+---
+(limited to 'plug-ins/common/file-gif-load.c')
+
+diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
+index 81f3bd0..c91e7aa 100644
+--- a/plug-ins/common/file-gif-load.c
++++ b/plug-ins/common/file-gif-load.c
+@@ -713,7 +713,8 @@ LZWReadByte (FILE *fd,
+ static gint firstcode, oldcode;
+ static gint clear_code, end_code;
+ static gint table[2][(1 << MAX_LZW_BITS)];
+- static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
++#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
++ static gint stack[STACK_SIZE], *sp;
+ gint i;
+
+ if (just_reset_LZW)
+@@ -788,7 +789,7 @@ LZWReadByte (FILE *fd,
+
+ return firstcode & 255;
+ }
+- else if (code == end_code)
++ else if (code == end_code || code > max_code)
+ {
+ gint count;
+ guchar buf[260];
+@@ -807,13 +808,14 @@ LZWReadByte (FILE *fd,
+
+ incode = code;
+
+- if (code >= max_code)
++ if (code == max_code)
+ {
+- *sp++ = firstcode;
++ if (sp < &(stack[STACK_SIZE]))
++ *sp++ = firstcode;
+ code = oldcode;
+ }
+
+- while (code >= clear_code)
++ while (code >= clear_code && sp < &(stack[STACK_SIZE]))
+ {
+ *sp++ = table[1][code];
+ if (code == table[0][code])
+@@ -824,7 +826,8 @@ LZWReadByte (FILE *fd,
+ code = table[0][code];
+ }
+
+- *sp++ = firstcode = table[1][code];
++ if (sp < &(stack[STACK_SIZE]))
++ *sp++ = firstcode = table[1][code];
+
+ if ((code = max_code) < (1 << MAX_LZW_BITS))
+ {
+--
+cgit v0.9.0.2 |
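Review bot: The three `sp < &(stack[STACK_SIZE])` guards added to LZWReadByte in the embedded file-gif-load.c patch stop the write past `stack`, but they drop data silently: on a full stack the `while` loop simply exits, and the final guard also skips the `firstcode = table[1][code]` assignment, so a malformed GIF keeps decoding with stale state instead of being rejected. I would treat a full stack as a corrupt-file condition right after the loop, e.g. `if (sp >= &(stack[STACK_SIZE])) return -1;` (the error value is an assumption; LZWReadByte starts and ends outside these hunks, so its error returns are not visible). `STACK_SIZE` is also `#define`d inside the function body and never `#undef`ed, so it leaks into the rest of the file; defining it beside `MAX_LZW_BITS` would be tidier. As this file mirrors upstream commit 376ad788c1a1c31d40f18494889c383f6909ebfc, such changes are better proposed upstream than edited into the packaged patch.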