There is an additional patch for CVE-2026-0797 that is not mentioned
in the CVE advisory, the related issue, or the related PR; however,
both the change and the commit message show that it is a continuation
of the original fix, which was incomplete.

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 ...-2026-0797.patch => CVE-2026-0797-1.patch} |  0
 .../gimp/gimp/CVE-2026-0797-2.patch           | 62 +++++++++++++++++++
 meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb  |  3 +-
 3 files changed, 64 insertions(+), 1 deletion(-)
 rename meta-gnome/recipes-gimp/gimp/gimp/{CVE-2026-0797.patch => 
CVE-2026-0797-1.patch} (100%)
 create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-2.patch

diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797.patch 
b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-1.patch
similarity index 100%
rename from meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797.patch
rename to meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-1.patch
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-2.patch 
b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-2.patch
new file mode 100644
index 0000000000..e3766240ef
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-2.patch
@@ -0,0 +1,62 @@
+From 48cf2ffa1630af389fe12653f7e57529c2744664 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <[email protected]>
+Date: Sat, 27 Dec 2025 05:24:03 +0000
+Subject: [PATCH] plug-ins: Additional fread () checks in ICO plug-in
+
+From: Alx Sa <[email protected]>
+
+A continuation of c54bf22a that adds checks to the
+initial header loading as well, to prevent reading
+beyond the file size.
+
+CVE: CVE-2026-0797
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/gimp/-/commit/905ce4b48782c5e71c79714b7ba7f6ebe4d0329d]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ plug-ins/file-ico/ico-load.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
+index 7eb9cb7..5068b10 100644
+--- a/plug-ins/file-ico/ico-load.c
++++ b/plug-ins/file-ico/ico-load.c
+@@ -437,16 +437,20 @@ ico_read_icon (FILE    *fp,
+   palette = NULL;
+ 
+   data.header_size = header_size;
+-  ico_read_int32 (fp, &data.width, 1);
+-  ico_read_int32 (fp, &data.height, 1);
+-  ico_read_int16 (fp, &data.planes, 1);
+-  ico_read_int16 (fp, &data.bpp, 1);
+-  ico_read_int32 (fp, &data.compression, 1);
+-  ico_read_int32 (fp, &data.image_size, 1);
+-  ico_read_int32 (fp, &data.x_res, 1);
+-  ico_read_int32 (fp, &data.y_res, 1);
+-  ico_read_int32 (fp, &data.used_clrs, 1);
+-  ico_read_int32 (fp, &data.important_clrs, 1);
++  if (ico_read_int32 (fp, &data.width, 1)   != 4     ||
++      ico_read_int32 (fp, &data.height, 1)  != 4     ||
++      ico_read_int16 (fp, &data.planes, 1)  != 2     ||
++      ico_read_int16 (fp, &data.bpp, 1) != 2         ||
++      ico_read_int32 (fp, &data.compression, 1) != 4 ||
++      ico_read_int32 (fp, &data.image_size, 1) != 4  ||
++      ico_read_int32 (fp, &data.x_res, 1) != 4       ||
++      ico_read_int32 (fp, &data.y_res, 1) != 4       ||
++      ico_read_int32 (fp, &data.used_clrs, 1) != 4   ||
++      ico_read_int32 (fp, &data.important_clrs, 1) != 4)
++    {
++      D(("skipping image: invalid header\n"));
++      return FALSE;
++    }
+ 
+   D(("  header size %i, "
+      "w %i, h %i, planes %i, size %i, bpp %i, used %i, imp %i.\n",
+@@ -509,7 +513,7 @@ ico_read_icon (FILE    *fp,
+ 
+   /* Read in and_map. It's padded out to 32 bits per line: */
+   and_map = ico_alloc_map (w, h, 1, &length);
+-  if (! ico_read_int8 (fp, and_map, length) != length)
++  if (ico_read_int8 (fp, and_map, length) != length)
+     {
+       D(("skipping image: too large\n"));
+       return FALSE;
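Review bot: The error path after `and_map = ico_alloc_map (w, h, 1, &length);` in the second ico-load.c hunk returns FALSE without releasing `and_map`, so a truncated ICO file leaks that buffer (assuming ico_alloc_map returns heap memory, which its use here suggests); adding `g_free (and_map);` before `return FALSE;` would close it. ico_read_icon starts and ends outside the hunk, so whether buffers allocated earlier in the function also need freeing on this path is not visible here and should be checked against the full function. The debug text `"skipping image: too large\n"` also misdescribes a short read; something like `"skipping image: truncated and_map\n"` would make triage of malformed files easier. Since this is a verbatim backport, both points are best raised upstream rather than changed locally.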
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb 
b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
index 4e0dd76744..c9bbc128c6 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
@@ -54,7 +54,8 @@ SRC_URI = 
"https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
            file://CVE-2025-2760-1.patch \
            file://CVE-2025-2760-2.patch \
            file://CVE-2025-2761.patch \
-           file://CVE-2026-0797.patch \
+           file://CVE-2026-0797-1.patch \
+           file://CVE-2026-0797-2.patch \
            file://CVE-2026-2044.patch \
            file://CVE-2026-2045.patch \
            file://CVE-2026-2048.patch \