[oe] [meta-gnome][scarthgap][PATCH 4/7] gimp: patch CVE-2026-2044

Thu, 05 Mar 2026 03:07:24 -0800 

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-2044

Pick the patch referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../gimp/gimp/CVE-2026-2044.patch             | 28 +++++++++++++++++++
 meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb  |  1 +
 2 files changed, 29 insertions(+)
 create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2044.patch

diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2044.patch 
b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2044.patch
new file mode 100644
index 0000000000..102dc155da
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2044.patch
@@ -0,0 +1,28 @@
+From af312f516e23521e1d03255263b22ef4b99761d5 Mon Sep 17 00:00:00 2001
+From: Gabriele Barbero <[email protected]>
+Date: Fri, 5 Dec 2025 19:13:01 +0100
+Subject: [PATCH] ZDI-CAN-28158: use g_malloc0 instead of g_malloc
+
+To avoid accessing uninitialized memory, replace calls to g_malloc with
+g_malloc0 which initializes the allocated memory to zero.
+
+CVE: CVE-2026-2044
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/gimp/-/commit/112a5e038f0646eae5ae314988ec074433d2b365]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ plug-ins/common/file-pnm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c
+index f514c2b..c82720c 100644
+--- a/plug-ins/common/file-pnm.c
++++ b/plug-ins/common/file-pnm.c
+@@ -571,7 +571,7 @@ load_image (GFile   *file,
+     return -1;
+ 
+   /* allocate the necessary structures */
+-  pnminfo = g_new (PNMInfo, 1);
++  pnminfo = g_new0 (PNMInfo, 1);
+ 
+   scan = NULL;
+   /* set error handling */
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb 
b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
index 9a969bde7c..4f273a7cbb 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
@@ -55,6 +55,7 @@ SRC_URI = 
"https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
            file://CVE-2025-2760-2.patch \
            file://CVE-2025-2761.patch \
            file://CVE-2026-0797.patch \
+           file://CVE-2026-2044.patch \
            "
 SRC_URI[sha256sum] = 
"50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"
 

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#124869): 
https://lists.openembedded.org/g/openembedded-devel/message/124869
Mute This Topic: https://lists.openembedded.org/mt/118149896/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to