Version in base suite: 3.0.4-3+deb13u7 Base version: gimp_3.0.4-3+deb13u7 Target version: gimp_3.0.4-3+deb13u8 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gimp/gimp_3.0.4-3+deb13u7.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gimp/gimp_3.0.4-3+deb13u8.dsc changelog | 9 ++ patches/CVE-2026-4150.patch | 173 ++++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2026-4151.patch | 43 ++++++++++ patches/CVE-2026-4152.patch | 34 ++++++++ patches/CVE-2026-4153.patch | 41 ++++++++++ patches/series | 5 + 6 files changed, 305 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp850kll13/gimp_3.0.4-3+deb13u7.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp850kll13/gimp_3.0.4-3+deb13u8.dsc: no acceptable signature found
diff -Nru gimp-3.0.4/debian/changelog gimp-3.0.4/debian/changelog
--- gimp-3.0.4/debian/changelog 2026-02-28 16:14:52.000000000 +0000
+++ gimp-3.0.4/debian/changelog 2026-04-12 19:07:17.000000000 +0000
@@ -1,3 +1,12 @@
+gimp (3.0.4-3+deb13u8) trixie-security; urgency=medium
+
+ * CVE-2026-4150
+ * CVE-2026-4151
+ * CVE-2026-4152
+ * CVE-2026-4153
+
+ -- Moritz Mühlenhoff Sun, 12 Apr 2026 21:07:17 +0200
+
 gimp (3.0.4-3+deb13u7) trixie-security; urgency=medium
 * CVE-2026-0797 (Closes: #1128601)
diff -Nru gimp-3.0.4/debian/patches/CVE-2026-4150.patch gimp-3.0.4/debian/patches/CVE-2026-4150.patch
--- gimp-3.0.4/debian/patches/CVE-2026-4150.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-3.0.4/debian/patches/CVE-2026-4150.patch 2026-04-12 19:04:25.000000000 +0000
@@ -0,0 +1,173 @@
+From 7e1241f75147bf6e705a31c81e4d5efab1df1668 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema
+Date: Fri, 6 Mar 2026 10:01:09 -0500
+Subject: [PATCH] plug-ins: fix #15967 integer overflow in psd-load
+
+--- gimp-3.0.4.orig/plug-ins/file-psd/psd-load.c
++++ gimp-3.0.4/plug-ins/file-psd/psd-load.c
+@@ -2813,14 +2813,13 @@ add_merged_image (GimpImage *image,
+ guint16 bps;
+ guint32 *rle_pack_len[MAX_CHANNELS];
+ guint32 alpha_id;
+- gint32 layer_size;
++ gsize layer_size;
+ GimpLayer *layer = NULL;
+ GimpChannel *channel = NULL;
+ gint16 alpha_opacity;
+ gint cidx; /* Channel index */
+ gint rowi; /* Row index */
+ gint offset;
+- gint i;
+ gboolean alpha_visible;
+ gboolean alpha_channel = FALSE;
+ GeglBuffer *buffer;
+@@ -2975,11 +2974,11 @@ add_merged_image (GimpImage *image,
+ image_type = get_gimp_image_type (img_a->base_type,
+ img_a->transparency || alpha_channel);
+
+- layer_size = img_a->columns * img_a->rows;
++ layer_size = (gsize) img_a->columns * img_a->rows;
+ pixels = g_malloc (layer_size * base_channels * bps);
+ for (cidx = 0; cidx < base_channels; ++cidx)
+ {
+- for (i = 0; i < layer_size; ++i)
++ for (gint64 i = 0; i < layer_size; ++i)
+ {
+ memcpy (&pixels[((i * base_channels) + cidx) * bps],
+ &chn_a[cidx].data[i * bps], bps);
+@@ -3051,7 +3050,7 @@ add_merged_image (GimpImage *image,
+ {
+ gfloat *data = iter->items[0].data;
+
+- for (i = 0; i < iter->length; i++)
++ for (gint i = 0; i < iter->length; i++)
+ {
+ gint c;
+
+@@ -3103,7 +3102,7 @@ add_merged_image (GimpImage *image,
+
+ /* Draw channels */
+ IFDBG(2) g_debug ("Number of channels: %d", extra_channels);
+- for (i = 0; i < extra_channels; ++i)
++ for (gint i = 0; i < extra_channels; ++i)
+ {
+ /* Alpha channel name */
+ alpha_name = NULL;
+@@ -3144,8 +3143,8 @@ add_merged_image (GimpImage *image,
+ }
+
+ cidx = base_channels + i;
+- pixels = g_realloc (pixels, chn_a[cidx].columns * chn_a[cidx].rows * bps);
+- memcpy (pixels, chn_a[cidx].data, chn_a[cidx].columns *
chn_a[cidx].rows * bps);
++ pixels = g_realloc (pixels, (gsize) chn_a[cidx].columns * chn_a[cidx].rows * bps);
++ memcpy (pixels, chn_a[cidx].data, (gsize) chn_a[cidx].columns * chn_a[cidx].rows * bps);
+ channel = gimp_channel_new (image, alpha_name,
+ chn_a[cidx].columns, chn_a[cidx].rows,
+ alpha_opacity, alpha_rgb);
+@@ -3332,7 +3331,6 @@ read_channel_data (PSDchannel *chann
+ gchar *raw_data = NULL;
+ gchar *src;
+ guint32 readline_len;
+- gint i, j;
+
+ if (bps == 1)
+ readline_len = ((channel->columns + 7) / 8);
+@@ -3364,7 +3362,7 @@ read_channel_data (PSDchannel *chann
+ break;
+
+ case PSD_COMP_RLE:
+- for (i = 0; i < channel->rows; ++i)
++ for (gint i = 0; i < channel->rows; ++i)
+ {
+ src = gegl_scratch_alloc (rle_pack_len[i]);
+ /* FIXME check for over-run
+@@ -3433,12 +3431,11 @@ read_channel_data (PSDchannel *chann
+ case 32:
+ {
+ guint32 *data;
+- guint64 pos;
+
+ if (compression == PSD_COMP_ZIP_PRED)
+ {
+ IFDBG(3) g_debug ("Converting 32 bit predictor data");
+- channel->data = (gchar *) g_malloc0 (channel->rows * channel->columns * 4);
++ channel->data = (gchar *) g_malloc0 ((gsize) channel->rows * channel->columns * 4);
+ decode_32_bit_predictor (raw_data, channel->data,
+ channel->rows, channel->columns);
+ }
+@@ -3450,7 +3447,7 @@ read_channel_data (PSDchannel *chann
+ }
+
+ data = (guint32*) channel->data;
+- for (pos = 0; pos < channel->rows * channel->columns; ++pos)
++ for (gsize pos = 0; pos < (gsize) channel->rows * channel->columns; ++pos)
+ data[pos] = GUINT32_FROM_BE (data[pos]);
+
+ break;
+@@ -3463,14 +3460,14 @@ read_channel_data (PSDchannel *chann
+ channel->data = raw_data;
+ raw_data = NULL;
+
+- for (i = 0; i < channel->rows * channel->columns; ++i)
++ for (gsize i = 0; i < (gsize) channel->rows * channel->columns; ++i)
+ data[i] = GUINT16_FROM_BE (data[i]);
+
+ if (compression == PSD_COMP_ZIP_PRED)
+ {
+ IFDBG(3) g_debug ("Converting 16 bit predictor data");
+- for (i = 0; i < channel->rows; ++i)
+- for (j = 1; j <
channel->columns; ++j)
++ for (gsize i = 0; i < channel->rows; ++i)
++ for (gsize j = 1; j < channel->columns; ++j)
+ data[i * channel->columns + j] += data[i * channel->columns + j - 1];
+ }
+ break;
+@@ -3483,14 +3480,14 @@ read_channel_data (PSDchannel *chann
+ if (compression == PSD_COMP_ZIP_PRED)
+ {
+ IFDBG(3) g_debug ("Converting 8 bit predictor data");
+- for (i = 0; i < channel->rows; ++i)
+- for (j = 1; j < channel->columns; ++j)
++ for (gsize i = 0; i < channel->rows; ++i)
++ for (gsize j = 1; j < channel->columns; ++j)
+ channel->data[i * channel->columns + j] += channel->data[i * channel->columns + j - 1];
+ }
+ break;
+
+ case 1:
+- channel->data = (gchar *) g_malloc (channel->rows * channel->columns);
++ channel->data = (gchar *) g_malloc ((gsize) channel->rows * channel->columns);
+ convert_1_bit (raw_data, channel->data, channel->rows, channel->columns);
+ break;
+
+@@ -3540,7 +3537,7 @@ decode_32_bit_predictor (gchar *src,
+
+ /* restore byte order */
+ dstpos = 0;
+- for (row = 0; row < rows * rowsize; row += rowsize)
++ for (row = 0; row < (gsize) rows * rowsize; row += rowsize)
+ {
+ guint64 offset;
+
+@@ -3567,18 +3564,17 @@ convert_1_bit (const gchar *src,
+ Rows are padded out to a byte boundary.
+ */
+ guint32 row_pos = 0;
+- gint i, j;
+
+ IFDBG(3) g_debug ("Start 1 bit conversion");
+
+- for (i = 0; i < rows * ((columns + 7) / 8); ++i)
++ for (gsize i = 0; i < (gsize) rows * ((columns + 7) / 8); ++i)
+ {
+ guchar mask = 0x80;
+- for (j = 0; j < 8 && row_pos < columns; ++j)
++ for (gint j = 0; j < 8 && row_pos < columns; ++j)
+ {
+ *dst = (*src & mask) ?
0 : 1;
+ IFDBG(4) g_debug ("byte %d, bit %d, offset %d, src %d, dst %d",
+- i , j, row_pos, *src, *dst);
++ (gint) i , j, row_pos, *src, *dst);
+ dst++;
+ mask >>= 1;
+ row_pos++;
diff -Nru gimp-3.0.4/debian/patches/CVE-2026-4151.patch gimp-3.0.4/debian/patches/CVE-2026-4151.patch
--- gimp-3.0.4/debian/patches/CVE-2026-4151.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-3.0.4/debian/patches/CVE-2026-4151.patch 2026-04-12 19:04:57.000000000 +0000
@@ -0,0 +1,43 @@
+From 09e5459de913172fc51da3bd6b6adc533acd368e Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Thu, 5 Mar 2026 23:58:45 +0000
+Subject: [PATCH] plug-ins: Resolve ZDI-CAN-28813 in ANI loading
+
+--- gimp-3.0.4.orig/plug-ins/file-ico/ico-load.c
++++ gimp-3.0.4/plug-ins/file-ico/ico-load.c
+@@ -893,7 +893,16 @@ ani_load_image (GFile *file,
+ if (inam)
+ g_free (inam);
+
+- inam = g_new0 (gchar, size + 1);
++ inam = g_try_new0 (gchar, size + 1);
++ if (inam == NULL)
++ {
++ fclose (fp);
++ g_set_error (error, G_FILE_ERROR,
++ g_file_error_from_errno (errno),
++ _("Invalid ANI metadata"));
++ return NULL;
++ }
++
+ n_read = fread (inam, sizeof (gchar), size, fp);
+ inam[size] = '\0';
+ }
+@@ -924,7 +933,16 @@ ani_load_image (GFile *file,
+ if (iart)
+ g_free (iart);
+
+- iart = g_new0 (gchar, size + 1);
++ iart = g_try_new0 (gchar, size + 1);
++ if (iart == NULL)
++ {
++ fclose (fp);
++ g_set_error (error, G_FILE_ERROR,
++ g_file_error_from_errno (errno),
++ _("Invalid ANI metadata"));
++ return NULL;
++ }
++
+ n_read = fread (iart, sizeof (gchar), size, fp);
+ iart[size] = '\0';
+ }
diff -Nru gimp-3.0.4/debian/patches/CVE-2026-4152.patch gimp-3.0.4/debian/patches/CVE-2026-4152.patch
--- gimp-3.0.4/debian/patches/CVE-2026-4152.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-3.0.4/debian/patches/CVE-2026-4152.patch 2026-04-12 19:06:03.000000000 +0000
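Review bot: In add_merged_image the widening `layer_size = (gsize) img_a->columns * img_a->rows;` only helps where gsize is 64 bits wide; on a 32-bit build that product, and the following `g_malloc (layer_size * base_channels * bps)`, can still wrap and leave `pixels` smaller than the memcpy loop assumes. A checked multiply closes this on every architecture, for example `if (! g_size_checked_mul (&layer_size, img_a->columns, img_a->rows))` with a failed load on overflow, and `g_malloc_n (layer_size, (gsize) base_channels * bps)` for the allocation. The same applies to the other `(gsize) … rows * … columns` casts in read_channel_data and convert_1_bit. The loop `for (gint64 i = 0; i < layer_size; ++i)` also compares a signed index with a gsize bound where the other loops in the patch use `gsize`. The function bodies start and end outside these hunks, so the available error path is not visible here.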
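Review bot: Both added blocks in ani_load_image only catch an allocation that fails; `size` itself is still used unvalidated, so a large value the allocator can satisfy still makes the loader allocate and zero `size + 1` bytes before `fread` finds the file is shorter. Where `size` is read is outside the hunk, but if it comes from the chunk header it should be bounded before the allocation, against the enclosing chunk length or a fixed cap (`if (size > ANI_MAX_STRING_PLACEHOLDER)`, the name being a placeholder). The new early returns also close `fp` without releasing the other string, so `g_free (iart);` in the first block and `g_free (inam);` in the second, placed before `return NULL;`, would avoid a leak when that string was already set. `g_file_error_from_errno (errno)` assumes errno is meaningful after `g_try_new0`, which does not hold when `size + 1` wraps to zero.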
@@ -0,0 +1,34 @@
+From f64c9c23ba3c37dc7b875a9fb477c23953b4666e Mon Sep 17 00:00:00 2001
+From: Alx Sa
+Date: Thu, 12 Mar 2026 13:48:45 +0000
+Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28863
+
+--- gimp-3.0.4.orig/plug-ins/common/file-jp2-load.c
++++ gimp-3.0.4/plug-ins/common/file-jp2-load.c
+@@ -1235,16 +1235,22 @@ load_image (GimpProcedure *procedure
+ base_type = GIMP_GRAY;
+ image_type = GIMP_GRAY_IMAGE;
+
+- if (num_components == 2)
+- image_type = GIMP_GRAYA_IMAGE;
++ if (num_components >= 2)
++ {
++ image_type = GIMP_GRAYA_IMAGE;
++ num_components = 2;
++ }
+ }
+ else if (image->color_space == OPJ_CLRSPC_SRGB)
+ {
+ base_type = GIMP_RGB;
+ image_type = GIMP_RGB_IMAGE;
+
+- if (num_components == 4)
+- image_type = GIMP_RGBA_IMAGE;
++ if (num_components >= 4)
++ {
++ image_type = GIMP_RGBA_IMAGE;
++ num_components = 4;
++ }
+ }
+ else
+ {
diff -Nru gimp-3.0.4/debian/patches/CVE-2026-4153.patch gimp-3.0.4/debian/patches/CVE-2026-4153.patch
--- gimp-3.0.4/debian/patches/CVE-2026-4153.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-3.0.4/debian/patches/CVE-2026-4153.patch 2026-04-12 19:06:41.000000000 +0000
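Review bot: The new clamps in load_image bound `num_components` from above only; an sRGB image reporting fewer than three components, or a gray one reporting none, still leaves these branches with `image_type = GIMP_RGB_IMAGE` or `GIMP_GRAY_IMAGE` and the smaller count. The code that consumes `num_components` is outside the hunk, so whether that mismatch is harmful cannot be judged here, but an explicit lower-bound check beside each clamp, such as `if (num_components < 3)` leading to the unsupported-image error path, would make the invariant complete. A short comment on each clamp, for example `/* Components beyond gray + alpha are ignored */`, would also show that dropping the extra components is deliberate.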
@@ -0,0 +1,41 @@
+From 98cb1371fd4e22cca75017ea3252dc32fc218712 Mon Sep 17 00:00:00 2001
+From: Jacob Boerema
+Date: Sat, 7 Mar 2026 15:55:04 -0500
+Subject: [PATCH] plug-ins: fix #15970 buffer overflow in file-psp
+
+--- gimp-3.0.4.orig/plug-ins/common/file-psp.c
++++ gimp-3.0.4/plug-ins/common/file-psp.c
+@@ -2103,7 +2103,23 @@ read_layer_block (FILE *f,
+
+ if (can_handle_layer)
+ {
+- pixel = g_malloc0 (height * width * bytespp);
++ gint line_width = width * bytespp;
++
++ if (ia->depth < 8)
++ {
++ gint min_line_width = (((width * ia->depth + 7) / 8) + (ia->depth - 1)) / 4 * 4;
++
++ /* For small widths, when depth is 1, or 4, the number of bytes
++ * used can be larger than the width * bytespp. Adjust for that. */
++ if (min_line_width > line_width)
++ {
++ IFDBG(3) g_message ("Adjusting line width from %d to %d\n",
++ line_width, min_line_width);
++ line_width = min_line_width;
++ }
++ }
++
++ pixel = g_malloc0 (height * line_width);
+ if (null_layer)
+ {
+ pixels = NULL;
+@@ -2112,7 +2128,7 @@ read_layer_block (FILE *f,
+ {
+ pixels = g_new (guchar *, height);
+ for (i = 0; i < height; i++)
+- pixels[i] = pixel + width * bytespp * i;
++ pixels[i] = pixel + line_width * i;
+ }
+
+ buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
diff -Nru gimp-3.0.4/debian/patches/series gimp-3.0.4/debian/patches/series
--- gimp-3.0.4/debian/patches/series 2026-02-28 16:14:26.000000000 +0000
+++ gimp-3.0.4/debian/patches/series 2026-04-12 19:07:17.000000000 +0000
@@ -19,3 +19,8 @@
 CVE-2026-2045.patch
 CVE-2026-2047.patch
 CVE-2026-2048.patch
+CVE-2026-4150.patch
+CVE-2026-4151.patch
+CVE-2026-4152.patch
+CVE-2026-4153.patch
+
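Review bot: The new sizing in read_layer_block is still computed in `gint`: `width * bytespp`, `width * ia->depth` and `height * line_width` can overflow for large layer dimensions, which would leave `pixel` smaller than the row pointers set by `pixels[i] = pixel + line_width * i` assume. The types of `width` and `height` and any earlier range check are outside the hunk, so this may already be bounded; if it is not, an overflow-checked allocation such as `pixel = g_try_malloc0_n (height, line_width);` followed by a NULL check would fail the load cleanly. The `min_line_width` expression would also benefit from a comment naming the reader whose row stride it mirrors, because the `+ (ia->depth - 1)` term is not an obvious round-up to four bytes.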