rpms/gimp
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Import from CS git

Browse Source
This commit is contained in:
eabdullin 2025-06-17 10:24:43 +00:00
parent 13d6512d26
commit 9b89e2e572
4 changed files with 235 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

124
SOURCES/gimp-CVE-2025-48797.patch Normal file
View File

@ -0,0 +1,124 @@
diff -urNp a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
--- a/plug-ins/common/file-tga.c 2025-06-14 14:36:28.298535906 +0200
+++ b/plug-ins/common/file-tga.c 2025-06-14 14:50:52.545808264 +0200
@@ -555,7 +555,7 @@ load_image (const gchar *filename,
switch (info.imageType)
{
case TGA_TYPE_MAPPED:
- if (info.bpp != 8)
+ if (info.bpp != 8 || !info.colorMapLength)
{
g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)",
gimp_filename_to_utf8 (filename),
@@ -870,32 +870,46 @@ apply_colormap (guchar *dest,
guint width,
const guchar *cmap,
gboolean alpha,
- guint16 index)
+ guint16 colorMapIndex,
+ guint16 colorMapLength)
{
guint x;
+ gint errcnt = 0;
- if (alpha)
- {
- for (x = 0; x < width; x++)
- {
- *(dest++) = cmap[(*src - index) * 4];
- *(dest++) = cmap[(*src - index) * 4 + 1];
- *(dest++) = cmap[(*src - index) * 4 + 2];
- *(dest++) = cmap[(*src - index) * 4 + 3];
-
- src++;
- }
- }
- else
+ for (x = 0; x < width; x++)
{
- for (x = 0; x < width; x++)
- {
- *(dest++) = cmap[(*src - index) * 3];
- *(dest++) = cmap[(*src - index) * 3 + 1];
- *(dest++) = cmap[(*src - index) * 3 + 2];
+ guchar entryIndex = src[x] - colorMapIndex;
- src++;
- }
+ if (src[x] < colorMapIndex || entryIndex >= colorMapLength) {
+ /* On Windows the error console can run out of resources when
+ * producing a huge amount of messages. This can happen when using
+ * fuzzed test images. This causes unresponsiveness at first and
+ * finally crashes GIMP. Eventually this needs to be fixed at the
+ * source, but for now let's limit the error messages to 10
+ * per line (this function is called once per read_line). */
+ if (errcnt < 10)
+ {
+ g_message ("Unsupported colormap entry: %u",
+ src[x]);
+ }
+ else if (errcnt == 10)
+ {
+ g_message ("Too many colormap errors. Image may be corrupt.");
+ }
+ errcnt++;
+ entryIndex = 0;
+ }
+
+ if (alpha) {
+ *(dest++) = cmap[entryIndex * 4];
+ *(dest++) = cmap[entryIndex * 4 + 1];
+ *(dest++) = cmap[entryIndex * 4 + 2];
+ *(dest++) = cmap[entryIndex * 4 + 3];
+ } else {
+ *(dest++) = cmap[entryIndex * 3];
+ *(dest++) = cmap[entryIndex * 3 + 1];
+ *(dest++) = cmap[entryIndex * 3 + 2];
+ }
}
}
@@ -951,7 +965,7 @@ read_line (FILE *fp,
gboolean has_alpha = (info->alphaBits > 0);
apply_colormap (row, buffer, info->width, convert_cmap, has_alpha,
- info->colorMapIndex);
+ info->colorMapIndex, info->colorMapLength);
}
else if (info->imageType == TGA_TYPE_MAPPED)
{
@@ -961,7 +975,7 @@ read_line (FILE *fp,
}
else
{
- memcpy (row, buffer, info->width * drawable->bpp);
+ memcpy (row, buffer, info->width * info->bytes);
}
}
@@ -993,9 +1007,9 @@ ReadImage (FILE *fp,
cmap_bytes = (info->colorMapSize + 7 ) / 8;
tga_cmap = g_new (guchar, info->colorMapLength * cmap_bytes);
- if (info->colorMapSize > 24)
+ if (info->colorMapSize > 24 || info->alphaBits > 0)
{
- /* indexed + full alpha => promoted to RGBA */
+ /* indexed + full alpha, or alpha exists => promoted to RGBA */
itype = GIMP_RGB;
dtype = GIMP_RGBA_IMAGE;
convert_cmap = g_new (guchar, info->colorMapLength * 4);
@@ -1007,13 +1021,6 @@ ReadImage (FILE *fp,
dtype = GIMP_RGB_IMAGE;
convert_cmap = g_new (guchar, info->colorMapLength * 3);
}
- else if (info->alphaBits > 0)
- {
- /* if alpha exists here, promote to RGB */
- itype = GIMP_RGB;
- dtype = GIMP_RGBA_IMAGE;
- convert_cmap = g_new (guchar, info->colorMapLength * 4);
- }
else
{
itype = GIMP_INDEXED;

