import Oracle_OSS gimp-3.0.4-1.el9_7.4
This commit is contained in:
parent
f04b88bc85
commit
5949b6b690
91
SOURCES/gimp-3.0.4-CVE-2026-0797.patch
Normal file
91
SOURCES/gimp-3.0.4-CVE-2026-0797.patch
Normal file
@ -0,0 +1,91 @@
|
||||
From c54bf22acb04b83ae38ed50add58f300e898dd81 Mon Sep 17 00:00:00 2001
|
||||
From: Alx Sa <cmyk.student@gmail.com>
|
||||
Date: Fri, 26 Dec 2025 15:49:45 +0000
|
||||
Subject: [PATCH] plug-ins: Add more fread () checks in ICO loading
|
||||
|
||||
Resolves #15555
|
||||
|
||||
This patch adds some guards for ico_read_int8 (),
|
||||
which was used for loading palettes and maps
|
||||
without verifying that it returned the same number
|
||||
of bytes as what it tried to read in.
|
||||
---
|
||||
plug-ins/file-ico/ico-load.c | 33 ++++++++++++++++++++++++++-------
|
||||
1 file changed, 26 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
|
||||
index 818cf23cd31..68637cbd745 100644
|
||||
--- a/plug-ins/file-ico/ico-load.c
|
||||
+++ b/plug-ins/file-ico/ico-load.c
|
||||
@@ -69,7 +69,9 @@ ico_read_int32 (FILE *fp,
|
||||
total = count;
|
||||
if (count > 0)
|
||||
{
|
||||
- ico_read_int8 (fp, (guint8 *) data, count * 4);
|
||||
+ if (ico_read_int8 (fp, (guint8 *) data, count * 4) != (count * 4))
|
||||
+ return FALSE;
|
||||
+
|
||||
for (i = 0; i < count; i++)
|
||||
data[i] = GUINT32_FROM_LE (data[i]);
|
||||
}
|
||||
@@ -88,7 +90,9 @@ ico_read_int16 (FILE *fp,
|
||||
total = count;
|
||||
if (count > 0)
|
||||
{
|
||||
- ico_read_int8 (fp, (guint8 *) data, count * 2);
|
||||
+ if (ico_read_int8 (fp, (guint8 *) data, count * 2) != (count * 2))
|
||||
+ return FALSE;
|
||||
+
|
||||
for (i = 0; i < count; i++)
|
||||
data[i] = GUINT16_FROM_LE (data[i]);
|
||||
}
|
||||
@@ -109,8 +113,8 @@ ico_read_int8 (FILE *fp,
|
||||
while (count > 0)
|
||||
{
|
||||
bytes = fread ((gchar *) data, sizeof (gchar), count, fp);
|
||||
- if (bytes <= 0) /* something bad happened */
|
||||
- break;
|
||||
+ if (bytes != count) /* something bad happened */
|
||||
+ return -1;
|
||||
|
||||
count -= bytes;
|
||||
data += bytes;
|
||||
@@ -489,16 +493,31 @@ ico_read_icon (FILE *fp,
|
||||
data.used_clrs, data.bpp));
|
||||
|
||||
palette = g_new0 (guint32, data.used_clrs);
|
||||
- ico_read_int8 (fp, (guint8 *) palette, data.used_clrs * 4);
|
||||
+ if (ico_read_int8 (fp,
|
||||
+ (guint8 *) palette,
|
||||
+ data.used_clrs * 4) != (data.used_clrs * 4))
|
||||
+ {
|
||||
+ D(("skipping image: too large\n"));
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+
|
||||
}
|
||||
|
||||
xor_map = ico_alloc_map (w, h, data.bpp, &length);
|
||||
- ico_read_int8 (fp, xor_map, length);
|
||||
+ if (ico_read_int8 (fp, xor_map, length) != length)
|
||||
+ {
|
||||
+ D(("skipping image: too large\n"));
|
||||
+ return FALSE;
|
||||
+ }
|
||||
D((" length of xor_map: %i\n", length));
|
||||
|
||||
/* Read in and_map. It's padded out to 32 bits per line: */
|
||||
and_map = ico_alloc_map (w, h, 1, &length);
|
||||
- ico_read_int8 (fp, and_map, length);
|
||||
+ if (! ico_read_int8 (fp, and_map, length) != length)
|
||||
+ {
|
||||
+ D(("skipping image: too large\n"));
|
||||
+ return FALSE;
|
||||
+ }
|
||||
D((" length of and_map: %i\n", length));
|
||||
|
||||
dest_vec = (guint32 *) buf;
|
||||
--
|
||||
GitLab
|
||||
|
||||
|
||||
26
SOURCES/gimp-3.0.4-CVE-2026-2044.patch
Normal file
26
SOURCES/gimp-3.0.4-CVE-2026-2044.patch
Normal file
@ -0,0 +1,26 @@
|
||||
From 112a5e038f0646eae5ae314988ec074433d2b365 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriele Barbero <barbero.gabriele03@gmail.com>
|
||||
Date: Fri, 5 Dec 2025 19:13:01 +0100
|
||||
Subject: [PATCH] ZDI-CAN-28158: use g_malloc0 instead of g_malloc
|
||||
|
||||
To avoid accessing uninitialized memory, replace calls to g_malloc with
|
||||
g_malloc0 which initializes the allocated memory to zero.
|
||||
---
|
||||
plug-ins/common/file-pnm.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c
|
||||
index 9d349e967e7..65619be59de 100644
|
||||
--- a/plug-ins/common/file-pnm.c
|
||||
+++ b/plug-ins/common/file-pnm.c
|
||||
@@ -693,7 +693,7 @@ load_image (GFile *file,
|
||||
return NULL;
|
||||
|
||||
/* allocate the necessary structures */
|
||||
- pnminfo = g_new (PNMInfo, 1);
|
||||
+ pnminfo = g_new0 (PNMInfo, 1);
|
||||
|
||||
pnminfo->tupltype = NULL;
|
||||
|
||||
--
|
||||
GitLab
|
||||
35
SOURCES/gimp-3.0.4-CVE-2026-2045.patch
Normal file
35
SOURCES/gimp-3.0.4-CVE-2026-2045.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 68b27dfb1cbd9b3f22d7fa624dbab8647ee5f275 Mon Sep 17 00:00:00 2001
|
||||
From: Jacob Boerema <jgboerema@gmail.com>
|
||||
Date: Thu, 15 Jan 2026 10:12:07 -0500
|
||||
Subject: [PATCH] plug-ins: fix #15293 security issue ZDI-CAN-28265
|
||||
|
||||
Just like we did in commit 4eb106f2bff2d9b8e518aa455a884c6f38d70c6a
|
||||
we need to make sure that the offset in the colormap is valid before
|
||||
using it, before using it to compute the RGB values.
|
||||
---
|
||||
plug-ins/common/file-xwd.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
|
||||
index 77d9ea5d9f3..a016c55cd8a 100644
|
||||
--- a/plug-ins/common/file-xwd.c
|
||||
+++ b/plug-ins/common/file-xwd.c
|
||||
@@ -1712,7 +1712,15 @@ load_xwd_f2_d16_b16 (GFile *file,
|
||||
|
||||
for (j = 0; j < ncols; j++)
|
||||
{
|
||||
- cm = ColorMap + xwdcolmap[j].l_pixel * 3;
|
||||
+ goffset offset = xwdcolmap[j].l_pixel * 3;
|
||||
+
|
||||
+ if (offset+2 >= maxval)
|
||||
+ {
|
||||
+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
|
||||
+ _("Invalid colormap offset. Possibly corrupt image."));
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ cm = ColorMap + offset;
|
||||
*(cm++) = (xwdcolmap[j].l_red >> 8);
|
||||
*(cm++) = (xwdcolmap[j].l_green >> 8);
|
||||
*cm = (xwdcolmap[j].l_blue >> 8);
|
||||
--
|
||||
GitLab
|
||||
161
SOURCES/gimp-3.0.4-CVE-2026-2047.patch
Normal file
161
SOURCES/gimp-3.0.4-CVE-2026-2047.patch
Normal file
@ -0,0 +1,161 @@
|
||||
From dd2faac351f1ff2588529fedc606e6a5f815577c Mon Sep 17 00:00:00 2001
|
||||
From: Alx Sa <cmyk.student@gmail.com>
|
||||
Date: Sat, 17 Jan 2026 16:59:17 +0000
|
||||
Subject: [PATCH] plug-ins: Resolve ZDI-CAN-28530 for ICNS load
|
||||
|
||||
Our ICNS importer did not verify that the ICNS resource
|
||||
data size was defined as larger than 0. Therefore, it
|
||||
was possible to create a malicious file that would infinitely
|
||||
load since the file cursor would not advance. This patch
|
||||
adds a check for the icon size being 0, and stops the loop
|
||||
if this is encountered.
