gimp: patch CVE-2022-32990

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-32990 Pick the patches that resolved the issue mentioned in the nvd report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2025-11-06 20:25:35 +0100
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-11-07 11:37:29 +0100
commit: b0d98aae8c41f43684b0d2afb7ee9a02ad4bd9c7 (patch)
tree: 9a645f6891b080caacbcf4d726bad3e7270d17ad
parent: 62db80942fd5624ca3546f9824109a2c73847327 (diff)
download: meta-openembedded-b0d98aae8c41f43684b0d2afb7ee9a02ad4bd9c7.tar.gz
4 files changed, 313 insertions, 0 deletions
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2022-32990-1.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2022-32990-1.patch
new file mode 100644
index 0000000000..a3af142c5a
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2022-32990-1.patch
@@ -0,0 +1,97 @@
+From 74426d562c0a36287d6ef86bf9caf29022edf0a3 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema <jgboerema@gmail.com>
+Date: Sun, 5 Jun 2022 16:48:10 -0400
+Subject: [PATCH] app: check max dimensions when loading xcf files
+Improvements in loading broken xcf files, based on examining issue #8230.
+Besides checking for a minimum width and height, GIMP also has a maximum
+size we can and should check.
+In the case of the image itself, we change invalid dimensions to a size of
+1 in hope that the individual layers etc will have the correct size.
+For layer, we will also try to go on, but for channel and layer mask, we
+will give up.
+(cherry picked from commit 24c962b95e5c740dff7a87a1f0ccdbf6c0a8c21e)
+CVE: CVE-2022-32990
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/e7d4b580e514029f28dc9bd59c66187e166db47c]
+Signed-off-by: Gyorgy Sarvari
+---
+ app/xcf/xcf-load.c | 36 +++++++++++++++++++++++++++++-------
+ 1 file changed, 29 insertions(+), 7 deletions(-)
+diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
+index a178e40..a01cf41 100644
+--- a/app/xcf/xcf-load.c
+++ b/app/xcf/xcf-load.c
+@@ -183,10 +183,19 @@ xcf_load_image (Gimp     *gimp,
+   xcf_read_int32 (info, (guint32 *) &width, 1);
+   xcf_read_int32 (info, (guint32 *) &height, 1);
+   xcf_read_int32 (info, (guint32 *) &image_type, 1);
+-  if (image_type < GIMP_RGB || image_type > GIMP_INDEXED ||
+-      width <= 0 || height <= 0)
+  if (image_type < GIMP_RGB || image_type > GIMP_INDEXED)
+     goto hard_error;
+ 
+  /* Be lenient with corrupt image dimensions.
+   * Hopefully layer dimensions will be valid. */
+  if (width <= 0 || height <= 0 ||
+      width > GIMP_MAX_IMAGE_SIZE || height > GIMP_MAX_IMAGE_SIZE)
+    {
+      GIMP_LOG (XCF, "Invalid image size %d x %d, setting to 1x1.", width, height);
+      width  = 1;
+      height = 1;
+    }
+
+   if (info->file_version >= 4)
+     {
+       gint p;
+@@ -1923,7 +1932,8 @@ xcf_load_layer (XcfInfo    *info,
+       return NULL;
+     }
+ 
+-  if (width <= 0 || height <= 0)
+  if (width <= 0 || height <= 0 ||
+      width > GIMP_MAX_IMAGE_SIZE || height > GIMP_MAX_IMAGE_SIZE)
+     {
+       gboolean is_group_layer = FALSE;
+       gboolean is_text_layer  = FALSE;
+@@ -2085,10 +2095,16 @@ xcf_load_channel (XcfInfo   *info,
+   /* read in the layer width, height and name */
+   xcf_read_int32 (info, (guint32 *) &width,  1);
+   xcf_read_int32 (info, (guint32 *) &height, 1);
+-  if (width <= 0 || height <= 0)
+-    return NULL;
+  if (width <= 0 || height <= 0 ||
+      width > GIMP_MAX_IMAGE_SIZE || height > GIMP_MAX_IMAGE_SIZE)
+    {
+      GIMP_LOG (XCF, "Invalid channel size %d x %d.", width, height);
+      return NULL;
+    }
+ 
+   xcf_read_string (info, &name, 1);
+  GIMP_LOG (XCF, "Channel width=%d, height=%d, name='%s'",
