* [OE-core][whinlatter][PATCH] gdk-pixbuf: Fix CVE-2025-6199
@ 2026-02-26 4:06 Shaik Moin
0 siblings, 0 replies; only message in thread
From: Shaik Moin @ 2026-02-26 4:06 UTC (permalink / raw)
To: openembedded-core; +Cc: careers.myinfo
Backport the fix for CVE-2025-6199
Add below patch to fix
CVE-2025-6199.patch
Reference: In Ubuntu and debian, fixed patch is given -> [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32]
Signed-off-by: Shaik Moin <moins@kpit.com>
---
.../gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch | 36 +++++++++++++++++++
.../gdk-pixbuf/gdk-pixbuf_2.42.12.bb | 1 +
2 files changed, 37 insertions(+)
create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch
new file mode 100644
index 0000000000..1952e3ceaf
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch
@@ -0,0 +1,36 @@
+From 140200be0b4d5355aab76a6fd474e17d117045ca Mon Sep 17 00:00:00 2001
+From: lumi <lumi@suwi.moe>
+Date: Sat, 7 Jun 2025 22:27:06 +0200
+Subject: [PATCH] lzw: Fix reporting of bytes written in decoder
+
+When the LZW decoder encounters an invalid code, it stops
+processing the image and returns the whole buffer size.
+It should return the amount of bytes written, instead.
+
+Fixes #257
+
+CVE: CVE-2025-6199
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32]
+
+Signed-off-by: Shaik Moin <moins@kpit.com>
+---
+ gdk-pixbuf/lzw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c
+index 15293560b..4f3dd8beb 100644
+--- a/gdk-pixbuf/lzw.c
++++ b/gdk-pixbuf/lzw.c
+@@ -208,7 +208,7 @@ lzw_decoder_feed (LZWDecoder *self,
+ /* Invalid code received - just stop here */
+ if (self->code >= self->code_table_size) {
+ self->last_code = self->eoi_code;
+- return output_length;
++ return n_written;
+ }
+
+ /* Convert codeword into indexes */
+--
+2.34.1
+
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb
index 98993cc07d..f22dc2cd91 100644
--- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb
@@ -22,6 +22,7 @@ SRC_URI += "\
file://run-ptest \
file://fatal-loader.patch \
file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \
+ file://CVE-2025-6199.patch \
"
GIR_MESON_OPTION = 'introspection'
--
2.34.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-02-26 6:07 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-26 4:06 [OE-core][whinlatter][PATCH] gdk-pixbuf: Fix CVE-2025-6199 Shaik Moin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox