Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14422
Backport the patch referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../gimp/gimp/CVE-2025-14422.patch | 66 +++++++++++++++++++ meta-gnome/recipes-gimp/gimp/gimp_2.10.30.bb | 1 + 2 files changed, 67 insertions(+) create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch new file mode 100644 index 0000000000..3ac4e16b6f --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch @@ -0,0 +1,66 @@ +From 03104e43a71f89678ea40c45dfaad6e1f570f0cc Mon Sep 17 00:00:00 2001 +From: Alx Sa <[email protected]> +Date: Sun, 23 Nov 2025 16:43:51 +0000 +Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273 + +Resolves #15286 +Adds a check to the memory allocation +in pnm_load_raw () with g_size_checked_mul () +to see if the size would go out of bounds. +If so, we don't try to allocate and load the +image. + +(cherry picked from commit 4ff2d773d58064e6130495de498e440f4a6d5edb) + +CVE: CVE-2025-14422 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/1ac19bec2d5938af92e4687ed6721b97514e6644] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + plug-ins/common/file-pnm.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c +index 2132eec..dda44c0 100644 +--- a/plug-ins/common/file-pnm.c ++++ b/plug-ins/common/file-pnm.c +@@ -554,7 +554,7 @@ load_image (GFile *file, + GError **error) + { + GInputStream *input; +- GeglBuffer *buffer; ++ GeglBuffer *buffer = NULL; + gint32 volatile image_ID = -1; + gint32 layer_ID; + char buf[BUFLEN + 4]; /* buffer for random things like scanning */ +@@ -584,6 +584,9 @@ load_image (GFile *file, + g_object_unref (input); + g_free (pnminfo); + ++ if (buffer) ++ g_object_unref (buffer); ++ + if (image_ID != -1) + gimp_image_delete (image_ID); + +@@ -819,6 +822,7 @@ pnm_load_raw (PNMScanner *scan, + GInputStream *input; + gint bpc; + guchar *data, *d; ++ gsize data_size; + gushort *s; + gint x, y, i; + gint start, end, scanlines; +@@ -829,7 +833,12 @@ pnm_load_raw (PNMScanner *scan, + bpc = 1; + + /* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */ +- data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc); ++ if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) || ++ ! g_size_checked_mul (&data_size, data_size, info->np) || ++ ! g_size_checked_mul (&data_size, data_size, bpc)) ++ CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value.")); ++ ++ data = g_new (guchar, data_size); + + input = pnmscanner_input (scan); + diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.30.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.30.bb index 07c9fcf666..c8db9938e4 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.30.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.30.bb @@ -51,6 +51,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \ file://CVE-2023-44441.patch \ file://CVE-2023-44442.patch \ file://CVE-2023-44443_CVE-2023-44444.patch \ + file://CVE-2025-14422.patch \ " SRC_URI[sha256sum] = "88815daa76ed7d4277eeb353358bafa116cd2fcd2c861d95b95135c1d52b67dc"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#125017): https://lists.openembedded.org/g/openembedded-devel/message/125017 Mute This Topic: https://lists.openembedded.org/mt/118237115/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
