rpms/gimp
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Import CS

Browse Source
This commit is contained in:
eabdullin 2026-05-19 14:45:41 +03:00
parent 14ec2c4c32
commit 45caa182ca
7 changed files with 18 additions and 628 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

196
SOURCES/gimp-CVE-2026-4150.patch
View File

@ -1,196 +0,0 @@
From 00afdabdadeb5457fd897878b1e5aebc3780af10 Mon Sep 17 00:00:00 2001
From: Jacob Boerema <jgboerema@gmail.com>
Date: Fri, 6 Mar 2026 10:01:09 -0500
Subject: [PATCH] plug-ins: fix #15967 integer overflow in psd-load
Reported as ZDI-CAN-28807
With large row and column sizes 32-bit int values are not large
enough to hold the product and thus can cause overflow.
While we are at it, we not only fix the location from the report, but
also other occurrences that could overflow.
- We change certain variables to gsize to make sure they can hold a
64-bit value.
- Other intermediate results are promoted to (gsize) to make sure that
the product is computed as gsize.
- Move some i,j variables to the loops where they are used.
(cherry picked from commit 7e1241f75147bf6e705a31c81e4d5efab1df1668)
---
plug-ins/file-psd/psd-load.c | 44 ++++++++++++++++--------------------
1 file changed, 20 insertions(+), 24 deletions(-)
diff --git a/plug-ins/file-psd/psd-load.c b/plug-ins/file-psd/psd-load.c
index 0ec888c2ec9..676f3da9b41 100644
--- a/plug-ins/file-psd/psd-load.c
+++ b/plug-ins/file-psd/psd-load.c
@@ -2813,14 +2813,13 @@ add_merged_image (GimpImage *image,
guint16 bps;
guint32 *rle_pack_len[MAX_CHANNELS];
guint32 alpha_id;
- gint32 layer_size;
+ gsize layer_size;
GimpLayer *layer = NULL;
GimpChannel *channel = NULL;
gint16 alpha_opacity;
gint cidx; /* Channel index */
gint rowi; /* Row index */
gint offset;
- gint i;
gboolean alpha_visible;
gboolean alpha_channel = FALSE;
GeglBuffer *buffer;
@@ -2975,11 +2974,11 @@ add_merged_image (GimpImage *image,
image_type = get_gimp_image_type (img_a->base_type,
img_a->transparency || alpha_channel);
- layer_size = img_a->columns * img_a->rows;
+ layer_size = (gsize) img_a->columns * img_a->rows;
pixels = g_malloc (layer_size * base_channels * bps);
for (cidx = 0; cidx < base_channels; ++cidx)
{
- for (i = 0; i < layer_size; ++i)
+ for (gint64 i = 0; i < layer_size; ++i)
{
memcpy (&pixels[((i * base_channels) + cidx) * bps],
&chn_a[cidx].data[i * bps], bps);
@@ -3051,7 +3050,7 @@ add_merged_image (GimpImage *image,
{
gfloat *data = iter->items[0].data;
- for (i = 0; i < iter->length; i++)
+ for (gint i = 0; i < iter->length; i++)
{
gint c;
@@ -3103,7 +3102,7 @@ add_merged_image (GimpImage *image,
/* Draw channels */
IFDBG(2) g_debug ("Number of channels: %d", extra_channels);
- for (i = 0; i < extra_channels; ++i)
+ for (gint i = 0; i < extra_channels; ++i)
{
/* Alpha channel name */
alpha_name = NULL;
@@ -3144,8 +3143,8 @@ add_merged_image (GimpImage *image,
}
cidx = base_channels + i;
- pixels = g_realloc (pixels, chn_a[cidx].columns * chn_a[cidx].rows * bps);
- memcpy (pixels, chn_a[cidx].data, chn_a[cidx].columns * chn_a[cidx].rows * bps);
+ pixels = g_realloc (pixels, (gsize) chn_a[cidx].columns * chn_a[cidx].rows * bps);
+ memcpy (pixels, chn_a[cidx].data, (gsize) chn_a[cidx].columns * chn_a[cidx].rows * bps);
channel = gimp_channel_new (image, alpha_name,
chn_a[cidx].columns, chn_a[cidx].rows,
