Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2761
Pick the patch from the relevant upstream bug[1]. [1]: https://gitlab.gnome.org/GNOME/gimp/-/issues/13073 Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../gimp/gimp/CVE-2025-2761.patch | 34 +++++++++++++++++++ meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | 1 + 2 files changed, 35 insertions(+) create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2761.patch diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2761.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2761.patch new file mode 100644 index 0000000000..670f6d9269 --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2761.patch @@ -0,0 +1,34 @@ +From 658a8a07b831b82bd9e9592c18f21e4d4d7392af Mon Sep 17 00:00:00 2001 +From: Alx Sa <[email protected]> +Date: Mon, 10 Mar 2025 04:07:44 +0000 +Subject: [PATCH] plug-ins: Fix ZDI-CAN-25100 for FLI plug-in + +Resolves #13073 +This patch adds a check to make sure we're not +writing beyond the bounds of the "pos" array. +This is the same check that we do earlier when +writing pos[xc++], but it was left off of the last +write command. Since "n" will be 0 if we get to the +end of the array, it prevents us from writing beyond +that. + +CVE: CVE-2025-2761 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/0806bc76ca74543d20e1307ccf6aebd26395c56c] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + plug-ins/file-fli/fli.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/plug-ins/file-fli/fli.c b/plug-ins/file-fli/fli.c +index c2e28e4..209b5ec 100644 +--- a/plug-ins/file-fli/fli.c ++++ b/plug-ins/file-fli/fli.c +@@ -1026,7 +1026,7 @@ fli_read_lc_2 (FILE *f, + xc += len << 1; + } + } +- if (lpf) ++ if (lpf && xc < n) + pos[xc] = lpn; + yc++; + } diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb index afb1cd69e5..a04b3d0e4c 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb @@ -53,6 +53,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \ file://CVE-2025-15059.patch \ file://CVE-2025-2760-1.patch \ file://CVE-2025-2760-2.patch \ + file://CVE-2025-2761.patch \ " SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#124867): https://lists.openembedded.org/g/openembedded-devel/message/124867 Mute This Topic: https://lists.openembedded.org/mt/118149894/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
