import OL gimp-2.99.8-4.el9_6.2

This commit is contained in:
eabdullin 2025-06-19 10:25:30 +00:00
parent 5a848b7509
commit fac97f0b7c
12 changed files with 435 additions and 292 deletions


@ -1,63 +0,0 @@
From 1e67a41b5171ab6c852d2b82ad3f3c23393d6326 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Wed, 7 Feb 2024 12:45:17 +0000
Subject: [PATCH 1/3] plug-ins: Fix DDS vulnerability (ZDI-CAN-22093)
Resolves #10069
Currently, the DDS header information for the width, height, and bytes per scan line
are read in and assumed to be correct. As these values are used for memory allocation
and reading, it would be good to verify they do not exceed the file size.
This patch adds a condition after the header is read in to verify those values. If they exceed
the file size (mins an offset), the file is not read in and an error message is shown.
Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
---
plug-ins/file-dds/ddsread.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
index 72102d0..add4ba5 100644
--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
@@ -124,6 +124,7 @@ read_dds (GFile *file,
guint l = 0;
guchar *pixels;
FILE *fp;
+ gsize file_size;
dds_header_t hdr;
dds_header_dx10_t dx10hdr;
dds_load_info_t d;
@@ -157,6 +158,10 @@ read_dds (GFile *file,
return GIMP_PDB_EXECUTION_ERROR;
}
+ fseek (fp, 0L, SEEK_END);
+ file_size = ftell (fp);
+ fseek (fp, 0, SEEK_SET);
+
gimp_progress_init_printf ("Loading %s:", gimp_file_get_utf8_name (file));
/* read header */
@@ -207,6 +212,16 @@ read_dds (GFile *file,
}
}
+ /* verify header information is accurate */
+ if (hdr.depth < 1 ||
+ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
+ (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
+ {
+ fclose (fp);
+ g_message ("Invalid or corrupted DDS header\n");
+ return GIMP_PDB_EXECUTION_ERROR;
+ }
+
if (hdr.pixelfmt.flags & DDPF_FOURCC)
{
/* fourcc is dXt* or rXgb */
--
2.39.3


@ -1,100 +0,0 @@
From bd6e7854b7b679444af685fab06dbb6559f3d720 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Wed, 7 Feb 2024 12:47:12 +0000
Subject: [PATCH 2/3] plug-ins: Fix DDS import regression from 7db71cd0
@Wormnest pointed out that compressed files are likely smaller than
width * height * bps, so our check to prevent ZDI-CAN-22093
also caught valid files.
The size check is removed from load_image () and moved to load_layer ()
before the two fread() functions, as we know exactly how much we'll
try to read at that point.
(Backport of 8faad92e)
Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
---
plug-ins/file-dds/ddsread.c | 39 +++++++++++++++++++++++++++----------
1 file changed, 29 insertions(+), 10 deletions(-)
diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
index add4ba5..b19d32e 100644
--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
@@ -212,16 +212,6 @@ read_dds (GFile *file,
}
}
- /* verify header information is accurate */
- if (hdr.depth < 1 ||
- (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
- (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
- {
- fclose (fp);
- g_message ("Invalid or corrupted DDS header\n");
- return GIMP_PDB_EXECUTION_ERROR;
- }
-
if (hdr.pixelfmt.flags & DDPF_FOURCC)
{
/* fourcc is dXt* or rXgb */
@@ -332,6 +322,15 @@ read_dds (GFile *file,
precision = GIMP_PRECISION_U8_NON_LINEAR;
}
+ /* verify header information is accurate */
+ if (d.bpp < 1 ||
+ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))))
+ {
+ fclose (fp);
+ g_message ("Invalid or corrupted DDS header\n");
+ return GIMP_PDB_EXECUTION_ERROR;
+ }
+
image = gimp_image_new_with_precision (hdr.width, hdr.height, type, precision);
if (! image)
@@ -1000,6 +999,13 @@ load_layer (FILE *fp,
guint size = hdr->pitch_or_linsize >> (2 * level);
guint layerw;
gint format = DDS_COMPRESS_NONE;
+ gsize file_size;
+ gsize current_position;
+
+ current_position = ftell (fp);
+ fseek (fp, 0L, SEEK_END);
+ file_size = ftell (fp);
+ fseek (fp, current_position, SEEK_SET);
if (width < 1) width = 1;
if (height < 1) height = 1;
@@ -1097,6 +1103,12 @@ load_layer (FILE *fp,
size *= 16;
}
+ if (size > (file_size - current_position))
+ {
+ g_message ("Requested data exceeds size of file.\n");
+ return 0;
+ }
+
if ((hdr->flags & DDSD_LINEARSIZE) &&
!fread (buf, size, 1, fp))
{
@@ -1136,6 +1148,13 @@ load_layer (FILE *fp,
gimp_progress_update ((double) y / (double) hdr->height);
}
+ current_position = ftell (fp);
+ if ((width * d->bpp) > (file_size - current_position))
+ {
+ g_message ("Requested data exceeds size of file.\n");
+ return 0;
+ }
+
if ((hdr->flags & DDSD_PITCH) &&
! fread (buf, width * d->bpp, 1, fp))
{
--
2.39.3


@ -1,54 +0,0 @@
From 6d7aa0fd52d4d48e09e3c2fb3fb39b55cd35e0ea Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Sat, 28 Oct 2023 21:44:51 +0000
Subject: [PATCH 3/3] plug-ins: Additional fixes for DDS Import
@Wormnest noted remaining regressions after 8faad92e.
The second fread() only runs if the DDSD_PITCH flag is set,
so the error handling check should also be conditional.
Additionally, the ZDI-CAN-22093 exploit no longer runs but
still could cause a plug-in crash. This patch adds an additional
check to ensure the buffer size was within bounds.
Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
---
plug-ins/file-dds/ddsread.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
index b19d32e..21eeb56 100644
--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
@@ -1005,6 +1005,7 @@ load_layer (FILE *fp,
current_position = ftell (fp);
fseek (fp, 0L, SEEK_END);
file_size = ftell (fp);
+ fseek (fp, 0, SEEK_SET);
fseek (fp, current_position, SEEK_SET);
if (width < 1) width = 1;
@@ -1103,7 +1104,8 @@ load_layer (FILE *fp,
size *= 16;
}
- if (size > (file_size - current_position))
+ if (size > (file_size - current_position) ||
+ size > hdr->pitch_or_linsize)
{
g_message ("Requested data exceeds size of file.\n");
return 0;
@@ -1149,7 +1151,9 @@ load_layer (FILE *fp,
}
current_position = ftell (fp);
- if ((width * d->bpp) > (file_size - current_position))
+ if ((hdr->flags & DDSD_PITCH) &&
+ ((width * d->bpp) > (file_size - current_position) ||
+ (width * d->bpp) > hdr->pitch_or_linsize))
{
g_message ("Requested data exceeds size of file.\n");
return 0;
--
2.39.3


@ -0,0 +1,98 @@
Built out of the following commits from release 2.10.36:
- 7db71cd0b6e36c454aa0d2d3efeec7e636db4dbc
- e92f279c97282a2b20dca0d923db7465f2057703
- 9dda8139e4d07e3a273436eda993fef32555edbe
Applied onto worktree starting from top to bottom.
---
plug-ins/file-dds/ddsread.c | 39 +++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
index 72102d0e1c..ba5b712edd 100644
--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
@@ -124,6 +124,7 @@ read_dds (GFile *file,
guint l = 0;
guchar *pixels;
FILE *fp;
+ gsize file_size;
dds_header_t hdr;
dds_header_dx10_t dx10hdr;
dds_load_info_t d;
@@ -157,6 +158,10 @@ read_dds (GFile *file,
return GIMP_PDB_EXECUTION_ERROR;
}
+ fseek (fp, 0L, SEEK_END);
+ file_size = ftell (fp);
+ fseek (fp, 0, SEEK_SET);
+
gimp_progress_init_printf ("Loading %s:", gimp_file_get_utf8_name (file));
/* read header */
@@ -317,6 +322,16 @@ read_dds (GFile *file,
precision = GIMP_PRECISION_U8_NON_LINEAR;
}
+ /* verify header information is accurate */
+ if (hdr.depth < 1 ||
+ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
+ (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
+ {
+ fclose (fp);
+ g_message ("Invalid or corrupted DDS header\n");
+ return GIMP_PDB_EXECUTION_ERROR;
+ }
+
image = gimp_image_new_with_precision (hdr.width, hdr.height, type, precision);
if (! image)
@@ -985,6 +1000,14 @@ load_layer (FILE *fp,
guint size = hdr->pitch_or_linsize >> (2 * level);
guint layerw;
gint format = DDS_COMPRESS_NONE;
+ gsize file_size;
+ gsize current_position;
+
+ current_position = ftell (fp);
+ fseek (fp, 0L, SEEK_END);
+ file_size = ftell (fp);
+ fseek (fp, 0, SEEK_SET);
+ fseek (fp, current_position, SEEK_SET);
if (width < 1) width = 1;
if (height < 1) height = 1;
@@ -1082,6 +1105,13 @@ load_layer (FILE *fp,
size *= 16;
}
+ if (size > (file_size - current_position) ||
+ size > hdr->pitch_or_linsize)
+ {
+ g_message ("Requested data exceeds size of file.\n");
+ return 0;
+ }
+
if ((hdr->flags & DDSD_LINEARSIZE) &&
!fread (buf, size, 1, fp))
{
@@ -1121,6 +1151,15 @@ load_layer (FILE *fp,
gimp_progress_update ((double) y / (double) hdr->height);
}
+ current_position = ftell (fp);
+ if ((hdr->flags & DDSD_PITCH) &&
+ ((width * d->bpp) > (file_size - current_position) ||
+ (width * d->bpp) > hdr->pitch_or_linsize))
+ {
+ g_message ("Requested data exceeds size of file.\n");
+ return 0;
+ }
+
if ((hdr->flags & DDSD_PITCH) &&
! fread (buf, width * d->bpp, 1, fp))
{
--
2.43.0
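Review bot: The read_dds check in the third hunk (`@@ -317,6 +322,16`) rejects any file smaller than `(guint64) hdr.height * hdr.width * hdr.depth` bytes, which is the form the deleted 0002 patch's own message says also rejected valid compressed files (DXT payloads are smaller than the uncompressed pixel count); the deleted replacement at this same spot read `if (d.bpp < 1 || (hdr.pitch_or_linsize > (file_size - sizeof (hdr))))`, so the combined patch appears to re-apply the 7db71cd0 form rather than the e92f279c one — worth confirming against the upstream 2.10.36 tree before shipping. Independently, `file_size = ftell (fp)` is stored unchecked in both read_dds and load_layer; ftell returns -1 on failure, which as a gsize becomes the maximum value and lets every size comparison pass, so a `if (ftell (fp) < 0)` error path (closing fp in read_dds, returning 0 in load_layer) would make the guards reliable. In load_layer's first hunk the `fseek (fp, 0, SEEK_SET);` immediately before `fseek (fp, current_position, SEEK_SET);` is redundant and can be dropped. Both functions continue outside the hunks shown.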


@ -1,11 +1,4 @@
From 865cc56894dcb6e1c664a55e4b4010ebf6919e10 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Fri, 29 Sep 2023 20:38:51 +0000
Subject: [PATCH] plug-ins: Fix vulnerability in file-psd
Resolves #10101.
This patch adds a missing break statement after an error condition
is detected to prevent the code from continuing afterwards.
O-Commit: 865cc56894dcb6e1c664a55e4b4010ebf6919e10
---
plug-ins/file-psd/psd-util.c | 1 +
1 file changed, 1 insertion(+)
@ -23,5 +16,5 @@ index 761865e7af..545bd32f7c 100644
memset (dst, *src, n);
src++;
--
2.31.1
2.43.0


@ -1,24 +1,13 @@
From 96f536a33590bb9811da5b5639e1d6c25aaf2e01 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Sat, 23 Sep 2023 02:41:57 +0000
Subject: [PATCH] plug-ins: Fix PSP vulnerability (ZDI-CAN-22096)
Resolves #10072.
The current PSP palette loading code does not check if
the file's palette entry count value is below the limit
(G_MAXUNIT32 / 4 due to each color being 4 bytes long).
This patch adds this check and stops loading if the count
is larger than GIMP currently supports.
O-Commit: 9c9521e99dd24a73fe7701bf5bde6dbbd26c4862
---
plug-ins/common/file-psp.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index 582a10c300..7c9340ee2b 100644
index f891ca1856..6944ad4072 100644
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -1279,8 +1279,17 @@ read_color_block (FILE *f,
@@ -1278,8 +1278,17 @@ read_color_block (FILE *f,
}
color_palette_entries = GUINT32_FROM_LE (entry_count);
@ -38,5 +27,5 @@ index 582a10c300..7c9340ee2b 100644
color_palette = g_malloc (pal_size);
if (fread (color_palette, pal_size, 1, f) < 1)
--
2.31.1
2.43.0


@ -0,0 +1,21 @@
O-Commit: d52d32cb82905e4ee58d249dcde9e8d47f2b915d
---
plug-ins/common/file-psp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index 6944ad4072..d1156d4732 100644
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -1657,7 +1657,7 @@ read_channel_data (FILE *f,
else
endq = q + line_width * height;
- buf = g_malloc (127);
+ buf = g_malloc (128);
while (q < endq)
{
fread (&runcount, 1, 1, f);
--
2.43.0
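Review bot: The new patch file keeps only the `O-Commit:` trailer and drops the From/Subject/description that the deleted copy of the same change carried, so the reason the buffer grows from 127 to 128 (an RLE run can be used to read 128 bytes, per that deleted description) is no longer recorded next to the change; a one-line comment above `buf = g_malloc (128);` such as `/* an RLE run count can cover up to 128 bytes; 127 was one short */` would keep the rationale with the code. The loop body still ignores the return of `fread (&runcount, 1, 1, f);`, so on a truncated file runcount keeps its previous value and the loop keeps consuming stale data; checking that read and leaving the loop on a short read (`if (fread (&runcount, 1, 1, f) != 1) break;`) would be cheap hardening alongside the size fix. read_channel_data continues outside the hunk.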


@ -1,31 +0,0 @@
From e1bfd87195e4fe60a92df70cde65464d032dd3c1 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Sat, 23 Sep 2023 02:16:24 +0000
Subject: [PATCH] plug-ins: Fix PSP vulnerability (ZDI-CAN-22097)
Resolves #10071.
When reading RLE compressed data, a buffer was allocated to 127 bytes.
However, it can potentially be used to read 128 bytes, leading to a
off-by-one vulnerability. This patch allocates 128 bytes to the buffer
to prevent this from occurring.
---
plug-ins/common/file-psp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index c8b166471e..582a10c300 100644
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -1649,7 +1649,7 @@ read_channel_data (FILE *f,
else
endq = q + line_width * height;
- buf = g_malloc (127);
+ buf = g_malloc (128);
while (q < endq)
{
fread (&runcount, 1, 1, f);
--
2.31.1


@ -0,0 +1,159 @@
diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
index f6f24a13194..c0d7ad94c20 100644
--- a/plug-ins/common/file-tga.c
+++ b/plug-ins/common/file-tga.c
@@ -982,9 +982,9 @@ ReadImage (FILE *fp,
cmap_bytes = (info->colorMapSize + 7 ) / 8;
tga_cmap = g_new (guchar, info->colorMapLength * cmap_bytes);
- if (info->colorMapSize > 24)
+ if (info->colorMapSize > 24 || info->alphaBits > 0)
{
- /* indexed + full alpha => promoted to RGBA */
+ /* indexed + full alpha, or alpha exists => promoted to RGBA */
itype = GIMP_RGB;
dtype = GIMP_RGBA_IMAGE;
convert_cmap = g_new (guchar, info->colorMapLength * 4);
@@ -996,13 +996,6 @@ ReadImage (FILE *fp,
dtype = GIMP_RGB_IMAGE;
convert_cmap = g_new (guchar, info->colorMapLength * 3);
}
- else if (info->alphaBits > 0)
- {
- /* if alpha exists here, promote to RGB */
- itype = GIMP_RGB;
- dtype = GIMP_RGBA_IMAGE;
- convert_cmap = g_new (guchar, info->colorMapLength * 4);
- }
else
{
itype = GIMP_INDEXED;
---
diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
index c0d7ad94c20..433410ff471 100644
--- a/plug-ins/common/file-tga.c
+++ b/plug-ins/common/file-tga.c
@@ -539,7 +539,7 @@ load_image (GFile *file,
switch (info.imageType)
{
case TGA_TYPE_MAPPED:
- if (info.bpp != 8)
+ if (info.bpp != 8 || !info.colorMapLength)
{
g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)",
gimp_file_get_utf8_name (file),
@@ -862,32 +862,31 @@ apply_colormap (guchar *dest,
guint width,
const guchar *cmap,
gboolean alpha,
- guint16 index)
+ guint16 colorMapIndex,
+ guint16 colorMapLength)
{
guint x;
- if (alpha)
- {
- for (x = 0; x < width; x++)
- {
- *(dest++) = cmap[(*src - index) * 4];
- *(dest++) = cmap[(*src - index) * 4 + 1];
- *(dest++) = cmap[(*src - index) * 4 + 2];
- *(dest++) = cmap[(*src - index) * 4 + 3];
-
- src++;
- }
- }
- else
+ for (x = 0; x < width; x++)
{
- for (x = 0; x < width; x++)
- {
- *(dest++) = cmap[(*src - index) * 3];
- *(dest++) = cmap[(*src - index) * 3 + 1];
- *(dest++) = cmap[(*src - index) * 3 + 2];
-
- src++;
- }
+ guchar entryIndex = src[x] - colorMapIndex;
+
+ if (src[x] < colorMapIndex || entryIndex >= colorMapLength) {
+ g_message ("Unsupported colormap entry: %u",
+ src[x]);
+ entryIndex = 0;
+ }
+
+ if (alpha) {
+ *(dest++) = cmap[entryIndex * 4];
+ *(dest++) = cmap[entryIndex * 4 + 1];
+ *(dest++) = cmap[entryIndex * 4 + 2];
+ *(dest++) = cmap[entryIndex * 4 + 3];
+ } else {
+ *(dest++) = cmap[entryIndex * 3];
+ *(dest++) = cmap[entryIndex * 3 + 1];
+ *(dest++) = cmap[entryIndex * 3 + 2];
+ }
}
}
@@ -943,7 +942,7 @@ read_line (FILE *fp,
gboolean has_alpha = (info->alphaBits > 0);
apply_colormap (row, buf, info->width, convert_cmap, has_alpha,
- info->colorMapIndex);
+ info->colorMapIndex, info->colorMapLength);
}
else if (info->imageType == TGA_TYPE_MAPPED)
{
---
diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
index 433410ff471..a171a264772 100644
--- a/plug-ins/common/file-tga.c
+++ b/plug-ins/common/file-tga.c
@@ -952,7 +952,7 @@ read_line (FILE *fp,
}
else
{
- memcpy (row, buf, info->width * bpp);
+ memcpy (row, buf, info->width * info->bytes);
}
}
---
diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
index a171a264772..abecde86857 100644
--- a/plug-ins/common/file-tga.c
+++ b/plug-ins/common/file-tga.c
@@ -866,14 +866,29 @@ apply_colormap (guchar *dest,
guint16 colorMapLength)
{
guint x;
+ gint errcnt = 0;
for (x = 0; x < width; x++)
{
guchar entryIndex = src[x] - colorMapIndex;
if (src[x] < colorMapIndex || entryIndex >= colorMapLength) {
- g_message ("Unsupported colormap entry: %u",
- src[x]);
+ /* On Windows the error console can run out of resources when
+ * producing a huge amount of messages. This can happen when using
+ * fuzzed test images. This causes unresponsiveness at first and
+ * finally crashes GIMP. Eventually this needs to be fixed at the
+ * source, but for now let's limit the error messages to 10
+ * per line (this function is called once per read_line). */
+ if (errcnt < 10)
+ {
+ g_message ("Unsupported colormap entry: %u",
+ src[x]);
+ }
+ else if (errcnt == 10)
+ {
+ g_message ("Too many colormap errors. Image may be corrupt.");
+ }
+ errcnt++;
entryIndex = 0;
}
---
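Review bot: In the rewritten apply_colormap (second diff, `@@ -862,32 +862,31`) an out-of-range palette index is silently replaced by entry 0, which alters pixel output instead of failing the row; if that is intended, the fallback deserves a comment such as `/* out-of-range entries are mapped to palette entry 0 so the row is still produced */`, since the errcnt hunk in the fourth diff shows the messages alone were already a problem. The new loop body also uses K&R brace placement (`if (alpha) {` / `} else {`) where the surrounding file puts braces on their own lines (compare the `for` in the same loop and the `if (errcnt < 10)` block added later), so it will stand out in this GNU-style file. The `!info.colorMapLength` guard is added only to the `TGA_TYPE_MAPPED` case of load_image; if another colour-mapped image type is handled by the same switch outside the hunk it presumably needs the same guard, which I cannot see from here. apply_colormap's body ends outside the fourth diff's hunk.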


@ -0,0 +1,93 @@
diff -urNp a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
--- a/app/xcf/xcf-load.c 2025-06-14 13:08:43.443446885 +0200
+++ b/app/xcf/xcf-load.c 2025-06-14 13:22:09.771911460 +0200
@@ -102,7 +102,8 @@ static gboolean xcf_check_layer_p
gboolean *is_text_layer);
static gboolean xcf_load_channel_props (XcfInfo *info,
GimpImage *image,
- GimpChannel **channel);
+ GimpChannel **channel,
+ gboolean is_mask);
static gboolean xcf_load_prop (XcfInfo *info,
PropType *prop_type,
guint32 *prop_size);
@@ -1213,6 +1214,14 @@ xcf_load_layer_props (XcfInfo *info,
case PROP_ACTIVE_LAYER:
info->selected_layers = g_list_prepend (info->selected_layers, *layer);
+ {
+ if (g_list_index (info->selected_layers, *layer) < 0)
+ info->selected_layers = g_list_prepend (info->selected_layers, *layer);
+ else
+ gimp_message_literal (info->gimp, G_OBJECT (info->progress),
+ GIMP_MESSAGE_WARNING,
+ "Invalid duplicate selected layer detected");
+ }
break;
case PROP_FLOATING_SELECTION:
@@ -1663,7 +1672,8 @@ xcf_check_layer_props (XcfInfo *info,
static gboolean
xcf_load_channel_props (XcfInfo *info,
GimpImage *image,
- GimpChannel **channel)
+ GimpChannel **channel,
+ gboolean is_mask)
{
PropType prop_type;
guint32 prop_size;
@@ -1686,6 +1696,36 @@ xcf_load_channel_props (XcfInfo *in
{
GimpChannel *mask;
+ if (is_mask)
+ {
+ /* PROP_SELECTION is not valid for masks, and we have to avoid
+ * overwriting the channel.
+ */
+ continue;
+ }
+
+ if (*channel == gimp_image_get_mask (image))
+ {
+ /* PROP_SELECTION was already seen once for this
+ * channel. Let's silently ignore the second identical
+ * property to avoid a double free.
+ */
+ continue;
+ }
+ else if (gimp_image_get_mask (image) != NULL &&
+ ! gimp_channel_is_empty (gimp_image_get_mask (image)))
+ {
+ /* This would happen when PROP_SELECTION was already set
+ * on a previous channel. This is a minor case of data
+ * loss (we don't know which selection was the right one
+ * and we drop the non-first ones), and also means it's
+ * a broken XCF, though it's not a major bug either. So
+ * let's go with a stderr print.
+ */
+ g_printerr ("PROP_SELECTION property was set on 2 channels (skipping)\n");
+ continue;
+ }
+
/* We're going to delete *channel, Don't leave its pointer
* in @info. See bug #767873.
*/
@@ -2155,7 +2195,7 @@ xcf_load_channel (XcfInfo *info,
return NULL;
/* read in the channel properties */
- if (! xcf_load_channel_props (info, image, &channel))
+ if (! xcf_load_channel_props (info, image, &channel, FALSE))
goto error;
xcf_progress_update (info);
@@ -2228,7 +2268,7 @@ xcf_load_layer_mask (XcfInfo *info,
/* read in the layer_mask properties */
channel = GIMP_CHANNEL (layer_mask);
- if (! xcf_load_channel_props (info, image, &channel))
+ if (! xcf_load_channel_props (info, image, &channel, TRUE))
goto error;
xcf_progress_update (info);
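Review bot: In the PROP_ACTIVE_LAYER hunk (`@@ -1213,6 +1214,14`) the original unconditional `info->selected_layers = g_list_prepend (info->selected_layers, *layer);` appears to survive as a context line directly above the new block — the hunk counts (6 old, 14 new, eight added lines) only add up if that line is not removed. If so, the new `g_list_index (info->selected_layers, *layer) < 0` test always finds the layer already present, the "Invalid duplicate selected layer detected" warning fires for every valid file, and a genuine duplicate is still prepended by the surviving line, so the double entry this patch targets is not prevented. The fix is to delete the original line so only the guarded prepend remains; the upstream change presumably replaces it rather than adding beside it, which a diff against the referenced upstream commit would confirm. The is_mask / repeated-PROP_SELECTION handling in xcf_load_channel_props reads correctly as far as shown; both enclosing functions continue outside the hunks.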


@ -0,0 +1,18 @@
diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
index 9a222998bc1..818cf23cd31 100644
--- a/plug-ins/file-ico/ico-load.c
+++ b/plug-ins/file-ico/ico-load.c
@@ -299,7 +299,11 @@ ico_read_png (FILE *fp,
png_read_info (png_ptr, info);
png_get_IHDR (png_ptr, info, &w, &h, &bit_depth, &color_type,
NULL, NULL, NULL);
- if (w*h*4 > maxsize)
+ /* Check for overflow */
+ if ((w * h * 4) < w ||
+ (w * h * 4) < h ||
+ (w * h * 4) < (w * h) ||
+ (w * h * 4) > maxsize)
{
png_destroy_read_struct (&png_ptr, &info, NULL);
return FALSE;
---
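Review bot: The overflow test added before `(w * h * 4) > maxsize` compares the wrapped product against its factors, which does not catch every wrap: a product that wraps to a value still at least as large as w, h and the wrapped w*h passes all three comparisons (constructed example with 32-bit operands: w = 0x20000, h = 0x8001 gives w*h ≡ 0x20000 mod 2^32, so w*h*4 = 0x80000 exceeds w, h and w*h yet is far below the true size). A safer form computes the requirement in 64 bits and compares once — `guint64 needed = (guint64) w * h * 4;` then `if (needed > maxsize)` — or, without widening, rejects `w != 0 && h > G_MAXUINT32 / 4 / w` before multiplying; both assume w and h are the png_uint_32 values png_get_IHDR fills, which the declarations above the hunk would confirm. The rest of ico_read_png is outside the hunk.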


@ -89,7 +89,7 @@ Name: gimp
Epoch: 2
Version: 2.99.8
%global rel 4
Release: %{?prerelprefix}%{rel}%{dotprerel}%{dotgitrev}%{?dist}
Release: %{?prerelprefix}%{rel}%{dotprerel}%{dotgitrev}%{?dist}.2
# Compute some version related macros.
# Ugly, need to get quoting percent signs straight.
@ -249,13 +249,26 @@ Patch5: gimp-CVE-2022-30067.patch
# CVE-2022-32990
Patch6: gimp-CVE-2022-32990.patch
# CVE-2023-44441 CVE-2023-44442 CVE-2023-44443 CVE-2023-44444
Patch7: gimp-2.10.36-CVE-2023-44441-0001-plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
Patch8: gimp-2.10.36-CVE-2023-44441-0002-plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
Patch9: gimp-2.10.36-CVE-2023-44441-0003-plug-ins-Additional-fixes-for-DDS-Import.patch
Patch10: gimp-CVE-2023-44442.patch
Patch11: gimp-CVE-2023-44443.patch
Patch12: gimp-CVE-2023-44444.patch
# RHEL-86049: dds buffer overflow RCE
Patch7: gimp-2.10.36-CVE-2023-44441-dds-rce.patch
# RHEL-86046: psd buffer overflow RCE
Patch8: gimp-2.10.36-CVE-2023-44442-psd-rce.patch
# RHEL-86043: psp buffer overflow RCE
Patch9: gimp-2.10.36-CVE-2023-44443-psp-rce.patch
# RHEL-86040: psp buffer overflow RCE
Patch10: gimp-2.10.36-CVE-2023-44444-psp-rce.patch
# RHEL-93521: CVE-2025-48797
Patch11: gimp-CVE-2025-48797.patch
# RHEL-93522: CVE-2025-48798
Patch12: gimp-CVE-2025-48798.patch
# RHEL-95700: CVE-2025-5473
Patch13: gimp-CVE-2025-5473.patch
# use external help browser directly if help browser plug-in is not built
Patch100: gimp-2.10.24-external-help-browser.patch
@ -362,15 +375,16 @@ EOF
%patch4 -p1 -b .remove-lua
%patch5 -p1 -b .CVE-2022-30067
%patch6 -p1 -b .CVE-2022-32990
%patch7 -p1 -b .CVE-2023-44441-1
%patch8 -p1 -b .CVE-2023-44441-2
%patch9 -p1 -b .CVE-2023-44441-3
%patch10 -p1 -b .CVE-2023-44442
%patch11 -p1 -b .CVE-2023-44443
%patch12 -p1 -b .CVE-2023-44444
%patch7 -p1 -b .dds-rce
%patch8 -p1 -b .psd-rce
%patch9 -p1 -b .psp-rce1
%patch10 -p1 -b .psp-rce2
%patch11 -p1 -b .CVE-2025-48797
%patch12 -p1 -b .CVE-2025-48798
%patch13 -p1 -b .CVE-2025-5473
%if ! %{with helpbrowser}
#%patch100 -p1 -b .external-help-browser
#patch100 -p1 -b .external-help-browser
%endif
%build
@ -750,11 +764,17 @@ make check %{?_smp_mflags}
%endif
%changelog
* Mon Feb 05 2024 Darren Archibald <darren.archibald@oracle.com> - 2:2.99.8-4
- fix CVE-2023-44441
- fix CVE-2023-44442
- fix CVE-2023-44443
- fix CVE-2023-44444
* Sat Jun 14 2025 Josef Ridky <jridky@redhat.com> - 2:2.99.8-4.2
- fix CVE-2025-5473 (RHEL-95700)
* Sat Jun 14 2025 Josef Ridky <jridky@redhat.com> - 2:2.99.8-4.1
- fix CVE-2025-48797 (RHEL-93521)
- fix CVE-2025-48798 (RHEL-93522)
* Wed Apr 09 2025 Josef Ridky <jridky@redhat.com> - 2:2.99.8-4
- Applying fixes for vulnerabilities that led to possible RCE conditions.
- Fixes: CVE-2023-44441 CVE-2023-44442 CVE-2023-44443 CVE-2023-44444
- Resolves: RHEL-86049 RHEL-86046 RHEL-86043 RHEL-86040
* Mon Jul 18 2022 Josef Ridky <jridky@redhat.com> - 2:2.99.8-3
- fix CVE-2022-30067