6 files changed, 2 insertions, 322 deletions
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/0001-gimp-cross-compile-fix-for-bz2.patch b/meta-gnome/recipes-gimp/gimp/gimp/0001-gimp-cross-compile-fix-for-bz2.patch
deleted file mode 100644
index 380e425f25..0000000000
--- a/meta-gnome/recipes-gimp/gimp/gimp/0001-gimp-cross-compile-fix-for-bz2.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From a7e40e19d17404cf5ec4135fc1becd5a90f5e1e1 Mon Sep 17 00:00:00 2001
-From: Markus Volk <f_l_k@t-online.de>
-Date: Wed, 25 Dec 2024 07:27:04 +0100
-Subject: [PATCH] gimp: cross-compile fix for bz2
-autotools bzip2 build does not create pkgconfig files so looking for the dependency fails.
-Signed-off-by: Markus Volk <f_l_k@t-online.de>
-Upstream-Status: Inappropriate [can probably be removed once bzip2 is built with meson or cmake]
---
- meson.build | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/meson.build b/meson.build
-index 4e48f8c64c..d5dce47015 100644
--- a/meson.build
-+++ b/meson.build
-@@ -777,7 +777,7 @@ zlib = dependency('zlib')
- zlib = dependency('zlib')
- 
- # Compiler-provided headers can't be found in crossroads environment
-if not meson.is_cross_build()
-+if true
-   bz2 = cc.find_library('bz2')
- else
-   bz2 = dependency('bzip2')
-- 
-2.47.1
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch
deleted file mode 100644
index 420e013916..0000000000
--- a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 0a941cab81396d65a8ab547847f8c542039e214f Mon Sep 17 00:00:00 2001
-From: Gyorgy Sarvari <skandigraun@gmail.com>
-Date: Sun, 23 Nov 2025 16:43:51 +0000
-Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273
-From: Alx Sa <cmyk.student@gmail.com>
-Resolves #15286
-Adds a check to the memory allocation
-in pnm_load_raw () with g_size_checked_mul ()
-to see if the size would go out of bounds.
-If so, we don't try to allocate and load the
-image.
-CVE: CVE-2025-14422
-Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/4ff2d773d58064e6130495de498e440f4a6d5edb]
-Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
- plug-ins/common/file-pnm.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c
-index 32a33a4..9d349e9 100644
--- a/plug-ins/common/file-pnm.c
-+++ b/plug-ins/common/file-pnm.c
-@@ -674,7 +674,7 @@ load_image (GFile   *file,
-             GError **error)
- {
-   GInputStream    *input;
-  GeglBuffer      *buffer;
-+  GeglBuffer      *buffer    = NULL;
-   GimpImage * volatile image = NULL;
-   GimpLayer       *layer;
-   char             buf[BUFLEN + 4];  /* buffer for random things like scanning */
-@@ -708,6 +708,9 @@ load_image (GFile   *file,
-       g_object_unref (input);
-       g_free (pnminfo);
- 
-+      if (buffer)
-+        g_object_unref (buffer);
-+
-       if (image)
-         gimp_image_delete (image);
- 
-@@ -1060,6 +1063,7 @@ pnm_load_raw (PNMScanner *scan,
-   const Babl   *format = NULL;
-   gint          bpc;
-   guchar       *data, *d;
-+  gsize         data_size;
-   gushort      *s;
-   gint          x, y, i;
-   gint          start, end, scanlines;
-@@ -1070,7 +1074,12 @@ pnm_load_raw (PNMScanner *scan,
-     bpc = 1;
- 
-   /* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */
-  data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc);
-+  if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) ||
-+      ! g_size_checked_mul (&data_size, data_size, info->np)             ||
-+      ! g_size_checked_mul (&data_size, data_size, bpc))
-+    CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value."));
-+
-+  data = g_new (guchar, data_size);
- 
-   input = pnmscanner_input (scan);
- 
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch
deleted file mode 100644
index 50a0adfe89..0000000000
--- a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From a83e8c4ad8ffbce40aa9f9a0f49880e802ef7da1 Mon Sep 17 00:00:00 2001
-From: Gyorgy Sarvari <skandigraun@gmail.com>
-Date: Sun, 23 Nov 2025 04:22:49 +0000
-Subject: [PATCH] plug-ins: Fix ZDI-CAN-28311
-From: Alx Sa <cmyk.student@gmail.com>
-Resolves #15292
-The IFF specification states that EHB format images
-have exactly 32 colors in their palette. However, it
-is possible for images in the wild to place an incorrect
-palette size. This patch checks for this, and either limits
-the palette size or breaks accordingly.
-CVE: CVE-2025-14423
-Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/481cdbbb97746be1145ec3a633c567a68633c521]
-Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
- plug-ins/common/file-iff.c | 32 ++++++++++++++++++++++----------
- 1 file changed, 22 insertions(+), 10 deletions(-)
-diff --git a/plug-ins/common/file-iff.c b/plug-ins/common/file-iff.c
-index d144a96..f087947 100644
--- a/plug-ins/common/file-iff.c
-+++ b/plug-ins/common/file-iff.c
-@@ -337,7 +337,7 @@ load_image (GFile        *file,
-       width      = bitMapHeader->w;
-       height     = bitMapHeader->h;
-       nPlanes    = bitMapHeader->nPlanes;
-      row_length = (width + 15) / 16;
-+      row_length = ((width + 15) / 16) * 2;
-       pixel_size = nPlanes / 8;
-       aspect_x   = bitMapHeader->xAspect;
-       aspect_y   = bitMapHeader->yAspect;
-@@ -375,6 +375,18 @@ load_image (GFile        *file,
-             {
-               /* EHB mode adds 32 more colors. Each are half the RGB values
-                * of the first 32 colors */
-+              if (palette_size < 32)
-+                {
-+                  g_set_error (error, G_FILE_ERROR,
-+                               g_file_error_from_errno (errno),
-+                               _("Invalid ILBM colormap size"));
-+                  return NULL;
-+                }
-+              else if (palette_size > 32)
-+                {
-+                  palette_size = 32;
-+                }
-+
-               for (gint j = 0; j < palette_size * 2; j++)
-                 {
-                   gint offset_index = j + 32;
-@@ -386,7 +398,7 @@ load_image (GFile        *file,
-                   gimp_cmap[offset_index * 3 + 2] =
-                     colorMap->colorRegister[j].blue / 2;
-                 }
-              /* EHB mode always has 64 colors */
-+              /* EHB mode always has 64 colors in total */
-               palette_size = 64;
-             }
-         }
-@@ -447,7 +459,7 @@ load_image (GFile        *file,
-         {
-           guchar *pixel_row;
- 
-          pixel_row = g_malloc (width * pixel_size * sizeof (guchar));
-+          pixel_row = g_malloc0 (width * pixel_size);
- 
-           /* PBM uses one byte per pixel index */
-           if (ILBM_imageIsPBM (true_image))
-@@ -459,7 +471,7 @@ load_image (GFile        *file,
-           else
-             deleave_rgb_row (bitplanes, pixel_row, width, nPlanes, pixel_size);
- 
-          bitplanes += (row_length * 2 * nPlanes);
-+          bitplanes += (row_length * nPlanes);
- 
-           gegl_buffer_set (buffer, GEGL_RECTANGLE (0, y_height, width, 1), 0,
-                            NULL, pixel_row, GEGL_AUTO_ROWSTRIDE);
-@@ -528,7 +540,7 @@ deleave_ham_row (const guchar *gimp_cmap,
-   /* Deleave rows */
-   for (gint i = 0; i < row_length; i++)
-     {
-      for (gint j = 0; j < 8; j++)
-+      for (gint j = 0; j < nPlanes; j++)
-         {
-           guint8 bitmask = (1 << (8 - j)) - (1 << (7 - j));
-           guint8 control = 0;
-@@ -590,11 +602,11 @@ deleave_ham_row (const guchar *gimp_cmap,
- }
- 
- static void
-deleave_rgb_row (IFF_UByte  *bitplanes,
-                     guchar *pixel_row,
-                     gint    width,
-                     gint    nPlanes,
-                     gint    pixel_size)
-+deleave_rgb_row (IFF_UByte *bitplanes,
-+                 guchar    *pixel_row,
-+                 gint       width,
-+                 gint       nPlanes,
-+                 gint       pixel_size)
- {
-   gint row_length    = ((width + 15) / 16) * 2;
-   gint current_pixel = 0;
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14424.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14424.patch
deleted file mode 100644
index e7821d3109..0000000000
--- a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14424.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From d30875b606085316b1cb7ac1da0d26e5bac0cf2c Mon Sep 17 00:00:00 2001
-From: Gyorgy Sarvari <skandigraun@gmail.com>
-Date: Thu, 13 Nov 2025 18:26:51 -0500
-Subject: [PATCH] app: fix #15288 crash when loading malformed xcf
-From: Jacob Boerema <jgboerema@gmail.com>
-ZDI-CAN-28376 vulnerability
-Add extra tests to not crash on a NULL g_class.
