From f60e1d3df55bdb4a8a8babe8eeee5c37b9d8be46 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Fri, 26 Sep 2025 11:06:20 +0800
Subject: [PATCH] Fix CVE-2025-10920, CVE-2025-10922, CVE-2025-10923, CVE-2025-10924 and CVE-2025-10925
(cherry picked from commit ba6dc6471cf655ae15cd377d8eefadbbb9e0aa47)
---
 CVE-2025-10920.patch | 38 +++++++++++
 CVE-2025-10922.patch | 147 +++++++++++++++++++++++++++++++++++++++++++
 CVE-2025-10923.patch | 61 ++++++++++++++++++
 CVE-2025-10924.patch | 93 +++++++++++++++++++++++++++
 CVE-2025-10925.patch | 48 ++++++++++++++
 gimp.spec | 10 ++-
 6 files changed, 396 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-10920.patch
 create mode 100644 CVE-2025-10922.patch
 create mode 100644 CVE-2025-10923.patch
 create mode 100644 CVE-2025-10924.patch
 create mode 100644 CVE-2025-10925.patch
diff --git a/CVE-2025-10920.patch b/CVE-2025-10920.patch
new file mode 100644
index 0000000..cb1acc2
--- /dev/null
+++ b/CVE-2025-10920.patch
@@ -0,0 +1,38 @@
+From 5f4329d324b0db7a857918941ef7e1d27f3d3992 Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Wed, 3 Sep 2025 13:41:10 +0000
+Subject: [PATCH] plug-ins: Fix ZDI-CAN-27684
+
+Prevent overflow attack by checking if
+output >= max, not just output > max.
+
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/5f4329d324b0db7a857918941ef7e1d27f3d3992
+---
+ plug-ins/file-icns/file-icns-load.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/file-icns/file-icns-load.c b/plug-ins/file-icns/file-icns-load.c
+index c8f16fef60..f2298c056e 100644
+--- a/plug-ins/file-icns/file-icns-load.c
++++ b/plug-ins/file-icns/file-icns-load.c
+@@ -323,7 +323,7 @@ icns_decompress (guchar *dest,
+
+ for (run -= 125; run > 0; run--)
+ {
+- if (out > max)
++ if (out >= max)
+ {
+ g_message ("Corrupt icon? compressed run overflows output size.");
+ return FALSE;
+@@ -341,7 +341,7 @@ icns_decompress (guchar *dest,
+ g_message ("Corrupt icon: uncompressed run overflows input size.");
+ return FALSE;
+ }
+- if (out > max)
++ if (out >= max)
+ {
+ g_message ("Corrupt icon: uncompressed run overflows output size.");
+ return FALSE;
+--
+GitLab
+
diff --git a/CVE-2025-10922.patch b/CVE-2025-10922.patch
new file mode 100644
index 0000000..a5b0711
--- /dev/null
+++ b/CVE-2025-10922.patch
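Review bot: The two `out >= max` checks are correct, but both still run once per output byte inside the loops; a single comparison of the remaining run length against `max - out` placed before `for (run -= 125; run > 0; run--)` (and likewise before the uncompressed loop) would reject an over-long run before any write and state the `out < max` invariant in one place. The input-side bound of the compressed run is not visible in this hunk (the repeated byte is presumably read before the loop), so it is worth confirming in the backported file. The two messages also differ in punctuation (`Corrupt icon?` versus `Corrupt icon:`). `icns_decompress` starts and ends outside the hunk.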
@@ -0,0 +1,147 @@
+From 0f309f9a8d82f43fa01383bc5a5c41d28727d9e3 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema
+Date: Wed, 3 Sep 2025 13:31:45 -0400
+Subject: [PATCH] plug-ins: fix dicom plug-in ZDI-CAN-27863
+
+GIMP DCM File Parsing Heap-based Buffer Overflow Remote Code Execution
+Vulnerability
+
+This adds more safety checks and sets actual GError's instead of just
+calling gimp_quit.
+
+Closes #14811
+
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/0f309f9a8d82f43fa01383bc5a5c41d28727d9e3
+---
+ plug-ins/common/file-dicom.c | 65 ++++++++++++++++++++++++++++--------
+ 1 file changed, 51 insertions(+), 14 deletions(-)
+
+diff --git a/plug-ins/common/file-dicom.c b/plug-ins/common/file-dicom.c
+index 31039050f27..a11a13ef405 100644
+--- a/plug-ins/common/file-dicom.c
++++ b/plug-ins/common/file-dicom.c
+@@ -344,6 +344,7 @@ load_image (GFile *file,
+ gint bits_stored = 0;
+ gint high_bit = 0;
+ guint8 *pix_buf = NULL;
++ guint64 pixbuf_size = 0;
+ gboolean is_signed = FALSE;
+ guint8 in_sequence = 0;
+ gboolean implicit_encoding = FALSE;
+@@ -399,6 +400,7 @@ load_image (GFile *file,
+ guint16 ctx_us;
+ guint8 *value;
+ guint32 tag;
++ size_t actual_read;
+
+ if (fread (&group_word, 1, 2, dicom) == 0)
+ break;
+@@ -503,15 +505,24 @@ load_image (GFile *file,
+
+ if (element_length >= (G_MAXUINT - 6))
+ {
+- g_message ("'%s' seems to have an incorrect value field length.",
+- gimp_file_get_utf8_name (file));
+- gimp_quit ();
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("'%s' has an an incorrect value for field size. Possibly corrupt image."),
++ gimp_file_get_utf8_name (file));
++ g_free (dicominfo);
++ fclose (dicom);
++ return NULL;
+ }
+
+ /* Read contents. Allocate a bit more to make room for casts to int
+ below. */
+ value = g_new0 (guint8, element_length + 4);
+- fread (value, 1, element_length, dicom);
++ actual_read = fread (value, 1, element_length, dicom);
++ if (actual_read < element_length)
++ {
++ g_warning ("Missing data: needed %u bytes, got %u. Possibly corrupt image.",
++ element_length, (guint32) actual_read);
++ element_length = actual_read;
++ }
+
+ /* ignore everything inside of a sequence */
+ if (in_sequence)
+@@ -524,7 +535,7 @@ load_image (GFile *file,
+ if (big_endian && group_word != 0x0002)
+ ctx_us = GUINT16_SWAP_LE_BE (ctx_us);
+
+- g_debug ("group: %04x, element: %04x, length: %d",
++ g_debug ("group: %04x, element: %04x, length: %u",
+ group_word, element_word, element_length);
+ g_debug ("Value: %s", (char*)value);
+ /* Recognize some critical tags */
+@@ -658,6 +669,7 @@ load_image (GFile *file,
+ if (group_word == 0x7fe0 && element_word == 0x0010)
+ {
+ pix_buf = value;
++ pixbuf_size = element_length;
+ }
+ else
+ {
+@@ -688,25 +700,50 @@ load_image (GFile *file,
+ }
+ }
+
++ g_debug ("Bpp: %d, wxh: %u x %u, spp: %d\n", bpp, width, height, samples_per_pixel);
++
+ if ((bpp != 8) && (bpp != 16))
+ {
+- g_message ("'%s' has a bpp of %d which GIMP cannot handle.",
+- gimp_file_get_utf8_name (file), bpp);
+- gimp_quit ();
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("'%s' has a bpp of %d which GIMP cannot handle."),
++ gimp_file_get_utf8_name (file), bpp);
++ g_free (pix_buf);
++ g_free (dicominfo);
++ fclose (dicom);
++ return NULL;
+ }
+
+ if ((width > GIMP_MAX_IMAGE_SIZE) || (height > GIMP_MAX_IMAGE_SIZE))
+ {
+- g_message ("'%s' has a larger image size (%d x %d) than GIMP can handle.",
+- gimp_file_get_utf8_name (file), width, height);
+- gimp_quit ();
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("'%s' has a larger image size (%d x %d) than GIMP can handle."),
++ gimp_file_get_utf8_name (file), width, height);
++ g_free (pix_buf);
++ g_free (dicominfo);
++ fclose (dicom);
++ return NULL;
+ }
+
+ if (samples_per_pixel > 3)
+ {
+- g_message ("'%s' has samples per pixel of %d which GIMP cannot handle.",
+- gimp_file_get_utf8_name (file), samples_per_pixel);
+- gimp_quit ();
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("'%s' has samples per pixel of %d which GIMP cannot handle."),
++ gimp_file_get_utf8_name (file), samples_per_pixel);
++ g_free (pix_buf);
++ g_free (dicominfo);
++ fclose (dicom);
++ return NULL;
++ }
++
++ if ((guint64) width * height * (bpp >> 3) * samples_per_pixel > pixbuf_size)
++ {
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("'%s' has not enough pixel data. Possibly corrupt image."),
++ gimp_file_get_utf8_name (file));
++ g_free (pix_buf);
++ g_free (dicominfo);
++ fclose (dicom);
++ return NULL;
+ }
+
+ dicominfo->width = width;
+--
+GitLab
+
diff --git a/CVE-2025-10923.patch b/CVE-2025-10923.patch
new file mode 100644
index 0000000..1e92346
--- /dev/null
+++ b/CVE-2025-10923.patch
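Review bot: The new early return on the `element_length >= (G_MAXUINT - 6)` path frees `dicominfo` and closes `dicom` but, unlike the four later error paths, does not `g_free (pix_buf)`; if the pixel-data element (group 0x7fe0, element 0x0010) was already parsed when a later element carries a bad length, that buffer leaks, so `g_free (pix_buf);` belongs there too. The final check `(guint64) width * height * (bpp >> 3) * samples_per_pixel > pixbuf_size` is vacuous when `samples_per_pixel` is 0 or negative (it is printed with `%d`, so it appears to be signed) or when `width` or `height` is 0, and `pix_buf` may then still be NULL afterwards; a `samples_per_pixel < 1` guard beside the existing `> 3` check would close that. The translatable string `'%s' has an an incorrect value for field size` carries a doubled `an`. `load_image` starts and ends outside the hunks.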
@@ -0,0 +1,61 @@
+From fb31ddf32298bb2f0f09b3ccc53464b8693a050e Mon Sep 17 00:00:00 2001
+From: Jacob Boerema
+Date: Wed, 3 Sep 2025 15:25:55 -0400
+Subject: [PATCH] plug-ins: fix ZDI-CAN-27878
+
+GIMP WBMP File Parsing Integer Overflow Remote Code Execution
+Vulnerability
+
+We recently fixed one instance of not upgrading the size, but forgot
+the other. Fix that here by casting to (gsize). While we're at it,
+also add a warning, when reading more data fails unexpectedly.
+
+Closes #14812
+
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/fb31ddf32298bb2f0f09b3ccc53464b8693a050e
+---
+ plug-ins/common/file-wbmp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/common/file-wbmp.c b/plug-ins/common/file-wbmp.c
+index a19b0f9728..f37450118f 100644
+--- a/plug-ins/common/file-wbmp.c
++++ b/plug-ins/common/file-wbmp.c
+@@ -456,6 +456,7 @@ read_image (FILE *fd,
+ GeglBuffer *buffer;
+ guchar *dest, *temp;
+ gint i, cur_progress, max_progress;
++ size_t n_read;
+
+ /* Make a new image in GIMP */
+ if ((width < 0) || (width > GIMP_MAX_IMAGE_SIZE))
+@@ -480,14 +481,14 @@ read_image (FILE *fd,
+
+ gimp_image_insert_layer (image, layer, NULL, 0);
+
+- dest = g_malloc0 (width * height);
++ dest = g_malloc0 ((gsize) width * height);
+
+ ypos = 0;
+
+ cur_progress = 0;
+ max_progress = height;
+
+- while (ReadOK (fd, &v, 1))
++ while ((n_read = ReadOK (fd, &v, 1)) != 0)
+ {
+ for (i = 1; (i <= 8) && (xpos < width); i++, xpos++)
+ {
+@@ -512,6 +513,9 @@ read_image (FILE *fd,
+ break;
+ }
+
++ if (n_read == 0)
++ g_warning (_("Read failure at position %u. Possibly corrupt image."), ypos * width + xpos);
++
+ buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
+
+ gegl_buffer_set (buffer, GEGL_RECTANGLE (0, 0, width, height), 0, NULL, dest,
+--
+GitLab
+
diff --git a/CVE-2025-10924.patch b/CVE-2025-10924.patch
new file mode 100644
index 0000000..fbd116c
--- /dev/null
+++ b/CVE-2025-10924.patch
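Review bot: The post-loop warning formats `ypos * width + xpos` with `%u`, but `width` appears to be signed (the first hunk tests `(width < 0)`), so the argument is an `int` and the specifier should be `%d`, or the expression cast to `guint`. The warning fires whenever the loop ends because `ReadOK` returned 0; if a well-formed image can reach end of file exactly as the last row completes without taking the visible `break`, such files would be flagged too — worth confirming against the loop body, which lies between the second and third hunks. The `(gsize) width * height` cast fixes the allocation size, but only the `width` range check is visible here; the matching `height` check is presumably just below the first hunk. `read_image` starts and ends outside the hunks.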
@@ -0,0 +1,93 @@
+From 53b18653bca9404efeab953e75960b1cf7dedbed Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Wed, 3 Sep 2025 22:10:34 +0000
+Subject: [PATCH] plug-ins: Fix ZDI-CAN-27836
+
+ZDI-CAN-27836: GIMP FF File Parsing Integer Overflow
+Remote Code Execution Vulnerability
+
+This patch increases the row_size data type to gsize and checks if it
+would overflow based on the width given. It also makes sure the image
+size does not exceed GIMP's image size limits.
+
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/53b18653bca9404efeab953e75960b1cf7dedbed
+---
+ plug-ins/common/file-farbfeld.c | 31 ++++++++++++++++++++++++-------
+ 1 file changed, 24 insertions(+), 7 deletions(-)
+
+diff --git a/plug-ins/common/file-farbfeld.c b/plug-ins/common/file-farbfeld.c
+index f610fa439a..921e4e35cc 100644
+--- a/plug-ins/common/file-farbfeld.c
++++ b/plug-ins/common/file-farbfeld.c
+@@ -261,7 +261,7 @@ load_image (GFile *file,
+ guchar magic_number[8];
+ guint32 width;
+ guint32 height;
+- guint32 row_size;
++ gsize row_size;
+ const Babl *format = babl_format ("R'G'B'A u16");
+ FILE *fp;
+
+@@ -282,13 +282,24 @@ load_image (GFile *file,
+ {
+ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
+ _("Failed to read Farbfeld header"));
++ fclose (fp);
+ return NULL;
+ }
+
+ /* Header information is stored in Big-Endian format */
+ width = GUINT32_FROM_BE (width);
+ height = GUINT32_FROM_BE (height);
+- row_size = width * sizeof (guint16) * 4;
++
++ if (width > GIMP_MAX_IMAGE_SIZE ||
++ height > GIMP_MAX_IMAGE_SIZE ||
++ ! g_size_checked_mul (&row_size, width, (sizeof (guint16) * 4)))
++ {
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("Image dimensions too large: width %d x height %d"),
++ width, height);
++ fclose (fp);
++ return NULL;
++ }
+
+ image = gimp_image_new_with_precision (width, height, GIMP_RGB,
+ GIMP_PRECISION_U16_NON_LINEAR);
+@@ -298,12 +309,19 @@ load_image (GFile *file,
+ gimp_image_get_default_new_layer_mode (image));
+ gimp_image_insert_layer (image, layer, NULL, 0);
+
+- buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
++ pixels = g_try_malloc (row_size);
++ if (pixels == NULL)
++ {
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("There was not enough memory to complete the "
++ "operation."));
++ fclose (fp);
++ return NULL;
++ }
+
++ buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
+ for (gint i = 0; i < height; i++)
+ {
+- pixels = g_malloc (row_size);
+-
+ if (! fread (pixels, row_size, 1, fp))
+ {
+ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
+@@ -318,9 +336,8 @@ load_image (GFile *file,
+ gegl_buffer_set (buffer,
+ GEGL_RECTANGLE (0, i, width, 1), 0,
+ format, pixels, GEGL_AUTO_ROWSTRIDE);
+-
+- g_free (pixels);
+ }
++ g_free (pixels);
+
+ fclose (fp);
+ g_object_unref (buffer);
+--
+GitLab
+
diff --git a/CVE-2025-10925.patch b/CVE-2025-10925.patch
new file mode 100644
index 0000000..2e78684
--- /dev/null
+++ b/CVE-2025-10925.patch
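Review bot: `width` and `height` are `guint32` (first hunk), yet the new error message formats them with `%d`; `%u` is the matching specifier for `_("Image dimensions too large: width %u x height %u")`. With `pixels` now allocated once before the loop, the `fread` failure path inside the loop (its `g_set_error` ends the third hunk and its `return` lies between the hunks) has to release `pixels` and close `fp` itself, something the per-iteration allocation did not need — worth checking that path in the backported file. On the `g_try_malloc` failure path the image created by `gimp_image_new_with_precision` is not deleted before `return NULL`; unless the caller cleans up on a NULL return, a `gimp_image_delete (image)` there is needed. `load_image` starts and ends outside the hunks.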
@@ -0,0 +1,48 @@
+From 002b22c15028b18557bd0823a081af9ed5316679 Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Thu, 4 Sep 2025 04:45:43 +0000
+Subject: [PATCH] plug-ins: Fix ZDI-CAN-27793
+
+GIMP ILBM File Parsing Stack-based Buffer Overflow
+Remote Code Execution Vulnerability
+
+Adds a check to file-iff.c to ensure the palette_size is
+between 0 and 256.
+
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/002b22c15028b18557bd0823a081af9ed5316679
+---
+ plug-ins/common/file-iff.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/common/file-iff.c b/plug-ins/common/file-iff.c
+index 6c1418950db..d144a96a4c9 100644
+--- a/plug-ins/common/file-iff.c
++++ b/plug-ins/common/file-iff.c
+@@ -328,7 +328,9 @@ load_image (GFile *file,
+ bitMapHeader = true_image->bitMapHeader;
+ if (! bitMapHeader || ! true_image->body)
+ {
+- g_message (_("ILBM contains no image data - likely a palette file"));
++ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
++ _("ILBM contains no image data - likely a palette "
++ "file"));
+ return NULL;
+ }
+
+@@ -355,6 +357,13 @@ load_image (GFile *file,
+ {
+ palette_size = colorMap->colorRegisterLength;
+
++ if (palette_size < 0 || palette_size > 256)
++ {
++ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
++ _("Invalid ILBM colormap size"));
++ return NULL;
++ }
++
+ for (gint j = 0; j < palette_size; j++)
+ {
+ gimp_cmap[j * 3] = colorMap->colorRegister[j].red;
+--
+GitLab
+
diff --git a/gimp.spec b/gimp.spec
index 19e5b26..0ec6658 100644
--- a/gimp.spec
+++ b/gimp.spec
@@ -35,7 +35,7 @@ Name: gimp Version: 3.0.2 -Release: 3 +Release: 4 Epoch: 2 Summary: The GNU Image Manipulation Program License: GPL-3.0-or-later
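Review bot: Both new `g_set_error` calls use `G_FILE_ERROR` with `g_file_error_from_errno (errno)`, but neither condition follows a failed system call, so the error code is whatever stale `errno` happens to hold; the dicom and farbfeld patches in this same commit use `GIMP_PLUG_IN_ERROR, 0` for validation failures, and `g_set_error (error, GIMP_PLUG_IN_ERROR, 0, _("Invalid ILBM colormap size"));` would match them. The upper bound 256 presumably corresponds to the capacity of `gimp_cmap` (indexed as `gimp_cmap[j * 3]`), whose declaration is outside the hunk; deriving it from that array with `G_N_ELEMENTS (gimp_cmap) / 3` would keep the two from drifting apart. Whether `true_image` is released on these `return NULL` paths is not visible either. `load_image` starts and ends outside the hunks.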
@@ -44,6 +44,11 @@ URL: https://www.gimp.org/
 Source: https://download.gimp.org/mirror/pub/gimp/v3.0/%{name}-%{version}.tar.xz
 Patch0: CVE-2025-5473.patch
 Patch1: CVE-2025-6035.patch
+Patch2: CVE-2025-10920.patch
+Patch3: CVE-2025-10922.patch
+Patch4: CVE-2025-10923.patch
+Patch5: CVE-2025-10924.patch
+Patch6: CVE-2025-10925.patch
 BuildRequires: meson >= 0.61.0
 BuildRequires: aalib-devel
 BuildRequires: babl-vala >= %{babl_version}
@@ -523,6 +528,9 @@ install -D -m0644 macros.gimp %{buildroot}%{_rpmconfigdir}/macros.d/macros.gimp
 %dir %{_libdir}/gimp/%{api_version}/extensions/org.gimp.extension.goat-exercises/locale
 %changelog
+* Fri Sep 26 2025 yaoxin <1024769339@qq.com> - 2:3.0.2-4
+- Fix CVE-2025-10920, CVE-2025-10922, CVE-2025-10923, CVE-2025-10924 and CVE-2025-10925
+
 * Thu Jun 19 2025 yaoxin <1024769339@qq.com> - 2:3.0.2-3
 - Fix CVE-2025-6035
--
Gitee