
10 Commits

Author SHA1 Message Date
openeuler-ci-bot
4412cafdf6
!60 fix duplicate packaged files for help subpackages
From: @zppzhangpan 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
2024-10-16 01:04:11 +00:00
zhangpan
f3de84b364 fix duplicate packaged files for help subpackages 2024-10-14 07:39:53 +00:00
openeuler-ci-bot
d08a378e92
!49 Fix CVE-2022-48622
From: @li_ning_jie 
Reviewed-by: @weidongkl 
Signed-off-by: @weidongkl
2024-06-26 06:29:08 +00:00
liningjie
29602f8096 Fix CVE-2022-48622 2024-06-26 12:07:52 +08:00
openeuler-ci-bot
937f760c19
!36 [sync] PR-33: disable make check
From: @openeuler-sync-bot 
Reviewed-by: @leeffo 
Signed-off-by: @leeffo
2023-03-22 07:20:16 +00:00
zhouwenpei
a97c522839 disable make check
(cherry picked from commit 104e91d89f6a9fd17fd9632034b1f9cb4d381248)
2023-03-21 17:29:19 +08:00
openeuler-ci-bot
c7a84f67d0
!30 Update to 2.42.10
From: @dwl301 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
2023-02-02 02:48:26 +00:00
dwl301
0519d0bead Update to 2.42.10 2023-01-31 16:27:23 +08:00
openeuler-ci-bot
f2970722f6
!14 Update to 2.42.8
From: @zhang__3125 
Reviewed-by: @dwl301 
Signed-off-by: @dwl301
2022-04-13 04:48:34 +00:00
zhang__3125
7ab6fafe53 Update to 2.42.8 2022-04-13 12:18:34 +08:00
3 changed files with 144 additions and 9 deletions


@ -0,0 +1,113 @@
From 00c071dd11f723ca608608eef45cb1aa98da89cc Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 07:26:54 -0500
Subject: [PATCH 1/3] ANI: Reject files with multiple anih chunks
An anih chunk causes us to initialize a bunch of state, which we only
expect to do once per file.
Fixes: #202
Fixes: CVE-2022-48622
---
gdk-pixbuf/io-ani.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index c6c4642cf4..a78ea7ace4 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -295,6 +295,15 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
if (context->chunk_id == TAG_anih)
{
+ if (context->animation)
+ {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Invalid header in animation"));
+ return FALSE;
+ }
+
context->HeaderSize = read_int32 (context);
context->NumFrames = read_int32 (context);
context->NumSteps = read_int32 (context);
--
GitLab
From d52134373594ff76614fb415125b0d1c723ddd56 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 07:13:37 -0500
Subject: [PATCH 2/3] ANI: Reject files with multiple INAM or IART chunks
There should be at most one chunk each. These would cause memory leaks
otherwise.
---
gdk-pixbuf/io-ani.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index a78ea7ace4..8e8414117c 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -445,7 +445,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
}
else if (context->chunk_id == TAG_INAM)
{
- if (!context->animation)
+ if (!context->animation || context->title)
{
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
@@ -472,7 +472,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
}
else if (context->chunk_id == TAG_IART)
{
- if (!context->animation)
+ if (!context->animation || context->author)
{
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
--
GitLab
From 91b8aa5cd8a0eea28acb51f0e121827ca2e7eb78 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 08:17:25 -0500
Subject: [PATCH 3/3] ANI: Validate anih chunk size
Before reading a chunk, we verify that enough bytes are available to match
the chunk size declared by the file. However, uniquely, the anih chunk
loader doesn't verify that this size matches the number of bytes it
actually intends to read. Thus, if the chunk size is too small and the
file ends in the middle of the chunk, we populate some context fields with
stack garbage. (But we'd still fail later on because the file doesn't
contain any images.) Fix this.
---
gdk-pixbuf/io-ani.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index 8e8414117c..cfafd7b196 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -295,6 +295,14 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
if (context->chunk_id == TAG_anih)
{
+ if (context->chunk_size < 36)
+ {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Malformed chunk in animation"));
+ return FALSE;
+ }
if (context->animation)
{
g_set_error_literal (error,
--
GitLab
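Review bot: The new guard in patch 3/3, `if (context->chunk_size < 36)`, only sets a lower bound and uses a bare literal, although the commit message describes checking that the declared size matches what the anih branch reads. An anih chunk that declares more than 36 bytes still passes. Whether its trailing bytes are skipped before the next chunk header is parsed cannot be seen here, because the rest of `ani_load_chunk` lies outside these hunks, so that path is worth checking against the full source. The literal presumably stands for nine 32-bit header fields (only three `read_int32` calls are visible here); a short comment such as `/* anih payload: 9 x 32-bit fields = 36 bytes */` or a named constant would make the bound checkable against the reads.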


@ -1,12 +1,14 @@
%global glib2_version 2.56.0
Name: gdk-pixbuf2
Version: 2.42.6
Release: 2
Version: 2.42.10
Release: 4
Summary: gdk is a multi-platform toolkit for creating graphical user interfaces.
License: LGPLv2+
URL: https://gitlab.gnome.org/GNOME/gdk-pixbuf
Source0: https://download-fallback.gnome.org/sources/gdk-pixbuf/2.42/gdk-pixbuf-%{version}.tar.xz
Source0: https://download.gnome.org/sources/gdk-pixbuf/2.42/gdk-pixbuf-%{version}.tar.xz
Patch6000: backport-CVE-2022-48622.patch
BuildRequires: docbook-style-xsl
BuildRequires: gettext
@ -18,9 +20,10 @@ BuildRequires: libxslt
BuildRequires: meson
BuildRequires: pkgconfig(gobject-introspection-1.0)
BuildRequires: shared-mime-info
BuildRequires: cmake gi-docgen python3-docutils
Requires: glib2%{?_isa} >= %{glib2_version}
Requires: shared-mime-info
Requires: glib2%{?_isa} >= %{glib2_version}
Requires: shared-mime-info
%description
gdk is written in C but has been designed from the ground up to support a wide range of languages.
@ -66,16 +69,13 @@ developing applications that uses gdk-pixbuf2 xlib and test.
%build
%meson \
-Dgtk_doc=false \
-Dgtk_doc=true \
-Dman=true \
%{nil}
%global _smp_mflags -j1
%meson_build
%check
%meson_test
%install
%meson_install
@ -84,6 +84,8 @@ touch $RPM_BUILD_ROOT%{_libdir}/gdk-pixbuf-2.0/2.10.0/loaders.cache
(cd $RPM_BUILD_ROOT%{_bindir}
mv gdk-pixbuf-query-loaders gdk-pixbuf-query-loaders-%{__isa_bits}
)
sed -i -e 's/gdk-pixbuf-query-loaders/gdk-pixbuf-query-loaders-%{__isa_bits}/' \
$RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdk-pixbuf-2.0.pc
%find_lang gdk-pixbuf
@ -126,8 +128,28 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
%defattr(-,root,root)
%{_mandir}/man1/gdk-pixbuf-query-loaders.1*
%{_mandir}/man1/gdk-pixbuf-csource.1*
%{_datadir}/doc/gdk-pixbuf/
%{_datadir}/doc/gdk-pixdata/
%changelog
* Mon Oct 14 2024 zhangpan <zhangpan103@h-partners.com> - 2.42.10-4
- fix duplicate packaged files for help subpackages
* Wed Jun 26 2024 liningjie <liningjie@xfusion.com> - 2.42.10-3
- Fix CVE-2022-48622
* Tue Mar 07 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 2.42.10-2
- disable make check
* Mon Jan 2 2023 lin zhang <lin.zhang@turbolinux.com.cn> - 2.42.10-1
- Update to 2.42.10
* Tue Sep 06 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 2.42.8-2
- fix test fails when testing gif images
* Mon Mar 28 2022 lin zhang <lin.zhang@turbolinux.com.cn> - 2.42.8-1
- Update to 2.42.8
* Wed Mar 30 2022 liuyumeng <liuyumeng5@h-partners.com> - 2.42.6-2
- enable tests
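Review bot: `Patch6000: backport-CVE-2022-48622.patch` is declared here, but the `%prep` section is outside the visible hunks, so it cannot be confirmed that the patch is actually applied; check that `%prep` uses `%autosetup -p1` or carries a matching `%patch` line. The `%build` hunk also appears to drop `%check` / `%meson_test` (the 2.42.10-2 changelog entry says "disable make check"), which would mean the ANI loader fix is not exercised by the test suite at build time. If the tests were disabled for an unrelated failure, consider restoring `%check` with only the failing test skipped. The old/new markers are lost on this page, so the removed lines are inferred from the hunk counts and the changelog.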