diff --git a/SOURCES/gimp-CVE-2025-48797.patch b/SOURCES/gimp-CVE-2025-48797.patch
new file mode 100644
index 0000000..6950c8b
--- /dev/null
+++ b/SOURCES/gimp-CVE-2025-48797.patch
@@ -0,0 +1,124 @@ +diff -urNp a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c +--- a/plug-ins/common/file-tga.c 2025-06-14 14:36:28.298535906 +0200 ++++ b/plug-ins/common/file-tga.c 2025-06-14 14:50:52.545808264 +0200 +@@ -555,7 +555,7 @@ load_image (const gchar *filename, + switch (info.imageType) + { + case TGA_TYPE_MAPPED: +- if (info.bpp != 8) ++ if (info.bpp != 8 || !info.colorMapLength) + { + g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)", + gimp_filename_to_utf8 (filename), +@@ -870,32 +870,46 @@ apply_colormap (guchar *dest, + guint width, + const guchar *cmap, + gboolean alpha, +- guint16 index) ++ guint16 colorMapIndex, ++ guint16 colorMapLength) + { + guint x; ++ gint errcnt = 0; + +- if (alpha) +- { +- for (x = 0; x < width; x++) +- { +- *(dest++) = cmap[(*src - index) * 4]; +- *(dest++) = cmap[(*src - index) * 4 + 1]; +- *(dest++) = cmap[(*src - index) * 4 + 2]; +- *(dest++) = cmap[(*src - index) * 4 + 3]; +- +- src++; +- } +- } +- else ++ for (x = 0; x < width; x++) + { +- for (x = 0; x < width; x++) +- { +- *(dest++) = cmap[(*src - index) * 3]; +- *(dest++) = cmap[(*src - index) * 3 + 1]; +- *(dest++) = cmap[(*src - index) * 3 + 2]; ++ guchar entryIndex = src[x] - colorMapIndex; + +- src++; +- } ++ if (src[x] < colorMapIndex || entryIndex >= colorMapLength) { ++ /* On Windows the error console can run out of resources when ++ * producing a huge amount of messages. This can happen when using ++ * fuzzed test images. This causes unresponsiveness at first and ++ * finally crashes GIMP. Eventually this needs to be fixed at the ++ * source, but for now let's limit the error messages to 10 ++ * per line (this function is called once per read_line). */ ++ if (errcnt < 10) ++ { ++ g_message ("Unsupported colormap entry: %u", ++ src[x]); ++ } ++ else if (errcnt == 10) ++ { ++ g_message ("Too many colormap errors. 
Image may be corrupt."); ++ } ++ errcnt++; ++ entryIndex = 0; ++ } ++ ++ if (alpha) { ++ *(dest++) = cmap[entryIndex * 4]; ++ *(dest++) = cmap[entryIndex * 4 + 1]; ++ *(dest++) = cmap[entryIndex * 4 + 2]; ++ *(dest++) = cmap[entryIndex * 4 + 3]; ++ } else { ++ *(dest++) = cmap[entryIndex * 3]; ++ *(dest++) = cmap[entryIndex * 3 + 1]; ++ *(dest++) = cmap[entryIndex * 3 + 2]; ++ } + } + } + +@@ -951,7 +965,7 @@ read_line (FILE *fp, + gboolean has_alpha = (info->alphaBits > 0); + + apply_colormap (row, buffer, info->width, convert_cmap, has_alpha, +- info->colorMapIndex); ++ info->colorMapIndex, info->colorMapLength); + } + else if (info->imageType == TGA_TYPE_MAPPED) + { +@@ -961,7 +975,7 @@ read_line (FILE *fp, + } + else + { +- memcpy (row, buffer, info->width * drawable->bpp); ++ memcpy (row, buffer, info->width * info->bytes); + } + } + +@@ -993,9 +1007,9 @@ ReadImage (FILE *fp, + cmap_bytes = (info->colorMapSize + 7 ) / 8; + tga_cmap = g_new (guchar, info->colorMapLength * cmap_bytes); + +- if (info->colorMapSize > 24) ++ if (info->colorMapSize > 24 || info->alphaBits > 0) + { +- /* indexed + full alpha => promoted to RGBA */ ++ /* indexed + full alpha, or alpha exists => promoted to RGBA */ + itype = GIMP_RGB; + dtype = GIMP_RGBA_IMAGE; + convert_cmap = g_new (guchar, info->colorMapLength * 4); +@@ -1007,13 +1021,6 @@ ReadImage (FILE *fp, + dtype = GIMP_RGB_IMAGE; + convert_cmap = g_new (guchar, info->colorMapLength * 3); + } +- else if (info->alphaBits > 0) +- { +- /* if alpha exists here, promote to RGB */ +- itype = GIMP_RGB; +- dtype = GIMP_RGBA_IMAGE; +- convert_cmap = g_new (guchar, info->colorMapLength * 4); +- } + else + { + itype = GIMP_INDEXED; diff --git a/SOURCES/gimp-CVE-2025-48798.patch b/SOURCES/gimp-CVE-2025-48798.patch new file mode 100644 index 0000000..2f42ab7 --- /dev/null +++ b/SOURCES/gimp-CVE-2025-48798.patch 
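Review bot: The `entryIndex = 0` fallback in `apply_colormap` reads `cmap[0..3]` and is only in bounds because the same patch makes `load_image` reject a `TGA_TYPE_MAPPED` image whose `colorMapLength` is zero; that precondition is not stated where it is relied upon. A comment above the loop, `/* Caller guarantees colorMapLength >= 1 (zero is rejected in load_image), so entry 0 is always a valid fallback */`, would keep a later edit of the load_image check from silently reopening the out-of-bounds read. Whether RLE-compressed mapped images reach the same `TGA_TYPE_MAPPED` case of that switch cannot be confirmed from this hunk and is worth verifying against the header-parsing code. The new `if (...) {` / `} else {` bracing also departs from the brace-on-its-own-line style of the surrounding file; matching it would keep the function consistent.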
@@ -0,0 +1,78 @@ +diff -urNp a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c +--- a/app/xcf/xcf-load.c 2025-06-14 14:52:18.545874780 +0200 ++++ b/app/xcf/xcf-load.c 2025-06-14 14:59:52.471067194 +0200 +@@ -97,7 +97,8 @@ static gboolean xcf_load_layer_pr + guint32 *group_layer_flags); + static gboolean xcf_load_channel_props (XcfInfo *info, + GimpImage *image, +- GimpChannel **channel); ++ GimpChannel **channel, ++ gboolean is_mask); + static gboolean xcf_load_prop (XcfInfo *info, + PropType *prop_type, + guint32 *prop_size); +@@ -987,7 +988,8 @@ xcf_load_layer_props (XcfInfo *info, + static gboolean + xcf_load_channel_props (XcfInfo *info, + GimpImage *image, +- GimpChannel **channel) ++ GimpChannel **channel, ++ gboolean is_mask) + { + PropType prop_type; + guint32 prop_size; +@@ -1010,6 +1012,36 @@ xcf_load_channel_props (XcfInfo *in + { + GimpChannel *mask; + ++ if (is_mask) ++ { ++ /* PROP_SELECTION is not valid for masks, and we have to avoid ++ * overwriting the channel. ++ */ ++ continue; ++ } ++ ++ if (*channel == gimp_image_get_mask (image)) ++ { ++ /* PROP_SELECTION was already seen once for this ++ * channel. Let's silently ignore the second identical ++ * property to avoid a double free. ++ */ ++ continue; ++ } ++ else if (gimp_image_get_mask (image) != NULL && ++ ! gimp_channel_is_empty (gimp_image_get_mask (image))) ++ { ++ /* This would happen when PROP_SELECTION was already set ++ * on a previous channel. This is a minor case of data ++ * loss (we don't know which selection was the right one ++ * and we drop the non-first ones), and also means it's ++ * a broken XCF, though it's not a major bug either. So ++ * let's go with a stderr print. ++ */ ++ g_printerr ("PROP_SELECTION property was set on 2 channels (skipping)\n"); ++ continue; ++ } ++ + /* We're going to delete *channel, Don't leave its pointer + * in @info. See bug #767873. 
+ */ +@@ -1317,7 +1349,7 @@ xcf_load_channel (XcfInfo *info, + return NULL; + + /* read in the channel properties */ +- if (!xcf_load_channel_props (info, image, &channel)) ++ if (!xcf_load_channel_props (info, image, &channel, FALSE)) + goto error; + + xcf_progress_update (info); +@@ -1379,7 +1411,7 @@ xcf_load_layer_mask (XcfInfo *info, + + /* read in the layer_mask properties */ + channel = GIMP_CHANNEL (layer_mask); +- if (!xcf_load_channel_props (info, image, &channel)) ++ if (!xcf_load_channel_props (info, image, &channel, TRUE)) + goto error; + + xcf_progress_update (info); diff --git a/SOURCES/gimp-CVE-2025-5473.patch b/SOURCES/gimp-CVE-2025-5473.patch new file mode 100644 index 0000000..d33f906 --- /dev/null +++ b/SOURCES/gimp-CVE-2025-5473.patch @@ -0,0 +1,18 @@ +diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c +index 9a222998bc1..818cf23cd31 100644 +--- a/plug-ins/file-ico/ico-load.c ++++ b/plug-ins/file-ico/ico-load.c +@@ -299,7 +299,11 @@ ico_read_png (FILE *fp, + png_read_info (png_ptr, info); + png_get_IHDR (png_ptr, info, &w, &h, &bit_depth, &color_type, + NULL, NULL, NULL); +- if (w*h*4 > maxsize) ++ /* Check for overflow */ ++ if ((w * h * 4) < w || ++ (w * h * 4) < h || ++ (w * h * 4) < (w * h) || ++ (w * h * 4) > maxsize) + { + png_destroy_read_struct (&png_ptr, &info, NULL); + return FALSE; +--- diff --git a/SPECS/gimp.spec b/SPECS/gimp.spec index 55e67b4..9201ce1 100644 --- a/SPECS/gimp.spec +++ b/SPECS/gimp.spec @@ -75,7 +75,7 @@ Summary: GNU Image Manipulation Program Name: gimp Epoch: 2 Version: 2.8.22 -Release: %{?prerelprefix}26%{dotprerel}%{dotgitrev}%{?dist} +Release: %{?prerelprefix}26%{dotprerel}%{dotgitrev}%{?dist}.2 # Compute some version related macros. # Ugly, need to get quoting percent signs straight. 
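Review bot: The new `is_mask` branch in `xcf_load_channel_props` drops a PROP_SELECTION on a layer mask silently, while the third branch logs the analogous malformed-file case with `g_printerr`; a PROP_SELECTION attached to a mask is just as much a sign of a corrupt or crafted XCF, and the inconsistency hides it from anyone triaging such files. Adding `g_printerr ("PROP_SELECTION property was set on a layer mask (skipping)\n");` before the `continue;` keeps the three skip paths symmetrical. The `gimp_channel_is_empty` test in the third branch deliberately lets a later channel replace an earlier empty selection, which the comment should say explicitly since it is the one case where a duplicate property is still applied. The body of xcf_load_channel_props continues outside the hunk, so the handling after the skips (the deletion of `*channel` the existing comment refers to) is not visible here.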
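Review bot: The overflow test added in `ico_read_png` compares the wrapped product `w * h * 4` against `w`, `h` and `w * h`, but a 32-bit product that has wrapped can still exceed all three, so those comparisons do not establish that the multiplication stayed in range; only the final `> maxsize` bound then protects the buffer. Dividing instead of multiplying is exact: `if (maxsize < 0 || (h != 0 && w > G_MAXUINT32 / 4 / h) ||` / `    (w * h * 4) > (guint32) maxsize)`, assuming `w`/`h` are the `png_uint_32` values that `png_get_IHDR` fills and `maxsize` is a signed `gint`. The explicit `maxsize < 0` guard also removes the signed/unsigned comparison, in which a negative `maxsize` would otherwise convert to a large unsigned value and let every image through. The rest of ico_read_png, including how `w` and `h` size the row reads into `buf`, lies outside the hunk.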
@@ -217,6 +217,9 @@ Patch12: gimp-buffer-overflow.patch Patch14: gimp-CVE-2023-44442.patch Patch15: gimp-CVE-2023-44444.patch Patch16: gimp-2.8.22-fix-fclose-leak.patch +Patch17: gimp-CVE-2025-48797.patch +Patch18: gimp-CVE-2025-48798.patch +Patch19: gimp-CVE-2025-5473.patch # use external help browser directly if help browser plug-in is not built Patch100: gimp-2.8.6-external-help-browser.patch @@ -314,10 +317,13 @@ EOF %patch10 -p1 -b .CVE-2022-30067 %patch11 -p1 -b .CVE-2022-32990 %patch12 -p1 -b .buffer-overflow -#%patch13 -p1 -b .python-path +#patch13 -p1 -b .python-path %patch14 -p1 -b .CVE-2023-44442 %patch15 -p1 -b .CVE-2023-44444 %patch16 -p1 -b .fclose-leak +%patch17 -p1 -b .CVE-2025-48797 +%patch18 -p1 -b .CVE-2025-48798 +%patch19 -p1 -b .CVE-2025-5473 %if ! %{with helpbrowser} %patch100 -p1 -b .external-help-browser @@ -657,6 +663,13 @@ make check %endif %changelog +* Sat Jun 14 2025 Josef Ridky - 2:2.8.22-26.2 +- fix CVE-2025-5473 (RHEL-95696) + +* Sat Jun 14 2025 Josef Ridky - 2:2.8.22-26.1 +- fix CVE-2025-48797 (RHEL-93503) +- fix CVE-2025-48798 (RHEL-93506) + * Fri Jan 10 2025 Josef Ridky - 2:2.28.22-26 - bump spec