import Oracle_OSS gimp-3.0.4-1.el9_7.4

This commit is contained in:
AlmaLinux RelEng Bot 2026-03-10 12:28:57 -04:00
parent f04b88bc85
commit 5949b6b690
6 changed files with 417 additions and 1 deletions

View File

@ -0,0 +1,91 @@
From c54bf22acb04b83ae38ed50add58f300e898dd81 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Fri, 26 Dec 2025 15:49:45 +0000
Subject: [PATCH] plug-ins: Add more fread () checks in ICO loading
Resolves #15555
This patch adds some guards for ico_read_int8 (),
which was used for loading palettes and maps
without verifying that it returned the same number
of bytes as what it tried to read in.
---
plug-ins/file-ico/ico-load.c | 33 ++++++++++++++++++++++++++-------
1 file changed, 26 insertions(+), 7 deletions(-)
diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
index 818cf23cd31..68637cbd745 100644
--- a/plug-ins/file-ico/ico-load.c
+++ b/plug-ins/file-ico/ico-load.c
@@ -69,7 +69,9 @@ ico_read_int32 (FILE *fp,
total = count;
if (count > 0)
{
- ico_read_int8 (fp, (guint8 *) data, count * 4);
+ if (ico_read_int8 (fp, (guint8 *) data, count * 4) != (count * 4))
+ return FALSE;
+
for (i = 0; i < count; i++)
data[i] = GUINT32_FROM_LE (data[i]);
}
@@ -88,7 +90,9 @@ ico_read_int16 (FILE *fp,
total = count;
if (count > 0)
{
- ico_read_int8 (fp, (guint8 *) data, count * 2);
+ if (ico_read_int8 (fp, (guint8 *) data, count * 2) != (count * 2))
+ return FALSE;
+
for (i = 0; i < count; i++)
data[i] = GUINT16_FROM_LE (data[i]);
}
@@ -109,8 +113,8 @@ ico_read_int8 (FILE *fp,
while (count > 0)
{
bytes = fread ((gchar *) data, sizeof (gchar), count, fp);
- if (bytes <= 0) /* something bad happened */
- break;
+ if (bytes != count) /* something bad happened */
+ return -1;
count -= bytes;
data += bytes;
@@ -489,16 +493,31 @@ ico_read_icon (FILE *fp,
data.used_clrs, data.bpp));
palette = g_new0 (guint32, data.used_clrs);
- ico_read_int8 (fp, (guint8 *) palette, data.used_clrs * 4);
+ if (ico_read_int8 (fp,
+ (guint8 *) palette,
+ data.used_clrs * 4) != (data.used_clrs * 4))
+ {
+ D(("skipping image: too large\n"));
+ return FALSE;
+ }
+
}
xor_map = ico_alloc_map (w, h, data.bpp, &length);
- ico_read_int8 (fp, xor_map, length);
+ if (ico_read_int8 (fp, xor_map, length) != length)
+ {
+ D(("skipping image: too large\n"));
+ return FALSE;
+ }
D((" length of xor_map: %i\n", length));
/* Read in and_map. It's padded out to 32 bits per line: */
and_map = ico_alloc_map (w, h, 1, &length);
- ico_read_int8 (fp, and_map, length);
+ if (! ico_read_int8 (fp, and_map, length) != length)
+ {
+ D(("skipping image: too large\n"));
+ return FALSE;
+ }
D((" length of and_map: %i\n", length));
dest_vec = (guint32 *) buf;
--
GitLab

View File

@ -0,0 +1,26 @@
From 112a5e038f0646eae5ae314988ec074433d2b365 Mon Sep 17 00:00:00 2001
From: Gabriele Barbero <barbero.gabriele03@gmail.com>
Date: Fri, 5 Dec 2025 19:13:01 +0100
Subject: [PATCH] ZDI-CAN-28158: use g_malloc0 instead of g_malloc
To avoid accessing uninitialized memory, replace calls to g_malloc with
g_malloc0 which initializes the allocated memory to zero.
---
plug-ins/common/file-pnm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c
index 9d349e967e7..65619be59de 100644
--- a/plug-ins/common/file-pnm.c
+++ b/plug-ins/common/file-pnm.c
@@ -693,7 +693,7 @@ load_image (GFile *file,
return NULL;
/* allocate the necessary structures */
- pnminfo = g_new (PNMInfo, 1);
+ pnminfo = g_new0 (PNMInfo, 1);
pnminfo->tupltype = NULL;
--
GitLab

View File

@ -0,0 +1,35 @@
From 68b27dfb1cbd9b3f22d7fa624dbab8647ee5f275 Mon Sep 17 00:00:00 2001
From: Jacob Boerema <jgboerema@gmail.com>
Date: Thu, 15 Jan 2026 10:12:07 -0500
Subject: [PATCH] plug-ins: fix #15293 security issue ZDI-CAN-28265
Just like we did in commit 4eb106f2bff2d9b8e518aa455a884c6f38d70c6a
we need to make sure that the offset in the colormap is valid before
using it, before using it to compute the RGB values.
---
plug-ins/common/file-xwd.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
index 77d9ea5d9f3..a016c55cd8a 100644
--- a/plug-ins/common/file-xwd.c
+++ b/plug-ins/common/file-xwd.c
@@ -1712,7 +1712,15 @@ load_xwd_f2_d16_b16 (GFile *file,
for (j = 0; j < ncols; j++)
{
- cm = ColorMap + xwdcolmap[j].l_pixel * 3;
+ goffset offset = xwdcolmap[j].l_pixel * 3;
+
+ if (offset+2 >= maxval)
+ {
+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
+ _("Invalid colormap offset. Possibly corrupt image."));
+ return NULL;
+ }
+ cm = ColorMap + offset;
*(cm++) = (xwdcolmap[j].l_red >> 8);
*(cm++) = (xwdcolmap[j].l_green >> 8);
*cm = (xwdcolmap[j].l_blue >> 8);
--
GitLab

