-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 02 Jan 2026 14:20:38 +0100
Source: gimp
Architecture: source
Version: 2.10.22-4+deb11u5
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Andreas Henriksson <andreas@fatal.se>
Changes:
 gimp (2.10.22-4+deb11u5) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2025-14422: PNM File Parsing Integer Overflow RCE.
     GIMP PNM File Parsing Integer Overflow Remote Code Execution
     Vulnerability. This vulnerability allows remote attackers to execute
     arbitrary code on affected installations of GIMP. User interaction is
     required to exploit this vulnerability in that the target must visit a
     malicious page or open a malicious file. The specific flaw exists within
     the parsing of PNM files. The issue results from the lack of proper
     validation of user-supplied data, which can result in an integer
     overflow before allocating a buffer. An attacker can leverage this
     vulnerability to execute code in the context of the current process.
     Was ZDI-CAN-28273.
   * CVE-2025-14425: JP2 File Parsing Heap-based Buffer Overflow RCE.
     GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution
     Vulnerability. This vulnerability allows remote attackers to execute
     arbitrary code on affected installations of GIMP. User interaction is
     required to exploit this vulnerability in that the target must visit a
     malicious page or open a malicious file. The specific flaw exists within
     the parsing of JP2 files. The issue results from the lack of proper
     validation of the length of user-supplied data prior to copying it to a
     heap-based buffer. An attacker can leverage this vulnerability to
     execute code in the context of the current process.
     Was ZDI-CAN-28248.
   * CVE-2022-30067: buffer overflow in XCF.
     GIMP 2.10.30 and 2.99.10 are vulnerable to Buffer Overflow. Through a
     crafted XCF file, the program will allocate for a huge amount of memory,
     resulting in insufficient memory or program crash.
Checksums-Sha1:
 949b693cc5158b05bec5cfe4a2e2f2126c8118f0 3470 gimp_2.10.22-4+deb11u5.dsc
 da1687341e846fef784485511809da2988cb8200 33152226 gimp_2.10.22.orig.tar.bz2
 e5f0c9de5b4390d6ccdb6499b01741c3f6afd369 76208 gimp_2.10.22-4+deb11u5.debian.tar.xz
 9c7e2ce660835eea7af6e2c5625c7b7489302492 9838 gimp_2.10.22-4+deb11u5_source.buildinfo
Checksums-Sha256:
 6e3d80ea0eab9cd2a6859843aee530447842e0d5db099330d1c241e88aab6b10 3470 gimp_2.10.22-4+deb11u5.dsc
 2db84b57f3778d80b3466d7c21a21d22e315c7b062de2883cbaaeda9a0f618bb 33152226 gimp_2.10.22.orig.tar.bz2
 7e4841a68f284a0bb71a721466f906029b0ded05e14694210d7692eb17130ff8 76208 gimp_2.10.22-4+deb11u5.debian.tar.xz
 49d17a34049ad94c3f87d1d3e62ed0729350d8ea66e96e8a642369eb21838ed7 9838 gimp_2.10.22-4+deb11u5_source.buildinfo
Files:
 f7fa854b21d077d137d9b6cdd3fd275f 3470 graphics optional gimp_2.10.22-4+deb11u5.dsc
 9d559ba6f039da033754f1d62a91cc39 33152226 graphics optional gimp_2.10.22.orig.tar.bz2
 7b02e7a7eea90aea57ab77989f1a6d97 76208 graphics optional gimp_2.10.22-4+deb11u5.debian.tar.xz
 a8c569a60174957fd5c2ff903d460164 9838 graphics optional gimp_2.10.22-4+deb11u5_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE+uHltkZSvnmOJ4zCC8R9xk0TUwYFAmlXzggACgkQC8R9xk0T
UwYhDg//SWteppve2AbsZH8J240GHmEspAfgEWOKpkhoJUXFMPsTZLNxCjbCPKpb
xhqiSdrr6FDyhJRSApqf+g1V8KBsdanBDV0JmcCUWG8ijFlW04Sw65sKlQ9tyHMR
p6pJDmWkgz9CXJiGiBwUVc//Aa3Nhms4J9VM18Wtyr1FicPN1IdXOEbtGYm2hCUL
lcQcdTsy8zYDoGW5puwPlZbbx/SS1yHimcgEZhGTYMcnpkXbxIET+FH8lsFxXrhC
rRHynG74M/V673i5eRbD6neyZS6Q2awV+z7kN8QiSYvS6svXi6r5VP5qOocL+Gdf
o3vh57jHnt65epoSOpFO2G2oqt10zTuFcP12zxqVXywshjPkIwyaCE7RSOdcd26C
KPy0EfF1Vtga+SVXsEhC7KHSUuzs7Dy+0eVsVsGLUEkZOcW4pSjiHeIiMTu8mumO
YL/wr9wFKwKeRIqf6pqYzBOPQHJo9GedRfHSTF9yo5kOGGo7X4YM3BqHkaLEyq/a
Toywu936I40ya/fC92/bmYzjWpzW5RJcSMCnV8stq3k9/4H6Uvp9np3GPIUejckW
87A7Jrt/gQ1vStqhWz1uYmG0QUg+sXGDhIqZ8ybYcDlgp3F37ASwBrdcMb1YXaXD
J/CBfRDgaS8Cen/myGekpT+teYOLoVSfo2xNfbpUDKSD1XfgnYs=
=V91t
-----END PGP SIGNATURE-----
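The CVE-2025-14422 entry above describes the general failure mode of image loaders: header-supplied dimensions are multiplied into an allocation size without checking for integer overflow, so a small allocation is followed by a write sized from the original (large) dimensions. The following is an added illustration, not GIMP's code and not the fix shipped in this upload: a minimal PNM header parser that computes the decoded-buffer size with explicit overflow and policy checks before any allocation would happen. The `PNM_MAX_BYTES` limit and the `pnm_validated_size_str` helper are assumptions chosen for this example; the sample headers in `main` are constructed, not taken from any real file.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed PNM header: "P<n>" magic, dimensions, maximum sample value. */
typedef struct {
    int type;          /* 1..6 from the magic */
    uint64_t width;
    uint64_t height;
    uint64_t maxval;   /* 1 for the bitmap formats P1/P4 */
    size_t header_len; /* bytes consumed up to the start of pixel data */
} pnm_header;

/* Hypothetical policy limit on the decoded image size (256 MiB). */
#define PNM_MAX_BYTES ((uint64_t)256 * 1024 * 1024)

/* Skip whitespace and '#' comments, which the PNM grammar allows between fields. */
static size_t skip_ws(const unsigned char *p, size_t len, size_t i) {
    for (;;) {
        while (i < len && isspace(p[i])) i++;
        if (i < len && p[i] == '#') {
            while (i < len && p[i] != '\n') i++;
            continue;
        }
        return i;
    }
}

/* Read one decimal field. The digit count is capped so the accumulator itself
 * can never wrap; overly long fields are rejected instead of silently truncated. */
static bool read_uint(const unsigned char *p, size_t len, size_t *i, uint64_t *out) {
    size_t start = skip_ws(p, len, *i);
    size_t j = start;
    uint64_t v = 0;
    while (j < len && isdigit(p[j])) {
        if (j - start >= 10) return false;  /* more than 10 digits: reject */
        v = v * 10 + (uint64_t)(p[j] - '0');
        j++;
    }
    if (j == start) return false;           /* no digits where one was required */
    *i = j;
    *out = v;
    return true;
}

/* Parse "P<n> width height [maxval]" followed by exactly one whitespace byte. */
bool pnm_parse_header(const unsigned char *p, size_t len, pnm_header *h) {
    if (len < 2 || p[0] != 'P' || p[1] < '1' || p[1] > '6') return false;
    h->type = p[1] - '0';
    size_t i = 2;
    if (!read_uint(p, len, &i, &h->width)) return false;
    if (!read_uint(p, len, &i, &h->height)) return false;
    h->maxval = 1;
    if (h->type != 1 && h->type != 4 && !read_uint(p, len, &i, &h->maxval)) return false;
    if (i >= len || !isspace(p[i])) return false;
    h->header_len = i + 1;
    return true;
}

/* Size of the decoded image (1 or 2 bytes per sample, 1 or 3 channels).
 * Every multiplication is checked; returns 0 on overflow, zero dimensions,
 * an invalid maxval, or a result above the policy limit. */
uint64_t pnm_buffer_size(const pnm_header *h) {
    uint64_t channels = (h->type == 3 || h->type == 6) ? 3 : 1;
    uint64_t bps = (h->maxval > 255) ? 2 : 1;
    if (h->width == 0 || h->height == 0 || h->maxval == 0 || h->maxval > 65535) return 0;
    if (h->width > UINT64_MAX / h->height) return 0;          /* w*h would wrap */
    uint64_t n = h->width * h->height;
    if (n > UINT64_MAX / (channels * bps)) return 0;           /* n*cpp would wrap */
    n *= channels * bps;
    if (n > PNM_MAX_BYTES) return 0;                           /* policy limit */
    return n;
}

/* Convenience wrapper over a NUL-terminated header: validated size, or 0 to reject. */
uint64_t pnm_validated_size_str(const char *s) {
    pnm_header h;
    if (!pnm_parse_header((const unsigned char *)s, strlen(s), &h)) return 0;
    return pnm_buffer_size(&h);
}

int main(void) {
    /* Constructed sample headers: a small valid one, one whose w*h wraps 64 bits,
     * and one that is arithmetically fine but exceeds the policy limit. */
    const char *samples[] = { "P6 4 3 255\n", "P6 4294967296 4294967296 255\n",
                              "P6 100000 100000 255\n" };
    for (size_t k = 0; k < 3; k++)
        printf("%-36s -> %llu bytes\n", samples[k],
               (unsigned long long)pnm_validated_size_str(samples[k]));
    return 0;
}
```

The point of the example is the ordering: reject before multiplying, check each product against the divisor form of the bound, and only then let the caller allocate; a loader that first allocates and then trusts the header dimensions for its write loop has exactly the shape the advisory entry describes.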