author | drochner <drochner@pkgsrc.org> | 2011-04-15 16:39:09 +0000 |
---|---|---|
committer | drochner <drochner@pkgsrc.org> | 2011-04-15 16:39:09 +0000 |
commit | 07d3bd16b7ec64c30665da923fd4f26fa3a74073 (patch) | |
tree | 449f84ffd6b915931719313675e1a20ca7501d1e /graphics/gimp | |
parent | d434f0f8f785a058b52eb1dca4d1eecf82c1ddfd (diff) | |
download | pkgsrc-07d3bd16b7ec64c30665da923fd4f26fa3a74073.tar.gz |
add patches from upstream, via Debian/Ubuntu:
-possible buffer overflows when parsing config files of plugins
(CVE-2010-4540, CVE-2010-4541, CVE-2010-4542)
-possible buffer overflow in PSP image parser plugin (CVE-2010-4543)
bump PKGREV
Diffstat (limited to 'graphics/gimp')
-rw-r--r-- | graphics/gimp/Makefile | 4 | ||||
-rw-r--r-- | graphics/gimp/distinfo | 6 | ||||
-rw-r--r-- | graphics/gimp/patches/patch-ba | 60 | ||||
-rw-r--r-- | graphics/gimp/patches/patch-bb | 32 | ||||
-rw-r--r-- | graphics/gimp/patches/patch-bc | 35 | ||||
-rw-r--r-- | graphics/gimp/patches/patch-bd | 17 |
6 files changed, 151 insertions, 3 deletions
diff --git a/graphics/gimp/Makefile b/graphics/gimp/Makefile index a634300aa3b..afb447bfd45 100644 --- a/graphics/gimp/Makefile +++ b/graphics/gimp/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.203 2011/01/24 16:51:59 wiz Exp $ +# $NetBSD: Makefile,v 1.204 2011/04/15 16:39:09 drochner Exp $ DISTNAME= gimp-2.6.11 -PKGREVISION= 4 +PKGREVISION= 5 CATEGORIES= graphics MASTER_SITES= ftp://ftp.gimp.org/pub/gimp/v2.6/ \ ${MASTER_SITE_GNU:=gimp/v2.6/} \ diff --git a/graphics/gimp/distinfo b/graphics/gimp/distinfo index 3a0e91d6853..0d505a10553 100644 --- a/graphics/gimp/distinfo +++ b/graphics/gimp/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.61 2011/01/24 16:51:59 wiz Exp $ +$NetBSD: distinfo,v 1.62 2011/04/15 16:39:09 drochner Exp $ SHA1 (gimp-2.6.11.tar.bz2) = 2f9d596e727bdbf304fa78257c1731d9faf3934c RMD160 (gimp-2.6.11.tar.bz2) = a116377499e58dc2bfe231ab3c057d0be94091ff @@ -9,3 +9,7 @@ SHA1 (patch-ac) = 42f44b45640bdde305c1e52b95ee633360ebccb8 SHA1 (patch-ad) = 4e2ce2f7d8729fb760eac1bad89cfe09fef499b0 SHA1 (patch-ae) = 67aafb1b76925c239795c5dbda34ccb0f11dd6a8 SHA1 (patch-af) = a8379ea6835ac1a44a1a933000cb92336377cf99 +SHA1 (patch-ba) = 5efdceebadab408f2d4465eb1f7ef014c1cc064e +SHA1 (patch-bb) = c1ac683a55764c63f131a1d8c88f773638c7c66e +SHA1 (patch-bc) = afc862d6c79770f85a3c37353f6b77aae6726a43 +SHA1 (patch-bd) = b9fec1ed753adadf5b30c31329266978fe2e302e diff --git a/graphics/gimp/patches/patch-ba b/graphics/gimp/patches/patch-ba new file mode 100644 index 00000000000..2d5524a8df8 --- /dev/null +++ b/graphics/gimp/patches/patch-ba 
@@ -0,0 +1,60 @@ +$NetBSD: patch-ba,v 1.1 2011/04/15 16:39:09 drochner Exp $ + +CVE-2010-4540 + +--- plug-ins/lighting/lighting-ui.c.orig 2010-07-02 22:51:59.000000000 +0000 ++++ plug-ins/lighting/lighting-ui.c +@@ -1342,6 +1342,7 @@ load_preset_response (GtkFileChooser *ch + gchar buffer3[G_ASCII_DTOSTR_BUF_SIZE]; + gchar type_label[21]; + gchar *endptr; ++ gchar fmt_str[32]; + + if (response_id == GTK_RESPONSE_OK) + { +@@ -1381,23 +1382,41 @@ load_preset_response (GtkFileChooser *ch + return; + } + +- fscanf (fp, " Position: %s %s %s", buffer1, buffer2, buffer3); ++ snprintf (fmt_str, sizeof (fmt_str), ++ " Position: %%%lds %%%lds %%%lds", ++ sizeof (buffer1) - 1, ++ sizeof (buffer2) - 1, ++ sizeof (buffer3) - 1); ++ fscanf (fp, fmt_str, buffer1, buffer2, buffer3); + source->position.x = g_ascii_strtod (buffer1, &endptr); + source->position.y = g_ascii_strtod (buffer2, &endptr); + source->position.z = g_ascii_strtod (buffer3, &endptr); + +- fscanf (fp, " Direction: %s %s %s", buffer1, buffer2, buffer3); ++ snprintf (fmt_str, sizeof (fmt_str), ++ " Direction: %%%lds %%%lds %%%lds", ++ sizeof (buffer1) - 1, ++ sizeof (buffer2) - 1, ++ sizeof (buffer3) - 1); ++ fscanf (fp, fmt_str, buffer1, buffer2, buffer3); + source->direction.x = g_ascii_strtod (buffer1, &endptr); + source->direction.y = g_ascii_strtod (buffer2, &endptr); + source->direction.z = g_ascii_strtod (buffer3, &endptr); + +- fscanf (fp, " Color: %s %s %s", buffer1, buffer2, buffer3); ++ snprintf (fmt_str, sizeof (fmt_str), ++ " Color: %%%lds %%%lds %%%lds", ++ sizeof (buffer1) - 1, ++ sizeof (buffer2) - 1, ++ sizeof (buffer3) - 1); ++ fscanf (fp, fmt_str, buffer1, buffer2, buffer3); + source->color.r = g_ascii_strtod (buffer1, &endptr); + source->color.g = g_ascii_strtod (buffer2, &endptr); + source->color.b = g_ascii_strtod (buffer3, &endptr); + source->color.a = 1.0; + +- fscanf (fp, " Intensity: %s", buffer1); ++ snprintf (fmt_str, sizeof (fmt_str), ++ " Intensity: %%%lds", ++ sizeof (buffer1) - 1); 
++ fscanf (fp, fmt_str, buffer1); + source->intensity = g_ascii_strtod (buffer1, &endptr); + + } diff --git a/graphics/gimp/patches/patch-bb b/graphics/gimp/patches/patch-bb new file mode 100644 index 00000000000..ec6bef8b544 --- /dev/null +++ b/graphics/gimp/patches/patch-bb @@ -0,0 +1,32 @@ +$NetBSD: patch-bb,v 1.1 2011/04/15 16:39:09 drochner Exp $ + +CVE-2010-4541 + +--- plug-ins/common/sphere-designer.c.orig 2010-07-02 22:51:56.000000000 +0000 ++++ plug-ins/common/sphere-designer.c +@@ -1992,6 +1992,7 @@ loadit (const gchar * fn) + gchar endbuf[21 * (G_ASCII_DTOSTR_BUF_SIZE + 1)]; + gchar *end = endbuf; + gchar line[1024]; ++ gchar fmt_str[16]; + gint i; + texture *t; + gint majtype, type; +@@ -2016,6 +2017,8 @@ loadit (const gchar * fn) + + s.com.numtexture = 0; + ++ snprintf (fmt_str, sizeof (fmt_str), "%%d %%d %%%lds", sizeof (endbuf) - 1); ++ + while (!feof (f)) + { + +@@ -2026,7 +2029,7 @@ loadit (const gchar * fn) + t = &s.com.texture[i]; + setdefaults (t); + +- if (sscanf (line, "%d %d %s", &t->majtype, &t->type, end) != 3) ++ if (sscanf (line, fmt_str, &t->majtype, &t->type, end) != 3) + t->color1.x = g_ascii_strtod (end, &end); + if (end && errno != ERANGE) + t->color1.y = g_ascii_strtod (end, &end); diff --git a/graphics/gimp/patches/patch-bc b/graphics/gimp/patches/patch-bc new file mode 100644 index 00000000000..37f2742ac93 --- /dev/null +++ b/graphics/gimp/patches/patch-bc 
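Review bot: In patch-ba the width-limited `fscanf (fp, fmt_str, buffer1, buffer2, buffer3)` calls in load_preset_response still discard their return value, so a preset with a missing or malformed Position, Direction, Color or Intensity field leaves the buffers with stale or uninitialised contents that g_ascii_strtod then parses. The buffer3 declaration visible in the hunk has no initialiser, and buffer1 and buffer2 are presumably declared the same way. Each call should be compared with its expected field count, e.g. `if (fscanf (fp, fmt_str, buffer1, buffer2, buffer3) != 3)` leading to the function's existing error return; the same applies to the sscanf into colorstr_r..colorstr_a in patch-bc. Separately, the width arguments `sizeof (buffer1) - 1` are size_t but are formatted with `%ld`; a cast such as `(long) (sizeof (buffer1) - 1)` keeps the snprintf call well-defined on every ABI, and patch-bb and patch-bc need the same cast. The function starts and ends outside the hunk.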
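Review bot: In patch-bb the field width is derived from `sizeof (endbuf)`, but the sscanf in loadit writes through `end`, and the `g_ascii_strtod (end, &end)` calls right below it move that pointer forward. Unless `end` is set back to `endbuf` on every pass of the while loop (not visible in this hunk), the width overstates the space left in endbuf from the second line on. Adding `end = endbuf;` immediately before the sscanf keeps the bound and the destination in step. loadit starts and ends outside the hunk.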
@@ -0,0 +1,35 @@ +$NetBSD: patch-bc,v 1.1 2011/04/15 16:39:10 drochner Exp $ + +CVE-2010-4542 + +--- plug-ins/gfig/gfig-style.c.orig 2010-07-02 22:51:59.000000000 +0000 ++++ plug-ins/gfig/gfig-style.c +@@ -165,6 +165,7 @@ gfig_read_parameter_gimp_rgb (gchar + gchar *ptr; + gchar *tmpstr; + gchar *endptr; ++ gchar fmt_str[32]; + gchar colorstr_r[G_ASCII_DTOSTR_BUF_SIZE]; + gchar colorstr_g[G_ASCII_DTOSTR_BUF_SIZE]; + gchar colorstr_b[G_ASCII_DTOSTR_BUF_SIZE]; +@@ -172,6 +173,10 @@ gfig_read_parameter_gimp_rgb (gchar + + style_entry->r = style_entry->g = style_entry->b = style_entry->a = 0.; + ++ snprintf (fmt_str, sizeof (fmt_str), "%%%lds %%%lds %%%lds %%%lds", ++ sizeof (colorstr_r) - 1, sizeof (colorstr_g) - 1, ++ sizeof (colorstr_b) - 1, sizeof (colorstr_a) - 1); ++ + while (n < nitems) + { + ptr = strchr (text[n], ':'); +@@ -181,7 +186,8 @@ gfig_read_parameter_gimp_rgb (gchar + ptr++; + if (!strcmp (tmpstr, name)) + { +- sscanf (ptr, "%s %s %s %s", colorstr_r, colorstr_g, colorstr_b, colorstr_a); ++ sscanf (ptr, fmt_str, ++ colorstr_r, colorstr_g, colorstr_b, colorstr_a); + style_entry->r = g_ascii_strtod (colorstr_r, &endptr); + style_entry->g = g_ascii_strtod (colorstr_g, &endptr); + style_entry->b = g_ascii_strtod (colorstr_b, &endptr); diff --git a/graphics/gimp/patches/patch-bd b/graphics/gimp/patches/patch-bd new file mode 100644 index 00000000000..29bcb3c1c52 --- /dev/null +++ b/graphics/gimp/patches/patch-bd @@ -0,0 +1,17 @@ +$NetBSD: patch-bd,v 1.1 2011/04/15 16:39:10 drochner Exp $ + +CVE-2010-4543 + +--- plug-ins/common/file-psp.c.orig 2010-07-02 22:51:56.000000000 +0000 ++++ plug-ins/common/file-psp.c +@@ -1244,6 +1244,10 @@ read_channel_data (FILE *f, + } + else + fread (buf, runcount, 1, f); ++ ++ /* prevent buffer overflow for bogus data */ ++ runcount = MIN (runcount, endq - q); ++ + if (bytespp == 1) + { + memmove (q, buf, runcount); |
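Review bot: In patch-bd the clamp in read_channel_data bounds only the later copy to `q`; the `fread (buf, runcount, 1, f)` just above it has already used the unclamped runcount and its result is ignored, so a truncated file leaves `buf` with stale bytes that are then copied into the image. Checking the read, `if (fread (buf, runcount, 1, f) != 1)` followed by the function's error return, closes that gap; whether `buf` can hold the largest possible runcount has to be confirmed outside this hunk. The limit `endq - q` is a byte count, which matches the `bytespp == 1` memmove. The branch for other pixel sizes is not visible here; if it advances `q` by more than one byte per item, it needs its own check that it writes no more than the remaining space. The function starts and ends outside the hunk.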