diff -Nru gimp-2.8.22/debian/changelog gimp-2.8.22/debian/changelog --- gimp-2.8.22/debian/changelog 2018-03-28 17:21:18.000000000 +0100 +++ gimp-2.8.22/debian/changelog 2022-07-20 18:57:49.000000000 +0100 @@ -1,3 +1,25 @@ +gimp (2.8.22-1ubuntu0.1~ppa1) bionic-security; urgency=medium + + * SECURITY UPDATE: Temporary filenames can already exist + - debian/patches/CVE-2018-12713.patch: Create unique temporary file with + g_file_open_tmp(). Based on upstream patch. + - CVE-2018-12713 + * SECURITY UPDATE: Buffer overflow leading to insufficient memory or program + crash + - debian/patches/CVE-2022-30067.patch: Stop loading paths and skip to the + next property when xcf_old_path fails. Based on upstream patch. + - CVE-2022-30067 + * SECURITY UPDATE: Denial of service via a crafted XCF file + - debian/patches/CVE-2022-32990-1.patch: Check maximum dimensions when + loading XCF files. Based on upstream patch. + - debian/patches/CVE-2022-32990-2.patch: Check for invalid offsets when + loading XCF files. Based on upstream patch. + - debian/patches/CVE-2022-32990-3.patch: Return TRUE in + gimp_channel_is_empty when channel is NULL. + - CVE-2022-32990 + + -- Luís Infante da Câmara Wed, 20 Jul 2022 18:57:49 +0100 + gimp (2.8.22-1) unstable; urgency=medium * New upstream release (Closes: #870568, #885382, CVE-2007-3126) diff -Nru gimp-2.8.22/debian/control gimp-2.8.22/debian/control --- gimp-2.8.22/debian/control 2018-03-28 17:21:18.000000000 +0100 +++ gimp-2.8.22/debian/control 2022-07-20 18:57:49.000000000 +0100 @@ -5,7 +5,8 @@ Source: gimp Priority: optional Section: graphics -Maintainer: Debian GNOME Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian GNOME Maintainers Uploaders: Hideki Yamane , Jeremy Bicha , Jordi Mallach , Ari Pollak Build-Depends: debhelper (>= 11), dh-python, diff -Nru gimp-2.8.22/debian/control.in gimp-2.8.22/debian/control.in --- gimp-2.8.22/debian/control.in 2018-03-28 17:21:18.000000000 +0100 +++ gimp-2.8.22/debian/control.in 2022-07-20 18:57:49.000000000 +0100 @@ -1,7 +1,8 @@ Source: gimp Priority: optional Section: graphics -Maintainer: Debian GNOME Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian GNOME Maintainers Uploaders: @GNOME_TEAM@, Ari Pollak Build-Depends: debhelper (>= 11), dh-python, diff -Nru gimp-2.8.22/debian/patches/CVE-2018-12713.patch gimp-2.8.22/debian/patches/CVE-2018-12713.patch --- gimp-2.8.22/debian/patches/CVE-2018-12713.patch 1970-01-01 01:00:00.000000000 +0100 +++ gimp-2.8.22/debian/patches/CVE-2018-12713.patch 2022-07-20 18:57:49.000000000 +0100 @@ -0,0 +1,47 @@ +This patvh was backported to the version in Ubuntu 18.04. + +From c21eff4b031acb04fb4dfce8bd5fdfecc2b6524f Mon Sep 17 00:00:00 2001 +From: Jehan +Date: Sun, 24 Jun 2018 04:48:48 +0200 +Subject: [PATCH] Issue #1689: create unique temporary file with + g_file_open_tmp(). +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Not sure this is really solving the issue reported, which is that +`g_get_tmp_dir()` uses environment variables (yet as g_file_open_tmp() +uses g_get_tmp_dir()…). But at least g_file_open_tmp() should create +unique temporary files, which prevents overriding existing files (which +is most likely the only real attack possible here, or at least the only +one I can think of unless some weird vulnerabilities exist in glib). +--- + app/tests/test-xcf.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/app/tests/test-xcf.c b/app/tests/test-xcf.c +index 9fc2ec1f4b..98ca4f0bed 100644 +--- a/app/tests/test-xcf.c ++++ b/app/tests/test-xcf.c +@@ -294,6 +294,7 @@ gimp_write_and_read_file (Gimp *gimp, + GimpImage *loaded_image = NULL; + GimpPlugInProcedure *proc = NULL; + gchar *uri = NULL; ++ gint file_handle; + + /* Create the image */ + image = gimp_create_mainimage (gimp, +@@ -311,7 +312,9 @@ gimp_write_and_read_file (Gimp *gimp, + use_gimp_2_8_features); + + /* Write to file */ +- uri = g_build_filename (g_get_tmp_dir (), "gimp-test.xcf", NULL); ++ file_handle = g_file_open_tmp ("gimp-test-XXXXXX.xcf", &uri, NULL); ++ g_assert (file_handle != -1); ++ close (file_handle); + proc = file_procedure_find (image->gimp->plug_in_manager->save_procs, + uri, + NULL /*error*/); +-- +2.17.1 + diff -Nru gimp-2.8.22/debian/patches/CVE-2022-30067.patch gimp-2.8.22/debian/patches/CVE-2022-30067.patch --- gimp-2.8.22/debian/patches/CVE-2022-30067.patch 1970-01-01 01:00:00.000000000 +0100 +++ gimp-2.8.22/debian/patches/CVE-2022-30067.patch 2022-07-20 18:57:49.000000000 +0100 @@ -0,0 +1,65 @@ +This patch was backported to the version in Ubuntu 18.04. + +From 8cd6d05232795ac31076013db1c6be3dc67e8e09 Mon Sep 17 00:00:00 2001 +From: Jacob Boerema +Date: Fri, 29 Apr 2022 16:40:32 -0400 +Subject: [PATCH] app: fix #8120 GIMP 2.10.30 crashed when allocate large + memory + +GIMP could crash if the information regarding old path properties read +from XCF was incorrect. It did not check if xcf_old_path succeeded and +kept trying to load more paths even if the last one failed to load. + +Instead we now stop loading paths as soon as that function fails. +In case we have a failure here we also try to skip to the next property +based on the size of the path property, in hopes that the only problem +was this property. + +(cherry picked from commit 4f99f1fcfd892ead19831b5adcd38a99d71214b6) +--- + app/xcf/xcf-load.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c +index 5543e57af7..1a1a460f0e 100644 +--- a/app/xcf/xcf-load.c ++++ b/app/xcf/xcf-load.c +@@ -657,7 +657,12 @@ xcf_load_image_props (XcfInfo *info, + break; + + case PROP_PATHS: +- xcf_load_old_paths (info, image); ++ { ++ goffset base = info->cp; ++ ++ if (! xcf_load_old_paths (info, image)) ++ xcf_seek_pos (info, base + prop_size, NULL); ++ } + break; + + case PROP_USER_UNIT: +@@ -1765,8 +1770,11 @@ xcf_load_old_paths (XcfInfo *info, + info->cp += xcf_read_int32 (info->fp, &last_selected_row, 1); + info->cp += xcf_read_int32 (info->fp, &num_paths, 1); + ++ GIMP_LOG (XCF, "Number of old paths: %u", num_paths); ++ + while (num_paths-- > 0) +- xcf_load_old_path (info, image); ++ if (! xcf_load_old_path (info, image)) ++ return FALSE; + + active_vectors = + GIMP_VECTORS (gimp_container_get_child_by_index (gimp_image_get_vectors (image), +@@ -2799,7 +2807,7 @@ xcf_load_old_path (XcfInfo *info, + } + else if (version != 1) + { +- g_warning ("Unknown path type. Possibly corrupt XCF file"); ++ g_warning ("Unknown path type (version: %u). Possibly corrupt XCF file.\n", version); + + return FALSE; + } +-- +2.17.1 + diff -Nru gimp-2.8.22/debian/patches/CVE-2022-32990-1.patch gimp-2.8.22/debian/patches/CVE-2022-32990-1.patch --- gimp-2.8.22/debian/patches/CVE-2022-32990-1.patch 1970-01-01 01:00:00.000000000 +0100 +++ gimp-2.8.22/debian/patches/CVE-2022-32990-1.patch 2022-07-20 18:57:49.000000000 +0100 @@ -0,0 +1,98 @@ +This patch was backported to the version in Ubuntu 18.04. + +From e7d4b580e514029f28dc9bd59c66187e166db47c Mon Sep 17 00:00:00 2001 +From: Jacob Boerema +Date: Sun, 5 Jun 2022 16:48:10 -0400 +Subject: [PATCH] app: check max dimensions when loading xcf files + +Improvements in loading broken xcf files, based on examining issue #8230. +Besides checking for a minimum width and height, GIMP also has a maximum +size we can and should check. + +In the case of the image itself, we change invalid dimensions to a size of +1 in hope that the individual layers etc will have the correct size. +For layer, we will also try to go on, but for channel and layer mask, we +will give up. + +(cherry picked from commit 24c962b95e5c740dff7a87a1f0ccdbf6c0a8c21e) +--- + app/xcf/xcf-load.c | 36 +++++++++++++++++++++++++++++------- + 1 file changed, 29 insertions(+), 7 deletions(-) + +diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c +index 1a1a460f0e..f68909a038 100644 +--- a/app/xcf/xcf-load.c ++++ b/app/xcf/xcf-load.c +@@ -183,10 +183,19 @@ xcf_load_image (Gimp *gimp, + info->cp += xcf_read_int32 (info->fp, (guint32 *) &width, 1); + info->cp += xcf_read_int32 (info->fp, (guint32 *) &height, 1); + info->cp += xcf_read_int32 (info->fp, (guint32 *) &image_type, 1); +- if (image_type < GIMP_RGB || image_type > GIMP_INDEXED || +- width <= 0 || height <= 0) ++ if (image_type < GIMP_RGB || image_type > GIMP_INDEXED) + goto hard_error; + ++ /* Be lenient with corrupt image dimensions. ++ * Hopefully layer dimensions will be valid. */ ++ if (width <= 0 || height <= 0 || ++ width > GIMP_MAX_IMAGE_SIZE || height > GIMP_MAX_IMAGE_SIZE) ++ { ++ GIMP_LOG (XCF, "Invalid image size %d x %d, setting to 1x1.", width, height); ++ width = 1; ++ height = 1; ++ } ++ + image = gimp_create_image (gimp, width, height, image_type, FALSE); + + gimp_image_undo_disable (image); +@@ -1933,7 +1942,8 @@ xcf_load_layer (XcfInfo *info, + info->cp += xcf_read_int32 (info->fp, (guint32 *) &width, 1); + info->cp += xcf_read_int32 (info->fp, (guint32 *) &height, 1); + info->cp += xcf_read_int32 (info->fp, (guint32 *) &type, 1); +- if (width <= 0 || height <= 0) ++ if (width <= 0 || height <= 0 || ++ width > GIMP_MAX_IMAGE_SIZE || height > GIMP_MAX_IMAGE_SIZE) + return NULL; + + info->cp += xcf_read_string (info->fp, &name, 1); +@@ -2095,10 +2105,16 @@ xcf_load_channel (XcfInfo *info, + /* read in the layer width, height and name */ + info->cp += xcf_read_int32 (info->fp, (guint32 *) &width, 1); + info->cp += xcf_read_int32 (info->fp, (guint32 *) &height, 1); +- if (width <= 0 || height <= 0) +- return NULL; ++ if (width <= 0 || height <= 0 || ++ width > GIMP_MAX_IMAGE_SIZE || height > GIMP_MAX_IMAGE_SIZE) ++ { ++ GIMP_LOG (XCF, "Invalid channel size %d x %d.", width, height); ++ return NULL; ++ } + + info->cp += xcf_read_string (info->fp, &name, 1); ++ GIMP_LOG (XCF, "Channel width=%d, height=%d, name='%s'", ++ width, height, name); + + /* create a new channel */ + channel = gimp_channel_new (image, width, height, name, &color); +@@ -2167,10 +2183,16 @@ xcf_load_layer_mask (XcfInfo *info, + /* read in the layer width, height and name */ + info->cp += xcf_read_int32 (info->fp, (guint32 *) &width, 1); + info->cp += xcf_read_int32 (info->fp, (guint32 *) &height, 1); +- if (width <= 0 || height <= 0) +- return NULL; ++ if (width <= 0 || height <= 0 || ++ width > GIMP_MAX_IMAGE_SIZE || height > GIMP_MAX_IMAGE_SIZE) ++ { ++ GIMP_LOG (XCF, "Invalid layer mask size %d x %d.", width, height); ++ return NULL; ++ } + + info->cp += xcf_read_string (info->fp, &name, 1); ++ GIMP_LOG (XCF, "Layer mask width=%d, height=%d, name='%s'", ++ width, height, name); + + /* create a new layer mask */ + layer_mask = gimp_layer_mask_new (image, width, height, name, &color); +-- +2.17.1 + diff -Nru gimp-2.8.22/debian/patches/CVE-2022-32990-2.patch gimp-2.8.22/debian/patches/CVE-2022-32990-2.patch --- gimp-2.8.22/debian/patches/CVE-2022-32990-2.patch 1970-01-01 01:00:00.000000000 +0100 +++ gimp-2.8.22/debian/patches/CVE-2022-32990-2.patch 2022-07-20 18:57:49.000000000 +0100 @@ -0,0 +1,159 @@ +This patch was backported to the version in Ubuntu 18.04. + +From 744959433647bdefcdf00b3f0d575f6812cd0d6d Mon Sep 17 00:00:00 2001 +From: Jacob Boerema +Date: Sun, 5 Jun 2022 18:44:45 -0400 +Subject: [PATCH] app: check for invalid offsets when loading XCF files + +More safety checks for detecting broken xcf files, also based on examining +issue #8230. + +After reading an offset where layer, channel, etc. data is stored, we +add a check to make sure that offset is not before where we read the +offset value. Because the data is always written after the offset that +points to it. + +(cherry picked from commit a842869247eb2cae2b40476b5d93f88d8b01aa27) +--- + app/xcf/xcf-load.c | 55 ++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 53 insertions(+), 2 deletions(-) + +diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c +index f68909a038..da196bcdb2 100644 +--- a/app/xcf/xcf-load.c ++++ b/app/xcf/xcf-load.c +@@ -244,6 +244,13 @@ xcf_load_image (Gimp *gimp, + */ + saved_pos = info->cp; + ++ if (offset < saved_pos) ++ { ++ GIMP_LOG (XCF, "Invalid layer offset: %" G_GOFFSET_FORMAT ++ " at offset: %" G_GOFFSET_FORMAT, offset, saved_pos); ++ goto error; ++ } ++ + /* seek to the layer offset */ + if (! xcf_seek_pos (info, offset, NULL)) + goto error; +@@ -327,6 +334,13 @@ xcf_load_image (Gimp *gimp, + */ + saved_pos = info->cp; + ++ if (offset < saved_pos) ++ { ++ GIMP_LOG (XCF, "Invalid channel offset: %" G_GOFFSET_FORMAT ++ " at offset: % "G_GOFFSET_FORMAT, offset, saved_pos); ++ goto error; ++ } ++ + /* seek to the channel offset */ + if (! xcf_seek_pos (info, offset, NULL)) + goto error; +@@ -334,7 +348,10 @@ xcf_load_image (Gimp *gimp, + /* read in the channel */ + channel = xcf_load_channel (info, image); + if (!channel) +- goto error; ++ { ++ GIMP_LOG (XCF, "Failed to load channel."); ++ goto error; ++ } + + num_successful_elements++; + +@@ -1187,6 +1204,7 @@ xcf_load_layer (XcfInfo *info, + gint type; + gboolean is_fs_drawable; + gchar *name; ++ goffset cur_offset; + + /* check and see if this is the drawable the floating selection + * is attached to. if it is then we'll do the attachment in our caller. +@@ -1234,6 +1252,7 @@ xcf_load_layer (XcfInfo *info, + } + + /* read the hierarchy and layer mask offsets */ ++ cur_offset = info->cp; + info->cp += xcf_read_int32 (info->fp, &hierarchy_offset, 1); + info->cp += xcf_read_int32 (info->fp, &layer_mask_offset, 1); + +@@ -1243,6 +1262,11 @@ xcf_load_layer (XcfInfo *info, + */ + if (! gimp_viewable_get_children (GIMP_VIEWABLE (layer))) + { ++ if (hierarchy_offset < cur_offset) ++ { ++ GIMP_LOG (XCF, "Invalid layer hierarchy offset!"); ++ goto error; ++ } + if (! xcf_seek_pos (info, hierarchy_offset, NULL)) + goto error; + +@@ -1262,6 +1286,11 @@ xcf_load_layer (XcfInfo *info, + /* read in the layer mask */ + if (layer_mask_offset != 0) + { ++ if (layer_mask_offset < cur_offset) ++ { ++ GIMP_LOG (XCF, "Invalid layer mask offset!"); ++ goto error; ++ } + if (! xcf_seek_pos (info, layer_mask_offset, NULL)) + goto error; + +@@ -1306,6 +1335,7 @@ xcf_load_channel (XcfInfo *info, + gboolean is_fs_drawable; + gchar *name; + GimpRGB color = { 0.0, 0.0, 0.0, GIMP_OPACITY_OPAQUE }; ++ goffset