|
||||
|
||||
Additionally, there is no header defined limit for the number of
|
||||
icons in an ICNS file. This patch switches from using a hardcoded
|
||||
256 icon limit to using GLists to dynamically add icons as we read
|
||||
them in.
|
||||
---
|
||||
plug-ins/file-icns/file-icns-load.c | 59 ++++++++++++++++++++---------
|
||||
1 file changed, 42 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/plug-ins/file-icns/file-icns-load.c b/plug-ins/file-icns/file-icns-load.c
|
||||
index f2298c056e1..9b5b7fc7743 100644
|
||||
--- a/plug-ins/file-icns/file-icns-load.c
|
||||
+++ b/plug-ins/file-icns/file-icns-load.c
|
||||
@@ -40,7 +40,7 @@
|
||||
|
||||
IcnsResource * resource_load (FILE *file);
|
||||
|
||||
-IcnsResource * resource_find (IcnsResource *list,
|
||||
+IcnsResource * resource_find (GList *resources,
|
||||
gchar *type,
|
||||
gint max);
|
||||
|
||||
@@ -118,14 +118,18 @@ resource_load (FILE *file)
|
||||
}
|
||||
|
||||
IcnsResource *
|
||||
-resource_find (IcnsResource *list,
|
||||
+resource_find (GList *resources,
|
||||
gchar *type,
|
||||
gint max)
|
||||
{
|
||||
- for (gint i = 0; i < max; i++)
|
||||
+ GList *list;
|
||||
+
|
||||
+ for (list = resources; list; list = g_list_next (list))
|
||||
{
|
||||
- if (! strncmp (list[i].type, type, 4))
|
||||
- return &list[i];
|
||||
+ IcnsResource *res = list->data;
|
||||
+
|
||||
+ if (! strncmp (res->type, type, 4))
|
||||
+ return res;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
@@ -145,10 +149,14 @@ resource_get_next (IcnsResource *icns,
|
||||
res->cursor = sizeof (IcnsResourceHeader);
|
||||
res->data = &(icns->data[icns->cursor]);
|
||||
|
||||
+ if (! res->size)
|
||||
+ return FALSE;
|
||||
+
|
||||
icns->cursor += res->size;
|
||||
if (icns->cursor > icns->size)
|
||||
{
|
||||
gchar typestring[5];
|
||||
+
|
||||
fourcc_get_string (icns->type, typestring);
|
||||
g_message ("icns resource_get_next: resource too big! type '%s', size %u\n",
|
||||
typestring, icns->size);
|
||||
@@ -162,18 +170,25 @@ GimpImage *
|
||||
icns_load (IcnsResource *icns,
|
||||
GFile *file)
|
||||
{
|
||||
- IcnsResource *resources;
|
||||
+ GList *resources;
|
||||
+ IcnsResource *resource;
|
||||
guint nResources;
|
||||
gfloat current_resources = 0;
|
||||
GimpImage *image;
|
||||
|
||||
- resources = g_new (IcnsResource, 256);
|
||||
+ resources = NULL;
|
||||
+ resource = g_new (IcnsResource, 1);
|
||||
|
||||
/* Largest .icns icon is 1024 x 1024 */
|
||||
image = gimp_image_new (1024, 1024, GIMP_RGB);
|
||||
|
||||
nResources = 0;
|
||||
- while (resource_get_next (icns, &resources[nResources++])) {}
|
||||
+ while (resource_get_next (icns, resource))
|
||||
+ {
|
||||
+ resources = g_list_append (resources, resource);
|
||||
+
|
||||
+ resource = g_new (IcnsResource, 1);
|
||||
+ }
|
||||
|
||||
for (gint i = 0; iconTypes[i].type; i++)
|
||||
{
|
||||
@@ -192,7 +207,8 @@ icns_load (IcnsResource *icns,
|
||||
}
|
||||
|
||||
gimp_image_resize_to_layers (image);
|
||||
- g_free (resources);
|
||||