+            width, height, name);
+ 
+   /* create a new channel */
+   channel = gimp_channel_new (image, width, height, name, &color);
+@@ -2157,10 +2173,16 @@ xcf_load_layer_mask (XcfInfo   *info,
+   /* read in the layer width, height and name */
+   xcf_read_int32 (info, (guint32 *) &width,  1);
+   xcf_read_int32 (info, (guint32 *) &height, 1);
+-  if (width <= 0 || height <= 0)
+-    return NULL;
+  if (width <= 0 || height <= 0 ||
+      width > GIMP_MAX_IMAGE_SIZE || height > GIMP_MAX_IMAGE_SIZE)
+    {
+      GIMP_LOG (XCF, "Invalid layer mask size %d x %d.", width, height);
+      return NULL;
+    }
+ 
+   xcf_read_string (info, &name, 1);
+  GIMP_LOG (XCF, "Layer mask width=%d, height=%d, name='%s'",
+            width, height, name);
+ 
+   /* create a new layer mask */
+   layer_mask = gimp_layer_mask_new (image, width, height, name, &color);
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2022-32990-2.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2022-32990-2.patch
new file mode 100644
index 0000000000..ed206eaebd
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2022-32990-2.patch
@@ -0,0 +1,178 @@
+From d31b4f5cd36c1d111d3f6653b0af2d45e6a3e453 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema <jgboerema@gmail.com>
+Date: Sun, 5 Jun 2022 18:44:45 -0400
+Subject: [PATCH] app: check for invalid offsets when loading XCF files
+More safety checks for detecting broken xcf files, also based on examining
+issue #8230.
+After reading an offset where layer, channel, etc. data is stored, we
+add a check to make sure that offset is not before where we read the
+offset value. Because the data is always written after the offset that
+points to it.
+(cherry picked from commit a842869247eb2cae2b40476b5d93f88d8b01aa27)
+CVE: CVE-2022-32990
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/744959433647bdefcdf00b3f0d575f6812cd0d6d]
+Signed-off-by: Gyorgy Sarvari
+---
+ app/xcf/xcf-load.c | 55 ++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 53 insertions(+), 2 deletions(-)
+diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
+index a01cf41..48f4fb1 100644
+--- a/app/xcf/xcf-load.c
+++ b/app/xcf/xcf-load.c
+@@ -485,6 +485,13 @@ xcf_load_image (Gimp     *gimp,
+        */
+       saved_pos = info->cp;
+ 
+      if (offset < saved_pos)
+        {
+          GIMP_LOG (XCF, "Invalid layer offset: %" G_GOFFSET_FORMAT
+                    " at offset: %" G_GOFFSET_FORMAT, offset, saved_pos);
+          goto error;
+        }
+
+       /* seek to the layer offset */
+       if (! xcf_seek_pos (info, offset, NULL))
+         goto error;
+@@ -625,6 +632,13 @@ xcf_load_image (Gimp     *gimp,
+        */
+       saved_pos = info->cp;
+ 
+      if (offset < saved_pos)
+        {
+          GIMP_LOG (XCF, "Invalid channel offset: %" G_GOFFSET_FORMAT
+                    " at offset: % "G_GOFFSET_FORMAT, offset, saved_pos);
+          goto error;
+        }
+
+       /* seek to the channel offset */
+       if (! xcf_seek_pos (info, offset, NULL))
+         goto error;
+@@ -634,6 +648,7 @@ xcf_load_image (Gimp     *gimp,
+       if (!channel)
+         {
+           n_broken_channels++;
+          GIMP_LOG (XCF, "Failed to load channel.");
+ 
+           if (! xcf_seek_pos (info, saved_pos, NULL))
+             goto error;
+@@ -1881,6 +1896,7 @@ xcf_load_layer (XcfInfo    *info,
+   const Babl        *format;
+   gboolean           is_fs_drawable;
+   gchar             *name;
+  goffset            cur_offset;
+ 
+   /* check and see if this is the drawable the floating selection
+    *  is attached to. if it is then we'll do the attachment in our caller.
