gimp: patch CVE-2025-14425

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14425 Patch referenced by the nvd report is for the file "file-jp2.c" which was renamed from "file-jp2-load.c" by commit[1] in the later versions. [1] 19c57a9765 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-02 02:49:12 +00:00 · 2026-01-12 18:34:38 +13:00 · 2026-01-12 18:34:38 +13:00 · 69cb161b5d
commit 69cb161b5d
parent a7ef3041ba
2 changed files with 71 additions and 0 deletions
--- a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch
@ -0,0 +1,70 @@
+From 012406d60ca09239403ce989cf9e793b82e47e74 Mon Sep 17 00:00:00 2001
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Wed, 12 Nov 2025 13:25:44 +0000
+Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28248 for JP2 images
+
+Resolves #15285
+Per the report, it's possible to exceed the size of the pixel buffer
+with a high precision_scaled value, as we size it to the width * bpp.
+This patch includes precision_scaled in the allocation calculation.
+It also adds a g_size_checked_mul () check to ensure there's no
+overflow, and moves the pixel and buffer memory freeing to occur
+in the out section so that it always runs even on failure.
+
+CVE: CVE-2025-14425
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/cd1c88a0364ad1444c06536731972a99bd8643fd]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ plug-ins/common/file-jp2-load.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/plug-ins/common/file-jp2-load.c b/plug-ins/common/file-jp2-load.c
+index 9ab43b5349..d29278a4d2 100644
+--- a/plug-ins/common/file-jp2-load.c
+++ b/plug-ins/common/file-jp2-load.c
+@@ -1055,9 +1055,10 @@ load_image (const gchar       *filename,
+   gint               width;
+   gint               height;
+   gint               num_components;
+-  GeglBuffer        *buffer;
+  GeglBuffer        *buffer = NULL;
+   gint               i, j, k, it;
+-  guchar            *pixels;
+  guchar            *pixels = NULL;
+  gsize              pixels_size;
+   const Babl        *file_format;
+   gint               bpp;
+   GimpPrecision      image_precision;
+@@ -1298,7 +1299,14 @@ load_image (const gchar       *filename,
+   bpp = babl_format_get_bytes_per_pixel (file_format);
+ 
+   buffer = gimp_drawable_get_buffer (layer_ID);
+-  pixels = g_new0 (guchar, width * bpp);
+  if (! g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8))))
+    {
+      g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
+                   _("Defined row size is too large in JP2 image '%s'."),
+                   gimp_file_get_utf8_name (filename));
+      goto out;
+    }
+  pixels = g_new0 (guchar, pixels_size);
+ 
+   for (i = 0; i < height; i++)
+     {
+@@ -1325,12 +1333,13 @@ load_image (const gchar       *filename,
+                          file_format, pixels, GEGL_AUTO_ROWSTRIDE);
+     }
+ 
+-  g_free (pixels);
+-
+-  g_object_unref (buffer);
+   gimp_progress_update (1.0);
+ 
+  out:
+  if (pixels)
+    g_free (pixels);
+  if (buffer)
+    g_object_unref (buffer);
+   if (profile)
+     g_object_unref (profile);
+   if (image)
--- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
@ -48,6 +48,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
           file://0001-configure-Keep-first-line-of-compiler-version-string.patch \
           file://0001-libtool-Do-not-add-build-time-library-paths-to-LD_LI.patch \
           file://CVE-2025-14422.patch \
+           file://CVE-2025-14425.patch \
 "
 SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"