diff --git a/meta-gnome/recipes-gimp/gimp/gimp/0001-plug-ins-ZDI-CAN-26752-mitigation.patch b/meta-gnome/recipes-gimp/gimp/gimp/0001-plug-ins-ZDI-CAN-26752-mitigation.patch
new file mode 100644
index 0000000000..6cc35a88dd
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/0001-plug-ins-ZDI-CAN-26752-mitigation.patch
@@ -0,0 +1,38 @@
+From 9df9326e291876d4447558f710976d4830d19d2f Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Sat, 3 May 2025 14:13:46 +0000
+Subject: [PATCH] plug-ins: ZDI-CAN-26752 mitigation
+
+Resolves #13910
+Since ICO can store PNGs, it's possible to create an
+icon that's much larger than the stated image size and
+cause a buffer overflow.
+This patch adds a check to make sure the width * height * 4
+calculation does not overflow in addition to making sure it
+doesn't exceed the maximum allowed size for that icon.
+
+CVE: CVE-2025-5473
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/c855d1df60ebaf5ef8d02807d448eb088f147a2b]
+
+Signed-off-by: Gyorgy Sarvari
+---
+ plug-ins/file-ico/ico-load.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
+index 9a22299..818cf23 100644
+--- a/plug-ins/file-ico/ico-load.c
++++ b/plug-ins/file-ico/ico-load.c
+@@ -299,7 +299,11 @@ ico_read_png (FILE *fp,
+ png_read_info (png_ptr, info);
+ png_get_IHDR (png_ptr, info, &w, &h, &bit_depth, &color_type,
+ NULL, NULL, NULL);
+- if (w*h*4 > maxsize)
++ /* Check for overflow */
++ if ((w * h * 4) < w ||
++ (w * h * 4) < h ||
++ (w * h * 4) < (w * h) ||
++ (w * h * 4) > maxsize)
+ {
+ png_destroy_read_struct (&png_ptr, &info, NULL);
+ return FALSE;
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.2.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.2.bb
index f30cc9f2ed..76ff226314 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.2.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.2.bb
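Review bot: The three wrap guards added in the nested ico-load.c hunk (`(w * h * 4) < w`, `< h`, `< (w * h)`) do not catch every overflow of the size product: w and h are png_uint_32 (they are passed by address to png_get_IHDR), so the products wrap modulo 2^32, and a wrapped `w * h` can still be at least as large as w, h and its own wrapped value — w = h = 65537 gives w*h = 131073 and w*h*4 = 524292, which passes all three guards and is only then compared with maxsize. The reliable check is to widen before multiplying, e.g. `guint64 needed = (guint64) w * h * 4;` followed by `if (needed > (guint64) maxsize)`; libpng's IHDR validation caps each dimension at 2^31-1, so the 64-bit product cannot wrap. The cast of maxsize assumes it is non-negative; its declaration is outside the hunk, so confirm that before relying on the comparison. The `/* Check for overflow */` comment would then better read `/* Widen before multiplying: w and h are 32-bit, so w*h*4 can wrap */`. ico_read_png's body begins and continues outside the hunk; the recipe hunk in gimp_3.0.2.bb only registers the patch and raises nothing.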
@@ -61,6 +61,7 @@ SRC_URI += "file://0001-gimp-cross-compile-fix-for-bz2.patch" SRC_URI += "file://0002-meson.build-reproducibility-fix.patch" SRC_URI += "file://0001-meson.build-dont-check-for-lgi.patch" SRC_URI += "file://0001-meson.build-require-iso-codes-native.patch" +SRC_URI += "file://0001-plug-ins-ZDI-CAN-26752-mitigation.patch" SRC_URI[sha256sum] = "546ddc30cb2d0e79123c7fcb4d78211e1ee7a6aace91a6a0ad8cbcbf6ea571a2" PACKAGECONFIG[aa] = "-Daa=enabled,-Daa=disabled,aalib"