diff mbox

GIMP: Fix CVE-2016-4994

Message ID 20160701201942.GA26834@jasmine
State New
Headers show

Commit Message

Leo Famulari July 1, 2016, 8:19 p.m. UTC
GIMP has a use-after-free bug related to XCF file parsing that allows
arbitrary code execution:
https://security-tracker.debian.org/tracker/CVE-2016-4994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4994

This patch cherry-picks the upstream commit from the gimp-2-8 branch:
https://git.gnome.org/browse/gimp/commit/?h=gimp-2-8&id=e82aaa4b4ee0703c879e35ea9321fff6be3e9b6f

Leo Famulari (1):
  gnu: gimp: Fix CVE-2016-4994.

 gnu/local.mk                                  |  1 + 
 gnu/packages/gimp.scm                         |  1 + 
 gnu/packages/patches/gimp-CVE-2016-4994.patch | 96 +++++++++++++++++++++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 gnu/packages/patches/gimp-CVE-2016-4994.patch

Comments

Ludovic Courtès July 2, 2016, 1:19 p.m. UTC | #1
Leo Famulari <leo@famulari.name> skribis:

> GIMP has a use-after-free bug related to XCF file parsing that allows
> arbitrary code execution:
> https://security-tracker.debian.org/tracker/CVE-2016-4994
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4994
>
> This patch cherry-picks the upstream commit from the gimp-2-8 branch:
> https://git.gnome.org/browse/gimp/commit/?h=gimp-2-8&id=e82aaa4b4ee0703c879e35ea9321fff6be3e9b6f

Go for it!

Thank you for taking care of it, as usual!

Ludo’.
diff mbox

Patch

From 92df989d76da73963c7d05006ca6fcf535d364b4 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Fri, 1 Jul 2016 16:05:40 -0400
Subject: [PATCH] gnu: gimp: Fix CVE-2016-4994.

* gnu/packages/patches/gimp-CVE-2016-4994.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gimp.scm (gimp): Use it.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/gimp.scm                         |  1 +
 gnu/packages/patches/gimp-CVE-2016-4994.patch | 96 +++++++++++++++++++++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 gnu/packages/patches/gimp-CVE-2016-4994.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 7dfda9b..829693a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -515,6 +515,7 @@  dist_patch_DATA =						\
   %D%/packages/patches/geoclue-config.patch			\
   %D%/packages/patches/ghostscript-CVE-2015-3228.patch		\
   %D%/packages/patches/ghostscript-runpath.patch		\
+  %D%/packages/patches/gimp-CVE-2016-4994.patch			\
   %D%/packages/patches/glib-networking-ssl-cert-file.patch	\
   %D%/packages/patches/glib-tests-timer.patch			\
   %D%/packages/patches/glibc-CVE-2015-7547.patch		\
diff --git a/gnu/packages/gimp.scm b/gnu/packages/gimp.scm
index 1cd779a..d5c58e2 100644
--- a/gnu/packages/gimp.scm
+++ b/gnu/packages/gimp.scm
@@ -130,6 +130,7 @@  buffers.")
               (uri (string-append "http://download.gimp.org/pub/gimp/v"
                                   (version-major+minor version)
                                   "/gimp-" version ".tar.bz2"))
+              (patches (search-patches "gimp-CVE-2016-4994.patch"))
               (sha256
                (base32
                 "1dsgazia9hmab8cw3iis7s69dvqyfj5wga7ds7w2q5mms1xqbqwm"))))
diff --git a/gnu/packages/patches/gimp-CVE-2016-4994.patch b/gnu/packages/patches/gimp-CVE-2016-4994.patch
new file mode 100644
index 0000000..6c81c63
--- /dev/null
+++ b/gnu/packages/patches/gimp-CVE-2016-4994.patch
@@ -0,0 +1,96 @@ 
+Fix CVE-2016-4994:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4994
+
+Copied from upstream repository:
+https://git.gnome.org/browse/gimp/patch/?id=e82aaa4b4ee0703c879e35ea9321fff6be3e9b6f
+
+From e82aaa4b4ee0703c879e35ea9321fff6be3e9b6f Mon Sep 17 00:00:00 2001
+From: Shmuel H <shmuelgimp@gmail.com>
+Date: Mon, 20 Jun 2016 17:14:41 +0300
+Subject: Bug 767873 - (CVE-2016-4994) Multiple Use-After-Free when parsing...
+
+...XCF channel and layer properties
+
+The properties PROP_ACTIVE_LAYER, PROP_FLOATING_SELECTION,
+PROP_ACTIVE_CHANNEL saves the current object pointer the @info
+structure. Others like PROP_SELECTION (for channel) and
+PROP_GROUP_ITEM (for layer) will delete the current object and create
+a new object, leaving the pointers in @info invalid (dangling).
+
+Therefore, if a property from the first type will come before the
+second, the result will be an UaF in the last lines of xcf_load_image
+(when it actually using the pointers from @info).
+
+I wasn't able to exploit this bug because that
+g_object_instance->c_class gets cleared by the last g_object_unref and
+GIMP_IS_{LAYER,CHANNEL} detects that and return FALSE.
+
+(cherry picked from commit 6d804bf9ae77bc86a0a97f9b944a129844df9395)
+---
+ app/xcf/xcf-load.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
+index b180377..67cc6d4 100644
+--- a/app/xcf/xcf-load.c
++++ b/app/xcf/xcf-load.c
+@@ -904,6 +904,18 @@ xcf_load_layer_props (XcfInfo    *info,
+         case PROP_GROUP_ITEM:
+           {
+             GimpLayer *group;
++            gboolean   is_active_layer;
++
++            /* We're going to delete *layer, Don't leave its pointers
++             * in @info.  After that, we'll restore them back with the
++             * new pointer. See bug #767873.
++             */
++            is_active_layer = (*layer == info->active_layer);
++            if (is_active_layer)
++              info->active_layer = NULL;
++
++            if (*layer == info->floating_sel)
++              info->floating_sel = NULL;
+ 
+             group = gimp_group_layer_new (image);
+ 
+@@ -916,6 +928,13 @@ xcf_load_layer_props (XcfInfo    *info,
+             g_object_ref_sink (*layer);
+             g_object_unref (*layer);
+             *layer = group;
++
++            if (is_active_layer)
++              info->active_layer = *layer;
++
++            /* Don't restore info->floating_sel because group layers
++             * can't be floating selections
++             */
+           }
+           break;
+ 
+@@ -986,6 +1005,12 @@ xcf_load_channel_props (XcfInfo      *info,
+           {
+             GimpChannel *mask;
+ 
++            /* We're going to delete *channel, Don't leave its pointer
++             * in @info. See bug #767873.
++             */
++            if (*channel == info->active_channel)
++              info->active_channel = NULL;
++
+             mask =
+               gimp_selection_new (image,
+                                   gimp_item_get_width  (GIMP_ITEM (*channel)),
+@@ -1000,6 +1025,10 @@ xcf_load_channel_props (XcfInfo      *info,
+             *channel = mask;
+             (*channel)->boundary_known = FALSE;
+             (*channel)->bounds_known   = FALSE;
++
++            /* Don't restore info->active_channel because the
++             * selection can't be the active channel
++             */
+           }
+           break;
+ 
+-- 
+cgit v0.12
+
-- 
2.9.0