View File

@ -0,0 +1,161 @@
From dd2faac351f1ff2588529fedc606e6a5f815577c Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Sat, 17 Jan 2026 16:59:17 +0000
Subject: [PATCH] plug-ins: Resolve ZDI-CAN-28530 for ICNS load
Our ICNS importer did not verify that the ICNS resource
data size was defined as larger than 0. Therefore, it
was possible to create a malicious file that would infinitely
load since the file cursor would not advance. This patch
adds a check for the icon size being 0, and stops the loop
if this is encountered.
Additionally, there is no header defined limit for the number of
icons in an ICNS file. This patch switches from using a hardcoded
256 icon limit to using GLists to dynamically add icons as we read
them in.
---
plug-ins/file-icns/file-icns-load.c | 59 ++++++++++++++++++++---------
1 file changed, 42 insertions(+), 17 deletions(-)
diff --git a/plug-ins/file-icns/file-icns-load.c b/plug-ins/file-icns/file-icns-load.c
index f2298c056e1..9b5b7fc7743 100644
--- a/plug-ins/file-icns/file-icns-load.c
+++ b/plug-ins/file-icns/file-icns-load.c
@@ -40,7 +40,7 @@
IcnsResource * resource_load (FILE *file);
-IcnsResource * resource_find (IcnsResource *list,
+IcnsResource * resource_find (GList *resources,
gchar *type,
gint max);
@@ -118,14 +118,18 @@ resource_load (FILE *file)
}
IcnsResource *
-resource_find (IcnsResource *list,
+resource_find (GList *resources,
gchar *type,
gint max)
{
- for (gint i = 0; i < max; i++)
+ GList *list;
+
+ for (list = resources; list; list = g_list_next (list))
{
- if (! strncmp (list[i].type, type, 4))
- return &list[i];
+ IcnsResource *res = list->data;
+
+ if (! strncmp (res->type, type, 4))
+ return res;
}
return NULL;
}
@@ -145,10 +149,14 @@ resource_get_next (IcnsResource *icns,
res->cursor = sizeof (IcnsResourceHeader);
res->data = &(icns->data[icns->cursor]);
+ if (! res->size)
+ return FALSE;
+
icns->cursor += res->size;
if (icns->cursor > icns->size)
{
gchar typestring[5];
+
fourcc_get_string (icns->type, typestring);
g_message ("icns resource_get_next: resource too big! type '%s', size %u\n",
typestring, icns->size);
@@ -162,18 +170,25 @@ GimpImage *
icns_load (IcnsResource *icns,
GFile *file)
{
- IcnsResource *resources;
+ GList *resources;
+ IcnsResource *resource;
guint nResources;
gfloat current_resources = 0;
GimpImage *image;
- resources = g_new (IcnsResource, 256);
+ resources = NULL;
+ resource = g_new (IcnsResource, 1);
/* Largest .icns icon is 1024 x 1024 */
image = gimp_image_new (1024, 1024, GIMP_RGB);
nResources = 0;
- while (resource_get_next (icns, &resources[nResources++])) {}
+ while (resource_get_next (icns, resource))
+ {
+ resources = g_list_append (resources, resource);
+
+ resource = g_new (IcnsResource, 1);
+ }
for (gint i = 0; iconTypes[i].type; i++)
{
@@ -192,7 +207,8 @@ icns_load (IcnsResource *icns,
}
gimp_image_resize_to_layers (image);
- g_free (resources);
+ g_list_free_full (resources, g_free);
+ g_free (resource);
return image;
}
@@ -585,7 +601,8 @@ icns_load_thumbnail_image (GFile *file,
FILE *fp;
GimpImage *image = NULL;
IcnsResource *icns;
- IcnsResource *resources;
+ GList *resources;
+ IcnsResource *resource;
IcnsResource *mask = NULL;
guint i;
gint match = -1;
@@ -610,15 +627,22 @@ icns_load_thumbnail_image (GFile *file,
fclose (fp);
if (! icns)
- {
- g_message ("Invalid or corrupt icns resource file.");
- return NULL;
- }
+ {
+ g_message ("Invalid or corrupt icns resource file.");
+ return NULL;
+ }
image = gimp_image_new (1024, 1024, GIMP_RGB);
- resources = g_new (IcnsResource, 256);
- while (resource_get_next (icns, &resources[nResources++])) {}
+ resources = NULL;
+ resource = g_new (IcnsResource, 1);
+
+ while (resource_get_next (icns, resource))
+ {
+ resources = g_list_append (resources, resource);
+
+ resource = g_new (IcnsResource, 1);
+ }
*width = 0;
*height = 0;
@@ -671,7 +695,8 @@ icns_load_thumbnail_image (GFile *file,
return NULL;
}
- g_free (resources);
+ g_list_free_full (resources, g_free);
+ g_free (resource);
gimp_progress_update (1.0);
--
GitLab