-CVE: CVE-2025-14424
-Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/5cc55d078b7fba995cef77d195fac325ee288ddd]
-Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
- app/core/gimpitemlist.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-diff --git a/app/core/gimpitemlist.c b/app/core/gimpitemlist.c
-index 6473938..a431519 100644
--- a/app/core/gimpitemlist.c
-+++ b/app/core/gimpitemlist.c
-@@ -345,7 +345,10 @@ gimp_item_list_named_new (GimpImage   *image,
-   g_return_val_if_fail (GIMP_IS_IMAGE (image), NULL);
- 
-   for (iter = items; iter; iter = iter->next)
-    g_return_val_if_fail (g_type_is_a (G_OBJECT_TYPE (iter->data), item_type), NULL);
-+    {
-+      g_return_val_if_fail (iter->data && ((GTypeInstance*) (iter->data))->g_class, NULL);
-+      g_return_val_if_fail (g_type_is_a (G_OBJECT_TYPE (iter->data), item_type), NULL);
-+    }
- 
-   if (! items)
-     {
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch
deleted file mode 100644
index 44e9587570..0000000000
--- a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 042e27792026460badbe49664c02fe181e95cb2b Mon Sep 17 00:00:00 2001
-From: Gyorgy Sarvari <skandigraun@gmail.com>
-Date: Wed, 12 Nov 2025 13:25:44 +0000
-Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28248 for JP2 images
-From: Alx Sa <cmyk.student@gmail.com>
-Resolves #15285
-Per the report, it's possible to exceed the size of the pixel buffer
-with a high precision_scaled value, as we size it to the width * bpp.
-This patch includes precision_scaled in the allocation calculation.
-It also adds a g_size_checked_mul () check to ensure there's no
-overflow, and moves the pixel and buffer memory freeing to occur
-in the out section so that it always runs even on failure.
