CR#7075500 s11express-2010-11 OSE1011_SRU12_02
authoran230044
Tue, 13 Sep 2011 12:17:59 +0000
branchs11express-2010-11
changeset 22124 4322392a11ea
parent 22123 474d740f8c6e
child 22148 0b787dd33e0d
CR#7075500
ChangeLog
base-specs/gimp.spec
patches/gimp-06-CVE-2010-454x.diff
--- a/ChangeLog	Tue Sep 13 05:47:54 2011 +0000
+++ b/ChangeLog	Tue Sep 13 12:17:59 2011 +0000
@@ -1,3 +1,9 @@
+2011-09-12  Abhijit Nath <[email protected]>
+
+	* base-specs/gimp.spec
+	* patches/gimp-06-CVE-2010-454x.diff
+	Added the patch to fix CR# 7075500
+
 2011-09-13  Rohini S  <[email protected]>
 
 	* base-specs/vino.spec:
--- a/base-specs/gimp.spec	Tue Sep 13 05:47:54 2011 +0000
+++ b/base-specs/gimp.spec	Tue Sep 13 12:17:59 2011 +0000
@@ -38,6 +38,8 @@
 Patch4:       gimp-04-fixxref-modules.diff
 # date:2010-08-31 owner:leon.sha type:bug
 Patch5:       gimp-05-libpng12.diff
+# date:2011-08-16 owner:abhijit.nath type:bug
+Patch6:       gimp-06-CVE-2010-454x.diff 
 
 URL:          http://www.gimp.org
 BuildRoot:    %{_tmppath}/%{name}-%{version}-build
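Review bot: The new `Patch6:` line ends with a trailing space after the file name, and the new `%changelog` line in the third hunk of this file ends with one too; the neighbouring `PatchN:` entries have none, so `Patch6:       gimp-06-CVE-2010-454x.diff` without the trailing blank keeps the spec consistent. The ownership comment above it follows the existing `# date:... owner:... type:bug` form, which is fine.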
@@ -114,6 +116,7 @@
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 %build
 %ifos linux
 if [ -x /usr/bin/getconf ]; then
@@ -237,6 +240,8 @@
 %{_mandir}/man1/gimptool-%{subver_install}.1*
 
 %changelog
+* Mon Aug 8 2011 - [email protected]
+- Added patches/gimp-06-CVE-2010-454x.diff to fix CR #7075500 
 * Tue Aug 31 2010 [email protected]
 - Bump to 2.6.10
 - Remove patch gimp-03-bmp-integer-overflows.diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/gimp-06-CVE-2010-454x.diff	Tue Sep 13 12:17:59 2011 +0000
@@ -0,0 +1,116 @@
+--- gimp-2.6.10.orig/plug-ins/common/sphere-designer.c	2011-08-16 11:48:50.451538000 +0530
++++ gimp-2.6.10/plug-ins/common/sphere-designer.c	2011-08-16 11:53:08.714956000 +0530
+@@ -1992,6 +1992,7 @@ loadit (const gchar * fn)
+   gchar    endbuf[21 * (G_ASCII_DTOSTR_BUF_SIZE + 1)];
+   gchar   *end = endbuf;
+   gchar    line[1024];
++  gchar    fmt_str[16];
+   gint     i;
+   texture *t;
+   gint     majtype, type;
+@@ -2016,6 +2017,8 @@ loadit (const gchar * fn)
+ 
+   s.com.numtexture = 0;
+ 
++  snprintf (fmt_str, sizeof (fmt_str), "%%d %%d %%%lds", sizeof (endbuf) - 1);
++
+   while (!feof (f))
+     {
+ 
+@@ -2026,7 +2029,7 @@ loadit (const gchar * fn)
+       t = &s.com.texture[i];
+       setdefaults (t);
+ 
+-      if (sscanf (line, "%d %d %s", &t->majtype, &t->type, end) != 3)
++      if (sscanf (line, fmt_str, &t->majtype, &t->type, end) != 3)
+         t->color1.x = g_ascii_strtod (end, &end);
+       if (end && errno != ERANGE)
+         t->color1.y = g_ascii_strtod (end, &end);
+--- gimp-2.6.10.orig/plug-ins/gfig/gfig-style.c	2011-08-16 11:48:42.938675000 +0530
++++ gimp-2.6.10/plug-ins/gfig/gfig-style.c	2011-08-16 11:57:17.625677000 +0530
+@@ -165,6 +165,7 @@ gfig_read_parameter_gimp_rgb (gchar     
+   gchar *ptr;
+   gchar *tmpstr;
+   gchar *endptr;
++  gchar  fmt_str[32];
+   gchar  colorstr_r[G_ASCII_DTOSTR_BUF_SIZE];
+   gchar  colorstr_g[G_ASCII_DTOSTR_BUF_SIZE];
+   gchar  colorstr_b[G_ASCII_DTOSTR_BUF_SIZE];
+@@ -172,6 +173,8 @@ gfig_read_parameter_gimp_rgb (gchar     
+ 
+   style_entry->r = style_entry->g = style_entry->b = style_entry->a = 0.;
+ 
++  snprintf (fmt_str, sizeof (fmt_str), "%%%lds %%%lds %%%lds %%%lds", sizeof (colorstr_r) - 1, sizeof (colorstr_g) - 1, sizeof (colorstr_b) - 1, sizeof (colorstr_a) - 1);
++
+   while (n < nitems)
+     {
+       ptr = strchr (text[n], ':');
+@@ -181,7 +184,7 @@ gfig_read_parameter_gimp_rgb (gchar     
+           ptr++;
+           if (!strcmp (tmpstr, name))
+             {
+-              sscanf (ptr, "%s %s %s %s", colorstr_r, colorstr_g, colorstr_b, colorstr_a);
++              sscanf (ptr, fmt_str, colorstr_r, colorstr_g, colorstr_b, colorstr_a);
+               style_entry->r = g_ascii_strtod (colorstr_r, &endptr);
+               style_entry->g = g_ascii_strtod (colorstr_g, &endptr);
+               style_entry->b = g_ascii_strtod (colorstr_b, &endptr);
+--- gimp-2.6.10.orig/plug-ins/lighting/lighting-ui.c	2011-08-16 11:48:41.292829000 +0530
++++ gimp-2.6.10/plug-ins/lighting/lighting-ui.c	2011-08-16 12:14:35.185283000 +0530
+@@ -1342,6 +1342,7 @@ load_preset_response (GtkFileChooser *ch
+   gchar          buffer3[G_ASCII_DTOSTR_BUF_SIZE];
+   gchar          type_label[21];
+   gchar         *endptr;
++  gchar          fmt_str[32];
+ 
+   if (response_id == GTK_RESPONSE_OK)
+     {
+@@ -1381,23 +1382,27 @@ load_preset_response (GtkFileChooser *ch
+                   return;
+                 }
+ 
+-              fscanf (fp, " Position: %s %s %s", buffer1, buffer2, buffer3);
++              snprintf (fmt_str, sizeof (fmt_str), " Position: %%%lds %%%lds %%%lds", sizeof (buffer1) - 1, sizeof (buffer2) - 1, sizeof (buffer3) - 1);
++              fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
+               source->position.x = g_ascii_strtod (buffer1, &endptr);
+               source->position.y = g_ascii_strtod (buffer2, &endptr);
+               source->position.z = g_ascii_strtod (buffer3, &endptr);
+ 
+-              fscanf (fp, " Direction: %s %s %s", buffer1, buffer2, buffer3);
++              snprintf (fmt_str, sizeof (fmt_str), " Direction: %%%lds %%%lds %%%lds", sizeof (buffer1) - 1, sizeof (buffer2) - 1, sizeof (buffer3) - 1);
++              fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
+               source->direction.x = g_ascii_strtod (buffer1, &endptr);
+               source->direction.y = g_ascii_strtod (buffer2, &endptr);
+               source->direction.z = g_ascii_strtod (buffer3, &endptr);
+ 
+-              fscanf (fp, " Color: %s %s %s", buffer1, buffer2, buffer3);
++              snprintf (fmt_str, sizeof (fmt_str), " Color: %%%lds %%%lds %%%lds", sizeof (buffer1) - 1, sizeof (buffer2) - 1, sizeof (buffer3) - 1);
++              fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
+               source->color.r = g_ascii_strtod (buffer1, &endptr);
+               source->color.g = g_ascii_strtod (buffer2, &endptr);
+               source->color.b = g_ascii_strtod (buffer3, &endptr);
+               source->color.a = 1.0;
+ 
+-              fscanf (fp, " Intensity: %s", buffer1);
++              snprintf (fmt_str, sizeof (fmt_str), " Intensity: %%%lds", sizeof (buffer1) - 1);
++              fscanf (fp, fmt_str, buffer1);
+               source->intensity = g_ascii_strtod (buffer1, &endptr);
+ 
+             }
+--- gimp-2.6.10.orig/plug-ins/common/file-psp.c	2011-08-16 11:48:49.945737000 +0530
++++ gimp-2.6.10/plug-ins/common/file-psp.c	2011-08-16 12:04:16.278205000 +0530
+@@ -1246,13 +1246,14 @@ read_channel_data (FILE       *f,
+             fread (buf, runcount, 1, f);
+           if (bytespp == 1)
+             {
++              runcount = MIN (runcount, endq - q);
+               memmove (q, buf, runcount);
+               q += runcount;
+             }
+           else
+             {
+               p = buf;
+-              for (i = 0; i < runcount; i++)
++              for (i = 0; i < runcount && q < endq; i++)
+                 {
+                   *q = *p++;
+                   q += bytespp;
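Review bot: Every new snprintf in the three scanf fixes (sphere-designer.c, gfig-style.c and the four lighting-ui.c sites) formats a `size_t` value (`sizeof (...) - 1`) with `%ld`; the argument type does not match the conversion, which is undefined behaviour and misbehaves on targets where `long` is narrower than `size_t`, so cast it, e.g. `snprintf (fmt_str, sizeof (fmt_str), "%%d %%d %%%lus", (unsigned long) (sizeof (endbuf) - 1));` and likewise at the other sites. None of the snprintf return values is checked, so the hand-sized `fmt_str[16]`/`fmt_str[32]` buffers would silently truncate the format if a buffer constant ever grows; checking `n > 0 && n < sizeof (fmt_str)` (or sizing `fmt_str` from the same constants) would make that visible, and because the format is no longer a literal, `-Wformat` can no longer check the scanf calls themselves. In sphere-designer the width is derived from the whole of `endbuf`, but the scan writes at `end`, which `g_ascii_strtod (end, &end)` advances on the lines that follow; unless the loop resets `end = endbuf` somewhere outside the hunk, the space left is smaller than the width and the bound should be `sizeof (endbuf) - 1 - (end - endbuf)`. In lighting-ui the `fscanf` results are still ignored, so a short or malformed preset leaves `buffer1`..`buffer3` holding whatever they held before and `g_ascii_strtod` parses that; comparing each call's return with the expected field count and bailing out would close that gap. The `loadit`, `gfig_read_parameter_gimp_rgb`, `load_preset_response` and `read_channel_data` bodies all extend outside this patch.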