gimp: patch CVE-2025-5473

Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-5473 Backport commit associated with the resolution of issue[1]. [1] https://gitlab.gnome.org/GNOME/gimp/-/issues/13910 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-18 23:53:03 +00:00 · 2026-01-12 18:34:40 +13:00 · 2026-01-12 18:34:40 +13:00 · 7d35bbae28
commit 7d35bbae28
parent f11e20ad6e
2 changed files with 39 additions and 0 deletions
--- a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-5473.patch
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-5473.patch
@ -0,0 +1,38 @@
+From 9e4ebb38ba85661ee62361f218d6c35ace502395 Mon Sep 17 00:00:00 2001
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Sat, 3 May 2025 14:13:46 +0000
+Subject: [PATCH] plug-ins: ZDI-CAN-26752 mitigation
+
+Resolves #13910
+Since ICO can store PNGs, it's possible to create an
+icon that's much larger than the stated image size and
+cause a buffer overflow.
+This patch adds a check to make sure the width * height * 4
+calculation does not overflow in addition to making sure it
+doesn't exceed the maximum allowed size for that icon.
+
+CVE: CVE-2025-5473
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/c855d1df60ebaf5ef8d02807d448eb088f147a2b]
+(cherry picked from commit c855d1df60ebaf5ef8d02807d448eb088f147a2b)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ plug-ins/file-ico/ico-load.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
+index f44b805905..c144b6e2cd 100644
+--- a/plug-ins/file-ico/ico-load.c
+++ b/plug-ins/file-ico/ico-load.c
+@@ -295,7 +295,11 @@ ico_read_png (FILE    *fp,
+   png_read_info (png_ptr, info);
+   png_get_IHDR (png_ptr, info, &w, &h, &bit_depth, &color_type,
+                 NULL, NULL, NULL);
+-  if (w*h*4 > maxsize)
+  /* Check for overflow */
+  if ((w * h * 4) < w       ||
+      (w * h * 4) < h       ||
+      (w * h * 4) < (w * h) ||
+      (w * h * 4) > maxsize)
+     {
+       png_destroy_read_struct (&png_ptr, &info, NULL);
+       return FALSE;
--- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
@ -49,6 +49,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
           file://0001-libtool-Do-not-add-build-time-library-paths-to-LD_LI.patch \
           file://CVE-2025-14422.patch \
           file://CVE-2025-14425.patch \
+           file://CVE-2025-5473.patch \
 "
 SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"