commit: 0a30d862acf29fc8e87d90e1af5be280920405fc Author: Alfred Wingate <parona <AT> protonmail <DOT> com> AuthorDate: Wed Jan 28 17:47:12 2026 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Thu Jan 29 17:12:58 2026 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a30d862
media-gfx/gimp: backport vulnerability fixes Keep the old revision around just in case due to how many patches got backported. Bug: https://bugs.gentoo.org/969287 Bug: https://bugs.gentoo.org/969286 Signed-off-by: Alfred Wingate <parona <AT> protonmail.com> Part-of: https://github.com/gentoo/gentoo/pull/45563 Signed-off-by: Sam James <sam <AT> gentoo.org> .../gimp/files/gimp-2.10.38-ZDI-CAN-27863.patch | 149 +++++++++++++ .../gimp/files/gimp-2.10.38-ZDI-CAN-28158.patch | 28 +++ .../gimp/files/gimp-2.10.38-ZDI-CAN-28232.patch | 34 +++ .../gimp/files/gimp-2.10.38-ZDI-CAN-28248.patch | 82 +++++++ .../gimp/files/gimp-2.10.38-ZDI-CAN-28265.patch | 40 ++++ .../gimp/files/gimp-2.10.38-ZDI-CAN-28273.patch | 64 ++++++ .../gimp/files/gimp-2.10.38-ZDI-CAN-28591.patch | 88 ++++++++ .../gimp/files/gimp-2.10.38-ZDI-CAN-28599.patch | 89 ++++++++ .../gimp/files/gimp-2.10.38-fix-psp-overflow.patch | 46 ++++ media-gfx/gimp/gimp-2.10.38-r4.ebuild | 245 +++++++++++++++++++++ 10 files changed, 865 insertions(+) diff --git a/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-27863.patch b/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-27863.patch new file mode 100644 index 000000000000..47d24434779c --- /dev/null +++ b/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-27863.patch 
@@ -0,0 +1,149 @@ +https://bugs.gentoo.org/969286 +https://www.zerodayinitiative.com/advisories/ZDI-25-911/ +https://gitlab.gnome.org/GNOME/gimp/-/issues/14811 +https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2444 +https://gitlab.gnome.org/GNOME/gimp/-/commit/0f309f9a8d82f43fa01383bc5a5c41d28727d9e3 + +From ea423250c1f3dca4a1cea15e2644c5b04fda478b Mon Sep 17 00:00:00 2001 +From: Jacob Boerema <[email protected]> +Date: Wed, 3 Sep 2025 13:31:45 -0400 +Subject: [PATCH] plug-ins: fix dicom plug-in ZDI-CAN-27863 + +GIMP DCM File Parsing Heap-based Buffer Overflow Remote Code Execution +Vulnerability + +This adds more safety checks and sets actual GError's instead of just +calling gimp_quit. + +Cherry-picked from 3d909166463731e94dfe62042d76225ecfc4c1e4 + +Cherry-picked to 2.10 and modified to work correctly with this context: +6bca8c4f8970d976c731463f938ae39df3c3fd4c +72df7883ef503bc81a2e1498bfcb842dd97da221 +--- a/plug-ins/common/file-dicom.c ++++ b/plug-ins/common/file-dicom.c +@@ -330,6 +330,7 @@ load_image (const gchar *filename, + gint bits_stored = 0; + gint high_bit = 0; + guint8 *pix_buf = NULL; ++ guint64 pixbuf_size = 0; + gboolean is_signed = FALSE; + guint8 in_sequence = 0; + gboolean implicit_encoding = FALSE; +@@ -385,6 +386,7 @@ load_image (const gchar *filename, + guint16 ctx_us; + guint8 *value; + guint32 tag; ++ size_t actual_read; + + if (fread (&group_word, 1, 2, DICOM) == 0) + break; +@@ -489,15 +491,24 @@ load_image (const gchar *filename, + + if (element_length >= (G_MAXUINT - 6)) + { +- g_message ("'%s' seems to have an incorrect value field length.", +- gimp_filename_to_utf8 (filename)); +- gimp_quit (); ++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, ++ _("'%s' has an an incorrect value for field size. Possibly corrupt image."), ++ gimp_filename_to_utf8 (filename)); ++ g_free (dicominfo); ++ fclose (DICOM); ++ return -1; + } + + /* Read contents. Allocate a bit more to make room for casts to int + below. 
*/ + value = g_new0 (guint8, element_length + 4); +- fread (value, 1, element_length, DICOM); ++ actual_read = fread (value, 1, element_length, DICOM); ++ if (actual_read < element_length) ++ { ++ g_warning ("Missing data: needed %u bytes, got %u. Possibly corrupt image.", ++ element_length, (guint32) actual_read); ++ element_length = actual_read; ++ } + + /* ignore everything inside of a sequence */ + if (in_sequence) +@@ -510,7 +521,7 @@ load_image (const gchar *filename, + if (big_endian && group_word != 0x0002) + ctx_us = GUINT16_SWAP_LE_BE (ctx_us); + +- g_debug ("group: %04x, element: %04x, length: %d", ++ g_debug ("group: %04x, element: %04x, length: %u", + group_word, element_word, element_length); + g_debug ("Value: %s", (char*)value); + /* Recognize some critical tags */ +@@ -644,6 +655,7 @@ load_image (const gchar *filename, + if (group_word == 0x7fe0 && element_word == 0x0010) + { + pix_buf = value; ++ pixbuf_size = element_length; + } + else + { +@@ -674,25 +686,50 @@ load_image (const gchar *filename, + } + } + ++ g_debug ("Bpp: %d, wxh: %u x %u, spp: %d\n", bpp, width, height, samples_per_pixel); ++ + if ((bpp != 8) && (bpp != 16)) + { +- g_message ("'%s' has a bpp of %d which GIMP cannot handle.", +- gimp_filename_to_utf8 (filename), bpp); +- gimp_quit (); ++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, ++ _("'%s' has a bpp of %d which GIMP cannot handle."), ++ gimp_filename_to_utf8 (filename), bpp); ++ g_free (pix_buf); ++ g_free (dicominfo); ++ fclose (DICOM); ++ return -1; + } + + if ((width > GIMP_MAX_IMAGE_SIZE) || (height > GIMP_MAX_IMAGE_SIZE)) + { +- g_message ("'%s' has a larger image size (%d x %d) than GIMP can handle.", +- gimp_filename_to_utf8 (filename), width, height); +- gimp_quit (); ++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, ++ _("'%s' has a larger image size (%d x %d) than GIMP can handle."), ++ gimp_filename_to_utf8 (filename), width, height); ++ g_free (pix_buf); ++ g_free (dicominfo); ++ fclose (DICOM); ++ return -1; + } + + 
if (samples_per_pixel > 3) + { +- g_message ("'%s' has samples per pixel of %d which GIMP cannot handle.", +- gimp_filename_to_utf8 (filename), samples_per_pixel); +- gimp_quit (); ++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, ++ _("'%s' has samples per pixel of %d which GIMP cannot handle."), ++ gimp_filename_to_utf8 (filename), samples_per_pixel); ++ g_free (pix_buf); ++ g_free (dicominfo); ++ fclose (DICOM); ++ return -1; ++ } ++ ++ if ((guint64) width * height * (bpp >> 3) * samples_per_pixel > pixbuf_size) ++ { ++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, ++ _("'%s' has not enough pixel data. Possibly corrupt image."), ++ gimp_filename_to_utf8 (filename)); ++ g_free (pix_buf); ++ g_free (dicominfo); ++ fclose (DICOM); ++ return -1; + } + + dicominfo->width = width; +-- +2.52.0 + diff --git a/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28158.patch b/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28158.patch new file mode 100644 index 000000000000..0d481e86f2f1 --- /dev/null +++ b/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28158.patch 
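Review bot: The first added error return, the `element_length >= (G_MAXUINT - 6)` branch, frees `dicominfo` and closes `DICOM` but never frees `pix_buf`, whereas the three later returns do; if the element loop keeps reading after the pixel-data element (where `pix_buf = value` is assigned), a malformed element after it leaks the pixel buffer, so that branch should also read `g_free (pix_buf); g_free (dicominfo); fclose (DICOM); return -1;`. The four identical cleanup sequences would be better expressed as one `goto` cleanup label at the end of load_image, whose body lies outside the hunk. The new user-facing string has a doubled word, `_("'%s' has an an incorrect value for field size. Possibly corrupt image.")`, and should read `has an incorrect value`.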
@@ -0,0 +1,28 @@
+https://bugs.gentoo.org/969287
+https://gitlab.gnome.org/GNOME/gimp/-/issues/15287
+https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2569
+https://gitlab.gnome.org/GNOME/gimp/-/commit/112a5e038f0646eae5ae314988ec074433d2b365
+
+From 90716a8407adc9c4683b556422594d4590e83b69 Mon Sep 17 00:00:00 2001
+From: Gabriele Barbero <[email protected]>
+Date: Fri, 5 Dec 2025 19:13:01 +0100
+Subject: [PATCH] ZDI-CAN-28158: use g_malloc0 instead of g_malloc
+
+To avoid accessing uninitialized memory, replace calls to g_malloc with
+g_malloc0 which initializes the allocated memory to zero.
+
+Cherry-picked from 112a5e038f0646eae5ae314988ec074433d2b365
+--- a/plug-ins/common/file-pnm.c
++++ b/plug-ins/common/file-pnm.c
+@@ -571,7 +571,7 @@ load_image (GFile *file,
+ return -1;
+
+ /* allocate the necessary structures */
+- pnminfo = g_new (PNMInfo, 1);
++ pnminfo = g_new0 (PNMInfo, 1);
+
+ scan = NULL;
+ /* set error handling */
+--
+2.52.0
+
diff --git a/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28232.patch b/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28232.patch
new file mode 100644
index 000000000000..b643f6094991
--- /dev/null
+++ b/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28232.patch
@@ -0,0 +1,34 @@
+https://bugs.gentoo.org/969287
+https://www.zerodayinitiative.com/advisories/ZDI-25-1196/
+https://gitlab.gnome.org/GNOME/gimp/-/issues/15284
+https://gitlab.gnome.org/GNOME/gimp/-/commit/03575ac8cbb0ef3103b0a15d6598475088dcc15e
+
+From 112f04950ff06a0ccf548f9a7fd49bd63aaf8b58 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema <[email protected]>
+Date: Sat, 20 Dec 2025 10:10:48 -0500
+Subject: [PATCH] plug-ins: fix #15284 ZDI-CAN-28232 vulnerability in
+ file-psp
+
+We were not checking whether channel types were valid for grayscale
+images. Using a blue color channel caused an invalid computation of
+the offset which could cause us to access an invalid memory location.
+
+Now we separate RGB from non-RGB images when checking which channels
+are valid, and if not return with an error.
+
+Cherry-picked from 03575ac8cbb0ef3103b0a15d6598475088dcc15e
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -2020,7 +2020,8 @@ read_layer_block (FILE *f,
+ }
+ else
+ {
+- if (channel_type > PSP_CHANNEL_BLUE)
++ if ((ia->base_type == GIMP_RGB && channel_type > PSP_CHANNEL_BLUE) ||
++ (ia->base_type != GIMP_RGB && channel_type >= PSP_CHANNEL_RED))
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("Invalid channel type %d in channel information chunk"),
+--
+2.52.0
+
diff --git a/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28248.patch b/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28248.patch
new file mode 100644
index 000000000000..70ab57c39b97
--- /dev/null
+++ b/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28248.patch
@@ -0,0 +1,82 @@ +https://bugs.gentoo.org/969287 +https://www.zerodayinitiative.com/advisories/ZDI-25-1139/ +https://gitlab.gnome.org/GNOME/gimp/-/issues/15285 +https://gitlab.gnome.org/GNOME/gimp/-/commit/cd1c88a0364ad1444c06536731972a99bd8643fd + +From e337ed744103c424cc4a069769bcb6328742566d Mon Sep 17 00:00:00 2001 +From: Alx Sa <[email protected]> +Date: Wed, 12 Nov 2025 13:25:44 +0000 +Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28248 for JP2 images + +Resolves #15285 +Per the report, it's possible to exceed the size of the pixel buffer +with a high precision_scaled value, as we size it to the width * bpp. +This patch includes precision_scaled in the allocation calculation. +It also adds a g_size_checked_mul () check to ensure there's no +overflow, and moves the pixel and buffer memory freeing to occur +in the out section so that it always runs even on failure. + +Cherry-picked from cd1c88a0364ad1444c06536731972a99bd8643fd + +Cherry-picked to 2.10 and modified to work correctly with this context +6bca8c4f8970d976c731463f938ae39df3c3fd4c +19c57a9765ac3451c9cde94ccb06bec5ae06fbd8 +--- a/plug-ins/common/file-jp2-load.c ++++ b/plug-ins/common/file-jp2-load.c +@@ -1050,14 +1050,15 @@ load_image (const gchar *filename, + GimpColorProfile *profile; + gint32 image_ID; + gint32 layer_ID; ++ GeglBuffer *buffer = NULL; ++ guchar *pixels = NULL; ++ gsize pixels_size; + GimpImageType image_type; + GimpImageBaseType base_type; + gint width; + gint height; + gint num_components; +- GeglBuffer *buffer; + gint i, j, k, it; +- guchar *pixels; + const Babl *file_format; + gint bpp; + GimpPrecision image_precision; +@@ -1298,7 +1299,16 @@ load_image (const gchar *filename, + bpp = babl_format_get_bytes_per_pixel (file_format); + + buffer = gimp_drawable_get_buffer (layer_ID); +- pixels = g_new0 (guchar, width * bpp); ++ ++ if (! 
g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8)))) ++ { ++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, ++ _("Defined row size is too large in JP2 image '%s'."), ++ gimp_filename_to_utf8 (filename)); ++ goto out; ++ } ++ pixels = g_new0 (guchar, pixels_size); ++ + + for (i = 0; i < height; i++) + { +@@ -1324,13 +1334,13 @@ load_image (const gchar *filename, + gegl_buffer_set (buffer, GEGL_RECTANGLE (0, i, width, 1), 0, + file_format, pixels, GEGL_AUTO_ROWSTRIDE); + } +- +- g_free (pixels); +- +- g_object_unref (buffer); + gimp_progress_update (1.0); + + out: ++ if (pixels) ++ g_free (pixels); ++ if (buffer) ++ g_object_unref (buffer); + if (profile) + g_object_unref (profile); + if (image) +-- +2.52.0 + diff --git a/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28265.patch b/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28265.patch new file mode 100644 index 000000000000..59cad581aa02 --- /dev/null +++ b/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28265.patch 
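Review bot: The row size is computed as `bpp * (precision_scaled / 8)`, so any `precision_scaled` below 8 makes the multiplier zero, `pixels_size` zero, and `g_new0 (guchar, 0)` yields NULL in `pixels` for the row loop that follows; the range of precision_scaled is established outside the hunk, so if values below 8 are reachable the guard should also reject them, e.g. `if (precision_scaled < 8 || ! g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8))))`. In the `out:` section the added `if (pixels) g_free (pixels);` guard is redundant since `g_free (NULL)` is a no-op, while the `if (buffer)` guard before `g_object_unref` is needed; dropping the first keeps the two cases visibly distinct. load_image's body continues outside the hunk.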
@@ -0,0 +1,40 @@
+https://bugs.gentoo.org/969287
+https://gitlab.gnome.org/GNOME/gimp/-/issues/15293
+https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2597
+https://gitlab.gnome.org/GNOME/gimp/-/commit/68b27dfb1cbd9b3f22d7fa624dbab8647ee5f275
+
+From 8092982213651dcab8b6b76730d0d2a7c147a448 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema <[email protected]>
+Date: Thu, 15 Jan 2026 10:12:07 -0500
+Subject: [PATCH] plug-ins: fix #15293 security issue ZDI-CAN-28265
+
+Just like we did in commit 4eb106f2bff2d9b8e518aa455a884c6f38d70c6a
+we need to make sure that the offset in the colormap is valid before
+using it, before using it to compute the RGB values.
+
+Cherry-picked from 68b27dfb1cbd9b3f22d7fa624dbab8647ee5f275
+
+Cherry-picked to 2.10 and modified to work correctly with this context:
+44ebcee901f25180b8b9b04f6d26474919557f0d
+--- a/plug-ins/common/file-xwd.c
++++ b/plug-ins/common/file-xwd.c
+@@ -1637,7 +1637,15 @@ load_xwd_f2_d16_b16 (const gchar *filename,
+
+ for (j = 0; j < ncols; j++)
+ {
+- cm = ColorMap + xwdcolmap[j].l_pixel * 3;
++ goffset offset = xwdcolmap[j].l_pixel * 3;
++
++ if (offset+2 >= maxval)
++ {
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("Invalid colormap offset. Possibly corrupt image."));
++ return -1;
++ }
++ cm = ColorMap + offset;
+ *(cm++) = (xwdcolmap[j].l_red >> 8);
+ *(cm++) = (xwdcolmap[j].l_green >> 8);
+ *cm = (xwdcolmap[j].l_blue >> 8);
+--
+2.52.0
+
diff --git a/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28273.patch b/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28273.patch
new file mode 100644
index 000000000000..9b7f3256b2c5
--- /dev/null
+++ b/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28273.patch
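Review bot: The guard `if (offset+2 >= maxval)` only rejects offsets at or past the top of the colormap; `goffset` is signed and a negative `offset` passes the check unhindered, so it should read `if (offset < 0 || offset + 2 >= maxval)`. Whether a negative value is reachable depends on the declared type of `l_pixel`, which is outside the hunk: `xwdcolmap[j].l_pixel * 3` is evaluated in that type before the conversion to goffset, so a wide unsigned field can wrap and convert to a negative offset, and writing `(goffset) xwdcolmap[j].l_pixel * 3` keeps the product in 64-bit arithmetic. The enclosing loop and the definition of `maxval` lie outside the hunk.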
@@ -0,0 +1,64 @@ +https://bugs.gentoo.org/969287 +https://www.zerodayinitiative.com/advisories/ZDI-CAN-28273/ +https://gitlab.gnome.org/GNOME/gimp/-/issues/15286 +https://gitlab.gnome.org/GNOME/gimp/-/commit/4ff2d773d58064e6130495de498e440f4a6d5edb + +From 62389832a62f6df8a1fca9cbd197b5441b0e32f5 Mon Sep 17 00:00:00 2001 +From: Alx Sa <[email protected]> +Date: Sun, 23 Nov 2025 16:43:51 +0000 +Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273 + +Resolves #15286 +Adds a check to the memory allocation +in pnm_load_raw () with g_size_checked_mul () +to see if the size would go out of bounds. +If so, we don't try to allocate and load the +image. + +Cherry-picked from 4ff2d773d58064e6130495de498e440f4a6d5edb +--- a/plug-ins/common/file-pnm.c ++++ b/plug-ins/common/file-pnm.c +@@ -554,7 +554,7 @@ load_image (GFile *file, + GError **error) + { + GInputStream *input; +- GeglBuffer *buffer; ++ GeglBuffer *buffer = NULL; + gint32 volatile image_ID = -1; + gint32 layer_ID; + char buf[BUFLEN + 4]; /* buffer for random things like scanning */ +@@ -584,6 +584,9 @@ load_image (GFile *file, + g_object_unref (input); + g_free (pnminfo); + ++ if (buffer) ++ g_object_unref (buffer); ++ + if (image_ID != -1) + gimp_image_delete (image_ID); + +@@ -819,6 +822,7 @@ pnm_load_raw (PNMScanner *scan, + GInputStream *input; + gint bpc; + guchar *data, *d; ++ gsize data_size; + gushort *s; + gint x, y, i; + gint start, end, scanlines; +@@ -829,7 +833,12 @@ pnm_load_raw (PNMScanner *scan, + bpc = 1; + + /* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */ +- data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc); ++ if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) || ++ ! g_size_checked_mul (&data_size, data_size, info->np) || ++ ! 
g_size_checked_mul (&data_size, data_size, bpc)) ++ CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value.")); ++ ++ data = g_new (guchar, data_size); + + input = pnmscanner_input (scan); + +-- +2.52.0 + diff --git a/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28591.patch b/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28591.patch new file mode 100644 index 000000000000..9f09e703d871 --- /dev/null +++ b/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28591.patch 
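Review bot: The context comment kept above the new allocation, `/* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */`, is now stale because the product is checked explicitly with `g_size_checked_mul ()`; replace it with `/* Size is checked with g_size_checked_mul (); overflow is reported as an error. */`. The message raised on that failure, `_("Unsupported maximum value.")`, describes an unrelated condition, so someone reading the error cannot tell it came from an oversized image; a string such as `_("Image dimensions are too large.")` would be clearer, at the cost of a new translatable string. In load_image the added `if (buffer) g_object_unref (buffer);` in the cleanup is only safe if no success path has already released `buffer` without resetting it to NULL, and that path lies outside the hunk.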
@@ -0,0 +1,88 @@ +https://bugs.gentoo.org/969287 +https://gitlab.gnome.org/GNOME/gimp/-/issues/15554 +https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2586 +https://gitlab.gnome.org/GNOME/gimp/-/commit/57712677007793118388c5be6fb8231f22a2b341 + +From df7e93ad6223caa3d5d2d9cfc1a5019dcba3cde3 Mon Sep 17 00:00:00 2001 +From: Alx Sa <[email protected]> +Date: Wed, 31 Dec 2025 14:45:15 +0000 +Subject: [PATCH] plug-ins: Add OoB check for loading XWD + +Resolves #15554 +This patch adds a check for if our pointer arithmetic +exceeds the memory allocated for the dest array. If so, +we throw an error rather than access memory outside +the bounds. + +Cherry-picked from 57712677007793118388c5be6fb8231f22a2b341 +--- a/plug-ins/common/file-xwd.c ++++ b/plug-ins/common/file-xwd.c +@@ -2116,6 +2116,7 @@ load_xwd_f1_d24_b1 (const gchar *filename, + gulong redmask, greenmask, bluemask; + guint redshift, greenshift, blueshift; + gulong g; ++ guint32 maxval; + guchar redmap[256], greenmap[256], bluemap[256]; + guchar bit_reverse[256]; + guchar *xwddata, *xwdin, *data; +@@ -2206,7 +2207,8 @@ load_xwd_f1_d24_b1 (const gchar *filename, + &layer_ID, &buffer); + + tile_height = gimp_tile_height (); +- data = g_malloc (tile_height * width * bytes_per_pixel); ++ data = g_malloc (tile_height * width * bytes_per_pixel); ++ maxval = tile_height * width * bytes_per_pixel; + + ncols = xwdhdr->l_colormap_entries; + if (xwdhdr->l_ncolors < ncols) +@@ -2231,6 +2233,8 @@ load_xwd_f1_d24_b1 (const gchar *filename, + + for (tile_start = 0; tile_start < height; tile_start += tile_height) + { ++ guint current_dest = 0; ++ + memset (data, 0, width*tile_height*bytes_per_pixel); + + tile_end = tile_start + tile_height - 1; +@@ -2254,7 +2258,18 @@ load_xwd_f1_d24_b1 (const gchar *filename, + else /* 3 bytes per pixel */ + { + fromright = xwdhdr->l_pixmap_depth-1-plane; +- dest += 2 - fromright/8; ++ ++ current_dest += 2 - fromright / 8; ++ if (current_dest < maxval) ++ { ++ dest += 2 - fromright / 8; ++ 
} ++ else ++ { ++ err = 1; ++ break; ++ } ++ + outmask = (1 << (fromright % 8)); + } + +@@ -2309,7 +2324,17 @@ load_xwd_f1_d24_b1 (const gchar *filename, + + if (g & inmask) + *dest |= outmask; +- dest += bytes_per_pixel; ++ ++ current_dest += bytes_per_pixel; ++ if (current_dest < maxval) ++ { ++ dest += bytes_per_pixel; ++ } ++ else ++ { ++ err = 1; ++ break; ++ } + + inmask >>= 1; + } +-- +2.52.0 + diff --git a/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28599.patch b/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28599.patch new file mode 100644 index 000000000000..13520ca29dbf --- /dev/null +++ b/media-gfx/gimp/files/gimp-2.10.38-ZDI-CAN-28599.patch 
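Review bot: Both added guards set `err = 1` and `break`, which only leaves the innermost loop; whether the enclosing tile loop stops on `err` before the next `memset (data, 0, ...)` and further writes is outside the hunk and needs confirming, otherwise the bounds check merely truncates one plane rather than aborting the load. The two advance-and-check sequences differ only in the step (`2 - fromright / 8` versus `bytes_per_pixel`) and could be one small static helper that advances `dest` and `current_dest` together and returns FALSE when the step would leave the buffer, which also keeps the two counters from drifting apart. `current_dest` is a `guint` while `2 - fromright / 8` is signed, so the first guard assumes that term is never negative (`fromright` below 24); the validation of `l_pixmap_depth` that feeds it is not visible here.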
@@ -0,0 +1,89 @@ +https://gitlab.gnome.org/GNOME/gimp/-/issues/15555 +https://gitlab.gnome.org/GNOME/gimp/-/commit/c54bf22acb04b83ae38ed50add58f300e898dd81 + +From e7d10ae2d8c2d96dd838fdec754eaf255e1d1d97 Mon Sep 17 00:00:00 2001 +From: Alx Sa <[email protected]> +Date: Fri, 26 Dec 2025 15:49:45 +0000 +Subject: [PATCH] plug-ins: Add more fread () checks in ICO loading + +Resolves #15555 + +This patch adds some guards for ico_read_int8 (), +which was used for loading palettes and maps +without verifying that it returned the same number +of bytes as what it tried to read in. + +Cherry-picked from c54bf22acb04b83ae38ed50add58f300e898dd81 +--- a/plug-ins/file-ico/ico-load.c ++++ b/plug-ins/file-ico/ico-load.c +@@ -69,7 +69,9 @@ ico_read_int32 (FILE *fp, + total = count; + if (count > 0) + { +- ico_read_int8 (fp, (guint8 *) data, count * 4); ++ if (ico_read_int8 (fp, (guint8 *) data, count * 4) != (count * 4)) ++ return FALSE; ++ + for (i = 0; i < count; i++) + data[i] = GUINT32_FROM_LE (data[i]); + } +@@ -88,7 +90,9 @@ ico_read_int16 (FILE *fp, + total = count; + if (count > 0) + { +- ico_read_int8 (fp, (guint8 *) data, count * 2); ++ if (ico_read_int8 (fp, (guint8 *) data, count * 2) != (count * 2)) ++ return FALSE; ++ + for (i = 0; i < count; i++) + data[i] = GUINT16_FROM_LE (data[i]); + } +@@ -109,8 +113,8 @@ ico_read_int8 (FILE *fp, + while (count > 0) + { + bytes = fread ((gchar *) data, sizeof (gchar), count, fp); +- if (bytes <= 0) /* something bad happened */ +- break; ++ if (bytes != count) /* something bad happened */ ++ return -1; + + count -= bytes; + data += bytes; +@@ -481,16 +485,31 @@ ico_read_icon (FILE *fp, + data.used_clrs, data.bpp)); + + palette = g_new0 (guint32, data.used_clrs); +- ico_read_int8 (fp, (guint8 *) palette, data.used_clrs * 4); ++ if (ico_read_int8 (fp, ++ (guint8 *) palette, ++ data.used_clrs * 4) != (data.used_clrs * 4)) ++ { ++ D(("skipping image: too large\n")); ++ return FALSE; ++ } ++ + } + + xor_map = ico_alloc_map (w, h, 
data.bpp, &length); +- ico_read_int8 (fp, xor_map, length); ++ if (ico_read_int8 (fp, xor_map, length) != length) ++ { ++ D(("skipping image: too large\n")); ++ return FALSE; ++ } + D((" length of xor_map: %i\n", length)); + + /* Read in and_map. It's padded out to 32 bits per line: */ + and_map = ico_alloc_map (w, h, 1, &length); +- ico_read_int8 (fp, and_map, length); ++ if (! ico_read_int8 (fp, and_map, length) != length) ++ { ++ D(("skipping image: too large\n")); ++ return FALSE; ++ } + D((" length of and_map: %i\n", length)); + + dest_vec = (guint32 *) buf; +-- +2.52.0 + diff --git a/media-gfx/gimp/files/gimp-2.10.38-fix-psp-overflow.patch b/media-gfx/gimp/files/gimp-2.10.38-fix-psp-overflow.patch new file mode 100644 index 000000000000..20805a356f53 --- /dev/null +++ b/media-gfx/gimp/files/gimp-2.10.38-fix-psp-overflow.patch 
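Review bot: The third guard is inverted: `if (! ico_read_int8 (fp, and_map, length) != length)` negates the byte count before comparing, so the condition is `(0 or 1) != length` and every and_map read with a length other than 0 or 1 is rejected; it should read `if (ico_read_int8 (fp, and_map, length) != length)` like the xor_map check just above it. Each of the three new `return FALSE` paths in ico_read_icon leaves `palette`, `xor_map` or `and_map` allocated with no free visible in the hunk; unless the caller owns them, rejected images leak those buffers. The debug text `skipping image: too large` is reused for what is now a short read, so a message naming the truncated map would help when diagnosing a rejected file.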
@@ -0,0 +1,46 @@
+https://gitlab.gnome.org/GNOME/gimp/-/issues/15732
+https://gitlab.gnome.org/GNOME/gimp/-/commit/d9d0f5b4e642dd5b101e70728042027d568bb01d
+
+From 12eb87a32d70556fb413c0741ed38fd89fc96447 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema <[email protected]>
+Date: Fri, 23 Jan 2026 11:35:50 -0500
+Subject: [PATCH] plug-ins: Fix #15732 PSP File Parsing Integer
+ Overflow...
+
+Leading to Heap Corruption
+
+An integer overflow vulnerability has been identified in the PSP
+(Paint Shop Pro) file parser of GIMP. The issue occurs in the
+read_creator_block() function, where the Creator metadata block is
+processed. Specifically, a 32-bit length value read from the file is
+used directly for memory allocation without proper validation.
+Trigger -> when length is set to 0xFFFFFFFF
+
+To fix this, we check that using that length doesn't exceed the end
+of the creator block. If it does, we return with an error message.
+
+Cherry-picked from d9d0f5b4e642dd5b101e70728042027d568bb01d
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -983,7 +983,17 @@ read_creator_block (FILE *f,
+ }
+ keyword = GUINT16_FROM_LE (keyword);
+ length = GUINT32_FROM_LE (length);
+- switch (keyword)
++
++ if ((goffset) ftell (f) + length > (goffset) data_start + total_len)
++ {
++ /* FIXME: After string freeze is over, we should consider changing
++ * this error message to be a bit more descriptive. */
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("Error reading creator keyword data"));
++ return -1;
++ }
++
++ switch (keyword)
+ {
+ case PSP_CRTR_FLD_TITLE:
+ case PSP_CRTR_FLD_ARTIST:
+--
+2.52.0
+
diff --git a/media-gfx/gimp/gimp-2.10.38-r4.ebuild b/media-gfx/gimp/gimp-2.10.38-r4.ebuild
new file mode 100644
index 000000000000..c3d87cbe5017
--- /dev/null
+++ b/media-gfx/gimp/gimp-2.10.38-r4.ebuild
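Review bot: `ftell (f)` in the new bound check is used without testing for failure; on error it returns -1, so `(goffset) ftell (f) + length` silently becomes `length - 1`, which loosens the bound by a byte and hides the I/O error instead of reporting it. Capture the position first: `goffset pos = ftell (f); if (pos < 0 || pos + length > (goffset) data_start + total_len)`. The types of `data_start` and `total_len`, and where `total_len` itself was validated against the file size, are outside the hunk.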
@@ -0,0 +1,245 @@ +# Copyright 1999-2026 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 +GNOME2_EAUTORECONF=yes +WANT_AUTOMAKE= + +inherit autotools flag-o-matic gnome2 toolchain-funcs virtualx + +DESCRIPTION="GNU Image Manipulation Program" +HOMEPAGE="https://www.gimp.org/" +SRC_URI="mirror://gimp/v$(ver_cut 1-2)/${P}.tar.bz2" +LICENSE="GPL-3+ LGPL-3+" +SLOT="0/2" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~ppc ~ppc64 ~riscv ~x86" + +IUSE="aalib alsa aqua debug doc gnome heif jpeg2k jpegxl mng openexr postscript udev unwind vector-icons webp wmf xpm cpu_flags_ppc_altivec cpu_flags_x86_mmx cpu_flags_x86_sse" + +RESTRICT="!test? ( test )" + +COMMON_DEPEND=" + >=app-accessibility/at-spi2-core-2.50.1 + app-arch/bzip2 + app-arch/xz-utils + >=app-text/poppler-0.50[cairo] + >=app-text/poppler-data-0.4.7 + >=dev-libs/glib-2.56.2:2 + >=dev-libs/json-glib-1.2.6 + >=gnome-base/librsvg-2.40.6:2 + >=media-gfx/mypaint-brushes-1.3.1:1.0= + >=media-libs/babl-0.1.98 + >=media-libs/fontconfig-2.12.4 + >=media-libs/freetype-2.1.7 + >=media-libs/gegl-0.4.40:0.4[cairo] + <media-libs/gexiv2-0.15.0 + >=media-libs/gexiv2-0.10.6 + >=media-libs/harfbuzz-0.9.19:= + >=media-libs/lcms-2.8:2 + media-libs/libjpeg-turbo:= + >=media-libs/libmypaint-1.6.1:= + >=media-libs/libpng-1.6.25:0= + >=media-libs/tiff-3.5.7:= + net-libs/glib-networking[ssl] + virtual/zlib:= + >=x11-libs/cairo-1.12.2 + >=x11-libs/gdk-pixbuf-2.31:2 + >=x11-libs/gtk+-2.24.32:2 + x11-libs/libX11 + x11-libs/libXcursor + x11-libs/libXext + x11-libs/libXfixes + x11-libs/libXmu + >=x11-libs/pango-1.29.4 + aalib? ( media-libs/aalib ) + alsa? ( >=media-libs/alsa-lib-1.0.0 ) + aqua? ( >=x11-libs/gtk-mac-integration-2.0.0 ) + heif? ( >=media-libs/libheif-1.9.1:= ) + jpeg2k? ( >=media-libs/openjpeg-2.1.0:2= ) + jpegxl? ( >=media-libs/libjxl-0.7.0:= ) + mng? ( media-libs/libmng:= ) + openexr? ( >=media-libs/openexr-1.6.1:= ) + postscript? ( app-text/ghostscript-gpl:= ) + udev? 
( dev-libs/libgudev ) + unwind? ( >=sys-libs/libunwind-1.1.0:= ) + webp? ( >=media-libs/libwebp-0.6.0:= ) + wmf? ( >=media-libs/libwmf-0.2.8 ) + xpm? ( x11-libs/libXpm ) +" + +RDEPEND=" + ${COMMON_DEPEND} + x11-themes/hicolor-icon-theme + gnome? ( gnome-base/gvfs ) +" + +DEPEND=" + ${COMMON_DEPEND} + dev-libs/libxml2:2= + dev-libs/libxslt +" + +BDEPEND=" + >=dev-build/gtk-doc-am-1 + >=dev-lang/perl-5.10.0 + dev-libs/appstream-glib + dev-util/gtk-update-icon-cache + >=dev-util/intltool-0.40.1 + >=sys-devel/gettext-0.19.8 + >=dev-build/libtool-2.2 + virtual/pkgconfig +" + +DOCS=( "AUTHORS" "ChangeLog" "HACKING" "NEWS" "README" "README.i18n" ) + +PATCHES=( + "${FILESDIR}/${PN}-2.10_fix_test-appdata.patch" # Bugs 685210 (and duplicate 691070) + "${FILESDIR}/${PN}-2.10_fix_musl_backtrace_backend_switch.patch" #900148 + "${FILESDIR}/${PN}-2.10_fix_configure_GCC13_implicit_function_declarations.patch" #899796 + "${FILESDIR}/${PN}-2.10.36_c99_tiff.patch" #919282 + "${FILESDIR}/${PN}-2.10.36_c99_metadata.patch" #919282 + "${FILESDIR}/${PN}-2.10.38-ZDI-CAN-27823.patch" #965334 + "${FILESDIR}/${PN}-2.10.38-ZDI-CAN-27863.patch" #969286 + "${FILESDIR}/${PN}-2.10.38-ZDI-CAN-28158.patch" #969287 + "${FILESDIR}/${PN}-2.10.38-ZDI-CAN-28232.patch" #969287 + "${FILESDIR}/${PN}-2.10.38-ZDI-CAN-28248.patch" #969287 + "${FILESDIR}/${PN}-2.10.38-ZDI-CAN-28265.patch" #969287 + "${FILESDIR}/${PN}-2.10.38-ZDI-CAN-28273.patch" #969287 + "${FILESDIR}/${PN}-2.10.38-ZDI-CAN-28591.patch" #969287 + "${FILESDIR}/${PN}-2.10.38-ZDI-CAN-28599.patch" #969287 + "${FILESDIR}/${PN}-2.10.38-fix-psp-overflow.patch" #969287 +) + +src_prepare() { + sed -i -e 's/== "xquartz"/= "xquartz"/' configure.ac || die #494864 + sed 's/-DGIMP_DISABLE_DEPRECATED/-DGIMP_protect_DISABLE_DEPRECATED/g' -i configure.ac || die #615144 + + if use heif ; then + has_version -d ">=media-libs/libheif-1.18.0" && eapply "${FILESDIR}/${PN}-2.10_libheif-1.18_unconditional_compat.patch" # 940915 + fi + + gnome2_src_prepare # calls 
eautoreconf + + sed 's/-DGIMP_protect_DISABLE_DEPRECATED/-DGIMP_DISABLE_DEPRECATED/g' -i configure || die #615144 + grep -F -q GIMP_DISABLE_DEPRECATED configure || die #615144, self-test + + export CC_FOR_BUILD="$(tc-getBUILD_CC)" +} + +_adjust_sandbox() { + # Bugs #569738 and #591214 + local nv + for nv in /dev/nvidia-uvm /dev/nvidiactl /dev/nvidia{0..9} ; do + # We do not check for existence as they may show up later + # https://bugs.gentoo.org/show_bug.cgi?id=569738#c21 + addwrite "${nv}" + done + + addwrite /dev/dri/ # bugs #574038 and #684886 + addwrite /dev/ati/ # bug #589198 + addwrite /proc/mtrr # bug #589198 +} + +src_configure() { + _adjust_sandbox + + # bug #944284 (https://gitlab.gnome.org/GNOME/gimp/-/issues/12843) + append-cflags -std=gnu17 + + # segfault in tests with gcc-15 + filter-lto + + local myconf=( + GEGL="${EPREFIX}"/usr/bin/gegl-0.4 + GDBUS_CODEGEN="${EPREFIX}"/bin/false + + --enable-default-binary + + --disable-check-update + --disable-python + --enable-mp + --with-appdata-test + --with-bug-report-url=https://bugs.gentoo.org/ + --with-xmc + --without-libbacktrace + --without-webkit + --without-xvfb-run + $(use_enable cpu_flags_ppc_altivec altivec) + $(use_enable cpu_flags_x86_mmx mmx) + $(use_enable cpu_flags_x86_sse sse) + $(use_enable debug) + $(use_enable vector-icons) + $(use_with aalib aa) + $(use_with alsa) + $(use_with !aqua x) + $(use_with heif libheif) + $(use_with jpeg2k jpeg2000) + $(use_with jpegxl) + $(use_with mng libmng) + $(use_with openexr) + $(use_with postscript gs) + $(use_with udev gudev) + $(use_with unwind libunwind) + $(use_with webp) + $(use_with wmf) + $(use_with xpm libxpm) + ) + + gnome2_src_configure "${myconf[@]}" +} + +src_compile() { + export XDG_DATA_DIRS="${EPREFIX}"/usr/share # bug 587004 + gnome2_src_compile +} + +# for https://bugs.gentoo.org/664938 +_rename_plugins() { + einfo 'Renaming plug-ins to not collide with pre-2.10.6 file layout (bug #664938)...' 
+ local prename=gimp-org- + ( + cd "${ED}"/usr/$(get_libdir)/gimp/2.0/plug-ins || die + for plugin_slash in $(ls -d1 */); do + plugin=${plugin_slash%/} + if [[ -f ${plugin}/${plugin} ]]; then + # NOTE: Folder and file name need to match for Gimp to load that plug-in + # so "file-svg/file-svg" becomes "${prename}file-svg/${prename}file-svg" + mv ${plugin}/{,${prename}}${plugin} || die + mv {,${prename}}${plugin} || die + fi + done + ) +} + +src_test() { + virtx emake check +} + +src_install() { + gnome2_src_install + + # Workaround for bug #321111 to give GIMP the least + # precedence on PDF documents by default + mv "${ED}"/usr/share/applications/{,zzz-}gimp.desktop || die + + find "${ED}" -name '*.la' -type f -delete || die + + # Prevent dead symlink gimp-console.1 from downstream man page compression (bug #433527) + local gimp_app_version=$(ver_cut 1-2) + mv "${ED}"/usr/share/man/man1/gimp-console{-${gimp_app_version},}.1 || die + + # Remove gimp devel-docs html files if user doesn't need it + if ! use doc; then + rm -r "${ED}"/usr/share/gtk-doc || die + fi + + _rename_plugins || die +} + +pkg_postinst() { + gnome2_pkg_postinst +} + +pkg_postrm() { + gnome2_pkg_postrm +}
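Review bot: The PATCHES entries for `${PN}-2.10.38-ZDI-CAN-28599.patch` and `${PN}-2.10.38-fix-psp-overflow.patch` are annotated `#969287`, but unlike the other ZDI patch files added in this commit those two carry no `https://bugs.gentoo.org/` line in their headers, so the bug reference cannot be cross-checked from the patch itself. Adding the bug URL to those two headers, or citing the upstream issue numbers 15555 and 15732 in the ebuild comments, would keep the provenance of every backport consistent.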
