Debian Package Tracker
Register | Log in
Subscribe

gimp

GNU Image Manipulation Program

Choose email to subscribe with

general
  • source: gimp (main)
  • version: 3.2.4-3
  • maintainer: Debian GNOME Extras Maintainers (archive) (DMD)
  • uploaders: Jordi Mallach [DMD] – Jeremy Bícha [DMD]
  • arch: all any
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.10.22-4+deb11u2
  • o-o-sec: 2.10.22-4+deb11u8
  • oldstable: 2.10.34-1+deb12u10
  • old-sec: 2.10.34-1+deb12u10
  • stable: 3.0.4-3+deb13u9
  • stable-sec: 3.0.4-3+deb13u8
  • testing: 3.2.4-2
  • unstable: 3.2.4-3
versioned links
  • 2.10.22-4+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.10.22-4+deb11u8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.10.34-1+deb12u10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.0.4-3+deb13u8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.0.4-3+deb13u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.2.4-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.2.4-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • gimp (177 bugs: 0, 133, 44, 0)
  • gimp-data (3 bugs: 0, 2, 1, 0)
  • gir1.2-gimp-3.0
  • libgimp-3.0-0
  • libgimp-3.0-bin
  • libgimp-3.0-dev
  • libgimp-3.0-doc (1 bugs: 0, 1, 0, 0)
action needed
10 security issues in trixie high

There are 10 open security issues in trixie.

10 important issues:
  • CVE-2026-58379: A flaw was found in GIMP's Paint Shop Pro (PSP) file format parser. This heap buffer overflow vulnerability allows a remote attacker to cause arbitrary code execution or a denial of service (DoS) by tricking a user into opening a specially crafted PSP image file. The vulnerability occurs because the software incorrectly calculates buffer sizes when processing low bit-depth images, leading to an overwrite of adjacent memory.
  • CVE-2026-58380: A flaw was found in GIMP's PNM file format parser. When parsing a specially crafted PNM file, the pnmscanner_gettoken() function writes a null terminator one byte past the end of a stack-allocated buffer due to an off-by-one error in the loop boundary check. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.
  • CVE-2026-58381: A flaw was found in GIMP's PSP file format parser. A double-free condition occurs in the read_layer_block() function when processing a specially crafted PSP file. This could allow an attacker to cause memory corruption, potentially leading to denial of service or arbitrary code execution.
  • CVE-2026-58382:
  • CVE-2026-58383:
  • CVE-2026-58384: A flaw was found in GIMP's PSD parser. An integer overflow in read_RLE_channel() can cause an undersized heap allocation for the RLE row-length table, after which subsequent per-row writes corrupt heap memory. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.
  • CVE-2026-58385:
  • CVE-2026-58386:
  • CVE-2026-58387:
  • CVE-2026-58388:
2 issues that should be fixed with the next stable update:
  • CVE-2026-4154: GIMP XPM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XPM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28901.
  • CVE-2026-40915: A flaw was found in GIMP. A remote attacker could exploit an integer overflow vulnerability in the FITS image loader by providing a specially crafted FITS file. This integer overflow leads to a zero-byte memory allocation, which is then subjected to a heap buffer overflow when processing pixel data. Successful exploitation could result in a denial of service (DoS) or potentially arbitrary code execution.
Created: 2026-07-03 Last update: 2026-07-11 15:25
2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:
  • CVE-2026-58379: A flaw was found in GIMP's Paint Shop Pro (PSP) file format parser. This heap buffer overflow vulnerability allows a remote attacker to cause arbitrary code execution or a denial of service (DoS) by tricking a user into opening a specially crafted PSP image file. The vulnerability occurs because the software incorrectly calculates buffer sizes when processing low bit-depth images, leading to an overwrite of adjacent memory.
  • CVE-2026-59089: A flaw was found in GIMP. The PlayStation TIM loader, responsible for handling PlayStation image files, incorrectly calculates the size of the Color Look-Up Table (CLUT) due to an integer overflow. This occurs when multiplying num_colors and num_cluts, both 16-bit unsigned short integers, resulting in a value exceeding the maximum integer limit. An attacker could exploit this by providing a specially crafted image file, leading to undefined behavior and causing the GIMP plug-in to abort, effectively resulting in a denial of service.
Created: 2026-07-04 Last update: 2026-07-11 15:25
2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:
  • CVE-2026-58379: A flaw was found in GIMP's Paint Shop Pro (PSP) file format parser. This heap buffer overflow vulnerability allows a remote attacker to cause arbitrary code execution or a denial of service (DoS) by tricking a user into opening a specially crafted PSP image file. The vulnerability occurs because the software incorrectly calculates buffer sizes when processing low bit-depth images, leading to an overwrite of adjacent memory.
  • CVE-2026-59089: A flaw was found in GIMP. The PlayStation TIM loader, responsible for handling PlayStation image files, incorrectly calculates the size of the Color Look-Up Table (CLUT) due to an integer overflow. This occurs when multiplying num_colors and num_cluts, both 16-bit unsigned short integers, resulting in a value exceeding the maximum integer limit. An attacker could exploit this by providing a specially crafted image file, leading to undefined behavior and causing the GIMP plug-in to abort, effectively resulting in a denial of service.
Created: 2026-07-04 Last update: 2026-07-11 15:25
12 security issues in bullseye high

There are 12 open security issues in bullseye.