-CVE: CVE-2025-14425
-Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/cd1c88a0364ad1444c06536731972a99bd8643fd]
-Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
- plug-ins/common/file-jp2-load.c | 23 ++++++++++++++++-------
- 1 file changed, 16 insertions(+), 7 deletions(-)
-diff --git a/plug-ins/common/file-jp2-load.c b/plug-ins/common/file-jp2-load.c
-index 064b616..604313a 100644
--- a/plug-ins/common/file-jp2-load.c
-+++ b/plug-ins/common/file-jp2-load.c
-@@ -1045,14 +1045,15 @@ load_image (GimpProcedure     *procedure,
-   GimpColorProfile    *profile    = NULL;
-   GimpImage           *gimp_image = NULL;
-   GimpLayer           *layer;
-+  GeglBuffer          *buffer     = NULL;
-+  guchar              *pixels     = NULL;
-+  gsize                pixels_size;
-   GimpImageType        image_type;
-   GimpImageBaseType    base_type;
-   gint                 width;
-   gint                 height;
-   gint                 num_components;
-  GeglBuffer          *buffer;
-   gint                 i, j, k, it;
-  guchar              *pixels;
-   const Babl          *file_format;
-   gint                 bpp;
-   GimpPrecision        image_precision;
-@@ -1318,7 +1319,15 @@ load_image (GimpProcedure     *procedure,
-   bpp = babl_format_get_bytes_per_pixel (file_format);
- 
-   buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
-  pixels = g_new0 (guchar, width * bpp);
-+
-+  if (! g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8))))
-+    {
-+      g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
-+                   _("Defined row size is too large in JP2 image '%s'."),
-+                   gimp_file_get_utf8_name (file));
-+      goto out;
-+    }
-+  pixels = g_new0 (guchar, pixels_size);
- 
-   for (i = 0; i < height; i++)
-     {
-@@ -1344,13 +1353,13 @@ load_image (GimpProcedure     *procedure,
-         gegl_buffer_set (buffer, GEGL_RECTANGLE (0, i, width, 1), 0,
-                          file_format, pixels, GEGL_AUTO_ROWSTRIDE);
-     }
-
-  g_free (pixels);
-
-  g_object_unref (buffer);
-   gimp_progress_update (1.0);
- 
-  out:
-+  if (pixels)
-+    g_free (pixels);
-+  if (buffer)
-+    g_object_unref (buffer);
-   if (profile)
-     g_object_unref (profile);
-   if (image)
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb
index fa192555bc..a5e892c508 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb
@@ -46,7 +46,7 @@ DEPENDS:append:libc-musl = " libexecinfo"
 LDFLAGS:append:libc-musl = " -lexecinfo"
-inherit meson gtk-icon-cache mime-xdg pkgconfig gettext gobject-introspection vala
+inherit meson gtk-icon-cache mime-xdg pkgconfig gettext gobject-introspection vala bash-completion
 GIR_MESON_OPTION = 'can-crosscompile-gir'
 VALA_MESON_OPTION = "vala"
@@ -57,16 +57,11 @@ GIDOCGEN_MESON_ENABLE_FLAG = "enabled"
 GIDOCGEN_MESON_DISABLE_FLAG = "disabled"
 SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \
-           file://0001-gimp-cross-compile-fix-for-bz2.patch \
           file://0002-meson.build-reproducibility-fix.patch \
           file://0001-meson.build-dont-check-for-lgi.patch \
           file://0001-meson.build-require-iso-codes-native.patch \
-           file://CVE-2025-14422.patch \
-           file://CVE-2025-14423.patch \
-           file://CVE-2025-14424.patch \
-           file://CVE-2025-14425.patch \
           "
-SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"
+SRC_URI[sha256sum] = "feb498acc01b26827cff1ff95aa8fb82cdd6a60d7abf773cfcd19abeafca3386"
 PACKAGECONFIG[aa] = "-Daa=enabled,-Daa=disabled,aalib"
 PACKAGECONFIG[alsa] = "-Dalsa=enabled,-Dalsa=disabled,alsa-lib"

diff --git a/meta-gnome/recipes-gimp/gimp/gimp/0001-gimp-cross-compile-fix-for-bz2.patch b/meta-gnome/recipes-gimp/gimp/gimp/0001-gimp-cross-compile-fix-for-bz2.patch deleted file mode 100644 index 380e425f25..0000000000 --- a/meta-gnome/recipes-gimp/gimp/gimp/0001-gimp-cross-compile-fix-for-bz2.patch +++ /dev/null
@@ -1,30 +0,0 @@
1	From a7e40e19d17404cf5ec4135fc1becd5a90f5e1e1 Mon Sep 17 00:00:00 2001
2	From: Markus Volk <f_l_k@t-online.de>
3	Date: Wed, 25 Dec 2024 07:27:04 +0100
4	Subject: [PATCH] gimp: cross-compile fix for bz2
5
6	autotools bzip2 build does not create pkgconfig files so looking for the dependency fails.
