From: Ankur Tyagi <[email protected]> Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-5473
Backport commit associated with the resolution of issue[1]. [1] https://gitlab.gnome.org/GNOME/gimp/-/issues/13910 Signed-off-by: Ankur Tyagi <[email protected]> --- .../gimp/gimp/CVE-2025-5473.patch | 38 +++++++++++++++++++ meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-5473.patch diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-5473.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-5473.patch new file mode 100644 index 0000000000..ef2eb48d61 --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-5473.patch @@ -0,0 +1,38 @@ +From 9e4ebb38ba85661ee62361f218d6c35ace502395 Mon Sep 17 00:00:00 2001 +From: Alx Sa <[email protected]> +Date: Sat, 3 May 2025 14:13:46 +0000 +Subject: [PATCH] plug-ins: ZDI-CAN-26752 mitigation + +Resolves #13910 +Since ICO can store PNGs, it's possible to create an +icon that's much larger than the stated image size and +cause a buffer overflow. +This patch adds a check to make sure the width * height * 4 +calculation does not overflow in addition to making sure it +doesn't exceed the maximum allowed size for that icon. + +CVE: CVE-2025-5473 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/c855d1df60ebaf5ef8d02807d448eb088f147a2b] +(cherry picked from commit c855d1df60ebaf5ef8d02807d448eb088f147a2b) +Signed-off-by: Ankur Tyagi <[email protected]> +--- + plug-ins/file-ico/ico-load.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c +index f44b805905..c144b6e2cd 100644 +--- a/plug-ins/file-ico/ico-load.c ++++ b/plug-ins/file-ico/ico-load.c +@@ -295,7 +295,11 @@ ico_read_png (FILE *fp, + png_read_info (png_ptr, info); + png_get_IHDR (png_ptr, info, &w, &h, &bit_depth, &color_type, + NULL, NULL, NULL); +- if (w*h*4 > maxsize) ++ /* Check for overflow */ ++ if ((w * h * 4) < w || ++ (w * h * 4) < h || ++ (w * h * 4) < (w * h) || ++ (w * h * 4) > maxsize) + { + png_destroy_read_struct (&png_ptr, &info, NULL); + return FALSE; diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb index 064a797986..36b0712976 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb @@ -49,6 +49,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \ file://0001-libtool-Do-not-add-build-time-library-paths-to-LD_LI.patch \ file://CVE-2025-14422.patch \ file://CVE-2025-14425.patch \ + file://CVE-2025-5473.patch \ " SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#123355): https://lists.openembedded.org/g/openembedded-devel/message/123355 Mute This Topic: https://lists.openembedded.org/mt/117219569/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
