commit: fcc303d606c16b7f621341894d4220feefe3bc11 Author: Alfred Wingate <parona <AT> protonmail <DOT> com> AuthorDate: Mon Nov 3 17:08:02 2025 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Tue Nov 4 11:43:22 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fcc303d6
media-gfx/gimp: backport ZDI-CAN-27823 fix
Bug: https://bugs.gentoo.org/965334
Signed-off-by: Alfred Wingate <parona <AT> protonmail.com>
Part-of: https://github.com/gentoo/gentoo/pull/44451
Signed-off-by: Sam James <sam <AT> gentoo.org>
.../gimp/files/gimp-2.10.38-ZDI-CAN-27823.patch | 76 ++++++++++++++++++++++
...mp-2.10.38-r2.ebuild => gimp-2.10.38-r3.ebuild} | 1 +
2 files changed, 77 insertions(+)
diff --git a/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-27823.patch b/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-27823.patch
new file mode 100644
index 000000000000..95023eae1da5
--- /dev/null
+++ b/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-27823.patch
@@ -0,0 +1,76 @@
+https://bugs.gentoo.org/965334
+https://www.zerodayinitiative.com/advisories/ZDI-25-978/
+https://gitlab.gnome.org/GNOME/gimp/-/issues/14814
+https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2449
+https://gitlab.gnome.org/GNOME/gimp/-/commit/4eb106f2bff2d9b8e518aa455a884c6f38d70c6a
+
+From 345c79b73b1a6d0fbdc11ff86899a3d0a9c8c003 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema <[email protected]>
+Date: Wed, 3 Sep 2025 18:37:26 -0400
+Subject: [PATCH] plug-ins: fix ZDI-CAN-27823
+
+GIMP XWD File Parsing Heap-based Buffer Overflow Remote Code Execution
+Vulnerability.
+
+Check offset in colormap is valid before writing to it.
+
+Cherry-picked to 2.10 and modified to work correctly with this context:
+ea68d87b66ec53e3cc5073993bd84ed96ce59590
+44ebcee901f25180b8b9b04f6d26474919557f0d
+--- a/plug-ins/common/file-xwd.c
++++ b/plug-ins/common/file-xwd.c
+@@ -183,7 +183,8 @@ static gint32 load_xwd_f2_d8_b8 (const gchar *filename,
+ static gint32 load_xwd_f2_d16_b16 (const gchar *filename,
+ FILE *ifp,
+ L_XWDFILEHEADER *xwdhdr,
+- L_XWDCOLOR *xwdcolmap);
++ L_XWDCOLOR *xwdcolmap,
++ GError **error);
+ static gint32 load_xwd_f2_d24_b32 (const gchar *filename,
+ FILE *ifp,
+ L_XWDFILEHEADER *xwdhdr,
+@@ -581,7 +582,7 @@ load_image (const gchar *filename,
+ }
+ else if ((depth <= 16) && (bpp == 16))
+ {
+- image_ID = load_xwd_f2_d16_b16 (filename, ifp, &xwdhdr, xwdcolmap);
++ image_ID = load_xwd_f2_d16_b16 (filename, ifp, &xwdhdr, xwdcolmap, error);
+ }
+ else if ((depth <= 24) && ((bpp == 24) || (bpp == 32)))
+ {
+@@ -1543,7 +1544,8 @@ static gint32
+ load_xwd_f2_d16_b16 (const gchar *filename,
+ FILE *ifp,
+ L_XWDFILEHEADER *xwdhdr,
+- L_XWDCOLOR *xwdcolmap)
++ L_XWDCOLOR *xwdcolmap,
++ GError **error)
+ {
+ register guchar *dest, lsbyte_first;
+ gint width, height, linepad, i, j, c0, c1, ncols;
+@@ -1606,9 +1608,20 @@ load_xwd_f2_d16_b16 (const gchar *filename,
+ greenval = (green * 255) / maxgreen;
+ for (blue = 0; blue <= maxblue; blue++)
+ {
++ guint32 offset = ((red << redshift) + (green << greenshift)
++ (blue << blueshift)) * 3;
++
++ if (offset+2 >= maxval)
++ {
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("Invalid colormap offset. Possibly corrupt image."));
++ g_free (data);
++ g_free (ColorMap);
++ g_object_unref (buffer);
++ return -1;
++ }
+ blueval = (blue * 255) / maxblue;
+- cm = ColorMap + ((red << redshift) + (green << greenshift)
+- + (blue << blueshift)) * 3;
++ cm = ColorMap + offset;
+ *(cm++) = redval;
+ *(cm++) = greenval;
+ *cm = blueval;
+--
+2.51.2
+
diff --git a/media-gfx/gimp/gimp-2.10.38-r2.ebuild b/media-gfx/gimp/gimp-2.10.38-r3.ebuild
similarity index 99%
rename from media-gfx/gimp/gimp-2.10.38-r2.ebuild
rename to media-gfx/gimp/gimp-2.10.38-r3.ebuild
index 56e34cc0e333..7cefe19fa9e8 100644
--- a/media-gfx/gimp/gimp-2.10.38-r2.ebuild
+++ b/media-gfx/gimp/gimp-2.10.38-r3.ebuild
@@ -97,6 +97,7 @@ PATCHES=(
 "${FILESDIR}/${PN}-2.10_fix_configure_GCC13_implicit_function_declarations.patch" #899796
 "${FILESDIR}/${PN}-2.10.36_c99_tiff.patch" #919282
 "${FILESDIR}/${PN}-2.10.36_c99_metadata.patch" #919282
+ "${FILESDIR}/${PN}-2.10.38-ZDI-CAN-27823.patch" #965334
 )
 
 src_prepare() {
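Review bot: The guard `if (offset+2 >= maxval)` in the last hunk of file-xwd.c runs only after `offset` has been formed as `((red << redshift) + (green << greenshift) + (blue << blueshift)) * 3` in 32-bit arithmetic, so if the header-derived shift values can push that sum past 32 bits (their types and bounds are declared outside the hunk, so this is inferred rather than seen), the product wraps before the comparison and the check no longer describes the bytes the three writes at `offset..offset+2` actually touch; `offset+2` itself also wraps for the two largest `guint32` values. A more robust form computes the index in a wider type and compares without the addition: `guint64 offset = (((guint64) red << redshift) + ((guint64) green << greenshift) + ((guint64) blue << blueshift)) * 3;` followed by `if (maxval < 3 || offset > (guint64) maxval - 3)`. A one-line comment above the guard, e.g. `/* three bytes (r,g,b) are written at ColorMap[offset]; maxval is the allocated size of ColorMap in bytes */`, would make the invariant explicit, assuming maxval is indeed that size (it is defined outside the hunk). The body of load_xwd_f2_d16_b16 continues past the end of the hunk, so the other early-return paths it should stay consistent with are not visible here.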
