From 5bd3fcfc53b42a281b6c2d0e2d9e60e9a0e24f64 Mon Sep 17 00:00:00 2001
From: Zidong Huang
Date: Mon, 24 Nov 2025 17:25:12 +0800
Subject: [PATCH 1/2] Applied upstream patches Fixed CVE-2025-10920, CVE-2025-10922, CVE-2025-10923, CVE-2025-10924, CVE-2025-10925, and CVE-2025-10934
---
 0003-fix-CVE-2025-10920.patch | 36 +++++++++
 0004-fix-CVE-2025-10922.patch | 145 ++++++++++++++++++++++++++++++++++
 0005-fix-CVE-2025-10923.patch | 59 ++++++++++++++
 0006-fix-CVE-2025-10924.patch | 91 +++++++++++++++++++++
 0007-fix-CVE-2025-10925.patch | 46 +++++++++++
 0008-fix-CVE-2025-10934.patch | 47 +++++++++++
 gimp.spec | 14 +++-
 7 files changed, 436 insertions(+), 2 deletions(-)
 create mode 100644 0003-fix-CVE-2025-10920.patch
 create mode 100644 0004-fix-CVE-2025-10922.patch
 create mode 100644 0005-fix-CVE-2025-10923.patch
 create mode 100644 0006-fix-CVE-2025-10924.patch
 create mode 100644 0007-fix-CVE-2025-10925.patch
 create mode 100644 0008-fix-CVE-2025-10934.patch
diff --git a/0003-fix-CVE-2025-10920.patch b/0003-fix-CVE-2025-10920.patch
new file mode 100644
index 0000000..11478e6
--- /dev/null
+++ b/0003-fix-CVE-2025-10920.patch
@@ -0,0 +1,36 @@
+From 5f4329d324b0db7a857918941ef7e1d27f3d3992 Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Wed, 3 Sep 2025 13:41:10 +0000
+Subject: [PATCH] plug-ins: Fix ZDI-CAN-27684
+
+Prevent overflow attack by checking if
+output >= max, not just output > max.
+---
+ plug-ins/file-icns/file-icns-load.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/file-icns/file-icns-load.c b/plug-ins/file-icns/file-icns-load.c
+index c8f16fef60..f2298c056e 100644
+--- a/plug-ins/file-icns/file-icns-load.c
++++ b/plug-ins/file-icns/file-icns-load.c
+@@ -323,7 +323,7 @@ icns_decompress (guchar *dest,
+
+ for (run -= 125; run > 0; run--)
+ {
+- if (out > max)
++ if (out >= max)
+ {
+ g_message ("Corrupt icon? compressed run overflows output size.");
+ return FALSE;
+@@ -341,7 +341,7 @@ icns_decompress (guchar *dest,
+ g_message ("Corrupt icon: uncompressed run overflows input size.");
+ return FALSE;
+ }
+- if (out > max)
++ if (out >= max)
+ {
+ g_message ("Corrupt icon: uncompressed run overflows output size.");
+ return FALSE;
+--
+GitLab
+
diff --git a/0004-fix-CVE-2025-10922.patch b/0004-fix-CVE-2025-10922.patch
new file mode 100644
index 0000000..b0d0bf5
--- /dev/null
+++ b/0004-fix-CVE-2025-10922.patch
@@ -0,0 +1,145 @@
+From 0f309f9a8d82f43fa01383bc5a5c41d28727d9e3 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema
+Date: Wed, 3 Sep 2025 13:31:45 -0400
+Subject: [PATCH] plug-ins: fix dicom plug-in ZDI-CAN-27863
+
+GIMP DCM File Parsing Heap-based Buffer Overflow Remote Code Execution
+Vulnerability
+
+This adds more safety checks and sets actual GError's instead of just
+calling gimp_quit.
+
+Closes #14811
+---
+ plug-ins/common/file-dicom.c | 65 ++++++++++++++++++++++++++++--------
+ 1 file changed, 51 insertions(+), 14 deletions(-)
+
+diff --git a/plug-ins/common/file-dicom.c b/plug-ins/common/file-dicom.c
+index 31039050f27..a11a13ef405 100644
+--- a/plug-ins/common/file-dicom.c
++++ b/plug-ins/common/file-dicom.c
+@@ -344,6 +344,7 @@ load_image (GFile *file,
+ gint bits_stored = 0;
+ gint high_bit = 0;
+ guint8 *pix_buf = NULL;
++ guint64 pixbuf_size = 0;
+ gboolean is_signed = FALSE;
+ guint8 in_sequence = 0;
+ gboolean implicit_encoding = FALSE;
+@@ -399,6 +400,7 @@ load_image (GFile *file,
+ guint16 ctx_us;
+ guint8 *value;
+ guint32 tag;
++ size_t actual_read;
+
+ if (fread (&group_word, 1, 2, dicom) == 0)
+ break;
+@@ -503,15 +505,24 @@ load_image (GFile *file,
+
+ if (element_length >= (G_MAXUINT - 6))
+ {
+- g_message ("'%s' seems to have an incorrect value field length.",
+- gimp_file_get_utf8_name (file));
+- gimp_quit ();
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("'%s' has an an incorrect value for field size. Possibly corrupt image."),
++ gimp_file_get_utf8_name (file));
++ g_free (dicominfo);
++ fclose (dicom);
++ return NULL;
+ }
+
+ /* Read contents. Allocate a bit more to make room for casts to int
+ below. */
+ value = g_new0 (guint8, element_length + 4);
+- fread (value, 1, element_length, dicom);
++ actual_read = fread (value, 1, element_length, dicom);
++ if (actual_read < element_length)
++ {
++ g_warning ("Missing data: needed %u bytes, got %u. Possibly corrupt image.",
++ element_length, (guint32) actual_read);
++ element_length = actual_read;
++ }
+
+ /* ignore everything inside of a sequence */
+ if (in_sequence)
+@@ -524,7 +535,7 @@ load_image (GFile *file,
+ if (big_endian && group_word != 0x0002)
+ ctx_us = GUINT16_SWAP_LE_BE (ctx_us);
+
+- g_debug ("group: %04x, element: %04x, length: %d",
++ g_debug ("group: %04x, element: %04x, length: %u",
+ group_word, element_word, element_length);
+ g_debug ("Value: %s", (char*)value);
+ /* Recognize some critical tags */
+@@ -658,6 +669,7 @@ load_image (GFile *file,
+ if (group_word == 0x7fe0 && element_word == 0x0010)
+ {
+ pix_buf = value;
++ pixbuf_size = element_length;
+ }
+ else
+ {
+@@ -688,25 +700,50 @@ load_image (GFile *file,
+ }
+ }
+
++ g_debug ("Bpp: %d, wxh: %u x %u, spp: %d\n", bpp, width, height, samples_per_pixel);
++
+ if ((bpp != 8) && (bpp != 16))
+ {
+- g_message ("'%s' has a bpp of %d which GIMP cannot handle.",
+- gimp_file_get_utf8_name (file), bpp);
+- gimp_quit ();
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("'%s' has a bpp of %d which GIMP cannot handle."),
++ gimp_file_get_utf8_name (file), bpp);
++ g_free (pix_buf);
++ g_free (dicominfo);
++ fclose (dicom);
++ return NULL;
+ }
+
+ if ((width > GIMP_MAX_IMAGE_SIZE) || (height > GIMP_MAX_IMAGE_SIZE))
+ {
+- g_message ("'%s' has a larger image size (%d x %d) than GIMP can handle.",
+- gimp_file_get_utf8_name (file), width, height);
+- gimp_quit ();
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("'%s' has a larger image size (%d x %d) than GIMP can handle."),
++ gimp_file_get_utf8_name (file), width, height);
++ g_free (pix_buf);
++ g_free (dicominfo);
++ fclose (dicom);
++ return NULL;
+ }
+
+ if (samples_per_pixel > 3)
+ {
+- g_message ("'%s' has samples per pixel of %d which GIMP cannot handle.",
+- gimp_file_get_utf8_name (file), samples_per_pixel);
+- gimp_quit ();
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("'%s' has samples per pixel of %d which GIMP cannot handle."),
++ gimp_file_get_utf8_name (file), samples_per_pixel);
++ g_free (pix_buf);
++ g_free (dicominfo);
++ fclose (dicom);
++ return NULL;
++ }
++
++ if ((guint64) width * height * (bpp >> 3) * samples_per_pixel > pixbuf_size)
++ {
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("'%s' has not enough pixel data. Possibly corrupt image."),
++ gimp_file_get_utf8_name (file));
++ g_free (pix_buf);
++ g_free (dicominfo);
++ fclose (dicom);
++ return NULL;
+ }
+
+ dicominfo->width = width;
+--
+GitLab
+
diff --git a/0005-fix-CVE-2025-10923.patch b/0005-fix-CVE-2025-10923.patch
new file mode 100644
index 0000000..b2df18a
--- /dev/null
+++ b/0005-fix-CVE-2025-10923.patch
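Review bot: The first added error return, in the `element_length >= (G_MAXUINT - 6)` branch, frees `dicominfo` and closes the file but not `pix_buf`, while every later added return also calls `g_free (pix_buf)`. That branch appears to sit inside the element-reading loop, so if a pixel-data element (0x7fe0,0x0010) was stored before a malformed length is met, the buffer is leaked; adding `g_free (pix_buf);` there keeps the cleanup paths consistent. The new message in the same branch reads `has an an incorrect value`, which should be `has an incorrect value`. Separately, a zero `width`, `height` or `samples_per_pixel` makes the final size product 0 and so passes the new `> pixbuf_size` check; whether later code rejects those values cannot be seen here, because load_image starts and ends outside the hunks.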
@@ -0,0 +1,59 @@
+From fb31ddf32298bb2f0f09b3ccc53464b8693a050e Mon Sep 17 00:00:00 2001
+From: Jacob Boerema
+Date: Wed, 3 Sep 2025 15:25:55 -0400
+Subject: [PATCH] plug-ins: fix ZDI-CAN-27878
+
+GIMP WBMP File Parsing Integer Overflow Remote Code Execution
+Vulnerability
+
+We recently fixed one instance of not upgrading the size, but forgot
+the other. Fix that here by casting to (gsize). While we're at it,
+also add a warning, when reading more data fails unexpectedly.
+
+Closes #14812
+---
+ plug-ins/common/file-wbmp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/common/file-wbmp.c b/plug-ins/common/file-wbmp.c
+index a19b0f9728..f37450118f 100644
+--- a/plug-ins/common/file-wbmp.c
++++ b/plug-ins/common/file-wbmp.c
+@@ -456,6 +456,7 @@ read_image (FILE *fd,
+ GeglBuffer *buffer;
+ guchar *dest, *temp;
+ gint i, cur_progress, max_progress;
++ size_t n_read;
+
+ /* Make a new image in GIMP */
+ if ((width < 0) || (width > GIMP_MAX_IMAGE_SIZE))
+@@ -480,14 +481,14 @@ read_image (FILE *fd,
+
+ gimp_image_insert_layer (image, layer, NULL, 0);
+
+- dest = g_malloc0 (width * height);
++ dest = g_malloc0 ((gsize) width * height);
+
+ ypos = 0;
+
+ cur_progress = 0;
+ max_progress = height;
+
+- while (ReadOK (fd, &v, 1))
++ while ((n_read = ReadOK (fd, &v, 1)) != 0)
+ {
+ for (i = 1; (i <= 8) && (xpos < width); i++, xpos++)
+ {
+@@ -512,6 +513,9 @@ read_image (FILE *fd,
+ break;
+ }
+
++ if (n_read == 0)
++ g_warning (_("Read failure at position %u. Possibly corrupt image."), ypos * width + xpos);
++
+ buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
+
+ gegl_buffer_set (buffer, GEGL_RECTANGLE (0, 0, width, height), 0, NULL, dest,
+--
+GitLab
+
diff --git a/0006-fix-CVE-2025-10924.patch b/0006-fix-CVE-2025-10924.patch
new file mode 100644
index 0000000..cc9395f
--- /dev/null
+++ b/0006-fix-CVE-2025-10924.patch
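Review bot: The position printed by the new `g_warning` is computed as `ypos * width + xpos` in the operands' own integer type, which is the same narrow multiplication the `(gsize)` cast on the `g_malloc0` line was added to avoid. For large dimensions the value can wrap (and the overflow is undefined if the operands are signed; their declarations are outside the hunk), so the diagnostic may report a wrong offset for exactly the files it is meant to flag. Widening the first operand, `(guint64) ypos * width + xpos`, with a format specifier that matches the wider type keeps the message trustworthy. A short comment above `if (n_read == 0)` saying that it separates a failed read from the loop's `break` exits would also help; read_image starts and ends outside the hunks.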
@@ -0,0 +1,91 @@
+From 53b18653bca9404efeab953e75960b1cf7dedbed Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Wed, 3 Sep 2025 22:10:34 +0000
+Subject: [PATCH] plug-ins: Fix ZDI-CAN-27836
+
+ZDI-CAN-27836: GIMP FF File Parsing Integer Overflow
+Remote Code Execution Vulnerability
+
+This patch increases the row_size data type to gsize and checks if it
+would overflow based on the width given. It also makes sure the image
+size does not exceed GIMP's image size limits.
+---
+ plug-ins/common/file-farbfeld.c | 31 ++++++++++++++++++++++++-------
+ 1 file changed, 24 insertions(+), 7 deletions(-)
+
+diff --git a/plug-ins/common/file-farbfeld.c b/plug-ins/common/file-farbfeld.c
+index f610fa439a..921e4e35cc 100644
+--- a/plug-ins/common/file-farbfeld.c
++++ b/plug-ins/common/file-farbfeld.c
+@@ -261,7 +261,7 @@ load_image (GFile *file,
+ guchar magic_number[8];
+ guint32 width;
+ guint32 height;
+- guint32 row_size;
++ gsize row_size;
+ const Babl *format = babl_format ("R'G'B'A u16");
+ FILE *fp;
+
+@@ -282,13 +282,24 @@ load_image (GFile *file,
+ {
+ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
+ _("Failed to read Farbfeld header"));
++ fclose (fp);
+ return NULL;
+ }
+
+ /* Header information is stored in Big-Endian format */
+ width = GUINT32_FROM_BE (width);
+ height = GUINT32_FROM_BE (height);
+- row_size = width * sizeof (guint16) * 4;
++
++ if (width > GIMP_MAX_IMAGE_SIZE ||
++ height > GIMP_MAX_IMAGE_SIZE ||
++ ! g_size_checked_mul (&row_size, width, (sizeof (guint16) * 4)))
++ {
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("Image dimensions too large: width %d x height %d"),
++ width, height);
++ fclose (fp);
++ return NULL;
++ }
+
+ image = gimp_image_new_with_precision (width, height, GIMP_RGB,
+ GIMP_PRECISION_U16_NON_LINEAR);
+@@ -298,12 +309,19 @@ load_image (GFile *file,
+ gimp_image_get_default_new_layer_mode (image));
+ gimp_image_insert_layer (image, layer, NULL, 0);
+
+- buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
++ pixels = g_try_malloc (row_size);
++ if (pixels == NULL)
++ {
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("There was not enough memory to complete the "
++ "operation."));
++ fclose (fp);
++ return NULL;
++ }
+
++ buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
+ for (gint i = 0; i < height; i++)
+ {
+- pixels = g_malloc (row_size);
+-
+ if (! fread (pixels, row_size, 1, fp))
+ {
+ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
+@@ -318,9 +336,8 @@ load_image (GFile *file,
+ gegl_buffer_set (buffer,
+ GEGL_RECTANGLE (0, i, width, 1), 0,
+ format, pixels, GEGL_AUTO_ROWSTRIDE);
+-
+- g_free (pixels);
+ }
++ g_free (pixels);
+
+ fclose (fp);
+ g_object_unref (buffer);
+--
+GitLab
+
diff --git a/0007-fix-CVE-2025-10925.patch b/0007-fix-CVE-2025-10925.patch
new file mode 100644
index 0000000..c17ffc7
--- /dev/null
+++ b/0007-fix-CVE-2025-10925.patch
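Review bot: The new `g_try_malloc (row_size)` failure path returns NULL after `gimp_image_new_with_precision ()` and `gimp_image_insert_layer ()` have already run, so the half-built image is left behind; allocating `pixels` before the image is created, or calling `gimp_image_delete (image);` before `return NULL;`, avoids that. In the dimension check the error string formats the `guint32` values `width` and `height` with `%d`, so the oversized values this branch exists to report can print as negative numbers; `%u` matches the type. The read-failure branch inside the row loop is only partly visible, so it is worth confirming that it now frees `pixels`, since the buffer is no longer allocated and freed per iteration. load_image starts and ends outside the hunks.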
@@ -0,0 +1,46 @@
+From 002b22c15028b18557bd0823a081af9ed5316679 Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Thu, 4 Sep 2025 04:45:43 +0000
+Subject: [PATCH] plug-ins: Fix ZDI-CAN-27793
+
+GIMP ILBM File Parsing Stack-based Buffer Overflow
+Remote Code Execution Vulnerability
+
+Adds a check to file-iff.c to ensure the palette_size is
+between 0 and 256.
+---
+ plug-ins/common/file-iff.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/common/file-iff.c b/plug-ins/common/file-iff.c
+index 6c1418950db..d144a96a4c9 100644
+--- a/plug-ins/common/file-iff.c
++++ b/plug-ins/common/file-iff.c
+@@ -328,7 +328,9 @@ load_image (GFile *file,
+ bitMapHeader = true_image->bitMapHeader;
+ if (! bitMapHeader || ! true_image->body)
+ {
+- g_message (_("ILBM contains no image data - likely a palette file"));
++ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
++ _("ILBM contains no image data - likely a palette "
++ "file"));
+ return NULL;
+ }
+
+@@ -355,6 +357,13 @@ load_image (GFile *file,
+ {
+ palette_size = colorMap->colorRegisterLength;
+
++ if (palette_size < 0 || palette_size > 256)
++ {
++ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
++ _("Invalid ILBM colormap size"));
++ return NULL;
++ }
++
+ for (gint j = 0; j < palette_size; j++)
+ {
+ gimp_cmap[j * 3] = colorMap->colorRegister[j].red;
+--
+GitLab
+
diff --git a/0008-fix-CVE-2025-10934.patch b/0008-fix-CVE-2025-10934.patch
new file mode 100644
index 0000000..dfd03f9
--- /dev/null
+++ b/0008-fix-CVE-2025-10934.patch
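Review bot: Both new `g_set_error` calls take their error code from `g_file_error_from_errno (errno)`, but neither condition follows a failed system call, so `errno` holds whatever an earlier, unrelated call left there and the reported `G_FILE_ERROR` code is arbitrary. A fixed plug-in error suits a validation failure better, e.g. `g_set_error (error, GIMP_PLUG_IN_ERROR, 0, _("Invalid ILBM colormap size"));`, assuming `GIMP_PLUG_IN_ERROR` is available in this file as it is in the other loaders patched here. The `palette_size > 256` bound should also be tied to the size of `gimp_cmap`, whose declaration is outside the hunk, through a comment or a shared constant. Whether the early returns release the parsed ILBM data cannot be seen from here, because load_image starts and ends outside the hunks.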
@@ -0,0 +1,47 @@
+From 5c3e2122d53869599d77ef0f1bdece117b24fd7c Mon Sep 17 00:00:00 2001
+From: Jacob Boerema
+Date: Wed, 3 Sep 2025 18:37:26 -0400
+Subject: [PATCH] plug-ins: fix ZDI-CAN-27823
+
+GIMP XWD File Parsing Heap-based Buffer Overflow Remote Code Execution
+Vulnerability.
+
+Check offset in colormap is valid before writing to it.
+
+Closes #14814
+
+(cherry picked from commit 4eb106f2bff2d9b8e518aa455a884c6f38d70c6a)
+---
+ plug-ins/common/file-xwd.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
+index 8d013397be6..c4c41e5bea7 100644
+--- a/plug-ins/common/file-xwd.c
++++ b/plug-ins/common/file-xwd.c
+@@ -1683,9 +1683,20 @@ load_xwd_f2_d16_b16 (GFile *file,
+ greenval = (green * 255) / maxgreen;
+ for (blue = 0; blue <= maxblue; blue++)
+ {
++ guint32 offset = ((red << redshift) + (green << greenshift) +
++ (blue << blueshift)) * 3;
++
++ if (offset+2 >= maxval)
++ {
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("Invalid colormap offset. Possibly corrupt image."));
++ g_free (data);
++ g_free (ColorMap);
++ g_object_unref (buffer);
++ return NULL;
++ }
+ blueval = (blue * 255) / maxblue;
+- cm = ColorMap + ((red << redshift) + (green << greenshift)
+- + (blue << blueshift)) * 3;
++ cm = ColorMap + offset;
+ *(cm++) = redval;
+ *(cm++) = greenval;
+ *cm = blueval;
+--
+GitLab
+
diff --git a/gimp.spec b/gimp.spec
index 53c1932..c9127f5 100644
--- a/gimp.spec
+++ b/gimp.spec
@@ -8,7 +8,7 @@ Summary: GNU Image Manipulation Program
 Name: gimp
 Version: 3.0.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 %global major %(ver=%{version}; echo ${ver%%%%.*})
 %global minor %(ver=%{version}; ver=${ver#%major.}; echo ${ver%%%%.*})
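Review bot: The new bounds check works on a `guint32` `offset`, so the shifts, the sum, the `* 3` and the `offset+2` can each wrap before the comparison with `maxval`; a wrapped value would pass the check and still be used in `cm = ColorMap + offset`. Whether that is reachable depends on the ranges of `redshift`, `greenshift`, `blueshift` and the `max*` values, which are set outside the hunk, so either document why they are bounded or do the arithmetic in 64 bits, e.g. `guint64 offset = (((guint64) red << redshift) + ((guint64) green << greenshift) + ((guint64) blue << blueshift)) * 3;`. A comment stating that `maxval` is the byte size of the `ColorMap` allocation, if that is what it is, would make the `>=` comparison verifiable. load_xwd_f2_d16_b16 starts and ends outside the hunk.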
@@ -21,6 +21,12 @@ Source0: https://download.gimp.org/pub/gimp/v%{binver}/gimp-%{version}.ta
 Patch0001: 0001-fix-CVE-2025-5473.patch
 Patch0002: 0002-fix-CVE-2025-6035.patch
+Patch0003: 0003-fix-CVE-2025-10920.patch
+Patch0004: 0004-fix-CVE-2025-10922.patch
+Patch0005: 0005-fix-CVE-2025-10923.patch
+Patch0006: 0006-fix-CVE-2025-10924.patch
+Patch0007: 0007-fix-CVE-2025-10925.patch
+Patch0008: 0008-fix-CVE-2025-10934.patch
 Patch3000: gimp-2.10.12-default-font.patch
 BuildRequires: gcc glib2-devel meson ninja-build pkgconfig
@@ -265,7 +271,11 @@ cat gimp-plugin-files gimp-all.lang > gimp.files
 %changelog
-* Mon Jul 21 2025 bbrucezhang - 3.0.2-3
+* Mon Nov 24 2025 zidonghuang - 3.0.2-4
+- [Type] Security
+- [DESC] Applied upstream patches to fix CVE-2025-10920, CVE-2025-10922, CVE-2025-10923, CVE-2025-10924, CVE-2025-10925, and CVE-2025-10934
+
+* Mon Jul 21 2025 zidonghuang - 3.0.2-3
 - [Type] Security
 - [DESC] Applied upstream patches to fix CVE-2025-5473 and CVE-2025-6035
--
Gitee
From 116e3b87dbf2c6d74197e792967170c87402e7b4 Mon Sep 17 00:00:00 2001
From: Zidong Huang
Date: Fri, 12 Dec 2025 11:07:22 +0800
Subject: [PATCH 2/2] Update to 3.0.6 to fix CVE-2025-10920, CVE-2025-10922, CVE-2025-10923, CVE-2025-10924, CVE-2025-10925, and CVE-2025-10934
---
 0001-fix-CVE-2025-5473.patch | 36 -------
 0002-fix-CVE-2025-6035.patch | 183 ----------------------------------
 0003-fix-CVE-2025-10920.patch | 36 -------
 0004-fix-CVE-2025-10922.patch | 145 ---------------------------
 0005-fix-CVE-2025-10923.patch | 59 -----------
 0006-fix-CVE-2025-10924.patch | 91 -----------------
 0007-fix-CVE-2025-10925.patch | 46 ---------
 0008-fix-CVE-2025-10934.patch | 47 ---------
 gimp.spec | 46 ++-------
 sources | 2 +-
 10 files changed, 10 insertions(+), 681 deletions(-)
 delete mode 100644 0001-fix-CVE-2025-5473.patch
 delete mode 100644 0002-fix-CVE-2025-6035.patch
 delete mode 100644 0003-fix-CVE-2025-10920.patch
 delete mode 100644 0004-fix-CVE-2025-10922.patch
 delete mode 100644 0005-fix-CVE-2025-10923.patch
 delete mode 100644 0006-fix-CVE-2025-10924.patch
 delete mode 100644 0007-fix-CVE-2025-10925.patch
 delete mode 100644 0008-fix-CVE-2025-10934.patch
diff --git a/0001-fix-CVE-2025-5473.patch b/0001-fix-CVE-2025-5473.patch
deleted file mode 100644
index 313b3f1..0000000
--- a/0001-fix-CVE-2025-5473.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From c855d1df60ebaf5ef8d02807d448eb088f147a2b Mon Sep 17 00:00:00 2001
-From: Alx Sa
-Date: Sat, 3 May 2025 14:13:46 +0000
-Subject: [PATCH] plug-ins: ZDI-CAN-26752 mitigation
-
-Resolves #13910
-Since ICO can store PNGs, it's possible to create an
-icon that's much larger than the stated image size and
-cause a buffer overflow.
-This patch adds a check to make sure the width * height * 4
-calculation does not overflow in addition to making sure it
-doesn't exceed the maximum allowed size for that icon.
----
- plug-ins/file-ico/ico-load.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
-index 9a222998bc1..818cf23cd31 100644
---- a/plug-ins/file-ico/ico-load.c
-+++ b/plug-ins/file-ico/ico-load.c
-@@ -299,7 +299,11 @@ ico_read_png (FILE *fp,
- png_read_info (png_ptr, info);
- png_get_IHDR (png_ptr, info, &w, &h, &bit_depth, &color_type,
- NULL, NULL, NULL);
-- if (w*h*4 > maxsize)
-+ /* Check for overflow */
-+ if ((w * h * 4) < w ||
-+ (w * h * 4) < h ||
-+ (w * h * 4) < (w * h) ||
-+ (w * h * 4) > maxsize)
- {
- png_destroy_read_struct (&png_ptr, &info, NULL);
- return FALSE;
---
-GitLab
-
diff --git a/0002-fix-CVE-2025-6035.patch b/0002-fix-CVE-2025-6035.patch
deleted file mode 100644
index 92a874f..0000000
--- a/0002-fix-CVE-2025-6035.patch
+++ /dev/null
@@ -1,183 +0,0 @@
-From 548bc3a46d54711d974aae9ce1bce291376c0436 Mon Sep 17 00:00:00 2001
-From: Jacob Boerema
-Date: Thu, 1 May 2025 12:42:17 -0400
-Subject: [PATCH] plug-ins: CWE-190: Integer Overflow or Wraparound in
- Despeckle
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-As reported by Seungho Kim our despeckle filter doesn't check for
-integer overflow when allocating buffers, nor do we check for failed
-allocations.
-
-A potential integer overflow vulnerability exists in the GIMP
-"Despeckle" plug-in. The issue occurs due to unchecked multiplication
-of image dimensions (width, height) and bytes-per-pixel (img_bpp),
-which can result in allocating insufficient memory and subsequently
-performing out-of-bounds writes. This could lead to heap corruption and
-potential denial-of-service (DoS) or arbitrary code execution in
-certain scenarios.
-
-Vulnerability Details
-•width and height are of type guint (signed 32-bit int).
-•Multiplying width * height * img_bpp can result in a value exceeding
-the bounds of gsize.
-•g_new() does not perform overflow protection; if the size wraps around,
-less memory than needed will be allocated.
-•Subsequent pixel processing loops write beyond the allocated memory
-region (src, dst).
-
-Proof of Concept (PoC)
-Open a specially crafted image with very large dimensions (e.g.,
-70,000 x 70,000 pixels) and apply the Despeckle filter. GIMP may crash
-due to heap corruption, or undefined behavior may occur.
-
-We applied the suggested changes and in addition adjusted the despeckle
-function to be able to set error messages, and check for NULL
-allocations.
----
- plug-ins/common/despeckle.c | 62 +++++++++++++++++++++++++++++--------
- 1 file changed, 49 insertions(+), 13 deletions(-)
-
-diff --git a/plug-ins/common/despeckle.c b/plug-ins/common/despeckle.c
-index 3250925b94d..ffa24f06c68 100644
---- a/plug-ins/common/despeckle.c
-+++ b/plug-ins/common/despeckle.c
-@@ -98,8 +98,9 @@ static GimpValueArray * despeckle_run (GimpProcedure *proced
- GimpProcedureConfig *config,
- gpointer run_data);
-
--static void despeckle (GimpDrawable *drawable,
-- GObject *config);
-+static gboolean despeckle (GimpDrawable *drawable,
-+ GObject *config,
-+ GError **error);
- static void despeckle_median (GObject *config,
- guchar *src,
- guchar *dst,
-@@ -224,13 +225,12 @@ despeckle_run (GimpProcedure *procedure,
- gpointer run_data)
- {
- GimpDrawable *drawable;
-+ GError *error = NULL;
-
- gegl_init (NULL, NULL);
-
- if (gimp_core_object_array_get_length ((GObject **) drawables) != 1)
- {
-- GError *error = NULL;
--
- g_set_error (&error, GIMP_PLUG_IN_ERROR, 0,
- _("Procedure '%s' only works with one drawable."),
- PLUG_IN_PROC);
-@@ -250,7 +250,10 @@ despeckle_run (GimpProcedure *procedure,
- if (run_mode == GIMP_RUN_INTERACTIVE && ! despeckle_dialog (procedure, G_OBJECT (config), drawable))
- return gimp_procedure_new_return_values (procedure, GIMP_PDB_CANCEL, NULL);
-
-- despeckle (drawable, G_OBJECT (config));
-+ if (! despeckle (drawable, G_OBJECT (config), &error))
-+ return gimp_procedure_new_return_values (procedure,
-+ GIMP_PDB_EXECUTION_ERROR,
-+ error);
-
- return gimp_procedure_new_return_values (procedure, GIMP_PDB_SUCCESS, NULL);
- }
-@@ -323,9 +326,10 @@ get_u8_format (GimpDrawable *drawable)
- }
- }
-
--static void
-+static gboolean
- despeckle (GimpDrawable *drawable,
-- GObject *config)
-+ GObject *config,
-+ GError **error)
- {
- GeglBuffer *src_buffer;
- GeglBuffer *dest_buffer;
-@@ -335,10 +339,11 @@ despeckle (GimpDrawable *drawable,
- gint img_bpp;
- gint x, y;
- gint width, height;
-+ gsize bufsize = 0;
-
- if (! gimp_drawable_mask_intersect (drawable,
- &x, &y, &width, &height))
-- return;
-+ return TRUE;
-
- format = get_u8_format (drawable);
- img_bpp = babl_format_get_bytes_per_pixel (format);
-@@ -346,8 +351,26 @@ despeckle (GimpDrawable *drawable,
- src_buffer = gimp_drawable_get_buffer (drawable);
- dest_buffer = gimp_drawable_get_shadow_buffer (drawable);
-
-- src = g_new (guchar, width * height * img_bpp);
-- dst = g_new (guchar, width * height * img_bpp);
-+ if (! g_size_checked_mul (&bufsize, width, height) ||
-+ ! g_size_checked_mul (&bufsize, bufsize, img_bpp))
-+ {
-+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
-+ _("Image dimensions too large: width %d x height %d"),
-+ width, height);
-+ return FALSE;
-+ }
-+
-+ src = g_try_malloc (bufsize);
-+ dst = g_try_malloc (bufsize);
-+
-+ if (src == NULL || dst == NULL)
-+ {
-+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
-+ _("There was not enough memory to complete the operation."));
-+ g_free (src);
-+
-+ return FALSE;
-+ }
-
- gegl_buffer_get (src_buffer, GEGL_RECTANGLE (x, y, width, height), 1.0,
- format, src,
-@@ -368,6 +391,8 @@ despeckle (GimpDrawable *drawable,
-
- g_free (dst);
- g_free (src);
-+
-+ return TRUE;
- }
-
- static gboolean
-@@ -446,8 +471,9 @@ static void
- preview_update (GtkWidget *widget,
- GObject *config)
- {
-- GimpPreview *preview = GIMP_PREVIEW (widget);
-+ GimpPreview *preview = GIMP_PREVIEW (widget);
- GimpDrawable *drawable = g_object_get_data (config, "drawable");
-+ gsize bufsize = 0;
- GeglBuffer *src_buffer;
- const Babl *format;
- guchar *dst;
-@@ -464,8 +490,18 @@ preview_update (GtkWidget *widget,
-
- src_buffer = gimp_drawable_get_buffer (drawable);
-
-- dst = g_new (guchar, width * height * img_bpp);
-- src = g_new (guchar, width * height * img_bpp);
-+ if (! g_size_checked_mul (&bufsize, width, height) ||
-+ ! g_size_checked_mul (&bufsize, bufsize, img_bpp))
-+ return;
-+
-+ src = g_try_malloc (bufsize);
-+ dst = g_try_malloc (bufsize);
-+
-+ if (src == NULL || dst == NULL)
-+ {
-+ g_free (src);
-+ return;
-+ }
-
- gegl_buffer_get (src_buffer, GEGL_RECTANGLE (x1, y1, width, height), 1.0,
- format, src,
---
-GitLab
diff --git a/0003-fix-CVE-2025-10920.patch b/0003-fix-CVE-2025-10920.patch
deleted file mode 100644
index 11478e6..0000000
--- a/0003-fix-CVE-2025-10920.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 5f4329d324b0db7a857918941ef7e1d27f3d3992 Mon Sep 17 00:00:00 2001
-From: Alx Sa
-Date: Wed, 3 Sep 2025 13:41:10 +0000
-Subject: [PATCH] plug-ins: Fix ZDI-CAN-27684
-
-Prevent overflow attack by checking if
-output >= max, not just output > max.
----
- plug-ins/file-icns/file-icns-load.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/plug-ins/file-icns/file-icns-load.c b/plug-ins/file-icns/file-icns-load.c
-index c8f16fef60..f2298c056e 100644
---- a/plug-ins/file-icns/file-icns-load.c
-+++ b/plug-ins/file-icns/file-icns-load.c
-@@ -323,7 +323,7 @@ icns_decompress (guchar *dest,
-
- for (run -= 125; run > 0; run--)
- {
-- if (out > max)
-+ if (out >= max)
- {
- g_message ("Corrupt icon? compressed run overflows output size.");
- return FALSE;
-@@ -341,7 +341,7 @@ icns_decompress (guchar *dest,
- g_message ("Corrupt icon: uncompressed run overflows input size.");
- return FALSE;
- }
-- if (out > max)
-+ if (out >= max)
- {
- g_message ("Corrupt icon: uncompressed run overflows output size.");
- return FALSE;
---
-GitLab
-
diff --git a/0004-fix-CVE-2025-10922.patch b/0004-fix-CVE-2025-10922.patch
deleted file mode 100644
index b0d0bf5..0000000
--- a/0004-fix-CVE-2025-10922.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From 0f309f9a8d82f43fa01383bc5a5c41d28727d9e3 Mon Sep 17 00:00:00 2001
-From: Jacob Boerema
-Date: Wed, 3 Sep 2025 13:31:45 -0400
-Subject: [PATCH] plug-ins: fix dicom plug-in ZDI-CAN-27863
-
-GIMP DCM File Parsing Heap-based Buffer Overflow Remote Code Execution
-Vulnerability
-
-This adds more safety checks and sets actual GError's instead of just
-calling gimp_quit.
-
-Closes #14811
----
- plug-ins/common/file-dicom.c | 65 ++++++++++++++++++++++++++++--------
- 1 file changed, 51 insertions(+), 14 deletions(-)
-
-diff --git a/plug-ins/common/file-dicom.c b/plug-ins/common/file-dicom.c
-index 31039050f27..a11a13ef405 100644
---- a/plug-ins/common/file-dicom.c
-+++ b/plug-ins/common/file-dicom.c
-@@ -344,6 +344,7 @@ load_image (GFile *file,
- gint bits_stored = 0;
- gint high_bit = 0;
- guint8 *pix_buf = NULL;
-+ guint64 pixbuf_size = 0;
- gboolean is_signed = FALSE;
- guint8 in_sequence = 0;
- gboolean implicit_encoding = FALSE;
-@@ -399,6 +400,7 @@ load_image (GFile *file,
- guint16 ctx_us;
- guint8 *value;
- guint32 tag;
-+ size_t actual_read;
-
- if (fread (&group_word, 1, 2, dicom) == 0)
- break;
-@@ -503,15 +505,24 @@ load_image (GFile *file,
-
- if (element_length >= (G_MAXUINT - 6))
- {
-- g_message ("'%s' seems to have an incorrect value field length.",
-- gimp_file_get_utf8_name (file));
-- gimp_quit ();
-+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
-+ _("'%s' has an an incorrect value for field size. Possibly corrupt image."),
-+ gimp_file_get_utf8_name (file));
-+ g_free (dicominfo);
-+ fclose (dicom);
-+ return NULL;
- }
-
- /* Read contents. Allocate a bit more to make room for casts to int
- below. */
- value = g_new0 (guint8, element_length + 4);
-- fread (value, 1, element_length, dicom);
-+ actual_read = fread (value, 1, element_length, dicom);
-+ if (actual_read < element_length)
-+ {
-+ g_warning ("Missing data: needed %u bytes, got %u. Possibly corrupt image.",
-+ element_length, (guint32) actual_read);
-+ element_length = actual_read;
-+ }
-
- /* ignore everything inside of a sequence */
- if (in_sequence)
-@@ -524,7 +535,7 @@ load_image (GFile *file,
- if (big_endian && group_word != 0x0002)
- ctx_us = GUINT16_SWAP_LE_BE (ctx_us);
-
-- g_debug ("group: %04x, element: %04x, length: %d",
-+ g_debug ("group: %04x, element: %04x, length: %u",
- group_word, element_word, element_length);
- g_debug ("Value: %s", (char*)value);
- /* Recognize some critical tags */
-@@ -658,6 +669,7 @@ load_image (GFile *file,
- if (group_word == 0x7fe0 && element_word == 0x0010)
- {
- pix_buf = value;
-+ pixbuf_size = element_length;
- }
- else
- {
-@@ -688,25 +700,50 @@ load_image (GFile *file,
- }
- }
-
-+ g_debug ("Bpp: %d, wxh: %u x %u, spp: %d\n", bpp, width, height, samples_per_pixel);
-+
- if ((bpp != 8) && (bpp != 16))
- {
-- g_message ("'%s' has a bpp of %d which GIMP cannot handle.",
-- gimp_file_get_utf8_name (file), bpp);
-- gimp_quit ();
-+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
-+ _("'%s' has a bpp of %d which GIMP cannot handle."),
-+ gimp_file_get_utf8_name (file), bpp);
-+ g_free (pix_buf);
-+ g_free (dicominfo);
-+ fclose (dicom);
-+ return NULL;
- }
-
- if ((width > GIMP_MAX_IMAGE_SIZE) || (height > GIMP_MAX_IMAGE_SIZE))
- {
-- g_message ("'%s' has a larger image size (%d x %d) than GIMP can handle.",
-- gimp_file_get_utf8_name (file), width, height);
-- gimp_quit ();
-+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
-+ _("'%s' has a larger image size (%d x %d) than GIMP can handle."),
-+ gimp_file_get_utf8_name (file), width, height);
-+ g_free (pix_buf);
-+ g_free (dicominfo);
-+ fclose (dicom);
-+ return NULL;
- }
-
- if (samples_per_pixel > 3)
- {
-- g_message ("'%s' has samples per pixel of %d which GIMP cannot handle.",
-- gimp_file_get_utf8_name (file), samples_per_pixel);
-- gimp_quit ();
-+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
-+ _("'%s' has samples per pixel of %d which GIMP cannot handle."),
-+ gimp_file_get_utf8_name (file), samples_per_pixel);
-+ g_free (pix_buf);
-+ g_free (dicominfo);
-+ fclose (dicom);
-+ return NULL;
-+ }
-+
-+ if ((guint64) width * height * (bpp >> 3) * samples_per_pixel > pixbuf_size)
-+ {
-+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
-+ _("'%s' has not enough pixel data. Possibly corrupt image."),
-+ gimp_file_get_utf8_name (file));
-+ g_free (pix_buf);
-+ g_free (dicominfo);
-+ fclose (dicom);
-+ return NULL;
- }
-
- dicominfo->width = width;
---
-GitLab
-
diff --git a/0005-fix-CVE-2025-10923.patch b/0005-fix-CVE-2025-10923.patch
deleted file mode 100644
index b2df18a..0000000
--- a/0005-fix-CVE-2025-10923.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From fb31ddf32298bb2f0f09b3ccc53464b8693a050e Mon Sep 17 00:00:00 2001
-From: Jacob Boerema
-Date: Wed, 3 Sep 2025 15:25:55 -0400
-Subject: [PATCH] plug-ins: fix ZDI-CAN-27878
-
-GIMP WBMP File Parsing Integer Overflow Remote Code Execution
-Vulnerability
-
-We recently fixed one instance of not upgrading the size, but forgot
-the other. Fix that here by casting to (gsize). While we're at it,
-also add a warning, when reading more data fails unexpectedly.
-
-Closes #14812
----
- plug-ins/common/file-wbmp.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/plug-ins/common/file-wbmp.c b/plug-ins/common/file-wbmp.c
-index a19b0f9728..f37450118f 100644
---- a/plug-ins/common/file-wbmp.c
-+++ b/plug-ins/common/file-wbmp.c
-@@ -456,6 +456,7 @@ read_image (FILE *fd,
- GeglBuffer *buffer;
- guchar *dest, *temp;
- gint i, cur_progress, max_progress;
-+ size_t n_read;
-
- /* Make a new image in GIMP */
- if ((width < 0) || (width > GIMP_MAX_IMAGE_SIZE))
-@@ -480,14 +481,14 @@ read_image (FILE *fd,
-
- gimp_image_insert_layer (image, layer, NULL, 0);
-
-- dest = g_malloc0 (width * height);
-+ dest = g_malloc0 ((gsize) width * height);
-
- ypos = 0;
-
- cur_progress = 0;
- max_progress = height;
-
-- while (ReadOK (fd, &v, 1))
-+ while ((n_read = ReadOK (fd, &v, 1)) != 0)
- {
- for (i = 1; (i <= 8) && (xpos < width); i++, xpos++)
- {
-@@ -512,6 +513,9 @@ read_image (FILE *fd,
- break;
- }
-
-+ if (n_read == 0)
-+ g_warning (_("Read failure at position %u. Possibly corrupt image."), ypos * width + xpos);
-+
- buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
-
- gegl_buffer_set (buffer, GEGL_RECTANGLE (0, 0, width, height), 0, NULL, dest,
---
-GitLab
-
diff --git a/0006-fix-CVE-2025-10924.patch b/0006-fix-CVE-2025-10924.patch
deleted file mode 100644
index cc9395f..0000000
--- a/0006-fix-CVE-2025-10924.patch
+++ /dev/null
@@ -1,91 +0,0 @@ -From 53b18653bca9404efeab953e75960b1cf7dedbed Mon Sep 17 00:00:00 2001 -From: Alx Sa -Date: Wed, 3 Sep 2025 22:10:34 +0000 -Subject: [PATCH] plug-ins: Fix ZDI-CAN-27836 - -ZDI-CAN-27836: GIMP FF File Parsing Integer Overflow -Remote Code Execution Vulnerability - -This patch increases the row_size data type to gsize and checks if it -would overflow based on the width given. It also makes sure the image -size does not exceed GIMP's image size limits. ---- - plug-ins/common/file-farbfeld.c | 31 ++++++++++++++++++++++++------- - 1 file changed, 24 insertions(+), 7 deletions(-) - -diff --git a/plug-ins/common/file-farbfeld.c b/plug-ins/common/file-farbfeld.c -index f610fa439a..921e4e35cc 100644 ---- a/plug-ins/common/file-farbfeld.c -+++ b/plug-ins/common/file-farbfeld.c -@@ -261,7 +261,7 @@ load_image (GFile *file, - guchar magic_number[8]; - guint32 width; - guint32 height; -- guint32 row_size; -+ gsize row_size; - const Babl *format = babl_format ("R'G'B'A u16"); - FILE *fp; - -@@ -282,13 +282,24 @@ load_image (GFile *file, - { - g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno), - _("Failed to read Farbfeld header")); -+ fclose (fp); - return NULL; - } - - /* Header information is stored in Big-Endian format */ - width = GUINT32_FROM_BE (width); - height = GUINT32_FROM_BE (height); -- row_size = width * sizeof (guint16) * 4; -+ -+ if (width > GIMP_MAX_IMAGE_SIZE || -+ height > GIMP_MAX_IMAGE_SIZE || -+ ! 
g_size_checked_mul (&row_size, width, (sizeof (guint16) * 4))) -+ { -+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, -+ _("Image dimensions too large: width %d x height %d"), -+ width, height); -+ fclose (fp); -+ return NULL; -+ } - - image = gimp_image_new_with_precision (width, height, GIMP_RGB, - GIMP_PRECISION_U16_NON_LINEAR); -@@ -298,12 +309,19 @@ load_image (GFile *file, - gimp_image_get_default_new_layer_mode (image)); - gimp_image_insert_layer (image, layer, NULL, 0); - -- buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer)); -+ pixels = g_try_malloc (row_size); -+ if (pixels == NULL) -+ { -+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, -+ _("There was not enough memory to complete the " -+ "operation.")); -+ fclose (fp); -+ return NULL; -+ } - -+ buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer)); - for (gint i = 0; i < height; i++) - { -- pixels = g_malloc (row_size); -- - if (! fread (pixels, row_size, 1, fp)) - { - g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno), -@@ -318,9 +336,8 @@ load_image (GFile *file, - gegl_buffer_set (buffer, - GEGL_RECTANGLE (0, i, width, 1), 0, - format, pixels, GEGL_AUTO_ROWSTRIDE); -- -- g_free (pixels); - } -+ g_free (pixels); - - fclose (fp); - g_object_unref (buffer); --- -GitLab - diff --git a/0007-fix-CVE-2025-10925.patch b/0007-fix-CVE-2025-10925.patch deleted file mode 100644 index c17ffc7..0000000 --- a/0007-fix-CVE-2025-10925.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 002b22c15028b18557bd0823a081af9ed5316679 Mon Sep 17 00:00:00 2001 -From: Alx Sa -Date: Thu, 4 Sep 2025 04:45:43 +0000 -Subject: [PATCH] plug-ins: Fix ZDI-CAN-27793 - -GIMP ILBM File Parsing Stack-based Buffer Overflow -Remote Code Execution Vulnerability - -Adds a check to file-iff.c to ensure the palette_size is -between 0 and 256. ---- - plug-ins/common/file-iff.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/plug-ins/common/file-iff.c b/plug-ins/common/file-iff.c -index 6c1418950db..d144a96a4c9 100644 ---- a/plug-ins/common/file-iff.c -+++ b/plug-ins/common/file-iff.c -@@ -328,7 +328,9 @@ load_image (GFile *file, - bitMapHeader = true_image->bitMapHeader; - if (! bitMapHeader || ! true_image->body) - { -- g_message (_("ILBM contains no image data - likely a palette file")); -+ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno), -+ _("ILBM contains no image data - likely a palette " -+ "file")); - return NULL; - } - -@@ -355,6 +357,13 @@ load_image (GFile *file, - { - palette_size = colorMap->colorRegisterLength; - -+ if (palette_size < 0 || palette_size > 256) -+ { -+ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno), -+ _("Invalid ILBM colormap size")); -+ return NULL; -+ } -+ - for (gint j = 0; j < palette_size; j++) - { - gimp_cmap[j * 3] = colorMap->colorRegister[j].red; --- -GitLab - diff --git a/0008-fix-CVE-2025-10934.patch b/0008-fix-CVE-2025-10934.patch deleted file mode 100644 index dfd03f9..0000000 --- a/0008-fix-CVE-2025-10934.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 5c3e2122d53869599d77ef0f1bdece117b24fd7c Mon Sep 17 00:00:00 2001 -From: Jacob Boerema -Date: Wed, 3 Sep 2025 18:37:26 -0400 -Subject: [PATCH] plug-ins: fix ZDI-CAN-27823 - -GIMP XWD File Parsing Heap-based Buffer Overflow Remote Code Execution -Vulnerability. - -Check offset in colormap is valid before writing to it. - -Closes #14814 - -(cherry picked from commit 4eb106f2bff2d9b8e518aa455a884c6f38d70c6a) ---- - plug-ins/common/file-xwd.c | 15 +++++++++++++-- - 1 file changed, 13 insertions(+), 2 deletions(-) - -diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c -index 8d013397be6..c4c41e5bea7 100644 ---- a/plug-ins/common/file-xwd.c -+++ b/plug-ins/common/file-xwd.c -@@ -1683,9 +1683,20 @@ load_xwd_f2_d16_b16 (GFile *file, - greenval = (green * 255) / maxgreen; - for (blue = 0; blue <= maxblue; blue++) - { -+ guint32 offset = ((red << redshift) + (green << greenshift) + -+ (blue << blueshift)) * 3; -+ -+ if (offset+2 >= maxval) -+ { -+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, -+ _("Invalid colormap offset. Possibly corrupt image.")); -+ g_free (data); -+ g_free (ColorMap); -+ g_object_unref (buffer); -+ return NULL; -+ } - blueval = (blue * 255) / maxblue; -- cm = ColorMap + ((red << redshift) + (green << greenshift) -- + (blue << blueshift)) * 3; -+ cm = ColorMap + offset; - *(cm++) = redval; - *(cm++) = greenval; - *cm = blueval; --- -GitLab - diff --git a/gimp.spec b/gimp.spec index c9127f5..8149324 100644 --- a/gimp.spec +++ b/gimp.spec @@ -7,8 +7,8 @@ Summary: GNU Image Manipulation Program Name: gimp -Version: 3.0.2 -Release: 4%{?dist} +Version: 3.0.6 +Release: 1%{?dist} %global major %(ver=%{version}; echo ${ver%%%%.*}) %global minor %(ver=%{version}; ver=${ver#%major.}; echo ${ver%%%%.*}) 
@@ -19,26 +19,17 @@ License: GPLv3+ and GPLv3 URL: https://www.gimp.org/ Source0: https://download.gimp.org/pub/gimp/v%{binver}/gimp-%{version}.tar.xz -Patch0001: 0001-fix-CVE-2025-5473.patch -Patch0002: 0002-fix-CVE-2025-6035.patch -Patch0003: 0003-fix-CVE-2025-10920.patch -Patch0004: 0004-fix-CVE-2025-10922.patch -Patch0005: 0005-fix-CVE-2025-10923.patch -Patch0006: 0006-fix-CVE-2025-10924.patch -Patch0007: 0007-fix-CVE-2025-10925.patch -Patch0008: 0008-fix-CVE-2025-10934.patch Patch3000: gimp-2.10.12-default-font.patch -BuildRequires: gcc glib2-devel meson ninja-build pkgconfig +BuildRequires: gcc glib2-devel meson ninja-build pkgconfig cmake BuildRequires: alsa-lib-devel atk-devel babl-devel bzip2-devel cairo-devel fontconfig-devel freetype-devel BuildRequires: gdk-pixbuf2-devel gegl04-tools gegl04-devel libgs-devel gtk3-devel gtk-doc harfbuzz-devel -BuildRequires: iso-codes-devel lcms2-devel libappstream-glib libappstream-glib-devel libarchive +BuildRequires: iso-codes-devel lcms2-devel appstream-devel libarchive-devel BuildRequires: exiv2-devel libgexiv2-devel libgudev1-devel libjpeg-devel libmng-devel libpng-devel librsvg2-devel BuildRequires: libtiff-devel libwebp-devel libwmf-devel libmypaint-devel mypaint-brushes-devel gjs-devel BuildRequires: OpenEXR-devel openjpeg2-devel pango-devel perl poppler-glib-devel poppler-data-devel json-glib-devel BuildRequires: python3-cairo-devel python3-gobject-devel python3-devel chrpath intltool gettext vala BuildRequires: xz-devel zlib-devel libX11-devel libXmu-devel libXpm-devel libheif-devel cfitsio-devel -BuildRequires: libjxl-devel BuildRequires: xorg-x11-server-Xvfb dbus-daemon Requires: gjs hicolor-icon-theme luajit xdg-utils python3-gobject Requires: %{name}-libs = %{version}-%{release} 
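Review bot: Patch0001 (CVE-2025-5473) and Patch0002 (CVE-2025-6035) are dropped in this hunk together with Patch0003 to Patch0008, but the changelog entry in the last gimp.spec hunk names only the six CVEs from CVE-2025-10920 to CVE-2025-10934. Whether the 3.0.6 tarball carries all eight fixes cannot be confirmed from this diff, so each one should be checked against the upstream commit it was backported from before the patch lines go. Once confirmed, record it where later packagers and CVE trackers will look, for example a comment above `Patch3000`: `# Patch0001-Patch0008 dropped in 3.0.6-1: the fixes for CVE-2025-5473, CVE-2025-6035 and the six CVE-2025-10920..10934 issues are part of the upstream tarball`. The two missing CVE ids should also be added to the `[DESC]` line.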
@@ -91,30 +82,11 @@ build GNU Image Manipulation Program (GIMP) plug-ins and extensions. %meson \ -Dbug-report-url=https://gitee.com/opencloudos-stream/gimp/issues \ -Daa=disabled \ - -Dalsa=enabled \ - -Dappdata-test=disabled \ - -Dcairo-pdf=enabled \ - -Dfits=enabled \ - -Dghostscript=enabled \ - -Dgudev=enabled \ - -Dheif=enabled \ -Dilbm=disabled \ - -Djpeg2000=enabled \ - -Djpeg-xl=enabled \ - -Dmng=enabled \ - -Dopenexr=enabled \ - -Dopenmp=enabled \ - -Dwebp=enabled \ - -Dwmf=enabled \ - -Dxcursor=enabled \ - -Dxpm=enabled \ - -Dheadless-tests=enabled \ + -Djpeg-xl=disabled \ -Dgi-docgen=disabled \ - -Dlinux-input=enabled \ - -Dvector-icons=true \ - -Dvala=enabled \ - -Djavascript=enabled \ - -Dlua=true + -Dheif=enabled \ + -Dheadless-tests=disabled %meson_build @@ -271,9 +243,9 @@ cat gimp-plugin-files gimp-all.lang > gimp.files %changelog -* Mon Nov 24 2025 zidonghuang - 3.0.2-4 +* Fri Dec 05 2025 zidonghuang - 3.0.6-1 - [Type] Security -- [DESC] Applied upstream patches to fix CVE-2025-10920, CVE-2025-10922, CVE-2025-10923, CVE-2025-10924, CVE-2025-10925, and CVE-2025-10934 +- [DESC] Update to 3.0.6 to fix CVE-2025-10920, CVE-2025-10922, CVE-2025-10923, CVE-2025-10924, CVE-2025-10925, and CVE-2025-10934 * Mon Jul 21 2025 zidonghuang - 3.0.2-3 - [Type] Security diff --git a/sources b/sources index cdbff4c..030c380 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (gimp-3.0.2.tar.xz) = e5f72f9f1447ff3ec5ab78bc589831767c00be91a0f337b1ab2d5beee3f79b01464c3de0dc1a518fd72180b4232be5b8d7121d186425a766090842b550f534df +SHA512 (gimp-3.0.6.tar.xz) = 513fe11083b6560ce7bbe1b56ccbc0d83a4edb33e110508543fc8c8fdf6c60d91f9af60cb4d83926eec490baceb6c9cc5aae43a4d0ae7a04099f4036e50d179c -- Gitee
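Review bot: `-Dheadless-tests=disabled` switches the headless tests off in the same update that replaces eight backported CVE patches with a rebase, while `BuildRequires: xorg-x11-server-Xvfb dbus-daemon` stays in the spec. Unless the tests are known to fail on 3.0.6, keep `-Dheadless-tests=enabled \` so the rebased build is still checked by whatever the suite covers, or state the reason in a spec comment. `-Djpeg-xl=disabled`, with `libjxl-devel` removed from BuildRequires, drops a file format in an entry typed `Security` and the changelog does not mention it; a line such as `- [DESC] Disable JPEG XL support` would make that visible. The removed `=enabled` switches now depend on the defaults applied by `%meson` and by upstream, which this diff does not show, so a missing build dependency may disable a plug-in silently instead of failing the build.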