Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0797
The patch referenced in the NVD report looks incorrect. This change in this patch was taken from the related upstream issue[1]. [1]: https://gitlab.gnome.org/GNOME/gimp/-/issues/15555 Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../gimp/gimp/CVE-2026-0797.patch | 91 +++++++++++++++++++
 meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | 1 +
 2 files changed, 92 insertions(+)
 create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797.patch
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797.patch
new file mode 100644
index 0000000000..46e83ac30c
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797.patch
@@ -0,0 +1,91 @@
+From b00dbb729ef8218ffadc3ddeee6841b8ffb1b7ea Mon Sep 17 00:00:00 2001
+From: Alx Sa <[email protected]>
+Date: Fri, 26 Dec 2025 15:49:45 +0000
+Subject: [PATCH] plug-ins: Add more fread () checks in ICO loading
+
+Resolves #15555
+
+This patch adds some guards for ico_read_int8 (),
+which was used for loading palettes and maps
+without verifying that it returned the same number
+of bytes as what it tried to read in.
+
+CVE: CVE-2026-0797
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/09e72ef32bf47dea047b044dba789557f334b7d5]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ plug-ins/file-ico/ico-load.c | 33 ++++++++++++++++++++++++++-------
+ 1 file changed, 26 insertions(+), 7 deletions(-)
+
+diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
+index c144b6e..7eb9cb7 100644
+--- a/plug-ins/file-ico/ico-load.c
++++ b/plug-ins/file-ico/ico-load.c
+@@ -69,7 +69,9 @@ ico_read_int32 (FILE *fp,
+ total = count;
+ if (count > 0)
+ {
+- ico_read_int8 (fp, (guint8 *) data, count * 4);
++ if (ico_read_int8 (fp, (guint8 *) data, count * 4) != (count * 4))
++ return FALSE;
++
+ for (i = 0; i < count; i++)
+ data[i] = GUINT32_FROM_LE (data[i]);
+ }
+@@ -88,7 +90,9 @@ ico_read_int16 (FILE *fp,
+ total = count;
+ if (count > 0)
+ {
+- ico_read_int8 (fp, (guint8 *) data, count * 2);
++ if (ico_read_int8 (fp, (guint8 *) data, count * 2) != (count * 2))
++ return FALSE;
++
+ for (i = 0; i < count; i++)
+ data[i] = GUINT16_FROM_LE (data[i]);
+ }
+@@ -109,8 +113,8 @@ ico_read_int8 (FILE *fp,
+ while (count > 0)
+ {
+ bytes = fread ((gchar *) data, sizeof (gchar), count, fp);
+- if (bytes <= 0) /* something bad happened */
+- break;
++ if (bytes != count) /* something bad happened */
++ return -1;
+
+ count -= bytes;
+ data += bytes;
+@@ -485,16 +489,31 @@ ico_read_icon (FILE *fp,
+ data.used_clrs, data.bpp));
+
+ palette = g_new0 (guint32, data.used_clrs);
+- ico_read_int8 (fp, (guint8 *) palette, data.used_clrs * 4);
++ if (ico_read_int8 (fp,
++ (guint8 *) palette,
++ data.used_clrs * 4) != (data.used_clrs * 4))
++ {
++ D(("skipping image: too large\n"));
++ return FALSE;
++ }
++
+ }
+
+ xor_map = ico_alloc_map (w, h, data.bpp, &length);
+- ico_read_int8 (fp, xor_map, length);
++ if (ico_read_int8 (fp, xor_map, length) != length)
++ {
++ D(("skipping image: too large\n"));
++ return FALSE;
++ }
+ D((" length of xor_map: %i\n", length));
+
+ /* Read in and_map. It's padded out to 32 bits per line: */
+ and_map = ico_alloc_map (w, h, 1, &length);
+- ico_read_int8 (fp, and_map, length);
++ if (! ico_read_int8 (fp, and_map, length) != length)
++ {
++ D(("skipping image: too large\n"));
++ return FALSE;
++ }
+ D((" length of and_map: %i\n", length));
+
+ dest_vec = (guint32 *) buf;
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
index a04b3d0e4c..9a969bde7c 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
@@ -54,6 +54,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
 file://CVE-2025-2760-1.patch \
 file://CVE-2025-2760-2.patch \
 file://CVE-2025-2761.patch \
+ file://CVE-2026-0797.patch \
 "
 SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"
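Review bot: The and_map check in the ico_read_icon hunk of the backported patch reads `if (! ico_read_int8 (fp, and_map, length) != length)`; the `!` binds before the comparison, so the left side is only ever 0 or 1 and the test is true for any length above 1 whether or not the read succeeded, which would make the loader return FALSE for icons it read completely. It should mirror the xor_map check just above it: `if (ico_read_int8 (fp, and_map, length) != length)`. The three new `return FALSE` paths in the same hunk also leave `palette`, and on the later paths `xor_map` and `and_map`, allocated; ico_read_icon starts and ends outside the hunk, so cleanup may exist elsewhere, but if it does not these buffers should be released with `g_free ()` before returning. The debug text `"skipping image: too large\n"` is printed on a short read, so a message such as `"skipping image: truncated data\n"` would describe the failure more accurately.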
