Details: https://nvd.nist.gov/vuln/detail/CVE-2026-2048
Pick the patch from the relevant upstream issue[1]; [1]: https://gitlab.gnome.org/GNOME/gimp/-/issues/15554
Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../gimp/gimp/CVE-2026-2048.patch | 84 +++++++++++++++++++
 meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | 1 +
 2 files changed, 85 insertions(+)
 create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2048.patch
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2048.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2048.patch
new file mode 100644
index 0000000000..e0d506b0c3
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2048.patch
@@ -0,0 +1,84 @@
+From f8c00176788240744218e43664cba1cec4092822 Mon Sep 17 00:00:00 2001
+From: Alx Sa <[email protected]>
+Date: Wed, 31 Dec 2025 14:45:15 +0000
+Subject: [PATCH] plug-ins: Add OoB check for loading XWD
+
+Resolves #15554
+This patch adds a check for if our pointer arithmetic
+exceeds the memory allocated for the dest array. If so,
+we throw an error rather than access memory outside
+the bounds.
+
+CVE: CVE-2026-2048
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/57712677007793118388c5be6fb8231f22a2b341]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ plug-ins/common/file-xwd.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
+index 8ab11c0..c84d70e 100644
+--- a/plug-ins/common/file-xwd.c
++++ b/plug-ins/common/file-xwd.c
+@@ -2103,6 +2103,7 @@ load_xwd_f1_d24_b1 (const gchar *filename,
+ gulong redmask, greenmask, bluemask;
+ guint redshift, greenshift, blueshift;
+ gulong g;
++ guint32 maxval;
+ guchar redmap[256], greenmap[256], bluemap[256];
+ guchar bit_reverse[256];
+ guchar *xwddata, *xwdin, *data;
+@@ -2194,6 +2195,7 @@ load_xwd_f1_d24_b1 (const gchar *filename,
+
+ tile_height = gimp_tile_height ();
+ data = g_malloc (tile_height * width * bytes_per_pixel);
++ maxval = tile_height * width * bytes_per_pixel;
+
+ ncols = xwdhdr->l_colormap_entries;
+ if (xwdhdr->l_ncolors < ncols)
+@@ -2218,6 +2220,8 @@ load_xwd_f1_d24_b1 (const gchar *filename,
+
+ for (tile_start = 0; tile_start < height; tile_start += tile_height)
+ {
++ guint current_dest = 0;
++
+ memset (data, 0, width*tile_height*bytes_per_pixel);
+
+ tile_end = tile_start + tile_height - 1;
+@@ -2241,7 +2245,16 @@ load_xwd_f1_d24_b1 (const gchar *filename,
+ else /* 3 bytes per pixel */
+ {
+ fromright = xwdhdr->l_pixmap_depth-1-plane;
+- dest += 2 - fromright/8;
++ current_dest += 2 - fromright / 8;
++ if (current_dest < maxval)
++ {
++ dest += 2 - fromright / 8;
++ }
++ else
++ {
++ err = 1;
++ break;
++ }
+ outmask = (1 << (fromright % 8));
+ }
+
+@@ -2296,7 +2309,17 @@ load_xwd_f1_d24_b1 (const gchar *filename,
+
+ if (g & inmask)
+ *dest |= outmask;
+- dest += bytes_per_pixel;
++
++ current_dest += bytes_per_pixel;
++ if (current_dest < maxval)
++ {
++ dest += bytes_per_pixel;
++ }
++ else
++ {
++ err = 1;
++ break;
++ }
+
+ inmask >>= 1;
+ }
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
index 8b3dd4aa5f..4e0dd76744 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
@@ -57,6 +57,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
 file://CVE-2026-0797.patch \
 file://CVE-2026-2044.patch \
 file://CVE-2026-2045.patch \
+ file://CVE-2026-2048.patch \
 "
 SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"
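Review bot: In the backported file-xwd.c change the bound is enforced on a separate counter, `current_dest`, zeroed once per tile iteration, and in the pixel loop it is tested only after `*dest |= outmask;` has already written through the pointer. The statements that position `dest` lie outside these hunks, so it cannot be confirmed here that the counter stays in step with the pointer; if `dest` is re-based on `data` more often than once per tile, valid images would trip `err = 1`. Testing the pointer itself immediately before the write, e.g. `if (dest < data || dest >= data + maxval) { err = 1; break; }`, would not depend on that bookkeeping. `maxval` also repeats the `g_malloc` size expression, so if the operands are plain ints (declarations not shown) it is worth confirming the product cannot overflow for header-supplied dimensions. load_xwd_f1_d24_b1 starts and ends outside the hunks.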
