diff options
| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2026-03-05 20:46:04 +0100 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-03-24 08:52:05 +0530 |
| commit | 67d0242d70b9acd16bae03ea60f2aa5fa68a2da1 (patch) | |
| tree | 4604a0ea3dd887f49b3923969bc27bf00670ae78 /meta-gnome | |
| parent | ada8211493388476677d61ffee32464c1cebf35f (diff) | |
| download | meta-openembedded-67d0242d70b9acd16bae03ea60f2aa5fa68a2da1.tar.gz | |
gimp: add additional patch for CVE-2026-0797
There is an additional patch for CVE-2026-0797, which is not mentioned
in the CVE advisory, nor in the related issue nor in the related PR, however
both the change, and the commit message shows that this is a continuation
of the original fix, which was incomplete.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-gnome')
| -rw-r--r-- | meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-1.patch (renamed from meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797.patch) | 0 | ||||
| -rw-r--r-- | meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-2.patch | 62 | ||||
| -rw-r--r-- | meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | 3 |
3 files changed, 64 insertions, 1 deletions
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-1.patch index 46e83ac30c..46e83ac30c 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797.patch +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-1.patch | |||
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-2.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-2.patch new file mode 100644 index 0000000000..e3766240ef --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-2.patch | |||
| @@ -0,0 +1,62 @@ | |||
| 1 | From 48cf2ffa1630af389fe12653f7e57529c2744664 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 3 | Date: Sat, 27 Dec 2025 05:24:03 +0000 | ||
| 4 | Subject: [PATCH] plug-ins: Additional fread () checks in ICO plug-in | ||
| 5 | |||
| 6 | From: Alx Sa <cmyk.student@gmail.com> | ||
| 7 | |||
| 8 | A continuation of c54bf22a that adds checks to the | ||
| 9 | initial header loading as well, to prevent reading | ||
| 10 | beyond the file size. | ||
| 11 | |||
| 12 | CVE: CVE-2026-0797 | ||
| 13 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/905ce4b48782c5e71c79714b7ba7f6ebe4d0329d] | ||
| 14 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 15 | --- | ||
| 16 | plug-ins/file-ico/ico-load.c | 26 +++++++++++++++----------- | ||
| 17 | 1 file changed, 15 insertions(+), 11 deletions(-) | ||
| 18 | |||
| 19 | diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c | ||
| 20 | index 7eb9cb7..5068b10 100644 | ||
| 21 | --- a/plug-ins/file-ico/ico-load.c | ||
| 22 | +++ b/plug-ins/file-ico/ico-load.c | ||
| 23 | @@ -437,16 +437,20 @@ ico_read_icon (FILE *fp, | ||
| 24 | palette = NULL; | ||
| 25 | |||
| 26 | data.header_size = header_size; | ||
| 27 | - ico_read_int32 (fp, &data.width, 1); | ||
| 28 | - ico_read_int32 (fp, &data.height, 1); | ||
| 29 | - ico_read_int16 (fp, &data.planes, 1); | ||
| 30 | - ico_read_int16 (fp, &data.bpp, 1); | ||
| 31 | - ico_read_int32 (fp, &data.compression, 1); | ||
| 32 | - ico_read_int32 (fp, &data.image_size, 1); | ||
| 33 | - ico_read_int32 (fp, &data.x_res, 1); | ||
| 34 | - ico_read_int32 (fp, &data.y_res, 1); | ||
| 35 | - ico_read_int32 (fp, &data.used_clrs, 1); | ||
| 36 | - ico_read_int32 (fp, &data.important_clrs, 1); | ||
| 37 | + if (ico_read_int32 (fp, &data.width, 1) != 4 || | ||
| 38 | + ico_read_int32 (fp, &data.height, 1) != 4 || | ||
| 39 | + ico_read_int16 (fp, &data.planes, 1) != 2 || | ||
| 40 | + ico_read_int16 (fp, &data.bpp, 1) != 2 || | ||
| 41 | + ico_read_int32 (fp, &data.compression, 1) != 4 || | ||
| 42 | + ico_read_int32 (fp, &data.image_size, 1) != 4 || | ||
| 43 | + ico_read_int32 (fp, &data.x_res, 1) != 4 || | ||
| 44 | + ico_read_int32 (fp, &data.y_res, 1) != 4 || | ||
| 45 | + ico_read_int32 (fp, &data.used_clrs, 1) != 4 || | ||
| 46 | + ico_read_int32 (fp, &data.important_clrs, 1) != 4) | ||
| 47 | + { | ||
| 48 | + D(("skipping image: invalid header\n")); | ||
| 49 | + return FALSE; | ||
| 50 | + } | ||
| 51 | |||
| 52 | D((" header size %i, " | ||
| 53 | "w %i, h %i, planes %i, size %i, bpp %i, used %i, imp %i.\n", | ||
| 54 | @@ -509,7 +513,7 @@ ico_read_icon (FILE *fp, | ||
| 55 | |||
| 56 | /* Read in and_map. It's padded out to 32 bits per line: */ | ||
| 57 | and_map = ico_alloc_map (w, h, 1, &length); | ||
| 58 | - if (! ico_read_int8 (fp, and_map, length) != length) | ||
| 59 | + if (ico_read_int8 (fp, and_map, length) != length) | ||
| 60 | { | ||
| 61 | D(("skipping image: too large\n")); | ||
| 62 | return FALSE; | ||
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb index f2fd22043b..4a83020a39 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | |||
| @@ -54,7 +54,8 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \ | |||
| 54 | file://CVE-2025-2760-1.patch \ | 54 | file://CVE-2025-2760-1.patch \ |
| 55 | file://CVE-2025-2760-2.patch \ | 55 | file://CVE-2025-2760-2.patch \ |
| 56 | file://CVE-2025-2761.patch \ | 56 | file://CVE-2025-2761.patch \ |
| 57 | file://CVE-2026-0797.patch \ | 57 | file://CVE-2026-0797-1.patch \ |
| 58 | file://CVE-2026-0797-2.patch \ | ||
| 58 | file://CVE-2026-2044.patch \ | 59 | file://CVE-2026-2044.patch \ |
| 59 | file://CVE-2026-2045.patch \ | 60 | file://CVE-2026-2045.patch \ |
| 60 | file://CVE-2026-2048.patch \ | 61 | file://CVE-2026-2048.patch \ |
