Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package gimp for openSUSE:Factory checked in at 2025-09-29 16:30:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gimp (Old) and /work/SRC/openSUSE:Factory/.gimp.new.11973 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gimp" Mon Sep 29 16:30:45 2025 rev:156 rq:1307201 version:3.0.4 Changes: -------- --- /work/SRC/openSUSE:Factory/gimp/gimp.changes 2025-08-21 16:57:42.277889171 +0200 +++ /work/SRC/openSUSE:Factory/.gimp.new.11973/gimp.changes 2025-09-29 16:30:48.510849929 +0200 @@ -1,0 +2,6 @@ +Thu Sep 25 10:29:33 UTC 2025 - Alynx Zhou <[email protected]> + +- Add gimp-CVE-2025-10924.patch: Fix integer overflow while parsing + FF files. (CVE-2025-10924, bsc#1250499) + +------------------------------------------------------------------- New: ---- gimp-CVE-2025-10924.patch ----------(New B)---------- New: - Add gimp-CVE-2025-10924.patch: Fix integer overflow while parsing FF files. (CVE-2025-10924, bsc#1250499) ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gimp.spec ++++++ --- /var/tmp/diff_new_pack.0a6HMy/_old 2025-09-29 16:30:49.414887819 +0200 +++ /var/tmp/diff_new_pack.0a6HMy/_new 2025-09-29 16:30:49.418887986 +0200 @@ -100,6 +100,8 @@ Patch1: gimp-2.99.19-cm-system-monitor-profile-by-default.patch Patch2: gimp-2.99.19-external-help-browser.patch Patch3: gimp-2.99.19-no-phone-home-default.patch +# PATCH-FIX-UPSTREAM gimp-CVE-2025-10924.patch CVE-2025-10924 bsc#1250499 [email protected] -- Fix integer overflow while parsing FF files +Patch4: gimp-CVE-2025-10924.patch %if %{with debug_in_build_gimp} BuildRequires: gdb %endif ++++++ gimp-CVE-2025-10924.patch ++++++ >From 53b18653bca9404efeab953e75960b1cf7dedbed Mon Sep 17 00:00:00 2001 
From: Alx Sa <[email protected]> Date: Wed, 3 Sep 2025 22:10:34 +0000 Subject: [PATCH] plug-ins: Fix ZDI-CAN-27836 ZDI-CAN-27836: GIMP FF File Parsing Integer Overflow Remote Code Execution Vulnerability This patch increases the row_size data type to gsize and checks if it would overflow based on the width given. It also makes sure the image size does not exceed GIMP's image size limits. --- plug-ins/common/file-farbfeld.c | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/plug-ins/common/file-farbfeld.c b/plug-ins/common/file-farbfeld.c index f610fa439a..921e4e35cc 100644 --- a/plug-ins/common/file-farbfeld.c +++ b/plug-ins/common/file-farbfeld.c @@ -261,7 +261,7 @@ load_image (GFile *file, guchar magic_number[8]; guint32 width; guint32 height; - guint32 row_size; + gsize row_size; const Babl *format = babl_format ("R'G'B'A u16"); FILE *fp; @@ -282,13 +282,24 @@ load_image (GFile *file, { g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno), _("Failed to read Farbfeld header")); + fclose (fp); return NULL; } /* Header information is stored in Big-Endian format */ width = GUINT32_FROM_BE (width); height = GUINT32_FROM_BE (height); - row_size = width * sizeof (guint16) * 4; + + if (width > GIMP_MAX_IMAGE_SIZE || + height > GIMP_MAX_IMAGE_SIZE || + ! g_size_checked_mul (&row_size, width, (sizeof (guint16) * 4))) + { + g_set_error (error, GIMP_PLUG_IN_ERROR, 0, + _("Image dimensions too large: width %d x height %d"), + width, height); + fclose (fp); + return NULL; + } image = gimp_image_new_with_precision (width, height, GIMP_RGB, GIMP_PRECISION_U16_NON_LINEAR); 
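Review bot: Zero dimensions still pass the new bounds check in the `@@ -282,13 +282,24 @@` hunk, because it only tests `width > GIMP_MAX_IMAGE_SIZE` and `height > GIMP_MAX_IMAGE_SIZE`. A header with width 0 then reaches `gimp_image_new_with_precision` and yields a `row_size` of 0, for which `g_try_malloc` returns NULL, so a malformed file would be reported as an out-of-memory condition. Adding `width == 0 || height == 0 ||` to the condition rejects such a header where it is parsed. The error message also formats the `guint32` fields with `%d`; `%u` matches the type. `load_image` starts and ends outside this hunk.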
@@ -298,12 +309,19 @@ load_image (GFile *file, gimp_image_get_default_new_layer_mode (image)); gimp_image_insert_layer (image, layer, NULL, 0); - buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer)); + pixels = g_try_malloc (row_size); + if (pixels == NULL) + { + g_set_error (error, GIMP_PLUG_IN_ERROR, 0, + _("There was not enough memory to complete the " + "operation.")); + fclose (fp); + return NULL; + } + buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer)); for (gint i = 0; i < height; i++) { - pixels = g_malloc (row_size); - if (! fread (pixels, row_size, 1, fp)) { g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno), @@ -318,9 +336,8 @@ load_image (GFile *file, gegl_buffer_set (buffer, GEGL_RECTANGLE (0, i, width, 1), 0, format, pixels, GEGL_AUTO_ROWSTRIDE); - - g_free (pixels); } + g_free (pixels); fclose (fp); g_object_unref (buffer); -- GitLab
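Review bot: The new `pixels == NULL` branch in the `@@ -298,12 +309,19 @@` hunk returns NULL after `gimp_image_new_with_precision` and `gimp_image_insert_layer` have already run, so the partly built image is not released on that path. Either add `gimp_image_delete (image);` before `fclose (fp);` in that branch, or move the `g_try_malloc` call above the image creation so nothing needs unwinding. `load_image` starts and ends outside this hunk.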
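Review bot: Since `g_free (pixels)` in the `@@ -318,9 +336,8 @@` hunk now runs only after the loop, any early return inside the loop skips it. The `fread` failure branch, whose `g_set_error` call is visible at the end of the previous hunk, continues in lines that fall between the two hunks and are not shown. If that branch returns there, it should call `g_free (pixels);` first, and presumably also `g_object_unref (buffer);` and `fclose (fp);`, to match the cleanup this patch adds to the other error paths. A short comment at the allocation, such as `/* one row buffer, reused for every row and freed after the loop */`, would make the ownership clear to the next reader.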
