Fix CVE-2023-44442 and CVE-2023-44444

2023-12-04 17:07:18 +08:00 · 2023-12-04 17:07:18 +08:00 · 8876dc7909
commit 8876dc7909
parent c12db11cff
3 changed files with 72 additions and 1 deletions
--- a/CVE-2023-44442.patch
+++ b/CVE-2023-44442.patch
@ -0,0 +1,30 @@
+From f131d4feacfd86825d255effd02cde15373e6fc3 Mon Sep 17 00:00:00 2001
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Fri, 29 Sep 2023 20:39:29 +0000
+Subject: plug-ins: Fix vulnerability in file-psd
+
+Resolves #10101.
+This patch adds a missing break statement after an error condition
+is detected to prevent the code from continuing afterwards.
+
+Origin:
+https://gitlab.gnome.org/GNOME/gimp/-/commit/985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d
+---
+ plug-ins/file-psd/psd-util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plug-ins/file-psd/psd-util.c b/plug-ins/file-psd/psd-util.c
+index f71a57bdd6..4b6507b5de 100644
+--- a/plug-ins/file-psd/psd-util.c
+++ b/plug-ins/file-psd/psd-util.c
+@@ -519,6 +519,7 @@ decode_packbits (const gchar *src,
+             {
+               IFDBG(2) g_debug ("Overrun in packbits replicate of %d chars", n - unpack_left);
+               error_code = 2;
+              break;
+             }
+           dat = *src;
+           for (; n > 0; --n)
+-- 
+2.30.2
+
--- a/CVE-2023-44444.patch
+++ b/CVE-2023-44444.patch
@ -0,0 +1,34 @@
+From 5203f996b5eb018fd08e8e99e42b28f42ef27533 Mon Sep 17 00:00:00 2001
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Sat, 23 Sep 2023 02:16:24 +0000
+Subject: plug-ins: Fix PSP vulnerability (ZDI-CAN-22097)
+
+Resolves #10071.
+
+When reading RLE compressed data, a buffer was allocated to 127 bytes.
+However, it can potentially be used to read 128 bytes, leading to a
+off-by-one vulnerability. This patch allocates 128 bytes to the buffer
+to prevent this from occurring.
+
+Origin:
+https://gitlab.gnome.org/GNOME/gimp/-/commit/e1bfd87195e4fe60a92df70cde65464d032dd3c1
+---
+ plug-ins/common/file-psp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index 33c6a2b607..f3aa00fdc0 100644
+--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
+@@ -1235,7 +1235,7 @@ read_channel_data (FILE        *f,
+ 
+         q = pixels[0] + offset;
+         endq = q + npixels * bytespp;
+-        buf = g_malloc (127);
+        buf = g_malloc (128);
+         while (q < endq)
+           {
+             fread (&runcount, 1, 1, f);
+-- 
+2.30.2
+
--- a/gimp.spec
+++ b/gimp.spec
@ -1,6 +1,6 @@
 Name:           gimp
 Version:        2.10.6
-Release:        9
+Release:        10
 Epoch:          2
 Summary:        A versatile graphics manipulation package
 License:        GPLv3+ and GPLv3
@ -9,6 +9,10 @@ URL:            http://www.gimp.org/
 Source0:        http://download.gimp.org/pub/gimp/v2.10/gimp-2.10.6.tar.bz2
 Patch6000:      backport-CVE-2018-12713.patch
 Patch6001:      CVE-2021-45463.patch
+# https://gitlab.gnome.org/GNOME/gimp/-/commit/985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d
+Patch6002:      CVE-2023-44442.patch
+# https://gitlab.gnome.org/GNOME/gimp/-/commit/e1bfd87195e4fe60a92df70cde65464d032dd3c1
+Patch6003:      CVE-2023-44444.patch

 %global apiversion 2.0
 %global textversion 20
@ -255,6 +259,9 @@ make check %{?_smp_mflags}
 %{_mandir}/man*/*

 %changelog
+* Mon Dec 04 2023 yaoxin <yao_xin001@hoperun.com> - 2:2.10.6-10
+- Fix CVE-2023-44442 and CVE-2023-44444
+
 * Fri Jan 07 2022 yaoxin <yaoxin30@huawei.com> - 2:2.10.6-9
 - Fix CVE-2021-45463