pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/graphics/gimp add patches from upstream, via Debian/Ub...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/3a9ce6cc9c60
branches:  trunk
changeset: 587806:3a9ce6cc9c60
user:      drochner <drochner%pkgsrc.org@localhost>
date:      Fri Apr 15 16:39:09 2011 +0000

description:
add patches from upstream, via Debian/Ubuntu:
-possible buffer overflows when parsing config files of plugins
 (CVE-2010-4540, CVE-2010-4541, CVE-2010-4542)
-possible buffer overflow in PSP image parser plugin (CVE-2010-4543)
bump PKGREV

diffstat:

 graphics/gimp/Makefile         |   4 +-
 graphics/gimp/distinfo         |   6 +++-
 graphics/gimp/patches/patch-ba |  60 ++++++++++++++++++++++++++++++++++++++++++
 graphics/gimp/patches/patch-bb |  32 ++++++++++++++++++++++
 graphics/gimp/patches/patch-bc |  35 ++++++++++++++++++++++++
 graphics/gimp/patches/patch-bd |  17 +++++++++++
 6 files changed, 151 insertions(+), 3 deletions(-)

diffs (190 lines):

diff -r 43944fc611d8 -r 3a9ce6cc9c60 graphics/gimp/Makefile
--- a/graphics/gimp/Makefile    Fri Apr 15 16:32:33 2011 +0000
+++ b/graphics/gimp/Makefile    Fri Apr 15 16:39:09 2011 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.203 2011/01/24 16:51:59 wiz Exp $
+# $NetBSD: Makefile,v 1.204 2011/04/15 16:39:09 drochner Exp $
 
 DISTNAME=      gimp-2.6.11
-PKGREVISION=   4
+PKGREVISION=   5
 CATEGORIES=    graphics
 MASTER_SITES=  ftp://ftp.gimp.org/pub/gimp/v2.6/ \
                ${MASTER_SITE_GNU:=gimp/v2.6/} \
diff -r 43944fc611d8 -r 3a9ce6cc9c60 graphics/gimp/distinfo
--- a/graphics/gimp/distinfo    Fri Apr 15 16:32:33 2011 +0000
+++ b/graphics/gimp/distinfo    Fri Apr 15 16:39:09 2011 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.61 2011/01/24 16:51:59 wiz Exp $
+$NetBSD: distinfo,v 1.62 2011/04/15 16:39:09 drochner Exp $
 
 SHA1 (gimp-2.6.11.tar.bz2) = 2f9d596e727bdbf304fa78257c1731d9faf3934c
 RMD160 (gimp-2.6.11.tar.bz2) = a116377499e58dc2bfe231ab3c057d0be94091ff
@@ -9,3 +9,7 @@
 SHA1 (patch-ad) = 4e2ce2f7d8729fb760eac1bad89cfe09fef499b0
 SHA1 (patch-ae) = 67aafb1b76925c239795c5dbda34ccb0f11dd6a8
 SHA1 (patch-af) = a8379ea6835ac1a44a1a933000cb92336377cf99
+SHA1 (patch-ba) = 5efdceebadab408f2d4465eb1f7ef014c1cc064e
+SHA1 (patch-bb) = c1ac683a55764c63f131a1d8c88f773638c7c66e
+SHA1 (patch-bc) = afc862d6c79770f85a3c37353f6b77aae6726a43
+SHA1 (patch-bd) = b9fec1ed753adadf5b30c31329266978fe2e302e
diff -r 43944fc611d8 -r 3a9ce6cc9c60 graphics/gimp/patches/patch-ba
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/gimp/patches/patch-ba    Fri Apr 15 16:39:09 2011 +0000
@@ -0,0 +1,60 @@
+$NetBSD: patch-ba,v 1.1 2011/04/15 16:39:09 drochner Exp $
+
+CVE-2010-4540
+
+--- plug-ins/lighting/lighting-ui.c.orig       2010-07-02 22:51:59.000000000 +0000
++++ plug-ins/lighting/lighting-ui.c
+@@ -1342,6 +1342,7 @@ load_preset_response (GtkFileChooser *ch
+   gchar          buffer3[G_ASCII_DTOSTR_BUF_SIZE];
+   gchar          type_label[21];
+   gchar         *endptr;
++  gchar          fmt_str[32];
+ 
+   if (response_id == GTK_RESPONSE_OK)
+     {
+@@ -1381,23 +1382,41 @@ load_preset_response (GtkFileChooser *ch
+                   return;
+                 }
+ 
+-              fscanf (fp, " Position: %s %s %s", buffer1, buffer2, buffer3);
++              snprintf (fmt_str, sizeof (fmt_str),
++                        " Position: %%%lds %%%lds %%%lds",
++                        sizeof (buffer1) - 1,
++                        sizeof (buffer2) - 1,
++                        sizeof (buffer3) - 1);
++              fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
+               source->position.x = g_ascii_strtod (buffer1, &endptr);
+               source->position.y = g_ascii_strtod (buffer2, &endptr);
+               source->position.z = g_ascii_strtod (buffer3, &endptr);
+ 
+-              fscanf (fp, " Direction: %s %s %s", buffer1, buffer2, buffer3);
++              snprintf (fmt_str, sizeof (fmt_str),
++                        " Direction: %%%lds %%%lds %%%lds",
++                        sizeof (buffer1) - 1,
++                        sizeof (buffer2) - 1,
++                        sizeof (buffer3) - 1);
++              fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
+               source->direction.x = g_ascii_strtod (buffer1, &endptr);
+               source->direction.y = g_ascii_strtod (buffer2, &endptr);
+               source->direction.z = g_ascii_strtod (buffer3, &endptr);
+ 
+-              fscanf (fp, " Color: %s %s %s", buffer1, buffer2, buffer3);
++              snprintf (fmt_str, sizeof (fmt_str),
++                        " Color: %%%lds %%%lds %%%lds",
++                        sizeof (buffer1) - 1,
++                        sizeof (buffer2) - 1,
++                        sizeof (buffer3) - 1);
++              fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
+               source->color.r = g_ascii_strtod (buffer1, &endptr);
+               source->color.g = g_ascii_strtod (buffer2, &endptr);
+               source->color.b = g_ascii_strtod (buffer3, &endptr);
+               source->color.a = 1.0;
+ 
+-              fscanf (fp, " Intensity: %s", buffer1);
++              snprintf (fmt_str, sizeof (fmt_str),
++                        " Intensity: %%%lds",
++                        sizeof (buffer1) - 1);
++              fscanf (fp, fmt_str, buffer1);
+               source->intensity = g_ascii_strtod (buffer1, &endptr);
+ 
+             }
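Review bot: The four `fscanf (fp, fmt_str, ...)` calls in load_preset_response still ignore the return value, so a preset file that lacks a field leaves buffer1..buffer3 holding stale or uninitialised bytes that `g_ascii_strtod` then reads; each call should be checked, e.g. `if (fscanf (fp, fmt_str, buffer1, buffer2, buffer3) != 3)` followed by treating the preset as malformed. The same applies to the unchecked `sscanf (ptr, fmt_str, ...)` in patch-bc. Separately, the field width is formatted with `%ld` while the argument is `sizeof (...) - 1`, a `size_t`; the two differ on platforms where `long` and `size_t` do not have the same width, so a `(long)` cast or `"%%%" G_GSIZE_FORMAT "s"` would be safer here and in patch-bb and patch-bc. The function body starts and ends outside the hunks shown.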
diff -r 43944fc611d8 -r 3a9ce6cc9c60 graphics/gimp/patches/patch-bb
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/gimp/patches/patch-bb    Fri Apr 15 16:39:09 2011 +0000
@@ -0,0 +1,32 @@
+$NetBSD: patch-bb,v 1.1 2011/04/15 16:39:09 drochner Exp $
+
+CVE-2010-4541
+
+--- plug-ins/common/sphere-designer.c.orig     2010-07-02 22:51:56.000000000 +0000
++++ plug-ins/common/sphere-designer.c
+@@ -1992,6 +1992,7 @@ loadit (const gchar * fn)
+   gchar    endbuf[21 * (G_ASCII_DTOSTR_BUF_SIZE + 1)];
+   gchar   *end = endbuf;
+   gchar    line[1024];
++  gchar    fmt_str[16];
+   gint     i;
+   texture *t;
+   gint     majtype, type;
+@@ -2016,6 +2017,8 @@ loadit (const gchar * fn)
+ 
+   s.com.numtexture = 0;
+ 
++  snprintf (fmt_str, sizeof (fmt_str), "%%d %%d %%%lds", sizeof (endbuf) - 1);
++
+   while (!feof (f))
+     {
+ 
+@@ -2026,7 +2029,7 @@ loadit (const gchar * fn)
+       t = &s.com.texture[i];
+       setdefaults (t);
+ 
+-      if (sscanf (line, "%d %d %s", &t->majtype, &t->type, end) != 3)
++      if (sscanf (line, fmt_str, &t->majtype, &t->type, end) != 3)
+         t->color1.x = g_ascii_strtod (end, &end);
+       if (end && errno != ERANGE)
+         t->color1.y = g_ascii_strtod (end, &end);
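Review bot: The width baked into fmt_str is `sizeof (endbuf) - 1`, but the destination handed to sscanf is `end`, which the following `g_ascii_strtod (end, &end)` calls advance. Unless `end` is reset to `endbuf` at the top of every loop iteration (not visible in these hunks), later iterations write into less space than the width allows, while `line` is declared with 1024 bytes and so may supply a longer token than fits. Passing `endbuf` as the destination, or adding `end = endbuf;` before the sscanf, would make the bound match the buffer. The `!= 3` test also looks inverted, since the first parse of `end` runs only when the conversion count is wrong, but that condition predates this patch and loadit continues outside the hunk.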
diff -r 43944fc611d8 -r 3a9ce6cc9c60 graphics/gimp/patches/patch-bc
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/gimp/patches/patch-bc    Fri Apr 15 16:39:09 2011 +0000
@@ -0,0 +1,35 @@
+$NetBSD: patch-bc,v 1.1 2011/04/15 16:39:10 drochner Exp $
+
+CVE-2010-4542
+
+--- plug-ins/gfig/gfig-style.c.orig    2010-07-02 22:51:59.000000000 +0000
++++ plug-ins/gfig/gfig-style.c
+@@ -165,6 +165,7 @@ gfig_read_parameter_gimp_rgb (gchar     
+   gchar *ptr;
+   gchar *tmpstr;
+   gchar *endptr;
++  gchar  fmt_str[32];
+   gchar  colorstr_r[G_ASCII_DTOSTR_BUF_SIZE];
+   gchar  colorstr_g[G_ASCII_DTOSTR_BUF_SIZE];
+   gchar  colorstr_b[G_ASCII_DTOSTR_BUF_SIZE];
+@@ -172,6 +173,10 @@ gfig_read_parameter_gimp_rgb (gchar     
+ 
+   style_entry->r = style_entry->g = style_entry->b = style_entry->a = 0.;
+ 
++  snprintf (fmt_str, sizeof (fmt_str), "%%%lds %%%lds %%%lds %%%lds",
++            sizeof (colorstr_r) - 1, sizeof (colorstr_g) - 1,
++            sizeof (colorstr_b) - 1, sizeof (colorstr_a) - 1);
++
+   while (n < nitems)
+     {
+       ptr = strchr (text[n], ':');
+@@ -181,7 +186,8 @@ gfig_read_parameter_gimp_rgb (gchar     
+           ptr++;
+           if (!strcmp (tmpstr, name))
+             {
+-              sscanf (ptr, "%s %s %s %s", colorstr_r, colorstr_g, colorstr_b, colorstr_a);
++              sscanf (ptr, fmt_str,
++                      colorstr_r, colorstr_g, colorstr_b, colorstr_a);
+               style_entry->r = g_ascii_strtod (colorstr_r, &endptr);
+               style_entry->g = g_ascii_strtod (colorstr_g, &endptr);
+               style_entry->b = g_ascii_strtod (colorstr_b, &endptr);
diff -r 43944fc611d8 -r 3a9ce6cc9c60 graphics/gimp/patches/patch-bd
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/gimp/patches/patch-bd    Fri Apr 15 16:39:09 2011 +0000
@@ -0,0 +1,17 @@
+$NetBSD: patch-bd,v 1.1 2011/04/15 16:39:10 drochner Exp $
+
+CVE-2010-4543
+
+--- plug-ins/common/file-psp.c.orig    2010-07-02 22:51:56.000000000 +0000
++++ plug-ins/common/file-psp.c
+@@ -1244,6 +1244,10 @@ read_channel_data (FILE       *f,
+             }
+           else
+             fread (buf, runcount, 1, f);
++
++          /* prevent buffer overflow for bogus data */
++          runcount = MIN (runcount, endq - q);
++
+           if (bytespp == 1)
+             {
+               memmove (q, buf, runcount);
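Review bot: The added clamp `runcount = MIN (runcount, endq - q);` only protects the writes through `q` if `endq - q` is never negative. If `q` can step past `endq` (for example in the multi-byte `bytespp` branch, which is outside this hunk), the negative difference would be assigned to `runcount` and, depending on its type, could wrap to a large count. A guard such as `if (q >= endq) break;` before the clamp, or an equivalent early exit, would make that assumption explicit. The `fread (buf, runcount, 1, f);` just above also has its result ignored, so a truncated file leaves `buf` holding stale bytes that are then copied into the image. read_channel_data starts and ends outside the hunk.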


