diff --git a/SOURCES/gimp-CVE-2026-4150.patch b/SOURCES/gimp-CVE-2026-4150.patch
deleted file mode 100644
index 34eb599..0000000
--- a/SOURCES/gimp-CVE-2026-4150.patch
+++ /dev/null
@@ -1,196 +0,0 @@ -From 00afdabdadeb5457fd897878b1e5aebc3780af10 Mon Sep 17 00:00:00 2001 -From: Jacob Boerema -Date: Fri, 6 Mar 2026 10:01:09 -0500 -Subject: [PATCH] plug-ins: fix #15967 integer overflow in psd-load - -Reported as ZDI-CAN-28807 -With large row and column sizes 32-bit int values are not large -enough to hold the product and thus can cause overflow. - -While we are at it, we not only fix the location from the report, but -also other occurrences that could overflow. -- We change certain variables to gsize to make sure they can hold a -64-bit value. -- Other intermediate results are promoted to (gsize) to make sure that -the product is computed as gsize. -- Move some i,j variables to the loops where they are used. - -(cherry picked from commit 7e1241f75147bf6e705a31c81e4d5efab1df1668) ---- - plug-ins/file-psd/psd-load.c | 44 ++++++++++++++++-------------------- - 1 file changed, 20 insertions(+), 24 deletions(-) - -diff --git a/plug-ins/file-psd/psd-load.c b/plug-ins/file-psd/psd-load.c -index 0ec888c2ec9..676f3da9b41 100644 ---- a/plug-ins/file-psd/psd-load.c -+++ b/plug-ins/file-psd/psd-load.c -@@ -2813,14 +2813,13 @@ add_merged_image (GimpImage *image, - guint16 bps; - guint32 *rle_pack_len[MAX_CHANNELS]; - guint32 alpha_id; -- gint32 layer_size; -+ gsize layer_size; - GimpLayer *layer = NULL; - GimpChannel *channel = NULL; - gint16 alpha_opacity; - gint cidx; /* Channel index */ - gint rowi; /* Row index */ - gint offset; -- gint i; - gboolean alpha_visible; - gboolean alpha_channel = FALSE; - GeglBuffer *buffer; -@@ -2975,11 +2974,11 @@ add_merged_image (GimpImage *image, - image_type = get_gimp_image_type (img_a->base_type, - img_a->transparency || alpha_channel); - -- layer_size = img_a->columns * img_a->rows; -+ layer_size = (gsize) img_a->columns * img_a->rows; - pixels = g_malloc (layer_size * base_channels * bps); - for (cidx = 0; cidx < base_channels; ++cidx) - { -- for (i = 0; i < layer_size; ++i) -+ for (gint64 i = 0; i < layer_size; 
++i) - { - memcpy (&pixels[((i * base_channels) + cidx) * bps], - &chn_a[cidx].data[i * bps], bps); -@@ -3051,7 +3050,7 @@ add_merged_image (GimpImage *image, - { - gfloat *data = iter->items[0].data; - -- for (i = 0; i < iter->length; i++) -+ for (gint i = 0; i < iter->length; i++) - { - gint c; - -@@ -3103,7 +3102,7 @@ add_merged_image (GimpImage *image, - - /* Draw channels */ - IFDBG(2) g_debug ("Number of channels: %d", extra_channels); -- for (i = 0; i < extra_channels; ++i) -+ for (gint i = 0; i < extra_channels; ++i) - { - /* Alpha channel name */ - alpha_name = NULL; -@@ -3144,8 +3143,8 @@ add_merged_image (GimpImage *image, - } - - cidx = base_channels + i; -- pixels = g_realloc (pixels, chn_a[cidx].columns * chn_a[cidx].rows * bps); -- memcpy (pixels, chn_a[cidx].data, chn_a[cidx].columns * chn_a[cidx].rows * bps); -+ pixels = g_realloc (pixels, (gsize) chn_a[cidx].columns * chn_a[cidx].rows * bps); -+ memcpy (pixels, chn_a[cidx].data, (gsize) chn_a[cidx].columns * chn_a[cidx].rows * bps); - channel = gimp_channel_new (image, alpha_name, - chn_a[cidx].columns, chn_a[cidx].rows, - alpha_opacity, alpha_rgb); -@@ -3332,7 +3331,6 @@ read_channel_data (PSDchannel *channel, - gchar *raw_data = NULL; - gchar *src; - guint32 readline_len; -- gint i, j; - - if (bps == 1) - readline_len = ((channel->columns + 7) / 8); -@@ -3364,7 +3362,7 @@ read_channel_data (PSDchannel *channel, - break; - - case PSD_COMP_RLE: -- for (i = 0; i < channel->rows; ++i) -+ for (gint i = 0; i < channel->rows; ++i) - { - src = gegl_scratch_alloc (rle_pack_len[i]); - /* FIXME check for over-run -@@ -3433,12 +3431,11 @@ read_channel_data (PSDchannel *channel, - case 32: - { - guint32 *data; -- guint64 pos; - - if (compression == PSD_COMP_ZIP_PRED) - { - IFDBG(3) g_debug ("Converting 32 bit predictor data"); -- channel->data = (gchar *) g_malloc0 (channel->rows * channel->columns * 4); -+ channel->data = (gchar *) g_malloc0 ((gsize) channel->rows * channel->columns * 4); - 
decode_32_bit_predictor (raw_data, channel->data, - channel->rows, channel->columns); - } -@@ -3450,7 +3447,7 @@ read_channel_data (PSDchannel *channel, - } - - data = (guint32*) channel->data; -- for (pos = 0; pos < channel->rows * channel->columns; ++pos) -+ for (gsize pos = 0; pos < (gsize) channel->rows * channel->columns; ++pos) - data[pos] = GUINT32_FROM_BE (data[pos]); - - break; -@@ -3463,14 +3460,14 @@ read_channel_data (PSDchannel *channel, - channel->data = raw_data; - raw_data = NULL; - -- for (i = 0; i < channel->rows * channel->columns; ++i) -+ for (gsize i = 0; i < (gsize) channel->rows * channel->columns; ++i) - data[i] = GUINT16_FROM_BE (data[i]); - - if (compression == PSD_COMP_ZIP_PRED) - { - IFDBG(3) g_debug ("Converting 16 bit predictor data"); -- for (i = 0; i < channel->rows; ++i) -- for (j = 1; j < channel->columns; ++j) -+ for (gsize i = 0; i < channel->rows; ++i) -+ for (gsize j = 1; j < channel->columns; ++j) - data[i * channel->columns + j] += data[i * channel->columns + j - 1]; - } - break; -@@ -3483,14 +3480,14 @@ read_channel_data (PSDchannel *channel, - if (compression == PSD_COMP_ZIP_PRED) - { - IFDBG(3) g_debug ("Converting 8 bit predictor data"); -- for (i = 0; i < channel->rows; ++i) -- for (j = 1; j < channel->columns; ++j) -+ for (gsize i = 0; i < channel->rows; ++i) -+ for (gsize j = 1; j < channel->columns; ++j) - channel->data[i * channel->columns + j] += channel->data[i * channel->columns + j - 1]; - } - break; - - case 1: -- channel->data = (gchar *) g_malloc (channel->rows * channel->columns); -+ channel->data = (gchar *) g_malloc ((gsize) channel->rows * channel->columns); - convert_1_bit (raw_data, channel->data, channel->rows, channel->columns); - break; - -@@ -3540,7 +3537,7 @@ decode_32_bit_predictor (gchar *src, - - /* restore byte order */ - dstpos = 0; -- for (row = 0; row < rows * rowsize; row += rowsize) -+ for (row = 0; row < (gsize) rows * rowsize; row += rowsize) - { - guint64 offset; - -@@ -3567,18 +3564,17 
@@ convert_1_bit (const gchar *src, - Rows are padded out to a byte boundary. - */ - guint32 row_pos = 0; -- gint i, j; - - IFDBG(3) g_debug ("Start 1 bit conversion"); - -- for (i = 0; i < rows * ((columns + 7) / 8); ++i) -+ for (gsize i = 0; i < (gsize) rows * ((columns + 7) / 8); ++i) - { - guchar mask = 0x80; -- for (j = 0; j < 8 && row_pos < columns; ++j) -+ for (gint j = 0; j < 8 && row_pos < columns; ++j) - { - *dst = (*src & mask) ? 0 : 1; - IFDBG(4) g_debug ("byte %d, bit %d, offset %d, src %d, dst %d", -- i , j, row_pos, *src, *dst); -+ (gint) i , j, row_pos, *src, *dst); - dst++; - mask >>= 1; - row_pos++; --- -GitLab - - diff --git a/SOURCES/gimp-CVE-2026-4151.patch b/SOURCES/gimp-CVE-2026-4151.patch deleted file mode 100644 index 2196b40..0000000 --- a/SOURCES/gimp-CVE-2026-4151.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From 09e5459de913172fc51da3bd6b6adc533acd368e Mon Sep 17 00:00:00 2001 -From: Alx Sa -Date: Thu, 5 Mar 2026 23:58:45 +0000 -Subject: [PATCH] plug-ins: Resolve ZDI-CAN-28813 in ANI loading - -Resolves #15968 -It is possible to cause a buffer overflow in our ANI -loading code by setting the Name or Artist metadata -files to 0xFFFFFFFF. This patch changes our allocation -code to use g_try_new0 () instead of g_new0 (), and -verifies if it is NULL before trying to read data into it. ---- - plug-ins/file-ico/ico-load.c | 22 ++++++++++++++++++++-- - 1 file changed, 20 insertions(+), 2 deletions(-) - -diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c -index 29ad4c5eb59..e20d79a713f 100644 ---- a/plug-ins/file-ico/ico-load.c -+++ b/plug-ins/file-ico/ico-load.c -@@ -893,7 +893,16 @@ ani_load_image (GFile *file, - if (inam) - g_free (inam); - -- inam = g_new0 (gchar, size + 1); -+ inam = g_try_new0 (gchar, size + 1); -+ if (inam == NULL) -+ { -+ fclose (fp); -+ g_set_error (error, G_FILE_ERROR, -+ g_file_error_from_errno (errno), -+ _("Invalid ANI metadata")); -+ return NULL; -+ } -+ - n_read = fread (inam, sizeof (gchar), size, fp); - inam[size] = '\0'; - } -@@ -924,7 +933,16 @@ ani_load_image (GFile *file, - if (iart) - g_free (iart); - -- iart = g_new0 (gchar, size + 1); -+ iart = g_try_new0 (gchar, size + 1); -+ if (iart == NULL) -+ { -+ fclose (fp); -+ g_set_error (error, G_FILE_ERROR, -+ g_file_error_from_errno (errno), -+ _("Invalid ANI metadata")); -+ return NULL; -+ } -+ - n_read = fread (iart, sizeof (gchar), size, fp); - iart[size] = '\0'; - } --- -GitLab - - diff --git a/SOURCES/gimp-CVE-2026-4152.patch b/SOURCES/gimp-CVE-2026-4152.patch deleted file mode 100644 index 82f7bc0..0000000 --- a/SOURCES/gimp-CVE-2026-4152.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From f64c9c23ba3c37dc7b875a9fb477c23953b4666e Mon Sep 17 00:00:00 2001 -From: Alx Sa -Date: Thu, 12 Mar 2026 13:48:45 +0000 -Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28863 - -Resolves #15969 - -It is possible to set the number of color components -in the JPEG 2000 file separate from the color space, -and OpenJPEG reports that value as-is. This can result -in a buffer overflow if the num_components variable is -larger than the number of channels in the color space. - -This patch adds a check to make sure num_components -is within range. If it's larger, then we clamp it to the maximum -value for that color model. ---- - plug-ins/common/file-jp2-load.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/plug-ins/common/file-jp2-load.c b/plug-ins/common/file-jp2-load.c -index cb420f9cb37..5c99a093d49 100644 ---- a/plug-ins/common/file-jp2-load.c -+++ b/plug-ins/common/file-jp2-load.c -@@ -1563,16 +1563,22 @@ load_image (GimpProcedure *procedure, - base_type = GIMP_GRAY; - image_type = GIMP_GRAY_IMAGE; - -- if (num_components == 2) -- image_type = GIMP_GRAYA_IMAGE; -+ if (num_components >= 2) -+ { -+ image_type = GIMP_GRAYA_IMAGE; -+ num_components = 2; -+ } - } - else if (image->color_space == OPJ_CLRSPC_SRGB) - { - base_type = GIMP_RGB; - image_type = GIMP_RGB_IMAGE; - -- if (num_components == 4) -- image_type = GIMP_RGBA_IMAGE; -+ if (num_components >= 4) -+ { -+ image_type = GIMP_RGBA_IMAGE; -+ num_components = 4; -+ } - } - else - { --- -GitLab - - diff --git a/SOURCES/gimp-CVE-2026-4153.patch b/SOURCES/gimp-CVE-2026-4153.patch deleted file mode 100644 index f710fc1..0000000 --- a/SOURCES/gimp-CVE-2026-4153.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From 98cb1371fd4e22cca75017ea3252dc32fc218712 Mon Sep 17 00:00:00 2001 -From: Jacob Boerema -Date: Sat, 7 Mar 2026 15:55:04 -0500 -Subject: [PATCH] plug-ins: fix #15970 buffer overflow in file-psp - -Reported as ZDI-CAN-28874. - -For psp images with bit depth 1 or 4 bits and small widths, it was -possible to overflow the buffer because these bit depths are stored -in multiples of 4 bytes per line. -Because these formats are converted to regular RGB, this means that for -small widths, more bytes are needed than expected when we are upscaling -to 8-bit. - -To fix this, we compute the line size when depth < 8, and adjust -line width if that value is larger. ---- - plug-ins/common/file-psp.c | 20 ++++++++++++++++++-- - 1 file changed, 18 insertions(+), 2 deletions(-) - -diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c -index 286cbed2bb7..763dd994fcd 100644 ---- a/plug-ins/common/file-psp.c -+++ b/plug-ins/common/file-psp.c -@@ -2127,7 +2127,23 @@ read_layer_block (FILE *f, - - if (can_handle_layer) - { -- pixel = g_malloc0 (height * width * bytespp); -+ gint line_width = width * bytespp; -+ -+ if (ia->depth < 8) -+ { -+ gint min_line_width = (((width * ia->depth + 7) / 8) + (ia->depth - 1)) / 4 * 4; -+ -+ /* For small widths, when depth is 1, or 4, the number of bytes -+ * used can be larger than the width * bytespp. Adjust for that. */ -+ if (min_line_width > line_width) -+ { -+ IFDBG(3) g_message ("Adjusting line width from %d to %d\n", -+ line_width, min_line_width); -+ line_width = min_line_width; -+ } -+ } -+ -+ pixel = g_malloc0 (height * line_width); - if (null_layer) - { - pixels = NULL; -@@ -2136,7 +2152,7 @@ read_layer_block (FILE *f, - { - pixels = g_new (guchar *, height); - for (i = 0; i < height; i++) -- pixels[i] = pixel + width * bytespp * i; -+ pixels[i] = pixel + line_width * i; - } - - buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer)); --- -GitLab - - 
diff --git a/SOURCES/gimp-CVE-2026-4154.patch b/SOURCES/gimp-CVE-2026-4154.patch
deleted file mode 100644
index 024b368..0000000
--- a/SOURCES/gimp-CVE-2026-4154.patch
+++ /dev/null
@@ -1,90 +0,0 @@ -From 2e7ed91793792d9e980b2df4c829e9aa60459253 Mon Sep 17 00:00:00 2001 -From: Alx Sa -Date: Fri, 6 Mar 2026 13:54:44 +0000 -Subject: [PATCH] plug-in: Resolve ZDI-CAN-28901 for file-xpm - -Resolves #15971 -It was possible to set a XPM image to have a width and/or height -that is larger than what GIMP can create an image for. In addition to -causing gimp_image_new () to fail, it can also lead to buffer overflow -when allocating space to read in the image. - -This patch adds a GError parameter to parse_image (), then uses it to -pass up an error for either oversized images or buffer overflows. ---- - plug-ins/common/file-xpm.c | 32 ++++++++++++++++++++++++++++---- - 1 file changed, 28 insertions(+), 4 deletions(-) - -diff --git a/plug-ins/common/file-xpm.c b/plug-ins/common/file-xpm.c -index ba02961f1c0..71a0b19e8d3 100644 ---- a/plug-ins/common/file-xpm.c -+++ b/plug-ins/common/file-xpm.c -@@ -125,7 +125,8 @@ static GimpImage * load_image (GFile *file, - static guchar * parse_colors (XpmImage *xpm_image); - static void parse_image (GimpImage *image, - XpmImage *xpm_image, -- guchar *cmap); -+ guchar *cmap, -+ GError **error); - static gboolean export_image (GFile *file, - GimpImage *image, - GimpDrawable *drawable, -@@ -385,12 +386,28 @@ load_image (GFile *file, - - cmap = parse_colors (&xpm_image); - -+ if (xpm_image.width > GIMP_MAX_IMAGE_SIZE) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("Unsupported or invalid image width: %d"), -+ xpm_image.width); -+ return NULL; -+ } -+ -+ if (xpm_image.height > GIMP_MAX_IMAGE_SIZE) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("Unsupported or invalid image height: %d"), -+ xpm_image.height); -+ return NULL; -+ } -+ - image = gimp_image_new (xpm_image.width, - xpm_image.height, - GIMP_RGB); - - /* fill it */ -- parse_image (image, &xpm_image, cmap); -+ parse_image (image, &xpm_image, cmap, error); - - g_free (cmap); - -@@ -472,7 +489,8 @@ parse_colors (XpmImage 
*xpm_image) - static void - parse_image (GimpImage *image, - XpmImage *xpm_image, -- guchar *cmap) -+ guchar *cmap, -+ GError **error) - { - GeglBuffer *buffer; - gint tile_height; -@@ -498,7 +516,13 @@ parse_image (GimpImage *image, - - tile_height = gimp_tile_height (); - -- buf = g_new (guchar, tile_height * xpm_image->width * 4); -+ buf = g_try_new (guchar, tile_height * xpm_image->width * 4); -+ if (buf == NULL) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ "%s", _("XPM file invalid")); -+ return; -+ } - - src = xpm_image->data; - for (i = 0; i < xpm_image->height; i += tile_height) --- -GitLab - - diff --git a/SOURCES/gimp-CVE-2026-4887.patch b/SOURCES/gimp-CVE-2026-4887.patch deleted file mode 100644 index c73076b..0000000 --- a/SOURCES/gimp-CVE-2026-4887.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -From aabce89271a9943a43bda9225aa43fc524f1c8a4 Mon Sep 17 00:00:00 2001 -From: Jacob Boerema -Date: Sun, 8 Mar 2026 15:18:33 -0400 -Subject: [PATCH] plug-ins:: fix #15960 PCX buffer overflow - -A buffer overflow in the PCX reader was reported. - -The +1 was added in commit da217088d0fab77b7a696e782f6e2fb3b597f48f -to allow loading where the images have an off by 1 value. However, -this leaves the problem that allocated buffers may be 1 byte too small. - -Because we prefer to keep loading as many images as possible, we choose -not to return an error. Instead we allocate 1 extra byte for the -line buffers. -In addition to that, we add check for valid values of bpp and error -out early when invalid. -If the bytesperline value is off by more than 1, we output a warning -message and use the manually computed value instead. - -Additionally add a comment that we need to fix a British English -word in a string after string freeze. ---- - plug-ins/common/file-pcx.c | 35 ++++++++++++++++++++++++++--------- - 1 file changed, 26 insertions(+), 9 deletions(-) - -diff --git a/plug-ins/common/file-pcx.c b/plug-ins/common/file-pcx.c -index 3cf1070d2d4..276b568e78b 100644 ---- a/plug-ins/common/file-pcx.c -+++ b/plug-ins/common/file-pcx.c -@@ -632,7 +632,7 @@ load_image (GimpProcedure *procedure, - GError **error) - { - GeglBuffer *buffer; -- guint16 offset_x, offset_y, bytesperline; -+ guint16 offset_x, offset_y, bytesperline, computed_bytesperline; - gint32 width, height; - guint16 resolution_x, resolution_y; - GimpImage *image; -@@ -681,13 +681,29 @@ load_image (GimpProcedure *procedure, - height); - return NULL; - } -- if ((bytesperline + 1) < ((width * pcx_header.bpp + 7) / 8) || -- bytesperline == 0) -+ -+ if (pcx_header.bpp != 1 && pcx_header.bpp != 2 && pcx_header.bpp != 4 && -+ pcx_header.bpp != 8) - { -+ /* FIXME: After string freeze this should be changed to a more descriptive error. 
*/ - g_set_error (error, GIMP_PLUG_IN_ERROR, 0, -- _("Invalid number of bytes per line in PCX header")); -+ _("Unusual PCX flavour, giving up")); - return NULL; - } -+ -+ /* Some legacy images have incorrect values for bytesperline, that are -+ * off by 1. To be able to load these, we will allow a difference of 1 here. -+ * However, that means we need to allocate 1 more byte than officially -+ * required to make sure we don't cause a buffer overrun. -+ * For larger differences we will compute the value of bytesperline. -+ */ -+ computed_bytesperline = (width * pcx_header.bpp + 7) / 8; -+ if (bytesperline + 1 < computed_bytesperline || bytesperline == 0) -+ { -+ g_message (_("Invalid number of bytes per line in PCX header")); -+ bytesperline = (width * pcx_header.bpp + 7) / 8; -+ } -+ - if ((resolution_x < 1) || (resolution_x > GIMP_MAX_RESOLUTION) || - (resolution_y < 1) || (resolution_y > GIMP_MAX_RESOLUTION)) - { -@@ -838,6 +854,7 @@ load_image (GimpProcedure *procedure, - } - else - { -+ /* FIXME: flavour is British English, should be flavor. 
*/ - g_set_error (error, GIMP_PLUG_IN_ERROR, 0, - _("Unusual PCX flavour, giving up")); - g_object_unref (buffer); -@@ -889,7 +906,7 @@ load_8 (FILE *fp, - guint16 bytes) - { - gint row; -- guchar *line = g_new (guchar, bytes); -+ guchar *line = g_new0 (guchar, bytes + 1); - - for (row = 0; row < height; buf += width, ++row) - { -@@ -910,7 +927,7 @@ load_24 (FILE *fp, - guint8 planes) - { - gint x, y, c; -- guchar *line = g_new (guchar, bytes); -+ guchar *line = g_new0 (guchar, bytes + 1); - - for (y = 0; y < height; buf += width * planes, ++y) - { -@@ -936,7 +953,7 @@ load_1 (FILE *fp, - guint16 bytes) - { - gint x, y; -- guchar *line = g_new (guchar, bytes); -+ guchar *line = g_new0 (guchar, bytes + 1); - - for (y = 0; y < height; buf += width, ++y) - { -@@ -962,7 +979,7 @@ load_4 (FILE *fp, - guint16 bytes) - { - gint x, y, c; -- guchar *line = g_new (guchar, bytes); -+ guchar *line = g_new0 (guchar, bytes + 1); - - for (y = 0; y < height; buf += width, ++y) - { -@@ -993,7 +1010,7 @@ load_sub_8 (FILE *fp, - guint16 bytes) - { - gint x, y, c, b; -- guchar *line = g_new (guchar, bytes); -+ guchar *line = g_new0 (guchar, bytes + 1); - gint real_bpp = bpp - 1; - gint current_bit = 0; - --- -GitLab - - diff --git a/SPECS/gimp.spec b/SPECS/gimp.spec index 998202e..d661c8b 100644 --- a/SPECS/gimp.spec +++ b/SPECS/gimp.spec @@ -66,8 +66,8 @@ Summary: GNU Image Manipulation Program Name: gimp Epoch: 2 Version: 3.0.4 -%global rel 1 -Release: %{rel}%{?dist}.5 +%global rel 5 +Release: %{rel}%{?dist} # https://bugzilla.redhat.com/show_bug.cgi?id=2318369 ExcludeArch: s390x 
@@ -253,24 +253,18 @@ Patch2: gimp-2.10.12-default-font.patch
 # Modifications for RHEL-9 enablement
 Patch3: gimp-3.0.4-glib.patch
-# CVE FIXES
+# CVEs
 Patch4: gimp-3.0.4-CVE-2025-10920-10925-10934.patch
-Patch5: gimp-3.0.4-CVE-2025-14422.patch
-Patch6: gimp-3.0.4-CVE-2025-14423.patch
-Patch7: gimp-3.0.4-CVE-2025-14424.patch
-Patch8: gimp-3.0.4-CVE-2025-14425.patch
+Patch5: gimp-3.0.4-CVE-2025-14424.patch
+Patch6: gimp-3.0.4-CVE-2025-14425.patch
+Patch7: gimp-3.0.4-CVE-2025-14423.patch
+Patch8: gimp-3.0.4-CVE-2025-14422.patch
 Patch9: gimp-3.0.4-CVE-2025-15059.patch
 Patch10: gimp-3.0.4-CVE-2026-0797.patch
 Patch11: gimp-3.0.4-CVE-2026-2044.patch
 Patch12: gimp-3.0.4-CVE-2026-2045.patch
 Patch13: gimp-3.0.4-CVE-2026-2047.patch
 Patch14: gimp-3.0.4-CVE-2026-2048.patch
-Patch15: gimp-CVE-2026-4150.patch
-Patch16: gimp-CVE-2026-4151.patch
-Patch17: gimp-CVE-2026-4152.patch
-Patch18: gimp-CVE-2026-4153.patch
-Patch19: gimp-CVE-2026-4154.patch
-Patch20: gimp-CVE-2026-4887.patch
 # use external help browser directly if help browser plug-in is not built
 Patch100: gimp-3.0.2-external-help-browser.patch
@@ -346,23 +340,17 @@ EOF
 %patch1 -p1 -b .cm-system-monitor
 %patch2 -p1 -b .font-default
 %patch3 -p1 -b .glib
-%patch4 -p1 -b .CVE-2025-10920-10925-10934
-%patch5 -p1 -b .CVE-2025-14422
-%patch6 -p1 -b .CVE-2025-14423
-%patch7 -p1 -b .CVE-2025-14424
-%patch8 -p1 -b .CVE-2025-14425
+%patch4 -p1 -b .CVE-2025-fixes
+%patch5 -p1 -b .CVE-2025-14424
+%patch6 -p1 -b .CVE-2025-14425
+%patch7 -p1 -b .CVE-2025-14423
+%patch8 -p1 -b .CVE-2025-14422
 %patch9 -p1 -b .CVE-2025-15059
 %patch10 -p1 -b .CVE-2026-0797
 %patch11 -p1 -b .CVE-2026-2044
 %patch12 -p1 -b .CVE-2026-2045
 %patch13 -p1 -b .CVE-2026-2047
 %patch14 -p1 -b .CVE-2026-2048
-%patch15 -p1 -b .CVE-2026-4150
-%patch16 -p1 -b .CVE-2026-4151
-%patch17 -p1 -b .CVE-2026-4152
-%patch18 -p1 -b .CVE-2026-4153
-%patch19 -p1 -b .CVE-2026-4154
-%patch20 -p1 -b .CVE-2026-4887
 %patch100 -p1 -b .external-help-browser
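Review bot: `Patch15`–`Patch20` (gimp-CVE-2026-4150 through gimp-CVE-2026-4154, and gimp-CVE-2026-4887) are removed from the patch list in the hunk at -253 with nothing replacing them, while `Version` stays at 3.0.4. A build from this spec would therefore no longer carry the PSD, ANI, JPEG 2000, PSP, XPM and PCX loader fixes, unless they reach this branch by a route this diff does not show. The same removal appears as `%patch15`–`%patch20` in the hunk at -346 and as the six deleted files under SOURCES/. If the drop is intended, record the reason in `%changelog`; otherwise keep the six `PatchN:` lines, their `%patch` lines and the patch files. `Patch5`–`Patch8` are also reordered (14424, 14425, 14423, 14422), which changes application order, so it is worth confirming that each still applies cleanly.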
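Review bot: The backup suffix on `%patch4` in the hunk at -346 becomes `.CVE-2025-fixes`, while every other `%patch` line keeps a suffix that names its CVE. Backup files left by patch 4 can then no longer be matched by name to gimp-3.0.4-CVE-2025-10920-10925-10934.patch. Writing `%patch4 -p1 -b .CVE-2025-10920-10925-10934` keeps the convention. The suffixes on `%patch5`–`%patch8` do follow the reordered `Patch5`–`Patch8` files, so that pairing looks consistent.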
@@ -678,31 +666,23 @@ done
 %endif
 %changelog
-* Mon May 11 2026 Josef Ridky - 2:3.0.4-1.5
-- fix CVE-2026-4150
-- fix CVE-2026-4151
-- fix CVE-2026-4152
-- fix CVE-2026-4153
-- fix CVE-2026-4154
-- fix CVE-2026-4887
-
-* Mon Mar 09 2026 Josef Ridky - 2:3.0.4-1.4
+* Fri Mar 06 2026 Josef Ridky - 2:3.0.4-5
 - fix CVE-2026-0797
 - fix CVE-2026-2044
 - fix CVE-2026-2045
 - fix CVE-2026-2047
 - fix CVE-2026-2048
-* Thu Feb 12 2026 Josef Ridky - 2:3.0.4-1.3
+* Tue Feb 10 2026 Josef Ridky - 2:3.0.4-4
 - fix CVE-2025-15059
-* Tue Jan 20 2026 Josef Ridky - 2:3.0.4-1.2
-- fix CVE-2025-14422
-- fix CVE-2025-14423
+* Tue Jan 20 2026 Josef Ridky - 2:3.0.4-3
 - fix CVE-2025-14424
 - fix CVE-2025-14425
+- fix CVE-2025-14423
+- fix CVE-2025-14422
-* Mon Nov 24 2025 Josef Ridky - 2:3.0.4-1.1
+* Thu Nov 20 2025 Josef Ridky - 2:3.0.4-2
 - fix CVE-2025-10920
 - fix CVE-2025-10921
 - fix CVE-2025-10922