Version in base suite: 3.0.4-3+deb13u2
Version in overlay suite: 3.0.4-3+deb13u6
Base version: gimp_3.0.4-3+deb13u6
Target version: gimp_3.0.4-3+deb13u7
Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gimp/gimp_3.0.4-3+deb13u6.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gimp/gimp_3.0.4-3+deb13u7.dsc
changelog | 10 +++
patches/CVE-2026-0797.patch | 112 ++++++++++++++++++++++++++++++++++
patches/CVE-2026-2044.patch | 16 ++++
patches/CVE-2026-2045.patch | 24 +++++++
patches/CVE-2026-2047.patch | 142 ++++++++++++++++++++++++++++++++++++++++++++
patches/CVE-2026-2048.patch | 73 ++++++++++++++++++++++
patches/series | 5 +
7 files changed, 382 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpg1ayw2cd/gimp_3.0.4-3+deb13u6.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpg1ayw2cd/gimp_3.0.4-3+deb13u7.dsc: no acceptable signature found
diff -Nru gimp-3.0.4/debian/changelog gimp-3.0.4/debian/changelog
--- gimp-3.0.4/debian/changelog 2026-02-16 16:16:47.000000000 +0000
+++ gimp-3.0.4/debian/changelog 2026-02-28 16:14:52.000000000 +0000
@@ -1,3 +1,13 @@
+gimp (3.0.4-3+deb13u7) trixie-security; urgency=medium
+
+ * CVE-2026-0797 (Closes: #1128601)
+ * CVE-2026-2044
+ * CVE-2026-2045 (Closes: #1128604)
+ * CVE-2026-2047 (Closes: #1128605)
+ * CVE-2026-2048 (Closes: #1128606)
+
+ -- Moritz Mühlenhoff Sat, 28 Feb 2026 17:14:52 +0100
+
 gimp (3.0.4-3+deb13u6) trixie-security; urgency=high
 * Non-maintainer upload by the Security Team.
diff -Nru gimp-3.0.4/debian/patches/CVE-2026-0797.patch gimp-3.0.4/debian/patches/CVE-2026-0797.patch
--- gimp-3.0.4/debian/patches/CVE-2026-0797.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-3.0.4/debian/patches/CVE-2026-0797.patch 2026-02-28 16:12:47.000000000 +0000
@@ -0,0 +1,112 @@
+From ca449c745d58daa3f4b1ed4c2030d35d401a009d Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Fri, 26 Dec 2025 15:49:45 +0000
+Subject: [PATCH] plug-ins: Add more fread () checks in ICO loading
+
+From 13849c5a9a65c2366c47f703d9d075e4bfb83525 Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Sat, 27 Dec 2025 05:24:03 +0000
+Subject: [PATCH] plug-ins: Additional fread () checks in ICO plug-in
+
+
+--- gimp-3.0.4.orig/plug-ins/file-ico/ico-load.c
++++ gimp-3.0.4/plug-ins/file-ico/ico-load.c
+@@ -69,7 +69,9 @@ ico_read_int32 (FILE *fp,
+ total = count;
+ if (count > 0)
+ {
+- ico_read_int8 (fp, (guint8 *) data, count * 4);
++ if (ico_read_int8 (fp, (guint8 *) data, count * 4) != (count * 4))
++ return FALSE;
++
+ for (i = 0; i < count; i++)
+ data[i] = GUINT32_FROM_LE (data[i]);
+ }
+@@ -88,7 +90,9 @@ ico_read_int16 (FILE *fp,
+ total = count;
+ if (count > 0)
+ {
+- ico_read_int8 (fp, (guint8 *) data, count * 2);
++ if (ico_read_int8 (fp, (guint8 *) data, count * 2) != (count * 2))
++ return FALSE;
++
+ for (i = 0; i < count; i++)
+ data[i] = GUINT16_FROM_LE (data[i]);
+ }
+@@ -109,8 +113,8 @@ ico_read_int8 (FILE *fp,
+ while (count > 0)
+ {
+ bytes = fread ((gchar *) data, sizeof (gchar), count, fp);
+- if (bytes <= 0) /* something bad happened */
+- break;
++ if (bytes != count) /* something bad happened */
++ return -1;
+
+ count -= bytes;
+ data += bytes;
+@@ -438,16 +442,20 @@ ico_read_icon (FILE *fp,
+ palette = NULL;
+
+ data.header_size = header_size;
+- ico_read_int32 (fp, &data.width, 1);
+- ico_read_int32 (fp, &data.height, 1);
+- ico_read_int16 (fp, &data.planes, 1);
+- ico_read_int16 (fp, &data.bpp, 1);
+- ico_read_int32 (fp, &data.compression, 1);
+- ico_read_int32 (fp, &data.image_size, 1);
+- ico_read_int32 (fp, &data.x_res, 1);
+- ico_read_int32 (fp, &data.y_res, 1);
+- ico_read_int32 (fp, &data.used_clrs, 1);
+- ico_read_int32 (fp, &data.important_clrs, 1);
++ if (ico_read_int32 (fp, &data.width, 1) != 4 ||
++ ico_read_int32 (fp,
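Review bot: The three read helpers now signal failure with different values: `ico_read_int8` returns `-1` (hunk at -109) while `ico_read_int32` and `ico_read_int16` return `FALSE` (hunks at -69 and -88), although the callers later in this patch treat all of them as byte counts (`!= 4`, `!= 2`, `!= length`). Both values happen to fail those comparisons, but a boolean in a count-returning function is easy to misread; returning `-1` from all three (assuming a signed return type, which the hunks do not show) or documenting the contract with a comment such as `/* returns the number of bytes read, or -1 on a short read */` would make it explicit. After this change the `while (count > 0)` loop in `ico_read_int8` can run at most once, because any short read returns immediately. The signatures and tails of all three functions are outside the hunks.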
&data.height, 1) != 4 ||
++ ico_read_int16 (fp, &data.planes, 1) != 2 ||
++ ico_read_int16 (fp, &data.bpp, 1) != 2 ||
++ ico_read_int32 (fp, &data.compression, 1) != 4 ||
++ ico_read_int32 (fp, &data.image_size, 1) != 4 ||
++ ico_read_int32 (fp, &data.x_res, 1) != 4 ||
++ ico_read_int32 (fp, &data.y_res, 1) != 4 ||
++ ico_read_int32 (fp, &data.used_clrs, 1) != 4 ||
++ ico_read_int32 (fp, &data.important_clrs, 1) != 4)
++ {
++ D(("skipping image: invalid header\n"));
++ return FALSE;
++ }
+
+ D((" header size %i, "
+ "w %i, h %i, planes %i, size %i, bpp %i, used %i, imp %i.\n",
+@@ -492,16 +500,31 @@ ico_read_icon (FILE *fp,
+ data.used_clrs, data.bpp));
+
+ palette = g_new0 (guint32, data.used_clrs);
+- ico_read_int8 (fp, (guint8 *) palette, data.used_clrs * 4);
++ if (ico_read_int8 (fp,
++ (guint8 *) palette,
++ data.used_clrs * 4) != (data.used_clrs * 4))
++ {
++ D(("skipping image: too large\n"));
++ return FALSE;
++ }
++
+ }
+
+ xor_map = ico_alloc_map (w, h, data.bpp, &length);
+- ico_read_int8 (fp, xor_map, length);
++ if (ico_read_int8 (fp, xor_map, length) != length)
++ {
++ D(("skipping image: too large\n"));
++ return FALSE;
++ }
+ D((" length of xor_map: %i\n", length));
+
+ /* Read in and_map. It's padded out to 32 bits per line: */
+ and_map = ico_alloc_map (w, h, 1, &length);
+- ico_read_int8 (fp, and_map, length);
++ if (ico_read_int8 (fp, and_map, length) != length)
++ {
++ D(("skipping image: too large\n"));
++ return FALSE;
++ }
+ D((" length of and_map: %i\n", length));
+
+ dest_vec = (guint32 *) buf;
diff -Nru gimp-3.0.4/debian/patches/CVE-2026-2044.patch gimp-3.0.4/debian/patches/CVE-2026-2044.patch
--- gimp-3.0.4/debian/patches/CVE-2026-2044.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-3.0.4/debian/patches/CVE-2026-2044.patch 2026-02-28 16:13:20.000000000 +0000
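Review bot: The new early returns in the hunk at -492 leave `ico_read_icon` without releasing what was allocated just above them: `palette` from `g_new0` on the first, `palette` and `xor_map` on the second, and additionally `and_map` on the third. The debug text speaks of skipping an image, so a malformed file with several bad entries would presumably leak once per entry. Adding `g_free (palette);` before the first `return FALSE;`, and also freeing `xor_map` and `and_map` in the later two (with whatever releases an `ico_alloc_map` buffer, presumably `g_free`), closes it. The message `"skipping image: too large\n"` also describes a short read rather than an oversized image. Any cleanup at the end of the function lies outside the hunk.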
@@ -0,0 +1,16 @@
+From 3b5f9ec2b4c03cf4a51a5414f2793844c26747e5 Mon Sep 17 00:00:00 2001
+From: Gabriele Barbero
+Date: Fri, 5 Dec 2025 19:13:01 +0100
+Subject: [PATCH] ZDI-CAN-28158: use g_malloc0 instead of g_malloc
+
+--- gimp-3.0.4.orig/plug-ins/common/file-pnm.c
++++ gimp-3.0.4/plug-ins/common/file-pnm.c
+@@ -693,7 +693,7 @@ load_image (GFile *file,
+ return NULL;
+
+ /* allocate the necessary structures */
+- pnminfo = g_new (PNMInfo, 1);
++ pnminfo = g_new0 (PNMInfo, 1);
+
+ pnminfo->tupltype = NULL;
+
diff -Nru gimp-3.0.4/debian/patches/CVE-2026-2045.patch gimp-3.0.4/debian/patches/CVE-2026-2045.patch
--- gimp-3.0.4/debian/patches/CVE-2026-2045.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-3.0.4/debian/patches/CVE-2026-2045.patch 2026-02-28 16:13:44.000000000 +0000
@@ -0,0 +1,24 @@
+From bb896f67942557658b3fbfc67a1c073775c002c7 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema
+Date: Thu, 15 Jan 2026 10:12:07 -0500
+Subject: [PATCH] plug-ins: fix #15293 security issue ZDI-CAN-28265
+
+--- gimp-3.0.4.orig/plug-ins/common/file-xwd.c
++++ gimp-3.0.4/plug-ins/common/file-xwd.c
+@@ -1712,7 +1712,15 @@ load_xwd_f2_d16_b16 (GFile *fi
+
+ for (j = 0; j < ncols; j++)
+ {
+- cm = ColorMap + xwdcolmap[j].l_pixel * 3;
++ goffset offset = xwdcolmap[j].l_pixel * 3;
++
++ if (offset+2 >= maxval)
++ {
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("Invalid colormap offset. Possibly corrupt image."));
++ return NULL;
++ }
++ cm = ColorMap + offset;
+ *(cm++) = (xwdcolmap[j].l_red >> 8);
+ *(cm++) = (xwdcolmap[j].l_green >> 8);
+ *cm = (xwdcolmap[j].l_blue >> 8);
diff -Nru gimp-3.0.4/debian/patches/CVE-2026-2047.patch gimp-3.0.4/debian/patches/CVE-2026-2047.patch
--- gimp-3.0.4/debian/patches/CVE-2026-2047.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-3.0.4/debian/patches/CVE-2026-2047.patch 2026-02-28 16:14:14.000000000 +0000
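Review bot: Nothing in the file-pnm.c hunk records why the zero-fill matters, so a later cleanup could turn `g_new0` back into `g_new` without noticing. A comment above the allocation such as `/* must be zero-filled: not every PNMInfo member is assigned before it is read (ZDI-CAN-28158) */` would pin that down; the wording is inferred from the fix itself, since the code that reads the structure is outside the hunk. With `g_new0` in place the following `pnminfo->tupltype = NULL;` is redundant, though harmless.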
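Review bot: The new guard in `load_xwd_f2_d16_b16` tests only the upper bound of a signed `goffset`, and the product `xwdcolmap[j].l_pixel * 3` is evaluated in the type of `l_pixel` before it is widened. If that type is 32 bits wide the multiplication can wrap before the check, so an out-of-range pixel value is accepted as a different, in-range entry instead of being rejected, and if the product can exceed the positive range of `goffset` the test passes with a negative offset. Casting before multiplying and adding a lower bound, `goffset offset = (goffset) xwdcolmap[j].l_pixel * 3;` with `if (offset < 0 || offset + 2 >= maxval)`, covers both cases. The `return NULL;` also leaves the function without freeing `ColorMap` or anything else allocated before the loop; those allocations are outside the hunk.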
@@ -0,0 +1,142 @@
+From 5873e16f80cf4152d25a4c86b08553008a331e90 Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Sat, 17 Jan 2026 16:59:17 +0000
+Subject: [PATCH] plug-ins: Resolve ZDI-CAN-28530 for ICNS load
+
+--- gimp-3.0.4.orig/plug-ins/file-icns/file-icns-load.c
++++ gimp-3.0.4/plug-ins/file-icns/file-icns-load.c
+@@ -40,7 +40,7 @@
+
+ IcnsResource * resource_load (FILE *file);
+
+-IcnsResource * resource_find (IcnsResource *list,
++IcnsResource * resource_find (GList *resources,
+ gchar *type,
+ gint max);
+
+@@ -118,14 +118,18 @@ resource_load (FILE *file)
+ }
+
+ IcnsResource *
+-resource_find (IcnsResource *list,
++resource_find (GList *resources,
+ gchar *type,
+ gint max)
+ {
+- for (gint i = 0; i < max; i++)
++ GList *list;
++
++ for (list = resources; list; list = g_list_next (list))
+ {
+- if (! strncmp (list[i].type, type, 4))
+- return &list[i];
++ IcnsResource *res = list->data;
++
++ if (! strncmp (res->type, type, 4))
++ return res;
+ }
+ return NULL;
+ }
+@@ -145,10 +149,14 @@ resource_get_next (IcnsResource *icns,
+ res->cursor = sizeof (IcnsResourceHeader);
+ res->data = &(icns->data[icns->cursor]);
+
++ if (! res->size)
++ return FALSE;
++
+ icns->cursor += res->size;
+ if (icns->cursor > icns->size)
+ {
+ gchar typestring[5];
++
+ fourcc_get_string (icns->type, typestring);
+ g_message ("icns resource_get_next: resource too big!
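Review bot: `resource_find` keeps its `gint max` parameter, but the rewritten body in the hunk at -118 never reads it, so the bound that callers pass no longer has any effect. The list walk terminates on its own, so this is safe, but the dead parameter suggests a limit that is not enforced. Either drop it from the prototype (hunk at -40) and the definition, or say so in a comment such as `/* max is unused; kept for call-site compatibility */`. The call sites are outside the hunks and may still pass a counter that the rest of this patch stops incrementing.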
type '%s', size %u\n",
+ typestring, icns->size);
+@@ -162,18 +170,25 @@ GimpImage *
+ icns_load (IcnsResource *icns,
+ GFile *file)
+ {
+- IcnsResource *resources;
++ GList *resources;
++ IcnsResource *resource;
+ guint nResources;
+ gfloat current_resources = 0;
+ GimpImage *image;
+
+- resources = g_new (IcnsResource, 256);
++ resources = NULL;
++ resource = g_new (IcnsResource, 1);
+
+ /* Largest .icns icon is 1024 x 1024 */
+ image = gimp_image_new (1024, 1024, GIMP_RGB);
+
+ nResources = 0;
+- while (resource_get_next (icns, &resources[nResources++])) {}
++ while (resource_get_next (icns, resource))
++ {
++ resources = g_list_append (resources, resource);
++
++ resource = g_new (IcnsResource, 1);
++ }
+
+ for (gint i = 0; iconTypes[i].type; i++)
+ {
+@@ -192,7 +207,8 @@ icns_load (IcnsResource *icns,
+ }
+
+ gimp_image_resize_to_layers (image);
+- g_free (resources);
++ g_list_free_full (resources, g_free);
++ g_free (resource);
+ return image;
+ }
+
+@@ -585,7 +601,8 @@ icns_load_thumbnail_image (GFile *file
+ FILE *fp;
+ GimpImage *image = NULL;
+ IcnsResource *icns;
+- IcnsResource *resources;
++ GList *resources;
++ IcnsResource *resource;
+ IcnsResource *mask = NULL;
+ guint i;
+ gint match = -1;
+@@ -610,15 +627,22 @@ icns_load_thumbnail_image (GFile *file
+ fclose (fp);
+
+ if (!
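Review bot: The added `if (! res->size)` in `resource_get_next` rejects only a zero length, while the context lines just above set `res->cursor = sizeof (IcnsResourceHeader)`, so any size smaller than the header still yields a resource whose cursor starts past its own end. Tightening the guard to `if (res->size < sizeof (IcnsResourceHeader)) return FALSE;` rejects those as well. If `icns->cursor` and `res->size` are 32-bit unsigned (the `%u` in the message suggests so), `icns->cursor += res->size` can also wrap before the `> icns->size` comparison; testing `res->size > icns->size - icns->cursor` before the addition avoids that. The start of the function, where the header is read, is outside the hunk.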
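Review bot: The loop in `icns_load` that replaces the fixed 256-entry array now grows without any limit and uses `g_list_append`, which walks the whole list on every call, so the work is quadratic in a resource count taken from the file. Collecting with `resources = g_list_prepend (resources, resource);` and one `resources = g_list_reverse (resources);` after the loop keeps the order that `resource_find` sees, and a sanity cap on the number of resources would stop a malformed file from tying up the loader. The same loop is repeated in `icns_load_thumbnail_image` (hunk at -610). `resource` is allocated with `g_new`, so if `resource_get_next` leaves a member unset on some path it is read uninitialised; `g_new0` would be the safer default, though that function is only partly visible here.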
icns)
+- {
+- g_message ("Invalid or corrupt icns resource file.");
+- return NULL;
+- }
++ {
++ g_message ("Invalid or corrupt icns resource file.");
++ return NULL;
++ }
+
+ image = gimp_image_new (1024, 1024, GIMP_RGB);
+
+- resources = g_new (IcnsResource, 256);
+- while (resource_get_next (icns, &resources[nResources++])) {}
++ resources = NULL;
++ resource = g_new (IcnsResource, 1);
++
++ while (resource_get_next (icns, resource))
++ {
++ resources = g_list_append (resources, resource);
++
++ resource = g_new (IcnsResource, 1);
++ }
+
+ *width = 0;
+ *height = 0;
+@@ -671,7 +695,8 @@ icns_load_thumbnail_image (GFile *file
+ return NULL;
+ }
+
+- g_free (resources);
++ g_list_free_full (resources, g_free);
++ g_free (resource);
+
+ gimp_progress_update (1.0);
+
diff -Nru gimp-3.0.4/debian/patches/CVE-2026-2048.patch gimp-3.0.4/debian/patches/CVE-2026-2048.patch
--- gimp-3.0.4/debian/patches/CVE-2026-2048.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-3.0.4/debian/patches/CVE-2026-2048.patch 2026-02-28 16:14:45.000000000 +0000
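Review bot: The `return NULL;` visible as context just above the new `g_list_free_full (resources, g_free);` (hunk at -671) exits `icns_load_thumbnail_image` before that cleanup runs. With this change that path leaks every list node and `IcnsResource` plus the spare `resource`, where it used to leak a single array. Moving the two frees ahead of that return, or routing the error path through a shared cleanup label, fixes it. The condition guarding the return is outside the hunk, so confirm that nothing earlier already releases them.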
@@ -0,0 +1,73 @@
+From fa69ac5ec5692f675de5c50a6df758f7d3e45117 Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Wed, 31 Dec 2025 14:45:15 +0000
+Subject: [PATCH] plug-ins: Add OoB check for loading XWD
+
+--- gimp-3.0.4.orig/plug-ins/common/file-xwd.c
++++ gimp-3.0.4/plug-ins/common/file-xwd.c
+@@ -2249,6 +2249,7 @@ load_xwd_f1_d24_b1 (GFile *fi
+ guint32 redmask, greenmask, bluemask;
+ guint redshift, greenshift, blueshift;
+ guint32 g;
++ guint32 maxval;
+ guchar redmap[256], greenmap[256], bluemap[256];
+ guchar bit_reverse[256];
+ guchar *xwddata, *xwdin, *data;
+@@ -2340,7 +2341,8 @@ load_xwd_f1_d24_b1 (GFile *fi
+ &layer, &buffer);
+
+ tile_height = gimp_tile_height ();
+- data = g_malloc (tile_height * width * bytes_per_pixel);
++ data = g_malloc (tile_height * width * bytes_per_pixel);
++ maxval = tile_height * width * bytes_per_pixel;
+
+ ncols = xwdhdr->l_colormap_entries;
+ if (xwdhdr->l_ncolors < ncols)
+@@ -2365,6 +2367,8 @@ load_xwd_f1_d24_b1 (GFile *fi
+
+ for (tile_start = 0; tile_start < height; tile_start += tile_height)
+ {
++ guint current_dest = 0;
++
+ memset (data, 0, width*tile_height*bytes_per_pixel);
+
+ tile_end = tile_start + tile_height - 1;
+@@ -2392,7 +2396,18 @@ load_xwd_f1_d24_b1 (GFile *fi
+ else /* 3 bytes per pixel */
+ {
+ fromright = xwdhdr->l_pixmap_depth-1-plane;
+- dest += 2 - fromright/8;
++
++ current_dest += 2 - fromright / 8;
++ if (current_dest < maxval)
++ {
++ dest += 2 - fromright / 8;
++ }
++ else
++ {
++ err = 1;
++ break;
++ }
++
+ outmask = (1 << (fromright % 8));
+ }
+
+@@ -2447,7 +2462,17 @@ load_xwd_f1_d24_b1 (GFile *fi
+
+ if (g & inmask)
+ *dest |= outmask;
+- dest += bytes_per_pixel;
++
++ current_dest += bytes_per_pixel;
++ if (current_dest < maxval)
++ {
++ dest += bytes_per_pixel;
++ }
++ else
++ {
++ err = 1;
++ break;
++ }
+
+ inmask >>= 1;
+ }
diff -Nru gimp-3.0.4/debian/patches/series gimp-3.0.4/debian/patches/series
--- gimp-3.0.4/debian/patches/series 2026-02-16 16:16:30.000000000 +0000
+++
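Review bot: `current_dest` is reset once per tile (hunk at -2365) and afterwards only incremented (hunks at -2392 and -2447), so it matches the real offset of `dest` only if `dest` is never re-based inside the tile loop; an assignment such as `dest = data + …` outside these hunks would let the counter run ahead and set `err = 1` on well-formed images. The check at -2447 also runs after `*dest |= outmask` and tests the next position, so stepping past the last pixel of a full tile appears to trip it although nothing more is written. Testing the pointer itself before each write, `if ((gsize) (dest - data) >= maxval) { err = 1; break; }`, removes the shadow counter and both problems. In the hunk at -2340 the size expression is computed twice and stored in a `guint32`; computing it once in a `gsize`, with an overflow check on the multiplication, would keep `maxval` and the allocation size from diverging should the operands be wider than 32 bits.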
gimp-3.0.4/debian/patches/series 2026-02-28 16:14:26.000000000 +0000
@@ -14,3 +14,8 @@
 plug-ins-Fix-15732-PSP-File-Parsing-Integer-Overflow.patch
 plug-ins-Add-overflow-checks-for-ICO-loading.patch
 plug-ins-fix-crash-due-to-uninitialized-ptr_array.patch
+CVE-2026-0797.patch
+CVE-2026-2044.patch
+CVE-2026-2045.patch
+CVE-2026-2047.patch
+CVE-2026-2048.patch