Version in base suite: 3.0.4-3+deb13u2 Base version: gimp_3.0.4-3+deb13u2 Target version: gimp_3.0.4-3+deb13u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gimp/gimp_3.0.4-3+deb13u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gimp/gimp_3.0.4-3+deb13u4.dsc changelog | 14 ++++++ patches/CVE-2025-14422.patch | 29 ++++++++++++++ patches/CVE-2025-14423.patch | 88 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2025-14424.patch | 19 +++++++++ patches/CVE-2025-14425.patch | 60 +++++++++++++++++++++++++++++ patches/series | 5 ++ 6 files changed, 215 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp787843rq/gimp_3.0.4-3+deb13u2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp787843rq/gimp_3.0.4-3+deb13u4.dsc: no acceptable signature found
diff -Nru gimp-3.0.4/debian/changelog gimp-3.0.4/debian/changelog
--- gimp-3.0.4/debian/changelog 2025-10-30 23:02:54.000000000 +0000
+++ gimp-3.0.4/debian/changelog 2025-12-25 12:10:59.000000000 +0000
@@ -1,3 +1,17 @@
+gimp (3.0.4-3+deb13u4) trixie-security; urgency=medium
+
+ * CVE-2025-14425
+
+ -- Moritz Mühlenhoff Thu, 25 Dec 2025 13:10:59 +0100
+
+gimp (3.0.4-3+deb13u3) trixie-security; urgency=medium
+
+ * CVE-2025-14424
+ * CVE-2025-14423
+ * CVE-2025-14422
+
+ -- Moritz Mühlenhoff Thu, 25 Dec 2025 01:08:59 +0100
+
 gimp (3.0.4-3+deb13u2) trixie-security; urgency=medium
 
 * CVE-2025-10934 (Closes: #1119661)
diff -Nru gimp-3.0.4/debian/patches/CVE-2025-14422.patch gimp-3.0.4/debian/patches/CVE-2025-14422.patch
--- gimp-3.0.4/debian/patches/CVE-2025-14422.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-3.0.4/debian/patches/CVE-2025-14422.patch 2025-12-25 00:08:55.000000000 +0000
@@ -0,0 +1,29 @@
+From 4ff2d773d58064e6130495de498e440f4a6d5edb Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Sun, 23 Nov 2025 16:43:51 +0000
+Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273
+
+--- gimp-3.0.4.orig/plug-ins/common/file-pnm.c
++++ gimp-3.0.4/plug-ins/common/file-pnm.c
+@@ -1060,6 +1060,7 @@ pnm_load_raw (PNMScanner *scan,
+ const Babl *format = NULL;
+ gint bpc;
+ guchar *data, *d;
++ gsize data_size;
+ gushort *s;
+ gint x, y, i;
+ gint start, end, scanlines;
+@@ -1070,7 +1071,12 @@ pnm_load_raw (PNMScanner *scan,
+ bpc = 1;
+
+ /* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */
+- data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc);
++ if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) ||
++ ! g_size_checked_mul (&data_size, data_size, info->np) ||
++ ! g_size_checked_mul (&data_size, data_size, bpc))
++ CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value."));
++
++ data = g_new (guchar, data_size);
+
+ input = pnmscanner_input (scan);
+
diff -Nru gimp-3.0.4/debian/patches/CVE-2025-14423.patch gimp-3.0.4/debian/patches/CVE-2025-14423.patch
--- gimp-3.0.4/debian/patches/CVE-2025-14423.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-3.0.4/debian/patches/CVE-2025-14423.patch 2025-12-25 00:08:13.000000000 +0000
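Review bot: In the pnm_load_raw hunk of CVE-2025-14422.patch the overflow branch calls `CHECK_FOR_ERROR (FALSE, info->jmpbuf, …)`, and the macro's definition is not part of the patch; if it bails out only when its first argument is true, as its name suggests, a failed `g_size_checked_mul` falls through to `g_new (guchar, data_size)` with an unspecified `data_size`. Passing `TRUE` on that line would make the abort unconditional once an overflow has been detected. The context comment `/* No overflow as long as gimp_tile_height() < 1365 … */` describes the old int arithmetic and no longer matches the code, and the message "Unsupported maximum value." does not describe a size overflow. pnm_load_raw starts and ends outside the hunk.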
@@ -0,0 +1,88 @@
+From 481cdbbb97746be1145ec3a633c567a68633c521 Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Sun, 23 Nov 2025 04:22:49 +0000
+Subject: [PATCH] plug-ins: Fix ZDI-CAN-28311
+
+--- gimp-3.0.4.orig/plug-ins/common/file-iff.c
++++ gimp-3.0.4/plug-ins/common/file-iff.c
+@@ -335,7 +335,7 @@ load_image (GFile *file,
+ width = bitMapHeader->w;
+ height = bitMapHeader->h;
+ nPlanes = bitMapHeader->nPlanes;
+- row_length = (width + 15) / 16;
++ row_length = ((width + 15) / 16) * 2;
+ pixel_size = nPlanes / 8;
+ aspect_x = bitMapHeader->xAspect;
+ aspect_y = bitMapHeader->yAspect;
+@@ -366,6 +366,18 @@ load_image (GFile *file,
+ {
+ /* EHB mode adds 32 more colors. Each are half the RGB values
+ * of the first 32 colors */
++ if (palette_size < 32)
++ {
++ g_set_error (error, G_FILE_ERROR,
++ g_file_error_from_errno (errno),
++ _("Invalid ILBM colormap size"));
++ return NULL;
++ }
++ else if (palette_size > 32)
++ {
++ palette_size = 32;
++ }
++
+ for (gint j = 0; j < palette_size * 2; j++)
+ {
+ gint offset_index = j + 32;
+@@ -377,7 +389,7 @@ load_image (GFile *file,
+ gimp_cmap[offset_index * 3 + 2] =
+ colorMap->colorRegister[j].blue / 2;
+ }
+- /* EHB mode always has 64 colors */
++ /* EHB mode always has 64 colors in total */
+ palette_size = 64;
+ }
+ }
+@@ -438,7 +450,7 @@ load_image (GFile *file,
+ {
+ guchar *pixel_row;
+
+- pixel_row = g_malloc (width * pixel_size * sizeof (guchar));
++ pixel_row = g_malloc0 (width * pixel_size);
+
+ /* PBM uses one byte per pixel index */
+ if (ILBM_imageIsPBM (true_image))
+@@ -450,7 +462,7 @@ load_image (GFile *file,
+ else
+ deleave_rgb_row (bitplanes, pixel_row, width, nPlanes, pixel_size);
+
+- bitplanes += (row_length * 2 * nPlanes);
++ bitplanes += (row_length * nPlanes);
+
+ gegl_buffer_set (buffer, GEGL_RECTANGLE (0, y_height, width, 1), 0,
+ NULL, pixel_row, GEGL_AUTO_ROWSTRIDE);
+@@ -519,7 +531,7 @@ deleave_ham_row (const guchar *gimp_cmap
+ /* Deleave rows */
+ for (gint i = 0; i < row_length; i++)
+ {
+- for (gint j = 0; j < 8; j++)
++ for (gint j = 0; j < nPlanes; j++)
+ {
+ guint8 bitmask = (1 << (8 - j)) - (1 << (7 - j));
+ guint8 control = 0;
+@@ -581,11 +593,11 @@ deleave_ham_row (const guchar *gimp_cmap
+ }
+
+ static void
+-deleave_rgb_row (IFF_UByte *bitplanes,
+- guchar *pixel_row,
+- gint width,
+- gint nPlanes,
+- gint pixel_size)
++deleave_rgb_row (IFF_UByte *bitplanes,
++ guchar *pixel_row,
++ gint width,
++ gint nPlanes,
++ gint pixel_size)
+ {
+ gint row_length = ((width + 15) / 16) * 2;
+ gint current_pixel = 0;
diff -Nru gimp-3.0.4/debian/patches/CVE-2025-14424.patch gimp-3.0.4/debian/patches/CVE-2025-14424.patch
--- gimp-3.0.4/debian/patches/CVE-2025-14424.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-3.0.4/debian/patches/CVE-2025-14424.patch 2025-12-25 00:07:02.000000000 +0000
@@ -0,0 +1,19 @@
+From 5cc55d078b7fba995cef77d195fac325ee288ddd Mon Sep 17 00:00:00 2001
+From: Jacob Boerema
+Date: Thu, 13 Nov 2025 18:26:51 -0500
+Subject: [PATCH] app: fix #15288 crash when loading malformed xcf
+
+--- gimp-3.0.4.orig/app/core/gimpitemlist.c
++++ gimp-3.0.4/app/core/gimpitemlist.c
+@@ -343,7 +343,10 @@ gimp_item_list_named_new (GimpImage *i
+ g_return_val_if_fail (GIMP_IS_IMAGE (image), NULL);
+
+ for (iter = items; iter; iter = iter->next)
+- g_return_val_if_fail (g_type_is_a (G_OBJECT_TYPE (iter->data), item_type), NULL);
++ {
++ g_return_val_if_fail (iter->data && ((GTypeInstance*) (iter->data))->g_class, NULL);
++ g_return_val_if_fail (g_type_is_a (G_OBJECT_TYPE (iter->data), item_type), NULL);
++ }
+
+ if (! items)
+ {
diff -Nru gimp-3.0.4/debian/patches/CVE-2025-14425.patch gimp-3.0.4/debian/patches/CVE-2025-14425.patch
--- gimp-3.0.4/debian/patches/CVE-2025-14425.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-3.0.4/debian/patches/CVE-2025-14425.patch 2025-12-25 12:10:24.000000000 +0000
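Review bot: In the EHB hunk of CVE-2025-14423.patch (load_image, file-iff.c) the clamp sets palette_size to 32, but the unchanged loop header `for (gint j = 0; j < palette_size * 2; j++)` still runs j up to 63 and reads `colorMap->colorRegister[j]`, while the new check only guarantees 32 entries (assuming palette_size reflects the colormap length). If colorRegister holds exactly the number of entries the file declared, that read goes past it; bounding the loop as `for (gint j = 0; j < palette_size; j++)` would match the comment about halving the first 32 colours. The error branch also uses `g_file_error_from_errno (errno)` although no system call failed at that point, so the reported code is whatever errno last held; a fixed code such as `G_FILE_ERROR_INVAL` would be stable. The allocations of colorRegister and gimp_cmap are outside the hunk, so both sizes should be confirmed there.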
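Review bot: In the deleave_ham_row hunk the inner loop bound becomes `j < nPlanes`, but the next context line still computes `bitmask = (1 << (8 - j)) - (1 << (7 - j))`, which is only defined for j from 0 to 7. If nPlanes can exceed 8 on this path, `7 - j` turns negative and the shift is undefined behaviour; if it is below 8, the low bits of each byte are no longer visited. Whether a caller bounds nPlanes for HAM images is not visible in the patch, so it is worth confirming that the bit index is meant to follow the plane count; otherwise the original `j < 8` bound plus a separate validation of nPlanes keeps the shift in range. The function body continues outside the hunk.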
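Review bot: The new check in gimp_item_list_named_new guards against data that, per the subject line, comes from a malformed XCF, yet it uses `g_return_val_if_fail`, which GLib compiles to nothing when `G_DISABLE_CHECKS` is defined and which is meant for programmer errors. An explicit test, for example `if (! iter->data || ! ((GTypeInstance *) iter->data)->g_class) return NULL;`, keeps the protection in every build. The check also only catches a NULL pointer or a NULL class pointer; a stale non-NULL pointer is still dereferenced here, so the loader that builds `items` (outside this hunk) is where the invalid entry should be rejected. The function continues beyond the hunk.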
@@ -0,0 +1,60 @@
+From cd1c88a0364ad1444c06536731972a99bd8643fd Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Wed, 12 Nov 2025 13:25:44 +0000
+Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28248 for JP2 images
+
+--- gimp-3.0.4.orig/plug-ins/common/file-jp2-load.c
++++ gimp-3.0.4/plug-ins/common/file-jp2-load.c
+@@ -1027,14 +1027,15 @@ load_image (GimpProcedure *procedure
+ GimpColorProfile *profile = NULL;
+ GimpImage *gimp_image = NULL;
+ GimpLayer *layer;
++ GeglBuffer *buffer = NULL;
++ guchar *pixels = NULL;
++ gsize pixels_size;
+ GimpImageType image_type;
+ GimpImageBaseType base_type;
+ gint width;
+ gint height;
+ gint num_components;
+- GeglBuffer *buffer;
+ gint i, j, k, it;
+- guchar *pixels;
+ const Babl *file_format;
+ gint bpp;
+ GimpPrecision image_precision;
+@@ -1283,7 +1284,15 @@ load_image (GimpProcedure *procedure
+ bpp = babl_format_get_bytes_per_pixel (file_format);
+
+ buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
+- pixels = g_new0 (guchar, width * bpp);
++
++ if (! g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8))))
++ {
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("Defined row size is too large in JP2 image '%s'."),
++ gimp_file_get_utf8_name (file));
++ goto out;
++ }
++ pixels = g_new0 (guchar, pixels_size);
+
+ for (i = 0; i < height; i++)
+ {
+@@ -1309,13 +1318,13 @@ load_image (GimpProcedure *procedure
+ gegl_buffer_set (buffer, GEGL_RECTANGLE (0, i, width, 1), 0,
+ file_format, pixels, GEGL_AUTO_ROWSTRIDE);
+ }
+-
+- g_free (pixels);
+-
+- g_object_unref (buffer);
+ gimp_progress_update (1.0);
+
+ out:
++ if (pixels)
++ g_free (pixels);
++ if (buffer)
++ g_object_unref (buffer);
+ if (profile)
+ g_object_unref (profile);
+ if (image)
diff -Nru gimp-3.0.4/debian/patches/series gimp-3.0.4/debian/patches/series
--- gimp-3.0.4/debian/patches/series 2025-10-30 23:02:54.000000000 +0000
+++ gimp-3.0.4/debian/patches/series 2025-12-25 12:10:47.000000000 +0000
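Review bot: On the new overflow path in load_image (file-jp2-load.c) the code sets `error` and jumps to `out:` at a point where `layer` is already in use, so gimp_image has presumably been created; the return statement is outside the hunk, but if the function returns gimp_image there, the caller receives a half-built image together with a set GError. Consider discarding it before the jump, e.g. `gimp_image_delete (gimp_image); gimp_image = NULL;`, unless the other error paths already handle this. The row size now includes `precision_scaled / 8`, which is zero for any value below 8 and would make `g_new0` return NULL while the row loop still passes `pixels` to gegl_buffer_set; a check or a comment stating the allowed values of precision_scaled would close that gap. The `if (pixels)` guard before `g_free` is redundant, since g_free accepts NULL.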
@@ -4,3 +4,8 @@
 CVE-2025-10922.patch
 CVE-2025-10920.patch
 CVE-2025-10934.patch
+CVE-2025-14424.patch
+CVE-2025-14423.patch
+CVE-2025-14422.patch
+CVE-2025-14425.patch
+