alpha_opacity, alpha_rgb);
@@ -3332,7 +3331,6 @@ read_channel_data (PSDchannel *channel,
gchar *raw_data = NULL;
gchar *src;
guint32 readline_len;
- gint i, j;
if (bps == 1)
readline_len = ((channel->columns + 7) / 8);
@@ -3364,7 +3362,7 @@ read_channel_data (PSDchannel *channel,
break;
case PSD_COMP_RLE:
- for (i = 0; i < channel->rows; ++i)
+ for (gint i = 0; i < channel->rows; ++i)
{
src = gegl_scratch_alloc (rle_pack_len[i]);
/* FIXME check for over-run
@@ -3433,12 +3431,11 @@ read_channel_data (PSDchannel *channel,
case 32:
{
guint32 *data;
- guint64 pos;
if (compression == PSD_COMP_ZIP_PRED)
{
IFDBG(3) g_debug ("Converting 32 bit predictor data");
- channel->data = (gchar *) g_malloc0 (channel->rows * channel->columns * 4);
+ channel->data = (gchar *) g_malloc0 ((gsize) channel->rows * channel->columns * 4);
decode_32_bit_predictor (raw_data, channel->data,
channel->rows, channel->columns);
}
@@ -3450,7 +3447,7 @@ read_channel_data (PSDchannel *channel,
}
data = (guint32*) channel->data;
- for (pos = 0; pos < channel->rows * channel->columns; ++pos)
+ for (gsize pos = 0; pos < (gsize) channel->rows * channel->columns; ++pos)
data[pos] = GUINT32_FROM_BE (data[pos]);
break;
@@ -3463,14 +3460,14 @@ read_channel_data (PSDchannel *channel,
channel->data = raw_data;
raw_data = NULL;
- for (i = 0; i < channel->rows * channel->columns; ++i)
+ for (gsize i = 0; i < (gsize) channel->rows * channel->columns; ++i)
data[i] = GUINT16_FROM_BE (data[i]);
if (compression == PSD_COMP_ZIP_PRED)
{
IFDBG(3) g_debug ("Converting 16 bit predictor data");
- for (i = 0; i < channel->rows; ++i)
- for (j = 1; j < channel->columns; ++j)
+ for (gsize i = 0; i < channel->rows; ++i)
+ for (gsize j = 1; j < channel->columns; ++j)
data[i * channel->columns + j] += data[i * channel->columns + j - 1];
}
break;
@@ -3483,14 +3480,14 @@ read_channel_data (PSDchannel *channel,
if (compression == PSD_COMP_ZIP_PRED)
{
IFDBG(3) g_debug ("Converting 8 bit predictor data");
- for (i = 0; i < channel->rows; ++i)
- for (j = 1; j < channel->columns; ++j)
+ for (gsize i = 0; i < channel->rows; ++i)
+ for (gsize j = 1; j < channel->columns; ++j)
channel->data[i * channel->columns + j] += channel->data[i * channel->columns + j - 1];
}
break;
case 1:
- channel->data = (gchar *) g_malloc (channel->rows * channel->columns);
+ channel->data = (gchar *) g_malloc ((gsize) channel->rows * channel->columns);
convert_1_bit (raw_data, channel->data, channel->rows, channel->columns);
break;
@@ -3540,7 +3537,7 @@ decode_32_bit_predictor (gchar *src,
/* restore byte order */
dstpos = 0;
- for (row = 0; row < rows * rowsize; row += rowsize)
+ for (row = 0; row < (gsize) rows * rowsize; row += rowsize)
{
guint64 offset;
@@ -3567,18 +3564,17 @@ convert_1_bit (const gchar *src,
Rows are padded out to a byte boundary.
*/
guint32 row_pos = 0;
- gint i, j;
IFDBG(3) g_debug ("Start 1 bit conversion");
- for (i = 0; i < rows * ((columns + 7) / 8); ++i)
+ for (gsize i = 0; i < (gsize) rows * ((columns + 7) / 8); ++i)
{
guchar mask = 0x80;
- for (j = 0; j < 8 && row_pos < columns; ++j)
+ for (gint j = 0; j < 8 && row_pos < columns; ++j)
{
*dst = (*src & mask) ? 0 : 1;
IFDBG(4) g_debug ("byte %d, bit %d, offset %d, src %d, dst %d",
- i , j, row_pos, *src, *dst);
+ (gint) i , j, row_pos, *src, *dst);
dst++;
mask >>= 1;
row_pos++;
--
GitLab

