--- a/ChangeLog Wed Sep 28 08:01:54 2011 +0000
+++ b/ChangeLog Tue Oct 18 07:00:28 2011 +0000
@@ -1,3 +1,9 @@
+2011-10-18 Abhijit Nath <[email protected]>
+
+ * base-specs/gimp.spec
+ * patches/gimp-07-CVE-2011-2896.diff
+ * Added the patch to fix security issue CR# 7079990
+
2011-09-28 Rohini S <[email protected]>
* base-specs/thunderbird.spec: Bump to 3.1.11
--- a/base-specs/gimp.spec Wed Sep 28 08:01:54 2011 +0000
+++ b/base-specs/gimp.spec Tue Oct 18 07:00:28 2011 +0000
@@ -40,6 +40,8 @@
Patch5: gimp-05-libpng12.diff
# date:2011-08-16 owner:abhijit.nath type:bug
Patch6: gimp-06-CVE-2010-454x.diff
+# date:2011-08-16 owner:abhijit.nath type:bug
+Patch7: gimp-07-CVE-2011-2896.diff
URL: http://www.gimp.org
BuildRoot: %{_tmppath}/%{name}-%{version}-build
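Review bot: The tracking comment added above `Patch7` repeats `date:2011-08-16` from the Patch6 entry, while the %changelog entry added in this same file dates the patch Mon Sep 19 2011 and the ChangeLog entry is 2011-10-18. If the comment is meant to record when the patch was introduced, it should read `# date:2011-09-19 owner:abhijit.nath type:bug`, or use whichever of the two dates matches the project's convention. Accurate dates on security patches matter when auditing which builds carry the CVE-2011-2896 fix.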
@@ -117,6 +119,7 @@
%patch4 -p1
%patch5 -p1
%patch6 -p1
+%patch7 -p1
%build
%ifos linux
if [ -x /usr/bin/getconf ]; then
@@ -240,6 +243,8 @@
%{_mandir}/man1/gimptool-%{subver_install}.1*
%changelog
+* Mon Sep 19 2011 - [email protected]
+- Added patches/gimp-07-CVE-2011-2896.diff to fix CR #7079990
* Mon Aug 8 2011 - [email protected]
- Added patches/gimp-06-CVE-2010-454x.diff to fix CR #7075500
* Tue Aug 31 2010 [email protected]
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/gimp-07-CVE-2011-2896.diff Tue Oct 18 07:00:28 2011 +0000
@@ -0,0 +1,49 @@
+--- gimp-2.6.10/plug-ins/common/file-gif-load.c 2010-07-03 04:21:56.000000000 +0530
++++ gimp-2.6.10.new/plug-ins/common/file-gif-load.c 2011-09-20 02:03:54.506907683 +0530
+@@ -697,7 +697,8 @@ LZWReadByte (FILE *fd,
+ static gint firstcode, oldcode;
+ static gint clear_code, end_code;
+ static gint table[2][(1 << MAX_LZW_BITS)];
+- static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
++ #define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
++ static gint stack[STACK_SIZE], *sp;
+ gint i;
+
+ if (just_reset_LZW)
+@@ -772,7 +773,7 @@ LZWReadByte (FILE *fd,
+
+ return firstcode;
+ }
+- else if (code == end_code)
++ else if (code == end_code || code > max_code)
+ {
+ gint count;
+ guchar buf[260];
+@@ -791,13 +792,14 @@ LZWReadByte (FILE *fd,
+
+ incode = code;
+
+- if (code >= max_code)
++ if (code == max_code)
+ {
+- *sp++ = firstcode;
++ if (sp < &(stack[STACK_SIZE]))
++ *sp++ = firstcode;
+ code = oldcode;
+ }
+
+- while (code >= clear_code)
++ while (code >= clear_code && sp < &(stack[STACK_SIZE]))
+ {
+ *sp++ = table[1][code];
+ if (code == table[0][code])
+@@ -808,7 +810,8 @@ LZWReadByte (FILE *fd,
+ code = table[0][code];
+ }
+
+- *sp++ = firstcode = table[1][code];
++ if (sp < &(stack[STACK_SIZE]))
++ *sp++ = firstcode = table[1][code];
+
+ if ((code = max_code) < (1 << MAX_LZW_BITS))
+ {
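Review bot: The three `sp < &(stack[STACK_SIZE])` guards stop the write past `stack`, but when the stack is full they drop decoded bytes silently and decoding carries on as if the stream were valid. In the last one (`*sp++ = firstcode = table[1][code];`) the guard also skips the `firstcode` update, so later uses of `firstcode` would see the previous value. I would separate the two, `firstcode = table[1][code];` followed by `if (sp < &(stack[STACK_SIZE])) *sp++ = firstcode;`, and, if LZWReadByte has an error return available, treat a full stack as a corrupt image rather than truncating the output. The `#define STACK_SIZE` sits inside the function body with no `#undef`, so it stays defined for the rest of file-gif-load.c; a comment next to it such as `/* bound for sp; every push onto stack must be checked against it */` would help. LZWReadByte starts and ends outside these hunks, so the effect on the code after the last guard is inferred.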