Synch with factory #5

Open
mgorse wants to merge 4 commits from mgorse/gimp:leap-16.1 into leap-16.1
9 changed files with 113 additions and 318 deletions


@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b
size 27197880

BIN
gimp-3.0.8.tar.xz LFS Normal file

Binary file not shown.


@@ -1,63 +0,0 @@
From 4ff2d773d58064e6130495de498e440f4a6d5edb Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Sun, 23 Nov 2025 16:43:51 +0000
Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273
Resolves #15286
Adds a check to the memory allocation
in pnm_load_raw () with g_size_checked_mul ()
to see if the size would go out of bounds.
If so, we don't try to allocate and load the
image.
---
plug-ins/common/file-pnm.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c
index 32a33a4f35..9d349e967e 100644
--- a/plug-ins/common/file-pnm.c
+++ b/plug-ins/common/file-pnm.c
@@ -674,7 +674,7 @@ load_image (GFile *file,
GError **error)
{
GInputStream *input;
- GeglBuffer *buffer;
+ GeglBuffer *buffer = NULL;
GimpImage * volatile image = NULL;
GimpLayer *layer;
char buf[BUFLEN + 4]; /* buffer for random things like scanning */
@@ -708,6 +708,9 @@ load_image (GFile *file,
g_object_unref (input);
g_free (pnminfo);
+ if (buffer)
+ g_object_unref (buffer);
+
if (image)
gimp_image_delete (image);
@@ -1060,6 +1063,7 @@ pnm_load_raw (PNMScanner *scan,
const Babl *format = NULL;
gint bpc;
guchar *data, *d;
+ gsize data_size;
gushort *s;
gint x, y, i;
gint start, end, scanlines;
@@ -1070,7 +1074,12 @@ pnm_load_raw (PNMScanner *scan,
bpc = 1;
/* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */
- data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc);
+ if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) ||
+ ! g_size_checked_mul (&data_size, data_size, info->np) ||
+ ! g_size_checked_mul (&data_size, data_size, bpc))
+ CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value."));
+
+ data = g_new (guchar, data_size);
input = pnmscanner_input (scan);
--
2.52.0


@@ -1,103 +0,0 @@
From 481cdbbb97746be1145ec3a633c567a68633c521 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Sun, 23 Nov 2025 04:22:49 +0000
Subject: [PATCH] plug-ins: Fix ZDI-CAN-28311
Resolves #15292
The IFF specification states that EHB format images
have exactly 32 colors in their palette. However, it
is possible for images in the wild to place an incorrect
palette size. This patch checks for this, and either limits
the palette size or breaks accordingly.
---
plug-ins/common/file-iff.c | 32 ++++++++++++++++++++++----------
1 file changed, 22 insertions(+), 10 deletions(-)
diff --git a/plug-ins/common/file-iff.c b/plug-ins/common/file-iff.c
index d144a96a4c..f0879470c2 100644
--- a/plug-ins/common/file-iff.c
+++ b/plug-ins/common/file-iff.c
@@ -337,7 +337,7 @@ load_image (GFile *file,
width = bitMapHeader->w;
height = bitMapHeader->h;
nPlanes = bitMapHeader->nPlanes;
- row_length = (width + 15) / 16;
+ row_length = ((width + 15) / 16) * 2;
pixel_size = nPlanes / 8;
aspect_x = bitMapHeader->xAspect;
aspect_y = bitMapHeader->yAspect;
@@ -375,6 +375,18 @@ load_image (GFile *file,
{
/* EHB mode adds 32 more colors. Each are half the RGB values
* of the first 32 colors */
+ if (palette_size < 32)
+ {
+ g_set_error (error, G_FILE_ERROR,
+ g_file_error_from_errno (errno),
+ _("Invalid ILBM colormap size"));
+ return NULL;
+ }
+ else if (palette_size > 32)
+ {
+ palette_size = 32;
+ }
+
for (gint j = 0; j < palette_size * 2; j++)
{
gint offset_index = j + 32;
@@ -386,7 +398,7 @@ load_image (GFile *file,
gimp_cmap[offset_index * 3 + 2] =
colorMap->colorRegister[j].blue / 2;
}
- /* EHB mode always has 64 colors */
+ /* EHB mode always has 64 colors in total */
palette_size = 64;
}
}
@@ -447,7 +459,7 @@ load_image (GFile *file,
{
guchar *pixel_row;
- pixel_row = g_malloc (width * pixel_size * sizeof (guchar));
+ pixel_row = g_malloc0 (width * pixel_size);
/* PBM uses one byte per pixel index */
if (ILBM_imageIsPBM (true_image))
@@ -459,7 +471,7 @@ load_image (GFile *file,
else
deleave_rgb_row (bitplanes, pixel_row, width, nPlanes, pixel_size);
- bitplanes += (row_length * 2 * nPlanes);
+ bitplanes += (row_length * nPlanes);
gegl_buffer_set (buffer, GEGL_RECTANGLE (0, y_height, width, 1), 0,
NULL, pixel_row, GEGL_AUTO_ROWSTRIDE);
@@ -528,7 +540,7 @@ deleave_ham_row (const guchar *gimp_cmap,
/* Deleave rows */
for (gint i = 0; i < row_length; i++)
{
- for (gint j = 0; j < 8; j++)
+ for (gint j = 0; j < nPlanes; j++)
{
guint8 bitmask = (1 << (8 - j)) - (1 << (7 - j));
guint8 control = 0;
@@ -590,11 +602,11 @@ deleave_ham_row (const guchar *gimp_cmap,
}
static void
-deleave_rgb_row (IFF_UByte *bitplanes,
- guchar *pixel_row,
- gint width,
- gint nPlanes,
- gint pixel_size)
+deleave_rgb_row (IFF_UByte *bitplanes,
+ guchar *pixel_row,
+ gint width,
+ gint nPlanes,
+ gint pixel_size)
{
gint row_length = ((width + 15) / 16) * 2;
gint current_pixel = 0;
--
2.52.0


@@ -1,31 +0,0 @@
From 5cc55d078b7fba995cef77d195fac325ee288ddd Mon Sep 17 00:00:00 2001
From: Jacob Boerema <jgboerema@gmail.com>
Date: Thu, 13 Nov 2025 18:26:51 -0500
Subject: [PATCH] app: fix #15288 crash when loading malformed xcf
ZDI-CAN-28376 vulnerability
Add extra tests to not crash on a NULL g_class.
---
app/core/gimpitemlist.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/app/core/gimpitemlist.c b/app/core/gimpitemlist.c
index 93dfc83427..5aeb4916d8 100644
--- a/app/core/gimpitemlist.c
+++ b/app/core/gimpitemlist.c
@@ -345,7 +345,10 @@ gimp_item_list_named_new (GimpImage *image,
g_return_val_if_fail (GIMP_IS_IMAGE (image), NULL);
for (iter = items; iter; iter = iter->next)
- g_return_val_if_fail (g_type_is_a (G_OBJECT_TYPE (iter->data), item_type), NULL);
+ {
+ g_return_val_if_fail (iter->data && ((GTypeInstance*) (iter->data))->g_class, NULL);
+ g_return_val_if_fail (g_type_is_a (G_OBJECT_TYPE (iter->data), item_type), NULL);
+ }
if (! items)
{
--
2.52.0


@@ -1,69 +0,0 @@
From cd1c88a0364ad1444c06536731972a99bd8643fd Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Wed, 12 Nov 2025 13:25:44 +0000
Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28248 for JP2 images
Resolves #15285
Per the report, it's possible to exceed the size of the pixel buffer
with a high precision_scaled value, as we size it to the width * bpp.
This patch includes precision_scaled in the allocation calculation.
It also adds a g_size_checked_mul () check to ensure there's no
overflow, and moves the pixel and buffer memory freeing to occur
in the out section so that it always runs even on failure.
---
diff -urp gimp-3.0.6.orig/plug-ins/common/file-jp2-load.c gimp-3.0.6/plug-ins/common/file-jp2-load.c
--- gimp-3.0.6.orig/plug-ins/common/file-jp2-load.c 2025-10-05 12:14:02.000000000 -0500
+++ gimp-3.0.6/plug-ins/common/file-jp2-load.c 2026-01-16 13:01:30.366333187 -0600
@@ -1045,14 +1045,15 @@ load_image (GimpProcedure *procedure
GimpColorProfile *profile = NULL;
GimpImage *gimp_image = NULL;
GimpLayer *layer;
+ GeglBuffer *buffer = NULL;
+ guchar *pixels = NULL;
+ gsize pixels_size;
GimpImageType image_type;
GimpImageBaseType base_type;
gint width;
gint height;
gint num_components;
- GeglBuffer *buffer;
gint i, j, k, it;
- guchar *pixels;
const Babl *file_format;
gint bpp;
GimpPrecision image_precision;
@@ -1318,7 +1319,15 @@ load_image (GimpProcedure *procedure
bpp = babl_format_get_bytes_per_pixel (file_format);
buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
- pixels = g_new0 (guchar, width * bpp);
+
+ if (! g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8))))
+ {
+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
+ _("Defined row size is too large in JP2 image '%s'."),
+ gimp_file_get_utf8_name (file));
+ goto out;
+ }
+ pixels = g_new0 (guchar, pixels_size);
for (i = 0; i < height; i++)
{
@@ -1344,13 +1353,13 @@ load_image (GimpProcedure *procedure
gegl_buffer_set (buffer, GEGL_RECTANGLE (0, i, width, 1), 0,
file_format, pixels, GEGL_AUTO_ROWSTRIDE);
}
-
- g_free (pixels);
-
- g_object_unref (buffer);
gimp_progress_update (1.0);
out:
+ if (pixels)
+ g_free (pixels);
+ if (buffer)
+ g_object_unref (buffer);
if (profile)
g_object_unref (profile);
if (image)


@@ -1,38 +0,0 @@
From 03575ac8cbb0ef3103b0a15d6598475088dcc15e Mon Sep 17 00:00:00 2001
From: Jacob Boerema <jgboerema@gmail.com>
Date: Sat, 20 Dec 2025 10:10:48 -0500
Subject: [PATCH] plug-ins: fix #15284 ZDI-CAN-28232 vulnerability in file-psp
We were not checking whether channel types were valid for grayscale
images. Using a blue color channel caused an invalid computation of
the offset which could cause us to access an invalid memory location.
Now we separate RGB from non-RGB images when checking which channels
are valid, and if not return with an error.
---
plug-ins/common/file-psp.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index f00251c573..3f6970561f 100644
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -2171,11 +2171,12 @@ read_layer_block (FILE *f,
}
else
{
- if (channel_type > PSP_CHANNEL_BLUE)
+ if ((ia->base_type == GIMP_RGB && channel_type > PSP_CHANNEL_BLUE) ||
+ (ia->base_type != GIMP_RGB && channel_type >= PSP_CHANNEL_RED))
{
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
- _("Invalid channel type %d in channel information chunk"),
- channel_type);
+ _("Invalid channel type %d in channel information chunk"),
+ channel_type);
return NULL;
}
--
2.51.0


@@ -1,3 +1,108 @@
-------------------------------------------------------------------
Sun Jan 25 03:00:53 UTC 2026 - Marcus Rueckert <mrueckert@suse.de>
- Update to 3.0.8
- Font Loading Performance
- Improvements in start-up time for users with a large number
of fonts was backported from our 3.2 RC2 release. As a
result, we now wait to load images until fonts are
initialized - this prevents some occasional odd displays and
other issues when an XCF file tried to access a partially
loaded font.
- Assorted updates and fixes
- Daniel Plakhotich helped us identify an issue when exporting
a lossless WEBP image could be affected by lossy settings
(such as Quality being less than 100%). Weve updated our
WEBP plug-in to prevent this from happening.
- Thanks to Jehans efforts, the standard gimp-3.0 executable
can now be run with a --no-interface flag instead of
requiring users to call gimp-console-3.0 even on devices with
no display. The --show-debug-menu flag is now visible as
well.
- programmer_ceds improved our flatpak by adding safe guards to
show the correct configuration directory regardless of
whether XDG_CONFIG_HOME is defined on the users system. This
should make it much easier for flatpak users to install and
use third party plug-ins.
- We fixed a rare but possible crash when using the Equalize
filter on images with NaN values. Images that contain these
are usually created from scientific or mapping data, so
youre unlikely to come across them in standard editing.
- Jeremy Bicha fixed an internal issue where the wrong version
number could be used when installing minor releases (such as
the 3.2 release candidates and upcoming 3.2 stable release).
- As noted in our 3.2RC2 news post, we have updated our SVG
import code to improve the rendered path.
- Further improvements have been made to our non-destructive
filter code to improve stability, especially when copying and
pasting layers and images with filters attached to them. Some
issues related to applying NDE filters on Quick Masks have
also been corrected.
- An unintended Search pop-up that appeared when typing while
the Channels dockable was selected has been turned off.
- When saving XCFs for GIMP 2.10 compatibility, we
unintentionally saved Grid color using the new color format.
This caused errors when reopening the XCF in 2.10. This
problem has now been fixed! If you encounter any other XCF
incompatibility, please let us know.
- Themes and UX
- The Navigation and Selection Editor dockables no longer show
a large bright texture when no image is actively selected.
This was especially noticeable on dark themes.
- When a layer has no active filters, the Fx column had the
same “checkbox” outline when hovered over as the lock column.
This led to confusion about clicking it to add filters. We
have removed the outline on hover as a small step to help
address this.
- Ondřej Míchal fixed alignment and cut-off issues with the
buttons on our Transform tool overlays. All buttons should
now be properly centered and visible.
- The options for filling layers with colors when resizing the
canvas will be turned off when not relevant (such as when you
set layers to not be resized).
- More GUI elements such as dialog header icons will now
respond to your icon size preferences.
- Ondřej Míchal has continued his work to update our UI with
the more usable Spin Scale widget. He has also updated the
widget itself to improve how it works for users and
developers alike.
- Security fixes
- Jacob Boerema and Gabriele Barbero continued to patch
potential security issues related to some of our file format
plug-ins. In addition to existing fixes mentioned in the
release candidate news posts, the following exploits are now
prevented: ZDI-CAN-28232 ZDI-CAN-28265 ZDI-CAN-28530
ZDI-CAN-28591 ZDI-CAN-28599
- Another potential issue related to ICO files with incorrect
metadata was reported by Dhiraj. It does not have a CVE
number yet, but it has been fixed for GIMP 3.0.8. Jacob
Boerema also fixed a potential issue with loading Creator
blocks in Paintshop Pro PSP images.
- API
- For plug-in and script developers, a few new public APIs were
backported to GIMP 3.0.8. gimp_cairo_surface_get_buffer ()
allows you to retrieve a GEGL buffer from a Cairo surface
(such as a text layer). Note that this deprecates
gimp_cairo_surface_create_buffer ().
- gimp_config_set_xcf_version () and
gimp_config_get_xcf_version () can be used to specify a
particular XCF version for a configuration. This will allow
you to have that data serialized/deserialized for certain
versions of GIMP if there were differences (such as the Grid
colors mentioned above).
- Fixes were made for retrieving image metadata via scripting.
GimpMetadata is now a visible child of GExiv2Metadata, so you
can use standard gexiv2 functions to retrieve information
from it.
- Original thumbnail metadata is also now removed on export to
prevent potential issues when exporting into a new format.
- drop patches included in the update
gimp-CVE-2025-14422.patch (bsc#1255293 CVE-2025-14422)
gimp-CVE-2025-14423.patch (bsc#1255294 CVE-2025-14423)
gimp-CVE-2025-14424.patch (bsc#1255295 CVE-2025-14424)
gimp-CVE-2025-14425.patch (bsc#1255296 CVE-2025-14425)
gimp-CVE-2025-15059.patch (bsc#1255766 CVE-2025-15059)
-------------------------------------------------------------------
Fri Jan 16 17:52:35 UTC 2026 - Michael Gorse <mgorse@suse.com>


@@ -85,7 +85,7 @@
%define pkg_name gimp
Name: gimp
Version: 3.0.6
Version: 3.0.8
Release: 0
%global pkg_version %{version}
Summary: The GNU Image Manipulation Program
@@ -100,16 +100,6 @@ Source2: openSUSE.gpl
Patch1: gimp-2.99.19-cm-system-monitor-profile-by-default.patch
Patch2: gimp-2.99.19-external-help-browser.patch
Patch3: gimp-2.99.19-no-phone-home-default.patch
# PATCH-FIX-UPSTREAM gimp-CVE-2025-15059.patch CVE-2025-15059 bsc#1255766 xwang@suse.com -- vulnerability in file-psp
Patch4: gimp-CVE-2025-15059.patch
# PATCH-FIX-UPSTREAM gimp-CVE-2025-14422.patch bsc#1255293 mgorse@suse.com -- fix an overflow in the pnm parser.
Patch5: gimp-CVE-2025-14422.patch
# PATCH-FIX-UPSTREAM gimp-CVE-2025-14423.patch bsc#1255294 mgorse@suse.com -- fix an overflow parsing LBM files.
Patch6: gimp-CVE-2025-14423.patch
# PATCH-FIX-UPSTREAM gimp-CVE-2025-14424.patch bsc#1255295 mgorse@suse.com -- fix a use after free in the XCF parser.
Patch7: gimp-CVE-2025-14424.patch
# PATCH-FIX-UPSTREAM gimp-CVE-2025-14425.patch bsc#1255296 mgorse@suse.com -- fix an overflow when reading jp2 files.
Patch8: gimp-CVE-2025-14425.patch
%if %{with debug_in_build_gimp}
BuildRequires: gdb
%endif
@@ -152,6 +142,7 @@ BuildRequires: /usr/bin/gtk-update-icon-cache
BuildRequires: qoi-devel
BuildRequires: xdg-utils
BuildRequires: libbacktrace-devel
BuildRequires: pkgconfig(bash-completion)
BuildRequires: pkgconfig(cfitsio)
BuildRequires: pkgconfig(libjxl) >= %{libjxl_version}
BuildRequires: pkgconfig(OpenEXR) >= %{OpenEXR_version}
@@ -210,6 +201,7 @@ BuildRequires: python3 >= 3.6.0
BuildRequires: python3-gobject
BuildRequires: typelib-1_0-Babl-0_1 >= %{babl_version}
BuildRequires: typelib-1_0-Gegl-0_4 >= %{gegl_version}
BuildRequires: typelib-1_0-GExiv2-0_10 >= %{gexiv2_version}
%requires_eq gegl-0_4
Requires: gjs
# Explicitly declare the libgimp versions for upgrade purposes
@@ -225,6 +217,7 @@ Requires: shared-mime-info
Requires: xdg-utils
Requires: typelib-1_0-Babl-0_1 >= %{babl_version}
Requires: typelib-1_0-Gegl-0_4 >= %{gegl_version}
Requires: typelib-1_0-GExiv2-0_10 >= %{gexiv2_version}
Recommends: %{name}-plugins-python3 = %{version}
Recommends: iso-codes
Suggests: AdobeICCProfiles
@@ -481,6 +474,7 @@ install -m 644 -c macros.gimp \
%exclude %{_libdir}/gimp/3.0/plug-ins/file-aa
%{_libdir}/girepository-1.0/Gimp-3.0.typelib
%{_libdir}/girepository-1.0/GimpUi-3.0.typelib
%{_datadir}/bash-completion/completions/gimp-3.0
%files plugin-aa
%{_libdir}/gimp/3.0/plug-ins/file-aa
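Review bot: The `@@ -100,16 +100,6 @@` hunk drops Patch4 through Patch8 on the strength of the bump to 3.0.8, but the upstream security list quoted in the .changes entry names only ZDI-CAN-28232 (which appears to be the file-psp fix) among the five advisories those patches addressed. The PNM, ILBM, XCF and JP2 fixes are covered only by the "existing fixes mentioned in the release candidate news posts" wording, so it is worth confirming each one against the 3.0.8 sources before merging. The JP2 patch deserves the closest look, since it was carried as a rebased `diff -urp gimp-3.0.6.orig` rather than as the upstream commit; comparing `plug-ins/common/file-jp2-load.c` in the new tarball with the dropped hunk would settle it. If the check has been done, a short line under "drop patches included in the update" such as `(all five fixes verified present in the 3.0.8 tarball)` would record it for later maintainers.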