From e4f36a6f53d911a6ec8f5a9ee87d674aedaa1b5c Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Wed, 24 Jun 2026 00:32:16 -0400
Subject: [PATCH] import Oracle_OSS gimp-3.0.4-4.el9_8.4
---
SOURCES/gimp-CVE-2026-4150.patch | 196 +++++++++++++++++++++++++++++++
SOURCES/gimp-CVE-2026-4151.patch | 59 ++++++++++
SOURCES/gimp-CVE-2026-4152.patch | 55 +++++++++
SOURCES/gimp-CVE-2026-4153.patch | 62 ++++++++++
SOURCES/gimp-CVE-2026-4154.patch | 90 ++++++++++++++
SOURCES/gimp-CVE-2026-4887.patch | 128 ++++++++++++++++++++
SPECS/gimp.spec | 32 ++++-
7 files changed, 618 insertions(+), 4 deletions(-)
create mode 100644 SOURCES/gimp-CVE-2026-4150.patch
create mode 100644 SOURCES/gimp-CVE-2026-4151.patch
create mode 100644 SOURCES/gimp-CVE-2026-4152.patch
create mode 100644 SOURCES/gimp-CVE-2026-4153.patch
create mode 100644 SOURCES/gimp-CVE-2026-4154.patch
create mode 100644 SOURCES/gimp-CVE-2026-4887.patch
diff --git a/SOURCES/gimp-CVE-2026-4150.patch b/SOURCES/gimp-CVE-2026-4150.patch
new file mode 100644
index 0000000..34eb599
--- /dev/null
+++ b/SOURCES/gimp-CVE-2026-4150.patch
@@ -0,0 +1,196 @@ +From 00afdabdadeb5457fd897878b1e5aebc3780af10 Mon Sep 17 00:00:00 2001 +From: Jacob Boerema +Date: Fri, 6 Mar 2026 10:01:09 -0500 +Subject: [PATCH] plug-ins: fix #15967 integer overflow in psd-load + +Reported as ZDI-CAN-28807 +With large row and column sizes 32-bit int values are not large +enough to hold the product and thus can cause overflow. + +While we are at it, we not only fix the location from the report, but +also other occurrences that could overflow. +- We change certain variables to gsize to make sure they can hold a +64-bit value. +- Other intermediate results are promoted to (gsize) to make sure that +the product is computed as gsize. +- Move some i,j variables to the loops where they are used. + +(cherry picked from commit 7e1241f75147bf6e705a31c81e4d5efab1df1668) +--- + plug-ins/file-psd/psd-load.c | 44 ++++++++++++++++-------------------- + 1 file changed, 20 insertions(+), 24 deletions(-) + +diff --git a/plug-ins/file-psd/psd-load.c b/plug-ins/file-psd/psd-load.c +index 0ec888c2ec9..676f3da9b41 100644 +--- a/plug-ins/file-psd/psd-load.c ++++ b/plug-ins/file-psd/psd-load.c +@@ -2813,14 +2813,13 @@ add_merged_image (GimpImage *image, + guint16 bps; + guint32 *rle_pack_len[MAX_CHANNELS]; + guint32 alpha_id; +- gint32 layer_size; ++ gsize layer_size; + GimpLayer *layer = NULL; + GimpChannel *channel = NULL; + gint16 alpha_opacity; + gint cidx; /* Channel index */ + gint rowi; /* Row index */ + gint offset; +- gint i; + gboolean alpha_visible; + gboolean alpha_channel = FALSE; + GeglBuffer *buffer; +@@ -2975,11 +2974,11 @@ add_merged_image (GimpImage *image, + image_type = get_gimp_image_type (img_a->base_type, + img_a->transparency || alpha_channel); + +- layer_size = img_a->columns * img_a->rows; ++ layer_size = (gsize) img_a->columns * img_a->rows; + pixels = g_malloc (layer_size * base_channels * bps); + for (cidx = 0; cidx < base_channels; ++cidx) + { +- for (i = 0; i < layer_size; ++i) ++ for (gint64 i = 0; i < layer_size; 
++i) + { + memcpy (&pixels[((i * base_channels) + cidx) * bps], + &chn_a[cidx].data[i * bps], bps); +@@ -3051,7 +3050,7 @@ add_merged_image (GimpImage *image, + { + gfloat *data = iter->items[0].data; + +- for (i = 0; i < iter->length; i++) ++ for (gint i = 0; i < iter->length; i++) + { + gint c; + +@@ -3103,7 +3102,7 @@ add_merged_image (GimpImage *image, + + /* Draw channels */ + IFDBG(2) g_debug ("Number of channels: %d", extra_channels); +- for (i = 0; i < extra_channels; ++i) ++ for (gint i = 0; i < extra_channels; ++i) + { + /* Alpha channel name */ + alpha_name = NULL; +@@ -3144,8 +3143,8 @@ add_merged_image (GimpImage *image, + } + + cidx = base_channels + i; +- pixels = g_realloc (pixels, chn_a[cidx].columns * chn_a[cidx].rows * bps); +- memcpy (pixels, chn_a[cidx].data, chn_a[cidx].columns * chn_a[cidx].rows * bps); ++ pixels = g_realloc (pixels, (gsize) chn_a[cidx].columns * chn_a[cidx].rows * bps); ++ memcpy (pixels, chn_a[cidx].data, (gsize) chn_a[cidx].columns * chn_a[cidx].rows * bps); + channel = gimp_channel_new (image, alpha_name, + chn_a[cidx].columns, chn_a[cidx].rows, + alpha_opacity, alpha_rgb); +@@ -3332,7 +3331,6 @@ read_channel_data (PSDchannel *channel, + gchar *raw_data = NULL; + gchar *src; + guint32 readline_len; +- gint i, j; + + if (bps == 1) + readline_len = ((channel->columns + 7) / 8); +@@ -3364,7 +3362,7 @@ read_channel_data (PSDchannel *channel, + break; + + case PSD_COMP_RLE: +- for (i = 0; i < channel->rows; ++i) ++ for (gint i = 0; i < channel->rows; ++i) + { + src = gegl_scratch_alloc (rle_pack_len[i]); + /* FIXME check for over-run +@@ -3433,12 +3431,11 @@ read_channel_data (PSDchannel *channel, + case 32: + { + guint32 *data; +- guint64 pos; + + if (compression == PSD_COMP_ZIP_PRED) + { + IFDBG(3) g_debug ("Converting 32 bit predictor data"); +- channel->data = (gchar *) g_malloc0 (channel->rows * channel->columns * 4); ++ channel->data = (gchar *) g_malloc0 ((gsize) channel->rows * channel->columns * 4); + 
decode_32_bit_predictor (raw_data, channel->data, + channel->rows, channel->columns); + } +@@ -3450,7 +3447,7 @@ read_channel_data (PSDchannel *channel, + } + + data = (guint32*) channel->data; +- for (pos = 0; pos < channel->rows * channel->columns; ++pos) ++ for (gsize pos = 0; pos < (gsize) channel->rows * channel->columns; ++pos) + data[pos] = GUINT32_FROM_BE (data[pos]); + + break; +@@ -3463,14 +3460,14 @@ read_channel_data (PSDchannel *channel, + channel->data = raw_data; + raw_data = NULL; + +- for (i = 0; i < channel->rows * channel->columns; ++i) ++ for (gsize i = 0; i < (gsize) channel->rows * channel->columns; ++i) + data[i] = GUINT16_FROM_BE (data[i]); + + if (compression == PSD_COMP_ZIP_PRED) + { + IFDBG(3) g_debug ("Converting 16 bit predictor data"); +- for (i = 0; i < channel->rows; ++i) +- for (j = 1; j < channel->columns; ++j) ++ for (gsize i = 0; i < channel->rows; ++i) ++ for (gsize j = 1; j < channel->columns; ++j) + data[i * channel->columns + j] += data[i * channel->columns + j - 1]; + } + break; +@@ -3483,14 +3480,14 @@ read_channel_data (PSDchannel *channel, + if (compression == PSD_COMP_ZIP_PRED) + { + IFDBG(3) g_debug ("Converting 8 bit predictor data"); +- for (i = 0; i < channel->rows; ++i) +- for (j = 1; j < channel->columns; ++j) ++ for (gsize i = 0; i < channel->rows; ++i) ++ for (gsize j = 1; j < channel->columns; ++j) + channel->data[i * channel->columns + j] += channel->data[i * channel->columns + j - 1]; + } + break; + + case 1: +- channel->data = (gchar *) g_malloc (channel->rows * channel->columns); ++ channel->data = (gchar *) g_malloc ((gsize) channel->rows * channel->columns); + convert_1_bit (raw_data, channel->data, channel->rows, channel->columns); + break; + +@@ -3540,7 +3537,7 @@ decode_32_bit_predictor (gchar *src, + + /* restore byte order */ + dstpos = 0; +- for (row = 0; row < rows * rowsize; row += rowsize) ++ for (row = 0; row < (gsize) rows * rowsize; row += rowsize) + { + guint64 offset; + +@@ -3567,18 +3564,17 
@@ convert_1_bit (const gchar *src, + Rows are padded out to a byte boundary. + */ + guint32 row_pos = 0; +- gint i, j; + + IFDBG(3) g_debug ("Start 1 bit conversion"); + +- for (i = 0; i < rows * ((columns + 7) / 8); ++i) ++ for (gsize i = 0; i < (gsize) rows * ((columns + 7) / 8); ++i) + { + guchar mask = 0x80; +- for (j = 0; j < 8 && row_pos < columns; ++j) ++ for (gint j = 0; j < 8 && row_pos < columns; ++j) + { + *dst = (*src & mask) ? 0 : 1; + IFDBG(4) g_debug ("byte %d, bit %d, offset %d, src %d, dst %d", +- i , j, row_pos, *src, *dst); ++ (gint) i , j, row_pos, *src, *dst); + dst++; + mask >>= 1; + row_pos++; +-- +GitLab + + diff --git a/SOURCES/gimp-CVE-2026-4151.patch b/SOURCES/gimp-CVE-2026-4151.patch new file mode 100644 index 0000000..2196b40 --- /dev/null +++ b/SOURCES/gimp-CVE-2026-4151.patch 
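Review bot: The `(gsize)` casts added in `add_merged_image` and `read_channel_data` widen the products only where `gsize` is 64 bits, so on a 32-bit build `layer_size * base_channels * bps` and `(gsize) channel->rows * channel->columns * 4` can still wrap before the allocation. Passing the factors separately to an overflow-checked allocator, for example `channel->data = g_malloc0_n (channel->rows, (gsize) channel->columns * 4);`, or testing the product with `g_size_checked_mul ()`, makes the guard independent of word size. The loop `for (gint64 i = 0; i < layer_size; ++i)` compares a signed index with the now unsigned `layer_size`; declaring `i` as `gsize`, as the other rewritten loops do, avoids the mixed comparison. The `PSD_COMP_RLE` branch still carries `FIXME check for over-run` in its context lines, so that path is not covered by this change. All touched functions begin and end outside the hunks shown.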
@@ -0,0 +1,59 @@ +From 09e5459de913172fc51da3bd6b6adc533acd368e Mon Sep 17 00:00:00 2001 +From: Alx Sa +Date: Thu, 5 Mar 2026 23:58:45 +0000 +Subject: [PATCH] plug-ins: Resolve ZDI-CAN-28813 in ANI loading + +Resolves #15968 +It is possible to cause a buffer overflow in our ANI +loading code by setting the Name or Artist metadata +files to 0xFFFFFFFF. This patch changes our allocation +code to use g_try_new0 () instead of g_new0 (), and +verifies if it is NULL before trying to read data into it. +--- + plug-ins/file-ico/ico-load.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c +index 29ad4c5eb59..e20d79a713f 100644 +--- a/plug-ins/file-ico/ico-load.c ++++ b/plug-ins/file-ico/ico-load.c +@@ -893,7 +893,16 @@ ani_load_image (GFile *file, + if (inam) + g_free (inam); + +- inam = g_new0 (gchar, size + 1); ++ inam = g_try_new0 (gchar, size + 1); ++ if (inam == NULL) ++ { ++ fclose (fp); ++ g_set_error (error, G_FILE_ERROR, ++ g_file_error_from_errno (errno), ++ _("Invalid ANI metadata")); ++ return NULL; ++ } ++ + n_read = fread (inam, sizeof (gchar), size, fp); + inam[size] = '\0'; + } +@@ -924,7 +933,16 @@ ani_load_image (GFile *file, + if (iart) + g_free (iart); + +- iart = g_new0 (gchar, size + 1); ++ iart = g_try_new0 (gchar, size + 1); ++ if (iart == NULL) ++ { ++ fclose (fp); ++ g_set_error (error, G_FILE_ERROR, ++ g_file_error_from_errno (errno), ++ _("Invalid ANI metadata")); ++ return NULL; ++ } ++ + n_read = fread (iart, sizeof (gchar), size, fp); + iart[size] = '\0'; + } +-- +GitLab + + diff --git a/SOURCES/gimp-CVE-2026-4152.patch b/SOURCES/gimp-CVE-2026-4152.patch new file mode 100644 index 0000000..82f7bc0 --- /dev/null +++ b/SOURCES/gimp-CVE-2026-4152.patch 
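Review bot: Both new `g_try_new0 (gchar, size + 1)` calls in `ani_load_image` still take `size` straight from the file, so the fix relies on the allocation failing rather than on the length being validated. If `size` is a 32-bit unsigned value (its declaration is outside the hunk), `size + 1` wraps to 0 for the 0xFFFFFFFF case named in the description and the NULL comes from the zero-byte request, while a slightly smaller length still asks for a multi-gigabyte zeroed buffer. Comparing `size` with the bytes remaining in the chunk or file before allocating would reject such metadata up front. In the error path `g_file_error_from_errno (errno)` reads an `errno` the allocator is not guaranteed to have set, so a fixed code is more predictable: `g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, _("Invalid ANI metadata"));`. The early `return NULL` in the second hunk also appears to skip freeing an `inam` allocated earlier, though the function's cleanup is not visible here.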
@@ -0,0 +1,55 @@ +From f64c9c23ba3c37dc7b875a9fb477c23953b4666e Mon Sep 17 00:00:00 2001 +From: Alx Sa +Date: Thu, 12 Mar 2026 13:48:45 +0000 +Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28863 + +Resolves #15969 + +It is possible to set the number of color components +in the JPEG 2000 file separate from the color space, +and OpenJPEG reports that value as-is. This can result +in a buffer overflow if the num_components variable is +larger than the number of channels in the color space. + +This patch adds a check to make sure num_components +is within range. If it's larger, then we clamp it to the maximum +value for that color model. +--- + plug-ins/common/file-jp2-load.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/plug-ins/common/file-jp2-load.c b/plug-ins/common/file-jp2-load.c +index cb420f9cb37..5c99a093d49 100644 +--- a/plug-ins/common/file-jp2-load.c ++++ b/plug-ins/common/file-jp2-load.c +@@ -1563,16 +1563,22 @@ load_image (GimpProcedure *procedure, + base_type = GIMP_GRAY; + image_type = GIMP_GRAY_IMAGE; + +- if (num_components == 2) +- image_type = GIMP_GRAYA_IMAGE; ++ if (num_components >= 2) ++ { ++ image_type = GIMP_GRAYA_IMAGE; ++ num_components = 2; ++ } + } + else if (image->color_space == OPJ_CLRSPC_SRGB) + { + base_type = GIMP_RGB; + image_type = GIMP_RGB_IMAGE; + +- if (num_components == 4) +- image_type = GIMP_RGBA_IMAGE; ++ if (num_components >= 4) ++ { ++ image_type = GIMP_RGBA_IMAGE; ++ num_components = 4; ++ } + } + else + { +-- +GitLab + + diff --git a/SOURCES/gimp-CVE-2026-4153.patch b/SOURCES/gimp-CVE-2026-4153.patch new file mode 100644 index 0000000..f710fc1 --- /dev/null +++ b/SOURCES/gimp-CVE-2026-4153.patch 
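Review bot: The clamp in `load_image` handles only the upper bound of the two branches shown. A gray stream with three or more components is now silently loaded as `GIMP_GRAYA_IMAGE`, and an sRGB stream declaring fewer than three components still proceeds as `GIMP_RGB_IMAGE` with a `num_components` that does not match the pixel layout. Whether that lower-bound mismatch is harmful depends on the decode loop, which is outside the hunk, as is the trailing `else` branch for other colour spaces; both should be confirmed to bound `num_components` too. Since the extra components are dropped without notice, a comment such as `/* Components beyond the colour model are ignored so writes stay inside the pixel buffer */` plus a `g_message ()` when clamping happens would make the behaviour visible to maintainers and users.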
@@ -0,0 +1,62 @@ +From 98cb1371fd4e22cca75017ea3252dc32fc218712 Mon Sep 17 00:00:00 2001 +From: Jacob Boerema +Date: Sat, 7 Mar 2026 15:55:04 -0500 +Subject: [PATCH] plug-ins: fix #15970 buffer overflow in file-psp + +Reported as ZDI-CAN-28874. + +For psp images with bit depth 1 or 4 bits and small widths, it was +possible to overflow the buffer because these bit depths are stored +in multiples of 4 bytes per line. +Because these formats are converted to regular RGB, this means that for +small widths, more bytes are needed than expected when we are upscaling +to 8-bit. + +To fix this, we compute the line size when depth < 8, and adjust +line width if that value is larger. +--- + plug-ins/common/file-psp.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c +index 286cbed2bb7..763dd994fcd 100644 +--- a/plug-ins/common/file-psp.c ++++ b/plug-ins/common/file-psp.c +@@ -2127,7 +2127,23 @@ read_layer_block (FILE *f, + + if (can_handle_layer) + { +- pixel = g_malloc0 (height * width * bytespp); ++ gint line_width = width * bytespp; ++ ++ if (ia->depth < 8) ++ { ++ gint min_line_width = (((width * ia->depth + 7) / 8) + (ia->depth - 1)) / 4 * 4; ++ ++ /* For small widths, when depth is 1, or 4, the number of bytes ++ * used can be larger than the width * bytespp. Adjust for that. */ ++ if (min_line_width > line_width) ++ { ++ IFDBG(3) g_message ("Adjusting line width from %d to %d\n", ++ line_width, min_line_width); ++ line_width = min_line_width; ++ } ++ } ++ ++ pixel = g_malloc0 (height * line_width); + if (null_layer) + { + pixels = NULL; +@@ -2136,7 +2152,7 @@ read_layer_block (FILE *f, + { + pixels = g_new (guchar *, height); + for (i = 0; i < height; i++) +- pixels[i] = pixel + width * bytespp * i; ++ pixels[i] = pixel + line_width * i; + } + + buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer)); +-- +GitLab + + 
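Review bot: In `read_layer_block` the padding term of `min_line_width` is `(ia->depth - 1)`, which rounds up to a multiple of 4 only when the depth is 4. For depth 1 it adds 0 and `/ 4 * 4` truncates downward, so a narrow 1-bit layer gets `min_line_width == 0` and keeps the unpadded `line_width`. If the reader pads every row to a 4-byte boundary as the description states (the read code is outside the hunk), the expression should be `((width * ia->depth + 7) / 8 + 3) / 4 * 4`, ideally computed by one helper shared with the reader so the two cannot diverge. Separately, `g_malloc0 (height * line_width)` and `pixel + line_width * i` multiply in the `gint` type of `line_width`. Using `pixel = g_malloc0_n (height, line_width);` and `pixels[i] = pixel + (gsize) line_width * i;` keeps large dimensions from wrapping before the allocation.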
diff --git a/SOURCES/gimp-CVE-2026-4154.patch b/SOURCES/gimp-CVE-2026-4154.patch
new file mode 100644
index 0000000..024b368
--- /dev/null
+++ b/SOURCES/gimp-CVE-2026-4154.patch
@@ -0,0 +1,90 @@ +From 2e7ed91793792d9e980b2df4c829e9aa60459253 Mon Sep 17 00:00:00 2001 +From: Alx Sa +Date: Fri, 6 Mar 2026 13:54:44 +0000 +Subject: [PATCH] plug-in: Resolve ZDI-CAN-28901 for file-xpm + +Resolves #15971 +It was possible to set a XPM image to have a width and/or height +that is larger than what GIMP can create an image for. In addition to +causing gimp_image_new () to fail, it can also lead to buffer overflow +when allocating space to read in the image. + +This patch adds a GError parameter to parse_image (), then uses it to +pass up an error for either oversized images or buffer overflows. +--- + plug-ins/common/file-xpm.c | 32 ++++++++++++++++++++++++++++---- + 1 file changed, 28 insertions(+), 4 deletions(-) + +diff --git a/plug-ins/common/file-xpm.c b/plug-ins/common/file-xpm.c +index ba02961f1c0..71a0b19e8d3 100644 +--- a/plug-ins/common/file-xpm.c ++++ b/plug-ins/common/file-xpm.c +@@ -125,7 +125,8 @@ static GimpImage * load_image (GFile *file, + static guchar * parse_colors (XpmImage *xpm_image); + static void parse_image (GimpImage *image, + XpmImage *xpm_image, +- guchar *cmap); ++ guchar *cmap, ++ GError **error); + static gboolean export_image (GFile *file, + GimpImage *image, + GimpDrawable *drawable, +@@ -385,12 +386,28 @@ load_image (GFile *file, + + cmap = parse_colors (&xpm_image); + ++ if (xpm_image.width > GIMP_MAX_IMAGE_SIZE) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("Unsupported or invalid image width: %d"), ++ xpm_image.width); ++ return NULL; ++ } ++ ++ if (xpm_image.height > GIMP_MAX_IMAGE_SIZE) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("Unsupported or invalid image height: %d"), ++ xpm_image.height); ++ return NULL; ++ } ++ + image = gimp_image_new (xpm_image.width, + xpm_image.height, + GIMP_RGB); + + /* fill it */ +- parse_image (image, &xpm_image, cmap); ++ parse_image (image, &xpm_image, cmap, error); + + g_free (cmap); + +@@ -472,7 +489,8 @@ parse_colors (XpmImage 
*xpm_image) + static void + parse_image (GimpImage *image, + XpmImage *xpm_image, +- guchar *cmap) ++ guchar *cmap, ++ GError **error) + { + GeglBuffer *buffer; + gint tile_height; +@@ -498,7 +516,13 @@ parse_image (GimpImage *image, + + tile_height = gimp_tile_height (); + +- buf = g_new (guchar, tile_height * xpm_image->width * 4); ++ buf = g_try_new (guchar, tile_height * xpm_image->width * 4); ++ if (buf == NULL) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ "%s", _("XPM file invalid")); ++ return; ++ } + + src = xpm_image->data; + for (i = 0; i < xpm_image->height; i += tile_height) +-- +GitLab + + diff --git a/SOURCES/gimp-CVE-2026-4887.patch b/SOURCES/gimp-CVE-2026-4887.patch new file mode 100644 index 0000000..c73076b --- /dev/null +++ b/SOURCES/gimp-CVE-2026-4887.patch 
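Review bot: The two new `return NULL` paths in `load_image` run after `cmap = parse_colors (&xpm_image);`, so `cmap` is leaked whenever an oversized image is rejected; add `g_free (cmap);` before each return or move the size checks above the `parse_colors ()` call. `parse_image ()` still returns `void` and the visible caller does not inspect `error` afterwards, so an allocation failure appears to leave `load_image` returning an image together with a set `GError`. Returning `gboolean` from `parse_image ()` and having the caller release the image and return NULL on failure would follow the GError convention; the remainder of `load_image` is outside the hunk. The new messages format `xpm_image.width` and `xpm_image.height` with `%d`, while libXpm declares both as `unsigned int`, so `%u` is the matching specifier.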
@@ -0,0 +1,128 @@ +From aabce89271a9943a43bda9225aa43fc524f1c8a4 Mon Sep 17 00:00:00 2001 +From: Jacob Boerema +Date: Sun, 8 Mar 2026 15:18:33 -0400 +Subject: [PATCH] plug-ins:: fix #15960 PCX buffer overflow + +A buffer overflow in the PCX reader was reported. + +The +1 was added in commit da217088d0fab77b7a696e782f6e2fb3b597f48f +to allow loading where the images have an off by 1 value. However, +this leaves the problem that allocated buffers may be 1 byte too small. + +Because we prefer to keep loading as many images as possible, we choose +not to return an error. Instead we allocate 1 extra byte for the +line buffers. +In addition to that, we add check for valid values of bpp and error +out early when invalid. +If the bytesperline value is off by more than 1, we output a warning +message and use the manually computed value instead. + +Additionally add a comment that we need to fix a British English +word in a string after string freeze. +--- + plug-ins/common/file-pcx.c | 35 ++++++++++++++++++++++++++--------- + 1 file changed, 26 insertions(+), 9 deletions(-) + +diff --git a/plug-ins/common/file-pcx.c b/plug-ins/common/file-pcx.c +index 3cf1070d2d4..276b568e78b 100644 +--- a/plug-ins/common/file-pcx.c ++++ b/plug-ins/common/file-pcx.c +@@ -632,7 +632,7 @@ load_image (GimpProcedure *procedure, + GError **error) + { + GeglBuffer *buffer; +- guint16 offset_x, offset_y, bytesperline; ++ guint16 offset_x, offset_y, bytesperline, computed_bytesperline; + gint32 width, height; + guint16 resolution_x, resolution_y; + GimpImage *image; +@@ -681,13 +681,29 @@ load_image (GimpProcedure *procedure, + height); + return NULL; + } +- if ((bytesperline + 1) < ((width * pcx_header.bpp + 7) / 8) || +- bytesperline == 0) ++ ++ if (pcx_header.bpp != 1 && pcx_header.bpp != 2 && pcx_header.bpp != 4 && ++ pcx_header.bpp != 8) + { ++ /* FIXME: After string freeze this should be changed to a more descriptive error. 
*/ + g_set_error (error, GIMP_PLUG_IN_ERROR, 0, +- _("Invalid number of bytes per line in PCX header")); ++ _("Unusual PCX flavour, giving up")); + return NULL; + } ++ ++ /* Some legacy images have incorrect values for bytesperline, that are ++ * off by 1. To be able to load these, we will allow a difference of 1 here. ++ * However, that means we need to allocate 1 more byte than officially ++ * required to make sure we don't cause a buffer overrun. ++ * For larger differences we will compute the value of bytesperline. ++ */ ++ computed_bytesperline = (width * pcx_header.bpp + 7) / 8; ++ if (bytesperline + 1 < computed_bytesperline || bytesperline == 0) ++ { ++ g_message (_("Invalid number of bytes per line in PCX header")); ++ bytesperline = (width * pcx_header.bpp + 7) / 8; ++ } ++ + if ((resolution_x < 1) || (resolution_x > GIMP_MAX_RESOLUTION) || + (resolution_y < 1) || (resolution_y > GIMP_MAX_RESOLUTION)) + { +@@ -838,6 +854,7 @@ load_image (GimpProcedure *procedure, + } + else + { ++ /* FIXME: flavour is British English, should be flavor. 
*/ + g_set_error (error, GIMP_PLUG_IN_ERROR, 0, + _("Unusual PCX flavour, giving up")); + g_object_unref (buffer); +@@ -889,7 +906,7 @@ load_8 (FILE *fp, + guint16 bytes) + { + gint row; +- guchar *line = g_new (guchar, bytes); ++ guchar *line = g_new0 (guchar, bytes + 1); + + for (row = 0; row < height; buf += width, ++row) + { +@@ -910,7 +927,7 @@ load_24 (FILE *fp, + guint8 planes) + { + gint x, y, c; +- guchar *line = g_new (guchar, bytes); ++ guchar *line = g_new0 (guchar, bytes + 1); + + for (y = 0; y < height; buf += width * planes, ++y) + { +@@ -936,7 +953,7 @@ load_1 (FILE *fp, + guint16 bytes) + { + gint x, y; +- guchar *line = g_new (guchar, bytes); ++ guchar *line = g_new0 (guchar, bytes + 1); + + for (y = 0; y < height; buf += width, ++y) + { +@@ -962,7 +979,7 @@ load_4 (FILE *fp, + guint16 bytes) + { + gint x, y, c; +- guchar *line = g_new (guchar, bytes); ++ guchar *line = g_new0 (guchar, bytes + 1); + + for (y = 0; y < height; buf += width, ++y) + { +@@ -993,7 +1010,7 @@ load_sub_8 (FILE *fp, + guint16 bytes) + { + gint x, y, c, b; +- guchar *line = g_new (guchar, bytes); ++ guchar *line = g_new0 (guchar, bytes + 1); + gint real_bpp = bpp - 1; + gint current_bit = 0; + +-- +GitLab + + diff --git a/SPECS/gimp.spec b/SPECS/gimp.spec index 2701cc5..34f2f5e 100644 --- a/SPECS/gimp.spec +++ b/SPECS/gimp.spec @@ -67,7 +67,7 @@ Name: gimp Epoch: 2 Version: 3.0.4 %global rel 4 -Release: %{rel}%{?dist}.2 +Release: %{rel}%{?dist}.4 # https://bugzilla.redhat.com/show_bug.cgi?id=2318369 ExcludeArch: s390x 
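Review bot: `computed_bytesperline` is declared `guint16` in `load_image`, so `(width * pcx_header.bpp + 7) / 8` is truncated before the comparison, whereas the removed check compared the full `int` value. If the earlier width check (outside the hunk) admits a `width` whose row needs more than 65535 bytes, the truncated value can pass the test or be stored in `bytesperline`, and the `load_*` helpers then allocate `bytes + 1` for a row that is wider than that buffer. Computing the value in a wider type and rejecting rows that cannot be expressed in the 16-bit header field keeps the new `+ 1` allocation sound. The fallback assignment can then reuse `computed_bytesperline` instead of repeating the expression.

```c
  guint16     offset_x, offset_y, bytesperline;
  guint32     computed_bytesperline;
  /* … unchanged: header parsing, width/height and bpp validation … */
  computed_bytesperline = ((guint32) width * pcx_header.bpp + 7) / 8;
  if (computed_bytesperline > G_MAXUINT16)
    {
      /* A row this wide cannot be described by the 16-bit header field. */
      g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
                   _("Invalid number of bytes per line in PCX header"));
      return NULL;
    }
  if ((guint32) bytesperline + 1 < computed_bytesperline || bytesperline == 0)
    {
      g_message (_("Invalid number of bytes per line in PCX header"));
      bytesperline = (guint16) computed_bytesperline;
    }
```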
@@ -265,6 +265,12 @@ Patch11: gimp-3.0.4-CVE-2026-2044.patch Patch12: gimp-3.0.4-CVE-2026-2045.patch Patch13: gimp-3.0.4-CVE-2026-2047.patch Patch14: gimp-3.0.4-CVE-2026-2048.patch +Patch15: gimp-CVE-2026-4150.patch +Patch16: gimp-CVE-2026-4151.patch +Patch17: gimp-CVE-2026-4152.patch +Patch18: gimp-CVE-2026-4153.patch +Patch19: gimp-CVE-2026-4154.patch +Patch20: gimp-CVE-2026-4887.patch # use external help browser directly if help browser plug-in is not built Patch100: gimp-3.0.2-external-help-browser.patch @@ -351,6 +357,12 @@ EOF %patch12 -p1 -b .CVE-2026-2045 %patch13 -p1 -b .CVE-2026-2047 %patch14 -p1 -b .CVE-2026-2048 +%patch15 -p1 -b .CVE-2026-4150 +%patch16 -p1 -b .CVE-2026-4151 +%patch17 -p1 -b .CVE-2026-4152 +%patch18 -p1 -b .CVE-2026-4153 +%patch19 -p1 -b .CVE-2026-4154 +%patch20 -p1 -b .CVE-2026-4887 %patch100 -p1 -b .external-help-browser @@ -666,10 +678,22 @@ done %endif %changelog -* Tue May 19 2026 Eduard Abdullin - 2:3.0.4-4.2 -- Bump release +* Mon May 11 2026 Josef Ridky - 2:3.0.4-4.4 +- fix CVE-2026-4150 - align with Y-stream +- fix CVE-2026-4151 +- fix CVE-2026-4152 +- fix CVE-2026-4153 +- fix CVE-2026-4154 +- fix CVE-2026-4887 -* Fri Mar 06 2026 Josef Ridky - 2:3.0.4-4.1 +* Tue May 05 2026 RHEL Packaging Agent - 2:3.0.4-4.3 +- fix CVE-2026-4150 +- Resolves: RHEL-167738 + +* Tue Mar 10 2026 Josef Ridky - 2:3.0.4-4.2 +- bump spec + +* Mon Mar 09 2026 Josef Ridky - 2:3.0.4-4.1 - fix CVE-2026-0797 - fix CVE-2026-2044 - fix CVE-2026-2045