78
SOURCES/gimp-CVE-2025-48798.patch Normal file
View File

@ -0,0 +1,78 @@
diff -urNp a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
--- a/app/xcf/xcf-load.c 2025-06-14 14:52:18.545874780 +0200
+++ b/app/xcf/xcf-load.c 2025-06-14 14:59:52.471067194 +0200
@@ -97,7 +97,8 @@ static gboolean xcf_load_layer_pr
guint32 *group_layer_flags);
static gboolean xcf_load_channel_props (XcfInfo *info,
GimpImage *image,
- GimpChannel **channel);
+ GimpChannel **channel,
+ gboolean is_mask);
static gboolean xcf_load_prop (XcfInfo *info,
PropType *prop_type,
guint32 *prop_size);
@@ -987,7 +988,8 @@ xcf_load_layer_props (XcfInfo *info,
static gboolean
xcf_load_channel_props (XcfInfo *info,
GimpImage *image,
- GimpChannel **channel)
+ GimpChannel **channel,
+ gboolean is_mask)
{
PropType prop_type;
guint32 prop_size;
@@ -1010,6 +1012,36 @@ xcf_load_channel_props (XcfInfo *in
{
GimpChannel *mask;
+ if (is_mask)
+ {
+ /* PROP_SELECTION is not valid for masks, and we have to avoid
+ * overwriting the channel.
+ */
+ continue;
+ }
+
+ if (*channel == gimp_image_get_mask (image))
+ {
+ /* PROP_SELECTION was already seen once for this
+ * channel. Let's silently ignore the second identical
+ * property to avoid a double free.
+ */
+ continue;
+ }
+ else if (gimp_image_get_mask (image) != NULL &&
+ ! gimp_channel_is_empty (gimp_image_get_mask (image)))
+ {
+ /* This would happen when PROP_SELECTION was already set
+ * on a previous channel. This is a minor case of data
+ * loss (we don't know which selection was the right one
+ * and we drop the non-first ones), and also means it's
+ * a broken XCF, though it's not a major bug either. So
+ * let's go with a stderr print.
+ */
+ g_printerr ("PROP_SELECTION property was set on 2 channels (skipping)\n");
+ continue;
+ }
+
/* We're going to delete *channel, Don't leave its pointer
* in @info. See bug #767873.
*/
@@ -1317,7 +1349,7 @@ xcf_load_channel (XcfInfo *info,
return NULL;
/* read in the channel properties */
- if (!xcf_load_channel_props (info, image, &channel))
+ if (!xcf_load_channel_props (info, image, &channel, FALSE))
goto error;
xcf_progress_update (info);
@@ -1379,7 +1411,7 @@ xcf_load_layer_mask (XcfInfo *info,
/* read in the layer_mask properties */
channel = GIMP_CHANNEL (layer_mask);
- if (!xcf_load_channel_props (info, image, &channel))
+ if (!xcf_load_channel_props (info, image, &channel, TRUE))
goto error;
xcf_progress_update (info);

