authorHanno Böck <hanno@gentoo.org>2009-11-16 17:31:00 +0000
committerHanno Böck <hanno@gentoo.org>2009-11-16 17:31:00 +0000
commit6fdd4e37ac5fd3ac1c0f7c325947dc6981cb7fbd (patch)
tree7451c859658a1adb2929111040cb789421f6d534 /media-gfx/gimp
parentbroken (diff)
gimp fix for bmp integer overflow
(Portage version: 2.2_rc50/cvs/Linux x86_64)
Diffstat (limited to 'media-gfx/gimp')
-rw-r--r--media-gfx/gimp/ChangeLog8
-rw-r--r--media-gfx/gimp/files/gimp-2.6.7-bmp-overflow.patch43
-rw-r--r--media-gfx/gimp/gimp-2.6.7-r1.ebuild98
3 files changed, 148 insertions, 1 deletions
diff --git a/media-gfx/gimp/ChangeLog b/media-gfx/gimp/ChangeLog
index 5c2b9cf41236..49d0e28da148 100644
--- a/media-gfx/gimp/ChangeLog
+++ b/media-gfx/gimp/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for media-gfx/gimp
# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-gfx/gimp/ChangeLog,v 1.294 2009/09/01 09:09:53 patrick Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-gfx/gimp/ChangeLog,v 1.295 2009/11/16 17:31:00 hanno Exp $
+
+*gimp-2.6.7-r1 (16 Nov 2009)
+
+ 16 Nov 2009; Hanno Boeck <hanno@gentoo.org> +gimp-2.6.7-r1.ebuild,
+ +files/gimp-2.6.7-bmp-overflow.patch:
+ Fix for integer overflow in bmp handling, CVE-2009-1570.
*gimp-2.6.7 (01 Sep 2009)
diff --git a/media-gfx/gimp/files/gimp-2.6.7-bmp-overflow.patch b/media-gfx/gimp/files/gimp-2.6.7-bmp-overflow.patch
new file mode 100644
index 000000000000..10432b571a25
--- /dev/null
+++ b/media-gfx/gimp/files/gimp-2.6.7-bmp-overflow.patch
@@ -0,0 +1,43 @@
+From df2b0aca2e7cdb95ebfd3454c65aaba0a83e9bbe Mon Sep 17 00:00:00 2001
+From: Simon Budig <simon@gimp.org>
+Date: Mon, 09 Nov 2009 23:08:59 +0000
+Subject: Harden the BMP plugin against integer overflows.
+
+Issues discovered by Stefan Cornelius, Secunia Research, advisory SA37232
+and CVE identifier CVE-2009-1570. Fixes bug #600484.
+---
+diff --git a/plug-ins/file-bmp/bmp-read.c b/plug-ins/file-bmp/bmp-read.c
+index a1ebe47..7d7133a 100644
+--- a/plug-ins/file-bmp/bmp-read.c
++++ b/plug-ins/file-bmp/bmp-read.c
+@@ -424,7 +424,8 @@ ReadBMP (const gchar *name,
+ return -1;
+ }
+
+- if (Bitmap_Head.biWidth < 0)
++ if (Bitmap_Head.biWidth < 0 ||
++ ABS (Bitmap_Head.biHeight) < 0)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("'%s' is not a valid BMP file"),
+@@ -448,6 +449,18 @@ ReadBMP (const gchar *name,
+ return -1;
+ }
+
++ /* protect against integer overflows caused by malicious BMPs */
++
++ if (((guint64) Bitmap_Head.biWidth) * Bitmap_Head.biBitCnt > G_MAXINT32 ||
++ ((guint64) Bitmap_Head.biWidth) * ABS (Bitmap_Head.biHeight) > G_MAXINT32 ||
++ ((guint64) Bitmap_Head.biWidth) * ABS (Bitmap_Head.biHeight) * 4 > G_MAXINT32)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("'%s' is not a valid BMP file"),
++ gimp_filename_to_utf8 (filename));
++ return -1;
++ }
++
+ /* Windows and OS/2 declare filler so that rows are a multiple of
+ * word length (32 bits == 4 bytes)
+ */
+--
+cgit v0.8.2
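Review bot: The added height test `ABS (Bitmap_Head.biHeight) < 0` in the first bmp-read.c hunk can only be true for the most negative value of the field, and it gets there by negating that value. Assuming biHeight is a signed 32-bit integer, that negation is signed overflow and undefined in C, so an optimising compiler may treat the comparison as always false and drop the check. Stating the intent directly avoids this: `Bitmap_Head.biHeight == G_MININT32`. In the second hunk the `biWidth * ABS (biHeight) > G_MAXINT32` term is implied by the `* 4` term on the following line and could be removed. Both hunks sit inside ReadBMP, whose body starts and ends outside them, and since this file is carried from upstream the change would best be made there too.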
diff --git a/media-gfx/gimp/gimp-2.6.7-r1.ebuild b/media-gfx/gimp/gimp-2.6.7-r1.ebuild
new file mode 100644
index 000000000000..a5a51ec5edc1
--- /dev/null
+++ b/media-gfx/gimp/gimp-2.6.7-r1.ebuild
@@ -0,0 +1,98 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-gfx/gimp/gimp-2.6.7-r1.ebuild,v 1.1 2009/11/16 17:31:00 hanno Exp $
+
+EAPI=2
+
+inherit eutils gnome2 fdo-mime multilib python
+
+DESCRIPTION="GNU Image Manipulation Program"
+HOMEPAGE="http://www.gimp.org/"
+SRC_URI="mirror://gimp/v2.6/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86"
+
+IUSE="alsa aalib altivec curl dbus debug doc exif gnome hal jpeg lcms mmx mng pdf png python smp sse svg tiff webkit wmf"
+
+RDEPEND=">=dev-libs/glib-2.18.1
+ >=x11-libs/gtk+-2.12.5
+ >=x11-libs/pango-1.18.0
+ >=media-libs/freetype-2.1.7
+ >=media-libs/fontconfig-2.2.0
+ sys-libs/zlib
+ dev-libs/libxml2
+ dev-libs/libxslt
+ x11-misc/xdg-utils
+ x11-themes/hicolor-icon-theme
+ >=media-libs/gegl-0.0.22
+ aalib? ( media-libs/aalib )
+ alsa? ( media-libs/alsa-lib )
+ curl? ( net-misc/curl )
+ dbus? ( dev-libs/dbus-glib )
+ hal? ( sys-apps/hal )
+ gnome? ( gnome-base/gvfs )
+ webkit? ( net-libs/webkit-gtk )
+ jpeg? ( >=media-libs/jpeg-6b-r2 )
+ exif? ( >=media-libs/libexif-0.6.15 )
+ lcms? ( media-libs/lcms )
+ mng? ( media-libs/libmng )
+ pdf? ( >=virtual/poppler-glib-0.3.1[cairo] )
+ png? ( >=media-libs/libpng-1.2.2 )
+ python? ( >=dev-lang/python-2.5.0
+ >=dev-python/pygtk-2.10.4 )
+ tiff? ( >=media-libs/tiff-3.5.7 )
+ svg? ( >=gnome-base/librsvg-2.8.0 )
+ wmf? ( >=media-libs/libwmf-0.2.8 )"
+DEPEND="${RDEPEND}
+ >=dev-util/pkgconfig-0.12.0
+ >=dev-util/intltool-0.40
+ >=sys-devel/gettext-0.17
+ doc? ( >=dev-util/gtk-doc-1 )"
+
+DOCS="AUTHORS ChangeLog* HACKING NEWS README*"
+
+src_prepare() {
+ epatch "${FILESDIR}/${P}-bmp-overflow.patch"
+}
+
+pkg_setup() {
+ G2CONF="--enable-default-binary \
+ --with-x \
+ $(use_with aalib aa) \
+ $(use_with alsa) \
+ $(use_enable altivec) \
+ $(use_with curl libcurl) \
+ $(use_with dbus) \
+ $(use_with hal) \
+ $(use_with gnome gvfs) \
+ --without-gnomevfs \
+ $(use_with webkit) \
+ $(use_with jpeg libjpeg) \
+ $(use_with exif libexif) \
+ $(use_with lcms) \
+ $(use_enable mmx) \
+ $(use_with mng libmng) \
+ $(use_with pdf poppler) \
+ $(use_with png libpng) \
+ $(use_enable python) \
+ $(use_enable smp mp) \
+ $(use_enable sse) \
+ $(use_with svg librsvg) \
+ $(use_with tiff libtiff) \
+ $(use_with wmf)"
+}
+
+pkg_postinst() {
+ gnome2_pkg_postinst
+
+ python_mod_optimize /usr/$(get_libdir)/gimp/2.0/python \
+ /usr/$(get_libdir)/gimp/2.0/plug-ins
+}
+
+pkg_postrm() {
+ gnome2_pkg_postrm
+ python_mod_cleanup /usr/$(get_libdir)/gimp/2.0/python \
+ /usr/$(get_libdir)/gimp/2.0/plug-ins
+}
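Review bot: The new `src_prepare()` only runs `epatch` and never chains to the eclass, so if the inherited gnome2 eclass exports a prepare phase under EAPI=2, whatever it does there is silently skipped in this revision. Adding `gnome2_src_prepare` after the `epatch` line would keep it, which is worth checking against the eclass as it stood in the tree at this date. The patch line would also benefit from a comment such as `# CVE-2009-1570: BMP integer overflow, drop when fixed in an upstream release`, so the next version bump knows why the patch is there and when it can go.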