View File

@ -0,0 +1,86 @@
From 57712677007793118388c5be6fb8231f22a2b341 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Wed, 31 Dec 2025 14:45:15 +0000
Subject: [PATCH] plug-ins: Add OoB check for loading XWD
Resolves #15554
This patch adds a check for if our pointer arithmetic
exceeds the memory allocated for the dest array. If so,
we throw an error rather than access memory outside
the bounds.
---
plug-ins/common/file-xwd.c | 31 ++++++++++++++++++++++++++++---
1 file changed, 28 insertions(+), 3 deletions(-)
diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
index c4c41e5bea7..77d9ea5d9f3 100644
--- a/plug-ins/common/file-xwd.c
+++ b/plug-ins/common/file-xwd.c
@@ -2241,6 +2241,7 @@ load_xwd_f1_d24_b1 (GFile *file,
guint32 redmask, greenmask, bluemask;
guint redshift, greenshift, blueshift;
guint32 g;
+ guint32 maxval;
guchar redmap[256], greenmap[256], bluemap[256];
guchar bit_reverse[256];
guchar *xwddata, *xwdin, *data;
@@ -2332,7 +2333,8 @@ load_xwd_f1_d24_b1 (GFile *file,
&layer, &buffer);
tile_height = gimp_tile_height ();
- data = g_malloc (tile_height * width * bytes_per_pixel);
+ data = g_malloc (tile_height * width * bytes_per_pixel);
+ maxval = tile_height * width * bytes_per_pixel;
ncols = xwdhdr->l_colormap_entries;
if (xwdhdr->l_ncolors < ncols)
@@ -2357,6 +2359,8 @@ load_xwd_f1_d24_b1 (GFile *file,
for (tile_start = 0; tile_start < height; tile_start += tile_height)
{
+ guint current_dest = 0;
+
memset (data, 0, width*tile_height*bytes_per_pixel);
tile_end = tile_start + tile_height - 1;
@@ -2384,7 +2388,18 @@ load_xwd_f1_d24_b1 (GFile *file,
else /* 3 bytes per pixel */
{
fromright = xwdhdr->l_pixmap_depth-1-plane;
- dest += 2 - fromright/8;
+
+ current_dest += 2 - fromright / 8;
+ if (current_dest < maxval)
+ {
+ dest += 2 - fromright / 8;
+ }
+ else
+ {
+ err = 1;
+ break;
+ }
+
outmask = (1 << (fromright % 8));
}
@@ -2439,7 +2454,17 @@ load_xwd_f1_d24_b1 (GFile *file,
if (g & inmask)
*dest |= outmask;
- dest += bytes_per_pixel;
+
+ current_dest += bytes_per_pixel;
+ if (current_dest < maxval)
+ {
+ dest += bytes_per_pixel;
+ }
+ else
+ {
+ err = 1;
+ break;
+ }
inmask >>= 1;
}
--
GitLab

View File

@ -67,7 +67,7 @@ Name: gimp
Epoch: 2
Version: 3.0.4
%global rel 1
Release: %{rel}%{?dist}.3
Release: %{rel}%{?dist}.4
# https://bugzilla.redhat.com/show_bug.cgi?id=2318369
ExcludeArch: s390x
@ -260,6 +260,11 @@ Patch6: gimp-3.0.4-CVE-2025-14423.patch
Patch7: gimp-3.0.4-CVE-2025-14424.patch
Patch8: gimp-3.0.4-CVE-2025-14425.patch
Patch9: gimp-3.0.4-CVE-2025-15059.patch
Patch10: gimp-3.0.4-CVE-2026-0797.patch
Patch11: gimp-3.0.4-CVE-2026-2044.patch
Patch12: gimp-3.0.4-CVE-2026-2045.patch
Patch13: gimp-3.0.4-CVE-2026-2047.patch
Patch14: gimp-3.0.4-CVE-2026-2048.patch
# use external help browser directly if help browser plug-in is not built
Patch100: gimp-3.0.2-external-help-browser.patch
@ -341,6 +346,11 @@ EOF
%patch7 -p1 -b .CVE-2025-14424
%patch8 -p1 -b .CVE-2025-14425
%patch9 -p1 -b .CVE-2025-15059
%patch10 -p1 -b .CVE-2026-0797
%patch11 -p1 -b .CVE-2026-2044
%patch12 -p1 -b .CVE-2026-2045
%patch13 -p1 -b .CVE-2026-2047
%patch14 -p1 -b .CVE-2026-2048
%patch100 -p1 -b .external-help-browser
@ -656,6 +666,13 @@ done
%endif
%changelog
* Mon Mar 09 2026 Josef Ridky <jridky@redhat.com> - 2:3.0.4-1.4
- fix CVE-2026-0797
- fix CVE-2026-2044
- fix CVE-2026-2045
- fix CVE-2026-2047
- fix CVE-2026-2048
* Thu Feb 12 2026 Josef Ridky <jridky@redhat.com> - 2:3.0.4-1.3
- fix CVE-2025-15059