gimp: patch CVE-2025-14423

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14423 Pick the patch references by the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-01 13:58:06 +00:00 · 2025-12-29 15:52:54 +01:00 · 2025-12-29 15:52:54 +01:00 · 6aa5720e76
commit 6aa5720e76
parent a0b41204af
2 changed files with 107 additions and 0 deletions
--- a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch
@ -0,0 +1,106 @@
 From a83e8c4ad8ffbce40aa9f9a0f49880e802ef7da1 Mon Sep 17 00:00:00 2001
 From: Gyorgy Sarvari <skandigraun@gmail.com>
 Date: Sun, 23 Nov 2025 04:22:49 +0000
 Subject: [PATCH] plug-ins: Fix ZDI-CAN-28311
 From: Alx Sa <cmyk.student@gmail.com>
 Resolves #15292
 The IFF specification states that EHB format images
 have exactly 32 colors in their palette. However, it
 is possible for images in the wild to place an incorrect
 palette size. This patch checks for this, and either limits
 the palette size or breaks accordingly.
 CVE: CVE-2025-14423
 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/481cdbbb97746be1145ec3a633c567a68633c521]
 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
 ---
 plug-ins/common/file-iff.c | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)
 diff --git a/plug-ins/common/file-iff.c b/plug-ins/common/file-iff.c
 index d144a96..f087947 100644
 --- a/plug-ins/common/file-iff.c
 +++ b/plug-ins/common/file-iff.c
@@ -337,7 +337,7 @@ load_image (GFile        *file,
       width      = bitMapHeader->w;
       height     = bitMapHeader->h;
       nPlanes    = bitMapHeader->nPlanes;
 -      row_length = (width + 15) / 16;
 +      row_length = ((width + 15) / 16) * 2;
       pixel_size = nPlanes / 8;
       aspect_x   = bitMapHeader->xAspect;
       aspect_y   = bitMapHeader->yAspect;
@@ -375,6 +375,18 @@ load_image (GFile        *file,
             {
               /* EHB mode adds 32 more colors. Each are half the RGB values
                * of the first 32 colors */
 +              if (palette_size < 32)
 +                {
 +                  g_set_error (error, G_FILE_ERROR,
 +                               g_file_error_from_errno (errno),
 +                               _("Invalid ILBM colormap size"));
 +                  return NULL;
 +                }
 +              else if (palette_size > 32)
 +                {
 +                  palette_size = 32;
 +                }
 +
               for (gint j = 0; j < palette_size * 2; j++)
                 {
                   gint offset_index = j + 32;
@@ -386,7 +398,7 @@ load_image (GFile        *file,
                   gimp_cmap[offset_index * 3 + 2] =
                     colorMap->colorRegister[j].blue / 2;
                 }
 -              /* EHB mode always has 64 colors */
 +              /* EHB mode always has 64 colors in total */
               palette_size = 64;
             }
         }
@@ -447,7 +459,7 @@ load_image (GFile        *file,
         {
           guchar *pixel_row;
 -          pixel_row = g_malloc (width * pixel_size * sizeof (guchar));
 +          pixel_row = g_malloc0 (width * pixel_size);
           /* PBM uses one byte per pixel index */
           if (ILBM_imageIsPBM (true_image))
@@ -459,7 +471,7 @@ load_image (GFile        *file,
           else
             deleave_rgb_row (bitplanes, pixel_row, width, nPlanes, pixel_size);
 -          bitplanes += (row_length * 2 * nPlanes);
 +          bitplanes += (row_length * nPlanes);
           gegl_buffer_set (buffer, GEGL_RECTANGLE (0, y_height, width, 1), 0,
                            NULL, pixel_row, GEGL_AUTO_ROWSTRIDE);
@@ -528,7 +540,7 @@ deleave_ham_row (const guchar *gimp_cmap,
   /* Deleave rows */
   for (gint i = 0; i < row_length; i++)
     {
 -      for (gint j = 0; j < 8; j++)
 +      for (gint j = 0; j < nPlanes; j++)
         {
           guint8 bitmask = (1 << (8 - j)) - (1 << (7 - j));
           guint8 control = 0;
@@ -590,11 +602,11 @@ deleave_ham_row (const guchar *gimp_cmap,
 }
 static void
 -deleave_rgb_row (IFF_UByte  *bitplanes,
 -                     guchar *pixel_row,
 -                     gint    width,
 -                     gint    nPlanes,
 -                     gint    pixel_size)
 +deleave_rgb_row (IFF_UByte *bitplanes,
 +                 guchar    *pixel_row,
 +                 gint       width,
 +                 gint       nPlanes,
 +                 gint       pixel_size)
 {
   gint row_length    = ((width + 15) / 16) * 2;
   gint current_pixel = 0;
--- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
@ -62,6 +62,7 @@ SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \
           file://0001-meson.build-dont-check-for-lgi.patch \
           file://0001-meson.build-require-iso-codes-native.patch \
           file://CVE-2025-14422.patch \
           file://CVE-2025-14423.patch \
           "
 SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"