59
SOURCES/gimp-CVE-2026-4151.patch
View File

@ -1,59 +0,0 @@
From 09e5459de913172fc51da3bd6b6adc533acd368e Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Thu, 5 Mar 2026 23:58:45 +0000
Subject: [PATCH] plug-ins: Resolve ZDI-CAN-28813 in ANI loading
Resolves #15968
It is possible to cause a buffer overflow in our ANI
loading code by setting the Name or Artist metadata
files to 0xFFFFFFFF. This patch changes our allocation
code to use g_try_new0 () instead of g_new0 (), and
verifies if it is NULL before trying to read data into it.
---
plug-ins/file-ico/ico-load.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
index 29ad4c5eb59..e20d79a713f 100644
--- a/plug-ins/file-ico/ico-load.c
+++ b/plug-ins/file-ico/ico-load.c
@@ -893,7 +893,16 @@ ani_load_image (GFile *file,
if (inam)
g_free (inam);
- inam = g_new0 (gchar, size + 1);
+ inam = g_try_new0 (gchar, size + 1);
+ if (inam == NULL)
+ {
+ fclose (fp);
+ g_set_error (error, G_FILE_ERROR,
+ g_file_error_from_errno (errno),
+ _("Invalid ANI metadata"));
+ return NULL;
+ }
+
n_read = fread (inam, sizeof (gchar), size, fp);
inam[size] = '\0';
}
@@ -924,7 +933,16 @@ ani_load_image (GFile *file,
if (iart)
g_free (iart);
- iart = g_new0 (gchar, size + 1);
+ iart = g_try_new0 (gchar, size + 1);
+ if (iart == NULL)
+ {
+ fclose (fp);
+ g_set_error (error, G_FILE_ERROR,
+ g_file_error_from_errno (errno),
+ _("Invalid ANI metadata"));
+ return NULL;
+ }
+
n_read = fread (iart, sizeof (gchar), size, fp);
iart[size] = '\0';
}
--
GitLab

55
SOURCES/gimp-CVE-2026-4152.patch
View File

@ -1,55 +0,0 @@
From f64c9c23ba3c37dc7b875a9fb477c23953b4666e Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Thu, 12 Mar 2026 13:48:45 +0000
Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28863
Resolves #15969
It is possible to set the number of color components
in the JPEG 2000 file separate from the color space,
and OpenJPEG reports that value as-is. This can result
in a buffer overflow if the num_components variable is
larger than the number of channels in the color space.
This patch adds a check to make sure num_components
is within range. If it's larger, then we clamp it to the maximum
value for that color model.
---
plug-ins/common/file-jp2-load.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/plug-ins/common/file-jp2-load.c b/plug-ins/common/file-jp2-load.c
index cb420f9cb37..5c99a093d49 100644
--- a/plug-ins/common/file-jp2-load.c
+++ b/plug-ins/common/file-jp2-load.c
@@ -1563,16 +1563,22 @@ load_image (GimpProcedure *procedure,
base_type = GIMP_GRAY;
image_type = GIMP_GRAY_IMAGE;
- if (num_components == 2)
- image_type = GIMP_GRAYA_IMAGE;
+ if (num_components >= 2)
+ {
+ image_type = GIMP_GRAYA_IMAGE;
+ num_components = 2;
+ }
}
else if (image->color_space == OPJ_CLRSPC_SRGB)
{
base_type = GIMP_RGB;
image_type = GIMP_RGB_IMAGE;
- if (num_components == 4)
- image_type = GIMP_RGBA_IMAGE;
+ if (num_components >= 4)
+ {
+ image_type = GIMP_RGBA_IMAGE;
+ num_components = 4;
+ }
}
else
{
--
GitLab

62
SOURCES/gimp-CVE-2026-4153.patch
View File

@ -1,62 +0,0 @@
From 98cb1371fd4e22cca75017ea3252dc32fc218712 Mon Sep 17 00:00:00 2001
From: Jacob Boerema <jgboerema@gmail.com>
Date: Sat, 7 Mar 2026 15:55:04 -0500
Subject: [PATCH] plug-ins: fix #15970 buffer overflow in file-psp
Reported as ZDI-CAN-28874.
For psp images with bit depth 1 or 4 bits and small widths, it was
possible to overflow the buffer because these bit depths are stored
in multiples of 4 bytes per line.
Because these formats are converted to regular RGB, this means that for
small widths, more bytes are needed than expected when we are upscaling
to 8-bit.
To fix this, we compute the line size when depth < 8, and adjust
line width if that value is larger.
---
plug-ins/common/file-psp.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index 286cbed2bb7..763dd994fcd 100644
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -2127,7 +2127,23 @@ read_layer_block (FILE *f,
if (can_handle_layer)
{
- pixel = g_malloc0 (height * width * bytespp);
+ gint line_width = width * bytespp;
+
+ if (ia->depth < 8)
+ {
+ gint min_line_width = (((width * ia->depth + 7) / 8) + (ia->depth - 1)) / 4 * 4;
+
+ /* For small widths, when depth is 1, or 4, the number of bytes
+ * used can be larger than the width * bytespp. Adjust for that. */
+ if (min_line_width > line_width)
+ {
+ IFDBG(3) g_message ("Adjusting line width from %d to %d\n",
+ line_width, min_line_width);
+ line_width = min_line_width;
+ }
+ }
+
+ pixel = g_malloc0 (height * line_width);
if (null_layer)
{
pixels = NULL;
@@ -2136,7 +2152,7 @@ read_layer_block (FILE *f,
{
pixels = g_new (guchar *, height);
for (i = 0; i < height; i++)
- pixels[i] = pixel + width * bytespp * i;
+ pixels[i] = pixel + line_width * i;
}
buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
--
GitLab