+@@ -1998,6 +2014,7 @@ xcf_load_layer (XcfInfo    *info,
+     }
+ 
+   /* read the hierarchy and layer mask offsets */
+  cur_offset = info->cp;
+   xcf_read_offset (info, &hierarchy_offset,  1);
+   xcf_read_offset (info, &layer_mask_offset, 1);
+ 
+@@ -2007,6 +2024,11 @@ xcf_load_layer (XcfInfo    *info,
+    */
+   if (! gimp_viewable_get_children (GIMP_VIEWABLE (layer)))
+     {
+      if (hierarchy_offset < cur_offset)
+        {
+          GIMP_LOG (XCF, "Invalid layer hierarchy offset!");
+          goto error;
+        }
+       if (! xcf_seek_pos (info, hierarchy_offset, NULL))
+         goto error;
+ 
+@@ -2030,6 +2052,11 @@ xcf_load_layer (XcfInfo    *info,
+   /* read in the layer mask */
+   if (layer_mask_offset != 0)
+     {
+      if (layer_mask_offset < cur_offset)
+        {
+          GIMP_LOG (XCF, "Invalid layer mask offset!");
+          goto error;
+        }
+       if (! xcf_seek_pos (info, layer_mask_offset, NULL))
+         goto error;
+ 
+@@ -2086,6 +2113,7 @@ xcf_load_channel (XcfInfo   *info,
+   gboolean     is_fs_drawable;
+   gchar       *name;
+   GimpRGB      color = { 0.0, 0.0, 0.0, GIMP_OPACITY_OPAQUE };
+  goffset      cur_offset;
+ 
+   /* check and see if this is the drawable the floating selection
+    *  is attached to. if it is then we'll do the attachment in our caller.
+@@ -2118,9 +2146,16 @@ xcf_load_channel (XcfInfo   *info,
+ 
+   xcf_progress_update (info);
+ 
+-  /* read the hierarchy and layer mask offsets */
+  /* read the hierarchy offset */
+  cur_offset = info->cp;
+   xcf_read_offset (info, &hierarchy_offset, 1);
+ 
+  if (hierarchy_offset < cur_offset)
+    {
+      GIMP_LOG (XCF, "Invalid hierarchy offset!");
+      goto error;
+    }
+
+   /* read in the hierarchy */
+   if (! xcf_seek_pos (info, hierarchy_offset, NULL))
+     goto error;
+@@ -2164,6 +2199,7 @@ xcf_load_layer_mask (XcfInfo   *info,
+   gboolean       is_fs_drawable;
+   gchar         *name;
+   GimpRGB        color = { 0.0, 0.0, 0.0, GIMP_OPACITY_OPAQUE };
+  goffset        cur_offset;
+ 
+   /* check and see if this is the drawable the floating selection
+    *  is attached to. if it is then we'll do the attachment in our caller.
