From: Ankur Tyagi <[email protected]> Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14425
Patch referenced by the nvd report is for the file "file-jp2.c" which was renamed from "file-jp2-load.c" by commit[1] in the later versions. [1] https://gitlab.gnome.org/GNOME/gimp/-/commit/19c57a9765ac3451c9cde94ccb06bec5ae06fbd8 Signed-off-by: Ankur Tyagi <[email protected]> --- .../gimp/gimp/CVE-2025-14425.patch | 70 +++++++++++++++++++ meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | 1 + 2 files changed, 71 insertions(+) create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch new file mode 100644 index 0000000000..459516ec9e --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch @@ -0,0 +1,70 @@ +From 012406d60ca09239403ce989cf9e793b82e47e74 Mon Sep 17 00:00:00 2001 +From: Alx Sa <[email protected]> +Date: Wed, 12 Nov 2025 13:25:44 +0000 +Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28248 for JP2 images + +Resolves #15285 +Per the report, it's possible to exceed the size of the pixel buffer +with a high precision_scaled value, as we size it to the width * bpp. +This patch includes precision_scaled in the allocation calculation. +It also adds a g_size_checked_mul () check to ensure there's no +overflow, and moves the pixel and buffer memory freeing to occur +in the out section so that it always runs even on failure. + +CVE: CVE-2025-14425 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/cd1c88a0364ad1444c06536731972a99bd8643fd] +Signed-off-by: Ankur Tyagi <[email protected]> +--- + plug-ins/common/file-jp2-load.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/plug-ins/common/file-jp2-load.c b/plug-ins/common/file-jp2-load.c +index 9ab43b5349..d29278a4d2 100644 +--- a/plug-ins/common/file-jp2-load.c ++++ b/plug-ins/common/file-jp2-load.c +@@ -1055,9 +1055,10 @@ load_image (const gchar *filename, + gint width; + gint height; + gint num_components; +- GeglBuffer *buffer; ++ GeglBuffer *buffer = NULL; + gint i, j, k, it; +- guchar *pixels; ++ guchar *pixels = NULL; ++ gsize pixels_size; + const Babl *file_format; + gint bpp; + GimpPrecision image_precision; +@@ -1298,7 +1299,14 @@ load_image (const gchar *filename, + bpp = babl_format_get_bytes_per_pixel (file_format); + + buffer = gimp_drawable_get_buffer (layer_ID); +- pixels = g_new0 (guchar, width * bpp); ++ if (! g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8)))) ++ { ++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, ++ _("Defined row size is too large in JP2 image '%s'."), ++ gimp_file_get_utf8_name (filename)); ++ goto out; ++ } ++ pixels = g_new0 (guchar, pixels_size); + + for (i = 0; i < height; i++) + { +@@ -1325,12 +1333,13 @@ load_image (const gchar *filename, + file_format, pixels, GEGL_AUTO_ROWSTRIDE); + } + +- g_free (pixels); +- +- g_object_unref (buffer); + gimp_progress_update (1.0); + + out: ++ if (pixels) ++ g_free (pixels); ++ if (buffer) ++ g_object_unref (buffer); + if (profile) + g_object_unref (profile); + if (image) diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb index 096f40f79d..68daac776d 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb @@ -48,6 +48,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \ file://0001-configure-Keep-first-line-of-compiler-version-string.patch \ file://0001-libtool-Do-not-add-build-time-library-paths-to-LD_LI.patch \ file://CVE-2025-14422.patch \ + file://CVE-2025-14425.patch \ " SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#123353): https://lists.openembedded.org/g/openembedded-devel/message/123353 Mute This Topic: https://lists.openembedded.org/mt/117219566/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
