From patchwork Thu Mar 5 11:07:07 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 82555 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 905A2F30939 for ; Thu, 5 Mar 2026 11:07:21 +0000 (UTC) Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.41962.1772708836468065582 for ; Thu, 05 Mar 2026 03:07:16 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=YSXKxIzb; spf=pass (domain: gmail.com, ip: 209.85.128.54, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-4837f27cf2dso72203585e9.2 for ; Thu, 05 Mar 2026 03:07:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772708835; x=1773313635; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=mu4Iq2G7KwmzAMuRRuuKVQgwEHuVJJ9bHtQzkvOfjXQ=; b=YSXKxIzbqb9HTMJvzRd7zE8GO7CY/2kw/DuF8uO2TLMSje1EIy6m+ghHZvGyGUZ3b7 1CwAXFECLIyJcoijy7Nls/UfRC4UsdOIHEmOwSLGKuswlfuD0CWLcjTJD7yuah5BCROz OfUbxU6hv51zDFyf3VlmbLT+JvNBLwxmxCqmyyda9/QnRgQl4sgxXBTd/kWVs2iGODTb TLtZMTqa9aWIShJoyctj52XWel5HAJbIlf3/BwbfJ7eMWI2tvVMG2khEgnzP6LCWuxBi hLEtYKpHSWIvXP8T2nGkI6l7yUXy8Ll6YtN9nIxZXKL+zgES/NG2ho7DuIaYIUt76Rs5 Oaug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772708835; x=1773313635; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=mu4Iq2G7KwmzAMuRRuuKVQgwEHuVJJ9bHtQzkvOfjXQ=; b=e4sPwRrvRyglc7utmZ7u/CJIeLlEEZjPkoaKkpPJ51ttKxK5VN0KVKLWTVh6+6zGou a4FdsGU4tiED5PnYvABvlWBUQ8aKvrhnKfOuTiZSfyuaEjWP3KXwpsEwpdKRSggvQ0p3 xj48jzNw/6yQ3mYqrp8RGQOVrcSKibfgr37wAQNI3nAn8WyPTYCmpj509sy3dw1dv+Wt JU0vjljJMYP9RBy3pfwxTIQxPQkoYfI2Ddjx/U77AoqL1EqCPKNkXpT68DIrE9mRdVDz +qTEop547E2qKp+RLlmUozrNew/G6u0Dwb09k5G9qXEfWv3NmNjz5x4PR6HXL7lAHTs5 E1QQ== X-Gm-Message-State: AOJu0YyubxJzLd/xCdHDYVtkayUy8IyiOGDVlH3VpMD9v6ey+DU/ndiq bLKbxpU97tLFa61KUm2j0fHPsK8huBh13hLl80RtQOLdVcZgjvf48EC7j6tF1g== X-Gm-Gg: ATEYQzwILUGjkzbPyGQSaFNp/3Da1C6qOg8/g9m3Shd+5HjjGeVZj7pKpTLc8SJWUFE rVCTnGHBoYy2CuzqWA8CxY9bsyHluWxx/6w5Yo016U4B9376IplNa5uvh0BwQMDZQqlsFs7/YGl V3YrATIMoMUECKGcPfynQfB0RnFw/+/fnqsu89JJ1+3l/uKvbjS9cAl4H8cRmJrNWCjczoWS5+C rXMcTLkSHEkgWN4ou1B/voW5LqgFsSNHJp2+Wbbm+cKQzpMfJaIjlpl7VXnpLYVo5thNmkKZqIQ m5dRfVgnp6SMVRJVDnmfiQc7rf6Dkl2rpa7ID5QXY5YI8/xautkFEcb/8hEO4raYehAra2z8odK zVuuKOtDJra93WSdkq5hp7vSa68SupuJoxQ3PnWG99qNTYdvVDkbTFwHTagl/KdMpvPW3YqaPnW I0y4Y4ltmn2jpWry0/pWB+ X-Received: by 2002:a05:600c:4e8b:b0:477:6d96:b3c8 with SMTP id 5b1f17b1804b1-48519896e5fmr97423035e9.23.1772708834395; Thu, 05 Mar 2026 03:07:14 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4851faeaec0sm32269505e9.11.2026.03.05.03.07.13 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Mar 2026 03:07:13 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-gnome][scarthgap][PATCH 1/7] gimp: patch CVE-2025-2760 Date: Thu, 5 Mar 2026 12:07:07 +0100 Message-ID: <20260305110713.2893128-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Mar 2026 11:07:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124866 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2760 Use the fixes from Debian. Signed-off-by: Gyorgy Sarvari --- .../gimp/gimp/CVE-2025-2760-1.patch | 38 +++++++++ .../gimp/gimp/CVE-2025-2760-2.patch | 84 +++++++++++++++++++ meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | 2 + 3 files changed, 124 insertions(+) create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-1.patch create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-2.patch diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-1.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-1.patch new file mode 100644 index 0000000000..d5871958b4 --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-1.patch @@ -0,0 +1,38 @@ +From e4e21387f773598915a2399b348d019fd9c26ad6 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Thu, 5 Mar 2026 09:06:34 +0100 +Subject: [PATCH] CVE-2025-2760 + +https://gitlab.gnome.org/GNOME/gimp/-/issues/12790#note_2328950 + +Gimp stopped supporting 2.10.x series (in favor of 3.x), and they do not +plan to fix this in the old version. This patch is taken from Debian, +and is a backport of the fix from 3.x series. + +CVE: CVE-2025-2760 +Upstream-Status: Inappropriate [unsupported version. Debian ref: https://sources.debian.org/patches/gimp/2.10.34-1+deb12u8/CVE-2025-2760.patch/] + +Signed-off-by: Gyorgy Sarvari +--- + plug-ins/file-dds/ddsread.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c +index dcb4449..da35a0b 100644 +--- a/plug-ins/file-dds/ddsread.c ++++ b/plug-ins/file-dds/ddsread.c +@@ -934,6 +934,14 @@ load_layer (FILE *fp, + if (width < 1) width = 1; + if (height < 1) height = 1; + ++ if (width <= 0 ||height <= 0 || d->gimp_bpp <= 0 || ++ (gsize) width > G_MAXSIZE / height || ++ (gsize) width * height > G_MAXSIZE / d->gimp_bpp) ++ { ++ g_message ("Invalid dimensions in header."); ++ return 0; ++ } ++ + switch (d->bpp) + { + case 1: diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-2.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-2.patch new file mode 100644 index 0000000000..196ae11376 --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-2.patch @@ -0,0 +1,84 @@ +From f7a458d072c266a4b2ae48de9ecec1706faad170 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Thu, 5 Mar 2026 09:07:19 +0100 +Subject: [PATCH] plug-ins/dds: fix #12790 for 32-bit + +with 2.10 backport bits by Sylvain Beucler + +Gimp stopped supporting 2.10.x series (in favor of 3.x), and they do not +plan to fix this in the old version. This patch is taken from Debian, +and is a backport of the fix from 3.x series. + +CVE: CVE-2025-2760 +Upstream-Status: Inappropriate [unsupported version. Debian ref: https://sources.debian.org/patches/gimp/2.10.34-1+deb12u8/CVE-2025-2760-32bit-followup.patch/] +Signed-off-by: Gyorgy Sarvari +--- + plug-ins/file-dds/ddsread.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c +index da35a0b..e0b53f6 100644 +--- a/plug-ins/file-dds/ddsread.c ++++ b/plug-ins/file-dds/ddsread.c +@@ -169,26 +169,33 @@ read_dds (gchar *filename, + /* a lot of DDS images out there don't have this for some reason -_- */ + if (hdr.pitch_or_linsize == 0) + { ++ gboolean valid = TRUE; + if (hdr.pixelfmt.flags & DDPF_FOURCC) /* assume linear size */ + { +- hdr.pitch_or_linsize = ((hdr.width + 3) >> 2) * ((hdr.height + 3) >> 2); ++ valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, (hdr.width + 3) >> 2, (hdr.height + 3) >> 2); + switch (GETL32(hdr.pixelfmt.fourcc)) + { + case FOURCC ('D','X','T','1'): + case FOURCC ('A','T','I','1'): + case FOURCC ('B','C','4','U'): + case FOURCC ('B','C','4','S'): +- hdr.pitch_or_linsize *= 8; ++ valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.pitch_or_linsize, 8); + break; + default: +- hdr.pitch_or_linsize *= 16; ++ valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.pitch_or_linsize, 16); + break; + } + } + else /* assume pitch */ + { +- hdr.pitch_or_linsize = hdr.height * hdr.width * (hdr.pixelfmt.bpp >> 3); ++ valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.height, hdr.width); ++ valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.pitch_or_linsize, hdr.pixelfmt.bpp >> 3); + } ++ if (!valid) { ++ fclose (fp); ++ g_message ("Image size is too big to handle.\n"); ++ return GIMP_PDB_EXECUTION_ERROR; ++ } + } + + if (hdr.pixelfmt.flags & DDPF_FOURCC) +@@ -1217,14 +1224,19 @@ load_layer (FILE *fp, + { + unsigned char *dst; + +- dst = g_malloc (width * height * d->gimp_bpp); +- memset (dst, 0, width * height * d->gimp_bpp); ++ dst = g_malloc ((gsize) width * height * d->gimp_bpp); ++ memset (dst, 0, (gsize) width * height * d->gimp_bpp); + + if (d->gimp_bpp == 4) + { +- for (y = 0; y < height; ++y) ++ guchar *dst_line; ++ ++ dst_line = dst; ++ for (y = 0; y < height; ++y) { + for (x = 0; x < width; ++x) +- dst[y * (width * 4) + (x * 4) + 3] = 255; ++ dst_line[(x * 4) + 3] = 255; ++ dst_line += width * 4; ++ } + } + + dxt_decompress (dst, buf, format, size, width, height, d->gimp_bpp, diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb index 95a6dfd7c8..afb1cd69e5 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb @@ -51,6 +51,8 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \ file://CVE-2025-14425.patch \ file://CVE-2025-5473.patch \ file://CVE-2025-15059.patch \ + file://CVE-2025-2760-1.patch \ + file://CVE-2025-2760-2.patch \ " SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e" From patchwork Thu Mar 5 11:07:08 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 82556 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0613AF30944 for ; Thu, 5 Mar 2026 11:07:22 +0000 (UTC) Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.41720.1772708836936146079 for ; Thu, 05 Mar 2026 03:07:17 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=TdAZAMSI; spf=pass (domain: gmail.com, ip: 209.85.128.48, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f48.google.com with SMTP id 5b1f17b1804b1-48372efa020so70220685e9.2 for ; Thu, 05 Mar 2026 03:07:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772708835; x=1773313635; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Q0QVSjAY/97AJbT/R2eFzf1+ldJPRgBqB76tDwzlxNg=; b=TdAZAMSIs13GHX6GUCGacORUdi17rsHUskePNkldvfRVkhPglBlyKYRhaWVyi9OGf3 Dba6TC/7zh3epsMiab7sy4MCDYXj0+OfjLFkQztKy3jEsHrf+P9UXjRgVfX3UFLbA3hz kbDdeouKX/DWJV1FFcy3kYc6QEBvCnX/RS9yZrx8+D8O8YoZqnfGfXmHGQ2U8t2feXba qND6tIHVrbN32L24ot3uRgwjLMa7LP8YXWdd+O0Z0lM4ypeAStcsgkUs/w/l9DJMb1/V ukprIMWapWXWFxMDmfpHgMkLB59JDS4T7q+flthY1B+PfsP09oWyFsDPttyHbrYsyRmy ntug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772708835; x=1773313635; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=Q0QVSjAY/97AJbT/R2eFzf1+ldJPRgBqB76tDwzlxNg=; b=oRDCmNnBM0QfLt7euVeYnzB0P/gpTyJKvcp/oDRfDCecejZWY2IodFOcw0MurCjgWa iN+NawTMubTAApX5Po6LNHtTbb0ee9WrS2mXUGgAYD/OzNj+NtIPcqg3GQ9PIyNOSUTQ YID/ZSFiLnyrRfzmT1D9CWU9SCMEzQ8NyRYLQCqjyExZsLj4uBtpki1jbISYIbv7HVht IeiyZ9cpQzOpeAMyolqf3StAy5QXVDK5UdOilW/TeYd0ReMthS7lFNtMjhLFx4WRbozG jZklgi/luWd26/pW2mHLMAAiyF60t8lbSQg8dozkUc8ZCulJdHYJ9KMqm859BBphaVdw 7Bug== X-Gm-Message-State: AOJu0YxYdo74t1FcH0LPbrF2KlFqiEEL1s0roPL13o1ffke1VyR2l9Kk tIR7T+TZyvbiq0GaqPPRb0vjyJuMYf0P4dWdKRaCmU0VKCUIelEivygGHR4kJQ== X-Gm-Gg: ATEYQzwnf2imn8DbWv4MpOSF+8+uxd9MeNXJ1HJ0liFNobhl9cxBRZYaelb8nRn+Q1V xpZ4u6rmGeU3R/UFv+0fVyzlzbrerhY3vlecZo5fCqEafVng3qQk4n03B1XjQW5fBgOf0CsxNdU /8mriK9d+kGzTfJKAIMQkyVcjAWl4vUglYwdW7UgGVuN2gtaEMlIt6Kky77TX/guGUF7XG1MwtU c8EWcXOS8vPCi6x5WAREWAakrRWD9i7o6wWmGBslxqg1wjHwMtC8Z+phdGOqEmrRJQfA3UjTnx1 rs56O9iuAyxnDknYDH3AaoEAjG79lHlNhkjeOKMEIrQFTBJ2Wqd8EDHe3QS/lnhn0glskpCaATC nnW5tffrxaOwnNINjRDx5/DCMf6aLYkhKp9Tc/iGplFeV3FKCJZPuy5Ja5wOivryYFedM58PxMm eSdROywFnN+xy9mCNhsJY4 X-Received: by 2002:a05:600c:138a:b0:45d:f81d:eae7 with SMTP id 5b1f17b1804b1-4851989ca9cmr101619575e9.28.1772708835129; Thu, 05 Mar 2026 03:07:15 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4851faeaec0sm32269505e9.11.2026.03.05.03.07.14 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Mar 2026 03:07:14 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-gnome][scarthgap][PATCH 2/7] gimp: patch CVE-2025-2761 Date: Thu, 5 Mar 2026 12:07:08 +0100 Message-ID: <20260305110713.2893128-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260305110713.2893128-1-skandigraun@gmail.com> References: <20260305110713.2893128-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Mar 2026 11:07:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124867 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2761 Pick the patch from the relevant upstream bug[1]. [1]: https://gitlab.gnome.org/GNOME/gimp/-/issues/13073 Signed-off-by: Gyorgy Sarvari --- .../gimp/gimp/CVE-2025-2761.patch | 34 +++++++++++++++++++ meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | 1 + 2 files changed, 35 insertions(+) create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2761.patch diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2761.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2761.patch new file mode 100644 index 0000000000..670f6d9269 --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2761.patch @@ -0,0 +1,34 @@ +From 658a8a07b831b82bd9e9592c18f21e4d4d7392af Mon Sep 17 00:00:00 2001 +From: Alx Sa +Date: Mon, 10 Mar 2025 04:07:44 +0000 +Subject: [PATCH] plug-ins: Fix ZDI-CAN-25100 for FLI plug-in + +Resolves #13073 +This patch adds a check to make sure we're not +writing beyond the bounds of the "pos" array. +This is the same check that we do earlier when +writing pos[xc++], but it was left off of the last +write command. Since "n" will be 0 if we get to the +end of the array, it prevents us from writing beyond +that. + +CVE: CVE-2025-2761 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/0806bc76ca74543d20e1307ccf6aebd26395c56c] +Signed-off-by: Gyorgy Sarvari +--- + plug-ins/file-fli/fli.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/plug-ins/file-fli/fli.c b/plug-ins/file-fli/fli.c +index c2e28e4..209b5ec 100644 +--- a/plug-ins/file-fli/fli.c ++++ b/plug-ins/file-fli/fli.c +@@ -1026,7 +1026,7 @@ fli_read_lc_2 (FILE *f, + xc += len << 1; + } + } +- if (lpf) ++ if (lpf && xc < n) + pos[xc] = lpn; + yc++; + } diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb index afb1cd69e5..a04b3d0e4c 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb @@ -53,6 +53,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \ file://CVE-2025-15059.patch \ file://CVE-2025-2760-1.patch \ file://CVE-2025-2760-2.patch \ + file://CVE-2025-2761.patch \ " SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e" From patchwork Thu Mar 5 11:07:09 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 82557 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 21F98F30946 for ; Thu, 5 Mar 2026 11:07:22 +0000 (UTC) Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.41721.1772708837589081637 for ; Thu, 05 Mar 2026 03:07:17 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=EDtLeDEY; spf=pass (domain: gmail.com, ip: 209.85.128.43, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f43.google.com with SMTP id 5b1f17b1804b1-483bd7354efso104509965e9.2 for ; Thu, 05 Mar 2026 03:07:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772708836; x=1773313636; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=4XUHbAVOImGCT02EnjZ/XAspnL+AugD9I8jBCH9xnO0=; b=EDtLeDEY5ftYmoOPNXAyuXZG9MdaZJNdRIq8cL0gB76an6UQZlA9B5N3xRRkzHVF70 uGrtc9+lx/bAEABsqQkN2trwZds4nn8sj1qrnspnuHCtfpWDN/OKZo2kWJTCVm5hN2jD eeqzf/wAl3D3BjJnPSkoHGlaQkR26gbCo5VozzbYJLrmzYgXzM1JsUsGCwtOmR9NSiXH q0jMb+uzyojZ6NW8Vb/sgeX+eKoJTSb4zM0owob8z8ZIVyZcuJnQWmLVudQNZJc9QXYm FVxNViT5nYZ2vE04IBTiRcsQCaRS6+fKRK9phxbF3hgiHFmmrlm7VPiL3WLvvAg1HBdY smBg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772708836; x=1773313636; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=4XUHbAVOImGCT02EnjZ/XAspnL+AugD9I8jBCH9xnO0=; b=cjTWUlO0BJrmXbSAXh9TuNaMen6+2W+ic1wnljfgajIv8VPOQo9ZxZ35EtQfw5ZJvA 8t+v8afghXaecoHKJ11dpwt4PwDb8Hvg6koJYR5Z3efHsobVG6qGcxeHl3HY0VUDEycH IkL060PofKdZ1X6PR/fCQ14EQD9fSIXVecenf6fglM3LZvf2UUfhqE+2NKOnUi8HcgZY 4b3duQeL/n/8+jzgOWvxL9Tu1z8FBk0d4PQwCYuDh44X0ndpDRNUk/4Sp8ID/ieXv/kS fmYsnqR+ON0TB3HIwMMTZDqttL8tsoAWSDLDGRRxxAxGfHXqDP5wVtZfTstzashX5T1j 6YaA== X-Gm-Message-State: AOJu0YxM2qvG0HuCMdAGN/dUw0E/Pg4CIur3K4rl3JmaHQyZbhkegPVk K9Pl1pfuFTw/rBOkZJCrngZcOemrt/c3FJNYIQjPXW7Aj9BXtOmMZKw2gAr9zA== X-Gm-Gg: ATEYQzxLqSXDa6j7UVJHKMHIQspmMZrBla0cz1oqrunxIgY6CV6YNuQy7lrEwySIBct dfQRkC9Fmv15fS908J8FQ+tYmPCsgX14CzYFR2Egn4s/CsGjmQpyCPvyba6BcPOCvdRxaJGHomr aGRSlo/QQMhdlrQihcrnUeE9+xTY7LV3uhqUy+DmEcNuwGrMRZuS+BKBpEbQ+b0pTXTCWQvYLCl 0QtTpv3tDtbP89G4tyS8Ds6BNwiuXN3UKxyN64Q3oChbhQESjd4QGdPm+9PpcimYjpUC0GZtfJg y7CLutMvhVtMeyYR8YIKVLJy9WW1UO9B0OBENqPgm5yOGZs3TY257HCWObLoeyZe46qIzgmrFI7 AzzgpsfPkaZMFt83tNpte20IQ2FLDXa+NAWhpvLrpHNrElZLFNCvb/4Qa++M5aJ2WNUdo8dfUni avTQlhZ8JgRwgt4JPYox/J X-Received: by 2002:a05:600c:4503:b0:480:1b65:b744 with SMTP id 5b1f17b1804b1-485198992cdmr93777105e9.28.1772708835864; Thu, 05 Mar 2026 03:07:15 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4851faeaec0sm32269505e9.11.2026.03.05.03.07.15 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Mar 2026 03:07:15 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-gnome][scarthgap][PATCH 3/7] gimp: patch CVE-2026-0797 Date: Thu, 5 Mar 2026 12:07:09 +0100 Message-ID: <20260305110713.2893128-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260305110713.2893128-1-skandigraun@gmail.com> References: <20260305110713.2893128-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Mar 2026 11:07:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124868 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0797 The patch referenced in the NVD report looks incorrect. This change in this patch was taken from the related upstream issue[1]. [1]: https://gitlab.gnome.org/GNOME/gimp/-/issues/15555 Signed-off-by: Gyorgy Sarvari --- .../gimp/gimp/CVE-2026-0797.patch | 91 +++++++++++++++++++ meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | 1 + 2 files changed, 92 insertions(+) create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797.patch diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797.patch new file mode 100644 index 0000000000..46e83ac30c --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797.patch @@ -0,0 +1,91 @@ +From b00dbb729ef8218ffadc3ddeee6841b8ffb1b7ea Mon Sep 17 00:00:00 2001 +From: Alx Sa +Date: Fri, 26 Dec 2025 15:49:45 +0000 +Subject: [PATCH] plug-ins: Add more fread () checks in ICO loading + +Resolves #15555 + +This patch adds some guards for ico_read_int8 (), +which was used for loading palettes and maps +without verifying that it returned the same number +of bytes as what it tried to read in. + +CVE: CVE-2026-0797 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/09e72ef32bf47dea047b044dba789557f334b7d5] +Signed-off-by: Gyorgy Sarvari +--- + plug-ins/file-ico/ico-load.c | 33 ++++++++++++++++++++++++++------- + 1 file changed, 26 insertions(+), 7 deletions(-) + +diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c +index c144b6e..7eb9cb7 100644 +--- a/plug-ins/file-ico/ico-load.c ++++ b/plug-ins/file-ico/ico-load.c +@@ -69,7 +69,9 @@ ico_read_int32 (FILE *fp, + total = count; + if (count > 0) + { +- ico_read_int8 (fp, (guint8 *) data, count * 4); ++ if (ico_read_int8 (fp, (guint8 *) data, count * 4) != (count * 4)) ++ return FALSE; ++ + for (i = 0; i < count; i++) + data[i] = GUINT32_FROM_LE (data[i]); + } +@@ -88,7 +90,9 @@ ico_read_int16 (FILE *fp, + total = count; + if (count > 0) + { +- ico_read_int8 (fp, (guint8 *) data, count * 2); ++ if (ico_read_int8 (fp, (guint8 *) data, count * 2) != (count * 2)) ++ return FALSE; ++ + for (i = 0; i < count; i++) + data[i] = GUINT16_FROM_LE (data[i]); + } +@@ -109,8 +113,8 @@ ico_read_int8 (FILE *fp, + while (count > 0) + { + bytes = fread ((gchar *) data, sizeof (gchar), count, fp); +- if (bytes <= 0) /* something bad happened */ +- break; ++ if (bytes != count) /* something bad happened */ ++ return -1; + + count -= bytes; + data += bytes; +@@ -485,16 +489,31 @@ ico_read_icon (FILE *fp, + data.used_clrs, data.bpp)); + + palette = g_new0 (guint32, data.used_clrs); +- ico_read_int8 (fp, (guint8 *) palette, data.used_clrs * 4); ++ if (ico_read_int8 (fp, ++ (guint8 *) palette, ++ data.used_clrs * 4) != (data.used_clrs * 4)) ++ { ++ D(("skipping image: too large\n")); ++ return FALSE; ++ } ++ + } + + xor_map = ico_alloc_map (w, h, data.bpp, &length); +- ico_read_int8 (fp, xor_map, length); ++ if (ico_read_int8 (fp, xor_map, length) != length) ++ { ++ D(("skipping image: too large\n")); ++ return FALSE; ++ } + D((" length of xor_map: %i\n", length)); + + /* Read in and_map. It's padded out to 32 bits per line: */ + and_map = ico_alloc_map (w, h, 1, &length); +- ico_read_int8 (fp, and_map, length); ++ if (! ico_read_int8 (fp, and_map, length) != length) ++ { ++ D(("skipping image: too large\n")); ++ return FALSE; ++ } + D((" length of and_map: %i\n", length)); + + dest_vec = (guint32 *) buf; diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb index a04b3d0e4c..9a969bde7c 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb @@ -54,6 +54,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \ file://CVE-2025-2760-1.patch \ file://CVE-2025-2760-2.patch \ file://CVE-2025-2761.patch \ + file://CVE-2026-0797.patch \ " SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e" From patchwork Thu Mar 5 11:07:10 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 82560 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4F1BAF30948 for ; Thu, 5 Mar 2026 11:07:22 +0000 (UTC) Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com [209.85.221.49]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.41722.1772708838399258447 for ; Thu, 05 Mar 2026 03:07:18 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=kV2GfVlB; spf=pass (domain: gmail.com, ip: 209.85.221.49, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f49.google.com with SMTP id ffacd0b85a97d-439a89b6fd0so4770962f8f.2 for ; Thu, 05 Mar 2026 03:07:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772708837; x=1773313637; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=y0WfDSOO35W65cDyx2v5pG6zOWLTUIfFkixT2zk6kDI=; b=kV2GfVlBzN9wrRa/YSCLtPkxqYQU3yJSjZuF6w/mjWzpuq2gt6Y4spkT5oBBThqmGp ZtZfUQE3EdGiRIyRzKP3ei0Usn6rPdS/VsATtorEowKdBlQDZflaifUd5MJ0hX+yQV/J 0/E7ngQu4AbkqwSkMn5+qnvt4BS4LCv885piZFexAr0WzcyNweVqWY3NUQyAq8jxo7b6 X5yPWpt04yAMLI+vKv4v+jJu7Al9qXWH3MlshFqua+r5b5+sdk01mQW/4Lwef87Rex1H MAHMQqsU0ItlOwiXuAvTSryFt9a939+l1EP4ohxMkqPkdn5IVYZ4mDPEl49/Ie7nPjCt KigA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772708837; x=1773313637; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=y0WfDSOO35W65cDyx2v5pG6zOWLTUIfFkixT2zk6kDI=; b=pJEI1c7Os8rIdlH1XvpeWTbov53ijzjKz8nQgT69yIIB+SsQOpbG6/NDJNe7JyDqF/ c5qThQyc2Hji+Vj8jP4h6bNBv6B1/iVJ2yPf69XGBaSWq8BqUoOJ3xemmGIA2HgeicQq WQuJoYM6vrGbfEXu9aPbl48AZFacr+OZvpRaPg127BlZz0xHIu6zhXg0E+zPq1U7lEGH KoqGN08lY8+G61Ph9rCdou5jvhkHpEgIcuqjJDNAD1nsq1i+jMPw89S9Q/k2nXs42qYu eetWA4V60T5t1Ry96qoqnoyaz71tY1yvLUyegI60XmuFUBCZBP4vA8qy682IRwrJsz+6 6CaA== X-Gm-Message-State: AOJu0YyKX6aNf6LIiRcYZGNmmIhYn4j847/ansJulozEVKt8fLtSR34c HvgZ35aK71I/WfuNf7czGoeKDeys6IgMeuHiV3PsJjPGH4yFyEGOAuGKNPCgxA== X-Gm-Gg: ATEYQzwToRemAia0GyRPVOVxqFvoWLUOGNzoItn3TxOSIy9edkQFn15dvRl+q82IvDH cA8Ee2hhalqgrLQpFnACravYo7O39nrMVdc6gmKsJq2TEY3WZDLoi57mIPpaJUP+zYicetZN4M4 5DKCSA1X3x6rxf35zkZ8pXJf6wkw5PjEqbP5ZjjCcuesiEwD0kzms4KEMa1H3wP+dlTzKxlF7+y DuoUQOK+ppLbKA+DyZR3/4Mgf/3WbdYAUDj9Rj2Y1WLtFBMAxMYL8be/3yTL4yyYGXVs2gFxLF7 2dTmQoj7Qvwrd0xxDBZkrcqztFxZaRv0lBKzF1MVJkeRKqLVjt4zd2nXeUpn4lirPnkxRDwcQ7f +c7IXxfnM4fIjSjdvtoeViBDuQ31D5pCHNz2SzPfL4HjgDTFI9Gai+tRxEaIo6jPucOHirZhTJ0 86I9BPjMSuK5Bt6/FnuEYN X-Received: by 2002:a05:600c:4e4e:b0:479:1b0f:dfff with SMTP id 5b1f17b1804b1-48519854b39mr98907325e9.10.1772708836566; Thu, 05 Mar 2026 03:07:16 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4851faeaec0sm32269505e9.11.2026.03.05.03.07.15 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Mar 2026 03:07:16 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-gnome][scarthgap][PATCH 4/7] gimp: patch CVE-2026-2044 Date: Thu, 5 Mar 2026 12:07:10 +0100 Message-ID: <20260305110713.2893128-4-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260305110713.2893128-1-skandigraun@gmail.com> References: <20260305110713.2893128-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Mar 2026 11:07:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124869 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-2044 Pick the patch referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari --- .../gimp/gimp/CVE-2026-2044.patch | 28 +++++++++++++++++++ meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | 1 + 2 files changed, 29 insertions(+) create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2044.patch diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2044.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2044.patch new file mode 100644 index 0000000000..102dc155da --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2044.patch @@ -0,0 +1,28 @@ +From af312f516e23521e1d03255263b22ef4b99761d5 Mon Sep 17 00:00:00 2001 +From: Gabriele Barbero +Date: Fri, 5 Dec 2025 19:13:01 +0100 +Subject: [PATCH] ZDI-CAN-28158: use g_malloc0 instead of g_malloc + +To avoid accessing uninitialized memory, replace calls to g_malloc with +g_malloc0 which initializes the allocated memory to zero. + +CVE: CVE-2026-2044 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/112a5e038f0646eae5ae314988ec074433d2b365] +Signed-off-by: Gyorgy Sarvari +--- + plug-ins/common/file-pnm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c +index f514c2b..c82720c 100644 +--- a/plug-ins/common/file-pnm.c ++++ b/plug-ins/common/file-pnm.c +@@ -571,7 +571,7 @@ load_image (GFile *file, + return -1; + + /* allocate the necessary structures */ +- pnminfo = g_new (PNMInfo, 1); ++ pnminfo = g_new0 (PNMInfo, 1); + + scan = NULL; + /* set error handling */ diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb index 9a969bde7c..4f273a7cbb 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb @@ -55,6 +55,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \ file://CVE-2025-2760-2.patch \ file://CVE-2025-2761.patch \ file://CVE-2026-0797.patch \ + file://CVE-2026-2044.patch \ " SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e" From patchwork Thu Mar 5 11:07:11 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 82558 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E676CF30942 for ; Thu, 5 Mar 2026 11:07:21 +0000 (UTC) Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.41963.1772708838931057632 for ; Thu, 05 