Version in base suite: 2.10.34-1+deb12u5 Version in overlay suite: 2.10.34-1+deb12u7 Base version: gimp_2.10.34-1+deb12u7 Target version: gimp_2.10.34-1+deb12u8 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gimp/gimp_2.10.34-1+deb12u7.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gimp/gimp_2.10.34-1+deb12u8.dsc changelog | 14 ++ patches/plug-ins-Add-overflow-checks-for-ICO-loading.patch | 54 ++++++++++ patches/plug-ins-Fix-15732-PSP-File-Parsing-Integer-Overflow.patch | 49 +++++++++ patches/plug-ins-fix-15812-PSD-loader-heap-buffer-overflow.patch | 37 ++++++ patches/plug-ins-fix-crash-due-to-uninitialized-ptr_array.patch | 43 +++++++ patches/series | 4 6 files changed, 201 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpid_bkmx7/gimp_2.10.34-1+deb12u7.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpid_bkmx7/gimp_2.10.34-1+deb12u8.dsc: no acceptable signature found
diff -Nru gimp-2.10.34/debian/changelog gimp-2.10.34/debian/changelog
--- gimp-2.10.34/debian/changelog 2026-01-24 17:26:34.000000000 +0000
+++ gimp-2.10.34/debian/changelog 2026-02-16 16:20:06.000000000 +0000
@@ -1,3 +1,17 @@
+gimp (2.10.34-1+deb12u8) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * plug-ins: fix PSD loader: heap-buffer-overflow in fread_pascal_string
+ (CVE-2026-2239) (Closes: #1127838)
+ * Fix PSP File Parsing Integer Overflow Leading to Heap Corruption
+ (CVE-2026-2271) (Closes: #1127841)
+ * plug-ins: Add overflow checks for ICO loading (CVE-2026-2272)
+ (Closes: #1127842)
+ * plug-ins: fix crash due to uninitialized ptr_array when loading a specially
+ crafted PSD
+
+ -- Salvatore Bonaccorso Mon, 16 Feb 2026 17:20:06 +0100
+
 gimp (2.10.34-1+deb12u7) bookworm-security; urgency=medium
 
 * CVE-2025-15059 (Closes: #1126267)
diff -Nru gimp-2.10.34/debian/patches/plug-ins-Add-overflow-checks-for-ICO-loading.patch gimp-2.10.34/debian/patches/plug-ins-Add-overflow-checks-for-ICO-loading.patch
--- gimp-2.10.34/debian/patches/plug-ins-Add-overflow-checks-for-ICO-loading.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-2.10.34/debian/patches/plug-ins-Add-overflow-checks-for-ICO-loading.patch 2026-02-16 09:59:25.000000000 +0000
@@ -0,0 +1,54 @@
+From: Alx Sa
+Date: Mon, 12 Jan 2026 12:17:00 +0000
+Subject: plug-ins: Add overflow checks for ICO loading
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/058ada8f3ffc0a42b7dd1561a8817c8cc83b7d2a
+Bug: https://gitlab.gnome.org/GNOME/gimp/-/issues/15617
+Bug-Debian: https://bugs.debian.org/1127842
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-2272
+
+As pointed out by Dhiraj, it is possible to set width and
+height values in the ICO header that will overflow a 32 bit
+integer when loaded in. This patch adds checks using
+g_size_check_mul () and g_try_new () to catch these
+overflows and prevent them from crashing the plug-in.
+---
+ plug-ins/file-ico/ico-load.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/plug-ins/file-ico/ico-load.c
++++ b/plug-ins/file-ico/ico-load.c
+@@ -422,6 +422,7 @@ ico_read_icon (FILE *fp,
+ gint *height)
+ {
+ IcoFileDataHeader data;
++ gsize data_size;
+ gint length;
+ gint x, y, w, h;
+ guchar *xor_map, *and_map;
+@@ -467,7 +468,9 @@ ico_read_icon (FILE *fp,
+ return FALSE;
+ }
+
+- if (data.width * data.height * 2 > maxsize)
++ if (! g_size_checked_mul (&data_size, data.width, data.height) ||
++ ! g_size_checked_mul (&data_size, data_size, 2) ||
++ data_size > maxsize)
+ {
+ D(("skipping image: too large\n"));
+ return FALSE;
+@@ -714,7 +717,14 @@ ico_load_image (const gchar *filename,
+ gimp_image_set_filename (image, filename);
+
+ maxsize = max_width * max_height * 4;
+- buf = g_new (guchar, max_width * max_height * 4);
++ buf = g_try_new (guchar, maxsize);
++ if (! buf)
++ {
++ g_free (info);
++ fclose (fp);
++ return NULL;
++ }
++
+ for (i = 0; i < icon_count; i++)
+ {
+ ico_load_layer (fp, image, i, buf, maxsize, info+i);
diff -Nru gimp-2.10.34/debian/patches/plug-ins-Fix-15732-PSP-File-Parsing-Integer-Overflow.patch gimp-2.10.34/debian/patches/plug-ins-Fix-15732-PSP-File-Parsing-Integer-Overflow.patch
--- gimp-2.10.34/debian/patches/plug-ins-Fix-15732-PSP-File-Parsing-Integer-Overflow.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-2.10.34/debian/patches/plug-ins-Fix-15732-PSP-File-Parsing-Integer-Overflow.patch 2026-02-16 09:56:43.000000000 +0000
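Review bot: In the ico_load_image hunk the allocation size is still computed with a plain `maxsize = max_width * max_height * 4;` right before the new `g_try_new (guchar, maxsize)`, so the g_size_checked_mul guard that the patch adds in ico_read_icon does not cover this product. If max_width and max_height are derived from the file's directory entries (their types and origin are outside the hunk), the same checked form should be used, e.g. `if (! g_size_checked_mul (&maxsize, max_width, max_height) || ! g_size_checked_mul (&maxsize, maxsize, 4))` followed by the same cleanup as the new `! buf` branch. That branch frees info and closes fp but returns NULL with the already-created image still alive (gimp_image_set_filename is called on it two lines above); unless the caller deletes it, `gimp_image_delete (image);` belongs in the branch. ico_load_image starts and ends outside the hunk, so the declarations of maxsize, max_width and max_height cannot be checked from here.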
@@ -0,0 +1,49 @@
+From: Jacob Boerema
+Date: Fri, 23 Jan 2026 11:35:50 -0500
+Subject: plug-ins: Fix #15732 PSP File Parsing Integer Overflow...
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/0e63f096fa5f7dc3fae0a8e865fd5a05ebe45da8
+Bug: https://gitlab.gnome.org/GNOME/gimp/-/issues/15732
+Bug-Debian: https://bugs.debian.org/1127841
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-2271
+
+Leading to Heap Corruption
+
+An integer overflow vulnerability has been identified in the PSP
+(Paint Shop Pro) file parser of GIMP. The issue occurs in the
+read_creator_block() function, where the Creator metadata block is
+processed. Specifically, a 32-bit length value read from the file is
+used directly for memory allocation without proper validation.
+Trigger -> when length is set to 0xFFFFFFFF
+
+To fix this, we check that using that length doesn't exceed the end
+of the creator block. If it does, we return with an error message.
+---
+ plug-ins/common/file-psp.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index 9004998ab6c1..0ce72402ab80 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -1121,7 +1121,17 @@ read_creator_block (FILE *f,
+ }
+ keyword = GUINT16_FROM_LE (keyword);
+ length = GUINT32_FROM_LE (length);
+- switch (keyword)
++
++ if ((goffset) ftell (f) + length > (goffset) data_start + total_len)
++ {
++ /* FIXME: After string freeze is over, we should consider changing
++ * this error message to be a bit more descriptive. */
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("Error reading creator keyword data"));
++ return -1;
++ }
++
++ switch (keyword)
+ {
+ case PSP_CRTR_FLD_TITLE:
+ case PSP_CRTR_FLD_ARTIST:
+--
+2.51.0
+
diff -Nru gimp-2.10.34/debian/patches/plug-ins-fix-15812-PSD-loader-heap-buffer-overflow.patch gimp-2.10.34/debian/patches/plug-ins-fix-15812-PSD-loader-heap-buffer-overflow.patch
--- gimp-2.10.34/debian/patches/plug-ins-fix-15812-PSD-loader-heap-buffer-overflow.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-2.10.34/debian/patches/plug-ins-fix-15812-PSD-loader-heap-buffer-overflow.patch 2026-02-16 09:14:11.000000000 +0000
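Review bot: The new bound check in read_creator_block uses `ftell (f)` without testing its result; ftell returns -1 on failure, and then `(goffset) ftell (f) + length` evaluates to `length - 1`, which weakens the comparison against `data_start + total_len` instead of rejecting the block. Storing the position first keeps the intent and handles the error case: `goffset pos = ftell (f); if (pos < 0 || pos + length > (goffset) data_start + total_len)`. The check also assumes total_len was validated against the file size when the block header was read, which is outside this hunk; if it was not, a `length` just under total_len still reaches the allocation below. The body of read_creator_block continues outside the hunk.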
@@ -0,0 +1,37 @@
+From: Jacob Boerema
+Date: Fri, 6 Feb 2026 15:56:07 -0500
+Subject: plug-ins: fix #15812 PSD loader: heap-buffer-overflow ...
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/51a2d65a2df403f6da582173e0ddd7904356f5ae
+Bug: https://gitlab.gnome.org/GNOME/gimp/-/issues/15812
+Bug-Debian: https://bugs.debian.org/1127838
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-2239
+
+in fread_pascal_string
+
+In plug-ins/file-psd/psd-util.c, the function fread_pascal_string()
+allocates a buffer with g_malloc(len) and reads len bytes from the file
+into it. The buffer is not null-terminated, but is assumed to be in
+later code.
+This causes it to read past the end of its allocated region with a
+specially crafted PSD, causing a heap-buffer-overflow.
+
+Fix this by alloocating one more byte than its length and set that
+to '\0'.
+
+(cherry picked from commit 8cf2772f5631719ae0e4e701bd7ef793b1f59cfa)
+---
+ plug-ins/file-psd/psd-util.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/plug-ins/file-psd/psd-util.c
++++ b/plug-ins/file-psd/psd-util.c
+@@ -227,7 +227,8 @@ fread_pascal_string (gint32 *bytes_rea
+ return NULL;
+ }
+
+- str = g_malloc (len);
++ str = g_malloc (len + 1);
++ str[len] = '\0';
+ if (fread (str, len, 1, f) < 1)
+ {
+ psd_set_error (feof (f), errno, error);
diff -Nru gimp-2.10.34/debian/patches/plug-ins-fix-crash-due-to-uninitialized-ptr_array.patch gimp-2.10.34/debian/patches/plug-ins-fix-crash-due-to-uninitialized-ptr_array.patch
--- gimp-2.10.34/debian/patches/plug-ins-fix-crash-due-to-uninitialized-ptr_array.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-2.10.34/debian/patches/plug-ins-fix-crash-due-to-uninitialized-ptr_array.patch 2026-02-16 16:20:01.000000000 +0000
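Review bot: The added `str[len] = '\0';` in fread_pascal_string has no comment, and nothing in the hunk shows that callers treat the buffer as a C string, so a later reader may take the extra byte for slack and remove it; a one-liner above the allocation fixes that: `/* Callers treat the result as a NUL-terminated C string; reserve and write the terminator. */`. Writing the terminator before the fread is fine because fread fills at most len bytes. The type of len is outside the hunk; if it is wider than the one-byte Pascal length prefix, `len + 1` should also be checked for wrap before the allocation. fread_pascal_string starts and ends outside the hunk.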
@@ -0,0 +1,43 @@
+From: Jacob Boerema
+Date: Fri, 6 Feb 2026 16:00:11 -0500
+Subject: plug-ins: fix crash due to uninitialized ptr_array...
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/02886e626df5e4c5f73f838a64fd3f21809dda09
+
+when loading a specially crafted PSD.
+After fixing the issue in the previous commit, using the poc from that
+issue, a new issue surfaced where the ptr_array used for
+img_a->alpha_name did not contain any names. Trying to access the
+first index then caused a crash, because apparently that is only
+valid if at least one item has been added.
+
+Let's fix this by only creating the ptr_array when we know for sure
+that we are going to add an item.
+---
+ plug-ins/file-psd/psd-image-res-load.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/file-psd/psd-image-res-load.c b/plug-ins/file-psd/psd-image-res-load.c
+index 234c9abc39fe..c12be85d89c6 100644
+--- a/plug-ins/file-psd/psd-image-res-load.c
++++ b/plug-ins/file-psd/psd-image-res-load.c
+@@ -660,8 +660,6 @@ load_resource_1006 (const PSDimageres *res_a,
+ return 0;
+ }
+
+- img_a->alpha_names = g_ptr_array_new ();
+-
+ block_rem = res_a->data_len;
+ while (block_rem > 1)
+ {
+@@ -671,6 +669,8 @@ load_resource_1006 (const PSDimageres *res_a,
+ IFDBG(3) g_debug ("String: %s, %d, %d", str, read_len, write_len);
+ if (write_len >= 0)
+ {
++ if (! img_a->alpha_names)
++ img_a->alpha_names = g_ptr_array_new ();
+ g_ptr_array_add (img_a->alpha_names, (gpointer) str);
+ }
+ block_rem -= read_len;
+--
+2.51.0
+
diff -Nru gimp-2.10.34/debian/patches/series gimp-2.10.34/debian/patches/series
--- gimp-2.10.34/debian/patches/series 2026-01-24 17:26:10.000000000 +0000
+++ gimp-2.10.34/debian/patches/series 2026-02-16 16:20:01.000000000 +0000
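Review bot: With the array created lazily in the second hunk, `img_a->alpha_names` now stays NULL whenever no name is read, so every consumer of alpha_names (none are visible here) must tolerate a NULL pointer rather than an empty array, and the crash described in the message is only avoided if they do. A comment at the lazy creation would make that contract explicit: `/* alpha_names stays NULL when no name was read; readers must check for NULL before indexing. */`. The change also relies on img_a being zero-initialized so that alpha_names starts out NULL, which the hunk does not show. load_resource_1006 continues outside both hunks.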
@@ -22,3 +22,7 @@
 CVE-2025-14422.patch
 CVE-2025-14425.patch
 CVE-2025-15059.patch
+plug-ins-fix-15812-PSD-loader-heap-buffer-overflow.patch
+plug-ins-Fix-15732-PSP-File-Parsing-Integer-Overflow.patch
+plug-ins-Add-overflow-checks-for-ICO-loading.patch
+plug-ins-fix-crash-due-to-uninitialized-ptr_array.patch