-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 13 Oct 2025 17:53:19 +0200
Source: gimp
Architecture: source
Version: 2.10.22-4+deb11u3
Distribution: bullseye-security
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Closes: 1105005 1107758 1116459
Changes:
 gimp (2.10.22-4+deb11u3) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2025-2760: GIMP XWD File Parsing Integer Overflow Remote Code
     Execution Vulnerability. The specific flaw exists within the parsing of
     XWD files. The issue results from the lack of proper validation of
     user-supplied data, which can result in an integer overflow before
     allocating a buffer. An attacker can leverage this vulnerability to
     execute code in the context of the current process. Was ZDI-CAN-25082.
     (Closes: #1107758)
   * CVE-2025-2761: GIMP FLI File Parsing Out-Of-Bounds Write Remote Code
     Execution Vulnerability. The specific flaw exists within the parsing of
     FLI files. The issue results from the lack of proper validation of
     user-supplied data, which can result in a write past the end of an
     allocated buffer. An attacker can leverage this vulnerability to execute
     code in the context of the current process. Was ZDI-CAN-25100.
   * CVE-2025-5473: GIMP ICO File Parsing Integer Overflow Remote Code
     Execution Vulnerability. The specific flaw exists within the parsing of
     ICO files. The issue results from the lack of proper validation of
     user-supplied data, which can result in an integer overflow before
     writing to memory. An attacker can leverage this vulnerability to execute
     code in the context of the current process. Was ZDI-CAN-26752.
     (Closes: #1105005)
   * CVE-2025-6035: An integer overflow vulnerability exists in the GIMP
     "Despeckle" plug-in. The issue occurs due to unchecked multiplication of
     image dimensions, such as width, height, and bytes-per-pixel (img_bpp),
     which can result in allocating insufficient memory and subsequently
     performing out-of-bounds writes. This issue could lead to heap
     corruption, a potential denial of service (DoS), or arbitrary code
     execution in certain scenarios.
   * CVE-2025-10922: ZDI-CAN-27863: GIMP DCM File Parsing Heap-based Buffer
     Overflow Remote Code Execution Vulnerability (Closes: #1116459)
   * CVE-2025-48797: flaw when processing certain TGA image files. If a user
     opens one of these image files that has been specially crafted by an
     attacker, GIMP can be tricked into making serious memory errors,
     potentially leading to crashes and causing a heap buffer overflow.
   * CVE-2025-48798: flaw when processing XCF image files. If a user opens
     one of these image files that has been specially crafted by an attacker,
     GIMP can be tricked into making serious memory errors, potentially
     leading to crashes and causing use-after-free issues.
   * Salsa CI: add configuration
   * debian/gbp.conf: target debian/bullseye branch
Checksums-Sha1:
 a0205ae1b05fab62e3aede005c7d03ed2c8bf8b4 3470 gimp_2.10.22-4+deb11u3.dsc
 e80144eb060e46c0c6d869caeadeb40d38807ee1 73276 gimp_2.10.22-4+deb11u3.debian.tar.xz
 14d1b3cf25095bc35b7fdcbb20962a419faf209a 19641 gimp_2.10.22-4+deb11u3_source.buildinfo
Checksums-Sha256:
 63f7c21c2c7b31c64697a353520eaa2f286c26c69e6103596865757c602272ad 3470 gimp_2.10.22-4+deb11u3.dsc
 cc4e80d1881ce4d40fa295ca07531059076f8b522bf723af449c85c10370d73e 73276 gimp_2.10.22-4+deb11u3.debian.tar.xz
 ff22857281b36382310be76b0cc16022fe09bfdfebcd21d60215428a8ca183c7 19641 gimp_2.10.22-4+deb11u3_source.buildinfo
Files:
 04e549660bf63ebe52f0ea5520bd51b2 3470 graphics optional gimp_2.10.22-4+deb11u3.dsc
 53b53e4637bde48571514b053c0d721a 73276 graphics optional gimp_2.10.22-4+deb11u3.debian.tar.xz
 def5b03c5ebb72ccbc27a861961f4f6c 19641 graphics optional gimp_2.10.22-4+deb11u3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmj4098ACgkQDTl9HeUl
XjDyYRAAk9z1WQEsrHIxP5HMjWCMNLnkE7hWDUoQj9kuI+LCkG6yQzdPx9NV6nRJ
TS57Vhfb+UKblValOK8osm54MalFQOl8E0Mz4nC7frRY/C/h14A2lDg3YpqHm9NN
IbUewG5ajDQX94PnLV9RhtdrfhVSUYNsn3gxX6Im//Mou9VMp22TKzaWbOCMUsue
MpJGU5LdkI2QCnkUHSsNiw8A8bCnmRFdZAlDV1n4qb586vguPgoWlm/r/9X0X/iB
SwCSWA4mPzw1qFEaFr4TRRbbFfRspuolTuu1sVRIyOaPYO27fwTuZrXeERTLM4A0
kpN55/I7TAA+zWTTEHMyI7/YRsnygnfo6LzBx7DCmKQZ+jmTflrVYdmsAR66P+Q7
fyDCwYA0dHYsIrBx92y/5zKlTTQBT1oGKOzsCSxx9MuUaAfuailClD8hwOyF34M8
hKI4gVPtlW36YRATVMUHcmy+1CDjFE4D1/2d8EywdzpVkmougKIYMQunXZe6veXh
vsb6PA4mokooX5BFvO+4RCMSfjFS2fn/ZSfC82SOT2nsPz0qpVY8H0Sn/iS/Aehk
wIvy5kADuAaaqJV9Zmr/cfwhTq6Np26/pEPfjfw0XH6fiJXZMrsO9hZTXMVtm8vG
MwqKKCQ3zw4QkXBxbfgqmav9OW1+P2urzByZW+ECgq5ii/oWM+I=
=7JsI
-----END PGP SIGNATURE-----
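Three of the entries in the signed changelog above (the XWD, ICO and "Despeckle" issues) describe the same bug class: a pixel-buffer size computed as width * height * bytes-per-pixel in 32-bit arithmetic wraps, the parser allocates the wrapped (tiny) size, and the row-by-row writes that follow run past the end of the heap block. The C below is an added illustration of that pattern and of the checked form that rejects it; it is not GIMP source, not the Debian patch, and not the code path of any listed CVE. The 12-byte little-endian "toy header", the function names, the two constructed headers and the MAX_IMAGE_BYTES limit are all assumptions made for this example.

```c
/*
 * Added example: integer overflow before allocation, unchecked vs. checked.
 * NOT GIMP code and NOT the Debian patch. The toy header layout, the
 * function names and the size limit below are assumptions for the example.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy limit on a single pixel buffer (1 GiB). */
#define MAX_IMAGE_BYTES ((size_t)1 << 30)

/* Constructed headers (assumed layout: three little-endian u32 fields:
   width, height, bytes-per-pixel). SANE is 640x480x4; CRAFTED is
   65536x65537x1, whose product wraps to exactly 65536 in 32 bits. */
static const unsigned char SANE_HDR[12]    = {0x80,0x02,0,0, 0xE0,0x01,0,0, 4,0,0,0};
static const unsigned char CRAFTED_HDR[12] = {0x00,0x00,0x01,0, 0x01,0x00,0x01,0, 1,0,0,0};

/* The unsafe pattern: the product wraps silently modulo 2^32, so a crafted
   header yields a small allocation that the later writes overrun. */
static uint32_t buffer_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Portable overflow-checked multiply; returns 0 if a*b would exceed SIZE_MAX. */
static int checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* The hardened pattern: reject zero dimensions, any wrap in the rowstride
   or the total, and totals above the policy limit. Returns 1 and sets *out
   on success, 0 on rejection. */
static int buffer_size_checked(uint32_t width, uint32_t height, uint32_t bpp,
                               size_t max_bytes, size_t *out)
{
    size_t rowstride, total;
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if (!checked_mul_size((size_t)width, (size_t)bpp, &rowstride))
        return 0;
    if (!checked_mul_size(rowstride, (size_t)height, &total))
        return 0;
    if (total > max_bytes)
        return 0;
    *out = total;
    return 1;
}

/* 64-bit answer to "would writing height rows of width*bpp bytes run past
   an allocation of alloc_bytes?", i.e. the out-of-bounds write that follows
   a wrapped size. Returns 1 if it would. */
static int writes_exceed_allocation(uint32_t width, uint32_t height, uint32_t bpp,
                                    uint64_t alloc_bytes)
{
    uint64_t needed = (uint64_t)width * (uint64_t)height * (uint64_t)bpp;
    return needed > alloc_bytes;
}

/* Read a little-endian u32 from the toy header. */
static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Allocate the pixel buffer for a 12-byte toy header using the checked
   size, or return NULL when the dimensions are rejected. Caller frees. */
static unsigned char *alloc_pixels_from_header(const unsigned char hdr[12], size_t *out_len)
{
    size_t n;
    if (!buffer_size_checked(rd_le32(hdr), rd_le32(hdr + 4), rd_le32(hdr + 8),
                             MAX_IMAGE_BYTES, &n))
        return NULL;
    unsigned char *buf = calloc(n, 1);
    if (buf)
        *out_len = n;
    return buf;
}

int main(void)
{
    size_t len = 0;
    unsigned char *buf;

    printf("unchecked size for crafted header: %u bytes\n",
           buffer_size_unchecked(65536u, 65537u, 1u));
    printf("row writes would overrun that allocation: %s\n",
           writes_exceed_allocation(65536u, 65537u, 1u, 65536) ? "yes" : "no");

    buf = alloc_pixels_from_header(CRAFTED_HDR, &len);
    printf("checked allocation for crafted header: %s\n", buf ? "accepted" : "rejected");
    free(buf);

    buf = alloc_pixels_from_header(SANE_HDR, &len);
    printf("checked allocation for 640x480x4: %s (%zu bytes)\n",
           buf ? "accepted" : "rejected", len);
    free(buf);
    return 0;
}
```

The check is deliberately done on size_t with a division-based guard rather than a compiler builtin so it compiles anywhere; on a 32-bit build the second multiply wraps and is refused, on a 64-bit build it does not wrap but exceeds the policy limit and is refused for that reason, so both paths reject the crafted header. Computing the rowstride first and then multiplying by the height also catches the case where a single row is already too wide.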