90
SOURCES/gimp-CVE-2026-4154.patch
View File

@ -1,90 +0,0 @@
From 2e7ed91793792d9e980b2df4c829e9aa60459253 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Fri, 6 Mar 2026 13:54:44 +0000
Subject: [PATCH] plug-in: Resolve ZDI-CAN-28901 for file-xpm
Resolves #15971
It was possible to set a XPM image to have a width and/or height
that is larger than what GIMP can create an image for. In addition to
causing gimp_image_new () to fail, it can also lead to buffer overflow
when allocating space to read in the image.
This patch adds a GError parameter to parse_image (), then uses it to
pass up an error for either oversized images or buffer overflows.
---
plug-ins/common/file-xpm.c | 32 ++++++++++++++++++++++++++++----
1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/plug-ins/common/file-xpm.c b/plug-ins/common/file-xpm.c
index ba02961f1c0..71a0b19e8d3 100644
--- a/plug-ins/common/file-xpm.c
+++ b/plug-ins/common/file-xpm.c
@@ -125,7 +125,8 @@ static GimpImage * load_image (GFile *file,
static guchar * parse_colors (XpmImage *xpm_image);
static void parse_image (GimpImage *image,
XpmImage *xpm_image,
- guchar *cmap);
+ guchar *cmap,
+ GError **error);
static gboolean export_image (GFile *file,
GimpImage *image,
GimpDrawable *drawable,
@@ -385,12 +386,28 @@ load_image (GFile *file,
cmap = parse_colors (&xpm_image);
+ if (xpm_image.width > GIMP_MAX_IMAGE_SIZE)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("Unsupported or invalid image width: %d"),
+ xpm_image.width);
+ return NULL;
+ }
+
+ if (xpm_image.height > GIMP_MAX_IMAGE_SIZE)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("Unsupported or invalid image height: %d"),
+ xpm_image.height);
+ return NULL;
+ }
+
image = gimp_image_new (xpm_image.width,
xpm_image.height,
GIMP_RGB);
/* fill it */
- parse_image (image, &xpm_image, cmap);
+ parse_image (image, &xpm_image, cmap, error);
g_free (cmap);
@@ -472,7 +489,8 @@ parse_colors (XpmImage *xpm_image)
static void
parse_image (GimpImage *image,
XpmImage *xpm_image,
- guchar *cmap)
+ guchar *cmap,
+ GError **error)
{
GeglBuffer *buffer;
gint tile_height;
@@ -498,7 +516,13 @@ parse_image (GimpImage *image,
tile_height = gimp_tile_height ();
- buf = g_new (guchar, tile_height * xpm_image->width * 4);
+ buf = g_try_new (guchar, tile_height * xpm_image->width * 4);
+ if (buf == NULL)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ "%s", _("XPM file invalid"));
+ return;
+ }
src = xpm_image->data;
for (i = 0; i < xpm_image->height; i += tile_height)
--
GitLab