+@@ -2197,9 +2233,16 @@ xcf_load_layer_mask (XcfInfo   *info,
+ 
+   xcf_progress_update (info);
+ 
+-  /* read the hierarchy and layer mask offsets */
+  /* read the hierarchy offset */
+  cur_offset = info->cp;
+   xcf_read_offset (info, &hierarchy_offset, 1);
+ 
+  if (hierarchy_offset < cur_offset)
+    {
+      GIMP_LOG (XCF, "Invalid hierarchy offset!");
+      goto error;
+    }
+
+   /* read in the hierarchy */
+   if (! xcf_seek_pos (info, hierarchy_offset, NULL))
+     goto error;
+@@ -2237,6 +2280,7 @@ xcf_load_buffer (XcfInfo    *info,
+   gint        width;
+   gint        height;
+   gint        bpp;
+  goffset     cur_offset;
+ 
+   format = gegl_buffer_get_format (buffer);
+ 
+@@ -2252,8 +2296,15 @@ xcf_load_buffer (XcfInfo    *info,
+       bpp    != babl_format_get_bytes_per_pixel (format))
+     return FALSE;
+ 
+  cur_offset = info->cp;
+   xcf_read_offset (info, &offset, 1); /* top level */
+ 
+  if (offset < cur_offset)
+    {
+      GIMP_LOG (XCF, "Invalid buffer offset!");
+      return FALSE;
+    }
+
+   /* seek to the level offset */
+   if (! xcf_seek_pos (info, offset, NULL))
+     return FALSE;
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2022-32990-3.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2022-32990-3.patch
new file mode 100644
index 0000000000..01f7c7fc20
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2022-32990-3.patch
@@ -0,0 +1,35 @@
+From 81860b9a56d83f429824aa0073c2152b49f9d332 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema <jgboerema@gmail.com>
+Date: Sun, 5 Jun 2022 15:38:24 -0400
+Subject: [PATCH] app: fix #8230 crash in gimp_layer_invalidate_boundary when
+ channel is NULL
+gimp_channel_is_empty returns FALSE if channel is NULL. This causes
+gimp_layer_invalidate_boundary to crash if the mask channel is NULL.
+With a NULL channel gimp_channel_is_empty should return TRUE, just like
+the similar gimp_image_is_empty does, because returning FALSE here
+suggests we have a non empty channel.
+(cherry picked from commit 22af0bcfe67c1c86381f33975ca7fdbde6b36b39)
+CVE: CVE-2022-32990
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/744959433647bdefcdf00b3f0d575f6812cd0d6d]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ app/core/gimpchannel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/app/core/gimpchannel.c b/app/core/gimpchannel.c
+index a9b7546..784551a 100644
+--- a/app/core/gimpchannel.c
+++ b/app/core/gimpchannel.c
+@@ -1824,7 +1824,7 @@ gimp_channel_boundary (GimpChannel         *channel,
+ gboolean
+ gimp_channel_is_empty (GimpChannel *channel)
+ {
+-  g_return_val_if_fail (GIMP_IS_CHANNEL (channel), FALSE);
+  g_return_val_if_fail (GIMP_IS_CHANNEL (channel), TRUE);
+ 
+   return GIMP_CHANNEL_GET_CLASS (channel)->is_empty (channel);
+ }
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.30.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.30.bb
index 3f3e56f6ec..ad9d34ef6d 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.30.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.30.bb
@@ -45,6 +45,9 @@ SHPV = "${@gnome_verdir("${PV}")}"
 SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
           file://CVE-2022-30067.patch \
+           file://CVE-2022-32990-1.patch \
+           file://CVE-2022-32990-2.patch \
+           file://CVE-2022-32990-3.patch \
           "
 SRC_URI[sha256sum] = "88815daa76ed7d4277eeb353358bafa116cd2fcd2c861d95b95135c1d52b67dc"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2025-11-06 20:25:35 +0100
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-11-07 11:37:29 +0100
commit	b0d98aae8c41f43684b0d2afb7ee9a02ad4bd9c7 (patch)
tree	9a645f6891b080caacbcf4d726bad3e7270d17ad
parent	62db80942fd5624ca3546f9824109a2c73847327 (diff)
download	meta-openembedded-b0d98aae8c41f43684b0d2afb7ee9a02ad4bd9c7.tar.gz

diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2022-32990-1.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2022-32990-1.patch new file mode 100644 index 0000000000..a3af142c5a --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2022-32990-1.patch
@@ -0,0 +1,97 @@
		1	From 74426d562c0a36287d6ef86bf9caf29022edf0a3 Mon Sep 17 00:00:00 2001
		2	From: Jacob Boerema <jgboerema@gmail.com>
		3	Date: Sun, 5 Jun 2022 16:48:10 -0400
		4	Subject: [PATCH] app: check max dimensions when loading xcf files
		5
		6	Improvements in loading broken xcf files, based on examining issue #8230.
		7	Besides checking for a minimum width and height, GIMP also has a maximum
		8	size we can and should check.
