gimp: patch CVE-2025-14423

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14423 Pick the patch references by the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-01 13:58:06 +00:00 · 2025-12-29 15:52:54 +01:00 · 2025-12-29 15:52:54 +01:00 · 6aa5720e76
commit 6aa5720e76
parent a0b41204af
2 changed files with 107 additions and 0 deletions
--- a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch
@ -0,0 +1,106 @@
+From a83e8c4ad8ffbce40aa9f9a0f49880e802ef7da1 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Sun, 23 Nov 2025 04:22:49 +0000
+Subject: [PATCH] plug-ins: Fix ZDI-CAN-28311
+
+From: Alx Sa <cmyk.student@gmail.com>
+
+Resolves #15292
+The IFF specification states that EHB format images
+have exactly 32 colors in their palette. However, it
+is possible for images in the wild to place an incorrect
+palette size. This patch checks for this, and either limits
+the palette size or breaks accordingly.
+
+CVE: CVE-2025-14423
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/481cdbbb97746be1145ec3a633c567a68633c521]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ plug-ins/common/file-iff.c | 32 ++++++++++++++++++++++----------
+ 1 file changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/plug-ins/common/file-iff.c b/plug-ins/common/file-iff.c
+index d144a96..f087947 100644
+--- a/plug-ins/common/file-iff.c
+++ b/plug-ins/common/file-iff.c
+@@ -337,7 +337,7 @@ load_image (GFile        *file,
+       width      = bitMapHeader->w;
+       height     = bitMapHeader->h;
+       nPlanes    = bitMapHeader->nPlanes;
+-      row_length = (width + 15) / 16;
+      row_length = ((width + 15) / 16) * 2;
+       pixel_size = nPlanes / 8;
+       aspect_x   = bitMapHeader->xAspect;
+       aspect_y   = bitMapHeader->yAspect;
+@@ -375,6 +375,18 @@ load_image (GFile        *file,
+             {
+               /* EHB mode adds 32 more colors. Each are half the RGB values
+                * of the first 32 colors */
+              if (palette_size < 32)
+                {
+                  g_set_error (error, G_FILE_ERROR,
+                               g_file_error_from_errno (errno),
+                               _("Invalid ILBM colormap size"));
+                  return NULL;
+                }
+              else if (palette_size > 32)
+                {
+                  palette_size = 32;
+                }
+
+               for (gint j = 0; j < palette_size * 2; j++)
+                 {
+                   gint offset_index = j + 32;
+@@ -386,7 +398,7 @@ load_image (GFile        *file,
+                   gimp_cmap[offset_index * 3 + 2] =
+                     colorMap->colorRegister[j].blue / 2;
+                 }
+-              /* EHB mode always has 64 colors */
+              /* EHB mode always has 64 colors in total */
+               palette_size = 64;
+             }
+         }
+@@ -447,7 +459,7 @@ load_image (GFile        *file,
+         {
+           guchar *pixel_row;
+ 
+-          pixel_row = g_malloc (width * pixel_size * sizeof (guchar));
+          pixel_row = g_malloc0 (width * pixel_size);
+ 
+           /* PBM uses one byte per pixel index */
+           if (ILBM_imageIsPBM (true_image))
+@@ -459,7 +471,7 @@ load_image (GFile        *file,
+           else
+             deleave_rgb_row (bitplanes, pixel_row, width, nPlanes, pixel_size);
+ 
+-          bitplanes += (row_length * 2 * nPlanes);
+          bitplanes += (row_length * nPlanes);
+ 
+           gegl_buffer_set (buffer, GEGL_RECTANGLE (0, y_height, width, 1), 0,
+                            NULL, pixel_row, GEGL_AUTO_ROWSTRIDE);
+@@ -528,7 +540,7 @@ deleave_ham_row (const guchar *gimp_cmap,
+   /* Deleave rows */
+   for (gint i = 0; i < row_length; i++)
+     {
+-      for (gint j = 0; j < 8; j++)
+      for (gint j = 0; j < nPlanes; j++)
+         {
+           guint8 bitmask = (1 << (8 - j)) - (1 << (7 - j));
+           guint8 control = 0;
+@@ -590,11 +602,11 @@ deleave_ham_row (const guchar *gimp_cmap,
+ }
+ 
+ static void
+-deleave_rgb_row (IFF_UByte  *bitplanes,
+-                     guchar *pixel_row,
+-                     gint    width,
+-                     gint    nPlanes,
+-                     gint    pixel_size)
+deleave_rgb_row (IFF_UByte *bitplanes,
+                 guchar    *pixel_row,
+                 gint       width,
+                 gint       nPlanes,
+                 gint       pixel_size)
+ {
+   gint row_length    = ((width + 15) / 16) * 2;
+   gint current_pixel = 0;
--- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
@ -62,6 +62,7 @@ SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \
           file://0001-meson.build-dont-check-for-lgi.patch \
           file://0001-meson.build-require-iso-codes-native.patch \
           file://CVE-2025-14422.patch \
+           file://CVE-2025-14423.patch \
           "
 SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"