diff -Nru gimp-2.10.18/debian/changelog gimp-2.10.18/debian/changelog --- gimp-2.10.18/debian/changelog 2020-03-29 06:27:45.000000000 +0100 +++ gimp-2.10.18/debian/changelog 2023-09-01 20:53:10.000000000 +0100 @@ -1,3 +1,25 @@ +gimp (2.10.18-1ubuntu0.1) focal-security; urgency=medium + + * SECURITY UPDATE: Temporary filenames can already exist when running the + tests (LP: #1982422) + - debian/patches/CVE-2018-12713.patch: Create unique temporary file with + g_file_open_tmp(). Based on upstream patch. + - CVE-2018-12713 + * SECURITY UPDATE: Buffer overflow leading to insufficient memory or program + crash via a crafted XCF file (LP: #1982422) + - debian/patches/CVE-2022-30067.patch: Stop loading paths and skip to the + next property when xcf_old_path fails. Based on upstream patch. + - CVE-2022-30067 + * SECURITY UPDATE: Denial of service via a crafted XCF file (LP: #1982422) + - debian/patches/CVE-2022-32990-1.patch: Check maximum dimensions when + loading XCF files. Based on upstream patch. + - debian/patches/CVE-2022-32990-2.patch: Check for invalid offsets when + loading XCF files. Based on upstream patch. + - debian/patches/CVE-2022-32990-3.patch: Return TRUE in + gimp_channel_is_empty when channel is NULL. Based on upstream patch. + - CVE-2022-32990 + + -- Luís Infante da Câmara Fri, 01 Sep 2023 20:53:10 +0100 + gimp (2.10.18-1) unstable; urgency=medium * New upstream release (Closes: #954143) diff -Nru gimp-2.10.18/debian/control gimp-2.10.18/debian/control --- gimp-2.10.18/debian/control 2020-03-29 06:27:45.000000000 +0100 +++ gimp-2.10.18/debian/control 2023-09-01 20:53:10.000000000 +0100 @@ -5,7 +5,8 @@ Source: gimp Priority: optional Section: graphics -Maintainer: Debian GNOME Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian GNOME Maintainers Uploaders: Iain Lane , Jeremy Bicha , Ari Pollak Build-Depends: debhelper-compat (= 12), desktop-file-utils , diff -Nru gimp-2.10.18/debian/control.in gimp-2.10.18/debian/control.in --- gimp-2.10.18/debian/control.in 2020-03-29 06:27:45.000000000 +0100 +++ gimp-2.10.18/debian/control.in 2023-09-01 20:53:10.000000000 +0100 @@ -1,7 +1,8 @@ Source: gimp Priority: optional Section: graphics -Maintainer: Debian GNOME Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian GNOME Maintainers Uploaders: @GNOME_TEAM@, Ari Pollak Build-Depends: debhelper-compat (= 12), desktop-file-utils , diff -Nru gimp-2.10.18/debian/patches/CVE-2018-12713.patch gimp-2.10.18/debian/patches/CVE-2018-12713.patch --- gimp-2.10.18/debian/patches/CVE-2018-12713.patch 1970-01-01 01:00:00.000000000 +0100 +++ gimp-2.10.18/debian/patches/CVE-2018-12713.patch 2023-09-01 20:53:10.000000000 +0100 @@ -0,0 +1,48 @@ +This patch was backported to the version in Ubuntu 20.04. + +From c21eff4b031acb04fb4dfce8bd5fdfecc2b6524f Mon Sep 17 00:00:00 2001 +From: Jehan +Date: Sun, 24 Jun 2018 04:48:48 +0200 +Subject: [PATCH] Issue #1689: create unique temporary file with + g_file_open_tmp(). +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Not sure this is really solving the issue reported, which is that +`g_get_tmp_dir()` uses environment variables (yet as g_file_open_tmp() +uses g_get_tmp_dir()…). But at least g_file_open_tmp() should create +unique temporary files, which prevents overriding existing files (which +is most likely the only real attack possible here, or at least the only +one I can think of unless some weird vulnerabilities exist in glib). +--- + app/tests/test-xcf.