Mar 2026 03:07:19 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=jOYiwgcX; spf=pass (domain: gmail.com, ip: 209.85.128.47, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f47.google.com with SMTP id 5b1f17b1804b1-4806cc07ce7so90093295e9.1 for ; Thu, 05 Mar 2026 03:07:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772708837; x=1773313637; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=pFYNgj+q4y5Uu3WkTr7jwQhukXovHOwqJGOQViiG/0I=; b=jOYiwgcXTaR7sj9wWeJGpR6MecNBe/Y1vrB8nAj7PS0HQqebxKDOIij045/ajbDEek K4aop7qdpaA2c7/U8vtwRx2Nn3JShCWMB18KKO4zM6UjOfjkWYBrfod/wT/WtPA3tcbT iBeqwbBh9COuZ4ZNHrisu1eL8eEui2u9/p6whEkh4N76xdujvYYznLBwtNa9TlWbsK98 +7wWt2Y+F5tNWdZ7bfwLbicKXOMCiQra2bG2xKEfVRwMTBKqwvGqy7D2XOT9uIxeCsMv fwvDP08Ept/NKdvtof0snKctUY9Dew/EbG+WvWBjDVgdTAK9sTDViaFDvg6dFX9WyRFZ lvjw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772708837; x=1773313637; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=pFYNgj+q4y5Uu3WkTr7jwQhukXovHOwqJGOQViiG/0I=; b=ufLkYJOOgYKpfYapgbUURuAP595N6Y/1i5GMp5QDQEbTGMA0aiIdGzB3M5sKAXsIOO zGpxkyWji3VedJmtudvMLzXEM0bdGtRqguJBANIQqa6kMQsD/++2jrth6xkkhA24Bjx1 aN9IIRbnl/svTx3YDz7bMTmulrd+6IWGj/ISpwGP5jNX8hialc1e999J+eMSO/aFnplW XXnB4tDMJGu4D2qxNn7LpKeAcgxrRAYIgvKImjfJQVB9NIMJHFiWHo/yxjK797t4b9Ya I8wTZjuTkH9qa14FCHfPpiJnAo8mha1D3mybpGWpEjzPNogl/KWa3aT3Y5Z9chhC3mm6 C//A== X-Gm-Message-State: AOJu0YyXhX7gFVekWsiMf92+3zF30yiZRQEbussMwhQxapJ/hX/okLud LWQS3tK6tsWaAB34Og5WdXEiGz0N/XbV6oj5gJNrROcbC9aTfhAZJUYthOEyoA== X-Gm-Gg: ATEYQzzC1mSn44wicPo/Lq93soT/ZDD+z40roYfAX8EnNq6/11I+aIkm1lK15INwmzq J6JM255qaEfIJ/SgVsxuzm52+yEGfBkjwJqbYMGy31XZ9c5ZqGDSDMuQUoejlv5lLOLlNMOgRwL 8fJNhoYxTruT0v9qF2jesKR+1r2cnBOh2SwKz8WLlXm48cdLO2SNZkO4VEKyLJf2sXf0iyU3Wsr tsBa9pGMvb4QXZwp/Bcu11qfq1YxWpEQDyRoog+tj/a5Z8VqrKLwq4pcXgYXB1KBWn+C7sfvGSR FHkotJ163qfvYaZhzMFLbqXBN6c1zNTb8eHWN4KB/S3F1w6vPk8NIo+09eTJ0wQBQNvjj4lfZHD 4QkL1bbN/qSEXoETq2luBw2HkHZG1opz0OtzxS6P2FtNn8kw2q4jg8G3DMUr8wxDYBr+l6/eUC0 7yHyGgSkZ37jcl1hDnLPxArSXoabMbhtc= X-Received: by 2002:a05:600c:c166:b0:482:ef72:5781 with SMTP id 5b1f17b1804b1-48519895787mr77804015e9.25.1772708837231; Thu, 05 Mar 2026 03:07:17 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4851faeaec0sm32269505e9.11.2026.03.05.03.07.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Mar 2026 03:07:16 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-gnome][scarthgap][PATCH 5/7] gimp: patch CVE-2026-2045 Date: Thu, 5 Mar 2026 12:07:11 +0100 Message-ID: <20260305110713.2893128-5-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260305110713.2893128-1-skandigraun@gmail.com> References: <20260305110713.2893128-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Mar 2026 11:07:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124870 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-2045 Pick the patch associated with the relevant upstream issue[1]. [1]: https://gitlab.gnome.org/GNOME/gimp/-/issues/15293 Signed-off-by: Gyorgy Sarvari --- .../gimp/gimp/CVE-2026-2045.patch | 36 +++++++++++++++++++ meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2045.patch diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2045.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2045.patch new file mode 100644 index 0000000000..c084b5704f --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2045.patch @@ -0,0 +1,36 @@ +From 584e67bdd529ab37b50eeba7e62e975af8c6d617 Mon Sep 17 00:00:00 2001 +From: Jacob Boerema +Date: Thu, 15 Jan 2026 10:12:07 -0500 +Subject: [PATCH] plug-ins: fix #15293 security issue ZDI-CAN-28265 + +Just like we did in commit 4eb106f2bff2d9b8e518aa455a884c6f38d70c6a +we need to make sure that the offset in the colormap is valid before +using it, before using it to compute the RGB values. + +CVE: CVE-2026-2045 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/68b27dfb1cbd9b3f22d7fa624dbab8647ee5f275] +Signed-off-by: Gyorgy Sarvari +--- + plug-ins/common/file-xwd.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c +index 53e4cd2..8ab11c0 100644 +--- a/plug-ins/common/file-xwd.c ++++ b/plug-ins/common/file-xwd.c +@@ -1624,7 +1624,14 @@ load_xwd_f2_d16_b16 (const gchar *filename, + + for (j = 0; j < ncols; j++) + { +- cm = ColorMap + xwdcolmap[j].l_pixel * 3; ++ goffset offset = xwdcolmap[j].l_pixel * 3; ++ ++ if (offset+2 >= maxval) ++ { ++ g_message (_("Invalid colormap offset. Possibly corrupt image.")); ++ return NULL; ++ } ++ cm = ColorMap + offset; + *(cm++) = (xwdcolmap[j].l_red >> 8); + *(cm++) = (xwdcolmap[j].l_green >> 8); + *cm = (xwdcolmap[j].l_blue >> 8); diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb index 4f273a7cbb..d38160a864 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb @@ -56,6 +56,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \ file://CVE-2025-2761.patch \ file://CVE-2026-0797.patch \ file://CVE-2026-2044.patch \ + file://CVE-2026-2045.patch \ " SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e" From patchwork Thu Mar 5 11:07:12 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 82559 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9196EF30947 for ; Thu, 5 Mar 2026 11:07:22 +0000 (UTC) Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.41725.1772708839682940976 for ; Thu, 05 Mar 2026 03:07:19 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=WK/2aC8y; spf=pass (domain: gmail.com, ip: 209.85.128.50, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-48069a48629so83068515e9.0 for ; Thu, 05 Mar 2026 03:07:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772708838; x=1773313638; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ZltBdkvp4av8GZx0Ur4DBd5mMdQ+QptQoEhmCHwU9e0=; b=WK/2aC8yvOLqfhY71tvRCAqxAW/oMEGNe3fj8RfKouqIrxHML1P9KwZ8x9swJBKumZ hDKVY5KDunYZkGjkfXfleLNf1fmsXqJwC5MOAPgAIAuNlnRNwuiurETgp8Vab0CWCvB4 q2PurM9NKZ+odz4z8uV3ZbrtKFSfNiGy4AmPaEkWptzLkb3hJD63XsFPQAtpclh3CFP8 AdQ3utYEXFkMjVNDtMVafxlqMvLNi8fPxUiqkMEz15yEmvTMDUMP4OhK3abrYXvf/Q83 7gp9ZjHZi/cypKVN5UvlZ/cbkGONvmzmB+y/QTNB7dwpxhxwSqjnSX3Ic4KMh71N3kCv FaWw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772708838; x=1773313638; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=ZltBdkvp4av8GZx0Ur4DBd5mMdQ+QptQoEhmCHwU9e0=; b=fm51oNtqXSI2Z6sg3xhF7tjgGE1Lwm2jd1HOiqSJWeHm6rt3cngIfrclavM92SJw2N OhZwXIe51IBseNGPRXIPM7vfBtrOeFoWFE/NBNqIRR2nRFTdKwnvYwsM75+ICRoXjnUm TSdgYFCiBLbjAtLZGZLriLhwekLlMQ1ZjmntuljIw8aVbswS1ZOIO34BMc/rAD01r5m/ BdsGeYqlRLKuiDnU5CRKmM1OeLqwNjbiZrLM30oMv7olxRnA7vUN24JgUAElzN5yq5Kb c41zcu6fMZlJ8jL/FMcDar/8jHDLYtaKslW6M+fLQNqn4F31iSBsEi32eQR0Xxg14l4t ErUg== X-Gm-Message-State: AOJu0YzdMzY+joZpJ6UnZXrhy28iswJ9m4WBOGbtjqq4JzV6Xq9Lljib MYJm4nKeWG38TgpIOCB9tKxALo4mKJsXg6DfV6G9CxnfOuA6dcYs4diS2LOrmw== X-Gm-Gg: ATEYQzxJRtJlzxJYDtpcXVyt2l++9hXEvJddSraezDxpIoapupbSTRkr3gF+5zd2n1i NwB5fI4AfxsFMhmFcjrBdsGZFS3avYVxYxDuKR12CHKWtmB9wTFU0cBg9dNyLZQ1pxfqLAx0zcT iC3Ji93LlJhTdQZFx8hvlg3YxcQ+wkJmQJjXwZZz/M8SPUyc0haw4QMDIn7lFfxCrwfNM8bUkrJ XPZvES5yf+DEYYC1gv3z0tNEfWdkvzm94mNcnIIgvnMLivGctcrTS4zbTBsRU6UGt3xyYctg4Kl 59mZtYn6wvM/jj2upncU8ztdQ4vDNIjylCEzAjNUCJ2Ip6ZB15KabSVHcnqMeJVFf75uqsMOYhj 9nb/7E/LbsGcSMSPZwoAXlQ4H08u3ujt6kqzBGzUBpafZ045suBkoANdfTrJJNI41DrPo7IfRpn WsH7Mu/5M41gdexnQn6ULl X-Received: by 2002:a05:600c:81c8:b0:483:7eea:b185 with SMTP id 5b1f17b1804b1-48519880904mr97537265e9.16.1772708837863; Thu, 05 Mar 2026 03:07:17 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4851faeaec0sm32269505e9.11.2026.03.05.03.07.17 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Mar 2026 03:07:17 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-gnome][scarthgap][PATCH 6/7] gimp: ignore CVE-2026-2047 Date: Thu, 5 Mar 2026 12:07:12 +0100 Message-ID: <20260305110713.2893128-6-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260305110713.2893128-1-skandigraun@gmail.com> References: <20260305110713.2893128-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Mar 2026 11:07:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124871 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-2047 The vulnerability exists in ICNS importer, which was first introduced in version 3.0 [1], and the code is not present in the recipe version. Due to this, ignore this CVE. [1]: https://gitlab.gnome.org/GNOME/gimp/-/commit/00232e17875d4676a2c797a429db23b1a9815db8 Signed-off-by: Gyorgy Sarvari --- meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb index d38160a864..8b3dd4aa5f 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb @@ -86,3 +86,4 @@ CVE_STATUS[CVE-2007-3741] = "not-applicable-platform: This only applies for Mand CVE_STATUS[CVE-2025-48796] = "cpe-incorrect: The current version (2.10.38) is not affected." CVE_STATUS[CVE-2025-14423] = "cpe-incorrect: The vulnerability was introduced in v3.0" CVE_STATUS[CVE-2025-14424] = "cpe-incorrect: The vulnerability was introduced in v3.0" +CVE_STATUS[CVE-2025-2047] = "cpe-incorrect: The vulnerability was introduced in v3.0" From patchwork Thu Mar 5 11:07:13 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 82554 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9DD8DF3093E for ; Thu, 5 Mar 2026 11:07:21 +0000 (UTC) Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.41965.1772708840341375321 for ; Thu, 05 Mar 2026 03:07:20 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Eq+5f8gC; spf=pass (domain: gmail.com, ip: 209.85.128.46, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f46.google.com with SMTP id 5b1f17b1804b1-4806f3fc50bso85643415e9.0 for ; Thu, 05 Mar 2026 03:07:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772708839; x=1773313639; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=vDI0bW06nbyMTWrCjrUOfdg4P+Sg+1qIIQxOksLBg/A=; b=Eq+5f8gCkZGIfm8q0oD6rj/SV9EAOBRs1J+7NcS77ka46HgkBqzTRzi1hbBfrqTmRi EP15aB6llQ/zoUv6QBU36dwdbxJEC12lnFhWWAQTaf5urGdz189f49uJqU/uRfffHZ2X cI3pKaU3k1wC+6A+xEiFTZGo4GqF7WwVfEraJzq4lo3ySYtZ1Z3rh6i9cadbkakrsm8I 7Sx085CRaw8jdEhnOI8tMSVPYNIu79cZ+xbJ9ZZWlcHM0w8E4Ul6jbOIXFhLNwRt3z5t kWPIbYZPKKGJcXwaDMFgcJDJ+LNdnSxWsuMBofq0RBg68GUmvV/fxJ6xLayZ83G2iPmU nArQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772708839; x=1773313639; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=vDI0bW06nbyMTWrCjrUOfdg4P+Sg+1qIIQxOksLBg/A=; b=wigVfU91dfOEbghWIQ8IpXBB9mwAM+SEUWvvMaB94NAG5wjd/qCr2TORTCcTX1oCgt yL7s+ZcGgTLcasW9nAtzlapOzeH9HtEXG4X1bddYQjTM1wYnnND4jMHFla5ZexW5LsUo DC2H6HLAkAPwaZ5bD89WTDgh2DbdxjeYOrY/NsVFQC4nVIPQ3BOW17jlAlkGerCgcZoB 6sCEQexerK5/l/plQkTzVdSe11hv5REBK4iUqs2VnZNCf52RsXYk/Tw+gDovd6nU7NJB FDOPHMHygiqaUsE0tMyAkp2WrRdripFH6BYF2bEKbEIrRPpPgE/X++gPNes20OXI+niO jSBA== X-Gm-Message-State: AOJu0YzUuzx2fBdniu0rsEJ6pvBaBfNzN/XsM9LD2OlmkfIFqLDuRNnf dq56D4WupqilOBIRUMFhVYzYJoqe+AtXe/QXpiO4UROumQINdaociQYxNSd9wA== X-Gm-Gg: ATEYQzy6fbpFhZq168cAWd0wejJYG2fS/t1ccu6/bpmrdObhxUw8/2NDHM4Q4gtvEGY jDJ6oPbPnPLY5CnQ0yQqlVCMdjv206zNazQpYyh4rwgavKwWOj6//y/MqEuM2h01YaAseqaI5Ij Hk6zLJROBrFKm+Vw8Xgt/+I+vfxMJrNQxS7bSrmplKtd3h3gvDcC86t5hNcsWej7EY4qzlQXYWa /cchsPpdvQfmD8WlvCDxigR9GSzXlyFiwhE+cTQtfCsohypejtLuql/NPKeHGYJ+wddbY3kN6YW d1kHCTCU9ODTTvMpYwE6DYTz6WHTUJr0HhUrlc0N+id4lsJURlgoF8t+/LCPCVMWSYP64tanTfF rWqqBVuvwe3sr4FyDDlVwdRBakO3b+DvXTp4e3vKMHsBsjmdeZQOFCfE9C6MgLCX63Gp8sAER9U VnB3Xb/hmlNWw8IHjpuB9F X-Received: by 2002:a05:600c:8711:b0:485:1744:6651 with SMTP id 5b1f17b1804b1-4851989048bmr82477255e9.25.1772708838490; Thu, 05 Mar 2026 03:07:18 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4851faeaec0sm32269505e9.11.2026.03.05.03.07.17 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Mar 2026 03:07:18 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-gnome][scarthgap][PATCH 7/7] gimp: patch CVE-2026-2048 Date: Thu, 5 Mar 2026 12:07:13 +0100 Message-ID: <20260305110713.2893128-7-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260305110713.2893128-1-skandigraun@gmail.com> References: <20260305110713.2893128-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Mar 2026 11:07:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124872 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-2048 Pick the patch from the relevant upstream issue[1]; [1]: https://gitlab.gnome.org/GNOME/gimp/-/issues/15554 Signed-off-by: Gyorgy Sarvari --- .../gimp/gimp/CVE-2026-2048.patch | 84 +++++++++++++++++++ meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | 1 + 2 files changed, 85 insertions(+) create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2048.patch diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2048.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2048.patch new file mode 100644 index 0000000000..e0d506b0c3 --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2048.patch @@ -0,0 +1,84 @@ +From f8c00176788240744218e43664cba1cec4092822 Mon Sep 17 00:00:00 2001 +From: Alx Sa +Date: Wed, 31 Dec 2025 14:45:15 +0000 +Subject: [PATCH] plug-ins: Add OoB check for loading XWD + +Resolves #15554 +This patch adds a check for if our pointer arithmetic +exceeds the memory allocated for the dest array. If so, +we throw an error rather than access memory outside +the bounds. + +CVE: CVE-2026-2048 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/57712677007793118388c5be6fb8231f22a2b341] +Signed-off-by: Gyorgy Sarvari +--- + plug-ins/common/file-xwd.c | 27 +++++++++++++++++++++++++-- + 1 file changed, 25 insertions(+), 2 deletions(-) + +diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c +index 8ab11c0..c84d70e 100644 +--- a/plug-ins/common/file-xwd.c ++++ b/plug-ins/common/file-xwd.c +@@ -2103,6 +2103,7 @@ load_xwd_f1_d24_b1 (const gchar *filename, + gulong redmask, greenmask, bluemask; + guint redshift, greenshift, blueshift; + gulong g; ++ guint32 maxval; + guchar redmap[256], greenmap[256], bluemap[256]; + guchar bit_reverse[256]; + guchar *xwddata, *xwdin, *data; +@@ -2194,6 +2195,7 @@ load_xwd_f1_d24_b1 (const gchar *filename, + + tile_height = gimp_tile_height (); + data = g_malloc (tile_height * width * bytes_per_pixel); ++ maxval = tile_height * width * bytes_per_pixel; + + ncols = xwdhdr->l_colormap_entries; + if (xwdhdr->l_ncolors < ncols) +@@ -2218,6 +2220,8 @@ load_xwd_f1_d24_b1 (const gchar *filename, + + for (tile_start = 0; tile_start < height; tile_start += tile_height) + { ++ guint current_dest = 0; ++ + memset (data, 0, width*tile_height*bytes_per_pixel); + + tile_end = tile_start + tile_height - 1; +@@ -2241,7 +2245,16 @@ load_xwd_f1_d24_b1 (const gchar *filename, + else /* 3 bytes per pixel */ + { + fromright = xwdhdr->l_pixmap_depth-1-plane; +- dest += 2 - fromright/8; ++ current_dest += 2 - fromright / 8; ++ if (current_dest < maxval) ++ { ++ dest += 2 - fromright / 8; ++ } ++ else ++ { ++ err = 1; ++ break; ++ } + outmask = (1 << (fromright % 8)); + } + +@@ -2296,7 +2309,17 @@ load_xwd_f1_d24_b1 (const gchar *filename, + + if (g & inmask) + *dest |= outmask; +- dest += bytes_per_pixel; ++ ++ current_dest += bytes_per_pixel; ++ if (current_dest < maxval) ++ { ++ dest += bytes_per_pixel; ++ } ++ else ++ { ++ err = 1; ++ break; ++ } + + inmask >>= 1; + } diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb index 8b3dd4aa5f..4e0dd76744 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb @@ -57,6 +57,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \ file://CVE-2026-0797.patch \ file://CVE-2026-2044.patch \ file://CVE-2026-2045.patch \ + file://CVE-2026-2048.patch \ " SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"