diff mbox series

[meta-gnome,walnascar] gimp: patch CVE-2025-5473

Message ID 20251008150254.442766-1-skandigraun@gmail.com
State New
Headers show
Series [meta-gnome,walnascar] gimp: patch CVE-2025-5473 | expand

Commit Message

Gyorgy Sarvari Oct. 8, 2025, 3:02 p.m. UTC 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-5473

Pick the patch that resolved the relevant upstream bugreport:
https://gitlab.gnome.org/GNOME/gimp/-/issues/13910

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 ...01-plug-ins-ZDI-CAN-26752-mitigation.patch | 38 +++++++++++++++++++
 meta-gnome/recipes-gimp/gimp/gimp_3.0.2.bb    |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/0001-plug-ins-ZDI-CAN-26752-mitigation.patch
diff mbox series

Patch

diff --git a/meta-gnome/recipes-gimp/gimp/gimp/0001-plug-ins-ZDI-CAN-26752-mitigation.patch b/meta-gnome/recipes-gimp/gimp/gimp/0001-plug-ins-ZDI-CAN-26752-mitigation.patch
new file mode 100644
index 0000000000..6cc35a88dd
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/0001-plug-ins-ZDI-CAN-26752-mitigation.patch
@@ -0,0 +1,38 @@ 
+From 9df9326e291876d4447558f710976d4830d19d2f Mon Sep 17 00:00:00 2001
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Sat, 3 May 2025 14:13:46 +0000
+Subject: [PATCH] plug-ins: ZDI-CAN-26752 mitigation
+
+Resolves #13910
+Since ICO can store PNGs, it's possible to create an
+icon that's much larger than the stated image size and
+cause a buffer overflow.
+This patch adds a check to make sure the width * height * 4
+calculation does not overflow in addition to making sure it
+doesn't exceed the maximum allowed size for that icon.
+
+CVE: CVE-2025-5473
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/c855d1df60ebaf5ef8d02807d448eb088f147a2b]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ plug-ins/file-ico/ico-load.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
+index 9a22299..818cf23 100644
+--- a/plug-ins/file-ico/ico-load.c
++++ b/plug-ins/file-ico/ico-load.c
+@@ -299,7 +299,11 @@ ico_read_png (FILE    *fp,
+   png_read_info (png_ptr, info);
+   png_get_IHDR (png_ptr, info, &w, &h, &bit_depth, &color_type,
+                 NULL, NULL, NULL);
+-  if (w*h*4 > maxsize)
++  /* Check for overflow */
++  if ((w * h * 4) < w       ||
++      (w * h * 4) < h       ||
++      (w * h * 4) < (w * h) ||
++      (w * h * 4) > maxsize)
+     {
+       png_destroy_read_struct (&png_ptr, &info, NULL);
+       return FALSE;
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.2.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.2.bb
index b1e61bf4ec..4b2733aa37 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.2.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.2.bb
@@ -61,6 +61,7 @@  SRC_URI += "file://0001-gimp-cross-compile-fix-for-bz2.patch"
 SRC_URI += "file://0002-meson.build-reproducibility-fix.patch"
 SRC_URI += "file://0001-meson.build-dont-check-for-lgi.patch"
 SRC_URI += "file://0001-meson.build-require-iso-codes-native.patch"
+SRC_URI += "file://0001-plug-ins-ZDI-CAN-26752-mitigation.patch"
 SRC_URI[sha256sum] = "546ddc30cb2d0e79123c7fcb4d78211e1ee7a6aace91a6a0ad8cbcbf6ea571a2"
 
 PACKAGECONFIG[aa] = "-Daa=enabled,-Daa=disabled,aalib"