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/app/tests/test-xcf.c b/app/tests/test-xcf.c +index 9fc2ec1f4b..98ca4f0bed 100644 +--- a/app/tests/test-xcf.c ++++ b/app/tests/test-xcf.c +@@ -294,6 +294,7 @@ gimp_write_and_read_file (Gimp *gimp, + GimpPlugInProcedure *proc; + gchar *filename; + GFile *file; ++ gint file_handle; + + /* Create the image */ + image = gimp_create_mainimage (gimp, +@@ -311,7 +312,9 @@ gimp_write_and_read_file (Gimp *gimp, + use_gimp_2_8_features); + + /* Write to file */ +- filename = g_build_filename (g_get_tmp_dir (), "gimp-test.xcf", NULL); ++ file_handle = g_file_open_tmp ("gimp-test-XXXXXX.xcf", &filename, NULL); ++ g_assert (file_handle != -1); ++ close (file_handle); + file = g_file_new_for_path (filename); + g_free (filename); + +-- +2.17.1 + + diff -Nru gimp-2.10.18/debian/patches/CVE-2022-30067.patch gimp-2.10.18/debian/patches/CVE-2022-30067.patch --- gimp-2.10.18/debian/patches/CVE-2022-30067.patch 1970-01-01 01:00:00.000000000 +0100 +++ gimp-2.10.18/debian/patches/CVE-2022-30067.patch 2023-09-01 20:53:10.000000000 +0100 @@ -0,0 +1,63 @@ +From 8cd6d05232795ac31076013db1c6be3dc67e8e09 Mon Sep 17 00:00:00 2001 +From: Jacob Boerema +Date: Fri, 29 Apr 2022 16:40:32 -0400 +Subject: [PATCH] app: fix #8120 GIMP 2.10.30 crashed when allocate large + memory + +GIMP could crash if the information regarding old path properties read +from XCF was incorrect. It did not check if xcf_old_path succeeded and +kept trying to load more paths even if the last one failed to load. + +Instead we now stop loading paths as soon as that function fails. +In case we have a failure here we also try to skip to the next property +based on the size of the path property, in hopes that the only problem +was this property. + +(cherry picked from commit 4f99f1fcfd892ead19831b5adcd38a99d71214b6) +--- + app/xcf/xcf-load.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c +index 5543e57af7..1a1a460f0e 100644 +--- a/app/xcf/xcf-load.c ++++ b/app/xcf/xcf-load.c +@@ -1060,7 +1060,12 @@ xcf_load_image_props (XcfInfo *info, + break; + + case PROP_PATHS: +- xcf_load_old_paths (info, image); ++ { ++ goffset base = info->cp; ++ ++ if (! xcf_load_old_paths (info, image)) ++ xcf_seek_pos (info, base + prop_size, NULL); ++ } + break; + + case PROP_USER_UNIT: +@@ -2747,8 +2752,11 @@ xcf_load_old_paths (XcfInfo *info, + xcf_read_int32 (info, &last_selected_row, 1); + xcf_read_int32 (info, &num_paths, 1); + ++ GIMP_LOG (XCF, "Number of old paths: %u", num_paths); ++ + while (num_paths-- > 0) +- xcf_load_old_path (info, image); ++ if (! xcf_load_old_path (info, image)) ++ return FALSE; + + active_vectors = + GIMP_VECTORS (gimp_container_get_child_by_index (gimp_image_get_vectors (image), +@@ -2799,7 +2807,7 @@ xcf_load_old_path (XcfInfo *info, + } + else if (version != 1) + { +- g_printerr ("Unknown path type. Possibly corrupt XCF file"); ++ g_printerr ("Unknown path type (version: %u). Possibly corrupt XCF file.\n", version); + + return FALSE; + } +-- +2.25.1 + diff -Nru gimp-2.10.18/debian/patches/CVE-2022-32990-1.patch gimp-2.10.18/debian/patches/CVE-2022-32990-1.patch --- gimp-2.10.18/debian/patches/CVE-2022-32990-1.patch 1970-01-01 01:00:00.000000000 +0100 +++ gimp-2.10.18/debian/patches/CVE-2022-32990-1.patch 2023-09-01 20:53:10.000000000 +0100 @@ -0,0 +1,96 @@ +From e7d4b580e514029f28dc9bd59c66187e166db47c Mon Sep 17 00:00:00 2001 +From: Jacob Boerema +Date: Sun, 5 Jun 2022 16:48:10 -0400 +Subject: [PATCH] app: check