summaryrefslogtreecommitdiffstats
path: root/meta-gnome
diff options
context:
space:
mode:
authorGyorgy Sarvari <skandigraun@gmail.com>2026-03-05 20:46:04 +0100
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-03-24 08:52:05 +0530
commit67d0242d70b9acd16bae03ea60f2aa5fa68a2da1 (patch)
tree4604a0ea3dd887f49b3923969bc27bf00670ae78 /meta-gnome
parentada8211493388476677d61ffee32464c1cebf35f (diff)
downloadmeta-openembedded-67d0242d70b9acd16bae03ea60f2aa5fa68a2da1.tar.gz
gimp: add additional patch for CVE-2026-0797
There is an additional patch for CVE-2026-0797, which is not mentioned in the CVE advisory, nor in the related issue nor in the related PR, however both the change, and the commit message shows that this is a continuation of the original fix, which was incomplete. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-gnome')
-rw-r--r--meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-1.patch (renamed from meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797.patch)0
-rw-r--r--meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-2.patch62
-rw-r--r--meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb3
3 files changed, 64 insertions, 1 deletions
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-1.patch
index 46e83ac30c..46e83ac30c 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797.patch
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-1.patch
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-2.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-2.patch
new file mode 100644
index 0000000000..e3766240ef
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-2.patch
@@ -0,0 +1,62 @@
1From 48cf2ffa1630af389fe12653f7e57529c2744664 Mon Sep 17 00:00:00 2001
2From: Gyorgy Sarvari <skandigraun@gmail.com>
3Date: Sat, 27 Dec 2025 05:24:03 +0000
4Subject: [PATCH] plug-ins: Additional fread () checks in ICO plug-in
5
6From: Alx Sa <cmyk.student@gmail.com>
7
8A continuation of c54bf22a that adds checks to the
9initial header loading as well, to prevent reading
10beyond the file size.
11
12CVE: CVE-2026-0797
13Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/905ce4b48782c5e71c79714b7ba7f6ebe4d0329d]
14Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
15---
16 plug-ins/file-ico/ico-load.c | 26 +++++++++++++++-----------
17 1 file changed, 15 insertions(+), 11 deletions(-)
18
19diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
20index 7eb9cb7..5068b10 100644
21--- a/plug-ins/file-ico/ico-load.c
22+++ b/plug-ins/file-ico/ico-load.c
23@@ -437,16 +437,20 @@ ico_read_icon (FILE *fp,
24 palette = NULL;
25
26 data.header_size = header_size;
27- ico_read_int32 (fp, &data.width, 1);
28- ico_read_int32 (fp, &data.height, 1);
29- ico_read_int16 (fp, &data.planes, 1);
30- ico_read_int16 (fp, &data.bpp, 1);
31- ico_read_int32 (fp, &data.compression, 1);
32- ico_read_int32 (fp, &data.image_size, 1);
33- ico_read_int32 (fp, &data.x_res, 1);
34- ico_read_int32 (fp, &data.y_res, 1);
35- ico_read_int32 (fp, &data.used_clrs, 1);
36- ico_read_int32 (fp, &data.important_clrs, 1);
37+ if (ico_read_int32 (fp, &data.width, 1) != 4 ||
38+ ico_read_int32 (fp, &data.height, 1) != 4 ||
39+ ico_read_int16 (fp, &data.planes, 1) != 2 ||
40+ ico_read_int16 (fp, &data.bpp, 1) != 2 ||
41+ ico_read_int32 (fp, &data.compression, 1) != 4 ||
42+ ico_read_int32 (fp, &data.image_size, 1) != 4 ||
43+ ico_read_int32 (fp, &data.x_res, 1) != 4 ||
44+ ico_read_int32 (fp, &data.y_res, 1) != 4 ||
45+ ico_read_int32 (fp, &data.used_clrs, 1) != 4 ||
46+ ico_read_int32 (fp, &data.important_clrs, 1) != 4)
47+ {
48+ D(("skipping image: invalid header\n"));
49+ return FALSE;
50+ }
51
52 D((" header size %i, "
53 "w %i, h %i, planes %i, size %i, bpp %i, used %i, imp %i.\n",
54@@ -509,7 +513,7 @@ ico_read_icon (FILE *fp,
55
56 /* Read in and_map. It's padded out to 32 bits per line: */
57 and_map = ico_alloc_map (w, h, 1, &length);
58- if (! ico_read_int8 (fp, and_map, length) != length)
59+ if (ico_read_int8 (fp, and_map, length) != length)
60 {
61 D(("skipping image: too large\n"));
62 return FALSE;
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
index f2fd22043b..4a83020a39 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
@@ -54,7 +54,8 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
54 file://CVE-2025-2760-1.patch \ 54 file://CVE-2025-2760-1.patch \
55 file://CVE-2025-2760-2.patch \ 55 file://CVE-2025-2760-2.patch \
56 file://CVE-2025-2761.patch \ 56 file://CVE-2025-2761.patch \
57 file://CVE-2026-0797.patch \ 57 file://CVE-2026-0797-1.patch \
58 file://CVE-2026-0797-2.patch \
58 file://CVE-2026-2044.patch \ 59 file://CVE-2026-2044.patch \
59 file://CVE-2026-2045.patch \ 60 file://CVE-2026-2045.patch \
60 file://CVE-2026-2048.patch \ 61 file://CVE-2026-2048.patch \