18
SOURCES/gimp-CVE-2025-5473.patch Normal file
View File

@ -0,0 +1,18 @@
diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
index 9a222998bc1..818cf23cd31 100644
--- a/plug-ins/file-ico/ico-load.c
+++ b/plug-ins/file-ico/ico-load.c
@@ -299,7 +299,11 @@ ico_read_png (FILE *fp,
png_read_info (png_ptr, info);
png_get_IHDR (png_ptr, info, &w, &h, &bit_depth, &color_type,
NULL, NULL, NULL);
- if (w*h*4 > maxsize)
+ /* Check for overflow */
+ if ((w * h * 4) < w ||
+ (w * h * 4) < h ||
+ (w * h * 4) < (w * h) ||
+ (w * h * 4) > maxsize)
{
png_destroy_read_struct (&png_ptr, &info, NULL);
return FALSE;
---

17
SPECS/gimp.spec
View File

@ -75,7 +75,7 @@ Summary: GNU Image Manipulation Program
Name: gimp Name: gimp
Epoch: 2 Epoch: 2
Version: 2.8.22 Version: 2.8.22
Release: %{?prerelprefix}26%{dotprerel}%{dotgitrev}%{?dist} Release: %{?prerelprefix}26%{dotprerel}%{dotgitrev}%{?dist}.2
# Compute some version related macros. # Compute some version related macros.
# Ugly, need to get quoting percent signs straight. # Ugly, need to get quoting percent signs straight.
@ -217,6 +217,9 @@ Patch12: gimp-buffer-overflow.patch
Patch14: gimp-CVE-2023-44442.patch Patch14: gimp-CVE-2023-44442.patch
Patch15: gimp-CVE-2023-44444.patch Patch15: gimp-CVE-2023-44444.patch
Patch16: gimp-2.8.22-fix-fclose-leak.patch Patch16: gimp-2.8.22-fix-fclose-leak.patch
Patch17: gimp-CVE-2025-48797.patch
Patch18: gimp-CVE-2025-48798.patch
Patch19: gimp-CVE-2025-5473.patch
# use external help browser directly if help browser plug-in is not built # use external help browser directly if help browser plug-in is not built
Patch100: gimp-2.8.6-external-help-browser.patch Patch100: gimp-2.8.6-external-help-browser.patch
@ -314,10 +317,13 @@ EOF
%patch10 -p1 -b .CVE-2022-30067 %patch10 -p1 -b .CVE-2022-30067
%patch11 -p1 -b .CVE-2022-32990 %patch11 -p1 -b .CVE-2022-32990
%patch12 -p1 -b .buffer-overflow %patch12 -p1 -b .buffer-overflow
#%patch13 -p1 -b .python-path #patch13 -p1 -b .python-path
%patch14 -p1 -b .CVE-2023-44442 %patch14 -p1 -b .CVE-2023-44442
%patch15 -p1 -b .CVE-2023-44444 %patch15 -p1 -b .CVE-2023-44444
%patch16 -p1 -b .fclose-leak %patch16 -p1 -b .fclose-leak
%patch17 -p1 -b .CVE-2025-48797
%patch18 -p1 -b .CVE-2025-48798
%patch19 -p1 -b .CVE-2025-5473
%if ! %{with helpbrowser} %if ! %{with helpbrowser}
%patch100 -p1 -b .external-help-browser %patch100 -p1 -b .external-help-browser
@ -657,6 +663,13 @@ make check
%endif %endif
%changelog %changelog
* Sat Jun 14 2025 Josef Ridky <jridky@redhat.com> - 2:2.8.22-26.2
- fix CVE-2025-5473 (RHEL-95696)
* Sat Jun 14 2025 Josef Ridky <jridky@redhat.com> - 2:2.8.22-26.1
- fix CVE-2025-48797 (RHEL-93503)
- fix CVE-2025-48798 (RHEL-93506)
* Fri Jan 10 2025 Josef Ridky <jridky@redhat.com> - 2:2.28.22-26 * Fri Jan 10 2025 Josef Ridky <jridky@redhat.com> - 2:2.28.22-26
- bump spec - bump spec