Package: gimp / 2.8.14-1+deb8u2

Metadata

Package: gimp
Version: 2.8.14-1+deb8u2
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
disable internal help browser | (download)

etc/gimprc | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

01_hurd_ftbfs.patch | (download)

libgimpbase/gimpreloc.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 define path_max to fix build on the hurd.
02_CVE 2016 4994.patch | (download)

app/xcf/xcf-load.c | 29 29 + 0 - 0 !
1 file changed, 29 insertions(+)

 bug 767873 - (cve-2016-4994) multiple use-after-free when parsing...

...XCF channel and layer properties

The properties PROP_ACTIVE_LAYER, PROP_FLOATING_SELECTION,
PROP_ACTIVE_CHANNEL save the current object pointer in the @info
structure. Others like PROP_SELECTION (for channel) and
PROP_GROUP_ITEM (for layer) will delete the current object and create
a new object, leaving the pointers in @info invalid (dangling).

Therefore, if a property from the first type comes before the
second, the result will be a UaF in the last lines of xcf_load_image
(when it is actually using the pointers from @info).

I wasn't able to exploit this bug because
g_object_instance->c_class gets cleared by the last g_object_unref and
GIMP_IS_{LAYER,CHANNEL} detects that and returns FALSE.

(cherry picked from commit 6d804bf9ae77bc86a0a97f9b944a129844df9395)

Bug 739134 CVE 2017 17786 Out of bounds read heap ov.patch | (download)

plug-ins/common/file-tga.c | 12 8 + 4 - 0 !
1 file changed, 8 insertions(+), 4 deletions(-)

 bug 739134 - (cve-2017-17786) out of bounds read / heap overflow
 in...
plug ins TGA 16 bit RGB without alpha bit is also va.patch | (download)

plug-ins/common/file-tga.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 plug-ins: tga 16-bit rgb (without alpha bit) is also valid.
Bug 790849 CVE 2017 17789 CVE 2017 17789 Heap buffer.patch | (download)

plug-ins/common/file-psp.c | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 bug 790849 - (cve-2017-17789) cve-2017-17789 heap buffer overflow...
Bug 790784 CVE 2017 17784 heap overread in gbr parse.patch | (download)

plug-ins/common/file-gbr.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 bug 790784 - (cve-2017-17784) heap overread in gbr parser /
 load_image.
Bug 790853 CVE 2017 17787 heap overread in psp impor.patch | (download)

plug-ins/common/file-psp.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 bug 790853 - (cve-2017-17787) heap overread in psp importer.
Bug 739133 CVE 2017 17785 Heap overflow while parsin.patch | (download)

plug-ins/file-fli/fli.c | 50 35 + 15 - 0 !
1 file changed, 35 insertions(+), 15 deletions(-)

 bug 739133 - (cve-2017-17785) heap overflow while parsing fli files.
790783 buffer overread in XCF parser if version fiel.patch | (download)

app/xcf/xcf.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 790783 - buffer overread in xcf parser if version field...