		9
		10	In the case of the image itself, we change invalid dimensions to a size of
		11	1 in hope that the individual layers etc will have the correct size.
		12	For layer, we will also try to go on, but for channel and layer mask, we
		13	will give up.
		14
		15	(cherry picked from commit 24c962b95e5c740dff7a87a1f0ccdbf6c0a8c21e)
		16
		17	CVE: CVE-2022-32990
		18	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/e7d4b580e514029f28dc9bd59c66187e166db47c]
		19	Signed-off-by: Gyorgy Sarvari
		20	---
		21	app/xcf/xcf-load.c \| 36 +++++++++++++++++++++++++++++-------
		22	1 file changed, 29 insertions(+), 7 deletions(-)
		23
		24	diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
		25	index a178e40..a01cf41 100644
		26	--- a/app/xcf/xcf-load.c
		27	+++ b/app/xcf/xcf-load.c
		28	@@ -183,10 +183,19 @@ xcf_load_image (Gimp *gimp,
		29	xcf_read_int32 (info, (guint32 *) &width, 1);
		30	xcf_read_int32 (info, (guint32 *) &height, 1);
		31	xcf_read_int32 (info, (guint32 *) &image_type, 1);
		32	- if (image_type < GIMP_RGB \|\| image_type > GIMP_INDEXED \|\|
		33	- width <= 0 \|\| height <= 0)
		34	+ if (image_type < GIMP_RGB \|\| image_type > GIMP_INDEXED)
		35	goto hard_error;
		36
		37	+ /* Be lenient with corrupt image dimensions.
		38	+ * Hopefully layer dimensions will be valid. */
		39	+ if (width <= 0 \|\| height <= 0 \|\|
		40	+ width > GIMP_MAX_IMAGE_SIZE \|\| height > GIMP_MAX_IMAGE_SIZE)
		41	+ {
		42	+ GIMP_LOG (XCF, "Invalid image size %d x %d, setting to 1x1.", width, height);
		43	+ width = 1;
		44	+ height = 1;
		45	+ }
		46	+
		47	if (info->file_version >= 4)
		48	{
		49	gint p;
		50	@@ -1923,7 +1932,8 @@ xcf_load_layer (XcfInfo *info,
		51	return NULL;
		52	}
		53
		54	- if (width <= 0 \|\| height <= 0)
		55	+ if (width <= 0 \|\| height <= 0 \|\|
		56	+ width > GIMP_MAX_IMAGE_SIZE \|\| height > GIMP_MAX_IMAGE_SIZE)
		57	{
		58	gboolean is_group_layer = FALSE;
		59	gboolean is_text_layer = FALSE;
		60	@@ -2085,10 +2095,16 @@ xcf_load_channel (XcfInfo *info,
		61	/* read in the layer width, height and name */
		62	xcf_read_int32 (info, (guint32 *) &width, 1);
		63	xcf_read_int32 (info, (guint32 *) &height, 1);
		64	- if (width <= 0 \|\| height <= 0)
		65	- return NULL;
		66	+ if (width <= 0 \|\| height <= 0 \|\|
		67	+ width > GIMP_MAX_IMAGE_SIZE \|\| height > GIMP_MAX_IMAGE_SIZE)
		68	+ {
		69	+ GIMP_LOG (XCF, "Invalid channel size %d x %d.", width, height);
		70	+ return NULL;
		71	+ }
		72
		73	xcf_read_string (info, &name, 1);
		74	+ GIMP_LOG (XCF, "Channel width=%d, height=%d, name='%s'",
		75	+ width, height, name);
		76
		77	/* create a new channel */
		78	channel = gimp_channel_new (image, width, height, name, &color);
		79	@@ -2157,10 +2173,16 @@ xcf_load_layer_mask (XcfInfo *info,
		80	/* read in the layer width, height and name */
		81	xcf_read_int32 (info, (guint32 *) &width, 1);
		82	xcf_read_int32 (info, (guint32 *) &height, 1);
		83	- if (width <= 0 \|\| height <= 0)
		84	- return NULL;
		85	+ if (width <= 0 \|\| height <= 0 \|\|
		86	+ width > GIMP_MAX_IMAGE_SIZE \|\| height > GIMP_MAX_IMAGE_SIZE)
		87	+ {
		88	+ GIMP_LOG (XCF, "Invalid layer mask size %d x %d.", width, height);
		89	+ return NULL;
		90	+ }
		91
		92	xcf_read_string (info, &name, 1);
		93	+ GIMP_LOG (XCF, "Layer mask width=%d, height=%d, name='%s'",
		94	+ width, height, name);
		95
		96	/* create a new layer mask */
		97	layer_mask = gimp_layer_mask_new (image, width, height, name, &color);


diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2022-32990-2.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2022-32990-2.patch new file mode 100644 index 0000000000..ed206eaebd --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2022-32990-2.patch
@@ -0,0 +1,178 @@
		1	From d31b4f5cd36c1d111d3f6653b0af2d45e6a3e453 Mon Sep 17 00:00:00 2001
		2	From: Jacob Boerema <jgboerema@gmail.com>
		3	Date: Sun, 5 Jun 2022 18:44:45 -0400
		4	Subject: [PATCH] app: check for invalid offsets when loading XCF files
		5
		6	More safety checks for detecting broken xcf files, also based on examining
		7	issue #8230.
		8
		9	After reading an offset where layer, channel, etc. data is stored, we
		10	add a check to make sure that offset is not before where we read the
		11	offset value. Because the data is always written after the offset that
		12	points to it.
		13
		14	(cherry picked from commit a842869247eb2cae2b40476b5d93f88d8b01aa27)
		15
		16	CVE: CVE-2022-32990
		17	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/744959433647bdefcdf00b3f0d575f6812cd0d6d]
		18	Signed-off-by: Gyorgy Sarvari
		19	---
		20	app/xcf/xcf-load.c \| 55 ++++++++++++++++++++++++++++++++++++++++++++--
		21	1 file changed, 53 insertions(+), 2 deletions(-)
		22
		23	diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
		24	index a01cf41..48f4fb1 100644
		25	--- a/app/xcf/xcf-load.c
		26	+++ b/app/xcf/xcf-load.c
		27	@@ -485,6 +485,13 @@ xcf_load_image (Gimp *gimp,
		28	*/
		29	saved_pos = info->cp;
		30
		31	+ if (offset < saved_pos)
		32	+ {
		33	+ GIMP_LOG (XCF, "Invalid layer offset: %" G_GOFFSET_FORMAT
		34	+ " at offset: %" G_GOFFSET_FORMAT, offset, saved_pos);
		35	+ goto error;
		36	+ }
		37	+
		38	/* seek to the layer offset */
		39	if (! xcf_seek_pos (info, offset, NULL))
		40	goto error;
		41	@@ -625,6 +632,13 @@ xcf_load_image (Gimp *gimp,
		42	*/
		43	saved_pos = info->cp;
		44
		45	+ if (offset < saved_pos)
		46	+ {
		47	+ GIMP_LOG (XCF, "Invalid channel offset: %" G_GOFFSET_FORMAT
		48	+ " at offset: % "G_GOFFSET_FORMAT, offset, saved_pos);
		49	+ goto error;
		50	+ }
		51	+
		52	/* seek to the channel offset */
		53	if (! xcf_seek_pos (info, offset, NULL))
		54	goto error;
		55	@@ -634,6 +648,7 @@ xcf_load_image (Gimp *gimp,
		56	if (!channel)
		57	{
		58	n_broken_channels++;
		59	+ GIMP_LOG (XCF, "Failed to load channel.");
		60
		61	if (! xcf_seek_pos (info, saved_pos, NULL))
		62	goto error;
		63	@@ -1881,6 +1896,7 @@ xcf_load_layer (XcfInfo *info,
		64	const Babl *format;
		65	gboolean is_fs_drawable;
		66	gchar *name;
		67	+ goffset cur_offset;
		68
		69	/* check and see if this is the drawable the floating selection
		70	* is attached to. if it is then we'll do the attachment in our caller.
		71	@@ -1998,6 +2014,7 @@ xcf_load_layer (XcfInfo *info,
		72	}
		73
		74	/* read the hierarchy and layer mask offsets */
		75	+ cur_offset = info->cp;
		76	xcf_read_offset (info, &hierarchy_offset, 1);
		77	xcf_read_offset (info, &layer_mask_offset, 1);
		78
		79	@@ -2007,6 +2024,11 @@ xcf_load_layer (XcfInfo *info,
		80	*/
		81	if (! gimp_viewable_get_children (GIMP_VIEWABLE (layer)))
		82	{
		83	+ if (hierarchy_offset < cur_offset)
		84	+ {
		85	+ GIMP_LOG (XCF, "Invalid layer hierarchy offset!");
		86	+ goto error;
		87	+ }
		88	if (! xcf_seek_pos (info, hierarchy_offset, NULL))
		89	goto error;
		90
		91	@@ -2030,6 +2052,11 @@ xcf_load_layer (XcfInfo *info,
		92	/* read in the layer mask */
		93	if (layer_mask_offset != 0)
		94	{
		95	+ if (layer_mask_offset < cur_offset)
		96	+ {
		97	+ GIMP_LOG (XCF, "Invalid layer mask offset!");
		98	+ goto error;
		99	+ }
		100	if (! xcf_seek_pos (info, layer_mask_offset, NULL))
		101	goto error;
		102
		103	@@ -2086,6 +2113,7 @@ xcf_load_channel (XcfInfo *info,
		104	gboolean is_fs_drawable;
		105	gchar *name;
		106	GimpRGB color = { 0.0, 0.0, 0.0, GIMP_OPACITY_OPAQUE };
		107	+ goffset cur_offset;
		108
		109	/* check and see if this is the drawable the floating selection
		110	* is attached to. if it is then we'll do the attachment in our caller.
		111	@@ -2118,9 +2146,16 @@ xcf_load_channel (XcfInfo *info,
		112
		113	xcf_progress_update (info);
		114
		115	- /* read the hierarchy and layer mask offsets */
		116	+ /* read the hierarchy offset */
		117	+ cur_offset = info->cp;
		118	xcf_read_offset (info, &hierarchy_offset, 1);
		119
		120	+ if (hierarchy_offset < cur_offset)
		121	+ {
		122	+ GIMP_LOG (XCF, "Invalid hierarchy offset!");
		123	+ goto error;
		124	+ }
		125	+
		126	/* read in the hierarchy */
		127	if (! xcf_seek_pos (info, hierarchy_offset, NULL))
		128	goto error;
		129	@@ -2164,6 +2199,7 @@ xcf_load_layer_mask (XcfInfo *info,
		130	gboolean is_fs_drawable;
		131	gchar *name;
		132	GimpRGB color = { 0.0, 0.0, 0.0, GIMP_OPACITY_OPAQUE };
		133	+ goffset cur_offset;
		134
		135	/* check and see if this is the drawable the floating selection
		136	* is attached to. if it is then we'll do the attachment in our caller.
		137	@@ -2197,9 +2233,16 @@ xcf_load_layer_mask (XcfInfo *info,
		138
		139	xcf_progress_update (info);
		140
		141	- /* read the hierarchy and layer mask offsets */
		142	+ /* read the hierarchy offset */
		143	+ cur_offset = info->cp;
		144	xcf_read_offset (info, &hierarchy_offset, 1);
		145
		146	+ if (hierarchy_offset < cur_offset)
		147	+ {
		148	+ GIMP_LOG (XCF, "Invalid hierarchy offset!");
		149	+ goto error;
		150	+ }
		151	+
		152	/* read in the hierarchy */
		153	if (! xcf_seek_pos (info, hierarchy_offset, NULL))
		154	goto error;
		155	@@ -2237,6 +2280,7 @@ xcf_load_buffer (XcfInfo *info,
		156	gint width;
		157	gint height;
		158	gint bpp;
		159	+ goffset cur_offset;
		160
		161	format = gegl_buffer_get_format (buffer);
		162
		163	@@ -2252,8 +2296,15 @@ xcf_load_buffer (XcfInfo *info,
		164	bpp != babl_format_get_bytes_per_pixel (format))
		165	return FALSE;
		166
		167	+ cur_offset = info->cp;
		168	xcf_read_offset (info, &offset, 1); /* top level */
		169
		170	+ if (offset < cur_offset)
		171	+ {
		172	+ GIMP_LOG (XCF, "Invalid buffer offset!");
		173	+ return FALSE;
		174	+ }
		175	+
		176	/* seek to the level offset */
		177	if (! xcf_seek_pos (info, offset, NULL))
		178	return FALSE;


diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2022-32990-3.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2022-32990-3.patch new file mode 100644 index 0000000000..01f7c7fc20 --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2022-32990-3.patch
@@ -0,0 +1,35 @@
		1	From 81860b9a56d83f429824aa0073c2152b49f9d332 Mon Sep 17 00:00:00 2001
		2	From: Jacob Boerema <jgboerema@gmail.com>
		3	Date: Sun, 5 Jun 2022 15:38:24 -0400
		4	Subject: [PATCH] app: fix #8230 crash in gimp_layer_invalidate_boundary when
		5	channel is NULL
		6
		7	gimp_channel_is_empty returns FALSE if channel is NULL. This causes
		8	gimp_layer_invalidate_boundary to crash if the mask channel is NULL.
		9
		10	With a NULL channel gimp_channel_is_empty should return TRUE, just like
		11	the similar gimp_image_is_empty does, because returning FALSE here
		12	suggests we have a non empty channel.
		13
		14	(cherry picked from commit 22af0bcfe67c1c86381f33975ca7fdbde6b36b39)
		15
		16	CVE: CVE-2022-32990
		17	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/744959433647bdefcdf00b3f0d575f6812cd0d6d]
		18	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		19	---
		20	app/core/gimpchannel.c \| 2 +-
		21	1 file changed, 1 insertion(+), 1 deletion(-)
		22
		23	diff --git a/app/core/gimpchannel.c b/app/core/gimpchannel.c
		24	index a9b7546..784551a 100644
		25	--- a/app/core/gimpchannel.c
		26	+++ b/app/core/gimpchannel.c
		27	@@ -1824,7 +1824,7 @@ gimp_channel_boundary (GimpChannel *channel,
		28	gboolean
		29	gimp_channel_is_empty (GimpChannel *channel)
		30	{
		31	- g_return_val_if_fail (GIMP_IS_CHANNEL (channel), FALSE);
		32	+ g_return_val_if_fail (GIMP_IS_CHANNEL (channel), TRUE);
		33
		34	return GIMP_CHANNEL_GET_CLASS (channel)->is_empty (channel);
		35	}


diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.30.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.30.bb index 3f3e56f6ec..ad9d34ef6d 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.30.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.30.bb
@@ -45,6 +45,9 @@ SHPV = "${@gnome_verdir("${PV}")}"
45		45
46	SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \	46	SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
47	file://CVE-2022-30067.patch \	47	file://CVE-2022-30067.patch \
		48	file://CVE-2022-32990-1.patch \
		49	file://CVE-2022-32990-2.patch \
		50	file://CVE-2022-32990-3.patch \
48	"	51	"
49	SRC_URI[sha256sum] = "88815daa76ed7d4277eeb353358bafa116cd2fcd2c861d95b95135c1d52b67dc"	52	SRC_URI[sha256sum] = "88815daa76ed7d4277eeb353358bafa116cd2fcd2c861d95b95135c1d52b67dc"
50		53