7
8	Signed-off-by: Markus Volk <f_l_k@t-online.de>
9
10	Upstream-Status: Inappropriate [can probably be removed once bzip2 is built with meson or cmake]
11	---
12	meson.build \| 2 +-
13	1 file changed, 1 insertion(+), 1 deletion(-)
14
15	diff --git a/meson.build b/meson.build
16	index 4e48f8c64c..d5dce47015 100644
17	--- a/meson.build
18	+++ b/meson.build
19	@@ -777,7 +777,7 @@ zlib = dependency('zlib')
20	zlib = dependency('zlib')
21
22	# Compiler-provided headers can't be found in crossroads environment
23	-if not meson.is_cross_build()
24	+if true
25	bz2 = cc.find_library('bz2')
26	else
27	bz2 = dependency('bzip2')
28	--
29	2.47.1
30


diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch deleted file mode 100644 index 420e013916..0000000000 --- a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch +++ /dev/null
@@ -1,66 +0,0 @@
1	From 0a941cab81396d65a8ab547847f8c542039e214f Mon Sep 17 00:00:00 2001
2	From: Gyorgy Sarvari <skandigraun@gmail.com>
3	Date: Sun, 23 Nov 2025 16:43:51 +0000
4	Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273
5
6	From: Alx Sa <cmyk.student@gmail.com>
7
8	Resolves #15286
9	Adds a check to the memory allocation
10	in pnm_load_raw () with g_size_checked_mul ()
11	to see if the size would go out of bounds.
12	If so, we don't try to allocate and load the
13	image.
14
15	CVE: CVE-2025-14422
16	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/4ff2d773d58064e6130495de498e440f4a6d5edb]
17	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
18	---
19	plug-ins/common/file-pnm.c \| 13 +++++++++++--
20	1 file changed, 11 insertions(+), 2 deletions(-)
21
22	diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c
23	index 32a33a4..9d349e9 100644
24	--- a/plug-ins/common/file-pnm.c
25	+++ b/plug-ins/common/file-pnm.c
26	@@ -674,7 +674,7 @@ load_image (GFile *file,
27	GError **error)
28	{
29	GInputStream *input;
30	- GeglBuffer *buffer;
31	+ GeglBuffer *buffer = NULL;
32	GimpImage * volatile image = NULL;
33	GimpLayer *layer;
34	char buf[BUFLEN + 4]; /* buffer for random things like scanning */
35	@@ -708,6 +708,9 @@ load_image (GFile *file,
36	g_object_unref (input);
37	g_free (pnminfo);
38
39	+ if (buffer)
40	+ g_object_unref (buffer);
41	+
42	if (image)
43	gimp_image_delete (image);
44
45	@@ -1060,6 +1063,7 @@ pnm_load_raw (PNMScanner *scan,
46	const Babl *format = NULL;
47	gint bpc;
48	guchar data, d;
49	+ gsize data_size;
50	gushort *s;
51	gint x, y, i;
52	gint start, end, scanlines;
53	@@ -1070,7 +1074,12 @@ pnm_load_raw (PNMScanner *scan,
54	bpc = 1;
55
56	/* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */
57	- data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc);
58	+ if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) \|\|
59	+ ! g_size_checked_mul (&data_size, data_size, info->np) \|\|
60	+ ! g_size_checked_mul (&data_size, data_size, bpc))
61	+ CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value."));
62	+
63	+ data = g_new (guchar, data_size);
64
65	input = pnmscanner_input (scan);
66


diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch deleted file mode 100644 index 50a0adfe89..0000000000 --- a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch +++ /dev/null
@@ -1,106 +0,0 @@
1	From a83e8c4ad8ffbce40aa9f9a0f49880e802ef7da1 Mon Sep 17 00:00:00 2001
2	From: Gyorgy Sarvari <skandigraun@gmail.com>
3	Date: Sun, 23 Nov 2025 04:22:49 +0000
4	Subject: [PATCH] plug-ins: Fix ZDI-CAN-28311
5
6	From: Alx Sa <cmyk.student@gmail.com>
7
8	Resolves #15292
9	The IFF specification states that EHB format images
10	have exactly 32 colors in their palette. However, it
11	is possible for images in the wild to place an incorrect
12	palette size. This patch checks for this, and either limits
13	the palette size or breaks accordingly.