10 important issues:
  • CVE-2026-58379: A flaw was found in GIMP's Paint Shop Pro (PSP) file format parser. This heap buffer overflow vulnerability allows a remote attacker to cause arbitrary code execution or a denial of service (DoS) by tricking a user into opening a specially crafted PSP image file. The vulnerability occurs because the software incorrectly calculates buffer sizes when processing low bit-depth images, leading to an overwrite of adjacent memory.
  • CVE-2026-58380: A flaw was found in GIMP's PNM file format parser. When parsing a specially crafted PNM file, the pnmscanner_gettoken() function writes a null terminator one byte past the end of a stack-allocated buffer due to an off-by-one error in the loop boundary check. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.
  • CVE-2026-58381: A flaw was found in GIMP's PSP file format parser. A double-free condition occurs in the read_layer_block() function when processing a specially crafted PSP file. This could allow an attacker to cause memory corruption, potentially leading to denial of service or arbitrary code execution.
  • CVE-2026-58382:
  • CVE-2026-58383:
  • CVE-2026-58384: A flaw was found in GIMP's PSD parser. An integer overflow in read_RLE_channel() can cause an undersized heap allocation for the RLE row-length table, after which subsequent per-row writes corrupt heap memory. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.
  • CVE-2026-58385:
  • CVE-2026-58386:
  • CVE-2026-58387:
  • CVE-2026-58388:
2 issues postponed or untriaged:
  • CVE-2026-4154: (postponed; to be fixed through a stable update) GIMP XPM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XPM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28901.
  • CVE-2026-40915: (postponed; to be fixed through a stable update) A flaw was found in GIMP. A remote attacker could exploit an integer overflow vulnerability in the FITS image loader by providing a specially crafted FITS file. This integer overflow leads to a zero-byte memory allocation, which is then subjected to a heap buffer overflow when processing pixel data. Successful exploitation could result in a denial of service (DoS) or potentially arbitrary code execution.
Created: 2026-07-03 Last update: 2026-07-11 15:25
12 security issues in bookworm high

There are 12 open security issues in bookworm.

10 important issues:
  • CVE-2026-58379: A flaw was found in GIMP's Paint Shop Pro (PSP) file format parser. This heap buffer overflow vulnerability allows a remote attacker to cause arbitrary code execution or a denial of service (DoS) by tricking a user into opening a specially crafted PSP image file. The vulnerability occurs because the software incorrectly calculates buffer sizes when processing low bit-depth images, leading to an overwrite of adjacent memory.
  • CVE-2026-58380: A flaw was found in GIMP's PNM file format parser. When parsing a specially crafted PNM file, the pnmscanner_gettoken() function writes a null terminator one byte past the end of a stack-allocated buffer due to an off-by-one error in the loop boundary check. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.
  • CVE-2026-58381: A flaw was found in GIMP's PSP file format parser. A double-free condition occurs in the read_layer_block() function when processing a specially crafted PSP file. This could allow an attacker to cause memory corruption, potentially leading to denial of service or arbitrary code execution.
  • CVE-2026-58382:
  • CVE-2026-58383:
  • CVE-2026-58384: A flaw was found in GIMP's PSD parser. An integer overflow in read_RLE_channel() can cause an undersized heap allocation for the RLE row-length table, after which subsequent per-row writes corrupt heap memory. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.
  • CVE-2026-58385:
  • CVE-2026-58386:
  • CVE-2026-58387:
  • CVE-2026-58388:
2 issues left for the package maintainer to handle:
  • CVE-2026-4154: (needs triaging) GIMP XPM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XPM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28901.
  • CVE-2026-40915: (needs triaging) A flaw was found in GIMP. A remote attacker could exploit an integer overflow vulnerability in the FITS image loader by providing a specially crafted FITS file. This integer overflow leads to a zero-byte memory allocation, which is then subjected to a heap buffer overflow when processing pixel data. Successful exploitation could result in a denial of service (DoS) or potentially arbitrary code execution.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-04-11 Last update: 2026-07-11 15:25
Problems while searching for a new upstream version high
uscan had problems while searching for a new upstream version:
No Matching-Pattern found, using .*?@ANY_VERSION@@ARCHIVE_EXT@
Created: 2025-12-05 Last update: 2026-07-11 15:25
Does not build reproducibly during testing normal
A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!
Created: 2026-06-29 Last update: 2026-07-11 18:30
lintian reports 8 warnings normal
Lintian reports 8 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2026-07-10 Last update: 2026-07-10 16:48
Multiarch hinter reports 1 issue(s) low
There are issues with the multiarch metadata for this package.
  • libgimp-3.0-doc could be marked Multi-Arch: foreign
Created: 2026-04-20 Last update: 2026-07-11 18:31
debian/patches: 3 patches to forward upstream low

