[Pkg-gnome-extras-maintainers] Bug#1139632: trixie-pu: package gimp/3.0.4-3+deb13u9
Adrian Bunk
bunk at debian.org
Wed Jun 10 13:03:52 BST 2026
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: gimp at packages.debian.org, security at debian.org
Control: affects -1 + src:gimp
User: release.debian.org at packages.debian.org
Usertags: pu
* CVE-2026-4154: XPM parsing integer overflow
* CVE-2026-40915: FITS parsing integer overflow
-------------- next part --------------
diffstat for gimp-3.0.4 gimp-3.0.4
changelog | 8
patches/0001-plug-in-Resolve-ZDI-CAN-28901-for-file-xpm.patch | 89 ++++++++++
patches/0002-plug-ins-Protect-against-too-large-FITS-images.patch | 78 ++++++++
patches/series | 2
4 files changed, 177 insertions(+)
diff -Nru gimp-3.0.4/debian/changelog gimp-3.0.4/debian/changelog
--- gimp-3.0.4/debian/changelog 2026-04-12 22:07:17.000000000 +0300
+++ gimp-3.0.4/debian/changelog 2026-06-10 10:56:42.000000000 +0300
@@ -1,3 +1,11 @@
+gimp (3.0.4-3+deb13u9) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2026-4154: XPM parsing integer overflow
+ * CVE-2026-40915: FITS parsing integer overflow
+
+ -- Adrian Bunk <bunk at debian.org> Wed, 10 Jun 2026 10:56:42 +0300
+
gimp (3.0.4-3+deb13u8) trixie-security; urgency=medium
* CVE-2026-4150
diff -Nru gimp-3.0.4/debian/patches/0001-plug-in-Resolve-ZDI-CAN-28901-for-file-xpm.patch gimp-3.0.4/debian/patches/0001-plug-in-Resolve-ZDI-CAN-28901-for-file-xpm.patch
--- gimp-3.0.4/debian/patches/0001-plug-in-Resolve-ZDI-CAN-28901-for-file-xpm.patch 1970-01-01 02:00:00.000000000 +0200
+++ gimp-3.0.4/debian/patches/0001-plug-in-Resolve-ZDI-CAN-28901-for-file-xpm.patch 2026-06-10 10:56:14.000000000 +0300
@@ -0,0 +1,89 @@
+From d8780cce185bb80bc36b08fc72621bc7c3b6a7a5 Mon Sep 17 00:00:00 2001
+From: Alx Sa <cmyk.student at gmail.com>
+Date: Fri, 6 Mar 2026 13:54:44 +0000
+Subject: plug-in: Resolve ZDI-CAN-28901 for file-xpm
+
+Resolves #15971
+It was possible to set a XPM image to have a width and/or height
+that is larger than what GIMP can create an image for. In addition to
+causing gimp_image_new () to fail, it can also lead to buffer overflow
+when allocating space to read in the image.
+
+This patch adds a GError parameter to parse_image (), then uses it to
+pass up an error for either oversized images or buffer overflows.
+---
+ plug-ins/common/file-xpm.c | 32 ++++++++++++++++++++++++++++----
+ 1 file changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/plug-ins/common/file-xpm.c b/plug-ins/common/file-xpm.c
+index d9ee6504c3..acf7248341 100644
+--- a/plug-ins/common/file-xpm.c
++++ b/plug-ins/common/file-xpm.c
+@@ -125,7 +125,8 @@ static GimpImage * load_image (GFile *file,
+ static guchar * parse_colors (XpmImage *xpm_image);
+ static void parse_image (GimpImage *image,
+ XpmImage *xpm_image,
+- guchar *cmap);
++ guchar *cmap,
++ GError **error);
+ static gboolean export_image (GFile *file,
+ GimpImage *image,
+ GimpDrawable *drawable,
+@@ -385,12 +386,28 @@ load_image (GFile *file,
+
+ cmap = parse_colors (&xpm_image);
+
++ if (xpm_image.width > GIMP_MAX_IMAGE_SIZE)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("Unsupported or invalid image width: %d"),
++ xpm_image.width);
++ return NULL;
++ }
++
++ if (xpm_image.height > GIMP_MAX_IMAGE_SIZE)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("Unsupported or invalid image height: %d"),
++ xpm_image.height);
++ return NULL;
++ }
++
+ image = gimp_image_new (xpm_image.width,
+ xpm_image.height,
+ GIMP_RGB);
+
+ /* fill it */
+- parse_image (image, &xpm_image, cmap);
++ parse_image (image, &xpm_image, cmap, error);
+
+ g_free (cmap);
+
+@@ -472,7 +489,8 @@ parse_colors (XpmImage *xpm_image)
+ static void
+ parse_image (GimpImage *image,
+ XpmImage *xpm_image,
+- guchar *cmap)
++ guchar *cmap,
++ GError **error)
+ {
+ GeglBuffer *buffer;
+ gint tile_height;
+@@ -498,7 +516,13 @@ parse_image (GimpImage *image,
+
+ tile_height = gimp_tile_height ();
+
+- buf = g_new (guchar, tile_height * xpm_image->width * 4);
++ buf = g_try_new (guchar, tile_height * xpm_image->width * 4);
++ if (buf == NULL)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ "%s", _("XPM file invalid"));
++ return;
++ }
+
+ src = xpm_image->data;
+ for (i = 0; i < xpm_image->height; i += tile_height)
+--
+2.47.3
+
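Review bot: In parse_image the size expression `tile_height * xpm_image->width * 4` is still evaluated before `g_try_new` receives it, so the added NULL check catches a failed allocation but not a product that has already wrapped. Only the width bound added in load_image keeps it in range. Doing the multiplication in `gsize`, e.g. `buf = g_try_new (guchar, (gsize) tile_height * xpm_image->width * 4);`, would make the allocation hold up independently of the caller's check. parse_image also remains `void`, so load_image goes on to `g_free (cmap)` with no way to tell that `error` was set, and the two new early `return NULL` paths in load_image skip `g_free (cmap)`; returning a `gboolean` and freeing `cmap` before those returns would close both. Both function bodies continue outside the hunks shown, so what load_image finally returns after a failed parse_image should be confirmed against the full file.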
diff -Nru gimp-3.0.4/debian/patches/0002-plug-ins-Protect-against-too-large-FITS-images.patch gimp-3.0.4/debian/patches/0002-plug-ins-Protect-against-too-large-FITS-images.patch
--- gimp-3.0.4/debian/patches/0002-plug-ins-Protect-against-too-large-FITS-images.patch 1970-01-01 02:00:00.000000000 +0200
+++ gimp-3.0.4/debian/patches/0002-plug-ins-Protect-against-too-large-FITS-images.patch 2026-06-10 10:56:14.000000000 +0300
@@ -0,0 +1,78 @@
+From 2ecd051417749c814958dcecd041d8ed56336cf8 Mon Sep 17 00:00:00 2001
+From: Alx Sa <cmyk.student at gmail.com>
+Date: Thu, 19 Mar 2026 12:05:47 +0000
+Subject: plug-ins: Protect against too-large FITS images
+
+Resolves #16051
+As reported by mzfr, it is possible to crash the FITS plug-in
+if a large enough image is read in. This patch implements their
+suggestions of using g_try_malloc () over malloc () (and checking
+if it returns NULL), as well as verifying the width & height are
+within GIMP's image range.
+---
+ plug-ins/file-fits/fits.c | 40 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 36 insertions(+), 4 deletions(-)
+
+diff --git a/plug-ins/file-fits/fits.c b/plug-ins/file-fits/fits.c
+index b4a8dbb433..5aeac65474 100644
+--- a/plug-ins/file-fits/fits.c
++++ b/plug-ins/file-fits/fits.c
+@@ -474,12 +474,35 @@ load_image (GFile *file,
+ NULL);
+ }
+
+- /* If RGB FITS image, we need to read in the whole image so we can convert
+- * the planes format to RGB */
++ if (width <= 0 ||
++ height <= 0 ||
++ width > GIMP_MAX_IMAGE_SIZE ||
++ height > GIMP_MAX_IMAGE_SIZE)
++ {
++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++ _("'%s' has a larger image size (%d x %d) "
++ "than GIMP can handle."),
++ gimp_file_get_utf8_name (file), width, height);
++ fits_close_file (ifp, &status);
++ return NULL;
++ }
++
++ /* If RGB FITS image, we need to read in the whole image so we can
++ * convert the planes format to RGB */
+ if (hdu.naxis == 2)
+- pixels = (gdouble *) malloc (width * sizeof (gdouble) * channels);
++ pixels =
++ (gdouble *) g_try_malloc (width * sizeof (gdouble) * channels);
+ else
+- pixels = (gdouble *) malloc (width * height * sizeof (gdouble) * channels);
++ pixels =
++ (gdouble *) g_try_malloc (width * height * sizeof (gdouble) * channels);
++
++ if (pixels == NULL)
++ {
++ g_set_error (error, G_FILE_ERROR, 0,
++ "Memory could not be allocated.");
++ fits_close_file (ifp, &status);
++ return NULL;
++ }
+
+ if (! image)
+ {
+@@ -552,6 +575,15 @@ load_image (GFile *file,
+
+ temp = (gdouble *) malloc (width * height * sizeof (gdouble) * channels);
+
++ if (temp == NULL)
++ {
++ g_set_error (error, G_FILE_ERROR, 0,
++ "Memory could not be allocated.");
++ fits_close_file (ifp, &status);
++ g_object_unref (buffer);
++ return image;
++ }
++
+ if (datamin < datamax)
+ {
+ for (gint ii = 0; ii < total_size; ii++)
+--
+2.47.3
+
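Review bot: The allocation size `width * height * sizeof (gdouble) * channels` multiplies `width * height` first, and if both are `gint` (the `%d` format in the new error message suggests so) that product can overflow even when each dimension passes the new `GIMP_MAX_IMAGE_SIZE` check, leaving a buffer smaller than the later loops expect. Widening before the multiply and letting GLib check the final product, e.g. `pixels = g_try_malloc_n ((gsize) width * height * channels, sizeof (gdouble));`, would remove the dependence on operand order. The `temp` allocation in the last hunk still uses plain `malloc` with the same expression. Its new failure path returns `image` with `error` set and does not release `pixels`. How `pixels` and `image` are released is outside the hunks, so that part should be confirmed against the full function.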
diff -Nru gimp-3.0.4/debian/patches/series gimp-3.0.4/debian/patches/series
--- gimp-3.0.4/debian/patches/series 2026-04-12 22:07:17.000000000 +0300
+++ gimp-3.0.4/debian/patches/series 2026-06-10 10:56:39.000000000 +0300
@@ -24,3 +24,5 @@
CVE-2026-4152.patch
CVE-2026-4153.patch
+0001-plug-in-Resolve-ZDI-CAN-28901-for-file-xpm.patch
+0002-plug-ins-Protect-against-too-large-FITS-images.patch