Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package gimp for openSUSE:Factory checked in at 2026-01-18 22:18:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gimp (Old) and /work/SRC/openSUSE:Factory/.gimp.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gimp" Sun Jan 18 22:18:31 2026 rev:162 rq:1327775 version:3.0.6 Changes: -------- --- /work/SRC/openSUSE:Factory/gimp/gimp.changes 2026-01-08 15:26:27.658644388 +0100 +++ /work/SRC/openSUSE:Factory/.gimp.new.1928/gimp.changes 2026-01-18 22:19:05.488169271 +0100 @@ -1,0 +2,9 @@ +Fri Jan 16 17:52:35 UTC 2026 - Michael Gorse <[email protected]> + +- Add CVE fixes: + + gimp-CVE-2025-14422.patch (bsc#1255293 CVE-2025-14422) + + gimp-CVE-2025-14423.patch (bsc#1255294 CVE-2025-14423) + + gimp-CVE-2025-14424.patch (bsc#1255295 CVE-2025-14424) + + gimp-CVE-2025-14425.patch (bsc#1255296 CVE-2025-14425) + +------------------------------------------------------------------- New: ---- gimp-CVE-2025-14422.patch gimp-CVE-2025-14423.patch gimp-CVE-2025-14424.patch gimp-CVE-2025-14425.patch ----------(New B)---------- New:- Add CVE fixes: + gimp-CVE-2025-14422.patch (bsc#1255293 CVE-2025-14422) + gimp-CVE-2025-14423.patch (bsc#1255294 CVE-2025-14423) New: + gimp-CVE-2025-14422.patch (bsc#1255293 CVE-2025-14422) + gimp-CVE-2025-14423.patch (bsc#1255294 CVE-2025-14423) + gimp-CVE-2025-14424.patch (bsc#1255295 CVE-2025-14424) New: + gimp-CVE-2025-14423.patch (bsc#1255294 CVE-2025-14423) + gimp-CVE-2025-14424.patch (bsc#1255295 CVE-2025-14424) + gimp-CVE-2025-14425.patch (bsc#1255296 CVE-2025-14425) New: + gimp-CVE-2025-14424.patch (bsc#1255295 CVE-2025-14424) + gimp-CVE-2025-14425.patch (bsc#1255296 CVE-2025-14425) ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gimp.spec ++++++ --- /var/tmp/diff_new_pack.9lDjIz/_old 2026-01-18 22:19:07.556254244 +0100 +++ /var/tmp/diff_new_pack.9lDjIz/_new 2026-01-18 22:19:07.576255066 +0100 
@@ -102,6 +102,14 @@
 Patch3: gimp-2.99.19-no-phone-home-default.patch
 # PATCH-FIX-UPSTREAM gimp-CVE-2025-15059.patch CVE-2025-15059 bsc#1255766 [email protected] -- vulnerability in file-psp
 Patch4: gimp-CVE-2025-15059.patch
+# PATCH-FIX-UPSTREAM gimp-CVE-2025-14422.patch bsc#1255293 [email protected] -- fix an overflow in the pnm parser.
+Patch5: gimp-CVE-2025-14422.patch
+# PATCH-FIX-UPSTREAM gimp-CVE-2025-14423.patch bsc#1255294 [email protected] -- fix an overflow parsing LBM files.
+Patch6: gimp-CVE-2025-14423.patch
+# PATCH-FIX-UPSTREAM gimp-CVE-2025-14424.patch bsc#1255295 [email protected] -- fix a use after free in the XCF parser.
+Patch7: gimp-CVE-2025-14424.patch
+# PATCH-FIX-UPSTREAM gimp-CVE-2025-14425.patch bsc#1255296 [email protected] -- fix an overflow when reading jp2 files.
+Patch8: gimp-CVE-2025-14425.patch
 %if %{with debug_in_build_gimp}
 BuildRequires: gdb
 %endif
++++++ gimp-CVE-2025-14422.patch ++++++
>From 4ff2d773d58064e6130495de498e440f4a6d5edb Mon Sep 17 00:00:00 2001
From: Alx Sa <[email protected]>
Date: Sun, 23 Nov 2025 16:43:51 +0000
Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273
Resolves #15286 Adds a check to the memory allocation in pnm_load_raw () with g_size_checked_mul () to see if the size would go out of bounds. If so, we don't try to allocate and load the image.
---
 plug-ins/common/file-pnm.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c
index 32a33a4f35..9d349e967e 100644
--- a/plug-ins/common/file-pnm.c
+++ b/plug-ins/common/file-pnm.c
@@ -674,7 +674,7 @@ load_image (GFile *file,
 GError **error)
 {
 GInputStream *input;
- GeglBuffer *buffer;
+ GeglBuffer *buffer = NULL;
 GimpImage * volatile image = NULL;
 GimpLayer *layer;
 char buf[BUFLEN + 4]; /* buffer for random things like scanning */
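Review bot: The hunk only declares Patch5 through Patch8; whether they are applied depends on the `%prep` section, which is outside this hunk. If the spec uses explicit `%patch -P N -p1` lines rather than `%autosetup -p1` or `%autopatch`, four matching lines are needed there, otherwise the build ships without the CVE fixes while the changelog claims them. A quick check that the built source carries the new code (for example `g_size_checked_mul` in file-pnm.c) would confirm the patches took effect.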
@@ -708,6 +708,9 @@ load_image (GFile *file,
 g_object_unref (input);
 g_free (pnminfo);
+ if (buffer)
+ g_object_unref (buffer);
+
 if (image)
 gimp_image_delete (image);
@@ -1060,6 +1063,7 @@ pnm_load_raw (PNMScanner *scan,
 const Babl *format = NULL;
 gint bpc;
 guchar *data, *d;
+ gsize data_size;
 gushort *s;
 gint x, y, i;
 gint start, end, scanlines;
@@ -1070,7 +1074,12 @@ pnm_load_raw (PNMScanner *scan,
 bpc = 1;
 /* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */
- data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc);
+ if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) ||
+ ! g_size_checked_mul (&data_size, data_size, info->np) ||
+ ! g_size_checked_mul (&data_size, data_size, bpc))
+ CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value."));
+
+ data = g_new (guchar, data_size);
 input = pnmscanner_input (scan);
-- 2.52.0
++++++ gimp-CVE-2025-14423.patch ++++++
>From 481cdbbb97746be1145ec3a633c567a68633c521 Mon Sep 17 00:00:00 2001
From: Alx Sa <[email protected]>
Date: Sun, 23 Nov 2025 04:22:49 +0000
Subject: [PATCH] plug-ins: Fix ZDI-CAN-28311
Resolves #15292 The IFF specification states that EHB format images have exactly 32 colors in their palette. However, it is possible for images in the wild to place an incorrect palette size. This patch checks for this, and either limits the palette size or breaks accordingly.
---
 plug-ins/common/file-iff.c | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)
diff --git a/plug-ins/common/file-iff.c b/plug-ins/common/file-iff.c
index d144a96a4c..f0879470c2 100644
--- a/plug-ins/common/file-iff.c
+++ b/plug-ins/common/file-iff.c
@@ -337,7 +337,7 @@ load_image (GFile *file,
 width = bitMapHeader->w;
 height = bitMapHeader->h;
 nPlanes = bitMapHeader->nPlanes;
- row_length = (width + 15) / 16;
+ row_length = ((width + 15) / 16) * 2;
 pixel_size = nPlanes / 8;
 aspect_x = bitMapHeader->xAspect;
 aspect_y = bitMapHeader->yAspect;
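Review bot: The overflow branch calls `CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value."));` with a constant FALSE predicate; if the macro raises when its predicate is true, as its name and the file's other uses suggest (its definition is not in this hunk), this never longjmps and control falls through to `data = g_new (guchar, data_size);` with a `data_size` that GLib documents as undefined after a failed g_size_checked_mul, so the patch would not actually block the oversized allocation. Please confirm the macro's polarity; the robust form is to pass the overflow condition itself as the predicate, or at minimum `CHECK_FOR_ERROR (TRUE, info->jmpbuf, _("Image dimensions too large."));` since "Unsupported maximum value" describes maxval, not a width/plane overflow. The retained context comment `/* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */` describes the removed unchecked multiply and is now stale; drop it or replace it with `/* data_size is overflow-checked above; xres/np come from the untrusted header */`. Even a size that passes the check is attacker-chosen and `g_new` aborts the plug-in on allocation failure, so `g_try_malloc` followed by `CHECK_FOR_ERROR (data == NULL, ...)` would turn a crash into a reported error. pnm_load_raw continues outside the hunk.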
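Review bot: `row_length` changes unit on this line, from 16-bit words to bytes, but the only consumer adjusted in this patch is the `bitplanes +=` advance further down; any other use of `row_length` in load_image, in particular a check that `height * row_length * nPlanes` fits inside the decoded bitplane body if one exists outside the hunk, must use the same unit or it will under-estimate by half. `deleave_rgb_row` computes its own `((width + 15) / 16) * 2` instead of taking `row_length`, so two definitions now have to stay in sync; a comment on this line such as `/* bytes per bitplane row, padded to a 16-bit word boundary */` would make the unit explicit. The neighbouring `pixel_size = nPlanes / 8;` is 0 for fewer than 8 planes, which later sizes a row buffer (see the g_malloc0 hunk). load_image continues outside the hunk.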
@@ -375,6 +375,18 @@ load_image (GFile *file,
 {
 /* EHB mode adds 32 more colors. Each are half the RGB values
 * of the first 32 colors */
+ if (palette_size < 32)
+ {
+ g_set_error (error, G_FILE_ERROR,
+ g_file_error_from_errno (errno),
+ _("Invalid ILBM colormap size"));
+ return NULL;
+ }
+ else if (palette_size > 32)
+ {
+ palette_size = 32;
+ }
+
 for (gint j = 0; j < palette_size * 2; j++)
 {
 gint offset_index = j + 32;
@@ -386,7 +398,7 @@ load_image (GFile *file,
 gimp_cmap[offset_index * 3 + 2] = colorMap->colorRegister[j].blue / 2;
 }
- /* EHB mode always has 64 colors */
+ /* EHB mode always has 64 colors in total */
 palette_size = 64;
 }
 }
@@ -447,7 +459,7 @@ load_image (GFile *file,
 {
 guchar *pixel_row;
- pixel_row = g_malloc (width * pixel_size * sizeof (guchar));
+ pixel_row = g_malloc0 (width * pixel_size);
 /* PBM uses one byte per pixel index */
 if (ILBM_imageIsPBM (true_image))
@@ -459,7 +471,7 @@ load_image (GFile *file,
 else
 deleave_rgb_row (bitplanes, pixel_row, width, nPlanes, pixel_size);
- bitplanes += (row_length * 2 * nPlanes);
+ bitplanes += (row_length * nPlanes);
 gegl_buffer_set (buffer, GEGL_RECTANGLE (0, y_height, width, 1), 0, NULL, pixel_row, GEGL_AUTO_ROWSTRIDE);
@@ -528,7 +540,7 @@ deleave_ham_row (const guchar *gimp_cmap,
 /* Deleave rows */
 for (gint i = 0; i < row_length; i++)
 {
- for (gint j = 0; j < 8; j++)
+ for (gint j = 0; j < nPlanes; j++)
 {
 guint8 bitmask = (1 << (8 - j)) - (1 << (7 - j));
 guint8 control = 0;
@@ -590,11 +602,11 @@ deleave_ham_row (const guchar *gimp_cmap,
 }
 static void
-deleave_rgb_row (IFF_UByte *bitplanes,
- guchar *pixel_row,
- gint width,
- gint nPlanes,
- gint pixel_size)
+deleave_rgb_row (IFF_UByte *bitplanes,
+ guchar *pixel_row,
+ gint width,
+ gint nPlanes,
+ gint pixel_size)
 {
 gint row_length = ((width + 15) / 16) * 2;
 gint current_pixel = 0;
-- 2.52.0
++++++ gimp-CVE-2025-14424.patch ++++++
>From 5cc55d078b7fba995cef77d195fac325ee288ddd Mon Sep 17 00:00:00 2001
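Review bot: After clamping `palette_size` to 32, the unchanged loop `for (gint j = 0; j < palette_size * 2; j++)` still indexes `colorMap->colorRegister[j]` for j up to 63; if the colormap holds only `palette_size` registers that is a read past its end of the same kind this patch targets, and the comment above it (32 derived colors, each half of the first 32) suggests the bound should be `j < 32` with `offset_index = j + 32`. Separately, `g_file_error_from_errno (errno)` reports whatever errno was left behind by an earlier call, since no system call failed here, so the code should be a fixed `G_FILE_ERROR_FAILED`, or `GIMP_PLUG_IN_ERROR, 0` as the companion JP2 patch uses. The early `return NULL` must also release whatever load_image allocated before this point (image, IFF structures), which is outside the hunk. load_image continues outside the hunk.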
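Review bot: `pixel_row = g_malloc0 (width * pixel_size);` allocates zero bytes when `pixel_size` is 0, which the assignment `pixel_size = nPlanes / 8` from this patch's first hunk yields for any nPlanes below 8; g_malloc0 returns NULL for a zero size and the deleave calls below would then write through it. Unless this branch is reachable only for nPlanes >= 8 (the enclosing condition is above the hunk), a guard such as `if (pixel_size == 0) return NULL;` with an error set is needed before the allocation. The switch to g_malloc0 also keeps uninitialised bytes out of the image when a row is only partly decoded; a one-line comment `/* zeroed: a row may be only partially filled by the deleave helpers */` would record why. load_image continues outside the hunk.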
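Review bot: Widening the inner loop bound from 8 to `nPlanes` makes `guint8 bitmask = (1 << (8 - j)) - (1 << (7 - j));` shift by a negative count for j >= 8, which is undefined behaviour, unless nPlanes is validated to be at most 8 before deleave_ham_row is reached (not visible here; the function starts above the hunk). HAM6/HAM8 files carry 6 or 8 planes, so a `g_return_if_fail (nPlanes <= 8);` at the top of deleave_ham_row, or rejecting such files in load_image, keeps the new bound safe against a crafted nPlanes.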
From: Jacob Boerema <[email protected]>
Date: Thu, 13 Nov 2025 18:26:51 -0500
Subject: [PATCH] app: fix #15288 crash when loading malformed xcf ZDI-CAN-28376 vulnerability Add extra tests to not crash on a NULL g_class.
---
 app/core/gimpitemlist.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/app/core/gimpitemlist.c b/app/core/gimpitemlist.c
index 93dfc83427..5aeb4916d8 100644
--- a/app/core/gimpitemlist.c
+++ b/app/core/gimpitemlist.c
@@ -345,7 +345,10 @@ gimp_item_list_named_new (GimpImage *image,
 g_return_val_if_fail (GIMP_IS_IMAGE (image), NULL);
 for (iter = items; iter; iter = iter->next)
- g_return_val_if_fail (g_type_is_a (G_OBJECT_TYPE (iter->data), item_type), NULL);
+ {
+ g_return_val_if_fail (iter->data && ((GTypeInstance*) (iter->data))->g_class, NULL);
+ g_return_val_if_fail (g_type_is_a (G_OBJECT_TYPE (iter->data), item_type), NULL);
+ }
 if (! items)
 {
-- 2.52.0
++++++ gimp-CVE-2025-14425.patch ++++++
>From cd1c88a0364ad1444c06536731972a99bd8643fd Mon Sep 17 00:00:00 2001
From: Alx Sa <[email protected]>
Date: Wed, 12 Nov 2025 13:25:44 +0000
Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28248 for JP2 images
Resolves #15285 Per the report, it's possible to exceed the size of the pixel buffer with a high precision_scaled value, as we size it to the width * bpp. This patch includes precision_scaled in the allocation calculation. It also adds a g_size_checked_mul () check to ensure there's no overflow, and moves the pixel and buffer memory freeing to occur in the out section so that it always runs even on failure.
---
diff -urp gimp-3.0.6.orig/plug-ins/common/file-jp2-load.c gimp-3.0.6/plug-ins/common/file-jp2-load.c
--- gimp-3.0.6.orig/plug-ins/common/file-jp2-load.c 2025-10-05 12:14:02.000000000 -0500
+++ gimp-3.0.6/plug-ins/common/file-jp2-load.c 2026-01-16 13:01:30.366333187 -0600
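Review bot: `g_return_val_if_fail` is a programmer-error assertion that compiles to nothing when GLib is built with `G_DISABLE_CHECKS`, so the new guard does not reliably reject state produced by a malformed file; and evaluating `((GTypeInstance*) (iter->data))->g_class` still reads through a pointer that, per the commit message, may refer to a freed object, which is a use-after-free read rather than a fix for it. The stale or NULL entry in `items` presumably originates in the XCF loader; dropping or rejecting it there, before the list reaches gimp_item_list_named_new, would address the cause, whereas this hunk only makes the symptom less likely to crash. If the check stays, a comment such as `/* Defensive: a malformed XCF can hand us a NULL or already-freed item (#15288) */` would explain why a core function validates its input this way. gimp_item_list_named_new continues outside the hunk.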
@@ -1045,14 +1045,15 @@ load_image (GimpProcedure *procedure
 GimpColorProfile *profile = NULL;
 GimpImage *gimp_image = NULL;
 GimpLayer *layer;
+ GeglBuffer *buffer = NULL;
+ guchar *pixels = NULL;
+ gsize pixels_size;
 GimpImageType image_type;
 GimpImageBaseType base_type;
 gint width;
 gint height;
 gint num_components;
- GeglBuffer *buffer;
 gint i, j, k, it;
- guchar *pixels;
 const Babl *file_format;
 gint bpp;
 GimpPrecision image_precision;
@@ -1318,7 +1319,15 @@ load_image (GimpProcedure *procedure
 bpp = babl_format_get_bytes_per_pixel (file_format);
 buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
- pixels = g_new0 (guchar, width * bpp);
+
+ if (! g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8))))
+ {
+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
+ _("Defined row size is too large in JP2 image '%s'."),
+ gimp_file_get_utf8_name (file));
+ goto out;
+ }
+ pixels = g_new0 (guchar, pixels_size);
 for (i = 0; i < height; i++)
 {
@@ -1344,13 +1353,13 @@ load_image (GimpProcedure *procedure
 gegl_buffer_set (buffer, GEGL_RECTANGLE (0, i, width, 1), 0,
 file_format, pixels, GEGL_AUTO_ROWSTRIDE);
 }
-
- g_free (pixels);
-
- g_object_unref (buffer);
 gimp_progress_update (1.0);
 out:
+ if (pixels)
+ g_free (pixels);
+ if (buffer)
+ g_object_unref (buffer);
 if (profile)
 g_object_unref (profile);
 if (image)
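Review bot: The inner factor `(bpp * (precision_scaled / 8))` is computed in plain int arithmetic before the checked multiply, and it is zero whenever precision_scaled is below 8, which makes `pixels_size` 0 and `g_new0` return NULL for the row loop to write through; if precision_scaled can be that small (its derivation is above the hunk), the check should also reject an empty row, e.g. chain `g_size_checked_mul (&pixels_size, bpp, precision_scaled / 8)` first and add `|| pixels_size == 0` to the condition. Even a size that passes is attacker-chosen and `g_new0` aborts the plug-in on allocation failure instead of returning, so `g_try_malloc0` with a NULL check routed to the same `goto out` error path would turn that into a reported error. load_image continues outside the hunk.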
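Review bot: The `if (pixels)` guard on the new `out:` path is redundant because `g_free` accepts NULL, so `g_free (pixels);` can stand alone; the `if (buffer)` guard is needed, since `g_object_unref` does not, and it matches the existing `if (profile)` style on the next lines. Moving both releases under `out:` is the right change, as the `goto out` added above would otherwise leak the layer buffer; a one-line comment `/* reached on success and on every goto-out error path */` above the label would record that intent. load_image continues outside the hunk.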
