pool/gimp
SHA256
19
0
Fork 4
Code Issues Pull Requests 3 Activity

CVE-2025-15059: Add gimp-CVE-2025-15059.patch #3

Open
xiaoguang_wang wants to merge 1 commits from xiaoguang_wang/gimp:leap-16.0 into leap-16.0
pull from: xiaoguang_wang/gimp:leap-16.0
merge into: pool:leap-16.0
Conversation 4 Commits 1 Files Changed 3 +46
3 changed files with 46 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
gimp-CVE-2025-15059.patch Normal file
View File

@@ -0,0 +1,38 @@
From 03575ac8cbb0ef3103b0a15d6598475088dcc15e Mon Sep 17 00:00:00 2001
From: Jacob Boerema <jgboerema@gmail.com>
Date: Sat, 20 Dec 2025 10:10:48 -0500
Subject: [PATCH] plug-ins: fix #15284 ZDI-CAN-28232 vulnerability in file-psp
We were not checking whether channel types were valid for grayscale
images. Using a blue color channel caused an invalid computation of
the offset which could cause us to access an invalid memory location.
Now we separate RGB from non-RGB images when checking which channels
are valid, and if not return with an error.
---
plug-ins/common/file-psp.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index f00251c573..3f6970561f 100644
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -2171,11 +2171,12 @@ read_layer_block (FILE *f,
}
else
{
- if (channel_type > PSP_CHANNEL_BLUE)
+ if ((ia->base_type == GIMP_RGB && channel_type > PSP_CHANNEL_BLUE) ||
+ (ia->base_type != GIMP_RGB && channel_type >= PSP_CHANNEL_RED))
{
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
- _("Invalid channel type %d in channel information chunk"),
- channel_type);
+ _("Invalid channel type %d in channel information chunk"),
+ channel_type);
return NULL;
}
--
2.51.0

6
gimp.changes
View File

@@ -1,3 +1,9 @@
-------------------------------------------------------------------
Wed Jan 7 06:06:45 UTC 2026 - Xiaoguang Wang <xiaoguang.wang@suse.com>
- Add gimp-CVE-2025-15059.patch: vulnerability in file-psp
(CVE-2025-15059, ZDI-CAN-28232, bsc#1255766).
-------------------------------------------------------------------
Mon May 19 06:52:00 UTC 2025 - Paolo Stivanin <info@paolostivanin.com>

2
gimp.spec
View File

@@ -100,6 +100,8 @@ Source2: openSUSE.gpl
Patch1: gimp-2.99.19-cm-system-monitor-profile-by-default.patch
Patch2: gimp-2.99.19-external-help-browser.patch
Patch3: gimp-2.99.19-no-phone-home-default.patch
# PATCH-FIX-UPSTREAM gimp-CVE-2025-15059.patch CVE-2025-15059 bsc#1255766 xwang@suse.com -- vulnerability in file-psp
Patch4: gimp-CVE-2025-15059.patch
%if %{with debug_in_build_gimp}
BuildRequires: gdb
%endif