2 files changed, 107 insertions, 0 deletions
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch
new file mode 100644
index 0000000000..50a0adfe89
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch
@@ -0,0 +1,106 @@
+From a83e8c4ad8ffbce40aa9f9a0f49880e802ef7da1 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Sun, 23 Nov 2025 04:22:49 +0000
+Subject: [PATCH] plug-ins: Fix ZDI-CAN-28311
+From: Alx Sa <cmyk.student@gmail.com>
+Resolves #15292
+The IFF specification states that EHB format images
+have exactly 32 colors in their palette. However, it
+is possible for images in the wild to place an incorrect
+palette size. This patch checks for this, and either limits
+the palette size or breaks accordingly.
+CVE: CVE-2025-14423
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/481cdbbb97746be1145ec3a633c567a68633c521]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ plug-ins/common/file-iff.c | 32 ++++++++++++++++++++++----------
+ 1 file changed, 22 insertions(+), 10 deletions(-)
+diff --git a/plug-ins/common/file-iff.c b/plug-ins/common/file-iff.c
+index d144a96..f087947 100644
+--- a/plug-ins/common/file-iff.c
+++ b/plug-ins/common/file-iff.c
+@@ -337,7 +337,7 @@ load_image (GFile        *file,
+       width      = bitMapHeader->w;
+       height     = bitMapHeader->h;
+       nPlanes    = bitMapHeader->nPlanes;
+-      row_length = (width + 15) / 16;
+      row_length = ((width + 15) / 16) * 2;
+       pixel_size = nPlanes / 8;
+       aspect_x   = bitMapHeader->xAspect;
+       aspect_y   = bitMapHeader->yAspect;
+@@ -375,6 +375,18 @@ load_image (GFile        *file,
+             {
+               /* EHB mode adds 32 more colors. Each are half the RGB values
+                * of the first 32 colors */
+              if (palette_size < 32)
+                {
+                  g_set_error (error, G_FILE_ERROR,
+                               g_file_error_from_errno (errno),
+                               _("Invalid ILBM colormap size"));
+                  return NULL;
+                }
+              else if (palette_size > 32)
+                {
+                  palette_size = 32;
+                }
+
+               for (gint j = 0; j < palette_size * 2; j++)
+                 {
+                   gint offset_index = j + 32;
+@@ -386,7 +398,7 @@ load_image (GFile        *file,
+                   gimp_cmap[offset_index * 3 + 2] =
+                     colorMap->colorRegister[j].blue / 2;
+                 }
+-              /* EHB mode always has 64 colors */
+              /* EHB mode always has 64 colors in total */
+               palette_size = 64;
+             }
+         }
+@@ -447,7 +459,7 @@ load_image (GFile        *file,
+         {
+           guchar *pixel_row;
+ 
+-          pixel_row = g_malloc (width * pixel_size * sizeof (guchar));
+          pixel_row = g_malloc0 (width * pixel_size);
+ 
+           /* PBM uses one byte per pixel index */
+           if (ILBM_imageIsPBM (true_image))
+@@ -459,7 +471,7 @@ load_image (GFile        *file,
+           else
+             deleave_rgb_row (bitplanes, pixel_row, width, nPlanes, pixel_size);
+ 
+-          bitplanes += (row_length * 2 * nPlanes);
+          bitplanes += (row_length * nPlanes);
+ 
+           gegl_buffer_set (buffer, GEGL_RECTANGLE (0, y_height, width, 1), 0,
+                            NULL, pixel_row, GEGL_AUTO_ROWSTRIDE);
+@@ -528,7 +540,7 @@ deleave_ham_row (const guchar *gimp_cmap,
+   /* Deleave rows */
+   for (gint i = 0; i < row_length; i++)
+     {
+-      for (gint j = 0; j < 8; j++)
+      for (gint j = 0; j < nPlanes; j++)
+         {
+           guint8 bitmask = (1 << (8 - j)) - (1 << (7 - j));
+           guint8 control = 0;
+@@ -590,11 +602,11 @@ deleave_ham_row (const guchar *gimp_cmap,
+ }
+ 
+ static void
+-deleave_rgb_row (IFF_UByte  *bitplanes,
+-                     guchar *pixel_row,
+-                     gint    width,
+-                     gint    nPlanes,
+-                     gint    pixel_size)
+deleave_rgb_row (IFF_UByte *bitplanes,
+                 guchar    *pixel_row,
+                 gint       width,
+                 gint       nPlanes,
+                 gint       pixel_size)
+ {
+   gint row_length    = ((width + 15) / 16) * 2;
+   gint current_pixel = 0;
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
index f529930dff..24281e5dfd 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
@@ -62,6 +62,7 @@ SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \
           file://0001-meson.build-dont-check-for-lgi.patch \
           file://0001-meson.build-require-iso-codes-native.patch \
           file://CVE-2025-14422.patch \
+           file://CVE-2025-14423.patch \
           "
 SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"

diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch new file mode 100644 index 0000000000..50a0adfe89 --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch
@@ -0,0 +1,106 @@
		1	From a83e8c4ad8ffbce40aa9f9a0f49880e802ef7da1 Mon Sep 17 00:00:00 2001
		2	From: Gyorgy Sarvari <skandigraun@gmail.com>
		3	Date: Sun, 23 Nov 2025 04:22:49 +0000
		4	Subject: [PATCH] plug-ins: Fix ZDI-CAN-28311
		5
		6	From: Alx Sa <cmyk.student@gmail.com>
		7
		8	Resolves #15292
		9	The IFF specification states that EHB format images
		10	have exactly 32 colors in their palette. However, it
		11	is possible for images in the wild to place an incorrect
		12	palette size. This patch checks for this, and either limits
		13	the palette size or breaks accordingly.