cur_offset; + + /* check and see if this is the drawable the floating selection + * is attached to. if it is then we'll do the attachment in our caller. +@@ -1338,9 +1368,16 @@ xcf_load_channel (XcfInfo *info, + + xcf_progress_update (info); + +- /* read the hierarchy and layer mask offsets */ ++ /* read the hierarchy offset */ ++ cur_offset = info->cp; + info->cp += xcf_read_int32 (info->fp, &hierarchy_offset, 1); + ++ if (hierarchy_offset < cur_offset) ++ { ++ GIMP_LOG (XCF, "Invalid hierarchy offset!"); ++ goto error; ++ } ++ + /* read in the hierarchy */ + if (!xcf_seek_pos (info, hierarchy_offset, NULL)) + goto error; +@@ -1373,6 +1403,7 @@ xcf_load_layer_mask (XcfInfo *info, + gboolean is_fs_drawable; + gchar *name; + GimpRGB color = { 0.0, 0.0, 0.0, GIMP_OPACITY_OPAQUE }; ++ goffset cur_offset; + + /* check and see if this is the drawable the floating selection + * is attached to. if it is then we'll do the attachment in our caller. +@@ -1406,9 +1437,16 @@ xcf_load_layer_mask (XcfInfo *info, + + xcf_progress_update (info); + +- /* read the hierarchy and layer mask offsets */ ++ /* read the hierarchy offset */ ++ cur_offset = info->cp; + info->cp += xcf_read_int32 (info->fp, &hierarchy_offset, 1); + ++ if (hierarchy_offset < cur_offset) ++ { ++ GIMP_LOG (XCF, "Invalid hierarchy offset!"); ++ goto error; ++ } ++ + /* read in the hierarchy */ + if (! xcf_seek_pos (info, hierarchy_offset, NULL)) + goto error; +-- +2.17.1 + diff -Nru gimp-2.8.22/debian/patches/CVE-2022-32990-3.patch gimp-2.8.22/debian/patches/CVE-2022-32990-3.patch --- gimp-2.8.22/debian/patches/CVE-2022-32990-3.patch 1970-01-01 01:00:00.000000000 +0100 +++ gimp-2.8.22/debian/patches/CVE-2022-32990-3.patch 2022-07-20 18:57:49.000000000 +0100 @@ -0,0 +1,36 @@ +This patch was backported to the version in Ubuntu 18.04. + +From 6ab90ecbbd7cc95901933f62227fd140c0576d55 Mon Sep 17 00:00:00 2001 +From: Jacob Boerema +Date: Sun, 5 Jun 2022 15:38:24 -0400 +Subject: [PATCH] app: fix #8230 crash in gimp_layer_invalidate_boundary when + channel is NULL + +gimp_channel_is_empty returns FALSE if channel is NULL. This causes +gimp_layer_invalidate_boundary to crash if the mask channel is NULL. + +With a NULL channel gimp_channel_is_empty should return TRUE, just like +the similar gimp_image_is_empty does, because returning FALSE here +suggests we have a non empty channel. + +(cherry picked from commit 22af0bcfe67c1c86381f33975ca7fdbde6b36b39) +--- + app/core/gimpchannel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/app/core/gimpchannel.c b/app/core/gimpchannel.c +index a9b7546809..784551a242 100644 +--- a/app/core/gimpchannel.c ++++ b/app/core/gimpchannel.c +@@ -1994,7 +1994,7 @@ gimp_channel_boundary (GimpChannel *channel, + gboolean + gimp_channel_is_empty (GimpChannel *channel) + { +- g_return_val_if_fail (GIMP_IS_CHANNEL (channel), FALSE); ++ g_return_val_if_fail (GIMP_IS_CHANNEL (channel), TRUE); + + return GIMP_CHANNEL_GET_CLASS (channel)->is_empty (channel); + } +-- +2.17.1 + diff -Nru gimp-2.8.22/debian/patches/series gimp-2.8.22/debian/patches/series --- gimp-2.8.22/debian/patches/series 2018-03-28 17:21:18.000000000 +0100 +++ gimp-2.8.22/debian/patches/series 2022-07-20 18:57:49.000000000 +0100 @@ -10,3 +10,8 @@ Bug-739133-CVE-2017-17785-Heap-overflow-while-parsin.patch 790783-buffer-overread-in-XCF-parser-if-version-fiel.patch Workaround-for-cage-transform-freeze.patch +CVE-2018-12713.patch +CVE-2022-30067.patch +CVE-2022-32990-1.patch +CVE-2022-32990-2.patch +CVE-2022-32990-3.patch