14
15	CVE: CVE-2025-14423
16	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/481cdbbb97746be1145ec3a633c567a68633c521]
17	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
18	---
19	plug-ins/common/file-iff.c \| 32 ++++++++++++++++++++++----------
20	1 file changed, 22 insertions(+), 10 deletions(-)
21
22	diff --git a/plug-ins/common/file-iff.c b/plug-ins/common/file-iff.c
23	index d144a96..f087947 100644
24	--- a/plug-ins/common/file-iff.c
25	+++ b/plug-ins/common/file-iff.c
26	@@ -337,7 +337,7 @@ load_image (GFile *file,
27	width = bitMapHeader->w;
28	height = bitMapHeader->h;
29	nPlanes = bitMapHeader->nPlanes;
30	- row_length = (width + 15) / 16;
31	+ row_length = ((width + 15) / 16) * 2;
32	pixel_size = nPlanes / 8;
33	aspect_x = bitMapHeader->xAspect;
34	aspect_y = bitMapHeader->yAspect;
35	@@ -375,6 +375,18 @@ load_image (GFile *file,
36	{
37	/* EHB mode adds 32 more colors. Each are half the RGB values
38	* of the first 32 colors */
39	+ if (palette_size < 32)
40	+ {
41	+ g_set_error (error, G_FILE_ERROR,
42	+ g_file_error_from_errno (errno),
43	+ _("Invalid ILBM colormap size"));
44	+ return NULL;
45	+ }
46	+ else if (palette_size > 32)
47	+ {
48	+ palette_size = 32;
49	+ }
50	+
51	for (gint j = 0; j < palette_size * 2; j++)
52	{
53	gint offset_index = j + 32;
54	@@ -386,7 +398,7 @@ load_image (GFile *file,
55	gimp_cmap[offset_index * 3 + 2] =
56	colorMap->colorRegister[j].blue / 2;
57	}
58	- /* EHB mode always has 64 colors */
59	+ /* EHB mode always has 64 colors in total */
60	palette_size = 64;
61	}
62	}
63	@@ -447,7 +459,7 @@ load_image (GFile *file,
64	{
65	guchar *pixel_row;
66
67	- pixel_row = g_malloc (width * pixel_size * sizeof (guchar));
68	+ pixel_row = g_malloc0 (width * pixel_size);
69
70	/* PBM uses one byte per pixel index */
71	if (ILBM_imageIsPBM (true_image))
72	@@ -459,7 +471,7 @@ load_image (GFile *file,
73	else
74	deleave_rgb_row (bitplanes, pixel_row, width, nPlanes, pixel_size);
75
76	- bitplanes += (row_length * 2 * nPlanes);
77	+ bitplanes += (row_length * nPlanes);
78
79	gegl_buffer_set (buffer, GEGL_RECTANGLE (0, y_height, width, 1), 0,
80	NULL, pixel_row, GEGL_AUTO_ROWSTRIDE);
81	@@ -528,7 +540,7 @@ deleave_ham_row (const guchar *gimp_cmap,
82	/* Deleave rows */
83	for (gint i = 0; i < row_length; i++)
84	{
85	- for (gint j = 0; j < 8; j++)
86	+ for (gint j = 0; j < nPlanes; j++)
87	{
88	guint8 bitmask = (1 << (8 - j)) - (1 << (7 - j));
89	guint8 control = 0;
90	@@ -590,11 +602,11 @@ deleave_ham_row (const guchar *gimp_cmap,
91	}
92
93	static void
94	-deleave_rgb_row (IFF_UByte *bitplanes,
95	- guchar *pixel_row,
96	- gint width,
97	- gint nPlanes,
98	- gint pixel_size)
99	+deleave_rgb_row (IFF_UByte *bitplanes,
100	+ guchar *pixel_row,
101	+ gint width,
102	+ gint nPlanes,
103	+ gint pixel_size)
104	{
105	gint row_length = ((width + 15) / 16) * 2;
106	gint current_pixel = 0;


diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14424.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14424.patch deleted file mode 100644 index e7821d3109..0000000000 --- a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14424.patch +++ /dev/null
