| Message ID | 20260428070240.2691024-1-vanusuri@mvista.com |
|---|---|
| State | Under Review |
| Delegated to: | Fabien Thomas |
| Series | [scarthgap] gdk-pixbuf: Fix CVE-2026-5201 |
On Tue Apr 28, 2026 at 9:02 AM CEST, Vijay Anusuri via lists.openembedded.org wrote: > Pick patch according to [1] > > [1] https://security-tracker.debian.org/tracker/CVE-2026-5201 > [2] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/304 > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > --- > .../gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch | 44 +++++++++++++++++++ > .../gdk-pixbuf/gdk-pixbuf_2.42.12.bb | 1 + > 2 files changed, 45 insertions(+) > create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch > > diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch > new file mode 100644 > index 0000000000..97e0dddb62 > --- /dev/null > +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch 
> @@ -0,0 +1,44 @@ > +From 6cce9311e70b969cbcc6e3e1e74ae1756ed02d5b Mon Sep 17 00:00:00 2001 > +From: Matthias Clasen <mclasen@redhat.com> > +Date: Mon, 30 Mar 2026 12:21:56 -0400 > +Subject: [PATCH] jpeg: Reject unsupported number of components > + > +This condition was already checked for incremental loading. > +This commit adds the same check in the nonincremental > +code path. > + > +Closes: #304 > + > +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/6cce9311e70b969cbcc6e3e1e74ae1756ed02d5b] > +CVE: CVE-2026-5201 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + gdk-pixbuf/io-jpeg.c | 12 ++++++++++++ > + 1 file changed, 12 insertions(+) > + > +diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c > +index 9ee1d21..d419812 100644 > +--- a/gdk-pixbuf/io-jpeg.c > ++++ b/gdk-pixbuf/io-jpeg.c > +@@ -625,6 +625,18 @@ gdk_pixbuf__real_jpeg_image_load (FILE *f, struct jpeg_decompress_struct *cinfo, > + cinfo->do_fancy_upsampling = FALSE; > + cinfo->do_block_smoothing = FALSE; > + > ++ /* Reject unsupported component counts */ > ++ if (cinfo->output_components != 3 && cinfo->output_components != 4 && > ++ !(cinfo->output_components == 1 && > ++ cinfo->out_color_space == JCS_GRAYSCALE)) { > ++ g_set_error (error, > ++ GDK_PIXBUF_ERROR, > ++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE, > ++ _("Unsupported number of color components (%d)"), > ++ cinfo->output_components); > ++ goto out; > ++ } > ++ > + pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB, > + cinfo->out_color_components == 4 ? TRUE : FALSE, > + 8, > +-- > +2.43.0 > + > diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb > index 7c58fe1e1d..2f0de425b5 100644 > --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb > +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb 
> @@ -22,6 +22,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \ > file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \ > file://CVE-2025-7345.patch \ > file://CVE-2025-6199.patch \ > + file://CVE-2026-5201.patch \ > " > > SRC_URI[sha256sum] = "b9505b3445b9a7e48ced34760c3bcb73e966df3ac94c95a148cb669ab748e3c7"

Hi Vijay,

Thanks for this patch, but unfortunately I have to put it on hold.

The fix is merged in the upstream project gtk-pixbuf from the version 2.44.6, and the oe-core master branch is currently using gtk-pixbuf 2.44.5.

You'll need to either submit to master a backport of this patch or bump to 2.44.6 before I can approve it here.

Thank you.
Hi Fabien,

Already AUH succeeded for gdk-pixbuf upgrade to 2.44.6:
https://lists.openembedded.org/g/openembedded-core/message/235274

If you want me to submit the upgrade patch, I will send it.

Thanks & Regards,
Vijay

On Thu, Apr 30, 2026 at 7:13 PM Fabien Thomas <fabien.thomas@smile.fr> wrote:
> On Tue Apr 28, 2026 at 9:02 AM CEST, Vijay Anusuri via > lists.openembedded.org wrote: > > Pick patch according to [1] > > > > [1] https://security-tracker.debian.org/tracker/CVE-2026-5201 > > [2] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/304 > > > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > --- > > .../gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch | 44 +++++++++++++++++++ > > .../gdk-pixbuf/gdk-pixbuf_2.42.12.bb | 1 + > > 2 files changed, 45 insertions(+) > > create mode 100644 > meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch > > > > diff --git > a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch > b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch > > new file mode 100644 > > index 0000000000..97e0dddb62 > > --- /dev/null > > +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch 
> > @@ -0,0 +1,44 @@ > > +From 6cce9311e70b969cbcc6e3e1e74ae1756ed02d5b Mon Sep 17 00:00:00 2001 > > +From: Matthias Clasen <mclasen@redhat.com> > > +Date: Mon, 30 Mar 2026 12:21:56 -0400 > > +Subject: [PATCH] jpeg: Reject unsupported number of components > > + > > +This condition was already checked for incremental loading. > > +This commit adds the same check in the nonincremental > > +code path. > > + > > +Closes: #304 > > + > > +Upstream-Status: Backport [ > https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/6cce9311e70b969cbcc6e3e1e74ae1756ed02d5b > ] > > +CVE: CVE-2026-5201 > > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > +--- > > + gdk-pixbuf/io-jpeg.c | 12 ++++++++++++ > > + 1 file changed, 12 insertions(+) > > + > > +diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c > > +index 9ee1d21..d419812 100644 > > +--- a/gdk-pixbuf/io-jpeg.c > > ++++ b/gdk-pixbuf/io-jpeg.c > > +@@ -625,6 +625,18 @@ gdk_pixbuf__real_jpeg_image_load (FILE *f, struct > jpeg_decompress_struct *cinfo, > > + cinfo->do_fancy_upsampling = FALSE; > > + cinfo->do_block_smoothing = FALSE; > > + > > ++ /* Reject unsupported component counts */ > > ++ if (cinfo->output_components != 3 && cinfo->output_components != 4 > && > > ++ !(cinfo->output_components == 1 && > > ++ cinfo->out_color_space == JCS_GRAYSCALE)) { > > ++ g_set_error (error, > > ++ GDK_PIXBUF_ERROR, > > ++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE, > > ++ _("Unsupported number of color components > (%d)"), > > ++ cinfo->output_components); > > ++ goto out; > > ++ } > > ++ > > + pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB, > > + cinfo->out_color_components == 4 ? TRUE : > FALSE, > > + 8, > > +-- > > +2.43.0 > > + > > diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb > b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb > > index 7c58fe1e1d..2f0de425b5 100644 > > --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb > > +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb 
> > @@ -22,6 +22,7 @@ SRC_URI = > "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \ > > > file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \ > > file://CVE-2025-7345.patch \ > > file://CVE-2025-6199.patch \ > > + file://CVE-2026-5201.patch \ > > " > > > > SRC_URI[sha256sum] = > "b9505b3445b9a7e48ced34760c3bcb73e966df3ac94c95a148cb669ab748e3c7" > > Hi Vijay > > Thanks for this patch, but unfortunately I have to put it on hold. > > The fix is merged in the upstream project gtk-pixbuf from the version > 2.44.6, > and the oe-core master branch is currently using gtk-pixbuf 2.44.5. > > You'll need to either submit to master a backport of this patch or > bump to 2.44.6 before I can approve it here. > > Thank you. > > -- > Fabien Thomas > Smile ECS > >
On Thu Apr 30, 2026 at 3:49 PM CEST, Vijay Anusuri wrote:
> Hi Fabien,
>
> Already AUH succeeded for gdk-pixbuf upgrade to 2.44.6
> https://lists.openembedded.org/g/openembedded-core/message/235274
>
> If you want me to submit the upgrade patch, i will send it .

Oh my bad, you're right, I missed it. It's ok then.

Thanks,

> > Thanks & Regards, > Vijay > > > > On Thu, Apr 30, 2026 at 7:13 PM Fabien Thomas <fabien.thomas@smile.fr> > wrote: > >> On Tue Apr 28, 2026 at 9:02 AM CEST, Vijay Anusuri via >> lists.openembedded.org wrote: >> > Pick patch according to [1] >> > >> > [1] https://security-tracker.debian.org/tracker/CVE-2026-5201 >> > [2] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/304 >> > >> > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> >> > --- >> > .../gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch | 44 +++++++++++++++++++ >> > .../gdk-pixbuf/gdk-pixbuf_2.42.12.bb | 1 + >> > 2 files changed, 45 insertions(+) >> > create mode 100644 >> meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch >> > >> > diff --git >> a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch >> b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch >> > new file mode 100644 >> > index 0000000000..97e0dddb62 >> > --- /dev/null >> > +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch 
>> > @@ -0,0 +1,44 @@ >> > +From 6cce9311e70b969cbcc6e3e1e74ae1756ed02d5b Mon Sep 17 00:00:00 2001 >> > +From: Matthias Clasen <mclasen@redhat.com> >> > +Date: Mon, 30 Mar 2026 12:21:56 -0400 >> > +Subject: [PATCH] jpeg: Reject unsupported number of components >> > + >> > +This condition was already checked for incremental loading. >> > +This commit adds the same check in the nonincremental >> > +code path. >> > + >> > +Closes: #304 >> > + >> > +Upstream-Status: Backport [ >> https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/6cce9311e70b969cbcc6e3e1e74ae1756ed02d5b >> ] >> > +CVE: CVE-2026-5201 >> > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> >> > +--- >> > + gdk-pixbuf/io-jpeg.c | 12 ++++++++++++ >> > + 1 file changed, 12 insertions(+) >> > + >> > +diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c >> > +index 9ee1d21..d419812 100644 >> > +--- a/gdk-pixbuf/io-jpeg.c >> > ++++ b/gdk-pixbuf/io-jpeg.c >> > +@@ -625,6 +625,18 @@ gdk_pixbuf__real_jpeg_image_load (FILE *f, struct >> jpeg_decompress_struct *cinfo, >> > + cinfo->do_fancy_upsampling = FALSE; >> > + cinfo->do_block_smoothing = FALSE; >> > + >> > ++ /* Reject unsupported component counts */ >> > ++ if (cinfo->output_components != 3 && cinfo->output_components != 4 >> && >> > ++ !(cinfo->output_components == 1 && >> > ++ cinfo->out_color_space == JCS_GRAYSCALE)) { >> > ++ g_set_error (error, >> > ++ GDK_PIXBUF_ERROR, >> > ++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE, >> > ++ _("Unsupported number of color components >> (%d)"), >> > ++ cinfo->output_components); >> > ++ goto out; >> > ++ } >> > ++ >> > + pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB, >> > + cinfo->out_color_components == 4 ? TRUE : >> FALSE, >> > + 8, >> > +-- >> > +2.43.0 >> > + >> > diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb >> b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb >> > index 7c58fe1e1d..2f0de425b5 100644 >> > --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb 
>> > +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb >> > @@ -22,6 +22,7 @@ SRC_URI = >> "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \ >> > >> file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \ >> > file://CVE-2025-7345.patch \ >> > file://CVE-2025-6199.patch \ >> > + file://CVE-2026-5201.patch \ >> > " >> > >> > SRC_URI[sha256sum] = >> "b9505b3445b9a7e48ced34760c3bcb73e966df3ac94c95a148cb669ab748e3c7" >> >> Hi Vijay >> >> Thanks for this patch, but unfortunately I have to put it on hold. >> >> The fix is merged in the upstream project gtk-pixbuf from the version >> 2.44.6, >> and the oe-core master branch is currently using gtk-pixbuf 2.44.5. >> >> You'll need to either submit to master a backport of this patch or >> bump to 2.44.6 before I can approve it here. >> >> Thank you. >> >> -- >> Fabien Thomas >> Smile ECS >> >>
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch new file mode 100644 index 0000000000..97e0dddb62 --- /dev/null +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch @@ -0,0 +1,44 @@ +From 6cce9311e70b969cbcc6e3e1e74ae1756ed02d5b Mon Sep 17 00:00:00 2001 +From: Matthias Clasen <mclasen@redhat.com> +Date: Mon, 30 Mar 2026 12:21:56 -0400 +Subject: [PATCH] jpeg: Reject unsupported number of components + +This condition was already checked for incremental loading. +This commit adds the same check in the nonincremental +code path. + +Closes: #304 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/6cce9311e70b969cbcc6e3e1e74ae1756ed02d5b] +CVE: CVE-2026-5201 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + gdk-pixbuf/io-jpeg.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c +index 9ee1d21..d419812 100644 +--- a/gdk-pixbuf/io-jpeg.c ++++ b/gdk-pixbuf/io-jpeg.c +@@ -625,6 +625,18 @@ gdk_pixbuf__real_jpeg_image_load (FILE *f, struct jpeg_decompress_struct *cinfo, + cinfo->do_fancy_upsampling = FALSE; + cinfo->do_block_smoothing = FALSE; + ++ /* Reject unsupported component counts */ ++ if (cinfo->output_components != 3 && cinfo->output_components != 4 && ++ !(cinfo->output_components == 1 && ++ cinfo->out_color_space == JCS_GRAYSCALE)) { ++ g_set_error (error, ++ GDK_PIXBUF_ERROR, ++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE, ++ _("Unsupported number of color components (%d)"), ++ cinfo->output_components); ++ goto out; ++ } ++ + pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB, + cinfo->out_color_components == 4 ? TRUE : FALSE, + 8, +-- +2.43.0 + diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb index 7c58fe1e1d..2f0de425b5 100644 --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb 
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb @@ -22,6 +22,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \ file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \ file://CVE-2025-7345.patch \ file://CVE-2025-6199.patch \ + file://CVE-2026-5201.patch \ " SRC_URI[sha256sum] = "b9505b3445b9a7e48ced34760c3bcb73e966df3ac94c95a148cb669ab748e3c7"
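Review bot: in the io-jpeg.c hunk the new guard reads `cinfo->output_components` and `cinfo->out_color_space`, fields libjpeg only fills in once output dimensions have been calculated (jpeg_calc_output_dimensions, or jpeg_start_decompress which calls it), and the three context lines above the insertion only show `do_fancy_upsampling` and `do_block_smoothing` being set; when carrying this backport onto 2.42.12, confirm that the surrounding function computes those fields before line 625 exactly as the upstream tree does, otherwise the check compares against unset values and gives the wrong verdict. Two smaller points on the same hunk: the guard inspects `output_components` while the `gdk_pixbuf_new (GDK_COLORSPACE_RGB, cinfo->out_color_components == 4 ? TRUE : FALSE, ...)` call directly below derives has_alpha from `out_color_components`; the two only agree while colour quantization is left off, which a one-line comment next to the guard could record. And the early `goto out` runs before any pixbuf has been allocated, so the `out` label must not unconditionally release state that is set up later in the function; the label is outside the hunk, so check it in the 2.42.12 file rather than assuming it matches upstream.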
Pick patch according to [1]

[1] https://security-tracker.debian.org/tracker/CVE-2026-5201
[2] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/304

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch | 44 +++++++++++++++++++
 .../gdk-pixbuf/gdk-pixbuf_2.42.12.bb          |  1 +
 2 files changed, 45 insertions(+)
 create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch