[meta-gnome,kirkstone,2/3] gimp: patch CVE-2023-44442

Message ID	20260309182100.717697-2-skandigraun@gmail.com
State	New
Headers	show Return-Path: <skandigraun@gmail.com> ip: 209.85.221.50, mailfrom: skandigraun@gmail.com) From: Gyorgy Sarvari <skandigraun@gmail.com> To: openembedded-devel@lists.openembedded.org Subject: [meta-gnome][kirkstone][PATCH 2/3] gimp: patch CVE-2023-44442 Date: Mon, 9 Mar 2026 19:20:59 +0100 Message-ID: <20260309182100.717697-2-skandigraun@gmail.com> In-Reply-To: <20260309182100.717697-1-skandigraun@gmail.com> References: <20260309182100.717697-1-skandigraun@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[meta-gnome,kirkstone,1/3] gimp: patch CVE-2023-44441 \| expand [meta-gnome,kirkstone,1/3] gimp: patch CVE-2023-44441 [meta-gnome,kirkstone,2/3] gimp: patch CVE-2023-44442 [meta-gnome,kirkstone,3/3] gimp: patch CVE-2023-44443 and CVE-2023-44444

Message ID

20260309182100.717697-2-skandigraun@gmail.com

State

New

Headers

From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-gnome][kirkstone][PATCH 2/3] gimp: patch CVE-2023-44442
Date: Mon,  9 Mar 2026 19:20:59 +0100
Message-ID: <20260309182100.717697-2-skandigraun@gmail.com>
In-Reply-To: <20260309182100.717697-1-skandigraun@gmail.com>
References: <20260309182100.717697-1-skandigraun@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[meta-gnome,kirkstone,1/3] gimp: patch CVE-2023-44441 | expand

Commit Message

Gyorgy Sarvari March 9, 2026, 6:20 p.m. UTC

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-44442

Backport the patch that resolved the related upstream issue[1].

[1]: https://gitlab.gnome.org/GNOME/gimp/-/issues/10101

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../gimp/gimp/CVE-2023-44442.patch            | 28 +++++++++++++++++++
 meta-gnome/recipes-gimp/gimp/gimp_2.10.30.bb  |  1 +
 2 files changed, 29 insertions(+)
 create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2023-44442.patch

diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2023-44442.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2023-44442.patch
new file mode 100644
index 0000000000..8b51b35792
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2023-44442.patch
@@ -0,0 +1,28 @@ 
+From a4f550be80f2f771927e2df9ae09e3f3354d22f1 Mon Sep 17 00:00:00 2001
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Fri, 29 Sep 2023 20:39:29 +0000
+Subject: [PATCH] plug-ins: Fix vulnerability in file-psd
+
+Resolves #10101.
+This patch adds a missing break statement after an error condition
+is detected to prevent the code from continuing afterwards.
+
+CVE: CVE-2023-44442
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ plug-ins/file-psd/psd-util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plug-ins/file-psd/psd-util.c b/plug-ins/file-psd/psd-util.c
+index 5686bb7..8514b07 100644
+--- a/plug-ins/file-psd/psd-util.c
++++ b/plug-ins/file-psd/psd-util.c
+@@ -518,6 +518,7 @@ decode_packbits (const gchar *src,
+             {
+               IFDBG(2) g_debug ("Overrun in packbits replicate of %d chars", n - unpack_left);
+               error_code = 2;
++              break;
+             }
+           memset (dst, *src, n);
+           src++;
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.30.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.30.bb
index 124760651d..ff34bfa6fd 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.30.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.30.bb
@@ -49,6 +49,7 @@  SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
            file://CVE-2022-32990-2.patch \
            file://CVE-2022-32990-3.patch \
            file://CVE-2023-44441.patch \
+           file://CVE-2023-44442.patch \
            "
 SRC_URI[sha256sum] = "88815daa76ed7d4277eeb353358bafa116cd2fcd2c861d95b95135c1d52b67dc"

[meta-gnome,kirkstone,2/3] gimp: patch CVE-2023-44442

Commit Message

Patch