@@ -1,34 +0,0 @@
1	From d30875b606085316b1cb7ac1da0d26e5bac0cf2c Mon Sep 17 00:00:00 2001
2	From: Gyorgy Sarvari <skandigraun@gmail.com>
3	Date: Thu, 13 Nov 2025 18:26:51 -0500
4	Subject: [PATCH] app: fix #15288 crash when loading malformed xcf
5
6	From: Jacob Boerema <jgboerema@gmail.com>
7
8	ZDI-CAN-28376 vulnerability
9
10	Add extra tests to not crash on a NULL g_class.
11
12	CVE: CVE-2025-14424
13	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/5cc55d078b7fba995cef77d195fac325ee288ddd]
14	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
15	---
16	app/core/gimpitemlist.c \| 5 ++++-
17	1 file changed, 4 insertions(+), 1 deletion(-)
18
19	diff --git a/app/core/gimpitemlist.c b/app/core/gimpitemlist.c
20	index 6473938..a431519 100644
21	--- a/app/core/gimpitemlist.c
22	+++ b/app/core/gimpitemlist.c
23	@@ -345,7 +345,10 @@ gimp_item_list_named_new (GimpImage *image,
24	g_return_val_if_fail (GIMP_IS_IMAGE (image), NULL);
25
26	for (iter = items; iter; iter = iter->next)
27	- g_return_val_if_fail (g_type_is_a (G_OBJECT_TYPE (iter->data), item_type), NULL);
28	+ {
29	+ g_return_val_if_fail (iter->data && ((GTypeInstance*) (iter->data))->g_class, NULL);
30	+ g_return_val_if_fail (g_type_is_a (G_OBJECT_TYPE (iter->data), item_type), NULL);
31	+ }
32
33	if (! items)
34	{


diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch deleted file mode 100644 index 44e9587570..0000000000 --- a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch +++ /dev/null
@@ -1,79 +0,0 @@
1	From 042e27792026460badbe49664c02fe181e95cb2b Mon Sep 17 00:00:00 2001
2	From: Gyorgy Sarvari <skandigraun@gmail.com>
3	Date: Wed, 12 Nov 2025 13:25:44 +0000
4	Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28248 for JP2 images
5
6	From: Alx Sa <cmyk.student@gmail.com>
7
8	Resolves #15285
9	Per the report, it's possible to exceed the size of the pixel buffer
10	with a high precision_scaled value, as we size it to the width * bpp.
11	This patch includes precision_scaled in the allocation calculation.
12	It also adds a g_size_checked_mul () check to ensure there's no
13	overflow, and moves the pixel and buffer memory freeing to occur
14	in the out section so that it always runs even on failure.
