diff --git a/gimp-CVE-2025-14422.patch b/gimp-CVE-2025-14422.patch
new file mode 100644
index 0000000..618ad4c
--- /dev/null
+++ b/gimp-CVE-2025-14422.patch
@@ -0,0 +1,63 @@
+From 4ff2d773d58064e6130495de498e440f4a6d5edb Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Sun, 23 Nov 2025 16:43:51 +0000
+Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273
+
+Resolves #15286
+Adds a check to the memory allocation
+in pnm_load_raw () with g_size_checked_mul ()
+to see if the size would go out of bounds.
+If so, we don't try to allocate and load the
+image.
+---
+ plug-ins/common/file-pnm.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c
+index 32a33a4f35..9d349e967e 100644
+--- a/plug-ins/common/file-pnm.c
++++ b/plug-ins/common/file-pnm.c
+@@ -674,7 +674,7 @@ load_image (GFile *file,
+ GError **error)
+ {
+ GInputStream *input;
+- GeglBuffer *buffer;
++ GeglBuffer *buffer = NULL;
+ GimpImage * volatile image = NULL;
+ GimpLayer *layer;
+ char buf[BUFLEN + 4]; /* buffer for random things like scanning */
+@@ -708,6 +708,9 @@ load_image (GFile *file,
+ g_object_unref (input);
+ g_free (pnminfo);
+
++ if (buffer)
++ g_object_unref (buffer);
++
+ if (image)
+ gimp_image_delete (image);
+
+@@ -1060,6 +1063,7 @@ pnm_load_raw (PNMScanner *scan,
+ const Babl *format = NULL;
+ gint bpc;
+ guchar *data, *d;
++ gsize data_size;
+ gushort *s;
+ gint x, y, i;
+ gint start, end, scanlines;
+@@ -1070,7 +1074,12 @@ pnm_load_raw (PNMScanner *scan,
+ bpc = 1;
+
+ /* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */
+- data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc);
++ if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) ||
++ ! g_size_checked_mul (&data_size, data_size, info->np) ||
++ ! g_size_checked_mul (&data_size, data_size, bpc))
++ CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value."));
++
++ data = g_new (guchar, data_size);
+
+ input = pnmscanner_input (scan);
+
+--
+2.52.0
+
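Review bot: The context comment `/* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */` now sits directly above the checked multiplication that replaces the bound it describes, so it is stale and will mislead the next reader; replace it with `/* Reject row-block sizes that overflow gsize before allocating */` or drop it. The message handed to CHECK_FOR_ERROR, `_("Unsupported maximum value.")`, describes a maxval problem rather than an image too large to allocate, so a dedicated string such as `_("Image dimensions are too large.")` would make the failure diagnosable from the log. I read CHECK_FOR_ERROR as jumping to info->jmpbuf so that `data = g_new (guchar, data_size);` is not reached on failure, but the macro is defined outside the hunk and that should be confirmed. pnm_load_raw continues past the end of the hunk.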
diff --git a/gimp-CVE-2025-14423.patch b/gimp-CVE-2025-14423.patch
new file mode 100644
index 0000000..30c0bfc
--- /dev/null
+++ b/gimp-CVE-2025-14423.patch
@@ -0,0 +1,103 @@
+From 481cdbbb97746be1145ec3a633c567a68633c521 Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Sun, 23 Nov 2025 04:22:49 +0000
+Subject: [PATCH] plug-ins: Fix ZDI-CAN-28311
+
+Resolves #15292
+The IFF specification states that EHB format images
+have exactly 32 colors in their palette. However, it
+is possible for images in the wild to place an incorrect
+palette size. This patch checks for this, and either limits
+the palette size or breaks accordingly.
+---
+ plug-ins/common/file-iff.c | 32 ++++++++++++++++++++++----------
+ 1 file changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/plug-ins/common/file-iff.c b/plug-ins/common/file-iff.c
+index d144a96a4c..f0879470c2 100644
+--- a/plug-ins/common/file-iff.c
++++ b/plug-ins/common/file-iff.c
+@@ -337,7 +337,7 @@ load_image (GFile *file,
+ width = bitMapHeader->w;
+ height = bitMapHeader->h;
+ nPlanes = bitMapHeader->nPlanes;
+- row_length = (width + 15) / 16;
++ row_length = ((width + 15) / 16) * 2;
+ pixel_size = nPlanes / 8;
+ aspect_x = bitMapHeader->xAspect;
+ aspect_y = bitMapHeader->yAspect;
+@@ -375,6 +375,18 @@ load_image (GFile *file,
+ {
+ /* EHB mode adds 32 more colors. Each are half the RGB values
+ * of the first 32 colors */
++ if (palette_size < 32)
++ {
++ g_set_error (error, G_FILE_ERROR,
++ g_file_error_from_errno (errno),
++ _("Invalid ILBM colormap size"));
++ return NULL;
++ }
++ else if (palette_size > 32)
++ {
++ palette_size = 32;
++ }
++
+ for (gint j = 0; j < palette_size * 2; j++)
+ {
+ gint offset_index = j + 32;
+@@ -386,7 +398,7 @@ load_image (GFile *file,
+ gimp_cmap[offset_index * 3 + 2] =
+ colorMap->colorRegister[j].blue / 2;
+ }
+- /* EHB mode always has 64 colors */
++ /* EHB mode always has 64 colors in total */
+ palette_size = 64;
+ }
+ }
+@@ -447,7 +459,7 @@ load_image (GFile *file,
+ {
+ guchar *pixel_row;
+
+- pixel_row = g_malloc (width * pixel_size * sizeof (guchar));
++ pixel_row = g_malloc0 (width * pixel_size);
+
+ /* PBM uses one byte per pixel index */
+ if (ILBM_imageIsPBM (true_image))
+@@ -459,7 +471,7 @@ load_image (GFile *file,
+ else
+ deleave_rgb_row (bitplanes, pixel_row, width, nPlanes, pixel_size);
+
+- bitplanes += (row_length * 2 * nPlanes);
++ bitplanes += (row_length * nPlanes);
+
+ gegl_buffer_set (buffer, GEGL_RECTANGLE (0, y_height, width, 1), 0,
+ NULL, pixel_row, GEGL_AUTO_ROWSTRIDE);
+@@ -528,7 +540,7 @@ deleave_ham_row (const guchar *gimp_cmap,
+ /* Deleave rows */
+ for (gint i = 0; i < row_length; i++)
+ {
+- for (gint j = 0; j < 8; j++)
++ for (gint j = 0; j < nPlanes; j++)
+ {
+ guint8 bitmask = (1 << (8 - j)) - (1 << (7 - j));
+ guint8 control = 0;
+@@ -590,11 +602,11 @@ deleave_ham_row (const guchar *gimp_cmap,
+ }
+
+ static void
+-deleave_rgb_row (IFF_UByte *bitplanes,
+- guchar *pixel_row,
+- gint width,
+- gint nPlanes,
+- gint pixel_size)
++deleave_rgb_row (IFF_UByte *bitplanes,
++ guchar *pixel_row,
++ gint width,
++ gint nPlanes,
++ gint pixel_size)
+ {
+ gint row_length = ((width + 15) / 16) * 2;
+ gint current_pixel = 0;
+--
+2.52.0
+
diff --git a/gimp-CVE-2025-14424.patch b/gimp-CVE-2025-14424.patch
new file mode 100644
index 0000000..48483e5
--- /dev/null
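Review bot: The new early return in the EHB branch reports the bad palette with `g_file_error_from_errno (errno)`, but no call in the hunk sets errno, so the GError code is whatever an earlier libc call left behind; this is a format-validation failure, so `g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, _("Invalid ILBM colormap size"));` (or the plug-in's own error domain) would describe it accurately. The loop that follows still runs `palette_size * 2` iterations with `offset_index = j + 32`, so with palette_size clamped to 32 it reads `colorRegister[32..63]` and writes gimp_cmap entries 32 through 95, which does not match the "32 more colors" comment above it; unless colorRegister and gimp_cmap are fixed-size arrays large enough for that, `j < palette_size` looks like the intended bound and is worth confirming against the declarations, which are outside the hunk. Whether anything allocated earlier in load_image needs releasing before the new `return NULL;` is also not visible here.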
+++ b/gimp-CVE-2025-14424.patch
@@ -0,0 +1,31 @@
+From 5cc55d078b7fba995cef77d195fac325ee288ddd Mon Sep 17 00:00:00 2001
+From: Jacob Boerema
+Date: Thu, 13 Nov 2025 18:26:51 -0500
+Subject: [PATCH] app: fix #15288 crash when loading malformed xcf
+
+ZDI-CAN-28376 vulnerability
+
+Add extra tests to not crash on a NULL g_class.
+---
+ app/core/gimpitemlist.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/app/core/gimpitemlist.c b/app/core/gimpitemlist.c
+index 93dfc83427..5aeb4916d8 100644
+--- a/app/core/gimpitemlist.c
++++ b/app/core/gimpitemlist.c
+@@ -345,7 +345,10 @@ gimp_item_list_named_new (GimpImage *image,
+ g_return_val_if_fail (GIMP_IS_IMAGE (image), NULL);
+
+ for (iter = items; iter; iter = iter->next)
+- g_return_val_if_fail (g_type_is_a (G_OBJECT_TYPE (iter->data), item_type), NULL);
++ {
++ g_return_val_if_fail (iter->data && ((GTypeInstance*) (iter->data))->g_class, NULL);
++ g_return_val_if_fail (g_type_is_a (G_OBJECT_TYPE (iter->data), item_type), NULL);
++ }
+
+ if (! items)
+ {
+--
+2.52.0
+
diff --git a/gimp-CVE-2025-14425.patch b/gimp-CVE-2025-14425.patch
new file mode 100644
index 0000000..f833a76
--- /dev/null
+++ b/gimp-CVE-2025-14425.patch
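Review bot: The new NULL-g_class guard is written as `g_return_val_if_fail`, which is a programmer-error assertion that compiles out when G_DISABLE_CHECKS is defined, so a build made that way loses exactly the protection against malformed XCF input this patch adds; an unconditional test, `if (! iter->data || ! ((GTypeInstance *) iter->data)->g_class) return NULL;` (with a g_warning if desired), keeps it in every build. The guard also only helps while the instance memory is still readable and g_class happens to be NULL, which is an implementation detail rather than a contract; the XCF loader handing over such an item is the underlying defect, and that code is not in this hunk. gimp_item_list_named_new continues outside the hunk.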
@@ -0,0 +1,69 @@
+From cd1c88a0364ad1444c06536731972a99bd8643fd Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Wed, 12 Nov 2025 13:25:44 +0000
+Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28248 for JP2 images
+
+Resolves #15285
+Per the report, it's possible to exceed the size of the pixel buffer
+with a high precision_scaled value, as we size it to the width * bpp.
+This patch includes precision_scaled in the allocation calculation.
+It also adds a g_size_checked_mul () check to ensure there's no
+overflow, and moves the pixel and buffer memory freeing to occur
+in the out section so that it always runs even on failure.
+---
+diff -urp gimp-3.0.6.orig/plug-ins/common/file-jp2-load.c gimp-3.0.6/plug-ins/common/file-jp2-load.c
+--- gimp-3.0.6.orig/plug-ins/common/file-jp2-load.c 2025-10-05 12:14:02.000000000 -0500
++++ gimp-3.0.6/plug-ins/common/file-jp2-load.c 2026-01-16 13:01:30.366333187 -0600
+@@ -1045,14 +1045,15 @@ load_image (GimpProcedure *procedure
+ GimpColorProfile *profile = NULL;
+ GimpImage *gimp_image = NULL;
+ GimpLayer *layer;
++ GeglBuffer *buffer = NULL;
++ guchar *pixels = NULL;
++ gsize pixels_size;
+ GimpImageType image_type;
+ GimpImageBaseType base_type;
+ gint width;
+ gint height;
+ gint num_components;
+- GeglBuffer *buffer;
+ gint i, j, k, it;
+- guchar *pixels;
+ const Babl *file_format;
+ gint bpp;
+ GimpPrecision image_precision;
+@@ -1318,7 +1319,15 @@ load_image (GimpProcedure *procedure
+ bpp = babl_format_get_bytes_per_pixel (file_format);
+
+ buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
+- pixels = g_new0 (guchar, width * bpp);
++
++ if (! g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8))))
++ {
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("Defined row size is too large in JP2 image '%s'."),
++ gimp_file_get_utf8_name (file));
++ goto out;
++ }
++ pixels = g_new0 (guchar, pixels_size);
+
+ for (i = 0; i < height; i++)
+ {
+@@ -1344,13 +1353,13 @@ load_image (GimpProcedure *procedure
+ gegl_buffer_set (buffer, GEGL_RECTANGLE (0, i, width, 1), 0,
+ file_format, pixels, GEGL_AUTO_ROWSTRIDE);
+ }
+-
+- g_free (pixels);
+-
+- g_object_unref (buffer);
+ gimp_progress_update (1.0);
+
+ out:
++ if (pixels)
++ g_free (pixels);
++ if (buffer)
++ g_object_unref (buffer);
+ if (profile)
+ g_object_unref (profile);
+ if (image)
diff --git a/gimp.changes b/gimp.changes
index 33ab4df..448e5b9 100644
--- a/gimp.changes
+++ b/gimp.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Jan 16 17:52:35 UTC 2026 - Michael Gorse
+
+- Add CVE fixes:
+ + gimp-CVE-2025-14422.patch (bsc#1255293 CVE-2025-14422)
+ + gimp-CVE-2025-14423.patch (bsc#1255294 CVE-2025-14423)
+ + gimp-CVE-2025-14424.patch (bsc#1255295 CVE-2025-14424)
+ + gimp-CVE-2025-14425.patch (bsc#1255296 CVE-2025-14425)
+
 -------------------------------------------------------------------
 Wed Jan 7 06:06:45 UTC 2026 - Xiaoguang Wang
 
diff --git a/gimp.spec b/gimp.spec
index 7d0368d..c208c05 100644
--- a/gimp.spec
+++ b/gimp.spec
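Review bot: Only the outer product is overflow-checked: `(bpp * (precision_scaled / 8))` is still evaluated in plain gint arithmetic before `g_size_checked_mul` sees it, so a large precision_scaled can wrap that factor before the check runs; chaining the checks, `if (! g_size_checked_mul (&pixels_size, bpp, precision_scaled / 8) ||` followed by `    ! g_size_checked_mul (&pixels_size, pixels_size, width))`, covers both multiplications. If precision_scaled can be smaller than 8, `precision_scaled / 8` is 0 and pixels_size becomes 0, so the row loop that fills `pixels` (outside the hunk) would write into a zero-length allocation — the range of precision_scaled is not visible here and should be confirmed where it is derived. The `if (pixels)` and `if (buffer)` guards in the out: block are harmless, though `g_free (NULL)` is already a no-op. load_image begins and ends outside the hunk.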
@@ -102,6 +102,14 @@ Patch2: gimp-2.99.19-external-help-browser.patch
 Patch3: gimp-2.99.19-no-phone-home-default.patch
 # PATCH-FIX-UPSTREAM gimp-CVE-2025-15059.patch CVE-2025-15059 bsc#1255766 xwang@suse.com -- vulnerability in file-psp
 Patch4: gimp-CVE-2025-15059.patch
+# PATCH-FIX-UPSTREAM gimp-CVE-2025-14422.patch bsc#1255293 mgorse@suse.com -- fix an overflow in the pnm parser.
+Patch5: gimp-CVE-2025-14422.patch
+# PATCH-FIX-UPSTREAM gimp-CVE-2025-14423.patch bsc#1255294 mgorse@suse.com -- fix an overflow parsing LBM files.
+Patch6: gimp-CVE-2025-14423.patch
+# PATCH-FIX-UPSTREAM gimp-CVE-2025-14424.patch bsc#1255295 mgorse@suse.com -- fix a use after free in the XCF parser.
+Patch7: gimp-CVE-2025-14424.patch
+# PATCH-FIX-UPSTREAM gimp-CVE-2025-14425.patch bsc#1255296 mgorse@suse.com -- fix an overflow when reading jp2 files.
+Patch8: gimp-CVE-2025-14425.patch
 %if %{with debug_in_build_gimp}
 BuildRequires: gdb
 %endif
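Review bot: The comment on Patch7 describes gimp-CVE-2025-14424.patch as "fix a use after free in the XCF parser", while that patch's own subject says it fixes a crash on a NULL g_class when loading a malformed XCF (ZDI-CAN-28376); the two read as different bugs, so either align the wording, e.g. `# PATCH-FIX-UPSTREAM gimp-CVE-2025-14424.patch bsc#1255295 mgorse@suse.com -- avoid a crash on a NULL g_class when loading a malformed XCF.`, or state that the NULL g_class is the symptom of the use-after-free if that is known. The hunk only declares Patch5 through Patch8; whether the spec applies them via %autopatch or explicit %patch lines is outside the hunk and worth a glance.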