new file mode 100644
@@ -0,0 +1,34 @@
+From 658a8a07b831b82bd9e9592c18f21e4d4d7392af Mon Sep 17 00:00:00 2001
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Mon, 10 Mar 2025 04:07:44 +0000
+Subject: [PATCH] plug-ins: Fix ZDI-CAN-25100 for FLI plug-in
+
+Resolves #13073
+This patch adds a check to make sure we're not
+writing beyond the bounds of the "pos" array.
+This is the same check that we do earlier when
+writing pos[xc++], but it was left off of the last
+write command. Since "n" will be 0 if we get to the
+end of the array, it prevents us from writing beyond
+that.
+
+CVE: CVE-2025-2761
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/0806bc76ca74543d20e1307ccf6aebd26395c56c]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ plug-ins/file-fli/fli.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plug-ins/file-fli/fli.c b/plug-ins/file-fli/fli.c
+index c2e28e4..209b5ec 100644
+--- a/plug-ins/file-fli/fli.c
++++ b/plug-ins/file-fli/fli.c
+@@ -1026,7 +1026,7 @@ fli_read_lc_2 (FILE *f,
+ xc += len << 1;
+ }
+ }
+- if (lpf)
++ if (lpf && xc < n)
+ pos[xc] = lpn;
+ yc++;
+ }
@@ -53,6 +53,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
file://CVE-2025-15059.patch \
file://CVE-2025-2760-1.patch \
file://CVE-2025-2760-2.patch \
+ file://CVE-2025-2761.patch \
"
SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2761 Pick the patch from the relevant upstream bug[1]. [1]: https://gitlab.gnome.org/GNOME/gimp/-/issues/13073 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../gimp/gimp/CVE-2025-2761.patch | 34 +++++++++++++++++++ meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | 1 + 2 files changed, 35 insertions(+) create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2761.patch