diff --git a/0001-fix-CVE-2025-5473.patch b/0001-fix-CVE-2025-5473.patch deleted file mode 100644 index 313b3f1289150921e137b82a76c543d121a3ccf9..0000000000000000000000000000000000000000 --- a/0001-fix-CVE-2025-5473.patch +++ /dev/null @@ -1,36 +0,0 @@ -From c855d1df60ebaf5ef8d02807d448eb088f147a2b Mon Sep 17 00:00:00 2001 -From: Alx Sa -Date: Sat, 3 May 2025 14:13:46 +0000 -Subject: [PATCH] plug-ins: ZDI-CAN-26752 mitigation - -Resolves #13910 -Since ICO can store PNGs, it's possible to create an -icon that's much larger than the stated image size and -cause a buffer overflow. -This patch adds a check to make sure the width * height * 4 -calculation does not overflow in addition to making sure it -doesn't exceed the maximum allowed size for that icon. ---- - plug-ins/file-ico/ico-load.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c -index 9a222998bc1..818cf23cd31 100644 ---- a/plug-ins/file-ico/ico-load.c -+++ b/plug-ins/file-ico/ico-load.c -@@ -299,7 +299,11 @@ ico_read_png (FILE *fp, - png_read_info (png_ptr, info); - png_get_IHDR (png_ptr, info, &w, &h, &bit_depth, &color_type, - NULL, NULL, NULL); -- if (w*h*4 > maxsize) -+ /* Check for overflow */ -+ if ((w * h * 4) < w || -+ (w * h * 4) < h || -+ (w * h * 4) < (w * h) || -+ (w * h * 4) > maxsize) - { - png_destroy_read_struct (&png_ptr, &info, NULL); - return FALSE; --- -GitLab - diff --git a/0002-fix-CVE-2025-6035.patch b/0002-fix-CVE-2025-6035.patch deleted file mode 100644 index 92a874f8ae62e72aa95f104af87ef4356e41d8e6..0000000000000000000000000000000000000000 --- a/0002-fix-CVE-2025-6035.patch +++ /dev/null 
@@ -1,183 +0,0 @@ -From 548bc3a46d54711d974aae9ce1bce291376c0436 Mon Sep 17 00:00:00 2001 -From: Jacob Boerema -Date: Thu, 1 May 2025 12:42:17 -0400 -Subject: [PATCH] plug-ins: CWE-190: Integer Overflow or Wraparound in - Despeckle -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -As reported by Seungho Kim our despeckle filter doesn't check for -integer overflow when allocating buffers, nor do we check for failed -allocations. - -A potential integer overflow vulnerability exists in the GIMP -"Despeckle" plug-in. The issue occurs due to unchecked multiplication -of image dimensions (width, height) and bytes-per-pixel (img_bpp), -which can result in allocating insufficient memory and subsequently -performing out-of-bounds writes. This could lead to heap corruption and -potential denial-of-service (DoS) or arbitrary code execution in -certain scenarios. - -Vulnerability Details -•width and height are of type guint (signed 32-bit int). -•Multiplying width * height * img_bpp can result in a value exceeding -the bounds of gsize. -•g_new() does not perform overflow protection; if the size wraps around, -less memory than needed will be allocated. -•Subsequent pixel processing loops write beyond the allocated memory -region (src, dst). - -Proof of Concept (PoC) -Open a specially crafted image with very large dimensions (e.g., -70,000 x 70,000 pixels) and apply the Despeckle filter. GIMP may crash -due to heap corruption, or undefined behavior may occur. - -We applied the suggested changes and in addition adjusted the despeckle -function to be able to set error messages, and check for NULL -allocations. 
---- - plug-ins/common/despeckle.c | 62 +++++++++++++++++++++++++++++-------- - 1 file changed, 49 insertions(+), 13 deletions(-) - -diff --git a/plug-ins/common/despeckle.c b/plug-ins/common/despeckle.c -index 3250925b94d..ffa24f06c68 100644 ---- a/plug-ins/common/despeckle.c -+++ b/plug-ins/common/despeckle.c -@@ -98,8 +98,9 @@ static GimpValueArray * despeckle_run (GimpProcedure *proced - GimpProcedureConfig *config, - gpointer run_data); - --static void despeckle (GimpDrawable *drawable, -- GObject *config); -+static gboolean despeckle (GimpDrawable *drawable, -+ GObject *config, -+ GError **error); - static void despeckle_median (GObject *config, - guchar *src, - guchar *dst, -@@ -224,13 +225,12 @@ despeckle_run (GimpProcedure *procedure, - gpointer run_data) - { - GimpDrawable *drawable; -+ GError *error = NULL; - - gegl_init (NULL, NULL); - - if (gimp_core_object_array_get_length ((GObject **) drawables) != 1) - { -- GError *error = NULL; -- - g_set_error (&error, GIMP_PLUG_IN_ERROR, 0, - _("Procedure '%s' only works with one drawable."), - PLUG_IN_PROC); -@@ -250,7 +250,10 @@ despeckle_run (GimpProcedure *procedure, - if (run_mode == GIMP_RUN_INTERACTIVE && ! despeckle_dialog (procedure, G_OBJECT (config), drawable)) - return gimp_procedure_new_return_values (procedure, GIMP_PDB_CANCEL, NULL); - -- despeckle (drawable, G_OBJECT (config)); -+ if (! 
despeckle (drawable, G_OBJECT (config), &error)) -+ return gimp_procedure_new_return_values (procedure, -+ GIMP_PDB_EXECUTION_ERROR, -+ error); - - return gimp_procedure_new_return_values (procedure, GIMP_PDB_SUCCESS, NULL); - } -@@ -323,9 +326,10 @@ get_u8_format (GimpDrawable *drawable) - } - } - --static void -+static gboolean - despeckle (GimpDrawable *drawable, -- GObject *config) -+ GObject *config, -+ GError **error) - { - GeglBuffer *src_buffer; - GeglBuffer *dest_buffer; -@@ -335,10 +339,11 @@ despeckle (GimpDrawable *drawable, - gint img_bpp; - gint x, y; - gint width, height; -+ gsize bufsize = 0; - - if (! gimp_drawable_mask_intersect (drawable, - &x, &y, &width, &height)) -- return; -+ return TRUE; - - format = get_u8_format (drawable); - img_bpp = babl_format_get_bytes_per_pixel (format); -@@ -346,8 +351,26 @@ despeckle (GimpDrawable *drawable, - src_buffer = gimp_drawable_get_buffer (drawable); - dest_buffer = gimp_drawable_get_shadow_buffer (drawable); - -- src = g_new (guchar, width * height * img_bpp); -- dst = g_new (guchar, width * height * img_bpp); -+ if (! g_size_checked_mul (&bufsize, width, height) || -+ ! 
g_size_checked_mul (&bufsize, bufsize, img_bpp)) -+ { -+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, -+ _("Image dimensions too large: width %d x height %d"), -+ width, height); -+ return FALSE; -+ } -+ -+ src = g_try_malloc (bufsize); -+ dst = g_try_malloc (bufsize); -+ -+ if (src == NULL || dst == NULL) -+ { -+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, -+ _("There was not enough memory to complete the operation.")); -+ g_free (src); -+ -+ return FALSE; -+ } - - gegl_buffer_get (src_buffer, GEGL_RECTANGLE (x, y, width, height), 1.0, - format, src, -@@ -368,6 +391,8 @@ despeckle (GimpDrawable *drawable, - - g_free (dst); - g_free (src); -+ -+ return TRUE; - } - - static gboolean -@@ -446,8 +471,9 @@ static void - preview_update (GtkWidget *widget, - GObject *config) - { -- GimpPreview *preview = GIMP_PREVIEW (widget); -+ GimpPreview *preview = GIMP_PREVIEW (widget); - GimpDrawable *drawable = g_object_get_data (config, "drawable"); -+ gsize bufsize = 0; - GeglBuffer *src_buffer; - const Babl *format; - guchar *dst; -@@ -464,8 +490,18 @@ preview_update (GtkWidget *widget, - - src_buffer = gimp_drawable_get_buffer (drawable); - -- dst = g_new (guchar, width * height * img_bpp); -- src = g_new (guchar, width * height * img_bpp); -+ if (! g_size_checked_mul (&bufsize, width, height) || -+ ! g_size_checked_mul (&bufsize, bufsize, img_bpp)) -+ return; -+ -+ src = g_try_malloc (bufsize); -+ dst = g_try_malloc (bufsize); -+ -+ if (src == NULL || dst == NULL) -+ { -+ g_free (src); -+ return; -+ } - - gegl_buffer_get (src_buffer, GEGL_RECTANGLE (x1, y1, width, height), 1.0, - format, src, --- -GitLab diff --git a/gimp.spec b/gimp.spec index 53c1932cdc406c98f1b9a018177b029ef53a5ae1..8149324df244ac6737fb3b207e4d0b7d8c08a51e 100644 --- a/gimp.spec +++ b/gimp.spec 
@@ -7,8 +7,8 @@ Summary: GNU Image Manipulation Program Name: gimp -Version: 3.0.2 -Release: 3%{?dist} +Version: 3.0.6 +Release: 1%{?dist} %global major %(ver=%{version}; echo ${ver%%%%.*}) %global minor %(ver=%{version}; ver=${ver#%major.}; echo ${ver%%%%.*}) @@ -19,20 +19,17 @@ License: GPLv3+ and GPLv3 URL: https://www.gimp.org/ Source0: https://download.gimp.org/pub/gimp/v%{binver}/gimp-%{version}.tar.xz -Patch0001: 0001-fix-CVE-2025-5473.patch -Patch0002: 0002-fix-CVE-2025-6035.patch Patch3000: gimp-2.10.12-default-font.patch -BuildRequires: gcc glib2-devel meson ninja-build pkgconfig +BuildRequires: gcc glib2-devel meson ninja-build pkgconfig cmake BuildRequires: alsa-lib-devel atk-devel babl-devel bzip2-devel cairo-devel fontconfig-devel freetype-devel BuildRequires: gdk-pixbuf2-devel gegl04-tools gegl04-devel libgs-devel gtk3-devel gtk-doc harfbuzz-devel -BuildRequires: iso-codes-devel lcms2-devel libappstream-glib libappstream-glib-devel libarchive +BuildRequires: iso-codes-devel lcms2-devel appstream-devel libarchive-devel BuildRequires: exiv2-devel libgexiv2-devel libgudev1-devel libjpeg-devel libmng-devel libpng-devel librsvg2-devel BuildRequires: libtiff-devel libwebp-devel libwmf-devel libmypaint-devel mypaint-brushes-devel gjs-devel BuildRequires: OpenEXR-devel openjpeg2-devel pango-devel perl poppler-glib-devel poppler-data-devel json-glib-devel BuildRequires: python3-cairo-devel python3-gobject-devel python3-devel chrpath intltool gettext vala BuildRequires: xz-devel zlib-devel libX11-devel libXmu-devel libXpm-devel libheif-devel cfitsio-devel -BuildRequires: libjxl-devel BuildRequires: xorg-x11-server-Xvfb dbus-daemon Requires: gjs hicolor-icon-theme luajit xdg-utils python3-gobject Requires: %{name}-libs = %{version}-%{release} 
@@ -85,30 +82,11 @@ build GNU Image Manipulation Program (GIMP) plug-ins and extensions. %meson \ -Dbug-report-url=https://gitee.com/opencloudos-stream/gimp/issues \ -Daa=disabled \ - -Dalsa=enabled \ - -Dappdata-test=disabled \ - -Dcairo-pdf=enabled \ - -Dfits=enabled \ - -Dghostscript=enabled \ - -Dgudev=enabled \ - -Dheif=enabled \ -Dilbm=disabled \ - -Djpeg2000=enabled \ - -Djpeg-xl=enabled \ - -Dmng=enabled \ - -Dopenexr=enabled \ - -Dopenmp=enabled \ - -Dwebp=enabled \ - -Dwmf=enabled \ - -Dxcursor=enabled \ - -Dxpm=enabled \ - -Dheadless-tests=enabled \ + -Djpeg-xl=disabled \ -Dgi-docgen=disabled \ - -Dlinux-input=enabled \ - -Dvector-icons=true \ - -Dvala=enabled \ - -Djavascript=enabled \ - -Dlua=true + -Dheif=enabled \ + -Dheadless-tests=disabled %meson_build @@ -265,7 +243,11 @@ cat gimp-plugin-files gimp-all.lang > gimp.files %changelog -* Mon Jul 21 2025 bbrucezhang - 3.0.2-3 +* Fri Dec 05 2025 zidonghuang - 3.0.6-1 +- [Type] Security +- [DESC] Update to 3.0.6 to fix CVE-2025-10920, CVE-2025-10922, CVE-2025-10923, CVE-2025-10924, CVE-2025-10925, and CVE-2025-10934 + +* Mon Jul 21 2025 zidonghuang - 3.0.2-3 - [Type] Security - [DESC] Applied upstream patches to fix CVE-2025-5473 and CVE-2025-6035 diff --git a/sources b/sources index cdbff4c078c9184e5763256ad39dd449c8812b18..030c380b1b0aaa2a1c9356cb6bcc9b0a71953add 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (gimp-3.0.2.tar.xz) = e5f72f9f1447ff3ec5ab78bc589831767c00be91a0f337b1ab2d5beee3f79b01464c3de0dc1a518fd72180b4232be5b8d7121d186425a766090842b550f534df +SHA512 (gimp-3.0.6.tar.xz) = 513fe11083b6560ce7bbe1b56ccbc0d83a4edb33e110508543fc8c8fdf6c60d91f9af60cb4d83926eec490baceb6c9cc5aae43a4d0ae7a04099f4036e50d179c
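Review bot: The `%meson` block in this hunk drops the explicit `-D<feature>=enabled` switches (alsa, cairo-pdf, fits, ghostscript, gudev, jpeg2000, mng, openexr, openmp, webp, wmf, xcursor, xpm, linux-input, vala, javascript, lua, vector-icons) while the matching `-devel` BuildRequires stay in place, so those options presumably fall back to meson auto-detection and a missing or broken dependency now silently produces a GIMP without that plug-in instead of failing the build. Keeping the explicit `enabled` values for the formats the package is expected to ship makes such a regression fail loudly and keeps the plug-in set reproducible across rebuilds; this matters in particular for `-Djavascript=enabled` and `-Dlua=true`, whose runtime `Requires: gjs ... luajit` are still listed. `-Djpeg-xl=disabled` together with the removed `libjxl-devel` drops JPEG XL support, and `-Dheadless-tests=disabled` turns off the build-time test run for a security update, yet neither change is mentioned in the new changelog entry; add a line such as `- [DESC] Disable jpeg-xl plug-in and headless tests (<reason>)` and a spec comment above `%meson` stating the reason. If the switches were removed deliberately because 3.0.6 renamed or dropped them, say so in that comment so the next update does not re-add them blindly.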