From 2b1b01c495018682b8d99985c5e484adb1c80aa1 Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Thu, 19 Jun 2025 14:20:41 +0800 Subject: [PATCH] Fix CVE-2025-6035 (cherry picked from commit cd3f3c285948ac4500fff8d9e63bcaf96e84046b) --- CVE-2025-6035.patch | 184 ++++++++++++++++++++++++++++++++++++++++++++ gimp.spec | 6 +- 2 files changed, 189 insertions(+), 1 deletion(-) create mode 100644 CVE-2025-6035.patch diff --git a/CVE-2025-6035.patch b/CVE-2025-6035.patch new file mode 100644 index 0000000..c6f91a9 --- /dev/null +++ b/CVE-2025-6035.patch @@ -0,0 +1,184 @@ +From 548bc3a46d54711d974aae9ce1bce291376c0436 Mon Sep 17 00:00:00 2001 +From: Jacob Boerema +Date: Thu, 1 May 2025 12:42:17 -0400 +Subject: [PATCH] plug-ins: CWE-190: Integer Overflow or Wraparound in + Despeckle +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +As reported by Seungho Kim our despeckle filter doesn't check for +integer overflow when allocating buffers, nor do we check for failed +allocations. + +A potential integer overflow vulnerability exists in the GIMP +"Despeckle" plug-in. The issue occurs due to unchecked multiplication +of image dimensions (width, height) and bytes-per-pixel (img_bpp), +which can result in allocating insufficient memory and subsequently +performing out-of-bounds writes. This could lead to heap corruption and +potential denial-of-service (DoS) or arbitrary code execution in +certain scenarios. + +Vulnerability Details +•width and height are of type guint (signed 32-bit int). +•Multiplying width * height * img_bpp can result in a value exceeding +the bounds of gsize. +•g_new() does not perform overflow protection; if the size wraps around, +less memory than needed will be allocated. +•Subsequent pixel processing loops write beyond the allocated memory +region (src, dst). + +Proof of Concept (PoC) +Open a specially crafted image with very large dimensions (e.g., +70,000 x 70,000 pixels) and apply the Despeckle filter. GIMP may crash +due to heap corruption, or undefined behavior may occur. + +We applied the suggested changes and in addition adjusted the despeckle +function to be able to set error messages, and check for NULL +allocations. +--- + plug-ins/common/despeckle.c | 62 +++++++++++++++++++++++++++++-------- + 1 file changed, 49 insertions(+), 13 deletions(-) + +diff --git a/plug-ins/common/despeckle.c b/plug-ins/common/despeckle.c +index 3250925b94d..ffa24f06c68 100644 +--- a/plug-ins/common/despeckle.c ++++ b/plug-ins/common/despeckle.c +@@ -98,8 +98,9 @@ static GimpValueArray * despeckle_run (GimpProcedure *proced + GimpProcedureConfig *config, + gpointer run_data); + +-static void despeckle (GimpDrawable *drawable, +- GObject *config); ++static gboolean despeckle (GimpDrawable *drawable, ++ GObject *config, ++ GError **error); + static void despeckle_median (GObject *config, + guchar *src, + guchar *dst, +@@ -224,13 +225,12 @@ despeckle_run (GimpProcedure *procedure, + gpointer run_data) + { + GimpDrawable *drawable; ++ GError *error = NULL; + + gegl_init (NULL, NULL); + + if (gimp_core_object_array_get_length ((GObject **) drawables) != 1) + { +- GError *error = NULL; +- + g_set_error (&error, GIMP_PLUG_IN_ERROR, 0, + _("Procedure '%s' only works with one drawable."), + PLUG_IN_PROC); +@@ -250,7 +250,10 @@ despeckle_run (GimpProcedure *procedure, + if (run_mode == GIMP_RUN_INTERACTIVE && ! despeckle_dialog (procedure, G_OBJECT (config), drawable)) + return gimp_procedure_new_return_values (procedure, GIMP_PDB_CANCEL, NULL); + +- despeckle (drawable, G_OBJECT (config)); ++ if (! despeckle (drawable, G_OBJECT (config), &error)) ++ return gimp_procedure_new_return_values (procedure, ++ GIMP_PDB_EXECUTION_ERROR, ++ error); + + return gimp_procedure_new_return_values (procedure, GIMP_PDB_SUCCESS, NULL); + } +@@ -323,9 +326,10 @@ get_u8_format (GimpDrawable *drawable) + } + } + +-static void ++static gboolean + despeckle (GimpDrawable *drawable, +- GObject *config) ++ GObject *config, ++ GError **error) + { + GeglBuffer *src_buffer; + GeglBuffer *dest_buffer; +@@ -335,10 +339,11 @@ despeckle (GimpDrawable *drawable, + gint img_bpp; + gint x, y; + gint width, height; ++ gsize bufsize = 0; + + if (! gimp_drawable_mask_intersect (drawable, + &x, &y, &width, &height)) +- return; ++ return TRUE; + + format = get_u8_format (drawable); + img_bpp = babl_format_get_bytes_per_pixel (format); +@@ -346,8 +351,26 @@ despeckle (GimpDrawable *drawable, + src_buffer = gimp_drawable_get_buffer (drawable); + dest_buffer = gimp_drawable_get_shadow_buffer (drawable); + +- src = g_new (guchar, width * height * img_bpp); +- dst = g_new (guchar, width * height * img_bpp); ++ if (! g_size_checked_mul (&bufsize, width, height) || ++ ! g_size_checked_mul (&bufsize, bufsize, img_bpp)) ++ { ++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, ++ _("Image dimensions too large: width %d x height %d"), ++ width, height); ++ return FALSE; ++ } ++ ++ src = g_try_malloc (bufsize); ++ dst = g_try_malloc (bufsize); ++ ++ if (src == NULL || dst == NULL) ++ { ++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, ++ _("There was not enough memory to complete the operation.")); ++ g_free (src); ++ ++ return FALSE; ++ } + + gegl_buffer_get (src_buffer, GEGL_RECTANGLE (x, y, width, height), 1.0, + format, src, +@@ -368,6 +391,8 @@ despeckle (GimpDrawable *drawable, + + g_free (dst); + g_free (src); ++ ++ return TRUE; + } + + static gboolean +@@ -446,8 +471,9 @@ static void + preview_update (GtkWidget *widget, + GObject *config) + { +- GimpPreview *preview = GIMP_PREVIEW (widget); ++ GimpPreview *preview = GIMP_PREVIEW (widget); + GimpDrawable *drawable = g_object_get_data (config, "drawable"); ++ gsize bufsize = 0; + GeglBuffer *src_buffer; + const Babl *format; + guchar *dst; +@@ -464,8 +490,18 @@ preview_update (GtkWidget *widget, + + src_buffer = gimp_drawable_get_buffer (drawable); + +- dst = g_new (guchar, width * height * img_bpp); +- src = g_new (guchar, width * height * img_bpp); ++ if (! g_size_checked_mul (&bufsize, width, height) || ++ ! g_size_checked_mul (&bufsize, bufsize, img_bpp)) ++ return; ++ ++ src = g_try_malloc (bufsize); ++ dst = g_try_malloc (bufsize); ++ ++ if (src == NULL || dst == NULL) ++ { ++ g_free (src); ++ return; ++ } + + gegl_buffer_get (src_buffer, GEGL_RECTANGLE (x1, y1, width, height), 1.0, + format, src, +-- +GitLab + diff --git a/gimp.spec b/gimp.spec index f06a1d0..19e5b26 100644 --- a/gimp.spec +++ b/gimp.spec @@ -35,7 +35,7 @@ Name: gimp Version: 3.0.2 -Release: 2 +Release: 3 Epoch: 2 Summary: The GNU Image Manipulation Program License: GPL-3.0-or-later @@ -43,6 +43,7 @@ Group: Productivity/Graphics/Bitmap Editors URL: https://www.gimp.org/ Source: https://download.gimp.org/mirror/pub/gimp/v3.0/%{name}-%{version}.tar.xz Patch0: CVE-2025-5473.patch +Patch1: CVE-2025-6035.patch BuildRequires: meson >= 0.61.0 BuildRequires: aalib-devel BuildRequires: babl-vala >= %{babl_version} @@ -522,6 +523,9 @@ install -D -m0644 macros.gimp %{buildroot}%{_rpmconfigdir}/macros.d/macros.gimp %dir %{_libdir}/gimp/%{api_version}/extensions/org.gimp.extension.goat-exercises/locale %changelog +* Thu Jun 19 2025 yaoxin <1024769339@qq.com> - 2:3.0.2-3 +- Fix CVE-2025-6035 + * Wed Jun 11 2025 wangkai <13474090681@163.com> - 2:3.0.2-2 - Fix CVE-2025-5473 -- Gitee