2 files changed, 80 insertions, 0 deletions
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch
new file mode 100644
index 0000000000..44e9587570
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch
@@ -0,0 +1,79 @@
+From 042e27792026460badbe49664c02fe181e95cb2b Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Wed, 12 Nov 2025 13:25:44 +0000
+Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28248 for JP2 images
+From: Alx Sa <cmyk.student@gmail.com>
+Resolves #15285
+Per the report, it's possible to exceed the size of the pixel buffer
+with a high precision_scaled value, as we size it to the width * bpp.
+This patch includes precision_scaled in the allocation calculation.
+It also adds a g_size_checked_mul () check to ensure there's no
+overflow, and moves the pixel and buffer memory freeing to occur
+in the out section so that it always runs even on failure.
+CVE: CVE-2025-14425
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/cd1c88a0364ad1444c06536731972a99bd8643fd]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ plug-ins/common/file-jp2-load.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+diff --git a/plug-ins/common/file-jp2-load.c b/plug-ins/common/file-jp2-load.c
+index 064b616..604313a 100644
+--- a/plug-ins/common/file-jp2-load.c
+++ b/plug-ins/common/file-jp2-load.c
+@@ -1045,14 +1045,15 @@ load_image (GimpProcedure     *procedure,
+   GimpColorProfile    *profile    = NULL;
+   GimpImage           *gimp_image = NULL;
+   GimpLayer           *layer;
+  GeglBuffer          *buffer     = NULL;
+  guchar              *pixels     = NULL;
+  gsize                pixels_size;
+   GimpImageType        image_type;
+   GimpImageBaseType    base_type;
+   gint                 width;
+   gint                 height;
+   gint                 num_components;
+-  GeglBuffer          *buffer;
+   gint                 i, j, k, it;
+-  guchar              *pixels;
+   const Babl          *file_format;
+   gint                 bpp;
+   GimpPrecision        image_precision;
+@@ -1318,7 +1319,15 @@ load_image (GimpProcedure     *procedure,
+   bpp = babl_format_get_bytes_per_pixel (file_format);
+ 
+   buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
+-  pixels = g_new0 (guchar, width * bpp);
+
+  if (! g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8))))
+    {
+      g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
+                   _("Defined row size is too large in JP2 image '%s'."),
+                   gimp_file_get_utf8_name (file));
+      goto out;
+    }
+  pixels = g_new0 (guchar, pixels_size);
+ 
+   for (i = 0; i < height; i++)
+     {
+@@ -1344,13 +1353,13 @@ load_image (GimpProcedure     *procedure,
+         gegl_buffer_set (buffer, GEGL_RECTANGLE (0, i, width, 1), 0,
+                          file_format, pixels, GEGL_AUTO_ROWSTRIDE);
+     }
+-
+-  g_free (pixels);
+-
+-  g_object_unref (buffer);
+   gimp_progress_update (1.0);
+ 
+  out:
+  if (pixels)
+    g_free (pixels);
+  if (buffer)
+    g_object_unref (buffer);
+   if (profile)
+     g_object_unref (profile);
+   if (image)
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
index bc55aed06f..fa192555bc 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
@@ -64,6 +64,7 @@ SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \
           file://CVE-2025-14422.patch \
           file://CVE-2025-14423.patch \
           file://CVE-2025-14424.patch \
+           file://CVE-2025-14425.patch \
           "
 SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"

diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch new file mode 100644 index 0000000000..44e9587570 --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch
@@ -0,0 +1,79 @@
		1	From 042e27792026460badbe49664c02fe181e95cb2b Mon Sep 17 00:00:00 2001
		2	From: Gyorgy Sarvari <skandigraun@gmail.com>
		3	Date: Wed, 12 Nov 2025 13:25:44 +0000
		4	Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28248 for JP2 images
		5
		6	From: Alx Sa <cmyk.student@gmail.com>
		7
		8	Resolves #15285
		9	Per the report, it's possible to exceed the size of the pixel buffer
		10	with a high precision_scaled value, as we size it to the width * bpp.
		11	This patch includes precision_scaled in the allocation calculation.
		12	It also adds a g_size_checked_mul () check to ensure there's no
		13	overflow, and moves the pixel and buffer memory freeing to occur
		14	in the out section so that it always runs even on failure.
		15
		16	CVE: CVE-2025-14425
		17	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/cd1c88a0364ad1444c06536731972a99bd8643fd]
		18	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		19	---
		20	plug-ins/common/file-jp2-load.c \| 23 ++++++++++++++++-------
		21	1 file changed, 16 insertions(+), 7 deletions(-)
		22
		23	diff --git a/plug-ins/common/file-jp2-load.c b/plug-ins/common/file-jp2-load.c
		24	index 064b616..604313a 100644
		25	--- a/plug-ins/common/file-jp2-load.c
		26	+++ b/plug-ins/common/file-jp2-load.c
		27	@@ -1045,14 +1045,15 @@ load_image (GimpProcedure *procedure,
		28	GimpColorProfile *profile = NULL;
		29	GimpImage *gimp_image = NULL;
		30	GimpLayer *layer;
		31	+ GeglBuffer *buffer = NULL;
		32	+ guchar *pixels = NULL;
		33	+ gsize pixels_size;
		34	GimpImageType image_type;
		35	GimpImageBaseType base_type;
		36	gint width;
		37	gint height;
		38	gint num_components;
		39	- GeglBuffer *buffer;
		40	gint i, j, k, it;
		41	- guchar *pixels;
		42	const Babl *file_format;
		43	gint bpp;
		44	GimpPrecision image_precision;
		45	@@ -1318,7 +1319,15 @@ load_image (GimpProcedure *procedure,
		46	bpp = babl_format_get_bytes_per_pixel (file_format);
		47
		48	buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
		49	- pixels = g_new0 (guchar, width * bpp);
		50	+
		51	+ if (! g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8))))
		52	+ {
		53	+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
		54	+ _("Defined row size is too large in JP2 image '%s'."),
		55	+ gimp_file_get_utf8_name (file));
		56	+ goto out;
		57	+ }
		58	+ pixels = g_new0 (guchar, pixels_size);
		59
		60	for (i = 0; i < height; i++)
		61	{
		62	@@ -1344,13 +1353,13 @@ load_image (GimpProcedure *procedure,
		63	gegl_buffer_set (buffer, GEGL_RECTANGLE (0, i, width, 1), 0,
		64	file_format, pixels, GEGL_AUTO_ROWSTRIDE);
		65	}
		66	-
		67	- g_free (pixels);
		68	-
		69	- g_object_unref (buffer);
		70	gimp_progress_update (1.0);
		71
		72	out:
		73	+ if (pixels)
		74	+ g_free (pixels);
		75	+ if (buffer)
		76	+ g_object_unref (buffer);
		77	if (profile)
		78	g_object_unref (profile);
		79	if (image)


diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb index bc55aed06f..fa192555bc 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
@@ -64,6 +64,7 @@ SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \
64	file://CVE-2025-14422.patch \	64	file://CVE-2025-14422.patch \
65	file://CVE-2025-14423.patch \	65	file://CVE-2025-14423.patch \
66	file://CVE-2025-14424.patch \	66	file://CVE-2025-14424.patch \
		67	file://CVE-2025-14425.patch \
67	"	68	"
68	SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"	69	SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"
69		70