max dimensions when loading xcf files + +Improvements in loading broken xcf files, based on examining issue #8230. +Besides checking for a minimum width and height, GIMP also has a maximum +size we can and should check. + +In the case of the image itself, we change invalid dimensions to a size of +1 in hope that the individual layers etc will have the correct size. +For layer, we will also try to go on, but for channel and layer mask, we +will give up. + +(cherry picked from commit 24c962b95e5c740dff7a87a1f0ccdbf6c0a8c21e) +--- + app/xcf/xcf-load.c | 36 +++++++++++++++++++++++++++++------- + 1 file changed, 29 insertions(+), 7 deletions(-) + +diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c +index 1a1a460f0e..f68909a038 100644 +--- a/app/xcf/xcf-load.c ++++ b/app/xcf/xcf-load.c +@@ -183,10 +183,19 @@ xcf_load_image (Gimp *gimp, + xcf_read_int32 (info, (guint32 *) &width, 1); + xcf_read_int32 (info, (guint32 *) &height, 1); + xcf_read_int32 (info, (guint32 *) &image_type, 1); +- if (image_type < GIMP_RGB || image_type > GIMP_INDEXED || +- width <= 0 || height <= 0) ++ if (image_type < GIMP_RGB || image_type > GIMP_INDEXED) + goto hard_error; + ++ /* Be lenient with corrupt image dimensions. ++ * Hopefully layer dimensions will be valid. */ ++ if (width <= 0 || height <= 0 || ++ width > GIMP_MAX_IMAGE_SIZE || height > GIMP_MAX_IMAGE_SIZE) ++ { ++ GIMP_LOG (XCF, "Invalid image size %d x %d, setting to 1x1.", width, height); ++ width = 1; ++ height = 1; ++ } ++ + if (info->file_version >= 4) + { + gint p; +@@ -1933,7 +1942,8 @@ xcf_load_layer (XcfInfo *info, + return NULL; + } + +- if (width <= 0 || height <= 0) ++ if (width <= 0 || height <= 0 || ++ width > GIMP_MAX_IMAGE_SIZE || height > GIMP_MAX_IMAGE_SIZE) + { + gboolean is_group_layer = FALSE; + gboolean is_text_layer = FALSE; +@@ -2095,10 +2105,16 @@ xcf_load_channel (XcfInfo *info, + /* read in the layer width, height and name */ + xcf_read_int32 (info, (guint32 *) &width, 1); + xcf_read_int32 (info, (guint32 *) &height, 1); +- if (width <= 0 || height <= 0) +- return NULL; ++ if (width <= 0 || height <= 0 || ++ width > GIMP_MAX_IMAGE_SIZE || height > GIMP_MAX_IMAGE_SIZE) ++ { ++ GIMP_LOG (XCF, "Invalid channel size %d x %d.", width, height); ++ return NULL; ++ } + + xcf_read_string (info, &name, 1); ++ GIMP_LOG (XCF, "Channel width=%d, height=%d, name='%s'", ++ width, height, name); + + /* create a new channel */ + channel = gimp_channel_new (image, width, height, name, &color); +@@ -2167,10 +2183,16 @@ xcf_load_layer_mask (XcfInfo *info, + /* read in the layer width, height and name */ + xcf_read_int32 (info, (guint32 *) &width, 1); + xcf_read_int32 (info, (guint32 *) &height, 1); +- if (width <= 0 || height <= 0) +- return NULL; ++ if (width <= 0 || height <= 0 || ++ width > GIMP_MAX_IMAGE_SIZE || height > GIMP_MAX_IMAGE_SIZE) ++ { ++ GIMP_LOG (XCF, "Invalid layer mask size %d x %d.", width, height); ++ return NULL; ++ } + + xcf_read_string (info, &name, 1); ++ GIMP_LOG (XCF, "Layer mask width=%d, height=%d, name='%s'", ++ width, height, name); + + /* create a new layer mask */ + layer_mask = gimp_layer_mask_new (image, width, height, name, &color); +-- +2.25.1 + diff -Nru gimp-2.10.18/debian/patches/CVE-2022-32990-2.patch gimp-2.10.18/debian/patches/CVE-2022-32990-2.patch --- gimp-2.10.18/debian/patches/CVE-2022-32990-2.patch 1970-01-01 01:00:00.000000000 +0100 +++ gimp-2.10.18/debian/patches/CVE-2022-32990-2.patch 2023-09-01 20:53:10.000000000 +0100 @@ -0,0 +1,177 @@ +From 744959433647bdefcdf00b3f0d575f6812cd0d6d Mon Sep 17 00:00:00 2001 +From: Jacob Boerema +Date: Sun, 5 Jun 2022 18:44:45 -0400 +Subject: [PATCH] app: check for invalid offsets when loading XCF files + +More safety checks for detecting broken xcf files, also based on examining +issue #8230. + +After reading an offset where layer, channel, etc. data is stored, we +add a check to make sure that offset is not before where we read the +offset value. Because the data is always written after the offset that +points to it. + +(cherry picked from commit a842869247eb2cae2b40476b5d93f88d8b01aa27) +--- + app/xcf/xcf-load.c | 55 ++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 53 insertions(+), 2 deletions(-) + +diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c +index f68909a038..da196bcdb2 100644 +--- a/app/xcf/xcf-load.c ++++ b/app/xcf/xcf-load.c +@@ -485,6 +485,13 @@ xcf_load_image (Gimp *gimp, + */ + saved_pos = info->cp; + ++ if (offset < saved_pos) ++ { ++ GIMP_LOG (XCF, "Invalid layer offset: %" G_GOFFSET_FORMAT ++ " at offset: %" G_GOFFSET_FORMAT, offset, saved_pos); ++ goto error; ++ } ++ + /* seek to the layer offset */ + if (! xcf_seek_pos (info, offset, NULL)) + goto error; +@@ -625,6 +632,13 @@ xcf_load_image (Gimp *gimp, + */ + saved_pos = info->cp; + ++ if (offset < saved_pos) ++ { ++ GIMP_LOG (XCF, "Invalid channel offset: %" G_GOFFSET_FORMAT ++ " at offset: % "G_GOFFSET_FORMAT, offset, saved_pos); ++ goto error; ++ } ++ + /* seek to the channel offset */ + if (! xcf_seek_pos (info, offset, NULL)) + goto error; +@@ -634,6 +648,7 @@ xcf_load_image (Gimp *gimp, + if (!channel) + { + n_broken_channels++; ++ GIMP_LOG (XCF, "Failed to load channel."); + + if (! xcf_seek_pos (info, saved_pos, NULL)) + goto error; +@@ -1891,6 +1906,7 @@ xcf_load_layer (XcfInfo *info, + const Babl *format; + gboolean is_fs_drawable; + gchar *name; ++ goffset cur_offset; + + /* check and see if this is the drawable the floating selection + * is attached to. if it is then we'll do the attachment in our caller. +@@ -2008,6 +2024,7 @@ xcf_load_layer (XcfInfo *info, + } + + /* read the hierarchy and layer mask offsets */ ++ cur_offset = info->cp; + xcf_read_offset (info, &hierarchy_offset, 1); + xcf_read_offset (info, &layer_mask_offset, 1); + +@@ -2017,6 +2034,11 @@ xcf_load_layer (XcfInfo *info, + */ + if (! gimp_viewable_get_children (GIMP_VIEWABLE (layer))) + { ++ if (hierarchy_offset < cur_offset) ++ { ++ GIMP_LOG (XCF, "Invalid layer hierarchy offset!"); ++ goto error; ++ } + if (! xcf_seek_pos (info, hierarchy_offset, NULL)) + goto error; + +@@ -2040,6 +2062,11 @@ xcf_load_layer (XcfInfo *info, + /* read in the layer mask */ + if (layer_mask_offset != 0) + { ++ if (layer_mask_offset < cur_offset) ++ { ++ GIMP_LOG (XCF, "Invalid layer mask offset!"); ++ goto error; ++ } + if (! xcf_seek_pos (info, layer_mask_offset, NULL)) + goto error; + +@@ -2096,6 +2123,7 @@ xcf_load_channel (XcfInfo *info, + gboolean is_fs_drawable; + gchar *name; + GimpRGB color = { 0.0, 0.0, 0.0, GIMP_OPACITY_OPAQUE }; ++ goffset cur_offset; + + /* check and see if this is the drawable the floating selection + * is attached to. if it is then we'll do the attachment in our caller. +@@ -2128,9 +2156,16 @@ xcf_load_channel (XcfInfo *info, + + xcf_progress_update (info); + +- /* read the hierarchy and layer mask offsets */ ++ /* read the hierarchy offset */ ++ cur_offset = info->cp; + xcf_read_offset (info, &hierarchy_offset, 