mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
gimp: patch CVE-2025-5473
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-5473 Pick the patch that resolved the relevant upstream bugreport: https://gitlab.gnome.org/GNOME/gimp/-/issues/13910 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
@@ -0,0 +1,38 @@
|
|||||||
|
From 9df9326e291876d4447558f710976d4830d19d2f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alx Sa <cmyk.student@gmail.com>
|
||||||
|
Date: Sat, 3 May 2025 14:13:46 +0000
|
||||||
|
Subject: [PATCH] plug-ins: ZDI-CAN-26752 mitigation
|
||||||
|
|
||||||
|
Resolves #13910
|
||||||
|
Since ICO can store PNGs, it's possible to create an
|
||||||
|
icon that's much larger than the stated image size and
|
||||||
|
cause a buffer overflow.
|
||||||
|
This patch adds a check to make sure the width * height * 4
|
||||||
|
calculation does not overflow in addition to making sure it
|
||||||
|
doesn't exceed the maximum allowed size for that icon.
|
||||||
|
|
||||||
|
CVE: CVE-2025-5473
|
||||||
|
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/c855d1df60ebaf5ef8d02807d448eb088f147a2b]
|
||||||
|
|
||||||
|
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||||
|
---
|
||||||
|
plug-ins/file-ico/ico-load.c | 6 +++++-
|
||||||
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
|
||||||
|
index 9a22299..818cf23 100644
|
||||||
|
--- a/plug-ins/file-ico/ico-load.c
|
||||||
|
+++ b/plug-ins/file-ico/ico-load.c
|
||||||
|
@@ -299,7 +299,11 @@ ico_read_png (FILE *fp,
|
||||||
|
png_read_info (png_ptr, info);
|
||||||
|
png_get_IHDR (png_ptr, info, &w, &h, &bit_depth, &color_type,
|
||||||
|
NULL, NULL, NULL);
|
||||||
|
- if (w*h*4 > maxsize)
|
||||||
|
+ /* Check for overflow */
|
||||||
|
+ if ((w * h * 4) < w ||
|
||||||
|
+ (w * h * 4) < h ||
|
||||||
|
+ (w * h * 4) < (w * h) ||
|
||||||
|
+ (w * h * 4) > maxsize)
|
||||||
|
{
|
||||||
|
png_destroy_read_struct (&png_ptr, &info, NULL);
|
||||||
|
return FALSE;
|
||||||
@@ -61,6 +61,7 @@ SRC_URI += "file://0001-gimp-cross-compile-fix-for-bz2.patch"
|
|||||||
SRC_URI += "file://0002-meson.build-reproducibility-fix.patch"
|
SRC_URI += "file://0002-meson.build-reproducibility-fix.patch"
|
||||||
SRC_URI += "file://0001-meson.build-dont-check-for-lgi.patch"
|
SRC_URI += "file://0001-meson.build-dont-check-for-lgi.patch"
|
||||||
SRC_URI += "file://0001-meson.build-require-iso-codes-native.patch"
|
SRC_URI += "file://0001-meson.build-require-iso-codes-native.patch"
|
||||||
|
SRC_URI += "file://0001-plug-ins-ZDI-CAN-26752-mitigation.patch"
|
||||||
SRC_URI[sha256sum] = "546ddc30cb2d0e79123c7fcb4d78211e1ee7a6aace91a6a0ad8cbcbf6ea571a2"
|
SRC_URI[sha256sum] = "546ddc30cb2d0e79123c7fcb4d78211e1ee7a6aace91a6a0ad8cbcbf6ea571a2"
|
||||||
|
|
||||||
PACKAGECONFIG[aa] = "-Daa=enabled,-Daa=disabled,aalib"
|
PACKAGECONFIG[aa] = "-Daa=enabled,-Daa=disabled,aalib"
|
||||||
|
|||||||
Reference in New Issue
Block a user