128
SOURCES/gimp-CVE-2026-4887.patch
View File

@ -1,128 +0,0 @@
From aabce89271a9943a43bda9225aa43fc524f1c8a4 Mon Sep 17 00:00:00 2001
From: Jacob Boerema <jgboerema@gmail.com>
Date: Sun, 8 Mar 2026 15:18:33 -0400
Subject: [PATCH] plug-ins:: fix #15960 PCX buffer overflow
A buffer overflow in the PCX reader was reported.
The +1 was added in commit da217088d0fab77b7a696e782f6e2fb3b597f48f
to allow loading where the images have an off by 1 value. However,
this leaves the problem that allocated buffers may be 1 byte too small.
Because we prefer to keep loading as many images as possible, we choose
not to return an error. Instead we allocate 1 extra byte for the
line buffers.
In addition to that, we add check for valid values of bpp and error
out early when invalid.
If the bytesperline value is off by more than 1, we output a warning
message and use the manually computed value instead.
Additionally add a comment that we need to fix a British English
word in a string after string freeze.
---
plug-ins/common/file-pcx.c | 35 ++++++++++++++++++++++++++---------
1 file changed, 26 insertions(+), 9 deletions(-)
diff --git a/plug-ins/common/file-pcx.c b/plug-ins/common/file-pcx.c
index 3cf1070d2d4..276b568e78b 100644
--- a/plug-ins/common/file-pcx.c
+++ b/plug-ins/common/file-pcx.c
@@ -632,7 +632,7 @@ load_image (GimpProcedure *procedure,
GError **error)
{
GeglBuffer *buffer;
- guint16 offset_x, offset_y, bytesperline;
+ guint16 offset_x, offset_y, bytesperline, computed_bytesperline;
gint32 width, height;
guint16 resolution_x, resolution_y;
GimpImage *image;
@@ -681,13 +681,29 @@ load_image (GimpProcedure *procedure,
height);
return NULL;
}
- if ((bytesperline + 1) < ((width * pcx_header.bpp + 7) / 8) ||
- bytesperline == 0)
+
+ if (pcx_header.bpp != 1 && pcx_header.bpp != 2 && pcx_header.bpp != 4 &&
+ pcx_header.bpp != 8)
{
+ /* FIXME: After string freeze this should be changed to a more descriptive error. */
g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
- _("Invalid number of bytes per line in PCX header"));
+ _("Unusual PCX flavour, giving up"));
return NULL;
}
+
+ /* Some legacy images have incorrect values for bytesperline, that are
+ * off by 1. To be able to load these, we will allow a difference of 1 here.
+ * However, that means we need to allocate 1 more byte than officially
+ * required to make sure we don't cause a buffer overrun.
+ * For larger differences we will compute the value of bytesperline.
+ */
+ computed_bytesperline = (width * pcx_header.bpp + 7) / 8;
+ if (bytesperline + 1 < computed_bytesperline || bytesperline == 0)
+ {
+ g_message (_("Invalid number of bytes per line in PCX header"));
+ bytesperline = (width * pcx_header.bpp + 7) / 8;
+ }
+
if ((resolution_x < 1) || (resolution_x > GIMP_MAX_RESOLUTION) ||
(resolution_y < 1) || (resolution_y > GIMP_MAX_RESOLUTION))
{
@@ -838,6 +854,7 @@ load_image (GimpProcedure *procedure,
}
else
{
+ /* FIXME: flavour is British English, should be flavor. */
g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
_("Unusual PCX flavour, giving up"));
g_object_unref (buffer);
@@ -889,7 +906,7 @@ load_8 (FILE *fp,
guint16 bytes)
{
gint row;
- guchar *line = g_new (guchar, bytes);
+ guchar *line = g_new0 (guchar, bytes + 1);
for (row = 0; row < height; buf += width, ++row)
{
@@ -910,7 +927,7 @@ load_24 (FILE *fp,
guint8 planes)
{
gint x, y, c;
- guchar *line = g_new (guchar, bytes);
+ guchar *line = g_new0 (guchar, bytes + 1);
for (y = 0; y < height; buf += width * planes, ++y)
{
@@ -936,7 +953,7 @@ load_1 (FILE *fp,
guint16 bytes)
{
gint x, y;
- guchar *line = g_new (guchar, bytes);
+ guchar *line = g_new0 (guchar, bytes + 1);
for (y = 0; y < height; buf += width, ++y)
{
@@ -962,7 +979,7 @@ load_4 (FILE *fp,
guint16 bytes)
{
gint x, y, c;
- guchar *line = g_new (guchar, bytes);
+ guchar *line = g_new0 (guchar, bytes + 1);
for (y = 0; y < height; buf += width, ++y)
{
@@ -993,7 +1010,7 @@ load_sub_8 (FILE *fp,
guint16 bytes)
{
gint x, y, c, b;
- guchar *line = g_new (guchar, bytes);
+ guchar *line = g_new0 (guchar, bytes + 1);
gint real_bpp = bpp - 1;
gint current_bit = 0;
--
GitLab

