Version in base suite: 2.10.34-1+deb12u5 Version in overlay suite: 2.10.34-1+deb12u9 Base version: gimp_2.10.34-1+deb12u9 Target version: gimp_2.10.34-1+deb12u10 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gimp/gimp_2.10.34-1+deb12u9.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gimp/gimp_2.10.34-1+deb12u10.dsc changelog | 18 ++++-- patches/CVE-2026-4150.patch | 128 ++++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2026-4152.patch | 34 +++++++++++ patches/CVE-2026-4153.patch | 41 ++++++++++++++ patches/series | 4 + 5 files changed, 220 insertions(+), 5 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp81pbudoq/gimp_2.10.34-1+deb12u9.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp81pbudoq/gimp_2.10.34-1+deb12u10.dsc: no acceptable signature found
diff -Nru gimp-2.10.34/debian/changelog gimp-2.10.34/debian/changelog
--- gimp-2.10.34/debian/changelog 2026-02-28 13:16:35.000000000 +0000
+++ gimp-2.10.34/debian/changelog 2026-04-14 18:18:07.000000000 +0000
@@ -1,11 +1,19 @@ +gimp (2.10.34-1+deb12u10) bookworm-security; urgency=medium + + * CVE-2026-4150 + * CVE-2026-4152 + * CVE-2026-4153 + + -- Moritz Mühlenhoff Tue, 14 Apr 2026 20:18:07 +0200 + gimp (2.10.34-1+deb12u9) bookworm-security; urgency=medium - * CVE-2026-0797 (Closes: #1128601) - * CVE-2026-2044 - * CVE-2026-2045 (Closes: #1128604) - * CVE-2026-2048 (Closes: #1128606) + * CVE-2026-0797 (Closes: #1128601) + * CVE-2026-2044 + * CVE-2026-2045 (Closes: #1128604) + * CVE-2026-2048 (Closes: #1128606) - -- Moritz Mühlenhoff Sat, 28 Feb 2026 14:16:35 +0100 + -- Moritz Mühlenhoff Fri, 27 Feb 2026 00:04:25 +0100 gimp (2.10.34-1+deb12u8) bookworm-security; urgency=high diff -Nru gimp-2.10.34/debian/patches/CVE-2026-4150.patch gimp-2.10.34/debian/patches/CVE-2026-4150.patch --- gimp-2.10.34/debian/patches/CVE-2026-4150.patch 1970-01-01 00:00:00.000000000 +0000 +++ gimp-2.10.34/debian/patches/CVE-2026-4150.patch 2026-04-13 21:39:51.000000000 +0000 
@@ -0,0 +1,128 @@
+From 7e1241f75147bf6e705a31c81e4d5efab1df1668 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema
+Date: Fri, 6 Mar 2026 10:01:09 -0500
+Subject: [PATCH] plug-ins: fix #15967 integer overflow in psd-load
+
+--- gimp-2.10.34.orig/plug-ins/file-psd/psd-load.c
++++ gimp-2.10.34/plug-ins/file-psd/psd-load.c
+@@ -1980,14 +1980,14 @@ add_merged_image (gint32 image_id,
+ guint16 bps;
+ guint16 *rle_pack_len[MAX_CHANNELS];
+ guint32 alpha_id;
+- gint32 layer_size;
++ gsize layer_size;
+ gint32 layer_id = -1;
+ gint32 channel_id = -1;
+ gint16 alpha_opacity;
+ gint cidx; /* Channel index */
+ gint rowi; /* Row index */
+ gint offset;
+ gint i;
+ gboolean alpha_visible;
+ gboolean alpha_channel = FALSE;
+ GeglBuffer *buffer;
+@@ -2136,11 +2135,11 @@ add_merged_image (gint32 image_id,
+ image_type = get_gimp_image_type (img_a->base_type,
+ img_a->transparency || alpha_channel);
+
+- layer_size = img_a->columns * img_a->rows;
++ layer_size = (gsize) img_a->columns * img_a->rows;
+ pixels = g_malloc (layer_size * base_channels * bps);
+ for (cidx = 0; cidx < base_channels; ++cidx)
+ {
+- for (i = 0; i < layer_size; ++i)
++ for (gint64 i = 0; i < layer_size; ++i)
+ {
+ memcpy (&pixels[((i * base_channels) + cidx) * bps],
+ &chn_a[cidx].data[i * bps], bps);
+@@ -2197,7 +2196,7 @@ add_merged_image (gint32 image_id,
+ {
+ gfloat *data = iter->items[0].data;
+
+- for (i = 0; i < iter->length; i++)
++ for (gint i = 0; i < iter->length; i++)
+ {
+ gint c;
+
+@@ -2249,7 +2248,7 @@ add_merged_image (gint32 image_id,
+
+ /* Draw channels */
+ IFDBG(2) g_debug ("Number of channels: %d", extra_channels);
+- for (i = 0; i < extra_channels; ++i)
++ for (gint i = 0; i < extra_channels; ++i)
+ {
+ /* Alpha channel name */
+ alpha_name = NULL;
+@@ -2290,8 +2289,8 @@ add_merged_image (gint32 image_id,
+ }
+
+ cidx = base_channels + i;
+- pixels = g_realloc (pixels, chn_a[cidx].columns * chn_a[cidx].rows * bps);
+- memcpy (pixels, chn_a[cidx].data, chn_a[cidx].columns * 
chn_a[cidx].rows * bps);
++ pixels = g_realloc (pixels, (gsize) chn_a[cidx].columns * chn_a[cidx].rows * bps);
++ memcpy (pixels, chn_a[cidx].data, (gsize) chn_a[cidx].columns * chn_a[cidx].rows * bps);
+ channel_id = gimp_channel_new (image_id, alpha_name,
+ chn_a[cidx].columns, chn_a[cidx].rows,
+ alpha_opacity, &alpha_rgb);
+@@ -2486,7 +2484,7 @@ read_channel_data (PSDchannel *chann
+ break;
+
+ case PSD_COMP_RLE:
+- for (i = 0; i < channel->rows; ++i)
++ for (gint i = 0; i < channel->rows; ++i)
+ {
+ src = gegl_scratch_alloc (rle_pack_len[i]);
+ /* FIXME check for over-run
+@@ -2575,13 +2573,13 @@ read_channel_data (PSDchannel *chann
+ channel->data = raw_data;
+ raw_data = NULL;
+
+- for (i = 0; i < channel->rows * channel->columns; ++i)
++ for (gsize i = 0; i < (gsize) channel->rows * channel->columns; ++i)
+ data[i] = GUINT16_FROM_BE (data[i]);
+
+ if (compression == PSD_COMP_ZIP_PRED)
+ {
+- for (i = 0; i < channel->rows; ++i)
+- for (j = 1; j < channel->columns; ++j)
++ for (gsize i = 0; i < channel->rows; ++i)
++ for (gsize j = 1; j < channel->columns; ++j)
+ data[i * channel->columns + j] += data[i * channel->columns + j - 1];
+ }
+ break;
+@@ -2593,14 +2591,14 @@ read_channel_data (PSDchannel *chann
+
+ if (compression == PSD_COMP_ZIP_PRED)
+ {
+- for (i = 0; i < channel->rows; ++i)
+- for (j = 1; j < channel->columns; ++j)
++ for (gsize i = 0; i < channel->rows; ++i)
++ for (gsize j = 1; j < channel->columns; ++j)
+ channel->data[i * channel->columns + j] += channel->data[i * channel->columns + j - 1];
+ }
+ break;
+
+ case 1:
+- channel->data = (gchar *) g_malloc (channel->rows * channel->columns);
++ channel->data = (gchar *) g_malloc ((gsize) channel->rows * channel->columns);
+ convert_1_bit (raw_data, channel->data, channel->rows, channel->columns);
+ break;
+
+@@ -2624,14 +2622,14 @@ convert_1_bit (const gchar *src,
+
+ IFDBG(3) g_debug ("Start 1 bit conversion");
+
+- for (i = 0; i < rows * ((columns + 7) / 8); ++i)
++ for (gsize i = 0; i < 
(gsize) rows * ((columns + 7) / 8); ++i)
+ {
+ guchar mask = 0x80;
+- for (j = 0; j < 8 && row_pos < columns; ++j)
++ for (gint j = 0; j < 8 && row_pos < columns; ++j)
+ {
+ *dst = (*src & mask) ? 0 : 1;
+ IFDBG(3) g_debug ("byte %d, bit %d, offset %d, src %d, dst %d",
+- i , j, row_pos, *src, *dst);
+++ (gint) i , j, row_pos, *src, *dst);
+ dst++;
+ mask >>= 1;
+ row_pos++;
diff -Nru gimp-2.10.34/debian/patches/CVE-2026-4152.patch gimp-2.10.34/debian/patches/CVE-2026-4152.patch
--- gimp-2.10.34/debian/patches/CVE-2026-4152.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-2.10.34/debian/patches/CVE-2026-4152.patch 2026-04-13 21:09:22.000000000 +0000
@@ -0,0 +1,34 @@
+From f64c9c23ba3c37dc7b875a9fb477c23953b4666e Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Thu, 12 Mar 2026 13:48:45 +0000
+Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28863
+
+--- gimp-2.10.34.orig/plug-ins/common/file-jp2-load.c
++++ gimp-2.10.34/plug-ins/common/file-jp2-load.c
+@@ -1248,16 +1248,22 @@ load_image (const gchar *filename,
+ base_type = GIMP_GRAY;
+ image_type = GIMP_GRAY_IMAGE;
+
+- if (num_components == 2)
+- image_type = GIMP_GRAYA_IMAGE;
++ if (num_components >= 2)
++ {
++ image_type = GIMP_GRAYA_IMAGE;
++ num_components = 2;
++ }
+ }
+ else if (image->color_space == OPJ_CLRSPC_SRGB)
+ {
+ base_type = GIMP_RGB;
+ image_type = GIMP_RGB_IMAGE;
+
+- if (num_components == 4)
+- image_type = GIMP_RGBA_IMAGE;
++ if (num_components >= 4)
++ {
++ image_type = GIMP_RGBA_IMAGE;
++ num_components = 4;
++ }
+ }
+ else
+ {
diff -Nru gimp-2.10.34/debian/patches/CVE-2026-4153.patch gimp-2.10.34/debian/patches/CVE-2026-4153.patch
--- gimp-2.10.34/debian/patches/CVE-2026-4153.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-2.10.34/debian/patches/CVE-2026-4153.patch 2026-04-13 21:09:54.000000000 +0000
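Review bot: The `(gsize)` casts added in add_merged_image and read_channel_data only widen the products to the width of size_t, so on a 32-bit build `(gsize) img_a->columns * img_a->rows` and the following `layer_size * base_channels * bps` can still wrap before `g_malloc`, and the copy loops may then write past a short buffer. An overflow-checked form closes this on every architecture, for example `g_size_checked_mul (&layer_size, img_a->columns, img_a->rows)` followed by `pixels = g_malloc_n (layer_size, (gsize) base_channels * bps);`, with a failed check routed to the loader's existing error path, which lies outside these hunks. The same applies to the `g_realloc` and `g_malloc` sizes for the extra channels and the 1-bit case. Two smaller points: the first hunk keeps `gint i;` as context, so the new loop-scoped `i` declarations shadow it, and the replacement argument line in convert_1_bit appears to carry an extra leading `+`, which would compile as a unary plus on `(gint) i` and looks unintended.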
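Review bot: Both new branches in load_image cap `num_components` from above only, so a file whose colour space is sRGB but which reports fewer than three components would still be given `GIMP_RGB_IMAGE` with a count that does not match that layout. If that lower bound is not already enforced earlier in load_image (the function starts and ends outside this hunk), it should be rejected here as well, e.g. an `if (num_components < 3)` check that takes the function's existing failure path. The clamp also drops extra components without telling anyone; a short comment such as `/* Only the first 2 (gray + alpha) components are used; ignore the rest */` and its RGBA counterpart would explain why the value is overwritten.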
@@ -0,0 +1,41 @@
+From 98cb1371fd4e22cca75017ea3252dc32fc218712 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema
+Date: Sat, 7 Mar 2026 15:55:04 -0500
+Subject: [PATCH] plug-ins: fix #15970 buffer overflow in file-psp
+
+--- gimp-2.10.34.orig/plug-ins/common/file-psp.c
++++ gimp-2.10.34/plug-ins/common/file-psp.c
+@@ -1966,7 +1966,23 @@ read_layer_block (FILE *f,
+
+ if (can_handle_layer)
+ {
+- pixel = g_malloc0 (height * width * bytespp);
++ gint line_width = width * bytespp;
++
++ if (ia->depth < 8)
++ {
++ gint min_line_width = (((width * ia->depth + 7) / 8) + (ia->depth - 1)) / 4 * 4;
++
++ /* For small widths, when depth is 1, or 4, the number of bytes
++ * used can be larger than the width * bytespp. Adjust for that. */
++ if (min_line_width > line_width)
++ {
++ IFDBG(3) g_message ("Adjusting line width from %d to %d\n",
++ line_width, min_line_width);
++ line_width = min_line_width;
++ }
++ }
++
++ pixel = g_malloc0 (height * line_width);
+ if (null_layer)
+ {
+ pixels = NULL;
+@@ -1975,7 +1991,7 @@ read_layer_block (FILE *f,
+ {
+ pixels = g_new (guchar *, height);
+ for (i = 0; i < height; i++)
+- pixels[i] = pixel + width * bytespp * i;
++ pixels[i] = pixel + line_width * i;
+ }
+
+ buffer = gimp_drawable_get_buffer (layer_ID);
diff -Nru gimp-2.10.34/debian/patches/series gimp-2.10.34/debian/patches/series
--- gimp-2.10.34/debian/patches/series 2026-02-27 13:04:04.000000000 +0000
+++ gimp-2.10.34/debian/patches/series 2026-04-14 18:18:07.000000000 +0000
@@ -30,3 +30,7 @@ CVE-2026-2044.patch CVE-2026-2045.patch CVE-2026-2048.patch
+CVE-2026-4150.patch
+CVE-2026-4152.patch
+CVE-2026-4153.patch
+
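Review bot: The new sizing in read_layer_block is still computed in `gint`: `width * bytespp`, `width * ia->depth + 7` and `height * line_width` can each overflow for large layer dimensions, so the buffer passed to `g_malloc0` may again be smaller than the rows later addressed through `pixels[i]`. Unless width and height are bounded before this point (their declarations and any range checks are outside the hunk), hold the stride as `gsize` and let GLib check the product, e.g. `pixel = g_malloc0_n (height, line_width);`, which stops on overflow instead of returning a short buffer. The padding expression presumably mirrors the stride the row reader uses; a comment naming where the `/ 4 * 4` alignment comes from, or a helper shared with that reader, would keep the two from drifting apart.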