From: Ankur Tyagi <[email protected]> Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14422
Signed-off-by: Ankur Tyagi <[email protected]> --- .../gimp/gimp/CVE-2025-14422.patch | 64 +++++++++++++++++++ meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | 4 +- 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch new file mode 100644 index 0000000000..acaf5f199b --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch @@ -0,0 +1,64 @@ +From bea9e174a3c4c02338f6c64bab05e6a8c667c09f Mon Sep 17 00:00:00 2001 +From: Alx Sa <[email protected]> +Date: Sun, 23 Nov 2025 16:43:51 +0000 +Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273 + +Resolves #15286 +Adds a check to the memory allocation +in pnm_load_raw () with g_size_checked_mul () +to see if the size would go out of bounds. +If so, we don't try to allocate and load the +image. + +CVE: CVE-2025-14422 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/4ff2d773d58064e6130495de498e440f4a6d5edb] +Signed-off-by: Ankur Tyagi <[email protected]> +--- + plug-ins/common/file-pnm.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c +index 2132eeccf4..f514c2b1d7 100644 +--- a/plug-ins/common/file-pnm.c ++++ b/plug-ins/common/file-pnm.c +@@ -554,7 +554,7 @@ load_image (GFile *file, + GError **error) + { + GInputStream *input; +- GeglBuffer *buffer; ++ GeglBuffer *buffer = NULL; + gint32 volatile image_ID = -1; + gint32 layer_ID; + char buf[BUFLEN + 4]; /* buffer for random things like scanning */ +@@ -584,6 +584,9 @@ load_image (GFile *file, + g_object_unref (input); + g_free (pnminfo); + ++ if (buffer) ++ g_object_unref (buffer); ++ + if (image_ID != -1) + gimp_image_delete (image_ID); + +@@ -819,6 +822,7 @@ pnm_load_raw (PNMScanner *scan, + GInputStream *input; + gint bpc; + guchar *data, *d; ++ gsize data_size; + gushort *s; + gint x, y, i; + gint start, end, scanlines; +@@ -829,7 +833,12 @@ pnm_load_raw (PNMScanner *scan, + bpc = 1; + + /* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */ +- data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc); ++ if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) || ++ ! g_size_checked_mul (&data_size, data_size, info->np) || ++ ! g_size_checked_mul (&data_size, data_size, bpc)) ++ CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value.")); ++ ++ data = g_new (guchar, data_size); + + input = pnmscanner_input (scan); + diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb index 32b51dcdb5..096f40f79d 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb @@ -46,7 +46,9 @@ SHPV = "${@gnome_verdir("${PV}")}" SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \ file://0001-configure-Keep-first-line-of-compiler-version-string.patch \ - file://0001-libtool-Do-not-add-build-time-library-paths-to-LD_LI.patch" + file://0001-libtool-Do-not-add-build-time-library-paths-to-LD_LI.patch \ + file://CVE-2025-14422.patch \ +" SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e" EXTRA_OECONF = "--disable-python \
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#123352): https://lists.openembedded.org/g/openembedded-devel/message/123352 Mute This Topic: https://lists.openembedded.org/mt/117219565/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
