
[meta-gnome,whinlatter,04/17] gimp: patch CVE-2025-14422

Message ID 20260105100237.3081345-4-skandigraun@gmail.com
State Under Review
Delegated to: Anuj Mittal
Series [meta-networking,whinlatter,01/17] civetweb: ignore CVE-2025-9648 | expand

Commit Message

Gyorgy Sarvari Jan. 5, 2026, 10:02 a.m. UTC
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14422

Pick the patch referenced by the NVD report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a0b41204afe57f9b2b3f2e8ff496be72d04e0eb7)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../gimp/gimp/CVE-2025-14422.patch            | 66 +++++++++++++++++++
 meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb    | 12 ++--
 2 files changed, 73 insertions(+), 5 deletions(-)
 create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch

Comments

Ankur Tyagi Jan. 6, 2026, 4:42 a.m. UTC | #1
Hi Gyorgy,

This is causing the following build failures on qemuarm with musl and clang

mozjs:
| /usr/src/debug/mozjs-128/128.5.2/mozglue/misc/StackWalk.cpp:810:(.text._ZL15unwind_callbackP15_Unwind_ContextPv+0x4):
undefined reference to `_Unwind_GetIP'
| arm-poky-linux-musleabi-clang++: error: linker command failed with
exit code 1 (use -v to see invocation)

libjxl:
FAILED: [code=1] lib/CMakeFiles/jxl_dec-obj.dir/jxl/convolve_separable5.cc.o
/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot-native/usr/bin/arm-poky-linux-musleabi/arm-poky-linux-musleabi-clang++
--sysroot=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot
-DFJXL_ENABLE_AVX512=0 -DJXL_INTERNAL_LIBRARY_BUILD
-D__DATE__=\"redacted\" -D__TIMESTAMP__=\"redacted\"
-D__TIME__=\"redacted\"
-I/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1
-isystem /yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/build/lib/include
-mthumb -mfpu=neon -mfloat-abi=hard -mcpu=cortex-a15
--dyld-prefix=/usr -fstack-protector-strong  -O2 -D_FORTIFY_SOURCE=2
-Wformat -Wformat-security -Werror=format-security -D_TIME_BITS=64
-D_FILE_OFFSET_BITS=64
--sysroot=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot
 -O2 -g   -ffile-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1=/usr/src/debug/libjxl/0.11.1
 -ffile-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/build=/usr/src/debug/libjxl/0.11.1
 -ffile-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot=
 -ffile-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot-native=
 -pipe -fvisibility-inlines-hidden -fno-rtti -DNDEBUG -std=c++17 -fPIC
-fvisibility=hidden -fvisibility-inlines-hidden
-fmacro-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1=.
"-DHWY_DISABLED_TARGETS=(HWY_SSSE3|HWY_AVX3|HWY_AVX3_SPR|HWY_AVX3_ZEN4)"
-funwind-tables -Xclang -mrelax-all -fno-omit-frame-pointer
-Wno-builtin-macro-redefined -Wall -fmerge-all-constants
-fno-builtin-fwrite -fno-builtin-fread -Wextra -Wc++11-compat
-Warray-bounds -Wformat-security -Wimplicit-fallthrough -Wno-register
-Wno-unused-function -Wno-unused-parameter -Wnon-virtual-dtor
-Woverloaded-virtual -Wvla -Wdeprecated-increment-bool
-Wfloat-overflow-conversion -Wfloat-zero-conversion
-Wfor-loop-analysis -Wgnu-redeclared-enum -Winfinite-recursion
-Wliteral-conversion -Wno-c++98-compat
-Wno-unused-command-line-argument -Wprivate-header -Wself-assign
-Wstring-conversion -Wtautological-overlap-compare
-Wthread-safety-analysis -Wundefined-func-template -Wunreachable-code
-Wunused-comparison -fsized-deallocation -fno-exceptions -fmath-errno
-fnew-alignment=8 -fno-cxx-exceptions -fno-slp-vectorize
-fno-vectorize -disable-free -disable-llvm-verifier
-DJPEGXL_ENABLE_SKCMS=1 -DJPEGXL_ENABLE_TRANSCODE_JPEG=1
-DJPEGXL_ENABLE_BOXES=1 -MD -MT
lib/CMakeFiles/jxl_dec-obj.dir/jxl/convolve_separable5.cc.o -MF
lib/CMakeFiles/jxl_dec-obj.dir/jxl/convolve_separable5.cc.o.d -o
lib/CMakeFiles/jxl_dec-obj.dir/jxl/convolve_separable5.cc.o -c
/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1/lib/jxl/convolve_separable5.cc
error: out of range pc-relative fixup value
1 error generated.
ninja: build stopped: subcommand failed.

It builds on qemux86 with musl and clang though.

Having said that, I don't think the problem is due to your patch as
gimp fails to build on qemuarm with musl and clang even without your
patches.

So this needs to be investigated separately.

cheers
Ankur

On Mon, Jan 5, 2026 at 11:02 PM Gyorgy Sarvari via
lists.openembedded.org <skandigraun=gmail.com@lists.openembedded.org>
wrote:
>
> Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14422
>
> Pick the patch referenced by the NVD report.
>
> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> (cherry picked from commit a0b41204afe57f9b2b3f2e8ff496be72d04e0eb7)
> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> ---
>  .../gimp/gimp/CVE-2025-14422.patch            | 66 +++++++++++++++++++
>  meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb    | 12 ++--
>  2 files changed, 73 insertions(+), 5 deletions(-)
>  create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch
>
> diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch
> new file mode 100644
> index 0000000000..420e013916
> --- /dev/null
> +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch
> @@ -0,0 +1,66 @@
> +From 0a941cab81396d65a8ab547847f8c542039e214f Mon Sep 17 00:00:00 2001
> +From: Gyorgy Sarvari <skandigraun@gmail.com>
> +Date: Sun, 23 Nov 2025 16:43:51 +0000
> +Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273
> +
> +From: Alx Sa <cmyk.student@gmail.com>
> +
> +Resolves #15286
> +Adds a check to the memory allocation
> +in pnm_load_raw () with g_size_checked_mul ()
> +to see if the size would go out of bounds.
> +If so, we don't try to allocate and load the
> +image.
> +
> +CVE: CVE-2025-14422
> +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/4ff2d773d58064e6130495de498e440f4a6d5edb]
> +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> +---
> + plug-ins/common/file-pnm.c | 13 +++++++++++--
> + 1 file changed, 11 insertions(+), 2 deletions(-)
> +
> +diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c
> +index 32a33a4..9d349e9 100644
> +--- a/plug-ins/common/file-pnm.c
> ++++ b/plug-ins/common/file-pnm.c
> +@@ -674,7 +674,7 @@ load_image (GFile   *file,
> +             GError **error)
> + {
> +   GInputStream    *input;
> +-  GeglBuffer      *buffer;
> ++  GeglBuffer      *buffer    = NULL;
> +   GimpImage * volatile image = NULL;
> +   GimpLayer       *layer;
> +   char             buf[BUFLEN + 4];  /* buffer for random things like scanning */
> +@@ -708,6 +708,9 @@ load_image (GFile   *file,
> +       g_object_unref (input);
> +       g_free (pnminfo);
> +
> ++      if (buffer)
> ++        g_object_unref (buffer);
> ++
> +       if (image)
> +         gimp_image_delete (image);
> +
> +@@ -1060,6 +1063,7 @@ pnm_load_raw (PNMScanner *scan,
> +   const Babl   *format = NULL;
> +   gint          bpc;
> +   guchar       *data, *d;
> ++  gsize         data_size;
> +   gushort      *s;
> +   gint          x, y, i;
> +   gint          start, end, scanlines;
> +@@ -1070,7 +1074,12 @@ pnm_load_raw (PNMScanner *scan,
> +     bpc = 1;
> +
> +   /* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */
> +-  data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc);
> ++  if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) ||
> ++      ! g_size_checked_mul (&data_size, data_size, info->np)             ||
> ++      ! g_size_checked_mul (&data_size, data_size, bpc))
> ++    CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value."));
> ++
> ++  data = g_new (guchar, data_size);
> +
> +   input = pnmscanner_input (scan);
> +
> diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
> index 9f38cdcd03..f529930dff 100644
> --- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
> +++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
> @@ -56,11 +56,13 @@ GIDOCGEN_MESON_OPTION = "gi-docgen"
>  GIDOCGEN_MESON_ENABLE_FLAG = "enabled"
>  GIDOCGEN_MESON_DISABLE_FLAG = "disabled"
>
> -SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz"
> -SRC_URI += "file://0001-gimp-cross-compile-fix-for-bz2.patch"
> -SRC_URI += "file://0002-meson.build-reproducibility-fix.patch"
> -SRC_URI += "file://0001-meson.build-dont-check-for-lgi.patch"
> -SRC_URI += "file://0001-meson.build-require-iso-codes-native.patch"
> +SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \
> +           file://0001-gimp-cross-compile-fix-for-bz2.patch \
> +           file://0002-meson.build-reproducibility-fix.patch \
> +           file://0001-meson.build-dont-check-for-lgi.patch \
> +           file://0001-meson.build-require-iso-codes-native.patch \
> +           file://CVE-2025-14422.patch \
> +           "
>  SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"
>
>  PACKAGECONFIG[aa] = "-Daa=enabled,-Daa=disabled,aalib"
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#123135): https://lists.openembedded.org/g/openembedded-devel/message/123135
> Mute This Topic: https://lists.openembedded.org/mt/117084023/3619737
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [ankur.tyagi85@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Gyorgy Sarvari Jan. 6, 2026, 8:58 a.m. UTC | #2
I don't really see the relation between these and the gimp patches...

For mozjs you could take a look at this[1] patch - I believe it solves
the same problem.
For libjxl, Khem has committed a line some time ago[2] that touches
CFLAGS. Try to do the same, but for CXXFLAGS.

[1]:
https://github.com/OSSystems/meta-browser/blob/master/meta-firefox/recipes-browser/firefox/firefox/0001-add-musl-support.patch
[2]:
https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-multimedia/libjxl/libjxl_0.11.1.bb#n47

On 1/6/26 05:42, Ankur Tyagi wrote:
> Hi Gyorgy,
>
> This is causing following build failures on qemuarm with musl and clang
>
> mozjs:
> | /usr/src/debug/mozjs-128/128.5.2/mozglue/misc/StackWalk.cpp:810:(.text._ZL15unwind_callbackP15_Unwind_ContextPv+0x4):
> undefined reference to `_Unwind_GetIP'
> | arm-poky-linux-musleabi-clang++: error: linker command failed with
> exit code 1 (use -v to see invocation)
>
> libjxl:
> FAILED: [code=1] lib/CMakeFiles/jxl_dec-obj.dir/jxl/convolve_separable5.cc.o
> /yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot-native/usr/bin/arm-poky-linux-musleabi/arm-poky-linux-musleabi-clang++
> --sysroot=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot
> -DFJXL_ENABLE_AVX512=0 -DJXL_INTERNAL_LIBRARY_BUILD
> -D__DATE__=\"redacted\" -D__TIMESTAMP__=\"redacted\"
> -D__TIME__=\"redacted\"
> -I/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1
> -isystem /yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/build/lib/include
> -mthumb -mfpu=neon -mfloat-abi=hard -mcpu=cortex-a15
> --dyld-prefix=/usr -fstack-protector-strong  -O2 -D_FORTIFY_SOURCE=2
> -Wformat -Wformat-security -Werror=format-security -D_TIME_BITS=64
> -D_FILE_OFFSET_BITS=64
> --sysroot=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot
>  -O2 -g   -ffile-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1=/usr/src/debug/libjxl/0.11.1
>  -ffile-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/build=/usr/src/debug/libjxl/0.11.1
>  -ffile-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot=
>  -ffile-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot-native=
>  -pipe -fvisibility-inlines-hidden -fno-rtti -DNDEBUG -std=c++17 -fPIC
> -fvisibility=hidden -fvisibility-inlines-hidden
> -fmacro-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1=.
> "-DHWY_DISABLED_TARGETS=(HWY_SSSE3|HWY_AVX3|HWY_AVX3_SPR|HWY_AVX3_ZEN4)"
> -funwind-tables -Xclang -mrelax-all -fno-omit-frame-pointer
> -Wno-builtin-macro-redefined -Wall -fmerge-all-constants
> -fno-builtin-fwrite -fno-builtin-fread -Wextra -Wc++11-compat
> -Warray-bounds -Wformat-security -Wimplicit-fallthrough -Wno-register
> -Wno-unused-function -Wno-unused-parameter -Wnon-virtual-dtor
> -Woverloaded-virtual -Wvla -Wdeprecated-increment-bool
> -Wfloat-overflow-conversion -Wfloat-zero-conversion
> -Wfor-loop-analysis -Wgnu-redeclared-enum -Winfinite-recursion
> -Wliteral-conversion -Wno-c++98-compat
> -Wno-unused-command-line-argument -Wprivate-header -Wself-assign
> -Wstring-conversion -Wtautological-overlap-compare
> -Wthread-safety-analysis -Wundefined-func-template -Wunreachable-code
> -Wunused-comparison -fsized-deallocation -fno-exceptions -fmath-errno
> -fnew-alignment=8 -fno-cxx-exceptions -fno-slp-vectorize
> -fno-vectorize -disable-free -disable-llvm-verifier
> -DJPEGXL_ENABLE_SKCMS=1 -DJPEGXL_ENABLE_TRANSCODE_JPEG=1
> -DJPEGXL_ENABLE_BOXES=1 -MD -MT
> lib/CMakeFiles/jxl_dec-obj.dir/jxl/convolve_separable5.cc.o -MF
> lib/CMakeFiles/jxl_dec-obj.dir/jxl/convolve_separable5.cc.o.d -o
> lib/CMakeFiles/jxl_dec-obj.dir/jxl/convolve_separable5.cc.o -c
> /yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1/lib/jxl/convolve_separable5.cc
> error: out of range pc-relative fixup value
> 1 error generated.
> ninja: build stopped: subcommand failed.
>
> It builds on qemux86 with musl and clang though.
>
> Having said that, I don't think the problem is due to your patch as
> gimp fails to build on qemuarm with musl and clang even without your
> patches.
>
> So this needs to be investigated separately.
>
> cheers
> Ankur
>
> On Mon, Jan 5, 2026 at 11:02 PM Gyorgy Sarvari via
> lists.openembedded.org <skandigraun=gmail.com@lists.openembedded.org>
> wrote:
>> Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14422
>>
>> Pick the patch referenced by the NVD report.
>>
>> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
>> (cherry picked from commit a0b41204afe57f9b2b3f2e8ff496be72d04e0eb7)
>> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
>> ---
>>  .../gimp/gimp/CVE-2025-14422.patch            | 66 +++++++++++++++++++
>>  meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb    | 12 ++--
>>  2 files changed, 73 insertions(+), 5 deletions(-)
>>  create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch
>>
>> diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch
>> new file mode 100644
>> index 0000000000..420e013916
>> --- /dev/null
>> +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch
>> @@ -0,0 +1,66 @@
>> +From 0a941cab81396d65a8ab547847f8c542039e214f Mon Sep 17 00:00:00 2001
>> +From: Gyorgy Sarvari <skandigraun@gmail.com>
>> +Date: Sun, 23 Nov 2025 16:43:51 +0000
>> +Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273
>> +
>> +From: Alx Sa <cmyk.student@gmail.com>
>> +
>> +Resolves #15286
>> +Adds a check to the memory allocation
>> +in pnm_load_raw () with g_size_checked_mul ()
>> +to see if the size would go out of bounds.
>> +If so, we don't try to allocate and load the
>> +image.
>> +
>> +CVE: CVE-2025-14422
>> +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/4ff2d773d58064e6130495de498e440f4a6d5edb]
>> +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
>> +---
>> + plug-ins/common/file-pnm.c | 13 +++++++++++--
>> + 1 file changed, 11 insertions(+), 2 deletions(-)
>> +
>> +diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c
>> +index 32a33a4..9d349e9 100644
>> +--- a/plug-ins/common/file-pnm.c
>> ++++ b/plug-ins/common/file-pnm.c
>> +@@ -674,7 +674,7 @@ load_image (GFile   *file,
>> +             GError **error)
>> + {
>> +   GInputStream    *input;
>> +-  GeglBuffer      *buffer;
>> ++  GeglBuffer      *buffer    = NULL;
>> +   GimpImage * volatile image = NULL;
>> +   GimpLayer       *layer;
>> +   char             buf[BUFLEN + 4];  /* buffer for random things like scanning */
>> +@@ -708,6 +708,9 @@ load_image (GFile   *file,
>> +       g_object_unref (input);
>> +       g_free (pnminfo);
>> +
>> ++      if (buffer)
>> ++        g_object_unref (buffer);
>> ++
>> +       if (image)
>> +         gimp_image_delete (image);
>> +
>> +@@ -1060,6 +1063,7 @@ pnm_load_raw (PNMScanner *scan,
>> +   const Babl   *format = NULL;
>> +   gint          bpc;
>> +   guchar       *data, *d;
>> ++  gsize         data_size;
>> +   gushort      *s;
>> +   gint          x, y, i;
>> +   gint          start, end, scanlines;
>> +@@ -1070,7 +1074,12 @@ pnm_load_raw (PNMScanner *scan,
>> +     bpc = 1;
>> +
>> +   /* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */
>> +-  data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc);
>> ++  if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) ||
>> ++      ! g_size_checked_mul (&data_size, data_size, info->np)             ||
>> ++      ! g_size_checked_mul (&data_size, data_size, bpc))
>> ++    CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value."));
>> ++
>> ++  data = g_new (guchar, data_size);
>> +
>> +   input = pnmscanner_input (scan);
>> +
>> diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
>> index 9f38cdcd03..f529930dff 100644
>> --- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
>> +++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
>> @@ -56,11 +56,13 @@ GIDOCGEN_MESON_OPTION = "gi-docgen"
>>  GIDOCGEN_MESON_ENABLE_FLAG = "enabled"
>>  GIDOCGEN_MESON_DISABLE_FLAG = "disabled"
>>
>> -SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz"
>> -SRC_URI += "file://0001-gimp-cross-compile-fix-for-bz2.patch"
>> -SRC_URI += "file://0002-meson.build-reproducibility-fix.patch"
>> -SRC_URI += "file://0001-meson.build-dont-check-for-lgi.patch"
>> -SRC_URI += "file://0001-meson.build-require-iso-codes-native.patch"
>> +SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \
>> +           file://0001-gimp-cross-compile-fix-for-bz2.patch \
>> +           file://0002-meson.build-reproducibility-fix.patch \
>> +           file://0001-meson.build-dont-check-for-lgi.patch \
>> +           file://0001-meson.build-require-iso-codes-native.patch \
>> +           file://CVE-2025-14422.patch \
>> +           "
>>  SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"
>>
>>  PACKAGECONFIG[aa] = "-Daa=enabled,-Daa=disabled,aalib"
>>
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#123135): https://lists.openembedded.org/g/openembedded-devel/message/123135
>> Mute This Topic: https://lists.openembedded.org/mt/117084023/3619737
>> Group Owner: openembedded-devel+owner@lists.openembedded.org
>> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [ankur.tyagi85@gmail.com]
>> -=-=-=-=-=-=-=-=-=-=-=-
>>
Ankur Tyagi Jan. 6, 2026, 9:08 a.m. UTC | #3
On Tue, Jan 6, 2026 at 9:58 PM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
>
> I don't really see the relation between these and the gimp patches...

Agree, I also mentioned that the build errors and gimp patches are not related.

> For mozjs you could take a look at this[1] patch - I believe it solves
> the same problem.
> For libjxl, Khem has commited a line some time ago[2] that touches
> CFLAGS. Try to do the same, but for CXXFLAGS.
>

Thanks for the pointers, I'll try them.

> [1]:
> https://github.com/OSSystems/meta-browser/blob/master/meta-firefox/recipes-browser/firefox/firefox/0001-add-musl-support.patch
> [2]:
> https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-multimedia/libjxl/libjxl_0.11.1.bb#n47
>
> On 1/6/26 05:42, Ankur Tyagi wrote:
> > Hi Gyorgy,
> >
> > This is causing following build failures on qemuarm with musl and clang
> >
> > mozjs:
> > | /usr/src/debug/mozjs-128/128.5.2/mozglue/misc/StackWalk.cpp:810:(.text._ZL15unwind_callbackP15_Unwind_ContextPv+0x4):
> > undefined reference to `_Unwind_GetIP'
> > | arm-poky-linux-musleabi-clang++: error: linker command failed with
> > exit code 1 (use -v to see invocation)
> >
> > libjxl:
> > FAILED: [code=1] lib/CMakeFiles/jxl_dec-obj.dir/jxl/convolve_separable5.cc.o
> > /yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot-native/usr/bin/arm-poky-linux-musleabi/arm-poky-linux-musleabi-clang++
> > --sysroot=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot
> > -DFJXL_ENABLE_AVX512=0 -DJXL_INTERNAL_LIBRARY_BUILD
> > -D__DATE__=\"redacted\" -D__TIMESTAMP__=\"redacted\"
> > -D__TIME__=\"redacted\"
> > -I/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1
> > -isystem /yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/build/lib/include
> > -mthumb -mfpu=neon -mfloat-abi=hard -mcpu=cortex-a15
> > --dyld-prefix=/usr -fstack-protector-strong  -O2 -D_FORTIFY_SOURCE=2
> > -Wformat -Wformat-security -Werror=format-security -D_TIME_BITS=64
> > -D_FILE_OFFSET_BITS=64
> > --sysroot=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot
> >  -O2 -g   -ffile-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1=/usr/src/debug/libjxl/0.11.1
> >  -ffile-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/build=/usr/src/debug/libjxl/0.11.1
> >  -ffile-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot=
> >  -ffile-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot-native=
> >  -pipe -fvisibility-inlines-hidden -fno-rtti -DNDEBUG -std=c++17 -fPIC
> > -fvisibility=hidden -fvisibility-inlines-hidden
> > -fmacro-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1=.
> > "-DHWY_DISABLED_TARGETS=(HWY_SSSE3|HWY_AVX3|HWY_AVX3_SPR|HWY_AVX3_ZEN4)"
> > -funwind-tables -Xclang -mrelax-all -fno-omit-frame-pointer
> > -Wno-builtin-macro-redefined -Wall -fmerge-all-constants
> > -fno-builtin-fwrite -fno-builtin-fread -Wextra -Wc++11-compat
> > -Warray-bounds -Wformat-security -Wimplicit-fallthrough -Wno-register
> > -Wno-unused-function -Wno-unused-parameter -Wnon-virtual-dtor
> > -Woverloaded-virtual -Wvla -Wdeprecated-increment-bool
> > -Wfloat-overflow-conversion -Wfloat-zero-conversion
> > -Wfor-loop-analysis -Wgnu-redeclared-enum -Winfinite-recursion
> > -Wliteral-conversion -Wno-c++98-compat
> > -Wno-unused-command-line-argument -Wprivate-header -Wself-assign
> > -Wstring-conversion -Wtautological-overlap-compare
> > -Wthread-safety-analysis -Wundefined-func-template -Wunreachable-code
> > -Wunused-comparison -fsized-deallocation -fno-exceptions -fmath-errno
> > -fnew-alignment=8 -fno-cxx-exceptions -fno-slp-vectorize
> > -fno-vectorize -disable-free -disable-llvm-verifier
> > -DJPEGXL_ENABLE_SKCMS=1 -DJPEGXL_ENABLE_TRANSCODE_JPEG=1
> > -DJPEGXL_ENABLE_BOXES=1 -MD -MT
> > lib/CMakeFiles/jxl_dec-obj.dir/jxl/convolve_separable5.cc.o -MF
> > lib/CMakeFiles/jxl_dec-obj.dir/jxl/convolve_separable5.cc.o.d -o
> > lib/CMakeFiles/jxl_dec-obj.dir/jxl/convolve_separable5.cc.o -c
> > /yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1/lib/jxl/convolve_separable5.cc
> > error: out of range pc-relative fixup value
> > 1 error generated.
> > ninja: build stopped: subcommand failed.
> >
> > It builds on qemux86 with musl and clang though.
> >
> > Having said that, I don't think the problem is due to your patch as
> > gimp fails to build on qemuarm with musl and clang even without your
> > patches.
> >
> > So this needs to be investigated separately.
> >
> > cheers
> > Ankur
> >
> > On Mon, Jan 5, 2026 at 11:02 PM Gyorgy Sarvari via
> > lists.openembedded.org <skandigraun=gmail.com@lists.openembedded.org>
> > wrote:
> >> Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14422
> >>
> >> Pick the patch referenced by the NVD report.
> >>
> >> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> >> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> >> (cherry picked from commit a0b41204afe57f9b2b3f2e8ff496be72d04e0eb7)
> >> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> >> ---
> >>  .../gimp/gimp/CVE-2025-14422.patch            | 66 +++++++++++++++++++
> >>  meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb    | 12 ++--
> >>  2 files changed, 73 insertions(+), 5 deletions(-)
> >>  create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch
> >>
> >> diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch
> >> new file mode 100644
> >> index 0000000000..420e013916
> >> --- /dev/null
> >> +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch
> >> @@ -0,0 +1,66 @@
> >> +From 0a941cab81396d65a8ab547847f8c542039e214f Mon Sep 17 00:00:00 2001
> >> +From: Gyorgy Sarvari <skandigraun@gmail.com>
> >> +Date: Sun, 23 Nov 2025 16:43:51 +0000
> >> +Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273
> >> +
> >> +From: Alx Sa <cmyk.student@gmail.com>
> >> +
> >> +Resolves #15286
> >> +Adds a check to the memory allocation
> >> +in pnm_load_raw () with g_size_checked_mul ()
> >> +to see if the size would go out of bounds.
> >> +If so, we don't try to allocate and load the
> >> +image.
> >> +
> >> +CVE: CVE-2025-14422
> >> +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/4ff2d773d58064e6130495de498e440f4a6d5edb]
> >> +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> >> +---
> >> + plug-ins/common/file-pnm.c | 13 +++++++++++--
> >> + 1 file changed, 11 insertions(+), 2 deletions(-)
> >> +
> >> +diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c
> >> +index 32a33a4..9d349e9 100644
> >> +--- a/plug-ins/common/file-pnm.c
> >> ++++ b/plug-ins/common/file-pnm.c
> >> +@@ -674,7 +674,7 @@ load_image (GFile   *file,
> >> +             GError **error)
> >> + {
> >> +   GInputStream    *input;
> >> +-  GeglBuffer      *buffer;
> >> ++  GeglBuffer      *buffer    = NULL;
> >> +   GimpImage * volatile image = NULL;
> >> +   GimpLayer       *layer;
> >> +   char             buf[BUFLEN + 4];  /* buffer for random things like scanning */
> >> +@@ -708,6 +708,9 @@ load_image (GFile   *file,
> >> +       g_object_unref (input);
> >> +       g_free (pnminfo);
> >> +
> >> ++      if (buffer)
> >> ++        g_object_unref (buffer);
> >> ++
> >> +       if (image)
> >> +         gimp_image_delete (image);
> >> +
> >> +@@ -1060,6 +1063,7 @@ pnm_load_raw (PNMScanner *scan,
> >> +   const Babl   *format = NULL;
> >> +   gint          bpc;
> >> +   guchar       *data, *d;
> >> ++  gsize         data_size;
> >> +   gushort      *s;
> >> +   gint          x, y, i;
> >> +   gint          start, end, scanlines;
> >> +@@ -1070,7 +1074,12 @@ pnm_load_raw (PNMScanner *scan,
> >> +     bpc = 1;
> >> +
> >> +   /* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */
> >> +-  data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc);
> >> ++  if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) ||
> >> ++      ! g_size_checked_mul (&data_size, data_size, info->np)             ||
> >> ++      ! g_size_checked_mul (&data_size, data_size, bpc))
> >> ++    CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value."));
> >> ++
> >> ++  data = g_new (guchar, data_size);
> >> +
> >> +   input = pnmscanner_input (scan);
> >> +
> >> diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
> >> index 9f38cdcd03..f529930dff 100644
> >> --- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
> >> +++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
> >> @@ -56,11 +56,13 @@ GIDOCGEN_MESON_OPTION = "gi-docgen"
> >>  GIDOCGEN_MESON_ENABLE_FLAG = "enabled"
> >>  GIDOCGEN_MESON_DISABLE_FLAG = "disabled"
> >>
> >> -SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz"
> >> -SRC_URI += "file://0001-gimp-cross-compile-fix-for-bz2.patch"
> >> -SRC_URI += "file://0002-meson.build-reproducibility-fix.patch"
> >> -SRC_URI += "file://0001-meson.build-dont-check-for-lgi.patch"
> >> -SRC_URI += "file://0001-meson.build-require-iso-codes-native.patch"
> >> +SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \
> >> +           file://0001-gimp-cross-compile-fix-for-bz2.patch \
> >> +           file://0002-meson.build-reproducibility-fix.patch \
> >> +           file://0001-meson.build-dont-check-for-lgi.patch \
> >> +           file://0001-meson.build-require-iso-codes-native.patch \
> >> +           file://CVE-2025-14422.patch \
> >> +           "
> >>  SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"
> >>
> >>  PACKAGECONFIG[aa] = "-Daa=enabled,-Daa=disabled,aalib"
> >>
> >> -=-=-=-=-=-=-=-=-=-=-=-
> >> Links: You receive all messages sent to this group.
> >> View/Reply Online (#123135): https://lists.openembedded.org/g/openembedded-devel/message/123135
> >> Mute This Topic: https://lists.openembedded.org/mt/117084023/3619737
> >> Group Owner: openembedded-devel+owner@lists.openembedded.org
> >> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [ankur.tyagi85@gmail.com]
> >> -=-=-=-=-=-=-=-=-=-=-=-
> >>
>

Patch

diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch
new file mode 100644
index 0000000000..420e013916
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch
@@ -0,0 +1,66 @@ 
+From 0a941cab81396d65a8ab547847f8c542039e214f Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Sun, 23 Nov 2025 16:43:51 +0000
+Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273
+
+From: Alx Sa <cmyk.student@gmail.com>
+
+Resolves #15286
+Adds a check to the memory allocation
+in pnm_load_raw () with g_size_checked_mul ()
+to see if the size would go out of bounds.
+If so, we don't try to allocate and load the
+image.
+
+CVE: CVE-2025-14422
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/4ff2d773d58064e6130495de498e440f4a6d5edb]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ plug-ins/common/file-pnm.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c
+index 32a33a4..9d349e9 100644
+--- a/plug-ins/common/file-pnm.c
++++ b/plug-ins/common/file-pnm.c
+@@ -674,7 +674,7 @@ load_image (GFile   *file,
+             GError **error)
+ {
+   GInputStream    *input;
+-  GeglBuffer      *buffer;
++  GeglBuffer      *buffer    = NULL;
+   GimpImage * volatile image = NULL;
+   GimpLayer       *layer;
+   char             buf[BUFLEN + 4];  /* buffer for random things like scanning */
+@@ -708,6 +708,9 @@ load_image (GFile   *file,
+       g_object_unref (input);
+       g_free (pnminfo);
+ 
++      if (buffer)
++        g_object_unref (buffer);
++
+       if (image)
+         gimp_image_delete (image);
+ 
+@@ -1060,6 +1063,7 @@ pnm_load_raw (PNMScanner *scan,
+   const Babl   *format = NULL;
+   gint          bpc;
+   guchar       *data, *d;
++  gsize         data_size;
+   gushort      *s;
+   gint          x, y, i;
+   gint          start, end, scanlines;
+@@ -1070,7 +1074,12 @@ pnm_load_raw (PNMScanner *scan,
+     bpc = 1;
+ 
+   /* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */
+-  data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc);
++  if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) ||
++      ! g_size_checked_mul (&data_size, data_size, info->np)             ||
++      ! g_size_checked_mul (&data_size, data_size, bpc))
++    CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value."));
++
++  data = g_new (guchar, data_size);
+ 
+   input = pnmscanner_input (scan);
+ 
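Review bot: The comment kept directly above the new size check, `/* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */`, is now stale: the product is computed with g_size_checked_mul () and a wrapped size is rejected explicitly, so the stated precondition no longer describes what the code relies on. The error string reused for that rejection, `_("Unsupported maximum value.")`, names the wrong field as well; a reader diagnosing a rejected file will look at the maxval rather than at the image dimensions that actually overflowed. Both come verbatim from the upstream commit named in Upstream-Status, so they should not be edited in this backport, but they are worth carrying upstream as a follow-up, e.g. replacing the comment with `/* Reject a size whose product wraps; g_new () would otherwise be handed a too-small buffer */` and using a message that mentions the image size. The bodies of load_image and pnm_load_raw continue outside this hunk, so whether any other allocation in the loader derives a size from the same header fields cannot be judged from here.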
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
index 9f38cdcd03..f529930dff 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
@@ -56,11 +56,13 @@  GIDOCGEN_MESON_OPTION = "gi-docgen"
 GIDOCGEN_MESON_ENABLE_FLAG = "enabled"
 GIDOCGEN_MESON_DISABLE_FLAG = "disabled"
 
-SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz"
-SRC_URI += "file://0001-gimp-cross-compile-fix-for-bz2.patch"
-SRC_URI += "file://0002-meson.build-reproducibility-fix.patch"
-SRC_URI += "file://0001-meson.build-dont-check-for-lgi.patch"
-SRC_URI += "file://0001-meson.build-require-iso-codes-native.patch"
+SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \
+           file://0001-gimp-cross-compile-fix-for-bz2.patch \
+           file://0002-meson.build-reproducibility-fix.patch \
+           file://0001-meson.build-dont-check-for-lgi.patch \
+           file://0001-meson.build-require-iso-codes-native.patch \
+           file://CVE-2025-14422.patch \
+           "
 SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"
 
 PACKAGECONFIG[aa] = "-Daa=enabled,-Daa=disabled,aalib"
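Review bot: The SRC_URI rewrite at the top of this hunk replaces four working `+=` lines with one multi-line assignment, which is unrelated to the CVE fix and makes the backport larger than the single `SRC_URI += "file://CVE-2025-14422.patch"` line it needs. Since the commit message says this is a cherry-pick from master, keeping the same layout may be deliberate so that later CVE backports apply without conflicts; if so, one sentence in the commit message saying that would save the next reviewer the question.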