summaryrefslogtreecommitdiffstats
path: root/meta-gnome
diff options
context:
space:
mode:
authorGyorgy Sarvari <skandigraun@gmail.com>2026-03-05 12:07:07 +0100
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-03-24 08:47:04 +0530
commit50d7ec475b2f088baa568b88c0504048a0b557fd (patch)
treece6ec5fdf244dbe14decadaa99bc029693340327 /meta-gnome
parent42d1f2f68181645a8cb9ef896d9c3fc29687c38f (diff)
downloadmeta-openembedded-50d7ec475b2f088baa568b88c0504048a0b557fd.tar.gz
gimp: patch CVE-2025-2760
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2760 Use the fixes from Debian. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-gnome')
-rw-r--r--meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-1.patch38
-rw-r--r--meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-2.patch84
-rw-r--r--meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb2
3 files changed, 124 insertions, 0 deletions
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-1.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-1.patch
new file mode 100644
index 0000000000..d5871958b4
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-1.patch
@@ -0,0 +1,38 @@
1From e4e21387f773598915a2399b348d019fd9c26ad6 Mon Sep 17 00:00:00 2001
2From: Gyorgy Sarvari <skandigraun@gmail.com>
3Date: Thu, 5 Mar 2026 09:06:34 +0100
4Subject: [PATCH] CVE-2025-2760
5
6https://gitlab.gnome.org/GNOME/gimp/-/issues/12790#note_2328950
7
8Gimp stopped supporting 2.10.x series (in favor of 3.x), and they do not
9plan to fix this in the old version. This patch is taken from Debian,
10and is a backport of the fix from 3.x series.
11
12CVE: CVE-2025-2760
13Upstream-Status: Inappropriate [unsupported version. Debian ref: https://sources.debian.org/patches/gimp/2.10.34-1+deb12u8/CVE-2025-2760.patch/]
14
15Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
16---
17 plug-ins/file-dds/ddsread.c | 8 ++++++++
18 1 file changed, 8 insertions(+)
19
20diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
21index dcb4449..da35a0b 100644
22--- a/plug-ins/file-dds/ddsread.c
23+++ b/plug-ins/file-dds/ddsread.c
24@@ -934,6 +934,14 @@ load_layer (FILE *fp,
25 if (width < 1) width = 1;
26 if (height < 1) height = 1;
27
28+ if (width <= 0 ||height <= 0 || d->gimp_bpp <= 0 ||
29+ (gsize) width > G_MAXSIZE / height ||
30+ (gsize) width * height > G_MAXSIZE / d->gimp_bpp)
31+ {
32+ g_message ("Invalid dimensions in header.");
33+ return 0;
34+ }
35+
36 switch (d->bpp)
37 {
38 case 1:
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-2.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-2.patch
new file mode 100644
index 0000000000..196ae11376
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-2.patch
@@ -0,0 +1,84 @@
1From f7a458d072c266a4b2ae48de9ecec1706faad170 Mon Sep 17 00:00:00 2001
2From: Gyorgy Sarvari <skandigraun@gmail.com>
3Date: Thu, 5 Mar 2026 09:07:19 +0100
4Subject: [PATCH] plug-ins/dds: fix #12790 for 32-bit
5
6with 2.10 backport bits by Sylvain Beucler <beuc@debian.org>
7
8Gimp stopped supporting 2.10.x series (in favor of 3.x), and they do not
9plan to fix this in the old version. This patch is taken from Debian,
10and is a backport of the fix from 3.x series.
11
12CVE: CVE-2025-2760
13Upstream-Status: Inappropriate [unsupported version. Debian ref: https://sources.debian.org/patches/gimp/2.10.34-1+deb12u8/CVE-2025-2760-32bit-followup.patch/]
14Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
15---
16 plug-ins/file-dds/ddsread.c | 28 ++++++++++++++++++++--------
17 1 file changed, 20 insertions(+), 8 deletions(-)
18
19diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
20index da35a0b..e0b53f6 100644
21--- a/plug-ins/file-dds/ddsread.c
22+++ b/plug-ins/file-dds/ddsread.c
23@@ -169,26 +169,33 @@ read_dds (gchar *filename,
24 /* a lot of DDS images out there don't have this for some reason -_- */
25 if (hdr.pitch_or_linsize == 0)
26 {
27+ gboolean valid = TRUE;
28 if (hdr.pixelfmt.flags & DDPF_FOURCC) /* assume linear size */
29 {
30- hdr.pitch_or_linsize = ((hdr.width + 3) >> 2) * ((hdr.height + 3) >> 2);
31+ valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, (hdr.width + 3) >> 2, (hdr.height + 3) >> 2);
32 switch (GETL32(hdr.pixelfmt.fourcc))
33 {
34 case FOURCC ('D','X','T','1'):
35 case FOURCC ('A','T','I','1'):
36 case FOURCC ('B','C','4','U'):
37 case FOURCC ('B','C','4','S'):
38- hdr.pitch_or_linsize *= 8;
39+ valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.pitch_or_linsize, 8);
40 break;
41 default:
42- hdr.pitch_or_linsize *= 16;
43+ valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.pitch_or_linsize, 16);
44 break;
45 }
46 }
47 else /* assume pitch */
48 {
49- hdr.pitch_or_linsize = hdr.height * hdr.width * (hdr.pixelfmt.bpp >> 3);
50+ valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.height, hdr.width);
51+ valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.pitch_or_linsize, hdr.pixelfmt.bpp >> 3);
52 }
53+ if (!valid) {
54+ fclose (fp);
55+ g_message ("Image size is too big to handle.\n");
56+ return GIMP_PDB_EXECUTION_ERROR;
57+ }
58 }
59
60 if (hdr.pixelfmt.flags & DDPF_FOURCC)
61@@ -1217,14 +1224,19 @@ load_layer (FILE *fp,
62 {
63 unsigned char *dst;
64
65- dst = g_malloc (width * height * d->gimp_bpp);
66- memset (dst, 0, width * height * d->gimp_bpp);
67+ dst = g_malloc ((gsize) width * height * d->gimp_bpp);
68+ memset (dst, 0, (gsize) width * height * d->gimp_bpp);
69
70 if (d->gimp_bpp == 4)
71 {
72- for (y = 0; y < height; ++y)
73+ guchar *dst_line;
74+
75+ dst_line = dst;
76+ for (y = 0; y < height; ++y) {
77 for (x = 0; x < width; ++x)
78- dst[y * (width * 4) + (x * 4) + 3] = 255;
79+ dst_line[(x * 4) + 3] = 255;
80+ dst_line += width * 4;
81+ }
82 }
83
84 dxt_decompress (dst, buf, format, size, width, height, d->gimp_bpp,
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
index 95a6dfd7c8..afb1cd69e5 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
@@ -51,6 +51,8 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
51 file://CVE-2025-14425.patch \ 51 file://CVE-2025-14425.patch \
52 file://CVE-2025-5473.patch \ 52 file://CVE-2025-5473.patch \
53 file://CVE-2025-15059.patch \ 53 file://CVE-2025-15059.patch \
54 file://CVE-2025-2760-1.patch \
55 file://CVE-2025-2760-2.patch \
54 " 56 "
55SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e" 57SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"
56 58