From 1803f965e4990be3fbdcd52544f0080e9c83800d Mon Sep 17 00:00:00 2001 From: Archana Polampalli Date: Mon, 14 Jul 2025 17:48:49 +0530 Subject: [PATCH] gdk-pixbuf: fix CVE-2025-7345 MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit A flaw exists in gdk‑pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib’s g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially causing application crashes or arbitrary code execution. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch | 55 +++++++++++++++++++ .../gdk-pixbuf/gdk-pixbuf_2.42.10.bb | 1 + 2 files changed, 56 insertions(+) create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch new file mode 100644 index 00000000000..a8f23d35012 --- /dev/null +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch @@ -0,0 +1,55 @@ +From 4af78023ce7d3b5e3cec422a59bb4f48fa4f5886 Mon Sep 17 00:00:00 2001 +From: Matthias Clasen +Date: Fri, 11 Jul 2025 11:02:05 -0400 +Subject: [PATCH] jpeg: Be more careful with chunked icc data + +We we inadvertendly trusting the sequence numbers not to lie. +If they do we would report a larger data size than we actually +allocated, leading to out of bounds memory access in base64 +encoding later on. + +This has been assigned CVE-2025-7345. + +Fixes: #249 + +CVE: CVE-2025-7345 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/4af78023ce7d3b5e3cec422a59bb4f48fa4f5886] + +Signed-off-by: Archana Polampalli +--- + gdk-pixbuf/io-jpeg.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c +index 3841fc0..9ee1d21 100644 +--- a/gdk-pixbuf/io-jpeg.c ++++ b/gdk-pixbuf/io-jpeg.c +@@ -356,6 +356,7 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma + context->icc_profile = g_new (gchar, chunk_size); + /* copy the segment data to the profile space */ + memcpy (context->icc_profile, marker->data + 14, chunk_size); ++ ret = TRUE; + goto out; + } + +@@ -377,12 +378,15 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma + /* copy the segment data to the profile space */ + memcpy (context->icc_profile + offset, marker->data + 14, chunk_size); + +- /* it's now this big plus the new data we've just copied */ +- context->icc_profile_size += chunk_size; ++ context->icc_profile_size = MAX (context->icc_profile_size, offset + chunk_size); + + /* success */ + ret = TRUE; + out: ++ if (!ret) { ++ g_free (context->icc_profile); ++ context->icc_profile = NULL; ++ } + return ret; + } + +-- +2.40.0 diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.10.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.10.bb index cca89a90598..471d72d8ddf 100644 --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.10.bb +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.10.bb @@ -20,6 +20,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \ file://run-ptest \ file://fatal-loader.patch \ file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \ + file://CVE-2025-7345.patch \ " SRC_URI[sha256sum] = "ee9b6c75d13ba096907a2e3c6b27b61bcd17f5c7ebeab5a5b439d2f2e39fe44b" -- 2.47.2