From 5949b6b690cb31fb393d81746e08de55491e1b4b Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Tue, 10 Mar 2026 12:28:57 -0400 Subject: [PATCH] import Oracle_OSS gimp-3.0.4-1.el9_7.4 --- SOURCES/gimp-3.0.4-CVE-2026-0797.patch | 91 ++++++++++++++ SOURCES/gimp-3.0.4-CVE-2026-2044.patch | 26 ++++ SOURCES/gimp-3.0.4-CVE-2026-2045.patch | 35 ++++++ SOURCES/gimp-3.0.4-CVE-2026-2047.patch | 161 +++++++++++++++++++++++++ SOURCES/gimp-3.0.4-CVE-2026-2048.patch | 86 +++++++++++++ SPECS/gimp.spec | 19 ++- 6 files changed, 417 insertions(+), 1 deletion(-) create mode 100644 SOURCES/gimp-3.0.4-CVE-2026-0797.patch create mode 100644 SOURCES/gimp-3.0.4-CVE-2026-2044.patch create mode 100644 SOURCES/gimp-3.0.4-CVE-2026-2045.patch create mode 100644 SOURCES/gimp-3.0.4-CVE-2026-2047.patch create mode 100644 SOURCES/gimp-3.0.4-CVE-2026-2048.patch diff --git a/SOURCES/gimp-3.0.4-CVE-2026-0797.patch b/SOURCES/gimp-3.0.4-CVE-2026-0797.patch new file mode 100644 index 0000000..569e926 --- /dev/null +++ b/SOURCES/gimp-3.0.4-CVE-2026-0797.patch @@ -0,0 +1,91 @@ +From c54bf22acb04b83ae38ed50add58f300e898dd81 Mon Sep 17 00:00:00 2001 +From: Alx Sa +Date: Fri, 26 Dec 2025 15:49:45 +0000 +Subject: [PATCH] plug-ins: Add more fread () checks in ICO loading + +Resolves #15555 + +This patch adds some guards for ico_read_int8 (), +which was used for loading palettes and maps +without verifying that it returned the same number +of bytes as what it tried to read in. +--- + plug-ins/file-ico/ico-load.c | 33 ++++++++++++++++++++++++++------- + 1 file changed, 26 insertions(+), 7 deletions(-) + +diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c +index 818cf23cd31..68637cbd745 100644 +--- a/plug-ins/file-ico/ico-load.c ++++ b/plug-ins/file-ico/ico-load.c +@@ -69,7 +69,9 @@ ico_read_int32 (FILE *fp, + total = count; + if (count > 0) + { +- ico_read_int8 (fp, (guint8 *) data, count * 4); ++ if (ico_read_int8 (fp, (guint8 *) data, count * 4) != (count * 4)) ++ return FALSE; ++ + for (i = 0; i < count; i++) + data[i] = GUINT32_FROM_LE (data[i]); + } +@@ -88,7 +90,9 @@ ico_read_int16 (FILE *fp, + total = count; + if (count > 0) + { +- ico_read_int8 (fp, (guint8 *) data, count * 2); ++ if (ico_read_int8 (fp, (guint8 *) data, count * 2) != (count * 2)) ++ return FALSE; ++ + for (i = 0; i < count; i++) + data[i] = GUINT16_FROM_LE (data[i]); + } +@@ -109,8 +113,8 @@ ico_read_int8 (FILE *fp, + while (count > 0) + { + bytes = fread ((gchar *) data, sizeof (gchar), count, fp); +- if (bytes <= 0) /* something bad happened */ +- break; ++ if (bytes != count) /* something bad happened */ ++ return -1; + + count -= bytes; + data += bytes; +@@ -489,16 +493,31 @@ ico_read_icon (FILE *fp, + data.used_clrs, data.bpp)); + + palette = g_new0 (guint32, data.used_clrs); +- ico_read_int8 (fp, (guint8 *) palette, data.used_clrs * 4); ++ if (ico_read_int8 (fp, ++ (guint8 *) palette, ++ data.used_clrs * 4) != (data.used_clrs * 4)) ++ { ++ D(("skipping image: too large\n")); ++ return FALSE; ++ } ++ + } + + xor_map = ico_alloc_map (w, h, data.bpp, &length); +- ico_read_int8 (fp, xor_map, length); ++ if (ico_read_int8 (fp, xor_map, length) != length) ++ { ++ D(("skipping image: too large\n")); ++ return FALSE; ++ } + D((" length of xor_map: %i\n", length)); + + /* Read in and_map. It's padded out to 32 bits per line: */ + and_map = ico_alloc_map (w, h, 1, &length); +- ico_read_int8 (fp, and_map, length); ++ if (! ico_read_int8 (fp, and_map, length) != length) ++ { ++ D(("skipping image: too large\n")); ++ return FALSE; ++ } + D((" length of