Control: tags 1116470 + patch
Control: tags 1116470 + pending
Dear maintainer,

I've prepared an NMU for gegl (versioned as 1:0.4.62-3.1) and uploaded it to DELAYED/10. Please feel free to tell me if I should cancel it (or supersede it, or we can reschedule to have it uploaded earlier).

Regards,
Salvatore
diffstat for gegl-0.4.62 gegl-0.4.62 changelog | 8 +++++ patches/rgbe-fix-430-zdi-can-27803.patch | 47 +++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 56 insertions(+) diff -Nru gegl-0.4.62/debian/changelog gegl-0.4.62/debian/changelog --- gegl-0.4.62/debian/changelog 2025-09-08 10:20:17.000000000 +0200 +++ gegl-0.4.62/debian/changelog 2025-10-03 17:37:16.000000000 +0200 @@ -1,3 +1,11 @@ +gegl (1:0.4.62-3.1) unstable; urgency=medium + + * Non-maintainer upload. + * ZDI-CAN-27803: GIMP HDR File Parsing Heap-based Buffer Overflow Remote + Code Execution Vulnerability (CVE-2025-10921) (Closes: #1116470) + + -- Salvatore Bonaccorso <[email protected]> Fri, 03 Oct 2025 17:37:16 +0200 + gegl (1:0.4.62-3) unstable; urgency=medium * Team upload diff -Nru gegl-0.4.62/debian/patches/rgbe-fix-430-zdi-can-27803.patch gegl-0.4.62/debian/patches/rgbe-fix-430-zdi-can-27803.patch --- gegl-0.4.62/debian/patches/rgbe-fix-430-zdi-can-27803.patch 1970-01-01 01:00:00.000000000 +0100 +++ gegl-0.4.62/debian/patches/rgbe-fix-430-zdi-can-27803.patch 2025-10-03 17:36:56.000000000 +0200 
@@ -0,0 +1,47 @@ +From: Jacob Boerema <[email protected]> +Date: Thu, 4 Sep 2025 13:36:56 -0400 +Subject: rgbe: fix #430 zdi-can-27803 +Origin: https://gitlab.gnome.org/GNOME/gegl/-/commit/0e68b7471dabf2800d780819c19bd5e6462f565f +Bug: https://gitlab.gnome.org/GNOME/gegl/-/issues/430 +Bug-Debian: https://bugs.debian.org/1116470 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-10921 + +HDR File Parsing Heap-based Buffer Overflow Remote Code Execution +Vulnerability. + +Now checks if linesize isn't larger than size allocated and returns +FALSE with a warning if it is. +--- + libs/rgbe/rgbe.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/libs/rgbe/rgbe.c b/libs/rgbe/rgbe.c +index eedde2660eb0..9ef8fb520480 100644 +--- a/libs/rgbe/rgbe.c ++++ b/libs/rgbe/rgbe.c +@@ -624,6 +624,7 @@ rgbe_read_new_rle (const rgbe_file *file, + { + const guint8 *data; + guint16 linesize; ++ guint32 max_size; + guint i; + guint component; + gfloat *pixoffset[RGBE_NUM_RGBE] = +@@ -646,6 +647,14 @@ rgbe_read_new_rle (const rgbe_file *file, + data = (guint8 *)g_mapped_file_get_contents (file->file) + *cursor; + g_return_val_if_fail (data[OFFSET_R] == 2 && data[OFFSET_G] == 2, FALSE); + linesize = (data[OFFSET_B] << 8) | data[OFFSET_E]; ++ max_size = file->header.x_axis.size * file->header.y_axis.size * RGBE_NUM_RGBE; ++ ++ if (RGBE_NUM_RGBE * linesize > max_size) ++ { ++ g_warning ("Invalid linesize %u is larger than maximum %u\n", ++ RGBE_NUM_RGBE * linesize, max_size); ++ return FALSE; ++ } + + data += RGBE_NUM_RGBE; + +-- +2.51.0 + diff -Nru gegl-0.4.62/debian/patches/series gegl-0.4.62/debian/patches/series --- gegl-0.4.62/debian/patches/series 2025-09-08 10:20:17.000000000 +0200 +++ gegl-0.4.62/debian/patches/series 2025-10-03 17:35:48.000000000 +0200 @@ -1 +1,2 @@ debian/docs-Exclude-remote-image-from-API-reference.patch +rgbe-fix-430-zdi-can-27803.patch
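Review bot: In the libs/rgbe/rgbe.c hunk at @@ -646,6 +647,14 @@, the new check compares RGBE_NUM_RGBE * linesize with the size of the whole image (x_axis.size * y_axis.size * RGBE_NUM_RGBE), not with one scanline or with the space left in the destination buffer, so a linesize wider than a single row still passes whenever the image has more than one row. If linesize is meant to be the width of one scanline, bounding it by file->header.x_axis.size (or by the pixels remaining from the current output offset) would be the tighter check. As a style point, g_warning appends its own newline, so the trailing "\n" in the format string can be dropped.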
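Review bot: In the libs/rgbe/rgbe.c hunk at @@ -624,6 +624,7 @@, max_size is declared as guint32, yet it later receives the product of two header dimensions and RGBE_NUM_RGBE, which can wrap in 32 bits for large header values unless those sizes are range-checked elsewhere. A wrapped max_size would make the new comparison operate on a truncated number. Consider a 64-bit type (guint64 or gsize) with the first operand widened before multiplying, or an explicit overflow check on the header sizes.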