		14
		15	CVE: CVE-2025-14423
		16	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/481cdbbb97746be1145ec3a633c567a68633c521]
		17	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		18	---
		19	plug-ins/common/file-iff.c \| 32 ++++++++++++++++++++++----------
		20	1 file changed, 22 insertions(+), 10 deletions(-)
		21
		22	diff --git a/plug-ins/common/file-iff.c b/plug-ins/common/file-iff.c
		23	index d144a96..f087947 100644
		24	--- a/plug-ins/common/file-iff.c
		25	+++ b/plug-ins/common/file-iff.c
		26	@@ -337,7 +337,7 @@ load_image (GFile *file,
		27	width = bitMapHeader->w;
		28	height = bitMapHeader->h;
		29	nPlanes = bitMapHeader->nPlanes;
		30	- row_length = (width + 15) / 16;
		31	+ row_length = ((width + 15) / 16) * 2;
		32	pixel_size = nPlanes / 8;
		33	aspect_x = bitMapHeader->xAspect;
		34	aspect_y = bitMapHeader->yAspect;
		35	@@ -375,6 +375,18 @@ load_image (GFile *file,
		36	{
		37	/* EHB mode adds 32 more colors. Each are half the RGB values
		38	* of the first 32 colors */
		39	+ if (palette_size < 32)
		40	+ {
		41	+ g_set_error (error, G_FILE_ERROR,
		42	+ g_file_error_from_errno (errno),
		43	+ _("Invalid ILBM colormap size"));
		44	+ return NULL;
		45	+ }
		46	+ else if (palette_size > 32)
		47	+ {
		48	+ palette_size = 32;
		49	+ }
		50	+
		51	for (gint j = 0; j < palette_size * 2; j++)
		52	{
		53	gint offset_index = j + 32;
		54	@@ -386,7 +398,7 @@ load_image (GFile *file,
		55	gimp_cmap[offset_index * 3 + 2] =
		56	colorMap->colorRegister[j].blue / 2;
		57	}
		58	- /* EHB mode always has 64 colors */
		59	+ /* EHB mode always has 64 colors in total */
		60	palette_size = 64;
		61	}
		62	}
		63	@@ -447,7 +459,7 @@ load_image (GFile *file,
		64	{
		65	guchar *pixel_row;
		66
		67	- pixel_row = g_malloc (width * pixel_size * sizeof (guchar));
		68	+ pixel_row = g_malloc0 (width * pixel_size);
		69
		70	/* PBM uses one byte per pixel index */
		71	if (ILBM_imageIsPBM (true_image))
		72	@@ -459,7 +471,7 @@ load_image (GFile *file,
		73	else
		74	deleave_rgb_row (bitplanes, pixel_row, width, nPlanes, pixel_size);
		75
		76	- bitplanes += (row_length * 2 * nPlanes);
		77	+ bitplanes += (row_length * nPlanes);
		78
		79	gegl_buffer_set (buffer, GEGL_RECTANGLE (0, y_height, width, 1), 0,
		80	NULL, pixel_row, GEGL_AUTO_ROWSTRIDE);
		81	@@ -528,7 +540,7 @@ deleave_ham_row (const guchar *gimp_cmap,
		82	/* Deleave rows */
		83	for (gint i = 0; i < row_length; i++)
		84	{
		85	- for (gint j = 0; j < 8; j++)
		86	+ for (gint j = 0; j < nPlanes; j++)
		87	{
		88	guint8 bitmask = (1 << (8 - j)) - (1 << (7 - j));
		89	guint8 control = 0;
		90	@@ -590,11 +602,11 @@ deleave_ham_row (const guchar *gimp_cmap,
		91	}
		92
		93	static void
		94	-deleave_rgb_row (IFF_UByte *bitplanes,
		95	- guchar *pixel_row,
		96	- gint width,
		97	- gint nPlanes,
		98	- gint pixel_size)
		99	+deleave_rgb_row (IFF_UByte *bitplanes,
		100	+ guchar *pixel_row,
		101	+ gint width,
		102	+ gint nPlanes,
		103	+ gint pixel_size)
		104	{
		105	gint row_length = ((width + 15) / 16) * 2;
		106	gint current_pixel = 0;


diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb index f529930dff..24281e5dfd 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
@@ -62,6 +62,7 @@ SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \
62	file://0001-meson.build-dont-check-for-lgi.patch \	62	file://0001-meson.build-dont-check-for-lgi.patch \
63	file://0001-meson.build-require-iso-codes-native.patch \	63	file://0001-meson.build-require-iso-codes-native.patch \
64	file://CVE-2025-14422.patch \	64	file://CVE-2025-14422.patch \
		65	file://CVE-2025-14423.patch \
65	"	66	"
66	SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"	67	SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"
67		68