Version in base suite: 2.10.34-1+deb12u3 Version in overlay suite: 2.10.34-1+deb12u5 Base version: gimp_2.10.34-1+deb12u5 Target version: gimp_2.10.34-1+deb12u6 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gimp/gimp_2.10.34-1+deb12u5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gimp/gimp_2.10.34-1+deb12u6.dsc changelog | 6 ++++ patches/CVE-2025-14422.patch | 48 ++++++++++++++++++++++++++++++++++++ patches/CVE-2025-14425.patch | 57 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 2 + 4 files changed, 113 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpu8dteifc/gimp_2.10.34-1+deb12u5.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpu8dteifc/gimp_2.10.34-1+deb12u6.dsc: no acceptable signature found
diff -Nru gimp-2.10.34/debian/changelog gimp-2.10.34/debian/changelog
--- gimp-2.10.34/debian/changelog 2025-10-30 23:20:11.000000000 +0000
+++ gimp-2.10.34/debian/changelog 2025-12-30 14:18:38.000000000 +0000
@@ -1,3 +1,9 @@
+gimp (2.10.34-1+deb12u6) bookworm-security; urgency=medium
+
+ * CVE-2025-14422 / CVE-2025-14425
+
+ -- Moritz Mühlenhoff Tue, 30 Dec 2025 15:18:38 +0100
+
 gimp (2.10.34-1+deb12u5) bookworm-security; urgency=medium
 * CVE-2025-10934 (Closes: #1119661)
diff -Nru gimp-2.10.34/debian/patches/CVE-2025-14422.patch gimp-2.10.34/debian/patches/CVE-2025-14422.patch
--- gimp-2.10.34/debian/patches/CVE-2025-14422.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-2.10.34/debian/patches/CVE-2025-14422.patch 2025-12-30 14:18:38.000000000 +0000
@@ -0,0 +1,48 @@
+From 4ff2d773d58064e6130495de498e440f4a6d5edb Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Sun, 23 Nov 2025 16:43:51 +0000
+Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273
+
+--- gimp-2.10.34.orig/plug-ins/common/file-pnm.c
++++ gimp-2.10.34/plug-ins/common/file-pnm.c
+@@ -554,7 +554,7 @@ load_image (GFile *file,
+ GError **error)
+ {
+ GInputStream *input;
+- GeglBuffer *buffer;
++ GeglBuffer *buffer = NULL;
+ gint32 volatile image_ID = -1;
+ gint32 layer_ID;
+ char buf[BUFLEN + 4]; /* buffer for random things like scanning */
+@@ -584,6 +584,9 @@ load_image (GFile *file,
+ g_object_unref (input);
+ g_free (pnminfo);
+
++ if (buffer)
++ g_object_unref (buffer);
++
+ if (image_ID != -1)
+ gimp_image_delete (image_ID);
+
+@@ -819,6 +822,7 @@ pnm_load_raw (PNMScanner *scan,
+ GInputStream *input;
+ gint bpc;
+ guchar *data, *d;
++ gsize data_size;
+ gushort *s;
+ gint x, y, i;
+ gint start, end, scanlines;
+@@ -829,7 +833,12 @@ pnm_load_raw (PNMScanner *scan,
+ bpc = 1;
+
+ /* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */
+- data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc);
++ if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) ||
++ ! g_size_checked_mul (&data_size, data_size, info->np) ||
++ ! g_size_checked_mul (&data_size, data_size, bpc))
++ CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value."));
++
++ data = g_new (guchar, data_size);
+
+ input = pnmscanner_input (scan);
+
diff -Nru gimp-2.10.34/debian/patches/CVE-2025-14425.patch gimp-2.10.34/debian/patches/CVE-2025-14425.patch
--- gimp-2.10.34/debian/patches/CVE-2025-14425.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-2.10.34/debian/patches/CVE-2025-14425.patch 2025-12-30 14:18:38.000000000 +0000
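Review bot: In the last inner hunk (pnm_load_raw), the overflow branch calls `CHECK_FOR_ERROR (FALSE, info->jmpbuf, ...)`, and the macro's definition is not part of this patch; if it raises the error only when its first argument is true, as a predicate-style macro normally would, the `longjmp` never happens and the wrapped `data_size` still reaches `g_new (guchar, data_size)`. Please confirm against the macro and, if that is the case, pass a true predicate, e.g. `CHECK_FOR_ERROR (TRUE, info->jmpbuf, _("Unsupported maximum value."));`. The retained comment `/* No overflow as long as gimp_tile_height() < 1365 ... */` no longer describes the code and could become `/* Row buffer size is computed with overflow-checked multiplication */`. In load_image, `buffer` is read in the error cleanup but is not `volatile` like `image_ID`; if that cleanup runs after a `longjmp`, its value is indeterminate once it has been assigned, so `GeglBuffer * volatile buffer = NULL;` would be safer. Both functions extend beyond the hunks shown.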
@@ -0,0 +1,57 @@
+From cd1c88a0364ad1444c06536731972a99bd8643fd Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Wed, 12 Nov 2025 13:25:44 +0000
+Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28248 for JP2 images
+
+--- gimp-2.10.34.orig/plug-ins/common/file-jp2-load.c
++++ gimp-2.10.34/plug-ins/common/file-jp2-load.c
+@@ -1052,12 +1052,13 @@ load_image (const gchar *filename,
+ gint32 layer_ID;
+ GimpImageType image_type;
+ GimpImageBaseType base_type;
++ GeglBuffer *buffer = NULL;
++ guchar *pixels = NULL;
++ gsize pixels_size;
+ gint width;
+ gint height;
+ gint num_components;
+- GeglBuffer *buffer;
+ gint i, j, k, it;
+- guchar *pixels;
+ const Babl *file_format;
+ gint bpp;
+ GimpPrecision image_precision;
+@@ -1298,7 +1299,14 @@ load_image (const gchar *filename,
+ bpp = babl_format_get_bytes_per_pixel (file_format);
+
+ buffer = gimp_drawable_get_buffer (layer_ID);
+- pixels = g_new0 (guchar, width * bpp);
++ if (! g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8))))
++ {
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("Defined row size is too large in JP2 image '%s'."),
++ gimp_file_get_utf8_name (filename));
++ goto out;
++ }
++ pixels = g_new0 (guchar, pixels_size);
+
+ for (i = 0; i < height; i++)
+ {
+@@ -1324,13 +1332,13 @@ load_image (const gchar *filename,
+ gegl_buffer_set (buffer, GEGL_RECTANGLE (0, i, width, 1), 0,
+ file_format, pixels, GEGL_AUTO_ROWSTRIDE);
+ }
+-
+- g_free (pixels);
+-
+- g_object_unref (buffer);
+ gimp_progress_update (1.0);
+
+ out:
++ if (pixels)
++ g_free (pixels);
++ if (buffer)
++ g_object_unref (buffer);
+ if (profile)
+ g_object_unref (profile);
+ if (image)
diff -Nru gimp-2.10.34/debian/patches/series gimp-2.10.34/debian/patches/series
--- gimp-2.10.34/debian/patches/series 2025-10-30 23:20:03.000000000 +0000
+++ gimp-2.10.34/debian/patches/series 2025-12-30 14:18:38.000000000 +0000
@@ -19,3 +19,5 @@
 CVE-2025-2760-32bit-followup.patch
 CVE-2025-10934.patch
+CVE-2025-14422.patch
+CVE-2025-14425.patch
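Review bot: The new overflow branch in the second inner hunk of the JP2 patch does `goto out` after `gimp_drawable_get_buffer (layer_ID)`, so a GIMP image and layer already exist when the error is set, while the visible `out:` cleanup releases only `pixels`, `buffer`, `profile` and `image`. The rest of load_image is outside the hunk, so please confirm that this path also deletes the half-built image and returns a failure value; otherwise the caller could receive a valid image ID together with a set `GError`. Separately, `(bpp * (precision_scaled / 8))` is multiplied in plain `gint` arithmetic before `g_size_checked_mul` checks anything, and a negative `width` would be converted to a very large `gsize` rather than rejected. Chaining two checked multiplications, as the PNM patch does, and rejecting `width <= 0` first would keep every factor under the check. A short comment such as `/* Row buffer is sized for the scaled precision; overflow-checked */` above the check would also record why the size differs from the old `width * bpp`.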