Import from CS git
parent
13d6512d26
commit
9b89e2e572
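--- a/SOURCES/gimp-CVE-2025-48797.patch
+++ b/SOURCES/gimp-CVE-2025-48797.patch
@@ -0,0 +1,124 @@
+diff -urNp a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
+--- a/plug-ins/common/file-tga.c 2025-06-14 14:36:28.298535906 +0200
++++ b/plug-ins/common/file-tga.c 2025-06-14 14:50:52.545808264 +0200
+@@ -555,7 +555,7 @@ load_image (const gchar *filename,
+switch (info.imageType)
+{
+case TGA_TYPE_MAPPED:
+- if (info.bpp != 8)
++ if (info.bpp != 8 || !info.colorMapLength)
+{
+g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)",
+gimp_filename_to_utf8 (filename),
+@@ -870,32 +870,46 @@ apply_colormap (guchar *dest,
+guint width,
+const guchar *cmap,
+gboolean alpha,
+- guint16 index)
++ guint16 colorMapIndex,
++ guint16 colorMapLength)
+{
+guint x;
++ gint errcnt = 0;
+
+- if (alpha)
+- {
+- for (x = 0; x < width; x++)
+- {
+- *(dest++) = cmap[(*src - index) * 4];
+- *(dest++) = cmap[(*src - index) * 4 + 1];
+- *(dest++) = cmap[(*src - index) * 4 + 2];
+- *(dest++) = cmap[(*src - index) * 4 + 3];
+-
+- src++;
+- }
+- }
+- else
++ for (x = 0; x < width; x++)
+{
+- for (x = 0; x < width; x++)
+- {
+- *(dest++) = cmap[(*src - index) * 3];
+- *(dest++) = cmap[(*src - index) * 3 + 1];
+- *(dest++) = cmap[(*src - index) * 3 + 2];
++ guchar entryIndex = src[x] - colorMapIndex;
+
+- src++;
+- }
++ if (src[x] < colorMapIndex || entryIndex >= colorMapLength) {
++ /* On Windows the error console can run out of resources when
++ * producing a huge amount of messages. This can happen when using
++ * fuzzed test images. This causes unresponsiveness at first and
++ * finally crashes GIMP. Eventually this needs to be fixed at the
++ * source, but for now let's limit the error messages to 10
++ * per line (this function is called once per read_line). */
++ if (errcnt < 10)
++ {
++ g_message ("Unsupported colormap entry: %u",
++ src[x]);
++ }
++ else if (errcnt == 10)
++ {
++ g_message ("Too many colormap errors. Image may be corrupt.");
++ }
++ errcnt++;
++ entryIndex = 0;
++ }
++
++ if (alpha) {
++ *(dest++) = cmap[entryIndex * 4];
++ *(dest++) = cmap[entryIndex * 4 + 1];
++ *(dest++) = cmap[entryIndex * 4 + 2];
++ *(dest++) = cmap[entryIndex * 4 + 3];
++ } else {
++ *(dest++) = cmap[entryIndex * 3];
++ *(dest++) = cmap[entryIndex * 3 + 1];
++ *(dest++) = cmap[entryIndex * 3 + 2];
++ }
+}
+}
+
+@@ -951,7 +965,7 @@ read_line (FILE *fp,
+gboolean has_alpha = (info->alphaBits > 0);
+
+apply_colormap (row, buffer, info->width, convert_cmap, has_alpha,
+- info->colorMapIndex);
++ info->colorMapIndex, info->colorMapLength);
+}
+else if (info->imageType == TGA_TYPE_MAPPED)
+{
+@@ -961,7 +975,7 @@ read_line (FILE *fp,
+}
+else
+{
+- memcpy (row, buffer, info->width * drawable->bpp);
++ memcpy (row, buffer, info->width * info->bytes);
+}
+}
+
+@@ -993,9 +1007,9 @@ ReadImage (FILE *fp,
+cmap_bytes = (info->colorMapSize + 7 ) / 8;
+tga_cmap = g_new (guchar, info->colorMapLength * cmap_bytes);
+
+- if (info->colorMapSize > 24)
++ if (info->colorMapSize > 24 || info->alphaBits > 0)
+{
+- /* indexed + full alpha => promoted to RGBA */
++ /* indexed + full alpha, or alpha exists => promoted to RGBA */
+itype = GIMP_RGB;
+dtype = GIMP_RGBA_IMAGE;
+convert_cmap = g_new (guchar, info->colorMapLength * 4);
+@@ -1007,13 +1021,6 @@ ReadImage (FILE *fp,
+dtype = GIMP_RGB_IMAGE;
+convert_cmap = g_new (guchar, info->colorMapLength * 3);
+}
+- else if (info->alphaBits > 0)
+- {
+- /* if alpha exists here, promote to RGB */
+- itype = GIMP_RGB;
+- dtype = GIMP_RGBA_IMAGE;
+- convert_cmap = g_new (guchar, info->colorMapLength * 4);
+- }
+else
+{
+itype = GIMP_INDEXED;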
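Review bot: The fallback `entryIndex = 0;` in apply_colormap is a valid read of `cmap` only when the colormap holds at least one entry, and that guarantee presumably comes from the `!info.colorMapLength` rejection added in load_image, far from this loop. A comment at the fallback such as `/* entry 0 exists: load_image rejects mapped images with colorMapLength == 0 */` would keep the two checks tied together for whoever next touches either one. Separately, `errcnt` is local to a single call, so the limit of 10 messages applies per row. A malformed file with many rows can therefore still flood the error console that the comment is trying to protect; a counter carried across rows for the whole load would bound the output per image.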
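--- a/SOURCES/gimp-CVE-2025-48798.patch
+++ b/SOURCES/gimp-CVE-2025-48798.patch
@@ -0,0 +1,78 @@
+diff -urNp a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
+--- a/app/xcf/xcf-load.c 2025-06-14 14:52:18.545874780 +0200
++++ b/app/xcf/xcf-load.c 2025-06-14 14:59:52.471067194 +0200
+@@ -97,7 +97,8 @@ static gboolean xcf_load_layer_pr
+guint32 *group_layer_flags);
+static gboolean xcf_load_channel_props (XcfInfo *info,
+GimpImage *image,
+- GimpChannel **channel);
++ GimpChannel **channel,
++ gboolean is_mask);
+static gboolean xcf_load_prop (XcfInfo *info,
+PropType *prop_type,
+guint32 *prop_size);
+@@ -987,7 +988,8 @@ xcf_load_layer_props (XcfInfo *info,
+static gboolean
+xcf_load_channel_props (XcfInfo *info,
+GimpImage *image,
+- GimpChannel **channel)
++ GimpChannel **channel,
++ gboolean is_mask)
+{
+PropType prop_type;
+guint32 prop_size;
+@@ -1010,6 +1012,36 @@ xcf_load_channel_props (XcfInfo *in
+{
+GimpChannel *mask;
+
++ if (is_mask)
++ {
++ /* PROP_SELECTION is not valid for masks, and we have to avoid
++ * overwriting the channel.
++ */
++ continue;
++ }
++
++ if (*channel == gimp_image_get_mask (image))
++ {
++ /* PROP_SELECTION was already seen once for this
++ * channel. Let's silently ignore the second identical
++ * property to avoid a double free.
++ */
++ continue;
++ }
++ else if (gimp_image_get_mask (image) != NULL &&
++ ! gimp_channel_is_empty (gimp_image_get_mask (image)))
++ {
++ /* This would happen when PROP_SELECTION was already set
++ * on a previous channel. This is a minor case of data
++ * loss (we don't know which selection was the right one
++ * and we drop the non-first ones), and also means it's
++ * a broken XCF, though it's not a major bug either. So
++ * let's go with a stderr print.
++ */
++ g_printerr ("PROP_SELECTION property was set on 2 channels (skipping)\n");
++ continue;
++ }
++
+/* We're going to delete *channel, Don't leave its pointer
+* in @info. See bug #767873.
+*/
+@@ -1317,7 +1349,7 @@ xcf_load_channel (XcfInfo *info,
+return NULL;
+
+/* read in the channel properties */
+- if (!xcf_load_channel_props (info, image, &channel))
++ if (!xcf_load_channel_props (info, image, &channel, FALSE))
+goto error;
+
+xcf_progress_update (info);
+@@ -1379,7 +1411,7 @@ xcf_load_layer_mask (XcfInfo *info,
+
+/* read in the layer_mask properties */
+channel = GIMP_CHANNEL (layer_mask);
+- if (!xcf_load_channel_props (info, image, &channel))
++ if (!xcf_load_channel_props (info, image, &channel, TRUE))
+goto error;
+
+xcf_progress_update (info);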
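Review bot: In xcf_load_channel_props the `is_mask` branch and the repeated-property branch drop a PROP_SELECTION with no diagnostic, while the third branch reports the broken file through `g_printerr`. A PROP_SELECTION on a layer mask is just as much a sign of a malformed XCF, so a matching message there, for example `g_printerr ("PROP_SELECTION property on a layer mask (skipping)\n");`, would make such files visible when triaging a crash report. The new block also calls `gimp_image_get_mask (image)` three times; reading it once into a local would make the three comparisons easier to follow. The case body continues past the end of the hunk, so whether anything else must happen before these early `continue` paths cannot be judged from here.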
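--- a/SOURCES/gimp-CVE-2025-5473.patch
+++ b/SOURCES/gimp-CVE-2025-5473.patch
@@ -0,0 +1,18 @@
+diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
+index 9a222998bc1..818cf23cd31 100644
+--- a/plug-ins/file-ico/ico-load.c
++++ b/plug-ins/file-ico/ico-load.c
+@@ -299,7 +299,11 @@ ico_read_png (FILE *fp,
+png_read_info (png_ptr, info);
+png_get_IHDR (png_ptr, info, &w, &h, &bit_depth, &color_type,
+NULL, NULL, NULL);
+- if (w*h*4 > maxsize)
++ /* Check for overflow */
++ if ((w * h * 4) < w ||
++ (w * h * 4) < h ||
++ (w * h * 4) < (w * h) ||
++ (w * h * 4) > maxsize)
+{
+png_destroy_read_struct (&png_ptr, &info, NULL);
+return FALSE;
+---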
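Review bot: The overflow test in ico_read_png compares the already-wrapped product `w * h * 4` against its own factors, which does not detect every wrap: a fixed-width product can wrap to a value that is still at least `w`, `h` and `w * h` and still not above `maxsize`. Bounding by division avoids computing the product at all, for example `if (w != 0 && h > (maxsize / 4) / w)` in place of the four comparisons. The declarations of `w`, `h` and `maxsize` are outside the hunk, so this assumes unsigned dimensions and a non-negative `maxsize`.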
@ -75,7 +75,7 @@ Summary: GNU Image Manipulation Program
|
||||
Name: gimp
|
||||
Epoch: 2
|
||||
Version: 2.8.22
|
||||
Release: %{?prerelprefix}26%{dotprerel}%{dotgitrev}%{?dist}
|
||||
Release: %{?prerelprefix}26%{dotprerel}%{dotgitrev}%{?dist}.2
|
||||
|
||||
# Compute some version related macros.
|
||||
# Ugly, need to get quoting percent signs straight.
|
||||
@ -217,6 +217,9 @@ Patch12: gimp-buffer-overflow.patch
|
||||
Patch14: gimp-CVE-2023-44442.patch
|
||||
Patch15: gimp-CVE-2023-44444.patch
|
||||
Patch16: gimp-2.8.22-fix-fclose-leak.patch
|
||||
Patch17: gimp-CVE-2025-48797.patch
|
||||
Patch18: gimp-CVE-2025-48798.patch
|
||||
Patch19: gimp-CVE-2025-5473.patch
|
||||
|
||||
# use external help browser directly if help browser plug-in is not built
|
||||
Patch100: gimp-2.8.6-external-help-browser.patch
|
||||
@ -314,10 +317,13 @@ EOF
|
||||
%patch10 -p1 -b .CVE-2022-30067
|
||||
%patch11 -p1 -b .CVE-2022-32990
|
||||
%patch12 -p1 -b .buffer-overflow
|
||||
#%patch13 -p1 -b .python-path
|
||||
#patch13 -p1 -b .python-path
|
||||
%patch14 -p1 -b .CVE-2023-44442
|
||||
%patch15 -p1 -b .CVE-2023-44444
|
||||
%patch16 -p1 -b .fclose-leak
|
||||
%patch17 -p1 -b .CVE-2025-48797
|
||||
%patch18 -p1 -b .CVE-2025-48798
|
||||
%patch19 -p1 -b .CVE-2025-5473
|
||||
|
||||
%if ! %{with helpbrowser}
|
||||
%patch100 -p1 -b .external-help-browser
|
||||
@ -657,6 +663,13 @@ make check
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Sat Jun 14 2025 Josef Ridky <jridky@redhat.com> - 2:2.8.22-26.2
|
||||
- fix CVE-2025-5473 (RHEL-95696)
|
||||
|
||||
* Sat Jun 14 2025 Josef Ridky <jridky@redhat.com> - 2:2.8.22-26.1
|
||||
- fix CVE-2025-48797 (RHEL-93503)
|
||||
- fix CVE-2025-48798 (RHEL-93506)
|
||||
|
||||
* Fri Jan 10 2025 Josef Ridky <jridky@redhat.com> - 2:2.28.22-26
|
||||
- bump spec
|
||||
|
||||
|