From owner-freebsd-gnome@FreeBSD.ORG  Sun Jul  1 14:42:21 2012
Return-Path: <owner-freebsd-gnome@FreeBSD.ORG>
Delivered-To: gnome@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 5610B1065672
	for <gnome@freebsd.org>; Sun,  1 Jul 2012 14:42:21 +0000 (UTC)
	(envelope-from lists@eitanadler.com)
Received: from mail-ob0-f182.google.com (mail-ob0-f182.google.com
	[209.85.214.182])
	by mx1.freebsd.org (Postfix) with ESMTP id 157598FC14
	for <gnome@freebsd.org>; Sun,  1 Jul 2012 14:42:20 +0000 (UTC)
Received: by obbun3 with SMTP id un3so8723252obb.13
	for <gnome@freebsd.org>; Sun, 01 Jul 2012 07:42:20 -0700 (PDT)
Received: by 10.60.13.201 with SMTP id j9mr8673079oec.51.1341153740328; Sun,
	01 Jul 2012 07:42:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.125.70 with HTTP; Sun, 1 Jul 2012 07:41:50 -0700 (PDT)
In-Reply-To: <20120701024401.ED97214DBD8@smtp.hushmail.com>
References: <20120701024401.ED97214DBD8@smtp.hushmail.com>
From: Eitan Adler <lists@eitanadler.com>
Date: Sun, 1 Jul 2012 07:41:50 -0700
Message-ID: <CAF6rxg=m+ZcqVnSZefXcgGWqrp4D161V-682aBJ+P8aLCDOFWQ@mail.gmail.com>
To: gnome@freebsd.org
Content-Type: text/plain; charset=UTF-8
Cc: ports-security@freebsd.org
Subject: Fwd: [oss-security] Re: ScriptFu Server Buffer Overflow in GIMP <=
	2.6
X-BeenThere: freebsd-gnome@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: GNOME for FreeBSD -- porting and maintaining
	<freebsd-gnome.freebsd.org>
X-List-Received-Date: Sun, 01 Jul 2012 14:42:21 -0000

A vulnerability has been found in a port you maintain. If you haven't
yet done so, please update the port and write up a VuXML report. If you
need help, feel free to email ports-security@freebsd.org.


---------- Forwarded message ----------
From:  <mancha@mac.hush.com>
Date: 30 June 2012 19:44
Subject: [oss-security] Re: ScriptFu Server Buffer Overflow in GIMP <= 2.6
To: oss-security@lists.openwall.com


Below find a patch for the 2.6.x branch of GIMP to address a potential
buffer overflow in the script-fu server (CVE-2012-2763) reported on this list
by J. Sheridan (http://www.openwall.com/lists/oss-security/2012/05/31/1)

 --mancha

======================

Fix for CVE-2012-2763 for GIMP 2.6.x by mancha. Based on commit
76155d79df8d497. Thanks to muks, Kevin, and Ankh for identifying the
relevant code change.

Ref: Fixed potential buffer overflow in readstr_upto().

----------

--- a/plug-ins/script-fu/tinyscheme/scheme.c            2012-06-30
+++ b/plug-ins/script-fu/tinyscheme/scheme.c            2012-06-30
@@ -1727,7 +1727,8 @@ static char *readstr_upto(scheme *sc, ch
     c = inchar(sc);
     len = g_unichar_to_utf8(c, p);
     p += len;
-  } while (c && !is_one_of(delim, c));
+  } while ((p - sc->strbuff < sizeof(sc->strbuff)) &&
+          (c && !is_one_of(delim, c)));

   if(p==sc->strbuff+2 && c_prev=='\\')
     *p = '\0';
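
Review bot: The new bound in the `while` condition is evaluated only after `g_unichar_to_utf8(c, p)` has written and `p += len` has advanced, and it leaves no margin for a multi-byte character. The loop continues whenever `p - sc->strbuff` is still below `sizeof(sc->strbuff)`, so with `p` at the last byte of the buffer the next iteration can still write a full UTF-8 sequence (g_unichar_to_utf8 needs up to 6 bytes of room) past the end, and a terminator stored at `p` after the loop has no reserved slot either. I would compare against `sizeof(sc->strbuff)` minus the maximum encoded length and one byte for the NUL, or encode into a small temporary and copy only if it fits. Two smaller points: the check relies on `strbuff` being an array member rather than a pointer, which deserves a comment, and when the loop exits on the size limit the token is cut short silently, so the rest of the over-long token stays in the input stream. Reporting an error in that case would be safer than continuing with a truncated token.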



-- 
Eitan Adler