56
SPECS/gimp.spec
View File

@ -66,8 +66,8 @@ Summary: GNU Image Manipulation Program
Name: gimp
Epoch: 2
Version: 3.0.4
%global rel 1
Release: %{rel}%{?dist}.5
%global rel 5
Release: %{rel}%{?dist}
# https://bugzilla.redhat.com/show_bug.cgi?id=2318369
ExcludeArch: s390x
@ -253,24 +253,18 @@ Patch2: gimp-2.10.12-default-font.patch
# Modifications for RHEL-9 enablement
Patch3: gimp-3.0.4-glib.patch
# CVE FIXES
# CVEs
Patch4: gimp-3.0.4-CVE-2025-10920-10925-10934.patch
Patch5: gimp-3.0.4-CVE-2025-14422.patch
Patch6: gimp-3.0.4-CVE-2025-14423.patch
Patch7: gimp-3.0.4-CVE-2025-14424.patch
Patch8: gimp-3.0.4-CVE-2025-14425.patch
Patch5: gimp-3.0.4-CVE-2025-14424.patch
Patch6: gimp-3.0.4-CVE-2025-14425.patch
Patch7: gimp-3.0.4-CVE-2025-14423.patch
Patch8: gimp-3.0.4-CVE-2025-14422.patch
Patch9: gimp-3.0.4-CVE-2025-15059.patch
Patch10: gimp-3.0.4-CVE-2026-0797.patch
Patch11: gimp-3.0.4-CVE-2026-2044.patch
Patch12: gimp-3.0.4-CVE-2026-2045.patch
Patch13: gimp-3.0.4-CVE-2026-2047.patch
Patch14: gimp-3.0.4-CVE-2026-2048.patch
Patch15: gimp-CVE-2026-4150.patch
Patch16: gimp-CVE-2026-4151.patch
Patch17: gimp-CVE-2026-4152.patch
Patch18: gimp-CVE-2026-4153.patch
Patch19: gimp-CVE-2026-4154.patch
Patch20: gimp-CVE-2026-4887.patch
# use external help browser directly if help browser plug-in is not built
Patch100: gimp-3.0.2-external-help-browser.patch
@ -346,23 +340,17 @@ EOF
%patch1 -p1 -b .cm-system-monitor
%patch2 -p1 -b .font-default
%patch3 -p1 -b .glib
%patch4 -p1 -b .CVE-2025-10920-10925-10934
%patch5 -p1 -b .CVE-2025-14422
%patch6 -p1 -b .CVE-2025-14423
%patch7 -p1 -b .CVE-2025-14424
%patch8 -p1 -b .CVE-2025-14425
%patch4 -p1 -b .CVE-2025-fixes
%patch5 -p1 -b .CVE-2025-14424
%patch6 -p1 -b .CVE-2025-14425
%patch7 -p1 -b .CVE-2025-14423
%patch8 -p1 -b .CVE-2025-14422
%patch9 -p1 -b .CVE-2025-15059
%patch10 -p1 -b .CVE-2026-0797
%patch11 -p1 -b .CVE-2026-2044
%patch12 -p1 -b .CVE-2026-2045
%patch13 -p1 -b .CVE-2026-2047
%patch14 -p1 -b .CVE-2026-2048
%patch15 -p1 -b .CVE-2026-4150
%patch16 -p1 -b .CVE-2026-4151
%patch17 -p1 -b .CVE-2026-4152
%patch18 -p1 -b .CVE-2026-4153
%patch19 -p1 -b .CVE-2026-4154
%patch20 -p1 -b .CVE-2026-4887
%patch100 -p1 -b .external-help-browser
@ -678,31 +666,23 @@ done
%endif
%changelog
* Mon May 11 2026 Josef Ridky <jridky@redhat.com> - 2:3.0.4-1.5
- fix CVE-2026-4150
- fix CVE-2026-4151
- fix CVE-2026-4152
- fix CVE-2026-4153
- fix CVE-2026-4154
- fix CVE-2026-4887
* Mon Mar 09 2026 Josef Ridky <jridky@redhat.com> - 2:3.0.4-1.4
* Fri Mar 06 2026 Josef Ridky <jridky@redhat.com> - 2:3.0.4-5
- fix CVE-2026-0797
- fix CVE-2026-2044
- fix CVE-2026-2045
- fix CVE-2026-2047
- fix CVE-2026-2048
* Thu Feb 12 2026 Josef Ridky <jridky@redhat.com> - 2:3.0.4-1.3
* Tue Feb 10 2026 Josef Ridky <jridky@redhat.com> - 2:3.0.4-4
- fix CVE-2025-15059
* Tue Jan 20 2026 Josef Ridky <jridky@redhat.com> - 2:3.0.4-1.2
- fix CVE-2025-14422
- fix CVE-2025-14423
* Tue Jan 20 2026 Josef Ridky <jridky@redhat.com> - 2:3.0.4-3
- fix CVE-2025-14424
- fix CVE-2025-14425
- fix CVE-2025-14423
- fix CVE-2025-14422
* Mon Nov 24 2025 Josef Ridky <jridky@redhat.com> - 2:3.0.4-1.1
* Thu Nov 20 2025 Josef Ridky <jridky@redhat.com> - 2:3.0.4-2
- fix CVE-2025-10920
- fix CVE-2025-10921
- fix CVE-2025-10922