15
16	CVE: CVE-2025-14425
17	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/cd1c88a0364ad1444c06536731972a99bd8643fd]
18	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
19	---
20	plug-ins/common/file-jp2-load.c \| 23 ++++++++++++++++-------
21	1 file changed, 16 insertions(+), 7 deletions(-)
22
23	diff --git a/plug-ins/common/file-jp2-load.c b/plug-ins/common/file-jp2-load.c
24	index 064b616..604313a 100644
25	--- a/plug-ins/common/file-jp2-load.c
26	+++ b/plug-ins/common/file-jp2-load.c
27	@@ -1045,14 +1045,15 @@ load_image (GimpProcedure *procedure,
28	GimpColorProfile *profile = NULL;
29	GimpImage *gimp_image = NULL;
30	GimpLayer *layer;
31	+ GeglBuffer *buffer = NULL;
32	+ guchar *pixels = NULL;
33	+ gsize pixels_size;
34	GimpImageType image_type;
35	GimpImageBaseType base_type;
36	gint width;
37	gint height;
38	gint num_components;
39	- GeglBuffer *buffer;
40	gint i, j, k, it;
41	- guchar *pixels;
42	const Babl *file_format;
43	gint bpp;
44	GimpPrecision image_precision;
45	@@ -1318,7 +1319,15 @@ load_image (GimpProcedure *procedure,
46	bpp = babl_format_get_bytes_per_pixel (file_format);
47
48	buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
49	- pixels = g_new0 (guchar, width * bpp);
50	+
51	+ if (! g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8))))
52	+ {
53	+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
54	+ _("Defined row size is too large in JP2 image '%s'."),
55	+ gimp_file_get_utf8_name (file));
56	+ goto out;
57	+ }
58	+ pixels = g_new0 (guchar, pixels_size);
59
60	for (i = 0; i < height; i++)
61	{
62	@@ -1344,13 +1353,13 @@ load_image (GimpProcedure *procedure,
63	gegl_buffer_set (buffer, GEGL_RECTANGLE (0, i, width, 1), 0,
64	file_format, pixels, GEGL_AUTO_ROWSTRIDE);
65	}
66	-
67	- g_free (pixels);
68	-
69	- g_object_unref (buffer);
70	gimp_progress_update (1.0);
71
72	out:
73	+ if (pixels)
74	+ g_free (pixels);
75	+ if (buffer)
76	+ g_object_unref (buffer);
77	if (profile)
78	g_object_unref (profile);
79	if (image)


diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb index fa192555bc..a5e892c508 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb
@@ -46,7 +46,7 @@ DEPENDS:append:libc-musl = " libexecinfo"
46		46
47	LDFLAGS:append:libc-musl = " -lexecinfo"	47	LDFLAGS:append:libc-musl = " -lexecinfo"
48		48
49	inherit meson gtk-icon-cache mime-xdg pkgconfig gettext gobject-introspection vala	49	inherit meson gtk-icon-cache mime-xdg pkgconfig gettext gobject-introspection vala bash-completion
50		50
51	GIR_MESON_OPTION = 'can-crosscompile-gir'	51	GIR_MESON_OPTION = 'can-crosscompile-gir'
52	VALA_MESON_OPTION = "vala"	52	VALA_MESON_OPTION = "vala"
@@ -57,16 +57,11 @@ GIDOCGEN_MESON_ENABLE_FLAG = "enabled"
57	GIDOCGEN_MESON_DISABLE_FLAG = "disabled"	57	GIDOCGEN_MESON_DISABLE_FLAG = "disabled"
58		58
59	SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \	59	SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \
60	file://0001-gimp-cross-compile-fix-for-bz2.patch \
61	file://0002-meson.build-reproducibility-fix.patch \	60	file://0002-meson.build-reproducibility-fix.patch \
62	file://0001-meson.build-dont-check-for-lgi.patch \	61	file://0001-meson.build-dont-check-for-lgi.patch \
63	file://0001-meson.build-require-iso-codes-native.patch \	62	file://0001-meson.build-require-iso-codes-native.patch \
64	file://CVE-2025-14422.patch \
65	file://CVE-2025-14423.patch \
66	file://CVE-2025-14424.patch \
67	file://CVE-2025-14425.patch \
68	"	63	"
69	SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"	64	SRC_URI[sha256sum] = "feb498acc01b26827cff1ff95aa8fb82cdd6a60d7abf773cfcd19abeafca3386"
70		65
71	PACKAGECONFIG[aa] = "-Daa=enabled,-Daa=disabled,aalib"	66	PACKAGECONFIG[aa] = "-Daa=enabled,-Daa=disabled,aalib"
72	PACKAGECONFIG[alsa] = "-Dalsa=enabled,-Dalsa=disabled,alsa-lib"	67	PACKAGECONFIG[alsa] = "-Dalsa=enabled,-Dalsa=disabled,alsa-lib"