gimp: patch CVE-2025-2760

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2760 Use the fixes from Debian. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-02 02:49:12 +00:00 · 2026-03-05 12:07:07 +01:00 · 2026-03-05 12:07:07 +01:00 · 50d7ec475b
commit 50d7ec475b
parent 42d1f2f681
3 changed files with 124 additions and 0 deletions
--- a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-1.patch
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-1.patch
@ -0,0 +1,38 @@
+From e4e21387f773598915a2399b348d019fd9c26ad6 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Thu, 5 Mar 2026 09:06:34 +0100
+Subject: [PATCH] CVE-2025-2760
+
+https://gitlab.gnome.org/GNOME/gimp/-/issues/12790#note_2328950
+
+Gimp stopped supporting 2.10.x series (in favor of 3.x), and they do not
+plan to fix this in the old version. This patch is taken from Debian,
+and is a backport of the fix from 3.x series.
+
+CVE: CVE-2025-2760
+Upstream-Status: Inappropriate [unsupported version. Debian ref: https://sources.debian.org/patches/gimp/2.10.34-1+deb12u8/CVE-2025-2760.patch/]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ plug-ins/file-dds/ddsread.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
+index dcb4449..da35a0b 100644
+--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
+@@ -934,6 +934,14 @@ load_layer (FILE            *fp,
+   if (width < 1) width = 1;
+   if (height < 1) height = 1;
+ 
+  if (width <= 0 ||height <= 0 || d->gimp_bpp <= 0 ||
+      (gsize) width > G_MAXSIZE / height           ||
+      (gsize) width * height > G_MAXSIZE / d->gimp_bpp)
+    { 
+      g_message ("Invalid dimensions in header.");
+      return 0;
+    }
+  
+   switch (d->bpp)
+     {
+     case 1:
--- a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-2.patch
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-2.patch
@ -0,0 +1,84 @@
+From f7a458d072c266a4b2ae48de9ecec1706faad170 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Thu, 5 Mar 2026 09:07:19 +0100
+Subject: [PATCH] plug-ins/dds: fix #12790 for 32-bit
+
+with 2.10 backport bits by Sylvain Beucler <beuc@debian.org>
+
+Gimp stopped supporting 2.10.x series (in favor of 3.x), and they do not
+plan to fix this in the old version. This patch is taken from Debian,
+and is a backport of the fix from 3.x series.
+
+CVE: CVE-2025-2760
+Upstream-Status: Inappropriate [unsupported version. Debian ref: https://sources.debian.org/patches/gimp/2.10.34-1+deb12u8/CVE-2025-2760-32bit-followup.patch/]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ plug-ins/file-dds/ddsread.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
+index da35a0b..e0b53f6 100644
+--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
+@@ -169,26 +169,33 @@ read_dds (gchar    *filename,
+   /* a lot of DDS images out there don't have this for some reason -_- */
+   if (hdr.pitch_or_linsize == 0)
+     {
+      gboolean valid = TRUE;
+       if (hdr.pixelfmt.flags & DDPF_FOURCC) /* assume linear size */
+         {
+-          hdr.pitch_or_linsize = ((hdr.width + 3) >> 2) * ((hdr.height + 3) >> 2);
+          valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, (hdr.width + 3) >> 2, (hdr.height + 3) >> 2);
+           switch (GETL32(hdr.pixelfmt.fourcc))
+             {
+             case FOURCC ('D','X','T','1'):
+             case FOURCC ('A','T','I','1'):
+             case FOURCC ('B','C','4','U'):
+             case FOURCC ('B','C','4','S'):
+-              hdr.pitch_or_linsize *= 8;
+              valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.pitch_or_linsize, 8);
+               break;
+             default:
+-              hdr.pitch_or_linsize *= 16;
+              valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.pitch_or_linsize, 16);
+               break;
+             }
+         }
+       else /* assume pitch */
+         {
+-          hdr.pitch_or_linsize = hdr.height * hdr.width * (hdr.pixelfmt.bpp >> 3);
+          valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.height, hdr.width);
+          valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.pitch_or_linsize, hdr.pixelfmt.bpp >> 3);
+         }
+      if (!valid) {
+        fclose (fp);
+        g_message ("Image size is too big to handle.\n");
+        return GIMP_PDB_EXECUTION_ERROR;
+      }
+     }
+ 
+   if (hdr.pixelfmt.flags & DDPF_FOURCC)
+@@ -1217,14 +1224,19 @@ load_layer (FILE            *fp,
+     {
+       unsigned char *dst;
+ 
+-      dst = g_malloc (width * height * d->gimp_bpp);
+-      memset (dst, 0, width * height * d->gimp_bpp);
+      dst = g_malloc ((gsize) width * height * d->gimp_bpp);
+      memset (dst, 0, (gsize) width * height * d->gimp_bpp);
+ 
+       if (d->gimp_bpp == 4)
+         {
+-          for (y = 0; y < height; ++y)
+          guchar *dst_line;
+
+          dst_line = dst;
+          for (y = 0; y < height; ++y) {
+             for (x = 0; x < width; ++x)
+-              dst[y * (width * 4) + (x * 4) + 3] = 255;
+              dst_line[(x * 4) + 3] = 255;
+            dst_line += width * 4;
+          }
+         }
+ 
+       dxt_decompress (dst, buf, format, size, width, height, d->gimp_bpp,
--- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
@ -51,6 +51,8 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
           file://CVE-2025-14425.patch \
           file://CVE-2025-5473.patch \
           file://CVE-2025-15059.patch \
+           file://CVE-2025-2760-1.patch \
+           file://CVE-2025-2760-2.patch \
           "
 SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"