diff --git a/CVE-2025-10920.patch b/CVE-2025-10920.patch
deleted file mode 100644
index cb1acc23f13587b4b097f89678af59a4f97719ad..0000000000000000000000000000000000000000
--- a/CVE-2025-10920.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 5f4329d324b0db7a857918941ef7e1d27f3d3992 Mon Sep 17 00:00:00 2001
-From: Alx Sa
-Date: Wed, 3 Sep 2025 13:41:10 +0000
-Subject: [PATCH] plug-ins: Fix ZDI-CAN-27684
-
-Prevent overflow attack by checking if
-output >= max, not just output > max.
-
-Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/5f4329d324b0db7a857918941ef7e1d27f3d3992
----
- plug-ins/file-icns/file-icns-load.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/plug-ins/file-icns/file-icns-load.c b/plug-ins/file-icns/file-icns-load.c
-index c8f16fef60..f2298c056e 100644
---- a/plug-ins/file-icns/file-icns-load.c
-+++ b/plug-ins/file-icns/file-icns-load.c
-@@ -323,7 +323,7 @@ icns_decompress (guchar *dest,
-
- for (run -= 125; run > 0; run--)
- {
-- if (out > max)
-+ if (out >= max)
- {
- g_message ("Corrupt icon? compressed run overflows output size.");
- return FALSE;
-@@ -341,7 +341,7 @@ icns_decompress (guchar *dest,
- g_message ("Corrupt icon: uncompressed run overflows input size.");
- return FALSE;
- }
-- if (out > max)
-+ if (out >= max)
- {
- g_message ("Corrupt icon: uncompressed run overflows output size.");
- return FALSE;
---
-GitLab
-
diff --git a/CVE-2025-10922.patch b/CVE-2025-10922.patch
deleted file mode 100644
index a5b07117ff007fdc4e5f4a04142b694790309933..0000000000000000000000000000000000000000
--- a/CVE-2025-10922.patch
+++ /dev/null
@@ -1,147 +0,0 @@ -From 0f309f9a8d82f43fa01383bc5a5c41d28727d9e3 Mon Sep 17 00:00:00 2001 -From: Jacob Boerema -Date: Wed, 3 Sep 2025 13:31:45 -0400 -Subject: [PATCH] plug-ins: fix dicom plug-in ZDI-CAN-27863 - -GIMP DCM File Parsing Heap-based Buffer Overflow Remote Code Execution -Vulnerability - -This adds more safety checks and sets actual GError's instead of just -calling gimp_quit. - -Closes #14811 - -Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/0f309f9a8d82f43fa01383bc5a5c41d28727d9e3 ---- - plug-ins/common/file-dicom.c | 65 ++++++++++++++++++++++++++++-------- - 1 file changed, 51 insertions(+), 14 deletions(-) - -diff --git a/plug-ins/common/file-dicom.c b/plug-ins/common/file-dicom.c -index 31039050f27..a11a13ef405 100644 ---- a/plug-ins/common/file-dicom.c -+++ b/plug-ins/common/file-dicom.c -@@ -344,6 +344,7 @@ load_image (GFile *file, - gint bits_stored = 0; - gint high_bit = 0; - guint8 *pix_buf = NULL; -+ guint64 pixbuf_size = 0; - gboolean is_signed = FALSE; - guint8 in_sequence = 0; - gboolean implicit_encoding = FALSE; -@@ -399,6 +400,7 @@ load_image (GFile *file, - guint16 ctx_us; - guint8 *value; - guint32 tag; -+ size_t actual_read; - - if (fread (&group_word, 1, 2, dicom) == 0) - break; -@@ -503,15 +505,24 @@ load_image (GFile *file, - - if (element_length >= (G_MAXUINT - 6)) - { -- g_message ("'%s' seems to have an incorrect value field length.", -- gimp_file_get_utf8_name (file)); -- gimp_quit (); -+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, -+ _("'%s' has an an incorrect value for field size. Possibly corrupt image."), -+ gimp_file_get_utf8_name (file)); -+ g_free (dicominfo); -+ fclose (dicom); -+ return NULL; - } - - /* Read contents. Allocate a bit more to make room for casts to int - below. 
*/ - value = g_new0 (guint8, element_length + 4); -- fread (value, 1, element_length, dicom); -+ actual_read = fread (value, 1, element_length, dicom); -+ if (actual_read < element_length) -+ { -+ g_warning ("Missing data: needed %u bytes, got %u. Possibly corrupt image.", -+ element_length, (guint32) actual_read); -+ element_length = actual_read; -+ } - - /* ignore everything inside of a sequence */ - if (in_sequence) -@@ -524,7 +535,7 @@ load_image (GFile *file, - if (big_endian && group_word != 0x0002) - ctx_us = GUINT16_SWAP_LE_BE (ctx_us); - -- g_debug ("group: %04x, element: %04x, length: %d", -+ g_debug ("group: %04x, element: %04x, length: %u", - group_word, element_word, element_length); - g_debug ("Value: %s", (char*)value); - /* Recognize some critical tags */ -@@ -658,6 +669,7 @@ load_image (GFile *file, - if (group_word == 0x7fe0 && element_word == 0x0010) - { - pix_buf = value; -+ pixbuf_size = element_length; - } - else - { -@@ -688,25 +700,50 @@ load_image (GFile *file, - } - } - -+ g_debug ("Bpp: %d, wxh: %u x %u, spp: %d\n", bpp, width, height, samples_per_pixel); -+ - if ((bpp != 8) && (bpp != 16)) - { -- g_message ("'%s' has a bpp of %d which GIMP cannot handle.", -- gimp_file_get_utf8_name (file), bpp); -- gimp_quit (); -+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, -+ _("'%s' has a bpp of %d which GIMP cannot handle."), -+ gimp_file_get_utf8_name (file), bpp); -+ g_free (pix_buf); -+ g_free (dicominfo); -+ fclose (dicom); -+ return NULL; - } - - if ((width > GIMP_MAX_IMAGE_SIZE) || (height > GIMP_MAX_IMAGE_SIZE)) - { -- g_message ("'%s' has a larger image size (%d x %d) than GIMP can handle.", -- gimp_file_get_utf8_name (file), width, height); -- gimp_quit (); -+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, -+ _("'%s' has a larger image size (%d x %d) than GIMP can handle."), -+ gimp_file_get_utf8_name (file), width, height); -+ g_free (pix_buf); -+ g_free (dicominfo); -+ fclose (dicom); -+ return NULL; - } - - if (samples_per_pixel > 3) - { -- 
g_message ("'%s' has samples per pixel of %d which GIMP cannot handle.", -- gimp_file_get_utf8_name (file), samples_per_pixel); -- gimp_quit (); -+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, -+ _("'%s' has samples per pixel of %d which GIMP cannot handle."), -+ gimp_file_get_utf8_name (file), samples_per_pixel); -+ g_free (pix_buf); -+ g_free (dicominfo); -+ fclose (dicom); -+ return NULL; -+ } -+ -+ if ((guint64) width * height * (bpp >> 3) * samples_per_pixel > pixbuf_size) -+ { -+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, -+ _("'%s' has not enough pixel data. Possibly corrupt image."), -+ gimp_file_get_utf8_name (file)); -+ g_free (pix_buf); -+ g_free (dicominfo); -+ fclose (dicom); -+ return NULL; - } - - dicominfo->width = width; --- -GitLab - diff --git a/CVE-2025-10923.patch b/CVE-2025-10923.patch deleted file mode 100644 index 1e92346502364aa38b5e44e385781b56a77b0fb0..0000000000000000000000000000000000000000 --- a/CVE-2025-10923.patch +++ /dev/null 
@@ -1,61 +0,0 @@
-From fb31ddf32298bb2f0f09b3ccc53464b8693a050e Mon Sep 17 00:00:00 2001
-From: Jacob Boerema
-Date: Wed, 3 Sep 2025 15:25:55 -0400
-Subject: [PATCH] plug-ins: fix ZDI-CAN-27878
-
-GIMP WBMP File Parsing Integer Overflow Remote Code Execution
-Vulnerability
-
-We recently fixed one instance of not upgrading the size, but forgot
-the other. Fix that here by casting to (gsize). While we're at it,
-also add a warning, when reading more data fails unexpectedly.
-
-Closes #14812
-
-Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/fb31ddf32298bb2f0f09b3ccc53464b8693a050e
----
- plug-ins/common/file-wbmp.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/plug-ins/common/file-wbmp.c b/plug-ins/common/file-wbmp.c
-index a19b0f9728..f37450118f 100644
---- a/plug-ins/common/file-wbmp.c
-+++ b/plug-ins/common/file-wbmp.c
-@@ -456,6 +456,7 @@ read_image (FILE *fd,
- GeglBuffer *buffer;
- guchar *dest, *temp;
- gint i, cur_progress, max_progress;
-+ size_t n_read;
-
- /* Make a new image in GIMP */
- if ((width < 0) || (width > GIMP_MAX_IMAGE_SIZE))
-@@ -480,14 +481,14 @@ read_image (FILE *fd,
-
- gimp_image_insert_layer (image, layer, NULL, 0);
-
-- dest = g_malloc0 (width * height);
-+ dest = g_malloc0 ((gsize) width * height);
-
- ypos = 0;
-
- cur_progress = 0;
- max_progress = height;
-
-- while (ReadOK (fd, &v, 1))
-+ while ((n_read = ReadOK (fd, &v, 1)) != 0)
- {
- for (i = 1; (i <= 8) && (xpos < width); i++, xpos++)
- {
-@@ -512,6 +513,9 @@ read_image (FILE *fd,
- break;
- }
-
-+ if (n_read == 0)
-+ g_warning (_("Read failure at position %u. Possibly corrupt image."), ypos * width + xpos);
-+
- buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
-
- gegl_buffer_set (buffer, GEGL_RECTANGLE (0, 0, width, height), 0, NULL, dest,
---
-GitLab
-
diff --git a/CVE-2025-10924.patch b/CVE-2025-10924.patch
deleted file mode 100644
index fbd116cc5c1ea33120034c6ec9b8a133affa3bf7..0000000000000000000000000000000000000000
--- a/CVE-2025-10924.patch
+++ /dev/null
@@ -1,93 +0,0 @@ -From 53b18653bca9404efeab953e75960b1cf7dedbed Mon Sep 17 00:00:00 2001 -From: Alx Sa -Date: Wed, 3 Sep 2025 22:10:34 +0000 -Subject: [PATCH] plug-ins: Fix ZDI-CAN-27836 - -ZDI-CAN-27836: GIMP FF File Parsing Integer Overflow -Remote Code Execution Vulnerability - -This patch increases the row_size data type to gsize and checks if it -would overflow based on the width given. It also makes sure the image -size does not exceed GIMP's image size limits. - -Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/53b18653bca9404efeab953e75960b1cf7dedbed ---- - plug-ins/common/file-farbfeld.c | 31 ++++++++++++++++++++++++------- - 1 file changed, 24 insertions(+), 7 deletions(-) - -diff --git a/plug-ins/common/file-farbfeld.c b/plug-ins/common/file-farbfeld.c -index f610fa439a..921e4e35cc 100644 ---- a/plug-ins/common/file-farbfeld.c -+++ b/plug-ins/common/file-farbfeld.c -@@ -261,7 +261,7 @@ load_image (GFile *file, - guchar magic_number[8]; - guint32 width; - guint32 height; -- guint32 row_size; -+ gsize row_size; - const Babl *format = babl_format ("R'G'B'A u16"); - FILE *fp; - -@@ -282,13 +282,24 @@ load_image (GFile *file, - { - g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno), - _("Failed to read Farbfeld header")); -+ fclose (fp); - return NULL; - } - - /* Header information is stored in Big-Endian format */ - width = GUINT32_FROM_BE (width); - height = GUINT32_FROM_BE (height); -- row_size = width * sizeof (guint16) * 4; -+ -+ if (width > GIMP_MAX_IMAGE_SIZE || -+ height > GIMP_MAX_IMAGE_SIZE || -+ ! 
g_size_checked_mul (&row_size, width, (sizeof (guint16) * 4))) -+ { -+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, -+ _("Image dimensions too large: width %d x height %d"), -+ width, height); -+ fclose (fp); -+ return NULL; -+ } - - image = gimp_image_new_with_precision (width, height, GIMP_RGB, - GIMP_PRECISION_U16_NON_LINEAR); -@@ -298,12 +309,19 @@ load_image (GFile *file, - gimp_image_get_default_new_layer_mode (image)); - gimp_image_insert_layer (image, layer, NULL, 0); - -- buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer)); -+ pixels = g_try_malloc (row_size); -+ if (pixels == NULL) -+ { -+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, -+ _("There was not enough memory to complete the " -+ "operation.")); -+ fclose (fp); -+ return NULL; -+ } - -+ buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer)); - for (gint i = 0; i < height; i++) - { -- pixels = g_malloc (row_size); -- - if (! fread (pixels, row_size, 1, fp)) - { - g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno), -@@ -318,9 +336,8 @@ load_image (GFile *file, - gegl_buffer_set (buffer, - GEGL_RECTANGLE (0, i, width, 1), 0, - format, pixels, GEGL_AUTO_ROWSTRIDE); -- -- g_free (pixels); - } -+ g_free (pixels); - - fclose (fp); - g_object_unref (buffer); --- -GitLab - diff --git a/CVE-2025-10925.patch b/CVE-2025-10925.patch deleted file mode 100644 index 2e7868463538228cd1c8eb3ffaeb6d624b5d94e2..0000000000000000000000000000000000000000 --- a/CVE-2025-10925.patch +++ /dev/null 
@@ -1,48 +0,0 @@
-From 002b22c15028b18557bd0823a081af9ed5316679 Mon Sep 17 00:00:00 2001
-From: Alx Sa
-Date: Thu, 4 Sep 2025 04:45:43 +0000
-Subject: [PATCH] plug-ins: Fix ZDI-CAN-27793
-
-GIMP ILBM File Parsing Stack-based Buffer Overflow
-Remote Code Execution Vulnerability
-
-Adds a check to file-iff.c to ensure the palette_size is
-between 0 and 256.
-
-Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/002b22c15028b18557bd0823a081af9ed5316679
----
- plug-ins/common/file-iff.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/plug-ins/common/file-iff.c b/plug-ins/common/file-iff.c
-index 6c1418950db..d144a96a4c9 100644
---- a/plug-ins/common/file-iff.c
-+++ b/plug-ins/common/file-iff.c
-@@ -328,7 +328,9 @@ load_image (GFile *file,
- bitMapHeader = true_image->bitMapHeader;
- if (! bitMapHeader || ! true_image->body)
- {
-- g_message (_("ILBM contains no image data - likely a palette file"));
-+ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
-+ _("ILBM contains no image data - likely a palette "
-+ "file"));
- return NULL;
- }
-
-@@ -355,6 +357,13 @@ load_image (GFile *file,
- {
- palette_size = colorMap->colorRegisterLength;
-
-+ if (palette_size < 0 || palette_size > 256)
-+ {
-+ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
-+ _("Invalid ILBM colormap size"));
-+ return NULL;
-+ }
-+
- for (gint j = 0; j < palette_size; j++)
- {
- gimp_cmap[j * 3] = colorMap->colorRegister[j].red;
---
-GitLab
-
diff --git a/gimp-3.0.4.tar.xz b/gimp-3.0.6.tar.xz
similarity index 32%
rename from gimp-3.0.4.tar.xz
rename to gimp-3.0.6.tar.xz
index 2639639be547b98d5f267227f380b6fe18bf6fa9..c3cab336ebff44119c796ee59c07033d0301f813 100644
--- a/gimp-3.0.4.tar.xz
+++ b/gimp-3.0.6.tar.xz
@@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:8caa2ec275bf09326575654ac276afc083f8491e7cca45d19cf29e696aecab25 -size 27060240 +oid sha256:246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b +size 27197880 diff --git a/gimp.spec b/gimp.spec index ae780b9bf61f45097d65f7667a3b995ba5f893ab..cc08bdfcf1f7de6216d50653c8f85065cff25b3f 100644 --- a/gimp.spec +++ b/gimp.spec @@ -1,5 +1,5 @@ %define alsa_version 1.0.0 -%define appstream_glib_version 0.7.7 +%define appstream_version 0.16.1 %define atk_version 2.4.0 %define babl_version 0.1.114 %define cairo_version 1.14.0 @@ -36,19 +36,14 @@ %bcond_without heif Name: gimp -Version: 3.0.4 -Release: 2 +Version: 3.0.6 +Release: 1 Epoch: 2 Summary: The GNU Image Manipulation Program License: GPL-3.0-or-later Group: Productivity/Graphics/Bitmap Editors URL: https://www.gimp.org/ Source: https://download.gimp.org/mirror/pub/gimp/v3.0/%{name}-%{version}.tar.xz -Patch0: CVE-2025-10920.patch -Patch1: CVE-2025-10922.patch -Patch2: CVE-2025-10923.patch -Patch3: CVE-2025-10924.patch -Patch4: CVE-2025-10925.patch BuildRequires: meson >= 0.61.0 BuildRequires: aalib-devel BuildRequires: babl-vala >= %{babl_version} @@ -61,7 +56,7 @@ BuildRequires: python3-gobject BuildRequires: xdg-utils BuildRequires: pkgconfig(OpenEXR) >= %{OpenEXR_version} BuildRequires: pkgconfig(alsa) >= %{alsa_version} -BuildRequires: pkgconfig(appstream-glib) >= %{appstream_glib_version} +BuildRequires: pkgconfig(appstream) >= %{appstream_version} BuildRequires: pkgconfig(atk) >= %{atk_version} BuildRequires: pkgconfig(babl-0.1) >= %{babl_version} BuildRequires: pkgconfig(bzip2) 
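Review bot: The `Patch0`–`Patch4` lines for CVE-2025-10920, CVE-2025-10922, CVE-2025-10923, CVE-2025-10924 and CVE-2025-10925 are dropped in the `@@ -36,19 +36,14 @@` hunk of gimp.spec, but nothing in the spec or in the new changelog entry records that 3.0.6 already carries those fixes. Each removed patch file names its upstream commit in an `Origin:` line, so it is worth confirming that those five commits are present in the 3.0.6 tarball before merging; they presumably are, but the diff itself does not show it. I would extend the changelog entry with `- drop CVE-2025-10920, CVE-2025-10922, CVE-2025-10923, CVE-2025-10924 and CVE-2025-10925 patches, fixed upstream in 3.0.6`, so that anyone auditing the package history can see the fixes were superseded rather than lost.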
@@ -496,7 +491,6 @@ install -D -m0644 macros.gimp %{buildroot}%{_rpmconfigdir}/macros.d/macros.gimp %{_libdir}/girepository-1.0/GimpUi-%{api_version}.typelib %files plugin-python3 -f gimp%{gettext_version}-python.lang -%{_libdir}/gimp/%{api_version}/environ/python.env %{_libdir}/gimp/%{api_version}/plug-ins/colorxhtml %{_libdir}/gimp/%{api_version}/plug-ins/file-openraster %{_libdir}/gimp/%{api_version}/plug-ins/foggify @@ -536,6 +530,9 @@ install -D -m0644 macros.gimp %{buildroot}%{_rpmconfigdir}/macros.d/macros.gimp %dir %{_libdir}/gimp/%{api_version}/extensions/org.gimp.extension.goat-exercises/locale %changelog +* Mon Oct 06 2025 Funda Wang - 2:3.0.6-1 +- update to version 3.0.6 + * Fri Sep 26 2025 yaoxin <1024769339@qq.com> - 2:3.0.4-2 - Fix CVE-2025-10920, CVE-2025-10922, CVE-2025-10923, CVE-2025-10924 and CVE-2025-10925