1); + ++ if (hierarchy_offset < cur_offset) ++ { ++ GIMP_LOG (XCF, "Invalid hierarchy offset!"); ++ goto error; ++ } ++ + /* read in the hierarchy */ + if (! xcf_seek_pos (info, hierarchy_offset, NULL)) + goto error; +@@ -2174,6 +2209,7 @@ xcf_load_layer_mask (XcfInfo *info, + gboolean is_fs_drawable; + gchar *name; + GimpRGB color = { 0.0, 0.0, 0.0, GIMP_OPACITY_OPAQUE }; ++ goffset cur_offset; + + /* check and see if this is the drawable the floating selection + * is attached to. if it is then we'll do the attachment in our caller. +@@ -2207,9 +2243,16 @@ xcf_load_layer_mask (XcfInfo *info, + + xcf_progress_update (info); + +- /* read the hierarchy and layer mask offsets */ ++ /* read the hierarchy offset */ ++ cur_offset = info->cp; + xcf_read_offset (info, &hierarchy_offset, 1); + ++ if (hierarchy_offset < cur_offset) ++ { ++ GIMP_LOG (XCF, "Invalid hierarchy offset!"); ++ goto error; ++ } ++ + /* read in the hierarchy */ + if (! xcf_seek_pos (info, hierarchy_offset, NULL)) + goto error; +@@ -2247,6 +2290,7 @@ xcf_load_buffer (XcfInfo *info, + gint width; + gint height; + gint bpp; ++ goffset cur_offset; + + format = gegl_buffer_get_format (buffer); + +@@ -2262,8 +2306,15 @@ xcf_load_buffer (XcfInfo *info, + bpp != babl_format_get_bytes_per_pixel (format)) + return FALSE; + ++ cur_offset = info->cp; + xcf_read_offset (info, &offset, 1); /* top level */ + ++ if (offset < cur_offset) ++ { ++ GIMP_LOG (XCF, "Invalid buffer offset!"); ++ return FALSE; ++ } ++ + /* seek to the level offset */ + if (! xcf_seek_pos (info, offset, NULL)) + return FALSE; +-- +2.25.1 + diff -Nru gimp-2.10.18/debian/patches/CVE-2022-32990-3.patch gimp-2.10.18/debian/patches/CVE-2022-32990-3.patch --- gimp-2.10.18/debian/patches/CVE-2022-32990-3.patch 1970-01-01 01:00:00.000000000 +0100 +++ gimp-2.10.18/debian/patches/CVE-2022-32990-3.patch 2023-09-01 20:53:10.000000000 +0100 @@ -0,0 +1,34 @@ +From 6ab90ecbbd7cc95901933f62227fd140c0576d55 Mon Sep 17 00:00:00 2001 +From: Jacob Boerema +Date: Sun, 5 Jun 2022 15:38:24 -0400 +Subject: [PATCH] app: fix #8230 crash in gimp_layer_invalidate_boundary when + channel is NULL + +gimp_channel_is_empty returns FALSE if channel is NULL. This causes +gimp_layer_invalidate_boundary to crash if the mask channel is NULL. + +With a NULL channel gimp_channel_is_empty should return TRUE, just like +the similar gimp_image_is_empty does, because returning FALSE here +suggests we have a non empty channel. + +(cherry picked from commit 22af0bcfe67c1c86381f33975ca7fdbde6b36b39) +--- + app/core/gimpchannel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/app/core/gimpchannel.c b/app/core/gimpchannel.c +index a9b7546809..784551a242 100644 +--- a/app/core/gimpchannel.c ++++ b/app/core/gimpchannel.c +@@ -1824,7 +1824,7 @@ gimp_channel_boundary (GimpChannel *channel, + gboolean + gimp_channel_is_empty (GimpChannel *channel) + { +- g_return_val_if_fail (GIMP_IS_CHANNEL (channel), FALSE); ++ g_return_val_if_fail (GIMP_IS_CHANNEL (channel), TRUE); + + return GIMP_CHANNEL_GET_CLASS (channel)->is_empty (channel); + } +-- +2.25.1 + diff -Nru gimp-2.10.18/debian/patches/series gimp-2.10.18/debian/patches/series --- gimp-2.10.18/debian/patches/series 2020-03-29 06:27:45.000000000 +0100 +++ gimp-2.10.18/debian/patches/series 2023-09-01 20:53:10.000000000 +0100 @@ -1 +1,6 @@ 01_hurd_ftbfs.patch +CVE-2018-12713.patch +CVE-2022-30067.patch +CVE-2022-32990-1.patch +CVE-2022-32990-2.patch +CVE-2022-32990-3.patch