Among the 3 debian patches available in version 3.2.4-3 of the package, we noticed the following issues:

  • 3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2026-05-12 Last update: 2026-07-10 13:00
Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2026-03-03 Last update: 2026-04-20 13:00
testing migrations
  • excuses:
    • Migration status for gimp (3.2.4-2 to 3.2.4-3): BLOCKED: Maybe temporary, maybe blocked but Britney is missing information (check below)
    • Issues preventing migration:
    • ∙ ∙ Missing build on riscv64
    • ∙ ∙ Piuparts check waiting for test results - https://piuparts.debian.org/sid/source/g/gimp.html
    • ∙ ∙ Autopkgtest deferred on riscv64: missing arch:riscv64 build
    • ∙ ∙ Autopkgtest for gimp/3.2.4-3: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻, armhf: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), loong64: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), s390x: No tests, superficial or marked flaky ♻ (reference ♻)
    • ∙ ∙ Lintian check waiting for test results on arm64, loong64, all, amd64, i386, armhf, riscv64 - info
    • ∙ ∙ Reproducibility check waiting for results on arm64 - info
    • ∙ ∙ Reproducibility check waiting for results on armhf - info
    • ∙ ∙ Too young, only 1 of 5 days old
    • Additional info (not blocking):
    • ∙ ∙ Reproduced on amd64 - info
    • ∙ ∙ Reproduced on i386 - info
    • Not considered
news
[rss feed]
  • [2026-07-10] Accepted gimp 3.2.4-3 (source) into unstable (Jeremy Bícha)
  • [2026-06-28] gimp 3.2.4-2 MIGRATED to testing (Debian testing watch)
  • [2026-06-20] gimp REMOVED from testing (Debian testing watch)
  • [2026-06-13] Accepted gimp 3.0.4-3+deb13u9 (source) into proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
  • [2026-05-20] gimp 3.2.4-2 MIGRATED to testing (Debian testing watch)
  • [2026-05-11] Accepted gimp 3.2.4-2 (source) into unstable (Jeremy Bícha)
  • [2026-04-30] gimp 3.2.4-1 MIGRATED to testing (Debian testing watch)
  • [2026-04-19] Accepted gimp 3.2.4-1 (source) into unstable (Jeremy Bícha)
  • [2026-04-19] Accepted gimp 2.10.22-4+deb11u8 (source) into oldoldstable-security (Thorsten Alteholz)
  • [2026-04-18] Accepted gimp 2.10.34-1+deb12u10 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2026-04-18] Accepted gimp 3.0.4-3+deb13u8 (source) into proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2026-04-17] Accepted gimp 2.10.34-1+deb12u10 (source) into oldstable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2026-04-17] Accepted gimp 3.0.4-3+deb13u8 (source) into stable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2026-04-04] gimp 3.2.2-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-29] Accepted gimp 3.2.2-1 (source) into unstable (Jeremy Bícha)
  • [2026-03-29] gimp 3.2.0-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-19] Accepted gimp 3.2.0-1 (source) into unstable (Jeremy Bícha)
  • [2026-03-15] Accepted gimp 2.10.22-4+deb11u7 (source) into oldoldstable-security (Thorsten Alteholz)
  • [2026-03-13] Accepted gimp 2.10.34-1+deb12u9 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2026-03-05] Accepted gimp 3.0.4-3+deb13u7 (source) into proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2026-03-05] gimp 3.2.0~RC3-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-03] Accepted gimp 3.0.4-3+deb13u7 (source) into stable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2026-03-03] Accepted gimp 2.10.34-1+deb12u9 (source) into oldstable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2026-03-02] Accepted gimp 3.2.0~RC3-1 (source) into unstable (Jeremy Bícha)
  • [2026-02-26] gimp 3.2.0~RC2-3.3 MIGRATED to testing (Debian testing watch)
  • [2026-02-21] Accepted gimp 2.10.34-1+deb12u8 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
  • [2026-02-19] Accepted gimp 3.0.4-3+deb13u6 (source) into proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
  • [2026-02-18] Accepted gimp 2.10.22-4+deb11u6 (source) into oldoldstable-security (Thorsten Alteholz)
  • [2026-02-18] Accepted gimp 3.0.4-3+deb13u6 (source) into stable-security (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
  • [2026-02-18] Accepted gimp 2.10.34-1+deb12u8 (source) into oldstable-security (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
  • 1
  • 2
bugs [bug history graph]
  • all: 174 183
  • RC: 0
  • I&N: 131 137
  • M&W: 43 46
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 8)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • screenshots
  • l10n (-, 80)
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 3.2.4-2

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing