2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch
new file mode 100644
index 0000000000..a8f23d3501
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch
@@ -0,0 +1,55 @@
+From 4af78023ce7d3b5e3cec422a59bb4f48fa4f5886 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Fri, 11 Jul 2025 11:02:05 -0400
+Subject: [PATCH] jpeg: Be more careful with chunked icc data
+We we inadvertendly trusting the sequence numbers not to lie.
+If they do we would report a larger data size than we actually
+allocated, leading to out of bounds memory access in base64
+encoding later on.
+This has been assigned CVE-2025-7345.
+Fixes: #249
+CVE: CVE-2025-7345
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/4af78023ce7d3b5e3cec422a59bb4f48fa4f5886]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ gdk-pixbuf/io-jpeg.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
+index 3841fc0..9ee1d21 100644
+--- a/gdk-pixbuf/io-jpeg.c
+++ b/gdk-pixbuf/io-jpeg.c
+@@ -356,6 +356,7 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
+                context->icc_profile = g_new (gchar, chunk_size);
+                /* copy the segment data to the profile space */
+                memcpy (context->icc_profile, marker->data + 14, chunk_size);
+                ret = TRUE;
+                goto out;
+        }
+@@ -377,12 +378,15 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
+        /* copy the segment data to the profile space */
+        memcpy (context->icc_profile + offset, marker->data + 14, chunk_size);
+-       /* it's now this big plus the new data we've just copied */
+-       context->icc_profile_size += chunk_size;
+        context->icc_profile_size = MAX (context->icc_profile_size, offset + chunk_size);
+        /* success */
+        ret = TRUE;
+ out:
+        if (!ret) {
+                g_free (context->icc_profile);
+                context->icc_profile = NULL;
+        }
+        return ret;
+ }
+--
+2.40.0
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb
index 96487a284a..48f3c778c9 100644
--- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb
@@ -20,6 +20,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
           file://run-ptest \
           file://fatal-loader.patch \
           file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \
+           file://CVE-2025-7345.patch \
           "
 SRC_URI[sha256sum] = "b9505b3445b9a7e48ced34760c3bcb73e966df3ac94c95a148cb669ab748e3c7"

diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch new file mode 100644 index 0000000000..a8f23d3501 --- /dev/null +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch
@@ -0,0 +1,55 @@
		1	From 4af78023ce7d3b5e3cec422a59bb4f48fa4f5886 Mon Sep 17 00:00:00 2001
		2	From: Matthias Clasen <mclasen@redhat.com>
		3	Date: Fri, 11 Jul 2025 11:02:05 -0400
		4	Subject: [PATCH] jpeg: Be more careful with chunked icc data
		5
		6	We we inadvertendly trusting the sequence numbers not to lie.
		7	If they do we would report a larger data size than we actually
		8	allocated, leading to out of bounds memory access in base64
		9	encoding later on.
		10
		11	This has been assigned CVE-2025-7345.
		12
		13	Fixes: #249
		14
		15	CVE: CVE-2025-7345
		16
		17	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/4af78023ce7d3b5e3cec422a59bb4f48fa4f5886]
		18
		19	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		20	---
		21	gdk-pixbuf/io-jpeg.c \| 8 ++++++--
		22	1 file changed, 6 insertions(+), 2 deletions(-)
		23
		24	diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
		25	index 3841fc0..9ee1d21 100644
		26	--- a/gdk-pixbuf/io-jpeg.c
		27	+++ b/gdk-pixbuf/io-jpeg.c
		28	@@ -356,6 +356,7 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
		29	context->icc_profile = g_new (gchar, chunk_size);
		30	/* copy the segment data to the profile space */
		31	memcpy (context->icc_profile, marker->data + 14, chunk_size);
		32	+ ret = TRUE;
		33	goto out;
		34	}
		35
		36	@@ -377,12 +378,15 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
		37	/* copy the segment data to the profile space */
		38	memcpy (context->icc_profile + offset, marker->data + 14, chunk_size);
		39
		40	- /* it's now this big plus the new data we've just copied */
		41	- context->icc_profile_size += chunk_size;
		42	+ context->icc_profile_size = MAX (context->icc_profile_size, offset + chunk_size);
		43
		44	/* success */
		45	ret = TRUE;
		46	out:
		47	+ if (!ret) {
		48	+ g_free (context->icc_profile);
		49	+ context->icc_profile = NULL;
		50	+ }
		51	return ret;
		52	}
		53
		54	--
		55	2.40.0


diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb index 96487a284a..48f3c778c9 100644 --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb
@@ -20,6 +20,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
20	file://run-ptest \	20	file://run-ptest \
21	file://fatal-loader.patch \	21	file://fatal-loader.patch \
22	file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \	22	file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \
		23	file://CVE-2025-7345.patch \
23	"	24	"
24		25
25	SRC_URI[sha256sum] = "b9505b3445b9a7e48ced34760c3bcb73e966df3ac94c95a148cb669ab748e3c7"	26	SRC_URI[sha256sum] = "b9505b3445b9a7e48ced34760c3bcb73e966df3ac94c95a148cb669ab748e3c7"