
[meta-gnome,scarthgap,4/6] gimp: patch CVE-2025-14425

Message ID 20260112053440.3694238-4-ankur.tyagi85@gmail.com

Commit Message

Ankur Tyagi Jan. 12, 2026, 5:34 a.m. UTC
From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14425

The patch referenced by the NVD report targets "file-jp2.c", which was renamed
from "file-jp2-load.c" by commit [1] in later versions; the backport below applies
to the 2.10 file name, "file-jp2-load.c".
[1] https://gitlab.gnome.org/GNOME/gimp/-/commit/19c57a9765ac3451c9cde94ccb06bec5ae06fbd8

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../gimp/gimp/CVE-2025-14425.patch            | 70 +++++++++++++++++++
 meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb  |  1 +
 2 files changed, 71 insertions(+)
 create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch

diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch
new file mode 100644
index 0000000000..459516ec9e
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch
@@ -0,0 +1,70 @@ 
+From 012406d60ca09239403ce989cf9e793b82e47e74 Mon Sep 17 00:00:00 2001
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Wed, 12 Nov 2025 13:25:44 +0000
+Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28248 for JP2 images
+
+Resolves #15285
+Per the report, it's possible to exceed the size of the pixel buffer
+with a high precision_scaled value, as we size it to the width * bpp.
+This patch includes precision_scaled in the allocation calculation.
+It also adds a g_size_checked_mul () check to ensure there's no
+overflow, and moves the pixel and buffer memory freeing to occur
+in the out section so that it always runs even on failure.
+
+CVE: CVE-2025-14425
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/cd1c88a0364ad1444c06536731972a99bd8643fd]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ plug-ins/common/file-jp2-load.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/plug-ins/common/file-jp2-load.c b/plug-ins/common/file-jp2-load.c
+index 9ab43b5349..d29278a4d2 100644
+--- a/plug-ins/common/file-jp2-load.c
++++ b/plug-ins/common/file-jp2-load.c
+@@ -1055,9 +1055,10 @@ load_image (const gchar       *filename,
+   gint               width;
+   gint               height;
+   gint               num_components;
+-  GeglBuffer        *buffer;
++  GeglBuffer        *buffer = NULL;
+   gint               i, j, k, it;
+-  guchar            *pixels;
++  guchar            *pixels = NULL;
++  gsize              pixels_size;
+   const Babl        *file_format;
+   gint               bpp;
+   GimpPrecision      image_precision;
+@@ -1298,7 +1299,14 @@ load_image (const gchar       *filename,
+   bpp = babl_format_get_bytes_per_pixel (file_format);
+ 
+   buffer = gimp_drawable_get_buffer (layer_ID);
+-  pixels = g_new0 (guchar, width * bpp);
++  if (! g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8))))
++    {
++      g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++                   _("Defined row size is too large in JP2 image '%s'."),
++                   gimp_file_get_utf8_name (filename));
++      goto out;
++    }
++  pixels = g_new0 (guchar, pixels_size);
+ 
+   for (i = 0; i < height; i++)
+     {
+@@ -1325,12 +1333,13 @@ load_image (const gchar       *filename,
+                          file_format, pixels, GEGL_AUTO_ROWSTRIDE);
+     }
+ 
+-  g_free (pixels);
+-
+-  g_object_unref (buffer);
+   gimp_progress_update (1.0);
+ 
+  out:
++  if (pixels)
++    g_free (pixels);
++  if (buffer)
++    g_object_unref (buffer);
+   if (profile)
+     g_object_unref (profile);
+   if (image)
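Review bot: The new `g_size_checked_mul` call only checks the outer product; `bpp * (precision_scaled / 8)` is evaluated first as plain gint arithmetic, so a precision_scaled below 8 makes that factor 0, `pixels_size` becomes 0, `g_new0` returns NULL, and the row loop that follows (its body is outside the hunk) would write through a null pointer instead of failing the check. Where precision_scaled is assigned is outside this hunk; if load_image already normalises it to 8/16/32, a comment on the call stating that assumption is enough, otherwise reject the degenerate case before the multiply, reusing the same error path: `if (width <= 0 || precision_scaled < 8) { g_set_error (error, GIMP_PLUG_IN_ERROR, 0, _("Invalid row size in JP2 image '%s'."), gimp_file_get_utf8_name (filename)); goto out; }`. A negative `width` (a gint passed to a gsize parameter) converts to a huge value and is correctly rejected by the checked multiply, but a zero width is not. As a style point, the `if (pixels)` guard in the out section is redundant because `g_free (NULL)` is a no-op, whereas the `if (buffer)` guard is needed since `g_object_unref` does not accept NULL. load_image begins and ends outside this hunk.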
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
index 096f40f79d..68daac776d 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
@@ -48,6 +48,7 @@  SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
            file://0001-configure-Keep-first-line-of-compiler-version-string.patch \
            file://0001-libtool-Do-not-add-build-time-library-paths-to-LD_LI.patch \
            file://CVE-2025-14422.patch \
+           file://CVE-2025-14425.patch \
 "
 SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"