diff options
| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2026-03-05 12:07:07 +0100 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-03-24 08:47:04 +0530 |
| commit | 50d7ec475b2f088baa568b88c0504048a0b557fd (patch) | |
| tree | ce6ec5fdf244dbe14decadaa99bc029693340327 /meta-gnome | |
| parent | 42d1f2f68181645a8cb9ef896d9c3fc29687c38f (diff) | |
| download | meta-openembedded-50d7ec475b2f088baa568b88c0504048a0b557fd.tar.gz | |
gimp: patch CVE-2025-2760
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2760
Use the fixes from Debian.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-gnome')
| -rw-r--r-- | meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-1.patch | 38 | ||||
| -rw-r--r-- | meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-2.patch | 84 | ||||
| -rw-r--r-- | meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | 2 |
3 files changed, 124 insertions, 0 deletions
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-1.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-1.patch new file mode 100644 index 0000000000..d5871958b4 --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-1.patch | |||
| @@ -0,0 +1,38 @@ | |||
| 1 | From e4e21387f773598915a2399b348d019fd9c26ad6 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 3 | Date: Thu, 5 Mar 2026 09:06:34 +0100 | ||
| 4 | Subject: [PATCH] CVE-2025-2760 | ||
| 5 | |||
| 6 | https://gitlab.gnome.org/GNOME/gimp/-/issues/12790#note_2328950 | ||
| 7 | |||
| 8 | Gimp stopped supporting 2.10.x series (in favor of 3.x), and they do not | ||
| 9 | plan to fix this in the old version. This patch is taken from Debian, | ||
| 10 | and is a backport of the fix from 3.x series. | ||
| 11 | |||
| 12 | CVE: CVE-2025-2760 | ||
| 13 | Upstream-Status: Inappropriate [unsupported version. Debian ref: https://sources.debian.org/patches/gimp/2.10.34-1+deb12u8/CVE-2025-2760.patch/] | ||
| 14 | |||
| 15 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 16 | --- | ||
| 17 | plug-ins/file-dds/ddsread.c | 8 ++++++++ | ||
| 18 | 1 file changed, 8 insertions(+) | ||
| 19 | |||
| 20 | diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c | ||
| 21 | index dcb4449..da35a0b 100644 | ||
| 22 | --- a/plug-ins/file-dds/ddsread.c | ||
| 23 | +++ b/plug-ins/file-dds/ddsread.c | ||
| 24 | @@ -934,6 +934,14 @@ load_layer (FILE *fp, | ||
| 25 | if (width < 1) width = 1; | ||
| 26 | if (height < 1) height = 1; | ||
| 27 | |||
| 28 | + if (width <= 0 ||height <= 0 || d->gimp_bpp <= 0 || | ||
| 29 | + (gsize) width > G_MAXSIZE / height || | ||
| 30 | + (gsize) width * height > G_MAXSIZE / d->gimp_bpp) | ||
| 31 | + { | ||
| 32 | + g_message ("Invalid dimensions in header."); | ||
| 33 | + return 0; | ||
| 34 | + } | ||
| 35 | + | ||
| 36 | switch (d->bpp) | ||
| 37 | { | ||
| 38 | case 1: | ||
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-2.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-2.patch new file mode 100644 index 0000000000..196ae11376 --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-2.patch | |||
| @@ -0,0 +1,84 @@ | |||
| 1 | From f7a458d072c266a4b2ae48de9ecec1706faad170 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 3 | Date: Thu, 5 Mar 2026 09:07:19 +0100 | ||
| 4 | Subject: [PATCH] plug-ins/dds: fix #12790 for 32-bit | ||
| 5 | |||
| 6 | with 2.10 backport bits by Sylvain Beucler <beuc@debian.org> | ||
| 7 | |||
| 8 | Gimp stopped supporting 2.10.x series (in favor of 3.x), and they do not | ||
| 9 | plan to fix this in the old version. This patch is taken from Debian, | ||
| 10 | and is a backport of the fix from 3.x series. | ||
| 11 | |||
| 12 | CVE: CVE-2025-2760 | ||
| 13 | Upstream-Status: Inappropriate [unsupported version. Debian ref: https://sources.debian.org/patches/gimp/2.10.34-1+deb12u8/CVE-2025-2760-32bit-followup.patch/] | ||
| 14 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 15 | --- | ||
| 16 | plug-ins/file-dds/ddsread.c | 28 ++++++++++++++++++++-------- | ||
| 17 | 1 file changed, 20 insertions(+), 8 deletions(-) | ||
| 18 | |||
| 19 | diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c | ||
| 20 | index da35a0b..e0b53f6 100644 | ||
| 21 | --- a/plug-ins/file-dds/ddsread.c | ||
| 22 | +++ b/plug-ins/file-dds/ddsread.c | ||
| 23 | @@ -169,26 +169,33 @@ read_dds (gchar *filename, | ||
| 24 | /* a lot of DDS images out there don't have this for some reason -_- */ | ||
| 25 | if (hdr.pitch_or_linsize == 0) | ||
| 26 | { | ||
| 27 | + gboolean valid = TRUE; | ||
| 28 | if (hdr.pixelfmt.flags & DDPF_FOURCC) /* assume linear size */ | ||
| 29 | { | ||
| 30 | - hdr.pitch_or_linsize = ((hdr.width + 3) >> 2) * ((hdr.height + 3) >> 2); | ||
| 31 | + valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, (hdr.width + 3) >> 2, (hdr.height + 3) >> 2); | ||
| 32 | switch (GETL32(hdr.pixelfmt.fourcc)) | ||
| 33 | { | ||
| 34 | case FOURCC ('D','X','T','1'): | ||
| 35 | case FOURCC ('A','T','I','1'): | ||
| 36 | case FOURCC ('B','C','4','U'): | ||
| 37 | case FOURCC ('B','C','4','S'): | ||
| 38 | - hdr.pitch_or_linsize *= 8; | ||
| 39 | + valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.pitch_or_linsize, 8); | ||
| 40 | break; | ||
| 41 | default: | ||
| 42 | - hdr.pitch_or_linsize *= 16; | ||
| 43 | + valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.pitch_or_linsize, 16); | ||
| 44 | break; | ||
| 45 | } | ||
| 46 | } | ||
| 47 | else /* assume pitch */ | ||
| 48 | { | ||
| 49 | - hdr.pitch_or_linsize = hdr.height * hdr.width * (hdr.pixelfmt.bpp >> 3); | ||
| 50 | + valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.height, hdr.width); | ||
| 51 | + valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.pitch_or_linsize, hdr.pixelfmt.bpp >> 3); | ||
| 52 | } | ||
| 53 | + if (!valid) { | ||
| 54 | + fclose (fp); | ||
| 55 | + g_message ("Image size is too big to handle.\n"); | ||
| 56 | + return GIMP_PDB_EXECUTION_ERROR; | ||
| 57 | + } | ||
| 58 | } | ||
| 59 | |||
| 60 | if (hdr.pixelfmt.flags & DDPF_FOURCC) | ||
| 61 | @@ -1217,14 +1224,19 @@ load_layer (FILE *fp, | ||
| 62 | { | ||
| 63 | unsigned char *dst; | ||
| 64 | |||
| 65 | - dst = g_malloc (width * height * d->gimp_bpp); | ||
| 66 | - memset (dst, 0, width * height * d->gimp_bpp); | ||
| 67 | + dst = g_malloc ((gsize) width * height * d->gimp_bpp); | ||
| 68 | + memset (dst, 0, (gsize) width * height * d->gimp_bpp); | ||
| 69 | |||
| 70 | if (d->gimp_bpp == 4) | ||
| 71 | { | ||
| 72 | - for (y = 0; y < height; ++y) | ||
| 73 | + guchar *dst_line; | ||
| 74 | + | ||
| 75 | + dst_line = dst; | ||
| 76 | + for (y = 0; y < height; ++y) { | ||
| 77 | for (x = 0; x < width; ++x) | ||
| 78 | - dst[y * (width * 4) + (x * 4) + 3] = 255; | ||
| 79 | + dst_line[(x * 4) + 3] = 255; | ||
| 80 | + dst_line += width * 4; | ||
| 81 | + } | ||
| 82 | } | ||
| 83 | |||
| 84 | dxt_decompress (dst, buf, format, size, width, height, d->gimp_bpp, | ||
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb index 95a6dfd7c8..afb1cd69e5 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | |||
| @@ -51,6 +51,8 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \ | |||
| 51 | file://CVE-2025-14425.patch \ | 51 | file://CVE-2025-14425.patch \ |
| 52 | file://CVE-2025-5473.patch \ | 52 | file://CVE-2025-5473.patch \ |
| 53 | file://CVE-2025-15059.patch \ | 53 | file://CVE-2025-15059.patch \ |
| 54 | file://CVE-2025-2760-1.patch \ | ||
| 55 | file://CVE-2025-2760-2.patch \ | ||
| 54 | " | 56 | " |
| 55 | SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e" | 57 | SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e" |
| 56 | 58 | ||