and_map: %i\n", length)); + + dest_vec = (guint32 *) buf; +-- +GitLab + + diff --git a/SOURCES/gimp-3.0.4-CVE-2026-2044.patch b/SOURCES/gimp-3.0.4-CVE-2026-2044.patch new file mode 100644 index 0000000..d448289 --- /dev/null +++ b/SOURCES/gimp-3.0.4-CVE-2026-2044.patch @@ -0,0 +1,26 @@ +From 112a5e038f0646eae5ae314988ec074433d2b365 Mon Sep 17 00:00:00 2001 +From: Gabriele Barbero +Date: Fri, 5 Dec 2025 19:13:01 +0100 +Subject: [PATCH] ZDI-CAN-28158: use g_malloc0 instead of g_malloc + +To avoid accessing uninitialized memory, replace calls to g_malloc with +g_malloc0 which initializes the allocated memory to zero. +--- + plug-ins/common/file-pnm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c +index 9d349e967e7..65619be59de 100644 +--- a/plug-ins/common/file-pnm.c ++++ b/plug-ins/common/file-pnm.c +@@ -693,7 +693,7 @@ load_image (GFile *file, + return NULL; + + /* allocate the necessary structures */ +- pnminfo = g_new (PNMInfo, 1); ++ pnminfo = g_new0 (PNMInfo, 1); + + pnminfo->tupltype = NULL; + +-- +GitLab diff --git a/SOURCES/gimp-3.0.4-CVE-2026-2045.patch b/SOURCES/gimp-3.0.4-CVE-2026-2045.patch new file mode 100644 index 0000000..ee36a7c --- /dev/null +++ b/SOURCES/gimp-3.0.4-CVE-2026-2045.patch @@ -0,0 +1,35 @@ +From 68b27dfb1cbd9b3f22d7fa624dbab8647ee5f275 Mon Sep 17 00:00:00 2001 +From: Jacob Boerema +Date: Thu, 15 Jan 2026 10:12:07 -0500 +Subject: [PATCH] plug-ins: fix #15293 security issue ZDI-CAN-28265 + +Just like we did in commit 4eb106f2bff2d9b8e518aa455a884c6f38d70c6a +we need to make sure that the offset in the colormap is valid before +using it, before using it to compute the RGB values. +--- + plug-ins/common/file-xwd.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c +index 77d9ea5d9f3..a016c55cd8a 100644 +--- a/plug-ins/common/file-xwd.c ++++ b/plug-ins/common/file-xwd.c +@@ -1712,7 +1712,15 @@ load_xwd_f2_d16_b16 (GFile *file, + + for (j = 0; j < ncols; j++) + { +- cm = ColorMap + xwdcolmap[j].l_pixel * 3; ++ goffset offset = xwdcolmap[j].l_pixel * 3; ++ ++ if (offset+2 >= maxval) ++ { ++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, ++ _("Invalid colormap offset. Possibly corrupt image.")); ++ return NULL; ++ } ++ cm = ColorMap + offset; + *(cm++) = (xwdcolmap[j].l_red >> 8); + *(cm++) = (xwdcolmap[j].l_green >> 8); + *cm = (xwdcolmap[j].l_blue >> 8); +-- +GitLab diff --git a/SOURCES/gimp-3.0.4-CVE-2026-2047.patch b/SOURCES/gimp-3.0.4-CVE-2026-2047.patch new file mode 100644 index 0000000..d98fbff --- /dev/null +++ b/SOURCES/gimp-3.0.4-CVE-2026-2047.patch @@ -0,0 +1,161 @@ +From dd2faac351f1ff2588529fedc606e6a5f815577c Mon Sep 17 00:00:00 2001 +From: Alx Sa +Date: Sat, 17 Jan 2026 16:59:17 +0000 +Subject: [PATCH] plug-ins: Resolve ZDI-CAN-28530 for ICNS load + +Our ICNS importer did not verify that the ICNS resource +data size was defined as larger than 0. Therefore, it +was possible to create a malicious file that would infinitely +load since the file cursor would not advance. This patch +adds a check for the icon size being 0, and stops the loop +if this is encountered. + +Additionally, there is no header defined limit for the number of +icons in an ICNS file. This patch switches from using a hardcoded +256 icon limit to using GLists to dynamically add icons as we read +them in. +--- + plug-ins/file-icns/file-icns-load.c | 59 ++++++++++++++++++++--------- + 1 file changed, 42 insertions(+), 17 deletions(-) + +diff --git a/plug-ins/file-icns/file-icns-load.c b/plug-ins/file-icns/file-icns-load.c +index f2298c056e1..9b5b7fc7743 100644 +--- a/plug-ins/file-icns/file-icns-load.c ++++ b/plug-ins/file-icns/file-icns-load.c +@@ -40,7 +40,7 @@ + + IcnsResource * resource_load (FILE *file); + +-IcnsResource * resource_find (IcnsResource *list, ++IcnsResource * resource_find (GList *resources, + gchar *type, + gint max); + +@@ -118,14 +118,18 @@ resource_load (FILE *file) + } + + IcnsResource * +-resource_find (IcnsResource *list, ++resource_find (GList *resources, + gchar *type, + gint max) + { +- for (gint i = 0; i < max; i++) ++ GList *list; ++ ++ for (list = resources; list; list = g_list_next (list)) + { +- if (! strncmp (list[i].type, type, 4)) +- return &list[i]; ++ IcnsResource *res = list->data; ++ ++ if (! strncmp (res->type, type, 4)) ++ return res; + } + return NULL; + } +@@ -145,10 +149,14 @@ resource_get_next (IcnsResource *icns, + res->cursor = sizeof (IcnsResourceHeader); + res->data = &(icns->data[icns->cursor]); + ++ if (! res->size) ++ return FALSE; ++ + icns->cursor += res->size; + if (icns->cursor > icns->size) + { + gchar typestring[5]; ++ + fourcc_get_string (icns->type, typestring); + g_message ("icns resource_get_next: resource too big! type '%s', size %u\n", + typestring, icns->size); +@@ -162,18 +170,25 @@ GimpImage * + icns_load (IcnsResource *icns, + GFile *file) + { +- IcnsResource *resources; ++ GList *resources; ++ IcnsResource *resource; + guint nResources; + gfloat current_resources = 0; + GimpImage *image; + +- resources = g_new (IcnsResource, 256); ++ resources = NULL; ++ resource = g_new (IcnsResource, 1); + + /* Largest .icns icon is 1024 x 1024 */ + image = gimp_image_new (1024, 1024, GIMP_RGB); + + nResources = 0; +- while (resource_get_next (icns, &resources[nResources++])) {} ++ while (resource_get_next (icns, resource)) ++ { ++ resources = g_list_append (resources, resource); ++ ++ resource = g_new (IcnsResource, 1); ++ } + + for (gint i = 0; iconTypes[i].type; i++) + { +@@ -192,7 +207,8 @@ icns_load (IcnsResource *icns, + } + + gimp_image_resize_to_layers (image); +- g_free (resources); ++ g_list_free_full (resources, g_free); ++ g_free (resource); + return image; + } + +@@ -585,7 +601,8 @@ icns_load_thumbnail_image (GFile *file, + FILE *fp; + GimpImage *image = NULL; + IcnsResource *icns; +- IcnsResource *resources; ++ GList *resources; ++ IcnsResource *resource; + IcnsResource *mask = NULL; + guint i; + gint match = -1; +@@ -610,15 +627,22 @@ icns_load_thumbnail_image (GFile *file, + fclose (fp); + + if (! icns) +- { +- g_message ("Invalid or corrupt icns resource file."); +- return NULL; +- } ++ { ++ g_message ("Invalid or corrupt icns resource file."); ++ return NULL; ++ } + + image = gimp_image_new (1024, 1024, GIMP_RGB); + +- resources = g_new (IcnsResource, 256); +- while (resource_get_next (icns, &resources[nResources++])) {} ++ resources = NULL; ++ resource = g_new (IcnsResource, 1); ++ ++ while (resource_get_next (icns, resource)) ++ { ++ resources = g_list_append (resources, resource); ++ ++ resource = g_new (IcnsResource, 1); ++ } + + *width = 0; + *height = 0; +@@ -671,7 +695,8 @@ icns_load_thumbnail_image (GFile *file, + return NULL; + } + +- g_free (resources); ++ g_list_free_full (resources, g_free); ++ g_free (resource); + + gimp_progress_update (1.0); + +-- +GitLab diff --git a/SOURCES/gimp-3.0.4-CVE-2026-2048.patch b/SOURCES/gimp-3.0.4-CVE-2026-2048.patch new file mode 100644 index 0000000..9d6b9aa --- /dev/null +++ b/SOURCES/gimp-3.0.4-CVE-2026-2048.patch @@ -0,0 +1,86 @@ +From 57712677007793118388c5be6fb8231f22a2b341 Mon Sep 17 00:00:00 2001 +From: Alx Sa +Date: Wed, 31 Dec 2025 14:45:15 +0000 +Subject: [PATCH] plug-ins: Add OoB check for loading XWD + +Resolves #15554 +This patch adds a check for if our pointer arithmetic +exceeds the memory allocated for the dest array. If so, +we throw an error rather than access memory outside +the bounds. +--- + plug-ins/common/file-xwd.c | 31 ++++++++++++++++++++++++++++--- + 1 file changed, 28 insertions(+), 3 deletions(-) + +diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c +index c4c41e5bea7..77d9ea5d9f3 100644 +--- a/plug-ins/common/file-xwd.c ++++ b/plug-ins/common/file-xwd.c +@@ -2241,6 +2241,7 @@ load_xwd_f1_d24_b1 (GFile *file, + guint32 redmask, greenmask, bluemask; + guint redshift, greenshift, blueshift; + guint32 g; ++ guint32 maxval; + guchar redmap[256], greenmap[256], bluemap[256]; + guchar bit_reverse[256]; + guchar *xwddata, *xwdin, *data; +@@ -2332,7 +2333,8 @@ load_xwd_f1_d24_b1 (GFile *file, + &layer, &buffer); + + tile_height = gimp_tile_height (); +- data = g_malloc (tile_height * width * bytes_per_pixel); ++ data = g_malloc (tile_height * width * bytes_per_pixel); ++ maxval = tile_height * width * bytes_per_pixel; + + ncols = xwdhdr->l_colormap_entries; + if (xwdhdr->l_ncolors < ncols) +@@ -2357,6 +2359,8 @@ load_xwd_f1_d24_b1 (GFile *file, + + for (tile_start = 0; tile_start < height; tile_start += tile_height) + { ++ guint current_dest = 0; ++ + memset (data, 0, width*tile_height*bytes_per_pixel); + + tile_end = tile_start + tile_height - 1; +@@ -2384,7 +2388,18 @@ load_xwd_f1_d24_b1 (GFile *file, + else /* 3 bytes per pixel */ + { + fromright = xwdhdr->l_pixmap_depth-1-plane; +- dest += 2 - fromright/8; ++ ++ current_dest += 2 - fromright / 8; ++ if (current_dest < maxval) ++ { ++ dest += 2 - fromright / 8; ++ } ++ else ++ { ++ err = 1; ++ break; ++ } ++ + outmask = (1 << (fromright % 8)); + } + +@@ -2439,7 +2454,17 @@ load_xwd_f1_d24_b1 (GFile *file, + + if (g & inmask) + *dest |= outmask; +- dest += bytes_per_pixel; ++ ++ current_dest += bytes_per_pixel; ++ if (current_dest < maxval) ++ { ++ dest += bytes_per_pixel; ++ } ++ else ++ { ++ err = 1; ++ break; ++ } + + inmask >>= 1; + } +-- +GitLab diff --git a/SPECS/gimp.spec b/SPECS/gimp.spec index 0b1f025..621e083 100644 --- a/SPECS/gimp.spec +++ b/SPECS/gimp.spec @@ -67,7 +67,7 @@ Name: gimp Epoch: 2 Version: 3.0.4 %global rel 1 -Release: %{rel}%{?dist}.3 +Release: %{rel}%{?dist}.4 # https://bugzilla.redhat.com/show_bug.cgi?id=2318369 ExcludeArch: s390x @@ -260,6 +260,11 @@ Patch6: gimp-3.0.4-CVE-2025-14423.patch Patch7: gimp-3.0.4-CVE-2025-14424.patch Patch8: gimp-3.0.4-CVE-2025-14425.patch Patch9: gimp-3.0.4-CVE-2025-15059.patch +Patch10: gimp-3.0.4-CVE-2026-0797.patch +Patch11: gimp-3.0.4-CVE-2026-2044.patch +Patch12: gimp-3.0.4-CVE-2026-2045.patch +Patch13: gimp-3.0.4-CVE-2026-2047.patch +Patch14: gimp-3.0.4-CVE-2026-2048.patch # use external help browser directly if help browser plug-in is not built Patch100: gimp-3.0.2-external-help-browser.patch @@ -341,6 +346,11 @@ EOF %patch7 -p1 -b .CVE-2025-14424 %patch8 -p1 -b .CVE-2025-14425 %patch9 -p1 -b .CVE-2025-15059 +%patch10 -p1 -b .CVE-2026-0797 +%patch11 -p1 -b .CVE-2026-2044 +%patch12 -p1 -b .CVE-2026-2045 +%patch13 -p1 -b .CVE-2026-2047 +%patch14 -p1 -b .CVE-2026-2048 %patch100 -p1 -b .external-help-browser @@ -656,6 +666,13 @@ done %endif %changelog +* Mon Mar 09 2026 Josef Ridky - 2:3.0.4-1.4 +- fix CVE-2026-0797 +- fix CVE-2026-2044 +- fix CVE-2026-2045 +- fix CVE-2026-2047 +- fix CVE-2026-2048 + * Thu Feb 12 2026 Josef Ridky - 2:3.0.4-1.3 - fix CVE-2025-15059