+ g_list_free_full (resources, g_free);
|
||||
+ g_free (resource);
|
||||
return image;
|
||||
}
|
||||
|
||||
@@ -585,7 +601,8 @@ icns_load_thumbnail_image (GFile *file,
|
||||
FILE *fp;
|
||||
GimpImage *image = NULL;
|
||||
IcnsResource *icns;
|
||||
- IcnsResource *resources;
|
||||
+ GList *resources;
|
||||
+ IcnsResource *resource;
|
||||
IcnsResource *mask = NULL;
|
||||
guint i;
|
||||
gint match = -1;
|
||||
@@ -610,15 +627,22 @@ icns_load_thumbnail_image (GFile *file,
|
||||
fclose (fp);
|
||||
|
||||
if (! icns)
|
||||
- {
|
||||
- g_message ("Invalid or corrupt icns resource file.");
|
||||
- return NULL;
|
||||
- }
|
||||
+ {
|
||||
+ g_message ("Invalid or corrupt icns resource file.");
|
||||
+ return NULL;
|
||||
+ }
|
||||
|
||||
image = gimp_image_new (1024, 1024, GIMP_RGB);
|
||||
|
||||
- resources = g_new (IcnsResource, 256);
|
||||
- while (resource_get_next (icns, &resources[nResources++])) {}
|
||||
+ resources = NULL;
|
||||
+ resource = g_new (IcnsResource, 1);
|
||||
+
|
||||
+ while (resource_get_next (icns, resource))
|
||||
+ {
|
||||
+ resources = g_list_append (resources, resource);
|
||||
+
|
||||
+ resource = g_new (IcnsResource, 1);
|
||||
+ }
|
||||
|
||||
*width = 0;
|
||||
*height = 0;
|
||||
@@ -671,7 +695,8 @@ icns_load_thumbnail_image (GFile *file,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- g_free (resources);
|
||||
+ g_list_free_full (resources, g_free);
|
||||
+ g_free (resource);
|
||||
|
||||
gimp_progress_update (1.0);
|
||||
|
||||
--
|
||||
GitLab
|
||||
86
SOURCES/gimp-3.0.4-CVE-2026-2048.patch
Normal file
86
SOURCES/gimp-3.0.4-CVE-2026-2048.patch
Normal file
@ -0,0 +1,86 @@
|
||||
From 57712677007793118388c5be6fb8231f22a2b341 Mon Sep 17 00:00:00 2001
|
||||
From: Alx Sa <cmyk.student@gmail.com>
|
||||
Date: Wed, 31 Dec 2025 14:45:15 +0000
|
||||
Subject: [PATCH] plug-ins: Add OoB check for loading XWD
|
||||
|
||||
Resolves #15554
|
||||
This patch adds a check for if our pointer arithmetic
|
||||
exceeds the memory allocated for the dest array. If so,
|
||||
we throw an error rather than access memory outside
|
||||
the bounds.
|
||||
---
|
||||
plug-ins/common/file-xwd.c | 31 ++++++++++++++++++++++++++++---
|
||||
1 file changed, 28 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
|
||||
index c4c41e5bea7..77d9ea5d9f3 100644
|
||||
--- a/plug-ins/common/file-xwd.c
|
||||
+++ b/plug-ins/common/file-xwd.c
|
||||
@@ -2241,6 +2241,7 @@ load_xwd_f1_d24_b1 (GFile *file,
|
||||
guint32 redmask, greenmask, bluemask;
|
||||
guint redshift, greenshift, blueshift;
|
||||
guint32 g;
|
||||
+ guint32 maxval;
|
||||
guchar redmap[256], greenmap[256], bluemap[256];
|
||||
guchar bit_reverse[256];
|
||||
guchar *xwddata, *xwdin, *data;
|
||||
@@ -2332,7 +2333,8 @@ load_xwd_f1_d24_b1 (GFile *file,
|
||||
&layer, &buffer);
|
||||
|
||||
tile_height = gimp_tile_height ();
|
||||
- data = g_malloc (tile_height * width * bytes_per_pixel);
|
||||
+ data = g_malloc (tile_height * width * bytes_per_pixel);
|
||||
+ maxval = tile_height * width * bytes_per_pixel;
|
||||
|
||||
ncols = xwdhdr->l_colormap_entries;
|
||||
if (xwdhdr->l_ncolors < ncols)
|
||||
@@ -2357,6 +2359,8 @@ load_xwd_f1_d24_b1 (GFile *file,
|
||||
|
||||
for (tile_start = 0; tile_start < height; tile_start += tile_height)
|
||||
{
|
||||
+ guint current_dest = 0;
|
||||
+
|
||||
memset (data, 0, width*tile_height*bytes_per_pixel);
|
||||
|
||||
tile_end = tile_start + tile_height - 1;
|
||||
@@ -2384,7 +2388,18 @@ load_xwd_f1_d24_b1 (GFile *file,
|
||||
else /* 3 bytes per pixel */
|
||||
{
|
||||
fromright = xwdhdr->l_pixmap_depth-1-plane;
|
||||
- dest += 2 - fromright/8;
|
||||
+
|
||||
+ current_dest += 2 - fromright / 8;
|
||||
+ if (current_dest < maxval)
|
||||
+ {
|
||||
+ dest += 2 - fromright / 8;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ err = 1;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
outmask = (1 << (fromright % 8));
|
||||
}
|
||||
|
||||
@@ -2439,7 +2454,17 @@ load_xwd_f1_d24_b1 (GFile *file,
|
||||
|
||||
if (g & inmask)
|
||||
*dest |= outmask;
|
||||
- dest += bytes_per_pixel;
|
||||
+
|
||||
+ current_dest += bytes_per_pixel;
|
||||
+ if (current_dest < maxval)
|
||||
+ {
|
||||
+ dest += bytes_per_pixel;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ err = 1;
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
inmask >>= 1;
|
||||
}
|
||||
--
|
||||
GitLab
|
||||
@ -67,7 +67,7 @@ Name: gimp
|
||||
Epoch: 2
|
||||
Version: 3.0.4
|
||||
%global rel 1
|
||||
Release: %{rel}%{?dist}.3
|
||||
Release: %{rel}%{?dist}.4
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2318369
|
||||
ExcludeArch: s390x
|
||||
|
||||
@ -260,6 +260,11 @@ Patch6: gimp-3.0.4-CVE-2025-14423.patch
|
||||
Patch7: gimp-3.0.4-CVE-2025-14424.patch
|
||||
Patch8: gimp-3.0.4-CVE-2025-14425.patch
|
||||
Patch9: gimp-3.0.4-CVE-2025-15059.patch
|
||||
Patch10: gimp-3.0.4-CVE-2026-0797.patch
|
||||
Patch11: gimp-3.0.4-CVE-2026-2044.patch
|
||||
Patch12: gimp-3.0.4-CVE-2026-2045.patch
|
||||
Patch13: gimp-3.0.4-CVE-2026-2047.patch
|
||||
Patch14: gimp-3.0.4-CVE-2026-2048.patch
|
||||
|
||||
# use external help browser directly if help browser plug-in is not built
|
||||
Patch100: gimp-3.0.2-external-help-browser.patch
|
||||
@ -341,6 +346,11 @@ EOF
|
||||
%patch7 -p1 -b .CVE-2025-14424
|
||||
%patch8 -p1 -b .CVE-2025-14425
|
||||
%patch9 -p1 -b .CVE-2025-15059
|
||||
%patch10 -p1 -b .CVE-2026-0797
|
||||
%patch11 -p1 -b .CVE-2026-2044
|
||||
%patch12 -p1 -b .CVE-2026-2045
|
||||
%patch13 -p1 -b .CVE-2026-2047
|
||||
%patch14 -p1 -b .CVE-2026-2048
|
||||
|
||||
%patch100 -p1 -b .external-help-browser
|
||||
|
||||
@ -656,6 +666,13 @@ done
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Mar 09 2026 Josef Ridky <jridky@redhat.com> - 2:3.0.4-1.4
|
||||
- fix CVE-2026-0797
|
||||
- fix CVE-2026-2044
|
||||
- fix CVE-2026-2045
|
||||
- fix CVE-2026-2047
|
||||
- fix CVE-2026-2048
|
||||
|
||||
* Thu Feb 12 2026 Josef Ridky <jridky@redhat.com> - 2:3.0.4-1.3
|
||||
- fix CVE-2025-15059
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user