Add CVE fixes #4

Manually merged
anag_factory merged 2 commits from mgorse/gimp:leap-16.0 into leap-16.0 2026-01-21 14:06:41 +01:00
6 changed files with 283 additions and 0 deletions

63
gimp-CVE-2025-14422.patch Normal file

@@ -0,0 +1,63 @@
From 4ff2d773d58064e6130495de498e440f4a6d5edb Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Sun, 23 Nov 2025 16:43:51 +0000
Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273
Resolves #15286
Adds a check to the memory allocation
in pnm_load_raw () with g_size_checked_mul ()
to see if the size would go out of bounds.
If so, we don't try to allocate and load the
image.
---
plug-ins/common/file-pnm.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c
index 32a33a4f35..9d349e967e 100644
--- a/plug-ins/common/file-pnm.c
+++ b/plug-ins/common/file-pnm.c
@@ -674,7 +674,7 @@ load_image (GFile *file,
GError **error)
{
GInputStream *input;
- GeglBuffer *buffer;
+ GeglBuffer *buffer = NULL;
GimpImage * volatile image = NULL;
GimpLayer *layer;
char buf[BUFLEN + 4]; /* buffer for random things like scanning */
@@ -708,6 +708,9 @@ load_image (GFile *file,
g_object_unref (input);
g_free (pnminfo);
+ if (buffer)
+ g_object_unref (buffer);
+
if (image)
gimp_image_delete (image);
@@ -1060,6 +1063,7 @@ pnm_load_raw (PNMScanner *scan,
const Babl *format = NULL;
gint bpc;
guchar *data, *d;
+ gsize data_size;
gushort *s;
gint x, y, i;
gint start, end, scanlines;
@@ -1070,7 +1074,12 @@ pnm_load_raw (PNMScanner *scan,
bpc = 1;
/* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */
- data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc);
+ if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) ||
+ ! g_size_checked_mul (&data_size, data_size, info->np) ||
+ ! g_size_checked_mul (&data_size, data_size, bpc))
+ CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value."));
+
+ data = g_new (guchar, data_size);
input = pnmscanner_input (scan);
--
2.52.0
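Review bot: The comment `/* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */` that now sits directly above the g_size_checked_mul chain in pnm_load_raw is stale, because the size is checked explicitly rather than assumed; replace it with `/* Size the tile row buffer with checked multiplication; an overflowing product aborts the load via CHECK_FOR_ERROR */`. The failure path reuses the string `_("Unsupported maximum value.")`, which describes a maxval problem rather than an oversized height * width * channels product, so a dedicated message such as `_("Image dimensions are too large.")` would make the rejection easier to diagnose. It is also worth confirming that a negative info->xres is already rejected by the header parser, since the implicit gint-to-gsize conversion in the first g_size_checked_mul call would otherwise turn it into a huge operand that is only caught if the product happens to overflow. pnm_load_raw continues outside the hunk.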

103
gimp-CVE-2025-14423.patch Normal file

@@ -0,0 +1,103 @@
From 481cdbbb97746be1145ec3a633c567a68633c521 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Sun, 23 Nov 2025 04:22:49 +0000
Subject: [PATCH] plug-ins: Fix ZDI-CAN-28311
Resolves #15292
The IFF specification states that EHB format images
have exactly 32 colors in their palette. However, it
is possible for images in the wild to place an incorrect
palette size. This patch checks for this, and either limits
the palette size or breaks accordingly.
---
plug-ins/common/file-iff.c | 32 ++++++++++++++++++++++----------
1 file changed, 22 insertions(+), 10 deletions(-)
diff --git a/plug-ins/common/file-iff.c b/plug-ins/common/file-iff.c
index d144a96a4c..f0879470c2 100644
--- a/plug-ins/common/file-iff.c
+++ b/plug-ins/common/file-iff.c
@@ -337,7 +337,7 @@ load_image (GFile *file,
width = bitMapHeader->w;
height = bitMapHeader->h;
nPlanes = bitMapHeader->nPlanes;
- row_length = (width + 15) / 16;
+ row_length = ((width + 15) / 16) * 2;
pixel_size = nPlanes / 8;
aspect_x = bitMapHeader->xAspect;
aspect_y = bitMapHeader->yAspect;
@@ -375,6 +375,18 @@ load_image (GFile *file,
{
/* EHB mode adds 32 more colors. Each are half the RGB values
* of the first 32 colors */
+ if (palette_size < 32)
+ {
+ g_set_error (error, G_FILE_ERROR,
+ g_file_error_from_errno (errno),
+ _("Invalid ILBM colormap size"));
+ return NULL;
+ }
+ else if (palette_size > 32)
+ {
+ palette_size = 32;
+ }
+
for (gint j = 0; j < palette_size * 2; j++)
{
gint offset_index = j + 32;
@@ -386,7 +398,7 @@ load_image (GFile *file,
gimp_cmap[offset_index * 3 + 2] =
colorMap->colorRegister[j].blue / 2;
}
- /* EHB mode always has 64 colors */
+ /* EHB mode always has 64 colors in total */
palette_size = 64;
}
}
@@ -447,7 +459,7 @@ load_image (GFile *file,
{
guchar *pixel_row;
- pixel_row = g_malloc (width * pixel_size * sizeof (guchar));
+ pixel_row = g_malloc0 (width * pixel_size);
/* PBM uses one byte per pixel index */
if (ILBM_imageIsPBM (true_image))
@@ -459,7 +471,7 @@ load_image (GFile *file,
else
deleave_rgb_row (bitplanes, pixel_row, width, nPlanes, pixel_size);
- bitplanes += (row_length * 2 * nPlanes);
+ bitplanes += (row_length * nPlanes);
gegl_buffer_set (buffer, GEGL_RECTANGLE (0, y_height, width, 1), 0,
NULL, pixel_row, GEGL_AUTO_ROWSTRIDE);
@@ -528,7 +540,7 @@ deleave_ham_row (const guchar *gimp_cmap,
/* Deleave rows */
for (gint i = 0; i < row_length; i++)
{
- for (gint j = 0; j < 8; j++)
+ for (gint j = 0; j < nPlanes; j++)
{
guint8 bitmask = (1 << (8 - j)) - (1 << (7 - j));
guint8 control = 0;
@@ -590,11 +602,11 @@ deleave_ham_row (const guchar *gimp_cmap,
}
static void
-deleave_rgb_row (IFF_UByte *bitplanes,
- guchar *pixel_row,
- gint width,
- gint nPlanes,
- gint pixel_size)
+deleave_rgb_row (IFF_UByte *bitplanes,
+ guchar *pixel_row,
+ gint width,
+ gint nPlanes,
+ gint pixel_size)
{
gint row_length = ((width + 15) / 16) * 2;
gint current_pixel = 0;
--
2.52.0
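Review bot: The new palette-size rejection in load_image builds its GError with `g_file_error_from_errno (errno)`, but no system call has failed at that point, so the error code is whatever errno last held; use a fixed code, e.g. `g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, _("Invalid ILBM colormap size"));`. The replaced allocation `pixel_row = g_malloc0 (width * pixel_size);` still multiplies two gint values without an overflow check, whereas `g_malloc0_n (width, pixel_size)` performs the same zeroed allocation with the product checked. After clamping palette_size to 32, the loop `for (gint j = 0; j < palette_size * 2; j++)` still runs 64 iterations reading `colorRegister[j]`, although the comment says EHB adds 32 colors derived from the first 32; whether colorRegister holds more than palette_size entries when the file declares exactly 32 is not visible here and should be confirmed against the ILBM colormap definition. load_image starts and ends outside these hunks.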

31
gimp-CVE-2025-14424.patch Normal file

@@ -0,0 +1,31 @@
From 5cc55d078b7fba995cef77d195fac325ee288ddd Mon Sep 17 00:00:00 2001
From: Jacob Boerema <jgboerema@gmail.com>
Date: Thu, 13 Nov 2025 18:26:51 -0500
Subject: [PATCH] app: fix #15288 crash when loading malformed xcf
ZDI-CAN-28376 vulnerability
Add extra tests to not crash on a NULL g_class.
---
app/core/gimpitemlist.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/app/core/gimpitemlist.c b/app/core/gimpitemlist.c
index 93dfc83427..5aeb4916d8 100644
--- a/app/core/gimpitemlist.c
+++ b/app/core/gimpitemlist.c
@@ -345,7 +345,10 @@ gimp_item_list_named_new (GimpImage *image,
g_return_val_if_fail (GIMP_IS_IMAGE (image), NULL);
for (iter = items; iter; iter = iter->next)
- g_return_val_if_fail (g_type_is_a (G_OBJECT_TYPE (iter->data), item_type), NULL);
+ {
+ g_return_val_if_fail (iter->data && ((GTypeInstance*) (iter->data))->g_class, NULL);
+ g_return_val_if_fail (g_type_is_a (G_OBJECT_TYPE (iter->data), item_type), NULL);
+ }
if (! items)
{
--
2.52.0
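Review bot: The new guard in gimp_item_list_named_new relies on g_return_val_if_fail, which is compiled out under G_DISABLE_CHECKS and otherwise only emits a critical and returns NULL, so for a malformed XCF it acts as a precondition assertion rather than input validation; a plain `if (! iter->data || ! ((GTypeInstance *) iter->data)->g_class) return NULL;` keeps the rejection in every build. Reading `->g_class` through iter->data is also only meaningful while the pointer refers to live memory; if the underlying problem is an item freed while still referenced from `items` (the packaging comment describes it as a use after free), that read is itself invalid and the durable fix belongs where the XCF loader builds the list, which is outside this hunk. The function continues outside the hunk.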

69
gimp-CVE-2025-14425.patch Normal file

@@ -0,0 +1,69 @@
From cd1c88a0364ad1444c06536731972a99bd8643fd Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Wed, 12 Nov 2025 13:25:44 +0000
Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28248 for JP2 images
Resolves #15285
Per the report, it's possible to exceed the size of the pixel buffer
with a high precision_scaled value, as we size it to the width * bpp.
This patch includes precision_scaled in the allocation calculation.
It also adds a g_size_checked_mul () check to ensure there's no
overflow, and moves the pixel and buffer memory freeing to occur
in the out section so that it always runs even on failure.
---
diff -urp gimp-3.0.6.orig/plug-ins/common/file-jp2-load.c gimp-3.0.6/plug-ins/common/file-jp2-load.c
--- gimp-3.0.6.orig/plug-ins/common/file-jp2-load.c 2025-10-05 12:14:02.000000000 -0500
+++ gimp-3.0.6/plug-ins/common/file-jp2-load.c 2026-01-16 13:01:30.366333187 -0600
@@ -1045,14 +1045,15 @@ load_image (GimpProcedure *procedure
GimpColorProfile *profile = NULL;
GimpImage *gimp_image = NULL;
GimpLayer *layer;
+ GeglBuffer *buffer = NULL;
+ guchar *pixels = NULL;
+ gsize pixels_size;
GimpImageType image_type;
GimpImageBaseType base_type;
gint width;
gint height;
gint num_components;
- GeglBuffer *buffer;
gint i, j, k, it;
- guchar *pixels;
const Babl *file_format;
gint bpp;
GimpPrecision image_precision;
@@ -1318,7 +1319,15 @@ load_image (GimpProcedure *procedure
bpp = babl_format_get_bytes_per_pixel (file_format);
buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
- pixels = g_new0 (guchar, width * bpp);
+
+ if (! g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8))))
+ {
+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
+ _("Defined row size is too large in JP2 image '%s'."),
+ gimp_file_get_utf8_name (file));
+ goto out;
+ }
+ pixels = g_new0 (guchar, pixels_size);
for (i = 0; i < height; i++)
{
@@ -1344,13 +1353,13 @@ load_image (GimpProcedure *procedure
gegl_buffer_set (buffer, GEGL_RECTANGLE (0, i, width, 1), 0,
file_format, pixels, GEGL_AUTO_ROWSTRIDE);
}
-
- g_free (pixels);
-
- g_object_unref (buffer);
gimp_progress_update (1.0);
out:
+ if (pixels)
+ g_free (pixels);
+ if (buffer)
+ g_object_unref (buffer);
if (profile)
g_object_unref (profile);
if (image)
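Review bot: The new size check in load_image passes `bpp * (precision_scaled / 8)` to g_size_checked_mul as a single factor, so that inner gint product is still unchecked, and `precision_scaled / 8` evaluates to 0 for any precision_scaled below 8, which would make pixels_size 0 and leave `pixels` NULL when the row loop writes into it; chain the factors instead, `if (! g_size_checked_mul (&pixels_size, width, bpp) || ! g_size_checked_mul (&pixels_size, pixels_size, precision_scaled / 8) || pixels_size == 0)`. Whether precision_scaled can be below 8 here depends on how it is derived earlier in load_image, which is outside the hunk, so the zero guard may be redundant but costs nothing. In the cleanup section `if (pixels) g_free (pixels);` can simply be `g_free (pixels);`, since g_free accepts NULL. load_image starts and ends outside these hunks.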


@@ -1,3 +1,12 @@
-------------------------------------------------------------------
Fri Jan 16 17:52:35 UTC 2026 - Michael Gorse <mgorse@suse.com>
- Add CVE fixes:
+ gimp-CVE-2025-14422.patch (bsc#1255293 CVE-2025-14422)
+ gimp-CVE-2025-14423.patch (bsc#1255294 CVE-2025-14423)
+ gimp-CVE-2025-14424.patch (bsc#1255295 CVE-2025-14424)
+ gimp-CVE-2025-14425.patch (bsc#1255296 CVE-2025-14425)
-------------------------------------------------------------------
Wed Jan 7 06:06:45 UTC 2026 - Xiaoguang Wang <xiaoguang.wang@suse.com>


@@ -102,6 +102,14 @@ Patch2: gimp-2.99.19-external-help-browser.patch
Patch3: gimp-2.99.19-no-phone-home-default.patch
# PATCH-FIX-UPSTREAM gimp-CVE-2025-15059.patch CVE-2025-15059 bsc#1255766 xwang@suse.com -- vulnerability in file-psp
Patch4: gimp-CVE-2025-15059.patch
# PATCH-FIX-UPSTREAM gimp-CVE-2025-14422.patch bsc#1255293 mgorse@suse.com -- fix an overflow in the pnm parser.
Patch5: gimp-CVE-2025-14422.patch
# PATCH-FIX-UPSTREAM gimp-CVE-2025-14423.patch bsc#1255294 mgorse@suse.com -- fix an overflow parsing LBM files.
Patch6: gimp-CVE-2025-14423.patch
# PATCH-FIX-UPSTREAM gimp-CVE-2025-14424.patch bsc#1255295 mgorse@suse.com -- fix a use after free in the XCF parser.
Patch7: gimp-CVE-2025-14424.patch
# PATCH-FIX-UPSTREAM gimp-CVE-2025-14425.patch bsc#1255296 mgorse@suse.com -- fix an overflow when reading jp2 files.
Patch8: gimp-CVE-2025-14425.patch
%if %{with debug_in_build_gimp}
BuildRequires: gdb
%endif