Version in base suite: 2.10.34-1+deb12u2 Base version: gimp_2.10.34-1+deb12u2 Target version: gimp_2.10.34-1+deb12u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gimp/gimp_2.10.34-1+deb12u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gimp/gimp_2.10.34-1+deb12u3.dsc changelog | 10 ++ patches/CVE-2025-2760.patch | 19 ++++ patches/CVE-2025-2761.patch | 33 +++++++ patches/CVE-2025-48797-1.patch | 117 +++++++++++++++++++++++++ patches/CVE-2025-48797-2.patch | 165 +++++++++++++++++++++++++++++++++++ patches/CVE-2025-48797-3.patch | 96 ++++++++++++++++++++ patches/CVE-2025-48797-4.patch | 57 ++++++++++++ patches/CVE-2025-48798-1.patch | 177 ++++++++++++++++++++++++++++++++++++++ patches/CVE-2025-48798-2.patch | 189 +++++++++++++++++++++++++++++++++++++++++ patches/ZDI-CAN-26752.patch | 36 +++++++ patches/series | 9 + 11 files changed, 908 insertions(+) diff -Nru gimp-2.10.34/debian/changelog gimp-2.10.34/debian/changelog --- gimp-2.10.34/debian/changelog 2023-12-02 13:31:27.000000000 +0000 +++ gimp-2.10.34/debian/changelog 2025-06-04 21:10:49.000000000 +0000 @@ -1,3 +1,13 @@ +gimp (2.10.34-1+deb12u3) bookworm-security; urgency=medium + + * CVE-2025-2760 + * CVE-2025-2761 + * CVE-2025-48797 + * CVE-2025-48798 + * ZDI-CAN-26752 (no CVE yet) + + -- Moritz Mühlenhoff Wed, 04 Jun 2025 23:10:49 +0200 + gimp (2.10.34-1+deb12u2) bookworm; urgency=medium * Non-maintainer upload. diff -Nru gimp-2.10.34/debian/patches/CVE-2025-2760.patch gimp-2.10.34/debian/patches/CVE-2025-2760.patch --- gimp-2.10.34/debian/patches/CVE-2025-2760.patch 1970-01-01 00:00:00.000000000 +0000 +++ gimp-2.10.34/debian/patches/CVE-2025-2760.patch 2025-06-04 21:09:52.000000000 +0000 
@@ -0,0 +1,19 @@ +https://gitlab.gnome.org/GNOME/gimp/-/issues/12790#note_2328950 + +--- gimp-2.10.34.orig/plug-ins/file-dds/ddsread.c ++++ gimp-2.10.34/plug-ins/file-dds/ddsread.c +@@ -934,6 +934,14 @@ load_layer (FILE *fp, + if (width < 1) width = 1; + if (height < 1) height = 1; + ++ if (width <= 0 ||height <= 0 || d->gimp_bpp <= 0 || ++ (gsize) width > G_MAXSIZE / height || ++ (gsize) width * height > G_MAXSIZE / d->gimp_bpp) ++ { ++ g_message ("Invalid dimensions in header."); ++ return 0; ++ } ++ + switch (d->bpp) + { + case 1: diff -Nru gimp-2.10.34/debian/patches/CVE-2025-2761.patch gimp-2.10.34/debian/patches/CVE-2025-2761.patch --- gimp-2.10.34/debian/patches/CVE-2025-2761.patch 1970-01-01 00:00:00.000000000 +0000 +++ gimp-2.10.34/debian/patches/CVE-2025-2761.patch 2025-06-04 21:09:52.000000000 +0000 
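Review bot: The first two terms of the new guard in load_layer, `width <= 0 ||height <= 0`, are unreachable: the two lines immediately above clamp both values to at least 1, so only `d->gimp_bpp <= 0` and the two G_MAXSIZE division checks can ever fire, and dropping the dead terms (plus the missing space after `||`) would make the intent clearer. The remaining checks do bound the three-way product `width * height * d->gimp_bpp` as a gsize, which is what the later allocation presumably needs. The patch file carries only a GitLab note URL as its header; a DEP-3 `Origin:`/`Bug:` block would make future rebases against upstream easier to track. load_layer starts and ends outside the hunk, so whether the caller also validates these values is not visible here.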
@@ -0,0 +1,33 @@ +From 0806bc76ca74543d20e1307ccf6aebd26395c56c Mon Sep 17 00:00:00 2001 +From: Alx Sa +Date: Mon, 10 Mar 2025 04:07:44 +0000 +Subject: [PATCH] plug-ins: Fix ZDI-CAN-25100 for FLI plug-in + +Resolves #13073 +This patch adds a check to make sure we're not +writing beyond the bounds of the "pos" array. +This is the same check that we do earlier when +writing pos[xc++], but it was left off of the last +write command. Since "n" will be 0 if we get to the +end of the array, it prevents us from writing beyond +that. +--- + plug-ins/file-fli/fli.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/plug-ins/file-fli/fli.c b/plug-ins/file-fli/fli.c +index 85dcc994395..1aba31e8f90 100644 +--- a/plug-ins/file-fli/fli.c ++++ b/plug-ins/file-fli/fli.c +@@ -1529,7 +1529,7 @@ fli_read_lc_2 (FILE *f, + xc += len << 1; + } + } +- if (lpf) ++ if (lpf && xc < n) + pos[xc] = lpn; + yc++; + } +-- +GitLab + diff -Nru gimp-2.10.34/debian/patches/CVE-2025-48797-1.patch gimp-2.10.34/debian/patches/CVE-2025-48797-1.patch --- gimp-2.10.34/debian/patches/CVE-2025-48797-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ gimp-2.10.34/debian/patches/CVE-2025-48797-1.patch 2025-06-04 21:09:52.000000000 +0000 
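Review bot: The new bounds check `if (lpf && xc < n)` looks correct as far as the hunk shows, but nothing in the code says why `n` is the limit for `pos`; the commit message explains it only in prose, so a one-line comment such as `/* same bounds check as the pos[xc++] writes above; n is 0 once the end of the array is reached */` placed above the `if` would keep that reasoning with the code. `n`, the earlier guarded writes and the rest of fli_read_lc_2 all lie outside the hunk, so I cannot confirm from here that `n` has the same meaning at this point as at those earlier writes.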
@@ -0,0 +1,117 @@ +commit 8d309dd0385fdd298520b69148542375f56ef977 +Author: Andrzej Hunt +Date: Tue Jul 16 18:30:21 2024 +0200 + + tga: always convert colour-mapped images to RGBA if image claims to contain alpha + + If the colourmap contains more than 256 items AND has alpha, it should always + be promoted to RGBA. Therefore we move the "if (info->alphaBits)" check into + the first if clause, to avoid accidentally demoting to RGB in this scenario. + + Other parts of the tga parser assume that the destination array is RGBA + when alphaBits is not zero. For example, upsample() will always write 4 bytes + per pixel when alpha is set - (even if we only allocated 3 because we thought + we should use RGB). Erronously allocating only 3 bytes makes it easy to induce + a heap-buffer-overflow write, see ASAN output below. (apply_colormap makes the + same assumption and would probably do the same thing, but upsample is the + first location that we'd hit this issue.) + + ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61700002ae00 at pc 0x000000563d97 bp 0x7ffde8677890 sp 0x7ffde8677888 + WRITE of size 1 at 0x61700002ae00 thread T0 + #0 0x563d96 in upsample /home/ahunt/git/gimp/plug-ins/common/file-tga.c:830:15 + #1 0x560b59 in ReadImage /home/ahunt/git/gimp/plug-ins/common/file-tga.c + #2 0x55f4ee in load_image /home/ahunt/git/gimp/plug-ins/common/file-tga.c:647:11 + #3 0x5652ab in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/plug-ins/common/file-tga_fuzzer.c:69:17 + #4 0x461624 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 + #5 0x460b2a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 + #6 0x462847 in fuzzer::Fuzzer::MutateAndTestOne() 
/home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 + #7 0x4633d5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 + #8 0x451686 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 + #9 0x47b662 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 + #10 0x7fd894a94349 in __libc_start_main (/lib64/libc.so.6+0x24349) + #11 0x424a39 in _start /home/abuild/rpmbuild/BUILD/glibc-2.26/csu/../sysdeps/x86_64/start.S:120 + + 0x61700002ae00 is located 0 bytes to the right of 768-byte region [0x61700002ab00,0x61700002ae00) + allocated by thread T0 here: + #0 0x52ca8d in malloc /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 + #1 0x7fd895b14cf2 in g_malloc /home/ahunt/git/glib/_build/../glib/gmem.c:106:13 + #2 0x55fce9 in ReadImage /home/ahunt/git/gimp/plug-ins/common/file-tga.c:1039:26 + #3 0x55f4ee in load_image /home/ahunt/git/gimp/plug-ins/common/file-tga.c:647:11 + #4 0x5652ab in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/plug-ins/common/file-tga_fuzzer.c:69:17 + #5 0x461624 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 + #6 0x460b2a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 + #7 0x462847 in fuzzer::Fuzzer::MutateAndTestOne() /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 + #8 0x4633d5 in 
fuzzer::Fuzzer::Loop(std::__Fuzzer::vector >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 + #9 0x451686 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 + #10 0x47b662 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 + #11 0x7fd894a94349 in __libc_start_main (/lib64/libc.so.6+0x24349) + + SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ahunt/git/gimp/plug-ins/common/file-tga.c:830:15 in upsample + Shadow bytes around the buggy address: + 0x0c2e7fffd570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c2e7fffd580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c2e7fffd590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c2e7fffd5a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c2e7fffd5b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + =>0x0c2e7fffd5c0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c2e7fffd5d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c2e7fffd5e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c2e7fffd5f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c2e7fffd600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c2e7fffd610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb + Shadow gap: cc + 
==12179==ABORTING + + ( crash-f65fd5404bff32c1d9d10ee049d9c98d02bbbdc2 ) + + (cherry picked from commit 49755f085a6fcc9c692b14e67856e91a79245688) + +diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c +index e833c60cd9..d70991020a 100644 +--- a/plug-ins/common/file-tga.c ++++ b/plug-ins/common/file-tga.c +@@ -1009,9 +1009,9 @@ ReadImage (FILE *fp, + cmap_bytes = (info->colorMapSize + 7 ) / 8; + tga_cmap = g_new (guchar, info->colorMapLength * cmap_bytes); + +- if (info->colorMapSize > 24) ++ if (info->colorMapSize > 24 || info->alphaBits > 0) + { +- /* indexed + full alpha => promoted to RGBA */ ++ /* indexed + full alpha, or alpha exists => promoted to RGBA */ + itype = GIMP_RGB; + dtype = GIMP_RGBA_IMAGE; + convert_cmap = g_new (guchar, info->colorMapLength * 4); +@@ -1023,13 +1023,6 @@ ReadImage (FILE *fp, + dtype = GIMP_RGB_IMAGE; + convert_cmap = g_new (guchar, info->colorMapLength * 3); + } +- else if (info->alphaBits > 0) +- { +- /* if alpha exists here, promote to RGB */ +- itype = GIMP_RGB; +- dtype = GIMP_RGBA_IMAGE; +- convert_cmap = g_new (guchar, info->colorMapLength * 4); +- } + else + { + itype = GIMP_INDEXED; diff -Nru gimp-2.10.34/debian/patches/CVE-2025-48797-2.patch gimp-2.10.34/debian/patches/CVE-2025-48797-2.patch --- gimp-2.10.34/debian/patches/CVE-2025-48797-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ gimp-2.10.34/debian/patches/CVE-2025-48797-2.patch 2025-06-04 21:09:52.000000000 +0000 
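Review bot: The updated comment `/* indexed + full alpha, or alpha exists => promoted to RGBA */` does not say what the two conditions in the `if` actually test or why the old RGB fallthrough was unsafe; something like `/* colormap entries wider than 24 bits, or any alpha bits => must be RGBA, because upsample() and apply_colormap() write 4 bytes per pixel whenever alphaBits != 0 */` records the invariant the commit message describes. The retained `convert_cmap = g_new (guchar, info->colorMapLength * 4);` now also covers the alpha case, which matches that 4-bytes-per-pixel assumption. ReadImage begins and ends outside the hunk, so the `else if`/`else` branches that remain after the deletion are only partly visible here.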
@@ -0,0 +1,165 @@ +commit 97f8c2e468cffce70c6772e74cbff8eda4e8c180 +Author: Andrzej Hunt +Date: Tue Jul 16 18:30:22 2024 +0200 + + tga: check for valid color ID in apply_colormap + + A malformed colourmapped tga file could specify color IDs that are not + contained in the colourmap. Therefore we add some bounds checking to + ensure that we only use entries that actually exist. + + We could completely give up on such files, but it's just as easy to fall + back to the first colour in the map in this case. However we can only + fall back to the first colour in the map IF the colourmap contains + at least one entry. Therefore we add an up-front check to verify that + colourmapped images actually do contain at least one entry. + + Without this bounds-checking, it's possible to induce a heap-buffer-overflow + read in apply-colormap(), see ASAN output below: + + ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900002257c at pc 0x000000564f99 bp 0x7ffe65fdb040 sp 0x7ffe65fdb038 + READ of size 1 at 0x61900002257c thread T0 + #0 0x564f98 in apply_colormap /home/ahunt/git/gimp/plug-ins/common/file-tga.c:901:23 + #1 0x56411a in read_line /home/ahunt/git/gimp/plug-ins/common/file-tga.c:975:7 + #2 0x560648 in ReadImage /home/ahunt/git/gimp/plug-ins/common/file-tga.c:1202:15 + #3 0x55f4ee in load_image /home/ahunt/git/gimp/plug-ins/common/file-tga.c:647:11 + #4 0x5653ab in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/plug-ins/common/file-tga_fuzzer.c:69:17 + #5 0x461624 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 + #6 0x460b2a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 + #7 0x462847 in fuzzer::Fuzzer::MutateAndTestOne() 
/home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 + #8 0x4633d5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 + #9 0x451686 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 + #10 0x47b662 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 + #11 0x7fe76a5dc349 in __libc_start_main (/lib64/libc.so.6+0x24349) + #12 0x424a39 in _start /home/abuild/rpmbuild/BUILD/glibc-2.26/csu/../sysdeps/x86_64/start.S:120 + + 0x61900002257c is located 0 bytes to the right of 1020-byte region [0x619000022180,0x61900002257c) + allocated by thread T0 here: + #0 0x52ca8d in malloc /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 + #1 0x7fe76b65ccf2 in g_malloc /home/ahunt/git/glib/_build/../glib/gmem.c:106:13 + #2 0x55fdc6 in ReadImage /home/ahunt/git/gimp/plug-ins/common/file-tga.c:1049:26 + #3 0x55f4ee in load_image /home/ahunt/git/gimp/plug-ins/common/file-tga.c:647:11 + #4 0x5653ab in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/plug-ins/common/file-tga_fuzzer.c:69:17 + #5 0x461624 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 + #6 0x460b2a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 + #7 0x462847 in fuzzer::Fuzzer::MutateAndTestOne() /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 + #8 0x4633d5 in 
fuzzer::Fuzzer::Loop(std::__Fuzzer::vector >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 + #9 0x451686 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 + #10 0x47b662 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 + #11 0x7fe76a5dc349 in __libc_start_main (/lib64/libc.so.6+0x24349) + + SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ahunt/git/gimp/plug-ins/common/file-tga.c:901:23 in apply_colormap + Shadow bytes around the buggy address: + 0x0c327fffc450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c327fffc460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c327fffc470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c327fffc480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c327fffc490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + =>0x0c327fffc4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04] + 0x0c327fffc4b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c327fffc4c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c327fffc4d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c327fffc4e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c327fffc4f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb + Shadow gap: cc + 
==16309==ABORTING + + ( crash-f70628d4df7a65babc8e57d890425771a1d67e06 ) + + (cherry picked from commit 723d383e57e8f599c4a44ab8541ea6902e29579e) + +diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c +index d70991020a..27251644fa 100644 +--- a/plug-ins/common/file-tga.c ++++ b/plug-ins/common/file-tga.c +@@ -566,7 +566,7 @@ load_image (const gchar *filename, + switch (info.imageType) + { + case TGA_TYPE_MAPPED: +- if (info.bpp != 8) ++ if (info.bpp != 8 || !info.colorMapLength) + { + g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)", + gimp_filename_to_utf8 (filename), +@@ -889,32 +889,31 @@ apply_colormap (guchar *dest, + guint width, + const guchar *cmap, + gboolean alpha, +- guint16 index) ++ guint16 colorMapIndex, ++ guint16 colorMapLength) + { + guint x; + +- if (alpha) +- { +- for (x = 0; x < width; x++) +- { +- *(dest++) = cmap[(*src - index) * 4]; +- *(dest++) = cmap[(*src - index) * 4 + 1]; +- *(dest++) = cmap[(*src - index) * 4 + 2]; +- *(dest++) = cmap[(*src - index) * 4 + 3]; +- +- src++; +- } +- } +- else ++ for (x = 0; x < width; x++) + { +- for (x = 0; x < width; x++) +- { +- *(dest++) = cmap[(*src - index) * 3]; +- *(dest++) = cmap[(*src - index) * 3 + 1]; +- *(dest++) = cmap[(*src - index) * 3 + 2]; +- +- src++; +- } ++ guchar entryIndex = src[x] - colorMapIndex; ++ ++ if (src[x] < colorMapIndex || entryIndex >= colorMapLength) { ++ g_message ("Unsupported colormap entry: %u", ++ src[x]); ++ entryIndex = 0; ++ } ++ ++ if (alpha) { ++ *(dest++) = cmap[entryIndex * 4]; ++ *(dest++) = cmap[entryIndex * 4 + 1]; ++ *(dest++) = cmap[entryIndex * 4 + 2]; ++ *(dest++) = cmap[entryIndex * 4 + 3]; ++ } else { ++ *(dest++) = cmap[entryIndex * 3]; ++ *(dest++) = cmap[entryIndex * 3 + 1]; ++ *(dest++) = cmap[entryIndex * 3 + 2]; ++ } + } + } + +@@ -970,7 +969,7 @@ read_line (FILE *fp, + gboolean has_alpha = (info->alphaBits > 0); + + apply_colormap (row, buf, info->width, convert_cmap, has_alpha, +- info->colorMapIndex); ++ 
info->colorMapIndex, info->colorMapLength); + } + else if (info->imageType == TGA_TYPE_MAPPED) + { diff -Nru gimp-2.10.34/debian/patches/CVE-2025-48797-3.patch gimp-2.10.34/debian/patches/CVE-2025-48797-3.patch --- gimp-2.10.34/debian/patches/CVE-2025-48797-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ gimp-2.10.34/debian/patches/CVE-2025-48797-3.patch 2025-06-04 21:09:52.000000000 +0000 
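Review bot: The load_image hunk rejects an empty colormap with the same `g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)", ...)` text as the bpp case, so neither a user nor a fuzzer triage log can tell which condition fired; a separate message for `!info.colorMapLength`, or adding the length to the format, would make that clear. In apply_colormap the new `if (alpha) {` / `} else {` forms put braces on the statement line while the enclosing `for` keeps them on their own line, which is inconsistent within the function. The bounds check itself reads correctly: `entryIndex` wraps when `src[x] < colorMapIndex`, but that case is tested first and resets it to 0, and the fallback to entry 0 is only safe because load_image now refuses a zero-length map, which is worth a short comment at the fallback so the two checks are not later decoupled.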
@@ -0,0 +1,96 @@ +commit d7f0829ae995ca7ca9c64851a1ed03b11702ef1c +Author: Andrzej Hunt +Date: Tue Jul 16 18:30:24 2024 +0200 + + tga: don't copy more bytes than necessary + + We are trying to copy all bytes in the current row, which is the width times + the number of bytes per pixel (stored in info->bytes), not width times bits + per pixel. + + Copying too much data allows certain inputs to induce a heap-buffer-buffer + overflow read, and probably also a write, see ASAN output below: + + ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000008088 at pc 0x00000052be17 bp 0x7ffd8bbe8e20 sp 0x7ffd8bbe85e8 + READ of size 16448 at 0x61d000008088 thread T0 + #0 0x52be16 in __asan_memcpy /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 + #1 0x5641ca in read_line /home/ahunt/git/gimp/plug-ins/common/file-tga.c:982:7 + #2 0x560218 in ReadImage /home/ahunt/git/gimp/plug-ins/common/file-tga.c:1147:15 + #3 0x55f526 in load_image /home/ahunt/git/gimp/plug-ins/common/file-tga.c:646:11 + #4 0x56519b in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/plug-ins/common/file-tga_fuzzer.c:69:17 + #5 0x461624 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 + #6 0x460b2a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 + #7 0x462ec4 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:814:7 + #8 0x4630d9 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:845:3 + #9 0x451686 in fuzzer::FuzzerDriver(int*, 
char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 + #10 0x47b662 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 + #11 0x7fdbd277c349 in __libc_start_main (/lib64/libc.so.6+0x24349) + #12 0x424a39 in _start /home/abuild/rpmbuild/BUILD/glibc-2.26/csu/../sysdeps/x86_64/start.S:120 + + 0x61d000008088 is located 0 bytes to the right of 2056-byte region [0x61d000007880,0x61d000008088) + allocated by thread T0 here: + #0 0x52ca8d in malloc /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 + #1 0x7fdbd37fccf2 in g_malloc /home/ahunt/git/glib/_build/../glib/gmem.c:106:13 + #2 0x56009b in ReadImage /home/ahunt/git/gimp/plug-ins/common/file-tga.c:1134:10 + #3 0x55f526 in load_image /home/ahunt/git/gimp/plug-ins/common/file-tga.c:646:11 + #4 0x56519b in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/plug-ins/common/file-tga_fuzzer.c:69:17 + #5 0x461624 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 + #6 0x460b2a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 + #7 0x462ec4 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:814:7 + #8 0x4630d9 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:845:3 + #9 0x451686 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) 
/home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 + #10 0x47b662 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 + #11 0x7fdbd277c349 in __libc_start_main (/lib64/libc.so.6+0x24349) + + SUMMARY: AddressSanitizer: heap-buffer-overflow /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy + Shadow bytes around the buggy address: + 0x0c3a7fff8fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c3a7fff8fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c3a7fff8fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c3a7fff8ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c3a7fff9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + =>0x0c3a7fff9010: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3a7fff9020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3a7fff9030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3a7fff9040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3a7fff9050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3a7fff9060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb + Shadow gap: cc + ==26560==ABORTING + + crash-4b13aca1db7bb795a815431b86cc20284f3aa6da + + (cherry picked from commit 2ba35e5b3d43d881b0623f47b8068d9ee19d1d70) + +diff --git a/plug-ins/common/file-tga.c 
b/plug-ins/common/file-tga.c +index 27251644fa..1e31f1f126 100644 +--- a/plug-ins/common/file-tga.c ++++ b/plug-ins/common/file-tga.c +@@ -979,7 +979,7 @@ read_line (FILE *fp, + } + else + { +- memcpy (row, buf, info->width * bpp); ++ memcpy (row, buf, info->width * info->bytes); + } + } + diff -Nru gimp-2.10.34/debian/patches/CVE-2025-48797-4.patch gimp-2.10.34/debian/patches/CVE-2025-48797-4.patch --- gimp-2.10.34/debian/patches/CVE-2025-48797-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ gimp-2.10.34/debian/patches/CVE-2025-48797-4.patch 2025-06-04 21:09:52.000000000 +0000 
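Review bot: The replacement `memcpy (row, buf, info->width * info->bytes);` fixes the bits-versus-bytes mismatch, but the hunk leaves `bpp` in place; if that local was only used for this copy it is now dead and will draw a compiler warning, which is worth checking since read_line begins and ends outside the hunk. The fix also relies on `row` and `buf` both being at least `width * bytes` bytes, a guarantee that the allocation in ReadImage (outside this hunk, but named in the ASan trace) must provide; a short comment at the copy, `/* row and buf are sized width * bytes in ReadImage */`, would document that coupling.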
@@ -0,0 +1,57 @@ +commit ffb7cad1a402377927bc2dc62dad324ae03cec92 +Author: Jacob Boerema +Date: Fri Jul 19 14:42:17 2024 -0400 + + plug-ins, tga: don't crash when generating a huge amount of messages + + A follow-up to the previous commits, that address the tga issues from + issue #11822. + + On Windows, when using the error console for messages, a huge amount + of error messages, that can be generated with special fuzzed images, + like crash-f65fd5404bff32c1d9d10ee049d9c98d02bbbdc2.tga from + the above mentioned issue, can cause GIMP to crash. + + Although this is most likely caused in the error console or its + dependencies, we should not let it cause problems here until that is + fixed. There is also no real need to generate a huge amount of similar + repeated error messages, so let's limit it to 10 per read line of input. + + (cherry picked from commit 1f062867172d5c68b858a6efa3011686aa32bb38) + +diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c +index 1e31f1f126..46dacc788c 100644 +--- a/plug-ins/common/file-tga.c ++++ b/plug-ins/common/file-tga.c +@@ -893,14 +893,29 @@ apply_colormap (guchar *dest, + guint16 colorMapLength) + { + guint x; ++ gint errcnt = 0; + + for (x = 0; x < width; x++) + { + guchar entryIndex = src[x] - colorMapIndex; + + if (src[x] < colorMapIndex || entryIndex >= colorMapLength) { +- g_message ("Unsupported colormap entry: %u", +- src[x]); ++ /* On Windows the error console can run out of resources when ++ * producing a huge amount of messages. This can happen when using ++ * fuzzed test images. This causes unresponsiveness at first and ++ * finally crashes GIMP. Eventually this needs to be fixed at the ++ * source, but for now let's limit the error messages to 10 ++ * per line (this function is called once per read_line). */ ++ if (errcnt < 10) ++ { ++ g_message ("Unsupported colormap entry: %u", ++ src[x]); ++ } ++ else if (errcnt == 10) ++ { ++ g_message ("Too many colormap errors. 
Image may be corrupt."); ++ } ++ errcnt++; + entryIndex = 0; + } + diff -Nru gimp-2.10.34/debian/patches/CVE-2025-48798-1.patch gimp-2.10.34/debian/patches/CVE-2025-48798-1.patch --- gimp-2.10.34/debian/patches/CVE-2025-48798-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ gimp-2.10.34/debian/patches/CVE-2025-48798-1.patch 2025-06-04 21:09:52.000000000 +0000 
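Review bot: `gint errcnt = 0;` is a local of apply_colormap, so the cap of 10 messages plus the "Too many colormap errors" summary applies per call, i.e. per row as the comment says; an image with many rows still emits up to 11 messages per row, so the message flood the commit is trying to avoid is reduced rather than bounded. If the goal is to protect the error console, a per-image counter (for example a field carried from read_line or ReadImage, or a counter reset once per load) would give a real upper bound. The `else if (errcnt == 10)` summary prints exactly once only because `errcnt++` keeps counting past the cap; a comment `/* keep counting past 10 so the summary line is emitted once */` would make that explicit. apply_colormap's loop continues outside the hunk.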
@@ -0,0 +1,177 @@ +commit ebf0b569a63f15b5dc7532f16936104af1e09f02 +Author: Andrzej Hunt +Date: Tue Jul 16 18:30:28 2024 +0200 + + xcf: don't use potentially dangling pointer in xcf_load_layer_mask + + layer_mask points to the original mask created by xcf_load_layer_mask. We copy + this pointer into channel, and xcf_load_channel_props can overwrite this + pointer and free the original mask. If this happens, layer_mask points to + the now-freed original mask, and should not be used. + + Therefore we need to change later parts of xcf_load_layer_mask to use channel + instead of layer_mask. Additionally, we add a block and move layer_mask into + this block to guarantee that layer_mask cannot be used after it has + potentially been freed. + + Adjustments by Jacob Boerema: + Follow GIMP's code style regarding variables, comment style and + position of braces + + See also ASAN output below: + + ==5247==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000010fd0 at pc 0x7f4e2dbbf31b bp 0x7ffca8a95cd0 sp 0x7ffca8a95cc8 + READ of size 8 at 0x615000010fd0 thread T0 + #0 0x7f4e2dbbf31a in g_type_check_instance_cast /home/ahunt/git/glib/_build/../gobject/gtype.c:4117:26 + #1 0xb200fe in xcf_load_layer_mask /home/ahunt/git/gimp/app/xcf/xcf-load.c:2305:52 + #2 0xb18eea in xcf_load_layer /home/ahunt/git/gimp/app/xcf/xcf-load.c:2133:20 + #3 0xb13d91 in xcf_load_image /home/ahunt/git/gimp/app/xcf/xcf-load.c:499:15 + #4 0xb11deb in xcf_load_stream /home/ahunt/git/gimp/app/xcf/xcf.c:305:19 + #5 0x619dfd in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/app/fuzzers/xcf_fuzzer.c:50:17 + #6 0x51d364 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 + #7 0x506fe2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6 + #8 0x50d350 in 
fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9 + #9 0x5373a2 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 + #10 0x7f4e2c84c349 in __libc_start_main (/lib64/libc.so.6+0x24349) + #11 0x4e0779 in _start /home/abuild/rpmbuild/BUILD/glibc-2.26/csu/../sysdeps/x86_64/start.S:120 + + 0x615000010fd0 is located 336 bytes inside of 504-byte region [0x615000010e80,0x615000011078) + freed by thread T0 here: + #0 0x5e8562 in free /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3 + #1 0x7f4e2d76ce08 in g_free /home/ahunt/git/glib/_build/../glib/gmem.c:199:3 + #2 0x7f4e2d797a6b in g_slice_free1 /home/ahunt/git/glib/_build/../glib/gslice.c:1183:7 + #3 0x7f4e2dbb7b04 in g_type_free_instance /home/ahunt/git/glib/_build/../gobject/gtype.c:2008:5 + #4 0x7f4e2db8fe3a in g_object_unref /home/ahunt/git/glib/_build/../gobject/gobject.c:3604:11 + #5 0xb22fff in xcf_load_channel_props /home/ahunt/git/gimp/app/xcf/xcf-load.c:1738:13 + #6 0xb20037 in xcf_load_layer_mask /home/ahunt/git/gimp/app/xcf/xcf-load.c:2292:9 + #7 0xb18eea in xcf_load_layer /home/ahunt/git/gimp/app/xcf/xcf-load.c:2133:20 + #8 0xb13d91 in xcf_load_image /home/ahunt/git/gimp/app/xcf/xcf-load.c:499:15 + #9 0xb11deb in xcf_load_stream /home/ahunt/git/gimp/app/xcf/xcf.c:305:19 + #10 0x619dfd in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/app/fuzzers/xcf_fuzzer.c:50:17 + #11 0x51d364 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 + #12 0x506fe2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6 + #13 
0x50d350 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9 + #14 0x5373a2 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 + #15 0x7f4e2c84c349 in __libc_start_main (/lib64/libc.so.6+0x24349) + + previously allocated by thread T0 here: + #0 0x5e87cd in malloc /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 + #1 0x7f4e2d76ccf2 in g_malloc /home/ahunt/git/glib/_build/../glib/gmem.c:106:13 + #2 0x7f4e2d7972e0 in g_slice_alloc /home/ahunt/git/glib/_build/../glib/gslice.c:1072:11 + #3 0x7f4e2d7978ae in g_slice_alloc0 /home/ahunt/git/glib/_build/../glib/gslice.c:1098:18 + #4 0x7f4e2dbb6e0a in g_type_create_instance /home/ahunt/git/glib/_build/../gobject/gtype.c:1911:17 + #5 0x7f4e2db9215e in g_object_new_internal /home/ahunt/git/glib/_build/../gobject/gobject.c:1945:24 + #6 0x7f4e2db91d1f in g_object_new_valist /home/ahunt/git/glib/_build/../gobject/gobject.c:2288:16 + #7 0x7f4e2db90e8b in g_object_new /home/ahunt/git/glib/_build/../gobject/gobject.c:1788:12 + #8 0xdb69e0 in gimp_item_new /home/ahunt/git/gimp/app/core/gimpitem.c:723:10 + #9 0xce11c8 in gimp_drawable_new /home/ahunt/git/gimp/app/core/gimpdrawable.c:1067:14 + #10 0xddf5d8 in gimp_layer_mask_new /home/ahunt/git/gimp/app/core/gimplayermask.c:254:5 + #11 0xb1ffc5 in xcf_load_layer_mask /home/ahunt/git/gimp/app/xcf/xcf-load.c:2279:31 + #12 0xb18eea in xcf_load_layer /home/ahunt/git/gimp/app/xcf/xcf-load.c:2133:20 + #13 0xb13d91 in xcf_load_image /home/ahunt/git/gimp/app/xcf/xcf-load.c:499:15 + #14 0xb11deb in xcf_load_stream /home/ahunt/git/gimp/app/xcf/xcf.c:305:19 + #15 0x619dfd in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/app/fuzzers/xcf_fuzzer.c:50:17 + #16 0x51d364 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) 
/home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 + #17 0x506fe2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6 + #18 0x50d350 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9 + #19 0x5373a2 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 + #20 0x7f4e2c84c349 in __libc_start_main (/lib64/libc.so.6+0x24349) + + SUMMARY: AddressSanitizer: heap-use-after-free /home/ahunt/git/glib/_build/../gobject/gtype.c:4117:26 in g_type_check_instance_cast + Shadow bytes around the buggy address: + 0x0c2a7fffa1a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c2a7fffa1b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c2a7fffa1c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c2a7fffa1d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c2a7fffa1e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + =>0x0c2a7fffa1f0: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd + 0x0c2a7fffa200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa + 0x0c2a7fffa210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c2a7fffa220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c2a7fffa230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c2a7fffa240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container 
overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb + Shadow gap: cc + ==5247==ABORTING + ./crash-0507799c3e4291570e060f53332b58b8a96f95e5 + + (cherry picked from commit fe26086e16943860f3852120f546ce913a7a73ee) + + # Conflicts: + # app/xcf/xcf-load.c + +diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c +index da196bcdb2..41e582719a 100644 +--- a/app/xcf/xcf-load.c ++++ b/app/xcf/xcf-load.c +@@ -102,7 +102,8 @@ static gboolean xcf_check_layer_props (XcfInfo *info, + gboolean *is_text_layer); + static gboolean xcf_load_channel_props (XcfInfo *info, + GimpImage *image, +- GimpChannel **channel); ++ GimpChannel **channel, ++ gboolean is_mask); + static gboolean xcf_load_prop (XcfInfo *info, + PropType *prop_type, + guint32 *prop_size); +@@ -1656,7 +1657,8 @@ xcf_check_layer_props (XcfInfo *info, + static gboolean + xcf_load_channel_props (XcfInfo *info, + GimpImage *image, +- GimpChannel **channel) ++ GimpChannel **channel, ++ gboolean is_mask) + { + PropType prop_type; + guint32 prop_size; +@@ -1679,6 +1681,14 @@ xcf_load_channel_props (XcfInfo *info, + { + GimpChannel *mask; + ++ if (is_mask) ++ { ++ /* PROP_SELECTION is not valid for masks, and we have to avoid ++ * overwriting the channel. ++ */ ++ continue; ++ } ++ + /* We're going to delete *channel, Don't leave its pointer + * in @info. See bug #767873. + */ +@@ -2151,7 +2161,7 @@ xcf_load_channel (XcfInfo *info, + return NULL; + + /* read in the channel properties */ +- if (! xcf_load_channel_props (info, image, &channel)) ++ if (! xcf_load_channel_props (info, image, &channel, FALSE)) + goto error; + + xcf_progress_update (info); +@@ -2238,7 +2248,7 @@ xcf_load_layer_mask (XcfInfo *info, + + /* read in the layer_mask properties */ + channel = GIMP_CHANNEL (layer_mask); +- if (! xcf_load_channel_props (info, image, &channel)) ++ if (! 
xcf_load_channel_props (info, image, &channel, TRUE)) + goto error; + + xcf_progress_update (info); diff -Nru gimp-2.10.34/debian/patches/CVE-2025-48798-2.patch gimp-2.10.34/debian/patches/CVE-2025-48798-2.patch --- gimp-2.10.34/debian/patches/CVE-2025-48798-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ gimp-2.10.34/debian/patches/CVE-2025-48798-2.patch 2025-06-04 21:09:52.000000000 +0000 
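Review bot: The backported hunk in xcf_load_layer_mask only adds the `TRUE` argument, while the commit message describes rewriting the later part of that function to use `channel` and scoping `layer_mask` into a block; with `# Conflicts: app/xcf/xcf-load.c` recorded above, a reader cannot tell whether those lines were dropped deliberately (presumably because `is_mask` now prevents PROP_SELECTION from replacing the channel at all) or lost in conflict resolution. Add a line after the Conflicts block stating which it is, e.g. `# Backport note: the layer_mask block-scoping changes were omitted; is_mask alone prevents the channel pointer from being replaced.`. Separately, the new `continue` in xcf_load_channel_props leaves the property loop before anything in the PROP_SELECTION body runs; if that property can carry a non-zero prop_size in a malformed file, the unread payload would desynchronise the parser — this looks like a zero-length property, but it is worth confirming in the note. The bodies of xcf_load_channel_props and xcf_load_layer_mask extend outside the hunk.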
@@ -0,0 +1,189 @@ +commit e7523ed41271e48a909011b8598d496c1be642e2 +Author: Jehan +Date: Mon Nov 4 00:04:40 2024 +0100 + + Issue #11822: fix double-free in edge cases of broken XCF. + + A patch was originally contributed by Andrzej Hunt in #11822 (cf. + 0002-xcf-fix-channel-s-reference-counts.patch in the report). + + The diagnostic of the double PROP_SELECTION issue is right, but not the + fix which was over-reffing, hence leaking channels and buffers, in the + normal cases, just to avoid double-free in broken edge cases. + + The other issue is not possible though (unreffing the image's selection + when encountering an error in xcf_load_channel()) because we explicitly + check it it's the image mask AFAICS. + + I added a second test which was not double-freeing yet which deserves a + bit of stderr messaging: when 2 different channels have PROP_SELECTION + set. + + Relevant text from the commit message originally contributed by Andrzej + Hunt is the following (diagnostic and ASAN output still of interest): + + ---------------- + + xcf_load_channel creates a new channel using gimp_channel_new. This + channel has a floating reference (because GimpChannel is a subclass of + GimpItem, and gimp_item_init uses g_object_force_floating()). + + Next, three different scenarios can occur: + - xcf_load_channel_props does nothing, and we either return channel, OR + in the error case we g_object_unref (channel) which frees channel. + The returned channel is either silently dropped (in the case where + it's already been set as the mask), or added to the image using + gimp_image_add_channel if not (which sinks the floating reference). + - xcf_load_channel_props encounters a single PROP_SELECTION. We create + a selection using gimp_selection_new (which again has a floating + reference), transfer ownership of the new selection to the image + using gimp_image_take_mask(), free the old channel, and finally set + channel to point to this new selection. 
Back in xcf_load_channel, IF + we hit the error case, we call g_object_unref (channel), which frees + the new selection - but we're still using it as the image's mask, + meaning we could eventually hit a use-after-free whenever someone + reads the mask. + - xcf_load_channel_props encounters 2 PROP_SELECTION's. After the first + PROP_SELECTION, channel is pointing to the image mask, which has + reference count == 1 (as explained above). When we hit the second + PROP_SELECTION: we create another new selection, followed by calling + gimp_image_take_mask() again. gimp_image_take_mask() call + g_object_unref() on the old mask, which frees it - but channel is still + pointing to this mask. We then call g_object_unref() on channel, which + is effectively a double-free. + + We fix this by making sure to always ref_sink whatever object is put + into channel. gimp_image_take_mask also calls ref_sink, which means + we'll now bump the refcount up to 2 when the channel is being used as + the image's mask (and drop back to 1 if the mask is replaced, and down + to 0 when channel is unref'd). 
+ + See also ASAN output below from the 2x PROP_SELECTION scenario: + + ==6381==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150000047d0 at pc 0x7fb5531ef31b bp 0x7ffe81e86cb0 sp 0x7ffe81e86ca8 + READ of size 8 at 0x6150000047d0 thread T0 + #0 0x7fb5531ef31a in g_type_check_instance_cast /home/ahunt/git/glib/_build/../gobject/gtype.c:4117:26 + #1 0xb2346b in xcf_load_channel_props /home/ahunt/git/gimp/app/xcf/xcf-load.c:1742:41 + #2 0xb1a3cc in xcf_load_channel /home/ahunt/git/gimp/app/xcf/xcf-load.c:2219:9 + #3 0xb147eb in xcf_load_image /home/ahunt/git/gimp/app/xcf/xcf-load.c:653:17 + #4 0xb121bb in xcf_load_stream /home/ahunt/git/gimp/app/xcf/xcf.c:305:19 + #5 0x619ead in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/app/fuzzers/xcf_fuzzer.c:50:17 + #6 0x51d414 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 + #7 0x507092 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6 + #8 0x50d400 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9 + #9 0x537452 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 + #10 0x7fb551e7c349 in __libc_start_main (/lib64/libc.so.6+0x24349) + #11 0x4e0829 in _start /home/abuild/rpmbuild/BUILD/glibc-2.26/csu/../sysdeps/x86_64/start.S:120 + + 0x6150000047d0 is located 336 bytes inside of 504-byte region [0x615000004680,0x615000004878) + freed by thread T0 here: + #0 0x5e8612 in free /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3 + #1 0x7fb552d9ce08 in g_free /home/ahunt/git/glib/_build/../glib/gmem.c:199:3 + #2 
0x7fb552dc7a6b in g_slice_free1 /home/ahunt/git/glib/_build/../glib/gslice.c:1183:7 + #3 0x7fb5531e7b04 in g_type_free_instance /home/ahunt/git/glib/_build/../gobject/gtype.c:2008:5 + #4 0x7fb5531bfe3a in g_object_unref /home/ahunt/git/glib/_build/../gobject/gobject.c:3604:11 + #5 0xd4d4d4 in gimp_image_take_mask /home/ahunt/git/gimp/app/core/gimpimage.c:3267:5 + #6 0xb23438 in xcf_load_channel_props /home/ahunt/git/gimp/app/xcf/xcf-load.c:1739:13 + #7 0xb1a3cc in xcf_load_channel /home/ahunt/git/gimp/app/xcf/xcf-load.c:2219:9 + #8 0xb147eb in xcf_load_image /home/ahunt/git/gimp/app/xcf/xcf-load.c:653:17 + #9 0xb121bb in xcf_load_stream /home/ahunt/git/gimp/app/xcf/xcf.c:305:19 + #10 0x619ead in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/app/fuzzers/xcf_fuzzer.c:50:17 + #11 0x51d414 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 + #12 0x507092 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6 + #13 0x50d400 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9 + #14 0x537452 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 + #15 0x7fb551e7c349 in __libc_start_main (/lib64/libc.so.6+0x24349) + + previously allocated by thread T0 here: + #0 0x5e887d in malloc /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 + #1 0x7fb552d9ccf2 in g_malloc /home/ahunt/git/glib/_build/../glib/gmem.c:106:13 + #2 0x7fb552dc72e0 in g_slice_alloc /home/ahunt/git/glib/_build/../glib/gslice.c:1072:11 + #3 0x7fb552dc78ae in g_slice_alloc0 
/home/ahunt/git/glib/_build/../glib/gslice.c:1098:18 + #4 0x7fb5531e6e0a in g_type_create_instance /home/ahunt/git/glib/_build/../gobject/gtype.c:1911:17 + #5 0x7fb5531c215e in g_object_new_internal /home/ahunt/git/glib/_build/../gobject/gobject.c:1945:24 + #6 0x7fb5531c1d1f in g_object_new_valist /home/ahunt/git/glib/_build/../gobject/gobject.c:2288:16 + #7 0x7fb5531c0e8b in g_object_new /home/ahunt/git/glib/_build/../gobject/gobject.c:1788:12 + #8 0xdb7260 in gimp_item_new /home/ahunt/git/gimp/app/core/gimpitem.c:722:10 + #9 0xce1668 in gimp_drawable_new /home/ahunt/git/gimp/app/core/gimpdrawable.c:1067:14 + #10 0xe283e9 in gimp_selection_new /home/ahunt/git/gimp/app/core/gimpselection.c:626:13 + #11 0xb2342a in xcf_load_channel_props /home/ahunt/git/gimp/app/xcf/xcf-load.c:1735:15 + #12 0xb1a3cc in xcf_load_channel /home/ahunt/git/gimp/app/xcf/xcf-load.c:2219:9 + #13 0xb147eb in xcf_load_image /home/ahunt/git/gimp/app/xcf/xcf-load.c:653:17 + #14 0xb121bb in xcf_load_stream /home/ahunt/git/gimp/app/xcf/xcf.c:305:19 + #15 0x619ead in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/app/fuzzers/xcf_fuzzer.c:50:17 + #16 0x51d414 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 + #17 0x507092 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6 + #18 0x50d400 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9 + #19 0x537452 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 + #20 0x7fb551e7c349 in __libc_start_main (/lib64/libc.so.6+0x24349) + + SUMMARY: AddressSanitizer: heap-use-after-free 
/home/ahunt/git/glib/_build/../gobject/gtype.c:4117:26 in g_type_check_instance_cast + Shadow bytes around the buggy address: + 0x0c2a7fff88a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c2a7fff88b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa + 0x0c2a7fff88c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c2a7fff88d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c2a7fff88e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + =>0x0c2a7fff88f0: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd + 0x0c2a7fff8900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa + 0x0c2a7fff8910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c2a7fff8920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c2a7fff8930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c2a7fff8940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb + Shadow gap: cc + ==6381==ABORTING + + ( crash-c35bcae86d35ce7d0cd8ffcb41a470f37354e018 ) + +diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c +index 1fb0752832..3b1bcc872a 100644 +--- a/app/xcf/xcf-load.c ++++ b/app/xcf/xcf-load.c +@@ -2176,6 +2176,28 @@ xcf_load_channel_props (XcfInfo *info, + continue; + } + ++ if (*channel == gimp_image_get_mask (image)) ++ { ++ /* PROP_SELECTION was already seen once for this ++ * channel. Let's silently ignore the second identical ++ * property to avoid a double free. ++ */ ++ continue; ++ } ++ else if (gimp_image_get_mask (image) != NULL && ++ ! 
gimp_channel_is_empty (gimp_image_get_mask (image))) ++ { ++ /* This would happen when PROP_SELECTION was already set ++ * on a previous channel. This is a minor case of data ++ * loss (we don't know which selection was the right one ++ * and we drop the non-first ones), and also means it's ++ * a broken XCF, though it's not a major bug either. So ++ * let's go with a stderr print. ++ */ ++ g_printerr ("PROP_SELECTION property was set on 2 channels (skipping)\n"); ++ continue; ++ } ++ + /* We're going to delete *channel, Don't leave its pointer + * in @info. See bug #767873. + */ diff -Nru gimp-2.10.34/debian/patches/ZDI-CAN-26752.patch gimp-2.10.34/debian/patches/ZDI-CAN-26752.patch --- gimp-2.10.34/debian/patches/ZDI-CAN-26752.patch 1970-01-01 00:00:00.000000000 +0000 +++ gimp-2.10.34/debian/patches/ZDI-CAN-26752.patch 2025-06-04 21:09:52.000000000 +0000 
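Review bot: `gimp_image_get_mask (image)` is evaluated three times in the new PROP_SELECTION guard; since the block already declares `mask` for the selection it is about to create, hoisting the lookup into a differently named local keeps the two conditions readable as one decision: `GimpChannel *current_mask = gimp_image_get_mask (image);` followed by `if (*channel == current_mask)` and `else if (current_mask != NULL && ! gimp_channel_is_empty (current_mask))`. The second branch keys on emptiness, so a previous channel that set an empty selection is presumably not reported and falls through to the existing replacement path; the comment should say that only a non-empty earlier selection is detected, e.g. `/* Only a non-empty existing selection is treated as a conflict. */`. xcf_load_channel_props starts and ends outside the hunk.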
@@ -0,0 +1,36 @@
+From c855d1df60ebaf5ef8d02807d448eb088f147a2b Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Sat, 3 May 2025 14:13:46 +0000
+Subject: [PATCH] plug-ins: ZDI-CAN-26752 mitigation
+
+Resolves #13910
+Since ICO can store PNGs, it's possible to create an
+icon that's much larger than the stated image size and
+cause a buffer overflow.
+This patch adds a check to make sure the width * height * 4
+calculation does not overflow in addition to making sure it
+doesn't exceed the maximum allowed size for that icon.
+---
+ plug-ins/file-ico/ico-load.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
+index 9a222998bc1..818cf23cd31 100644
+--- a/plug-ins/file-ico/ico-load.c
++++ b/plug-ins/file-ico/ico-load.c
+@@ -299,7 +299,11 @@ ico_read_png (FILE *fp,
+ png_read_info (png_ptr, info);
+ png_get_IHDR (png_ptr, info, &w, &h, &bit_depth, &color_type,
+ NULL, NULL, NULL);
+- if (w*h*4 > maxsize)
++ /* Check for overflow */
++ if ((w * h * 4) < w ||
++ (w * h * 4) < h ||
++ (w * h * 4) < (w * h) ||
++ (w * h * 4) > maxsize)
+ {
+ png_destroy_read_struct (&png_ptr, &info, NULL);
+ return FALSE;
+--
+GitLab
+
diff -Nru gimp-2.10.34/debian/patches/series gimp-2.10.34/debian/patches/series
--- gimp-2.10.34/debian/patches/series 2023-11-18 15:57:48.000000000 +0000
+++ gimp-2.10.34/debian/patches/series 2025-06-04 21:10:49.000000000 +0000
@@ -5,3 +5,12 @@
 plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
 plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
 plug-ins-Additional-fixes-for-DDS-Import.patch
+CVE-2025-2760.patch
+CVE-2025-2761.patch
+CVE-2025-48797-1.patch
+CVE-2025-48797-2.patch
+CVE-2025-48797-3.patch
+CVE-2025-48797-4.patch
+CVE-2025-48798-1.patch
+CVE-2025-48798-2.patch
+ZDI-CAN-26752.patch
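Review bot: The overflow guard added in ico_read_png is incomplete: `w * h * 4` is still computed in the width of `w` and `h` (png_uint_32 as filled in by png_get_IHDR), and a product that wraps can remain larger than `w`, than `h` and than the equally wrapped `w * h`, so all three new `<` comparisons pass and only the `maxsize` test is left — which the wrapped value can also satisfy. Do the arithmetic in 64 bits instead, `if ((guint64) w * h * 4 > maxsize)` (casting `maxsize` as well if it is a signed type), which replaces the four conditions with one that cannot wrap; bounding `w` and `h` individually before `png_read_info`, e.g. with `png_set_user_limits`, would be a cheap second layer. The consumer of the computed size and the rest of ico_read_png are outside the hunk.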