首页 发现 帮助
登录
crispAudio
/
poky
镜像自地址 git://git.yoctoproject.org/poky
5
0
派生 0
文件 工单管理 0 Wiki
浏览代码

gdk-pixbuf: fix CVE-2025-7345

A flaw exists in gdk‑pixbuf within the gdk_pixbuf__jpeg_image_load_increment function
(io-jpeg.c) and in glib’s g_base64_encode_step (glib/gbase64.c). When processing
maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding,
allowing out-of-bounds reads from heap memory, potentially causing application crashes or
arbitrary code execution.

(From OE-Core rev: 1803f965e4990be3fbdcd52544f0080e9c83800d)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Archana Polampalli 3 月之前
父节点
86182e972c
当前提交
de4b007ac0
共有 2 个文件被更改,包括 56 次插入0 次删除
分列视图 显示文件统计
  1. 55 0
      meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch
  2. 1 0
      meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.10.bb

+ 55 - 0
meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch
查看文件 

@@ -0,0 +1,55 @@
 
+From 4af78023ce7d3b5e3cec422a59bb4f48fa4f5886 Mon Sep 17 00:00:00 2001
 
+From: Matthias Clasen <mclasen@redhat.com>
 
+Date: Fri, 11 Jul 2025 11:02:05 -0400
 
+Subject: [PATCH] jpeg: Be more careful with chunked icc data
 
+
 
+We we inadvertendly trusting the sequence numbers not to lie.
 
+If they do we would report a larger data size than we actually
 
+allocated, leading to out of bounds memory access in base64
 
+encoding later on.
 
+
 
+This has been assigned CVE-2025-7345.
 
+
 
+Fixes: #249
 
+
 
+CVE: CVE-2025-7345
 
+
 
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/4af78023ce7d3b5e3cec422a59bb4f48fa4f5886]
 
+
 
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
 
+---
 
+ gdk-pixbuf/io-jpeg.c | 8 ++++++--
 
+ 1 file changed, 6 insertions(+), 2 deletions(-)
 
+
 
+diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
 
+index 3841fc0..9ee1d21 100644
 
+--- a/gdk-pixbuf/io-jpeg.c
 
++++ b/gdk-pixbuf/io-jpeg.c
 
+@@ -356,6 +356,7 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
 
+		context->icc_profile = g_new (gchar, chunk_size);
 
+		/* copy the segment data to the profile space */
 
+		memcpy (context->icc_profile, marker->data + 14, chunk_size);
 
++                ret = TRUE;
 
+		goto out;
 
+	}
 
+
 
+@@ -377,12 +378,15 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
 
+	/* copy the segment data to the profile space */
 
+	memcpy (context->icc_profile + offset, marker->data + 14, chunk_size);
 
+
 
+-	/* it's now this big plus the new data we've just copied */
 
+-	context->icc_profile_size += chunk_size;
 
++        context->icc_profile_size = MAX (context->icc_profile_size, offset + chunk_size);
 
+
 
+	/* success */
 
+	ret = TRUE;
 
+ out:
 
++        if (!ret) {
 
++                g_free (context->icc_profile);
 
++                context->icc_profile = NULL;
 
++        }
 
+	return ret;
 
+ }
 
+
 
+--
 
+2.40.0

+ 1 - 0
meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.10.bb
查看文件 

@@ -20,6 +20,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
 
            file://run-ptest \
 
            file://fatal-loader.patch \
 
            file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \
 
+           file://CVE-2025-7345.patch \
 
            "
 
 
 SRC_URI[sha256sum] = "ee9b6c75d13ba096907a2e3c6b27b61bcd17f5c7ebeab5a5b439d2f2e39fe44b"