new file mode 100644
@@ -0,0 +1,66 @@
+From 0a941cab81396d65a8ab547847f8c542039e214f Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Sun, 23 Nov 2025 16:43:51 +0000
+Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273
+
+From: Alx Sa <cmyk.student@gmail.com>
+
+Resolves #15286
+Adds a check to the memory allocation
+in pnm_load_raw () with g_size_checked_mul ()
+to see if the size would go out of bounds.
+If so, we don't try to allocate and load the
+image.
+
+CVE: CVE-2025-14422
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/4ff2d773d58064e6130495de498e440f4a6d5edb]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ plug-ins/common/file-pnm.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c
+index 32a33a4..9d349e9 100644
+--- a/plug-ins/common/file-pnm.c
++++ b/plug-ins/common/file-pnm.c
+@@ -674,7 +674,7 @@ load_image (GFile *file,
+ GError **error)
+ {
+ GInputStream *input;
+- GeglBuffer *buffer;
++ GeglBuffer *buffer = NULL;
+ GimpImage * volatile image = NULL;
+ GimpLayer *layer;
+ char buf[BUFLEN + 4]; /* buffer for random things like scanning */
+@@ -708,6 +708,9 @@ load_image (GFile *file,
+ g_object_unref (input);
+ g_free (pnminfo);
+
++ if (buffer)
++ g_object_unref (buffer);
++
+ if (image)
+ gimp_image_delete (image);
+
+@@ -1060,6 +1063,7 @@ pnm_load_raw (PNMScanner *scan,
+ const Babl *format = NULL;
+ gint bpc;
+ guchar *data, *d;
++ gsize data_size;
+ gushort *s;
+ gint x, y, i;
+ gint start, end, scanlines;
+@@ -1070,7 +1074,12 @@ pnm_load_raw (PNMScanner *scan,
+ bpc = 1;
+
+ /* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */
+- data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc);
++ if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) ||
++ ! g_size_checked_mul (&data_size, data_size, info->np) ||
++ ! g_size_checked_mul (&data_size, data_size, bpc))
++ CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value."));
++
++ data = g_new (guchar, data_size);
+
+ input = pnmscanner_input (scan);
+
@@ -56,11 +56,13 @@ GIDOCGEN_MESON_OPTION = "gi-docgen"
GIDOCGEN_MESON_ENABLE_FLAG = "enabled"
GIDOCGEN_MESON_DISABLE_FLAG = "disabled"
-SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz"
-SRC_URI += "file://0001-gimp-cross-compile-fix-for-bz2.patch"
-SRC_URI += "file://0002-meson.build-reproducibility-fix.patch"
-SRC_URI += "file://0001-meson.build-dont-check-for-lgi.patch"
-SRC_URI += "file://0001-meson.build-require-iso-codes-native.patch"
+SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \
+ file://0001-gimp-cross-compile-fix-for-bz2.patch \
+ file://0002-meson.build-reproducibility-fix.patch \
+ file://0001-meson.build-dont-check-for-lgi.patch \
+ file://0001-meson.build-require-iso-codes-native.patch \
+ file://CVE-2025-14422.patch \
+ "
SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"
PACKAGECONFIG[aa] = "-Daa=enabled,-Daa=disabled,aalib"
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14422 Pick the patch referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../gimp/gimp/CVE-2025-14422.patch | 66 +++++++++++++++++++ meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb | 12 ++-- 2 files changed, 73 insertions(+), 5 deletions(-) create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch