helium-3rd-party/meta-openembedded
1
0
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-04-02 02:49:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

gimp: patch CVE-2025-14422

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14422

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Ankur Tyagi 2026-01-12 18:34:37 +13:00 committed by Anuj Mittal
parent 7dfdfc0035
commit a7ef3041ba
No known key found for this signature in database
GPG Key ID: 4340AEFE69F5085C
2 changed files with 67 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch Normal file
View File

@ -0,0 +1,64 @@
From bea9e174a3c4c02338f6c64bab05e6a8c667c09f Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Sun, 23 Nov 2025 16:43:51 +0000
Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273
Resolves #15286
Adds a check to the memory allocation
in pnm_load_raw () with g_size_checked_mul ()
to see if the size would go out of bounds.
If so, we don't try to allocate and load the
image.
CVE: CVE-2025-14422
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/4ff2d773d58064e6130495de498e440f4a6d5edb]
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
plug-ins/common/file-pnm.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c
index 2132eeccf4..f514c2b1d7 100644
--- a/plug-ins/common/file-pnm.c
+++ b/plug-ins/common/file-pnm.c
@@ -554,7 +554,7 @@ load_image (GFile *file,
GError **error)
{
GInputStream *input;
- GeglBuffer *buffer;
+ GeglBuffer *buffer = NULL;
gint32 volatile image_ID = -1;
gint32 layer_ID;
char buf[BUFLEN + 4]; /* buffer for random things like scanning */
@@ -584,6 +584,9 @@ load_image (GFile *file,
g_object_unref (input);
g_free (pnminfo);
+ if (buffer)
+ g_object_unref (buffer);
+
if (image_ID != -1)
gimp_image_delete (image_ID);
@@ -819,6 +822,7 @@ pnm_load_raw (PNMScanner *scan,
GInputStream *input;
gint bpc;
guchar *data, *d;
+ gsize data_size;
gushort *s;
gint x, y, i;
gint start, end, scanlines;
@@ -829,7 +833,12 @@ pnm_load_raw (PNMScanner *scan,
bpc = 1;
/* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */
- data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc);
+ if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) ||
+ ! g_size_checked_mul (&data_size, data_size, info->np) ||
+ ! g_size_checked_mul (&data_size, data_size, bpc))
+ CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value."));
+
+ data = g_new (guchar, data_size);
input = pnmscanner_input (scan);

4
meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
View File

@ -46,7 +46,9 @@ SHPV = "${@gnome_verdir("${PV}")}"
SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
file://0001-configure-Keep-first-line-of-compiler-version-string.patch \
file://0001-libtool-Do-not-add-build-time-library-paths-to-LD_LI.patch"
file://0001-libtool-Do-not-add-build-time-library-paths-to-LD_LI.patch \
file://CVE-2025-14422.patch \
"
SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"
EXTRA_OECONF = "--disable-python \