Control: tags 860766 + patch
Control: tags 860766 + pending
Control: tags 884836 + pending
Control: tags 884837 + patch
Control: tags 884837 + pending
Control: tags 884862 + patch
Control: tags 884862 + pending
Control: tags 884925 + pending
Control: tags 884927 + pending
Control: tags 885347 + pending

Hi Ari,

I've prepared an NMU for gimp (versioned as 2.8.20-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru gimp-2.8.20/debian/changelog gimp-2.8.20/debian/changelog
--- gimp-2.8.20/debian/changelog	2017-03-04 22:15:02.000000000 +0100
+++ gimp-2.8.20/debian/changelog	2017-12-26 22:11:46.000000000 +0100
@@ -1,3 +1,24 @@
+gimp (2.8.20-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+
+  [ Ari Pollak ]
+  * Move gimp to Enhances on gimp-data instead of Recommends (Closes: #860766)
+
+  [ Salvatore Bonaccorso ]
+  * Out of bounds read / heap overflow in TGA importer (CVE-2017-17786)
+    (Closes: #884862)
+  * plug-ins: TGA 16-bit RGB (without alpha bit) is also valid
+  * Heap buffer overflow in PSP importer (CVE-2017-17789) (Closes: #884837)
+  * heap overread in gbr parser / load_image (CVE-2017-17784)
+    (Closes: #884925)
+  * heap overread in psp importer (CVE-2017-17787) (Closes: #884927)
+  * Heap overflow while parsing FLI files (CVE-2017-17785) (Closes: #884836)
+  * buffer overread in XCF parser if version field has no null terminator
+    (CVE-2017-17788) (Closes: #885347)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Tue, 26 Dec 2017 22:11:46 +0100
+
 gimp (2.8.20-1) unstable; urgency=low
 
   * New upstream version 2.8.20
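Review bot: urgency=medium in the new 2.8.20-1.1 stanza looks low for an upload whose entries close six CVE bugs in file importers; consider urgency=high so the fixes migrate quickly. The "plug-ins: TGA 16-bit RGB" entry is also the only fix line without a bug or CVE reference; saying that it is a follow-up to the CVE-2017-17786 change would make the changelog self-explanatory.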
diff -Nru gimp-2.8.20/debian/control gimp-2.8.20/debian/control
--- gimp-2.8.20/debian/control	2016-09-12 00:27:25.000000000 +0200
+++ gimp-2.8.20/debian/control	2017-12-26 22:11:46.000000000 +0100
@@ -109,7 +109,7 @@
 
 Package: gimp-data
 Architecture: all
-Recommends: gimp
+Enhances: gimp
 Depends: ${misc:Depends}
 Conflicts: gimp (<< 2.4.0~rc2-2),
            gimp-python (<< 2.6.0)
diff -Nru gimp-2.8.20/debian/patches/790783-buffer-overread-in-XCF-parser-if-version-fiel.patch gimp-2.8.20/debian/patches/790783-buffer-overread-in-XCF-parser-if-version-fiel.patch
--- gimp-2.8.20/debian/patches/790783-buffer-overread-in-XCF-parser-if-version-fiel.patch	1970-01-01 01:00:00.000000000 +0100
+++ gimp-2.8.20/debian/patches/790783-buffer-overread-in-XCF-parser-if-version-fiel.patch	2017-12-26 22:11:46.000000000 +0100
@@ -0,0 +1,29 @@
+From: Hanno Boeck <ha...@hboeck.de>
+Date: Mon, 27 Nov 2017 00:37:29 +0100
+Subject: 790783 - buffer overread in XCF parser if version field...
+Origin: https://git.gnome.org/browse/GIMP/commit/?id=702c4227e8b6169f781e4bb5ae4b5733f51ab126
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17788
+Bug-Debian: https://bugs.debian.org/885347
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=790783
+
+...has no null terminator
+
+Check for the presence of '\0' before using atoi() on the version
+string. Patch slightly modified (mitch).
+[carnil: backport to gimp-2-8: affected code in xcf_load_invoker]
+---
+ app/xcf/xcf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/app/xcf/xcf.c
++++ b/app/xcf/xcf.c
+@@ -318,7 +318,8 @@ xcf_load_invoker (GimpProcedure      *pr
+         {
+           info.file_version = 0;
+         }
+-      else if (id[9] == 'v')
++      else if (id[9]  == 'v' &&
++               id[13] == '\0')
+         {
+           info.file_version = atoi (id + 10);
+         }
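Review bot: The added `id[13] == '\0'` test bounds the atoi() call, but nothing in the condition checks that id[10] through id[12] are digits, so a field such as "vabc" followed by a NUL passes and atoi() silently yields 0, the same value the preceding branch assigns. Consider verifying the three characters with g_ascii_isdigit() before converting, or parsing with strtol() and an end pointer, so a malformed version field is rejected rather than read as version 0.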
diff -Nru gimp-2.8.20/debian/patches/Bug-739133-CVE-2017-17785-Heap-overflow-while-parsin.patch gimp-2.8.20/debian/patches/Bug-739133-CVE-2017-17785-Heap-overflow-while-parsin.patch
--- gimp-2.8.20/debian/patches/Bug-739133-CVE-2017-17785-Heap-overflow-while-parsin.patch	1970-01-01 01:00:00.000000000 +0100
+++ gimp-2.8.20/debian/patches/Bug-739133-CVE-2017-17785-Heap-overflow-while-parsin.patch	2017-12-26 22:11:46.000000000 +0100
@@ -0,0 +1,164 @@
+From: Tobias Stoeckmann <tob...@stoeckmann.org>
+Date: Sun, 29 Oct 2017 15:19:41 +0100
+Subject: Bug 739133 - (CVE-2017-17785) Heap overflow while parsing FLI files.
+Origin: https://git.gnome.org/browse/GIMP/commit/?id=1882bac996a20ab5c15c42b0c5e8f49033a1af54
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17785
+Bug-Debian: https://bugs.debian.org/884836
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=739133
+
+It is possible to trigger a heap overflow while parsing FLI files. The
+RLE decoder is vulnerable to out of boundary writes due to lack of
+boundary checks.
+
+The variable "framebuf" points to a memory area which was allocated
+with fli_header->width * fli_header->height bytes. The RLE decoder
+therefore must never write beyond that limit.
+
+If an illegal frame is detected, the parser won't stop, which means
+that the next valid sequence is properly parsed again. This should
+allow GIMP to parse FLI files as good as possible even if they are
+broken by an attacker or by accident.
+
+While at it, I changed the variable xc to be of type size_t, because
+the multiplication of width and height could overflow a 16 bit type.
+
+Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>
+(cherry picked from commit edb251a7ef1602d20a5afcbf23f24afb163de63b)
+---
+ plug-ins/file-fli/fli.c | 50 ++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 35 insertions(+), 15 deletions(-)
+
+diff --git a/plug-ins/file-fli/fli.c b/plug-ins/file-fli/fli.c
+index 313efeb977..ffb651e2af 100644
+--- a/plug-ins/file-fli/fli.c
++++ b/plug-ins/file-fli/fli.c
+@@ -25,6 +25,8 @@
+ 
+ #include "config.h"
+ 
++#include <glib/gstdio.h>
++
+ #include <string.h>
+ #include <stdio.h>
+ 
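Review bot: The header added at the top of fli.c is `<glib/gstdio.h>`, but the only GLib facility the later hunks of this patch use is MIN. If that is the reason for the include, `<glib.h>` states the dependency directly; if gstdio.h is needed for something else, a word in the commit message would help.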
+@@ -461,23 +463,27 @@ void fli_read_brun(FILE *f, s_fli_header *fli_header, unsigned char *framebuf)
+ 	unsigned short yc;
+ 	unsigned char *pos;
+ 	for (yc=0; yc < fli_header->height; yc++) {
+-		unsigned short xc, pc, pcnt;
++		unsigned short pc, pcnt;
++		size_t n, xc;
+ 		pc=fli_read_char(f);
+ 		xc=0;
+ 		pos=framebuf+(fli_header->width * yc);
++		n=(size_t)fli_header->width * (fli_header->height-yc);
+ 		for (pcnt=pc; pcnt>0; pcnt--) {
+ 			unsigned short ps;
+ 			ps=fli_read_char(f);
+ 			if (ps & 0x80) {
+ 				unsigned short len;
+-				for (len=-(signed char)ps; len>0; len--) {
++				for (len=-(signed char)ps; len>0 && xc<n; len--) {
+ 					pos[xc++]=fli_read_char(f);
+ 				}
+ 			} else {
+ 				unsigned char val;
++				size_t len;
++				len=MIN(n-xc,ps);
+ 				val=fli_read_char(f);
+-				memset(&(pos[xc]), val, ps);
+-				xc+=ps;
++				memset(&(pos[xc]), val, len);
++				xc+=len;
+ 			}
+ 		}
+ 	}
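Review bot: In the literal-run loop of fli_read_brun, `len>0 && xc<n` stops the stores once the buffer is full but also stops the fli_read_char() calls, so the remaining bytes of that packet stay in the stream and are then interpreted as the next packet. The replicate branch does not have this problem because it always reads val. Keep looping on len alone and guard only the store with xc<n, so a clamped run does not desynchronise the rest of the frame.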
+@@ -564,25 +570,34 @@ void fli_read_lc(FILE *f, s_fli_header *fli_header, unsigned char *old_framebuf,
+ 	memcpy(framebuf, old_framebuf, fli_header->width * fli_header->height);
+ 	firstline = fli_read_short(f);
+ 	numline = fli_read_short(f);
++	if (numline > fli_header->height || fli_header->height-numline < firstline)
++		return;
++
+ 	for (yc=0; yc < numline; yc++) {
+-		unsigned short xc, pc, pcnt;
++		unsigned short pc, pcnt;
++		size_t n, xc;
+ 		pc=fli_read_char(f);
+ 		xc=0;
+ 		pos=framebuf+(fli_header->width * (firstline+yc));
++		n=(size_t)fli_header->width * (fli_header->height-firstline-yc);
+ 		for (pcnt=pc; pcnt>0; pcnt--) {
+ 			unsigned short ps,skip;
+ 			skip=fli_read_char(f);
+ 			ps=fli_read_char(f);
+-			xc+=skip;
++			xc+=MIN(n-xc,skip);
+ 			if (ps & 0x80) {
+ 				unsigned char val;
++				size_t len;
+ 				ps=-(signed char)ps;
+ 				val=fli_read_char(f);
+-				memset(&(pos[xc]), val, ps);
+-				xc+=ps;
++				len=MIN(n-xc,ps);
++				memset(&(pos[xc]), val, len);
++				xc+=len;
+ 			} else {
+-				fread(&(pos[xc]), ps, 1, f);
+-				xc+=ps;
++				size_t len;
++				len=MIN(n-xc,ps);
++				fread(&(pos[xc]), len, 1, f);
++				xc+=len;
+ 			}
+ 		}
+ 	}
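Review bot: In the copy branch of fli_read_lc, fread() now consumes only `len` bytes while the packet declared `ps`, so whenever the clamp applies the unread ps-len bytes are left in the stream and parsed as the next skip/size pair; the fread() return value is also still ignored. Skip the surplus after the clamped read and check the return so a short file is detected. The new early `return` on a bad firstline/numline pair also gives no diagnostic; a g_warning() there would help when triaging broken files.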
+@@ -689,7 +704,8 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu
+ 	yc=0;
+ 	numline = fli_read_short(f);
+ 	for (lc=0; lc < numline; lc++) {
+-		unsigned short xc, pc, pcnt, lpf, lpn;
++		unsigned short pc, pcnt, lpf, lpn;
++		size_t n, xc;
+ 		pc=fli_read_short(f);
+ 		lpf=0; lpn=0;
+ 		while (pc & 0x8000) {
+@@ -700,26 +716,30 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu
+ 			}
+ 			pc=fli_read_short(f);
+ 		}
++		yc=MIN(yc, fli_header->height);
+ 		xc=0;
+ 		pos=framebuf+(fli_header->width * yc);
++		n=(size_t)fli_header->width * (fli_header->height-yc);
+ 		for (pcnt=pc; pcnt>0; pcnt--) {
+ 			unsigned short ps,skip;
+ 			skip=fli_read_char(f);
+ 			ps=fli_read_char(f);
+-			xc+=skip;
++			xc+=MIN(n-xc,skip);
+ 			if (ps & 0x80) {
+ 				unsigned char v1,v2;
+ 				ps=-(signed char)ps;
+ 				v1=fli_read_char(f);
+ 				v2=fli_read_char(f);
+-				while (ps>0) {
++				while (ps>0 && xc+1<n) {
+ 					pos[xc++]=v1;
+ 					pos[xc++]=v2;
+ 					ps--;
+ 				}
+ 			} else {
+-				fread(&(pos[xc]), ps, 2, f);
+-				xc+=ps << 1;
++				size_t len;
++				len=MIN((n-xc)/2,ps);
++				fread(&(pos[xc]), len, 2, f);
++				xc+=len << 1;
+ 			}
+ 		}
+ 		if (lpf) pos[xc]=lpn;
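Review bot: The unchanged last line of this hunk, `if (lpf) pos[xc]=lpn;`, is not covered by the new bounds. After `yc=MIN(yc, fli_header->height)` a yc equal to the height gives n = 0 with pos pointing at the end of framebuf, and the clamped skip and copy paths can leave xc == n, so this store can still write one byte past the allocation. Guard it as `if (lpf && xc < n)`. The clamped fread() in the copy branch also leaves (ps-len)*2 bytes unread, which shifts the parsing of every following packet.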
+-- 
+2.15.1
+
diff -Nru gimp-2.8.20/debian/patches/Bug-739134-CVE-2017-17786-Out-of-bounds-read-heap-ov.patch gimp-2.8.20/debian/patches/Bug-739134-CVE-2017-17786-Out-of-bounds-read-heap-ov.patch
--- gimp-2.8.20/debian/patches/Bug-739134-CVE-2017-17786-Out-of-bounds-read-heap-ov.patch	1970-01-01 01:00:00.000000000 +0100
+++ gimp-2.8.20/debian/patches/Bug-739134-CVE-2017-17786-Out-of-bounds-read-heap-ov.patch	2017-12-26 22:11:46.000000000 +0100
@@ -0,0 +1,56 @@
+From: Jehan <je...@girinstud.io>
+Date: Wed, 20 Dec 2017 13:02:38 +0100
+Subject: Bug 739134 - (CVE-2017-17786) Out of bounds read / heap overflow
+ in...
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.gnome.org/browse/GIMP/commit/?id=ef9c821fff8b637a2178eab1c78cae6764c50e12
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17786
+Bug-Debian: https://bugs.debian.org/884862
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=739134
+
+... TGA importer.
+
+Be more thorough on valid TGA RGB and RGBA images.
+In particular current TGA plug-in can import RGBA as 32 bits (8 bits per
+channel) and 16 bits (5 bits per color channel and 1 bit for alpha), and
+RGB as 15 and 24 bits.
+Maybe there exist more variants, but if they do exist, we simply don't
+support them yet.
+
+Thanks to Hanno B??ck for the report and a first patch attempt.
+
+(cherry picked from commit 674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b)
+---
+ plug-ins/common/file-tga.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
+index aef98702d4..426acc2925 100644
+--- a/plug-ins/common/file-tga.c
++++ b/plug-ins/common/file-tga.c
+@@ -564,12 +564,16 @@ load_image (const gchar  *filename,
+           }
+         break;
+       case TGA_TYPE_COLOR:
+-        if (info.bpp != 15 && info.bpp != 16 &&
+-            info.bpp != 24 && info.bpp != 32)
++        if ((info.bpp != 15 && info.bpp != 16 &&
++             info.bpp != 24 && info.bpp != 32)      ||
++            ((info.bpp == 15 || info.bpp == 24) &&
++             info.alphaBits != 0)                   ||
++            (info.bpp == 16 && info.alphaBits != 1) ||
++            (info.bpp == 32 && info.alphaBits != 8))
+           {
+-            g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)",
++            g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
+                        gimp_filename_to_utf8 (filename),
+-                       info.imageType, info.bpp);
++                       info.imageType, info.bpp, info.alphaBits);
+             return -1;
+           }
+         break;
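Review bot: The new `(info.bpp == 16 && info.alphaBits != 1)` clause rejects 16-bit files whose header declares no alpha bit, which the old condition accepted. The series file applies the follow-up "TGA 16-bit RGB (without alpha bit) is also valid" patch directly after this one, so the two only behave as intended as a pair; say so in the patch header or fold them together so nobody picks this one alone. With four OR-ed clauses the condition is also getting hard to audit; a switch on info.bpp listing the allowed alphaBits per case would read better.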
+-- 
+2.15.1
+
diff -Nru gimp-2.8.20/debian/patches/Bug-790784-CVE-2017-17784-heap-overread-in-gbr-parse.patch gimp-2.8.20/debian/patches/Bug-790784-CVE-2017-17784-heap-overread-in-gbr-parse.patch
--- gimp-2.8.20/debian/patches/Bug-790784-CVE-2017-17784-heap-overread-in-gbr-parse.patch	1970-01-01 01:00:00.000000000 +0100
+++ gimp-2.8.20/debian/patches/Bug-790784-CVE-2017-17784-heap-overread-in-gbr-parse.patch	2017-12-26 22:11:46.000000000 +0100
@@ -0,0 +1,35 @@
+From: Jehan <je...@girinstud.io>
+Date: Thu, 21 Dec 2017 12:25:32 +0100
+Subject: Bug 790784 - (CVE-2017-17784) heap overread in gbr parser /
+ load_image.
+Origin: https://git.gnome.org/browse/GIMP/commit/?id=c57f9dcf1934a9ab0cd67650f2dea18cb0902270
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17784
+Bug-Debian: https://bugs.debian.org/884925
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=790784
+
+We were assuming the input name was well formed, hence was
+nul-terminated. As any data coming from external input, this has to be
+thorougly checked.
+Similar to commit 06d24a79af94837d615d0024916bb95a01bf3c59 but adapted
+to older gimp-2-8 code.
+---
+ plug-ins/common/file-gbr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
+index b028100bef..d3f01d9c56 100644
+--- a/plug-ins/common/file-gbr.c
++++ b/plug-ins/common/file-gbr.c
+@@ -443,7 +443,8 @@ load_image (const gchar  *filename,
+     {
+       gchar *temp = g_new (gchar, bn_size);
+ 
+-      if ((read (fd, temp, bn_size)) < bn_size)
++      if ((read (fd, temp, bn_size)) < bn_size ||
++          temp[bn_size - 1] != '\0')
+         {
+           g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+                        _("Error in GIMP brush file '%s'"),
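Review bot: `temp[bn_size - 1]` assumes bn_size is at least 1, and the guard that establishes this is not in the hunk; confirm that the enclosing condition excludes zero, otherwise this reads one byte before the allocation. Check the comparison `read (...) < bn_size` as well: read() returns -1 on error, and if bn_size has an unsigned type that -1 converts to a large value, the first test passes, and the new test then inspects uninitialised memory. Testing for `!= bn_size` avoids that.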
+-- 
+2.15.1
+
diff -Nru gimp-2.8.20/debian/patches/Bug-790849-CVE-2017-17789-CVE-2017-17789-Heap-buffer.patch gimp-2.8.20/debian/patches/Bug-790849-CVE-2017-17789-CVE-2017-17789-Heap-buffer.patch
--- gimp-2.8.20/debian/patches/Bug-790849-CVE-2017-17789-CVE-2017-17789-Heap-buffer.patch	1970-01-01 01:00:00.000000000 +0100
+++ gimp-2.8.20/debian/patches/Bug-790849-CVE-2017-17789-CVE-2017-17789-Heap-buffer.patch	2017-12-26 22:11:46.000000000 +0100
@@ -0,0 +1,41 @@
+From: Jehan <je...@girinstud.io>
+Date: Wed, 20 Dec 2017 16:44:20 +0100
+Subject: Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer overflow...
+Origin: https://git.gnome.org/browse/GIMP/commit/?id=01898f10f87a094665a7fdcf7153990f4e511d3f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17789
+Bug-Debian: https://bugs.debian.org/884837
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=790849
+
+... in PSP importer.
+Check if declared block length is valid (i.e. within the actual file)
+before going further.
+Consider the file as broken otherwise and fail loading it.
+
+(cherry picked from commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8)
+---
+ plug-ins/common/file-psp.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index ac0fff78f0..4cbafe37b1 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -1771,6 +1771,15 @@ load_image (const gchar  *filename,
+     {
+       block_start = ftell (f);
+ 
++      if (block_start + block_total_len > st.st_size)
++        {
++          g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++                       _("Could not open '%s' for reading: %s"),
++                       gimp_filename_to_utf8 (filename),
++                       _("invalid block size"));
++          goto error;
++        }
++
+       if (id == PSP_IMAGE_BLOCK)
+         {
+           if (block_number != 0)
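Review bot: The new `block_start + block_total_len > st.st_size` test performs the addition before comparing, so depending on the operand types (not shown in the hunk) a large declared length can wrap and slip under st.st_size; ftell() can also return -1. Writing it as `block_start < 0 || block_total_len > st.st_size - block_start` avoids both. The error text reuses "Could not open '%s' for reading", which is misleading here because the file is already open and being parsed.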
+-- 
+2.15.1
+
diff -Nru gimp-2.8.20/debian/patches/Bug-790853-CVE-2017-17787-heap-overread-in-psp-impor.patch gimp-2.8.20/debian/patches/Bug-790853-CVE-2017-17787-heap-overread-in-psp-impor.patch
--- gimp-2.8.20/debian/patches/Bug-790853-CVE-2017-17787-heap-overread-in-psp-impor.patch	1970-01-01 01:00:00.000000000 +0100
+++ gimp-2.8.20/debian/patches/Bug-790853-CVE-2017-17787-heap-overread-in-psp-impor.patch	2017-12-26 22:11:46.000000000 +0100
@@ -0,0 +1,36 @@
+From: Jehan <je...@girinstud.io>
+Date: Thu, 21 Dec 2017 12:49:41 +0100
+Subject: Bug 790853 - (CVE-2017-17787) heap overread in psp importer.
+Origin: https://git.gnome.org/browse/GIMP/commit/?id=87ba505fff85989af795f4ab6a047713f4d9381d
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17787
+Bug-Debian: https://bugs.debian.org/884927
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=790853
+
+As any external data, we have to check that strings being read at fixed
+length are properly nul-terminated.
+
+(cherry picked from commit eb2980683e6472aff35a3117587c4f814515c74d)
+---
+ plug-ins/common/file-psp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index 4cbafe37b1..e350e4d88d 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -890,6 +890,12 @@ read_creator_block (FILE     *f,
+               g_free (string);
+               return -1;
+             }
++          if (string[length - 1] != '\0')
++            {
++              g_message ("Creator keyword data not nul-terminated");
++              g_free (string);
++              return -1;
++            }
+           switch (keyword)
+             {
+             case PSP_CRTR_FLD_TITLE:
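Review bot: `string[length - 1]` in the added check is evaluated without a visible guarantee that length is non-zero; a keyword with a declared length of 0 would make this read the byte before the buffer. Reject `length == 0` ahead of it, or confirm that the code above the hunk already does. Including the keyword id in the g_message() text would also make broken files easier to diagnose.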
+-- 
+2.15.1
+
diff -Nru gimp-2.8.20/debian/patches/plug-ins-TGA-16-bit-RGB-without-alpha-bit-is-also-va.patch gimp-2.8.20/debian/patches/plug-ins-TGA-16-bit-RGB-without-alpha-bit-is-also-va.patch
--- gimp-2.8.20/debian/patches/plug-ins-TGA-16-bit-RGB-without-alpha-bit-is-also-va.patch	1970-01-01 01:00:00.000000000 +0100
+++ gimp-2.8.20/debian/patches/plug-ins-TGA-16-bit-RGB-without-alpha-bit-is-also-va.patch	2017-12-26 22:11:46.000000000 +0100
@@ -0,0 +1,32 @@
+From: Jehan <je...@girinstud.io>
+Date: Wed, 20 Dec 2017 13:26:26 +0100
+Subject: plug-ins: TGA 16-bit RGB (without alpha bit) is also valid.
+Origin: https://git.gnome.org/browse/GIMP/commit/?id=22e2571c25425f225abdb11a566cc281fca6f366
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=739134
+
+According to some spec on the web, 16-bit RGB is also valid. In this
+case, the last bit is simply ignored (at least that's how it is
+implemented right now).
+
+(cherry picked from commit 8ea316667c8a3296bce2832b3986b58d0fdfc077)
+---
+ plug-ins/common/file-tga.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
+index 426acc2925..eb14a1dadc 100644
+--- a/plug-ins/common/file-tga.c
++++ b/plug-ins/common/file-tga.c
+@@ -568,7 +568,8 @@ load_image (const gchar  *filename,
+              info.bpp != 24 && info.bpp != 32)      ||
+             ((info.bpp == 15 || info.bpp == 24) &&
+              info.alphaBits != 0)                   ||
+-            (info.bpp == 16 && info.alphaBits != 1) ||
++            (info.bpp == 16 && info.alphaBits != 1 &&
++             info.alphaBits != 0)                   ||
+             (info.bpp == 32 && info.alphaBits != 8))
+           {
+             g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
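Review bot: `info.alphaBits != 1 && info.alphaBits != 0` in the 16-bit clause can be written as `info.alphaBits > 1` (the field is printed with %u), which makes the accepted set easier to read. The commit message says the extra bit is "simply ignored (at least that's how it is implemented right now)"; since this hunk only touches the validation, a 16-bit sample with alphaBits = 0 should be loaded during testing to confirm the reader sizes its buffers for RGB in that case.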
+-- 
+2.15.1
+
diff -Nru gimp-2.8.20/debian/patches/series gimp-2.8.20/debian/patches/series
--- gimp-2.8.20/debian/patches/series	2016-07-14 22:56:16.000000000 +0200
+++ gimp-2.8.20/debian/patches/series	2017-12-26 22:11:46.000000000 +0100
@@ -2,3 +2,10 @@
 01_hurd_ftbfs.patch
 bump_Babl-GEGL_versions.patch
 fix_GEGL_FTBFS.patch
+Bug-739134-CVE-2017-17786-Out-of-bounds-read-heap-ov.patch
+plug-ins-TGA-16-bit-RGB-without-alpha-bit-is-also-va.patch
+Bug-790849-CVE-2017-17789-CVE-2017-17789-Heap-buffer.patch
+Bug-790784-CVE-2017-17784-heap-overread-in-gbr-parse.patch
+Bug-790853-CVE-2017-17787-heap-overread-in-psp-impor.patch
+Bug-739133-CVE-2017-17785-Heap-overflow-while-parsin.patch
+790783-buffer-overread-in-XCF-parser-if-version-fiel.patch
