Version in base suite: 2.10.34-1+deb12u3 Version in overlay suite: 2.10.34-1+deb12u4 Base version: gimp_2.10.34-1+deb12u4 Target version: gimp_2.10.34-1+deb12u5 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gimp/gimp_2.10.34-1+deb12u4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gimp/gimp_2.10.34-1+deb12u5.dsc changelog | 6 ++++++ patches/CVE-2025-10934.patch | 24 ++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 31 insertions(+) gpgv: Signature made Sat Oct 25 18:10:57 2025 UTC gpgv: using RSA key B6E62F3D12AC38495C0DA90510C293B6C37C4E36 gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpz3tuvurz/gimp_2.10.34-1+deb12u4.dsc: no acceptable signature found gpgv: Signature made Thu Oct 30 23:45:42 2025 UTC gpgv: using RSA key B6E62F3D12AC38495C0DA90510C293B6C37C4E36 gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpz3tuvurz/gimp_2.10.34-1+deb12u5.dsc: no acceptable signature found diff -Nru gimp-2.10.34/debian/changelog gimp-2.10.34/debian/changelog --- gimp-2.10.34/debian/changelog 2025-10-25 16:17:22.000000000 +0000 +++ gimp-2.10.34/debian/changelog 2025-10-30 23:20:11.000000000 +0000 @@ -1,3 +1,9 @@ +gimp (2.10.34-1+deb12u5) bookworm-security; urgency=medium + + * CVE-2025-10934 (Closes: #1119661) + + -- Moritz Mühlenhoff Fri, 31 Oct 2025 00:20:11 +0100 + gimp (2.10.34-1+deb12u4) bookworm-security; urgency=medium * CVE-2025-10922 (Closes: #1116459) diff -Nru gimp-2.10.34/debian/patches/CVE-2025-10934.patch gimp-2.10.34/debian/patches/CVE-2025-10934.patch --- gimp-2.10.34/debian/patches/CVE-2025-10934.patch 1970-01-01 00:00:00.000000000 +0000 +++ gimp-2.10.34/debian/patches/CVE-2025-10934.patch 2025-10-30 23:20:08.000000000 +0000 
@@ -0,0 +1,24 @@ + +--- gimp-2.10.34.orig/plug-ins/common/file-xwd.c ++++ gimp-2.10.34/plug-ins/common/file-xwd.c +@@ -1606,9 +1606,18 @@ load_xwd_f2_d16_b16 (const gchar *fi + greenval = (green * 255) / maxgreen; + for (blue = 0; blue <= maxblue; blue++) + { ++ guint32 offset = ((red << redshift) + (green << greenshift) + ++ (blue << blueshift)) * 3; ++ ++ if (offset+2 >= maxval) ++ { ++ g_free (data); ++ g_free (ColorMap); ++ g_object_unref (buffer); ++ return NULL; ++ } + blueval = (blue * 255) / maxblue; +- cm = ColorMap + ((red << redshift) + (green << greenshift) +- + (blue << blueshift)) * 3; ++ cm = ColorMap + offset; + *(cm++) = redval; + *(cm++) = greenval; + *cm = blueval; diff -Nru gimp-2.10.34/debian/patches/series gimp-2.10.34/debian/patches/series --- gimp-2.10.34/debian/patches/series 2025-10-25 16:16:15.000000000 +0000 +++ gimp-2.10.34/debian/patches/series 2025-10-30 23:20:03.000000000 +0000 @@ -18,3 +18,4 @@ CVE-2025-6035.patch CVE-2025-2760-32bit-followup.patch +CVE-2025-10934.patch
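Review bot: In the load_xwd_f2_d16_b16 hunk of CVE-2025-10934.patch, the new guard `if (offset+2 >= maxval)` does its addition on a guint32, so an offset of 0xFFFFFFFE or 0xFFFFFFFF makes `offset+2` wrap to 0 or 1 and the check passes while `cm = ColorMap + offset` still uses the huge value. The visible context does not show how redshift, greenshift and blueshift are bounded, so unless they are validated earlier in the function, compare without the addition (for example, reject when maxval is less than 3 or offset is greater than maxval - 3) or compute offset in a 64-bit type. The declaration of maxval is also outside the hunk, so confirm that it is the byte length of the ColorMap allocation, which is what this comparison assumes. Lastly, the early return frees data and ColorMap and unrefs buffer but reports nothing. A short g_message before `return NULL;` would make a rejected file diagnosable.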
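Review bot: The new debian/patches/CVE-2025-10934.patch begins with a blank line and goes straight to the `--- gimp-2.10.34.orig/plug-ins/common/file-xwd.c` header, so the patch file carries no description, origin or bug reference of its own. Add a DEP-3 header (Description, Origin pointing at the upstream commit, Bug-Debian for #1119661) so that later reviewers can trace the fix to upstream and tell whether it was taken verbatim or adapted for 2.10.34.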