From fac97f0b7c0f9c92da9fe404ac52e38cdeccaff9 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Thu, 19 Jun 2025 10:25:30 +0000
Subject: [PATCH] import OL gimp-2.99.8-4.el9_6.2

---
 ...-Fix-DDS-vulnerability-ZDI-CAN-22093.patch | 63 -------
 ...-DDS-import-regression-from-7db71cd0.patch | 100 -----------
 ...-ins-Additional-fixes-for-DDS-Import.patch | 54 ------
 .../gimp-2.10.36-CVE-2023-44441-dds-rce.patch | 98 +++++++++++
 ...gimp-2.10.36-CVE-2023-44442-psd-rce.patch} | 11 +-
 ...gimp-2.10.36-CVE-2023-44443-psp-rce.patch} | 19 +--
 .../gimp-2.10.36-CVE-2023-44444-psp-rce.patch | 21 +++
 SOURCES/gimp-CVE-2023-44444.patch | 31 ----
 SOURCES/gimp-CVE-2025-48797.patch | 159 ++++++++++++++++++
 SOURCES/gimp-CVE-2025-48798.patch | 93 ++++++++++
 SOURCES/gimp-CVE-2025-5473.patch | 18 ++
 SPECS/gimp.spec | 60 ++++---
 12 files changed, 435 insertions(+), 292 deletions(-)
 delete mode 100644 SOURCES/gimp-2.10.36-CVE-2023-44441-0001-plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
 delete mode 100644 SOURCES/gimp-2.10.36-CVE-2023-44441-0002-plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
 delete mode 100644 SOURCES/gimp-2.10.36-CVE-2023-44441-0003-plug-ins-Additional-fixes-for-DDS-Import.patch
 create mode 100644 SOURCES/gimp-2.10.36-CVE-2023-44441-dds-rce.patch
 rename SOURCES/{gimp-CVE-2023-44442.patch => gimp-2.10.36-CVE-2023-44442-psd-rce.patch} (60%)
 rename SOURCES/{gimp-CVE-2023-44443.patch => gimp-2.10.36-CVE-2023-44443-psp-rce.patch} (61%)
 create mode 100644 SOURCES/gimp-2.10.36-CVE-2023-44444-psp-rce.patch
 delete mode 100644 SOURCES/gimp-CVE-2023-44444.patch
 create mode 100644 SOURCES/gimp-CVE-2025-48797.patch
 create mode 100644 SOURCES/gimp-CVE-2025-48798.patch
 create mode 100644 SOURCES/gimp-CVE-2025-5473.patch
diff --git a/SOURCES/gimp-2.10.36-CVE-2023-44441-0001-plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch b/SOURCES/gimp-2.10.36-CVE-2023-44441-0001-plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
deleted file mode 100644
index 66072a9..0000000
--- a/SOURCES/gimp-2.10.36-CVE-2023-44441-0001-plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
+++ /dev/null
@@ -1,63 +0,0 @@ -From 1e67a41b5171ab6c852d2b82ad3f3c23393d6326 Mon Sep 17 00:00:00 2001 -From: Alx Sa -Date: Wed, 7 Feb 2024 12:45:17 +0000 -Subject: [PATCH 1/3] plug-ins: Fix DDS vulnerability (ZDI-CAN-22093) - -Resolves #10069 - -Currently, the DDS header information for the width, height, and bytes per scan line -are read in and assumed to be correct. As these values are used for memory allocation -and reading, it would be good to verify they do not exceed the file size. - -This patch adds a condition after the header is read in to verify those values. If they exceed -the file size (mins an offset), the file is not read in and an error message is shown. - -Modified-by: Alex Burmashev -Signed-off-by: Alex Burmashev ---- - plug-ins/file-dds/ddsread.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c -index 72102d0..add4ba5 100644 ---- a/plug-ins/file-dds/ddsread.c -+++ b/plug-ins/file-dds/ddsread.c -@@ -124,6 +124,7 @@ read_dds (GFile *file, - guint l = 0; - guchar *pixels; - FILE *fp; -+ gsize file_size; - dds_header_t hdr; - dds_header_dx10_t dx10hdr; - dds_load_info_t d; -@@ -157,6 +158,10 @@ read_dds (GFile *file, - return GIMP_PDB_EXECUTION_ERROR; - } - -+ fseek (fp, 0L, SEEK_END); -+ file_size = ftell (fp); -+ fseek (fp, 0, SEEK_SET); -+ - gimp_progress_init_printf ("Loading %s:", gimp_file_get_utf8_name (file)); - - /* read header */ -@@ -207,6 +212,16 @@ read_dds (GFile *file, - } - } - -+ /* verify header information is accurate */ -+ if (hdr.depth < 1 || -+ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) || -+ (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr)))) -+ { -+ fclose (fp); -+ g_message ("Invalid or corrupted DDS header\n"); -+ return GIMP_PDB_EXECUTION_ERROR; -+ } -+ - if (hdr.pixelfmt.flags & DDPF_FOURCC) - { - /* fourcc is dXt* or rXgb */ --- -2.39.3 - 
diff --git a/SOURCES/gimp-2.10.36-CVE-2023-44441-0002-plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch b/SOURCES/gimp-2.10.36-CVE-2023-44441-0002-plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch deleted file mode 100644 index f6ce8b8..0000000 --- a/SOURCES/gimp-2.10.36-CVE-2023-44441-0002-plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From bd6e7854b7b679444af685fab06dbb6559f3d720 Mon Sep 17 00:00:00 2001 -From: Alx Sa -Date: Wed, 7 Feb 2024 12:47:12 +0000 -Subject: [PATCH 2/3] plug-ins: Fix DDS import regression from 7db71cd0 - -@Wormnest pointed out that compressed files are likely smaller than -width * height * bps, so our check to prevent ZDI-CAN-22093 -also caught valid files. -The size check is removed from load_image () and moved to load_layer () -before the two fread() functions, as we know exactly how much we'll -try to read at that point. -(Backport of 8faad92e) - -Modified-by: Alex Burmashev -Signed-off-by: Alex Burmashev ---- - plug-ins/file-dds/ddsread.c | 39 +++++++++++++++++++++++++++---------- - 1 file changed, 29 insertions(+), 10 deletions(-) - -diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c -index add4ba5..b19d32e 100644 ---- a/plug-ins/file-dds/ddsread.c -+++ b/plug-ins/file-dds/ddsread.c -@@ -212,16 +212,6 @@ read_dds (GFile *file, - } - } - -- /* verify header information is accurate */ -- if (hdr.depth < 1 || -- (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) || -- (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr)))) -- { -- fclose (fp); -- g_message ("Invalid or corrupted DDS header\n"); -- return GIMP_PDB_EXECUTION_ERROR; -- } -- - if (hdr.pixelfmt.flags & DDPF_FOURCC) - { - /* fourcc is dXt* or rXgb */ -@@ -332,6 +322,15 @@ read_dds (GFile *file, - precision = GIMP_PRECISION_U8_NON_LINEAR; - } - -+ /* verify header information is accurate */ -+ if (d.bpp < 1 || -+ (hdr.pitch_or_linsize > (file_size - sizeof (hdr)))) -+ { -+ fclose (fp); -+ g_message ("Invalid or corrupted DDS header\n"); -+ return GIMP_PDB_EXECUTION_ERROR; -+ } -+ - image = gimp_image_new_with_precision (hdr.width, hdr.height, type, precision); - - if (! 
image) -@@ -1000,6 +999,13 @@ load_layer (FILE *fp, - guint size = hdr->pitch_or_linsize >> (2 * level); - guint layerw; - gint format = DDS_COMPRESS_NONE; -+ gsize file_size; -+ gsize current_position; -+ -+ current_position = ftell (fp); -+ fseek (fp, 0L, SEEK_END); -+ file_size = ftell (fp); -+ fseek (fp, current_position, SEEK_SET); - - if (width < 1) width = 1; - if (height < 1) height = 1; -@@ -1097,6 +1103,12 @@ load_layer (FILE *fp, - size *= 16; - } - -+ if (size > (file_size - current_position)) -+ { -+ g_message ("Requested data exceeds size of file.\n"); -+ return 0; -+ } -+ - if ((hdr->flags & DDSD_LINEARSIZE) && - !fread (buf, size, 1, fp)) - { -@@ -1136,6 +1148,13 @@ load_layer (FILE *fp, - gimp_progress_update ((double) y / (double) hdr->height); - } - -+ current_position = ftell (fp); -+ if ((width * d->bpp) > (file_size - current_position)) -+ { -+ g_message ("Requested data exceeds size of file.\n"); -+ return 0; -+ } -+ - if ((hdr->flags & DDSD_PITCH) && - ! fread (buf, width * d->bpp, 1, fp)) - { --- -2.39.3 - diff --git a/SOURCES/gimp-2.10.36-CVE-2023-44441-0003-plug-ins-Additional-fixes-for-DDS-Import.patch b/SOURCES/gimp-2.10.36-CVE-2023-44441-0003-plug-ins-Additional-fixes-for-DDS-Import.patch deleted file mode 100644 index ca9c299..0000000 --- a/SOURCES/gimp-2.10.36-CVE-2023-44441-0003-plug-ins-Additional-fixes-for-DDS-Import.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 6d7aa0fd52d4d48e09e3c2fb3fb39b55cd35e0ea Mon Sep 17 00:00:00 2001 -From: Alx Sa -Date: Sat, 28 Oct 2023 21:44:51 +0000 -Subject: [PATCH 3/3] plug-ins: Additional fixes for DDS Import - -@Wormnest noted remaining regressions after 8faad92e. -The second fread() only runs if the DDSD_PITCH flag is set, -so the error handling check should also be conditional. -Additionally, the ZDI-CAN-22093 exploit no longer runs but -still could cause a plug-in crash. This patch adds an additional -check to ensure the buffer size was within bounds. - -Modified-by: Alex Burmashev -Signed-off-by: Alex Burmashev ---- - plug-ins/file-dds/ddsread.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c -index b19d32e..21eeb56 100644 ---- a/plug-ins/file-dds/ddsread.c -+++ b/plug-ins/file-dds/ddsread.c -@@ -1005,6 +1005,7 @@ load_layer (FILE *fp, - current_position = ftell (fp); - fseek (fp, 0L, SEEK_END); - file_size = ftell (fp); -+ fseek (fp, 0, SEEK_SET); - fseek (fp, current_position, SEEK_SET); - - if (width < 1) width = 1; -@@ -1103,7 +1104,8 @@ load_layer (FILE *fp, - size *= 16; - } - -- if (size > (file_size - current_position)) -+ if (size > (file_size - current_position) || -+ size > hdr->pitch_or_linsize) - { - g_message ("Requested data exceeds size of file.\n"); - return 0; -@@ -1149,7 +1151,9 @@ load_layer (FILE *fp, - } - - current_position = ftell (fp); -- if ((width * d->bpp) > (file_size - current_position)) -+ if ((hdr->flags & DDSD_PITCH) && -+ ((width * d->bpp) > (file_size - current_position) || -+ (width * d->bpp) > hdr->pitch_or_linsize)) - { - g_message ("Requested data exceeds size of file.\n"); - return 0; --- -2.39.3 - diff --git a/SOURCES/gimp-2.10.36-CVE-2023-44441-dds-rce.patch b/SOURCES/gimp-2.10.36-CVE-2023-44441-dds-rce.patch new file mode 100644 index 0000000..a951510 --- /dev/null +++ b/SOURCES/gimp-2.10.36-CVE-2023-44441-dds-rce.patch 
@@ -0,0 +1,98 @@ +Built out of the following commits from release 2.10.36: +- 7db71cd0b6e36c454aa0d2d3efeec7e636db4dbc +- e92f279c97282a2b20dca0d923db7465f2057703 +- 9dda8139e4d07e3a273436eda993fef32555edbe + +Applied onto worktree starting from top to bottom. +--- + plug-ins/file-dds/ddsread.c | 39 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c +index 72102d0e1c..ba5b712edd 100644 +--- a/plug-ins/file-dds/ddsread.c ++++ b/plug-ins/file-dds/ddsread.c +@@ -124,6 +124,7 @@ read_dds (GFile *file, + guint l = 0; + guchar *pixels; + FILE *fp; ++ gsize file_size; + dds_header_t hdr; + dds_header_dx10_t dx10hdr; + dds_load_info_t d; +@@ -157,6 +158,10 @@ read_dds (GFile *file, + return GIMP_PDB_EXECUTION_ERROR; + } + ++ fseek (fp, 0L, SEEK_END); ++ file_size = ftell (fp); ++ fseek (fp, 0, SEEK_SET); ++ + gimp_progress_init_printf ("Loading %s:", gimp_file_get_utf8_name (file)); + + /* read header */ +@@ -317,6 +322,16 @@ read_dds (GFile *file, + precision = GIMP_PRECISION_U8_NON_LINEAR; + } + ++ /* verify header information is accurate */ ++ if (hdr.depth < 1 || ++ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) || ++ (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr)))) ++ { ++ fclose (fp); ++ g_message ("Invalid or corrupted DDS header\n"); ++ return GIMP_PDB_EXECUTION_ERROR; ++ } ++ + image = gimp_image_new_with_precision (hdr.width, hdr.height, type, precision); + + if (! 
image) +@@ -985,6 +1000,14 @@ load_layer (FILE *fp, + guint size = hdr->pitch_or_linsize >> (2 * level); + guint layerw; + gint format = DDS_COMPRESS_NONE; ++ gsize file_size; ++ gsize current_position; ++ ++ current_position = ftell (fp); ++ fseek (fp, 0L, SEEK_END); ++ file_size = ftell (fp); ++ fseek (fp, 0, SEEK_SET); ++ fseek (fp, current_position, SEEK_SET); + + if (width < 1) width = 1; + if (height < 1) height = 1; +@@ -1082,6 +1105,13 @@ load_layer (FILE *fp, + size *= 16; + } + ++ if (size > (file_size - current_position) || ++ size > hdr->pitch_or_linsize) ++ { ++ g_message ("Requested data exceeds size of file.\n"); ++ return 0; ++ } ++ + if ((hdr->flags & DDSD_LINEARSIZE) && + !fread (buf, size, 1, fp)) + { +@@ -1121,6 +1151,15 @@ load_layer (FILE *fp, + gimp_progress_update ((double) y / (double) hdr->height); + } + ++ current_position = ftell (fp); ++ if ((hdr->flags & DDSD_PITCH) && ++ ((width * d->bpp) > (file_size - current_position) || ++ (width * d->bpp) > hdr->pitch_or_linsize)) ++ { ++ g_message ("Requested data exceeds size of file.\n"); ++ return 0; ++ } ++ + if ((hdr->flags & DDSD_PITCH) && + ! fread (buf, width * d->bpp, 1, fp)) + { +-- +2.43.0 + diff --git a/SOURCES/gimp-CVE-2023-44442.patch b/SOURCES/gimp-2.10.36-CVE-2023-44442-psd-rce.patch similarity index 60% rename from SOURCES/gimp-CVE-2023-44442.patch rename to SOURCES/gimp-2.10.36-CVE-2023-44442-psd-rce.patch index 2c72cf5..b0c5e6d 100644 --- a/SOURCES/gimp-CVE-2023-44442.patch +++ b/SOURCES/gimp-2.10.36-CVE-2023-44442-psd-rce.patch 
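Review bot: The combined patch reinstates the `((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))` condition in read_dds that the deleted 0002 patch (gimp-2.10.36-CVE-2023-44441-0002-…) removed precisely because, as its description records, compressed layers are smaller than width * height * depth bytes and the check rejected valid files with "Invalid or corrupted DDS header". The per-read bounds this patch also adds in load_layer (`size > (file_size - current_position)` and the DDSD_PITCH check) are what that regression fix relied on, so the header check should take the narrower form from the deleted patch, `if (d.bpp < 1 || (hdr.pitch_or_linsize > (file_size - sizeof (hdr))))`. Neither site checks ftell for -1; stored into a gsize that becomes a huge file_size and silently disables every comparison, so something like `if (file_size == (gsize) -1) { fclose (fp); return GIMP_PDB_EXECUTION_ERROR; }` after the seek is worth adding (the matching load_layer case would `return 0`). The second `fseek (fp, 0, SEEK_SET)` in load_layer, immediately overridden by the seek back to current_position, is dead and could be dropped. read_dds and load_layer both start and end outside the hunk.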
@@ -1,11 +1,4 @@ -From 865cc56894dcb6e1c664a55e4b4010ebf6919e10 Mon Sep 17 00:00:00 2001 -From: Alx Sa -Date: Fri, 29 Sep 2023 20:38:51 +0000 -Subject: [PATCH] plug-ins: Fix vulnerability in file-psd - -Resolves #10101. -This patch adds a missing break statement after an error condition -is detected to prevent the code from continuing afterwards. +O-Commit: 865cc56894dcb6e1c664a55e4b4010ebf6919e10 --- plug-ins/file-psd/psd-util.c | 1 + 1 file changed, 1 insertion(+) @@ -23,5 +16,5 @@ index 761865e7af..545bd32f7c 100644 memset (dst, *src, n); src++; -- -2.31.1 +2.43.0 diff --git a/SOURCES/gimp-CVE-2023-44443.patch b/SOURCES/gimp-2.10.36-CVE-2023-44443-psp-rce.patch similarity index 61% rename from SOURCES/gimp-CVE-2023-44443.patch rename to SOURCES/gimp-2.10.36-CVE-2023-44443-psp-rce.patch index 77fabea..9cc8ce0 100644 --- a/SOURCES/gimp-CVE-2023-44443.patch +++ b/SOURCES/gimp-2.10.36-CVE-2023-44443-psp-rce.patch @@ -1,24 +1,13 @@ -From 96f536a33590bb9811da5b5639e1d6c25aaf2e01 Mon Sep 17 00:00:00 2001 -From: Alx Sa -Date: Sat, 23 Sep 2023 02:41:57 +0000 -Subject: [PATCH] plug-ins: Fix PSP vulnerability (ZDI-CAN-22096) - -Resolves #10072. - -The current PSP palette loading code does not check if -the file's palette entry count value is below the limit -(G_MAXUNIT32 / 4 due to each color being 4 bytes long). -This patch adds this check and stops loading if the count -is larger than GIMP currently supports. +O-Commit: 9c9521e99dd24a73fe7701bf5bde6dbbd26c4862 --- plug-ins/common/file-psp.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c -index 582a10c300..7c9340ee2b 100644 +index f891ca1856..6944ad4072 100644 --- a/plug-ins/common/file-psp.c +++ b/plug-ins/common/file-psp.c -@@ -1279,8 +1279,17 @@ read_color_block (FILE *f, +@@ -1278,8 +1278,17 @@ read_color_block (FILE *f, } color_palette_entries = GUINT32_FROM_LE (entry_count); 
@@ -38,5 +27,5 @@ index 582a10c300..7c9340ee2b 100644 color_palette = g_malloc (pal_size); if (fread (color_palette, pal_size, 1, f) < 1) -- -2.31.1 +2.43.0 diff --git a/SOURCES/gimp-2.10.36-CVE-2023-44444-psp-rce.patch b/SOURCES/gimp-2.10.36-CVE-2023-44444-psp-rce.patch new file mode 100644 index 0000000..6de7213 --- /dev/null +++ b/SOURCES/gimp-2.10.36-CVE-2023-44444-psp-rce.patch @@ -0,0 +1,21 @@ +O-Commit: d52d32cb82905e4ee58d249dcde9e8d47f2b915d +--- + plug-ins/common/file-psp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c +index 6944ad4072..d1156d4732 100644 +--- a/plug-ins/common/file-psp.c ++++ b/plug-ins/common/file-psp.c +@@ -1657,7 +1657,7 @@ read_channel_data (FILE *f, + else + endq = q + line_width * height; + +- buf = g_malloc (127); ++ buf = g_malloc (128); + while (q < endq) + { + fread (&runcount, 1, 1, f); +-- +2.43.0 + diff --git a/SOURCES/gimp-CVE-2023-44444.patch b/SOURCES/gimp-CVE-2023-44444.patch deleted file mode 100644 index f71c021..0000000 --- a/SOURCES/gimp-CVE-2023-44444.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From e1bfd87195e4fe60a92df70cde65464d032dd3c1 Mon Sep 17 00:00:00 2001 -From: Alx Sa -Date: Sat, 23 Sep 2023 02:16:24 +0000 -Subject: [PATCH] plug-ins: Fix PSP vulnerability (ZDI-CAN-22097) - -Resolves #10071. - -When reading RLE compressed data, a buffer was allocated to 127 bytes. -However, it can potentially be used to read 128 bytes, leading to a -off-by-one vulnerability. This patch allocates 128 bytes to the buffer -to prevent this from occurring. ---- - plug-ins/common/file-psp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c -index c8b166471e..582a10c300 100644 ---- a/plug-ins/common/file-psp.c -+++ b/plug-ins/common/file-psp.c -@@ -1649,7 +1649,7 @@ read_channel_data (FILE *f, - else - endq = q + line_width * height; - -- buf = g_malloc (127); -+ buf = g_malloc (128); - while (q < endq) - { - fread (&runcount, 1, 1, f); --- -2.31.1 - diff --git a/SOURCES/gimp-CVE-2025-48797.patch b/SOURCES/gimp-CVE-2025-48797.patch new file mode 100644 index 0000000..18e5129 --- /dev/null +++ b/SOURCES/gimp-CVE-2025-48797.patch 
@@ -0,0 +1,159 @@ +diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c +index f6f24a13194..c0d7ad94c20 100644 +--- a/plug-ins/common/file-tga.c ++++ b/plug-ins/common/file-tga.c +@@ -982,9 +982,9 @@ ReadImage (FILE *fp, + cmap_bytes = (info->colorMapSize + 7 ) / 8; + tga_cmap = g_new (guchar, info->colorMapLength * cmap_bytes); + +- if (info->colorMapSize > 24) ++ if (info->colorMapSize > 24 || info->alphaBits > 0) + { +- /* indexed + full alpha => promoted to RGBA */ ++ /* indexed + full alpha, or alpha exists => promoted to RGBA */ + itype = GIMP_RGB; + dtype = GIMP_RGBA_IMAGE; + convert_cmap = g_new (guchar, info->colorMapLength * 4); +@@ -996,13 +996,6 @@ ReadImage (FILE *fp, + dtype = GIMP_RGB_IMAGE; + convert_cmap = g_new (guchar, info->colorMapLength * 3); + } +- else if (info->alphaBits > 0) +- { +- /* if alpha exists here, promote to RGB */ +- itype = GIMP_RGB; +- dtype = GIMP_RGBA_IMAGE; +- convert_cmap = g_new (guchar, info->colorMapLength * 4); +- } + else + { + itype = GIMP_INDEXED; +--- +diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c +index c0d7ad94c20..433410ff471 100644 +--- a/plug-ins/common/file-tga.c ++++ b/plug-ins/common/file-tga.c +@@ -539,7 +539,7 @@ load_image (GFile *file, + switch (info.imageType) + { + case TGA_TYPE_MAPPED: +- if (info.bpp != 8) ++ if (info.bpp != 8 || !info.colorMapLength) + { + g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)", + gimp_file_get_utf8_name (file), +@@ -862,32 +862,31 @@ apply_colormap (guchar *dest, + guint width, + const guchar *cmap, + gboolean alpha, +- guint16 index) ++ guint16 colorMapIndex, ++ guint16 colorMapLength) + { + guint x; + +- if (alpha) +- { +- for (x = 0; x < width; x++) +- { +- *(dest++) = cmap[(*src - index) * 4]; +- *(dest++) = cmap[(*src - index) * 4 + 1]; +- *(dest++) = cmap[(*src - index) * 4 + 2]; +- *(dest++) = cmap[(*src - index) * 4 + 3]; +- +- src++; +- } +- } +- else ++ for (x = 0; x < width; x++) + { +- for (x = 0; x < 
width; x++) +- { +- *(dest++) = cmap[(*src - index) * 3]; +- *(dest++) = cmap[(*src - index) * 3 + 1]; +- *(dest++) = cmap[(*src - index) * 3 + 2]; +- +- src++; +- } ++ guchar entryIndex = src[x] - colorMapIndex; ++ ++ if (src[x] < colorMapIndex || entryIndex >= colorMapLength) { ++ g_message ("Unsupported colormap entry: %u", ++ src[x]); ++ entryIndex = 0; ++ } ++ ++ if (alpha) { ++ *(dest++) = cmap[entryIndex * 4]; ++ *(dest++) = cmap[entryIndex * 4 + 1]; ++ *(dest++) = cmap[entryIndex * 4 + 2]; ++ *(dest++) = cmap[entryIndex * 4 + 3]; ++ } else { ++ *(dest++) = cmap[entryIndex * 3]; ++ *(dest++) = cmap[entryIndex * 3 + 1]; ++ *(dest++) = cmap[entryIndex * 3 + 2]; ++ } + } + } + +@@ -943,7 +942,7 @@ read_line (FILE *fp, + gboolean has_alpha = (info->alphaBits > 0); + + apply_colormap (row, buf, info->width, convert_cmap, has_alpha, +- info->colorMapIndex); ++ info->colorMapIndex, info->colorMapLength); + } + else if (info->imageType == TGA_TYPE_MAPPED) + { +--- +diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c +index 433410ff471..a171a264772 100644 +--- a/plug-ins/common/file-tga.c ++++ b/plug-ins/common/file-tga.c +@@ -952,7 +952,7 @@ read_line (FILE *fp, + } + else + { +- memcpy (row, buf, info->width * bpp); ++ memcpy (row, buf, info->width * info->bytes); + } + } + +--- +diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c +index a171a264772..abecde86857 100644 +--- a/plug-ins/common/file-tga.c ++++ b/plug-ins/common/file-tga.c +@@ -866,14 +866,29 @@ apply_colormap (guchar *dest, + guint16 colorMapLength) + { + guint x; ++ gint errcnt = 0; + + for (x = 0; x < width; x++) + { + guchar entryIndex = src[x] - colorMapIndex; + + if (src[x] < colorMapIndex || entryIndex >= colorMapLength) { +- g_message ("Unsupported colormap entry: %u", +- src[x]); ++ /* On Windows the error console can run out of resources when ++ * producing a huge amount of messages. This can happen when using ++ * fuzzed test images. 
This causes unresponsiveness at first and ++ * finally crashes GIMP. Eventually this needs to be fixed at the ++ * source, but for now let's limit the error messages to 10 ++ * per line (this function is called once per read_line). */ ++ if (errcnt < 10) ++ { ++ g_message ("Unsupported colormap entry: %u", ++ src[x]); ++ } ++ else if (errcnt == 10) ++ { ++ g_message ("Too many colormap errors. Image may be corrupt."); ++ } ++ errcnt++; + entryIndex = 0; + } + +--- diff --git a/SOURCES/gimp-CVE-2025-48798.patch b/SOURCES/gimp-CVE-2025-48798.patch new file mode 100644 index 0000000..f9d774d --- /dev/null +++ b/SOURCES/gimp-CVE-2025-48798.patch 
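Review bot: The rewritten loop in apply_colormap attaches the opening brace to the `if (src[x] < colorMapIndex || entryIndex >= colorMapLength) {`, `if (alpha) {` and `} else {` lines, while the rest of the function, including the `for` directly above, keeps the file's GNU style with braces on their own lines; the last hunk then nests a correctly styled `if`/`else if` inside that K&R block, so the function ends up mixing both. Moving each brace to its own line as the surrounding code does would make the four hunks uniform. Since `errcnt` is a local that resets on every call, the cap is ten messages per read_line call rather than per image, which the comment says but the "Too many colormap errors" message does not convey; a short note in that message or the comment would avoid surprise. apply_colormap's signature is inside the hunk but load_image and read_line start outside it.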
@@ -0,0 +1,93 @@ +diff -urNp a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c +--- a/app/xcf/xcf-load.c 2025-06-14 13:08:43.443446885 +0200 ++++ b/app/xcf/xcf-load.c 2025-06-14 13:22:09.771911460 +0200 +@@ -102,7 +102,8 @@ static gboolean xcf_check_layer_p + gboolean *is_text_layer); + static gboolean xcf_load_channel_props (XcfInfo *info, + GimpImage *image, +- GimpChannel **channel); ++ GimpChannel **channel, ++ gboolean is_mask); + static gboolean xcf_load_prop (XcfInfo *info, + PropType *prop_type, + guint32 *prop_size); +@@ -1213,6 +1214,14 @@ xcf_load_layer_props (XcfInfo *info, + + case PROP_ACTIVE_LAYER: + info->selected_layers = g_list_prepend (info->selected_layers, *layer); ++ { ++ if (g_list_index (info->selected_layers, *layer) < 0) ++ info->selected_layers = g_list_prepend (info->selected_layers, *layer); ++ else ++ gimp_message_literal (info->gimp, G_OBJECT (info->progress), ++ GIMP_MESSAGE_WARNING, ++ "Invalid duplicate selected layer detected"); ++ } + break; + + case PROP_FLOATING_SELECTION: +@@ -1663,7 +1672,8 @@ xcf_check_layer_props (XcfInfo *info, + static gboolean + xcf_load_channel_props (XcfInfo *info, + GimpImage *image, +- GimpChannel **channel) ++ GimpChannel **channel, ++ gboolean is_mask) + { + PropType prop_type; + guint32 prop_size; +@@ -1686,6 +1696,36 @@ xcf_load_channel_props (XcfInfo *in + { + GimpChannel *mask; + ++ if (is_mask) ++ { ++ /* PROP_SELECTION is not valid for masks, and we have to avoid ++ * overwriting the channel. ++ */ ++ continue; ++ } ++ ++ if (*channel == gimp_image_get_mask (image)) ++ { ++ /* PROP_SELECTION was already seen once for this ++ * channel. Let's silently ignore the second identical ++ * property to avoid a double free. ++ */ ++ continue; ++ } ++ else if (gimp_image_get_mask (image) != NULL && ++ ! gimp_channel_is_empty (gimp_image_get_mask (image))) ++ { ++ /* This would happen when PROP_SELECTION was already set ++ * on a previous channel. 
This is a minor case of data ++ * loss (we don't know which selection was the right one ++ * and we drop the non-first ones), and also means it's ++ * a broken XCF, though it's not a major bug either. So ++ * let's go with a stderr print. ++ */ ++ g_printerr ("PROP_SELECTION property was set on 2 channels (skipping)\n"); ++ continue; ++ } ++ + /* We're going to delete *channel, Don't leave its pointer + * in @info. See bug #767873. + */ +@@ -2155,7 +2195,7 @@ xcf_load_channel (XcfInfo *info, + return NULL; + + /* read in the channel properties */ +- if (! xcf_load_channel_props (info, image, &channel)) ++ if (! xcf_load_channel_props (info, image, &channel, FALSE)) + goto error; + + xcf_progress_update (info); +@@ -2228,7 +2268,7 @@ xcf_load_layer_mask (XcfInfo *info, + + /* read in the layer_mask properties */ + channel = GIMP_CHANNEL (layer_mask); +- if (! xcf_load_channel_props (info, image, &channel)) ++ if (! xcf_load_channel_props (info, image, &channel, TRUE)) + goto error; + + xcf_progress_update (info); diff --git a/SOURCES/gimp-CVE-2025-5473.patch b/SOURCES/gimp-CVE-2025-5473.patch new file mode 100644 index 0000000..d33f906 --- /dev/null +++ b/SOURCES/gimp-CVE-2025-5473.patch @@ -0,0 +1,18 @@ +diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c +index 9a222998bc1..818cf23cd31 100644 +--- a/plug-ins/file-ico/ico-load.c ++++ b/plug-ins/file-ico/ico-load.c +@@ -299,7 +299,11 @@ ico_read_png (FILE *fp, + png_read_info (png_ptr, info); + png_get_IHDR (png_ptr, info, &w, &h, &bit_depth, &color_type, + NULL, NULL, NULL); +- if (w*h*4 > maxsize) ++ /* Check for overflow */ ++ if ((w * h * 4) < w || ++ (w * h * 4) < h || ++ (w * h * 4) < (w * h) || ++ (w * h * 4) > maxsize) + { + png_destroy_read_struct (&png_ptr, &info, NULL); + return FALSE; +--- diff --git a/SPECS/gimp.spec b/SPECS/gimp.spec index 99734a7..a01cec2 100644 --- a/SPECS/gimp.spec +++ b/SPECS/gimp.spec 
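Review bot: In the PROP_ACTIVE_LAYER hunk the original `info->selected_layers = g_list_prepend (info->selected_layers, *layer);` is kept as a context line and the guarded block is added below it, so the layer is always prepended first, `g_list_index` then always returns a non-negative index, the "Invalid duplicate selected layer detected" warning fires for every file that has an active layer, and a genuinely duplicated PROP_ACTIVE_LAYER still ends up in the list twice. The inner patch needs that line marked as removed (`-`) so the prepend happens only in the `if` branch; as written, this part of the CVE fix is ineffective and adds a spurious warning on valid images. The `is_mask` / PROP_SELECTION hunks and both updated call sites look consistent with each other. xcf_load_layer_props and xcf_load_channel_props start and end outside the hunk.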
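Review bot: The added overflow test in ico_read_png computes `w * h * 4` in 32-bit unsigned arithmetic (png_get_IHDR fills png_uint_32), so it only detects wrap-around when the wrapped product happens to land below w, h or w * h; a product that wraps to a moderately large value (constructed example: w = 0x10001, h = 0x10000 gives w * h == 0x10000 and w * h * 4 == 0x40000) passes all three comparisons and is then checked against maxsize as if it were small. Checking the bound before the multiplication is both shorter and complete: `if ((guint64) w * h > G_MAXUINT32 / 4 || w * h * 4 > maxsize)`. ico_read_png starts and ends outside the hunk, so the declared types of w, h and maxsize are not visible here and should be confirmed.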
@@ -89,7 +89,7 @@ Name: gimp
 Epoch: 2
 Version: 2.99.8
 %global rel 4
-Release: %{?prerelprefix}%{rel}%{dotprerel}%{dotgitrev}%{?dist}
+Release: %{?prerelprefix}%{rel}%{dotprerel}%{dotgitrev}%{?dist}.2
 
 # Compute some version related macros.
 # Ugly, need to get quoting percent signs straight.
@@ -249,13 +249,26 @@ Patch5: gimp-CVE-2022-30067.patch
 # CVE-2022-32990
 Patch6: gimp-CVE-2022-32990.patch
 
-# CVE-2023-44441 CVE-2023-44442 CVE-2023-44443 CVE-2023-44444
-Patch7: gimp-2.10.36-CVE-2023-44441-0001-plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
-Patch8: gimp-2.10.36-CVE-2023-44441-0002-plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
-Patch9: gimp-2.10.36-CVE-2023-44441-0003-plug-ins-Additional-fixes-for-DDS-Import.patch
-Patch10: gimp-CVE-2023-44442.patch
-Patch11: gimp-CVE-2023-44443.patch
-Patch12: gimp-CVE-2023-44444.patch
+# RHEL-86049: dds buffer overflow RCE
+Patch7: gimp-2.10.36-CVE-2023-44441-dds-rce.patch
+
+# RHEL-86046: psd buffer overflow RCE
+Patch8: gimp-2.10.36-CVE-2023-44442-psd-rce.patch
+
+# RHEL-86043: psp buffer overflow RCE
+Patch9: gimp-2.10.36-CVE-2023-44443-psp-rce.patch
+
+# RHEL-86040: psp buffer overflow RCE
+Patch10: gimp-2.10.36-CVE-2023-44444-psp-rce.patch
+
+# RHEL-93521: CVE-2025-48797
+Patch11: gimp-CVE-2025-48797.patch
+
+# RHEL-93522: CVE-2025-48798
+Patch12: gimp-CVE-2025-48798.patch
+
+# RHEL-95700: CVE-2025-5473
+Patch13: gimp-CVE-2025-5473.patch
 
 # use external help browser directly if help browser plug-in is not built
 Patch100: gimp-2.10.24-external-help-browser.patch
@@ -362,15 +375,16 @@ EOF
 %patch4 -p1 -b .remove-lua
 %patch5 -p1 -b .CVE-2022-30067
 %patch6 -p1 -b .CVE-2022-32990
-%patch7 -p1 -b .CVE-2023-44441-1
-%patch8 -p1 -b .CVE-2023-44441-2
-%patch9 -p1 -b .CVE-2023-44441-3
-%patch10 -p1 -b .CVE-2023-44442
-%patch11 -p1 -b .CVE-2023-44443
-%patch12 -p1 -b .CVE-2023-44444
+%patch7 -p1 -b .dds-rce
+%patch8 -p1 -b .psd-rce
+%patch9 -p1 -b .psp-rce1
+%patch10 -p1 -b .psp-rce2
+%patch11 -p1 -b .CVE-2025-48797
+%patch12 -p1 -b .CVE-2025-48798
+%patch13 -p1 -b .CVE-2025-5473
 
 %if ! %{with helpbrowser}
-#%patch100 -p1 -b .external-help-browser
+#patch100 -p1 -b .external-help-browser
 %endif
 
 %build
@@ -750,11 +764,17 @@ make check %{?_smp_mflags}
 %endif
 
 %changelog
-* Mon Feb 05 2024 Darren Archibald - 2:2.99.8-4
-- fix CVE-2023-44441
-- fix CVE-2023-44442
-- fix CVE-2023-44443
-- fix CVE-2023-44444
+* Sat Jun 14 2025 Josef Ridky - 2:2.99.8-4.2
+- fix CVE-2025-5473 (RHEL-95700)
+
+* Sat Jun 14 2025 Josef Ridky - 2:2.99.8-4.1
+- fix CVE-2025-48797 (RHEL-93521)
+- fix CVE-2025-48798 (RHEL-93522)
+
+* Wed Apr 09 2025 Josef Ridky - 2:2.99.8-4
+- Applying fixes for vulnerabilities that led to possible RCE conditions.
+- Fixes: CVE-2023-44441 CVE-2023-44442 CVE-2023-44443 CVE-2023-44444
+- Resolves: RHEL-86049 RHEL-86046 RHEL-86043 RHEL-86040
 
 * Mon Jul 18 2022 Josef Ridky - 2:2.99.8-3
 - fix CVE-2022-30067