Version in base suite: 2.10.34-1+deb12u3 Base version: gimp_2.10.34-1+deb12u3 Target version: gimp_2.10.34-1+deb12u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gimp/gimp_2.10.34-1+deb12u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gimp/gimp_2.10.34-1+deb12u4.dsc changelog | 8 + patches/CVE-2025-10922.patch | 120 +++++++++++++++++++++++++++++ patches/CVE-2025-2760-32bit-followup.patch | 71 +++++++++++++++++ patches/CVE-2025-6035.patch | 113 +++++++++++++++++++++++++++ patches/series | 4 5 files changed, 316 insertions(+) gpgv: Signature made Wed Jun 4 21:23:46 2025 UTC gpgv: using RSA key B6E62F3D12AC38495C0DA90510C293B6C37C4E36 gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp4vqx4zrq/gimp_2.10.34-1+deb12u3.dsc: no acceptable signature found gpgv: Signature made Sat Oct 25 18:10:57 2025 UTC gpgv: using RSA key B6E62F3D12AC38495C0DA90510C293B6C37C4E36 gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp4vqx4zrq/gimp_2.10.34-1+deb12u4.dsc: no acceptable signature found
diff -Nru gimp-2.10.34/debian/changelog gimp-2.10.34/debian/changelog
--- gimp-2.10.34/debian/changelog 2025-06-04 21:10:49.000000000 +0000
+++ gimp-2.10.34/debian/changelog 2025-10-25 16:17:22.000000000 +0000
@@ -1,3 +1,11 @@
+gimp (2.10.34-1+deb12u4) bookworm-security; urgency=medium
+
+ * CVE-2025-10922 (Closes: #1116459)
+ * CVE-2025-6035
+ * CVE-2025-2760 32bit followup
+
+ -- Moritz Mühlenhoff Sat, 25 Oct 2025 18:17:22 +0200
+
 gimp (2.10.34-1+deb12u3) bookworm-security; urgency=medium
 
 * CVE-2025-2760
diff -Nru gimp-2.10.34/debian/patches/CVE-2025-10922.patch gimp-2.10.34/debian/patches/CVE-2025-10922.patch
--- gimp-2.10.34/debian/patches/CVE-2025-10922.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-2.10.34/debian/patches/CVE-2025-10922.patch 2025-10-25 16:05:15.000000000 +0000
@@ -0,0 +1,120 @@
+From 0f309f9a8d82f43fa01383bc5a5c41d28727d9e3 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema
+Date: Wed, 3 Sep 2025 13:31:45 -0400
+Subject: [PATCH] plug-ins: fix dicom plug-in ZDI-CAN-27863
+
+--- gimp-2.10.34.orig/plug-ins/common/file-dicom.c
++++ gimp-2.10.34/plug-ins/common/file-dicom.c
+@@ -330,6 +330,7 @@ load_image (const gchar *filename,
+ gint bits_stored = 0;
+ gint high_bit = 0;
+ guint8 *pix_buf = NULL;
++ guint64 pixbuf_size = 0;
+ gboolean is_signed = FALSE;
+ guint8 in_sequence = 0;
+ gboolean implicit_encoding = FALSE;
+@@ -383,6 +384,7 @@ load_image (const gchar *filename,
+ gchar value_rep[3];
+ guint32 element_length;
+ guint16 ctx_us;
++ size_t actual_read;
+ guint8 *value;
+ guint32 tag;
+
+@@ -489,15 +491,24 @@ load_image (const gchar *filename,
+
+ if (element_length >= (G_MAXUINT - 6))
+ {
+- g_message ("'%s' seems to have an incorrect value field length.",
+- gimp_filename_to_utf8 (filename));
+- gimp_quit ();
++ g_set_error (error, G_FILE_ERROR, 0,
++ _("'%s' has an an incorrect value for field size. Possibly corrupt image."),
++ gimp_filename_to_utf8 (filename));
++ g_free (dicominfo);
++ fclose (DICOM);
++ return -1;
+ }
+
+ /* Read contents. Allocate a bit more to make room for casts to int
+ below. */
+ value = g_new0 (guint8, element_length + 4);
+- fread (value, 1, element_length, DICOM);
++ actual_read = fread (value, 1, element_length, DICOM);
++ if (actual_read < element_length)
++ {
++ g_warning ("Missing data: needed %u bytes, got %u. Possibly corrupt image.",
++ element_length, (guint32) actual_read);
++ element_length = actual_read;
++ }
+
+ /* ignore everything inside of a sequence */
+ if (in_sequence)
+@@ -644,6 +655,7 @@ load_image (const gchar *filename,
+ if (group_word == 0x7fe0 && element_word == 0x0010)
+ {
+ pix_buf = value;
++ pixbuf_size = element_length;
+ }
+ else
+ {
+@@ -674,25 +686,50 @@ load_image (const gchar *filename,
+ }
+ }
+
++ g_debug ("Bpp: %d, wxh: %u x %u, spp: %d\n", bpp, width, height, samples_per_pixel);
++
+ if ((bpp != 8) && (bpp != 16))
+ {
+- g_message ("'%s' has a bpp of %d which GIMP cannot handle.",
+- gimp_filename_to_utf8 (filename), bpp);
+- gimp_quit ();
++ g_set_error (error, G_FILE_ERROR, 0,
++ _("'%s' has a bpp of %d which GIMP cannot handle."),
++ gimp_filename_to_utf8 (filename), bpp);
++ g_free (pix_buf);
++ g_free (dicominfo);
++ fclose (DICOM);
++ return -1;
+ }
+
+ if ((width > GIMP_MAX_IMAGE_SIZE) || (height > GIMP_MAX_IMAGE_SIZE))
+ {
+- g_message ("'%s' has a larger image size (%d x %d) than GIMP can handle.",
+- gimp_filename_to_utf8 (filename), width, height);
+- gimp_quit ();
++ g_set_error (error, G_FILE_ERROR, 0,
++ _("'%s' has a larger image size (%d x %d) than GIMP can handle."),
++ gimp_filename_to_utf8 (filename), width, height);
++ g_free (pix_buf);
++ g_free (dicominfo);
++ fclose (DICOM);
++ return -1;
+ }
+
+ if (samples_per_pixel > 3)
+ {
+- g_message ("'%s' has samples per pixel of %d which GIMP cannot handle.",
+- gimp_filename_to_utf8 (filename), samples_per_pixel);
+- gimp_quit ();
++ g_set_error (error, G_FILE_ERROR, 0,
++ _("'%s' has samples per pixel of %d which GIMP cannot handle."),
++ gimp_filename_to_utf8 (filename), samples_per_pixel);
++ g_free (pix_buf);
++ g_free (dicominfo);
++ fclose (DICOM);
++ return -1;
++ }
++
++ if ((guint64) width * height * (bpp >> 3) * samples_per_pixel > pixbuf_size)
++ {
++ g_set_error (error, G_FILE_ERROR, 0,
++ _("'%s' has not enough pixel data. Possibly corrupt image."),
++ gimp_filename_to_utf8 (filename));
++ g_free (pix_buf);
++ g_free (dicominfo);
++ fclose (DICOM);
++ return -1;
+ }
+
+ dicominfo->width = width;
diff -Nru gimp-2.10.34/debian/patches/CVE-2025-2760-32bit-followup.patch gimp-2.10.34/debian/patches/CVE-2025-2760-32bit-followup.patch
--- gimp-2.10.34/debian/patches/CVE-2025-2760-32bit-followup.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-2.10.34/debian/patches/CVE-2025-2760-32bit-followup.patch 2025-10-25 16:17:11.000000000 +0000
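Review bot: The new size check at the end of the last load_image hunk, `(guint64) width * height * (bpp >> 3) * samples_per_pixel > pixbuf_size`, is only meaningful when every factor is at least 1, but the validations visible above it bound the values from above only (`width > GIMP_MAX_IMAGE_SIZE`, `samples_per_pixel > 3`). If a file can leave samples_per_pixel, width or height at zero, the required size evaluates to 0 and the check passes whatever pixbuf_size is; how the decoder outside this hunk behaves in that case cannot be seen here, so a lower bound is worth adding, e.g. `if (samples_per_pixel < 1 || samples_per_pixel > 3)` plus a matching `width < 1 || height < 1` test. The declarations of width and height are outside the hunk; if they are signed, the `(guint64)` cast of a negative value depends on that same lower bound. Separately, the `element_length >= (G_MAXUINT - 6)` error path frees dicominfo but not pix_buf, which may already be set if the pixel-data element was parsed earlier in the loop; adding `g_free (pix_buf);` there would match the later error paths.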
@@ -0,0 +1,71 @@
+From c17b324910204a47828d6fbb542bdcefbd66bcc1 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema
+Date: Thu, 12 Jun 2025 13:23:59 -0400
+Subject: [PATCH] plug-ins/dds: fix #12790 for 32-bit
+
+with 2.10 backport bits by Sylvain Beucler
+
+--- gimp-2.10.34.orig/plug-ins/file-dds/ddsread.c
++++ gimp-2.10.34/plug-ins/file-dds/ddsread.c
+@@ -169,26 +169,33 @@ read_dds (gchar *filename,
+ /* a lot of DDS images out there don't have this for some reason -_- */
+ if (hdr.pitch_or_linsize == 0)
+ {
++ gboolean valid = TRUE;
+ if (hdr.pixelfmt.flags & DDPF_FOURCC) /* assume linear size */
+ {
+- hdr.pitch_or_linsize = ((hdr.width + 3) >> 2) * ((hdr.height + 3) >> 2);
++ valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, (hdr.width + 3) >> 2, (hdr.height + 3) >> 2);
+ switch (GETL32(hdr.pixelfmt.fourcc))
+ {
+ case FOURCC ('D','X','T','1'):
+ case FOURCC ('A','T','I','1'):
+ case FOURCC ('B','C','4','U'):
+ case FOURCC ('B','C','4','S'):
+- hdr.pitch_or_linsize *= 8;
++ valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.pitch_or_linsize, 8);
+ break;
+ default:
+- hdr.pitch_or_linsize *= 16;
++ valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.pitch_or_linsize, 16);
+ break;
+ }
+ }
+ else /* assume pitch */
+ {
+- hdr.pitch_or_linsize = hdr.height * hdr.width * (hdr.pixelfmt.bpp >> 3);
++ valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.height, hdr.width);
++ valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.pitch_or_linsize, hdr.pixelfmt.bpp >> 3);
+ }
++ if (!valid) {
++ fclose (fp);
++ g_message ("Image size is too big to handle.\n");
++ return GIMP_PDB_EXECUTION_ERROR;
++ }
+ }
+
+ if (hdr.pixelfmt.flags & DDPF_FOURCC)
+@@ -1217,14 +1224,19 @@ load_layer (FILE *fp,
+ {
+ unsigned char *dst;
+
+- dst = g_malloc (width * height * d->gimp_bpp);
+- memset (dst, 0, width * height * d->gimp_bpp);
++ dst = g_malloc ((gsize) width * height * d->gimp_bpp);
++ memset (dst, 0, (gsize) width * height * d->gimp_bpp);
+
+ if (d->gimp_bpp == 4)
+ {
+- for (y = 0; y < height; ++y)
++ guchar *dst_line;
++
++ dst_line = dst;
++ for (y = 0; y < height; ++y) {
+ for (x = 0; x < width; ++x)
+- dst[y * (width * 4) + (x * 4) + 3] = 255;
++ dst_line[(x * 4) + 3] = 255;
++ dst_line += width * 4;
++ }
+ }
+
+ dxt_decompress (dst, buf, format, size, width, height, d->gimp_bpp,
diff -Nru gimp-2.10.34/debian/patches/CVE-2025-6035.patch gimp-2.10.34/debian/patches/CVE-2025-6035.patch
--- gimp-2.10.34/debian/patches/CVE-2025-6035.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-2.10.34/debian/patches/CVE-2025-6035.patch 2025-10-25 16:07:37.000000000 +0000
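Review bot: In the load_layer hunk, `g_malloc ((gsize) width * height * d->gimp_bpp)` and the matching memset still multiply without an overflow check, and the `(gsize)` cast only widens the arithmetic where gsize is larger than the operands. On a 32-bit build, which this follow-up targets, gsize is 32 bits, so the product can wrap as before and dst would be smaller than what the alpha-fill loop and dxt_decompress expect. Unless a check outside the hunk already bounds width * height * d->gimp_bpp, compute the size once with g_size_checked_mul, as the despeckle patch in this upload does, and fail the load on overflow; g_malloc0 can then replace the malloc/memset pair. load_layer's body starts and ends outside the hunk, so the failure return and any cleanup in the sketch below need to be matched to its existing error paths.

```c
          unsigned char *dst;
          gsize          dst_size;

          /* Refuse sizes that do not fit in gsize rather than allocating a wrapped size. */
          if (! g_size_checked_mul (&dst_size, width, height) ||
              ! g_size_checked_mul (&dst_size, dst_size, d->gimp_bpp))
            {
              g_message ("Image size is too big to handle.\n");
              /* release whatever load_layer has allocated by this point */
              return 0; /* assumed failure value; confirm against load_layer's other error paths */
            }

          dst = g_malloc0 (dst_size);
          /* … unchanged: alpha fill loop and dxt_decompress call … */
```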
@@ -0,0 +1,113 @@
+From 548bc3a46d54711d974aae9ce1bce291376c0436 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema
+Date: Thu, 1 May 2025 12:42:17 -0400
+Subject: [PATCH] plug-ins: CWE-190: Integer Overflow or Wraparound in
+ Despeckle
+
+plus 2.10 backport by Sylvain Beucler
+
+--- gimp-2.10.34.orig/plug-ins/common/despeckle.c
++++ gimp-2.10.34/plug-ins/common/despeckle.c
+@@ -89,7 +89,7 @@ static void run (const gchar
+ gint *nreturn_vals,
+ GimpParam **return_vals);
+
+-static void despeckle (void);
++static gboolean despeckle (void);
+ static void despeckle_median (guchar *src,
+ guchar *dst,
+ gint width,
+@@ -250,7 +250,8 @@ run (const gchar *name,
+ if (gimp_drawable_is_rgb (drawable_ID) ||
+ gimp_drawable_is_gray (drawable_ID))
+ {
+- despeckle ();
++ if (! despeckle ())
++ return;
+
+ if (run_mode != GIMP_RUN_NONINTERACTIVE)
+ gimp_displays_flush ();
+@@ -317,7 +318,7 @@ pixel_copy (guchar *dest,
+ * accordingly.
+ */
+
+-static void
++static gboolean
+ despeckle (void)
+ {
+ GeglBuffer *src_buffer;
+@@ -328,10 +329,11 @@ despeckle (void)
+ gint img_bpp;
+ gint x, y;
+ gint width, height;
++ gsize bufsize = 0;
+
+ if (! gimp_drawable_mask_intersect (drawable_ID,
+ &x, &y, &width, &height))
+- return;
++ return TRUE;
+
+ if (gimp_drawable_is_rgb (drawable_ID))
+ {
+@@ -353,8 +355,21 @@ despeckle (void)
+ src_buffer = gimp_drawable_get_buffer (drawable_ID);
+ dest_buffer = gimp_drawable_get_shadow_buffer (drawable_ID);
+
+- src = g_new (guchar, width * height * img_bpp);
+- dst = g_new (guchar, width * height * img_bpp);
++ if (! g_size_checked_mul (&bufsize, width, height) ||
++ ! g_size_checked_mul (&bufsize, bufsize, img_bpp))
++ {
++ return FALSE;
++ }
++
++ src = g_try_malloc (bufsize);
++ dst = g_try_malloc (bufsize);
++
++ if (src == NULL || dst == NULL)
++ {
++ g_free (src);
++
++ return FALSE;
++ }
+
+ gegl_buffer_get (src_buffer, GEGL_RECTANGLE (x, y, width, height), 1.0,
+ format, src,
+@@ -374,6 +389,8 @@ despeckle (void)
+
+ g_free (dst);
+ g_free (src);
++
++ return TRUE;
+ }
+
+ static gboolean
+@@ -515,6 +532,7 @@ static void
+ preview_update (GtkWidget *widget)
+ {
+ GimpPreview *preview = GIMP_PREVIEW (widget);
++ gsize bufsize = 0;
+ GeglBuffer *src_buffer;
+ const Babl *format;
+ guchar *dst;
+@@ -549,8 +567,18 @@ preview_update (GtkWidget *widget)
+
+ src_buffer = gimp_drawable_get_buffer (drawable_ID);
+
+- dst = g_new (guchar, width * height * img_bpp);
+- src = g_new (guchar, width * height * img_bpp);
++ if (! g_size_checked_mul (&bufsize, width, height) ||
++ ! g_size_checked_mul (&bufsize, bufsize, img_bpp))
++ return;
++
++ src = g_try_malloc (bufsize);
++ dst = g_try_malloc (bufsize);
++
++ if (src == NULL || dst == NULL)
++ {
++ g_free (src);
++ return;
++ }
+
+ gegl_buffer_get (src_buffer, GEGL_RECTANGLE (x1, y1, width, height), 1.0,
+ format, src,
diff -Nru gimp-2.10.34/debian/patches/series gimp-2.10.34/debian/patches/series
--- gimp-2.10.34/debian/patches/series 2025-06-04 21:10:49.000000000 +0000
+++ gimp-2.10.34/debian/patches/series 2025-10-25 16:16:15.000000000 +0000
@@ -14,3 +14,7 @@
 CVE-2025-48798-1.patch
 CVE-2025-48798-2.patch
 ZDI-CAN-26752.patch
+CVE-2025-10922.patch
+CVE-2025-6035.patch
+
+CVE-2025-2760-32bit-followup.patch
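Review bot: The allocation-failure branch added to despeckle(), and repeated in preview_update(), releases only src: with `if (src == NULL || dst == NULL) { g_free (src); ...`, dst leaks when the first g_try_malloc fails and the second succeeds, so add `g_free (dst);` beside it (g_free accepts NULL). Both new early returns also sit after gimp_drawable_get_buffer() / gimp_drawable_get_shadow_buffer(), and no release of those GeglBuffers is visible on the failure paths in these hunks. In run(), `if (! despeckle ()) return;` leaves without any message or error status visible in the hunk, so an oversized selection would fail silently; if run() reports its result through a status value set outside the hunk, assigning `GIMP_PDB_EXECUTION_ERROR` there instead of returning bare would let callers see the failure.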