Your message dated Thu, 19 Feb 2026 23:03:23 +0000
with message-id <[email protected]>
and subject line Bug#1127838: fixed in gimp 3.0.4-3+deb13u6
has caused the Debian Bug report #1127838,
regarding gimp: CVE-2026-2239
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1127838: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127838
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gimp
Version: 3.2.0~RC2-3.1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/issues/15812
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for gimp.
CVE-2026-2239[0]:
| PSD loader: heap-buffer-overflow in fread_pascal_string() (no null
| terminator)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-2239
https://www.cve.org/CVERecord?id=CVE-2026-2239
[1] https://gitlab.gnome.org/GNOME/gimp/-/issues/15812
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gimp
Source-Version: 3.0.4-3+deb13u6
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated gimp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 16 Feb 2026 17:16:47 +0100
Source: gimp
Architecture: source
Version: 3.0.4-3+deb13u6
Distribution: trixie-security
Urgency: high
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1127838 1127841 1127842
Changes:
gimp (3.0.4-3+deb13u6) trixie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* plug-ins: fix PSD loader: heap-buffer-overflow in fread_pascal_string
(CVE-2026-2239) (Closes: #1127838)
* Fix PSP File Parsing Integer Overflow Leading to Heap Corruption
(CVE-2026-2271) (Closes: #1127841)
* plug-ins: Add overflow checks for ICO loading (CVE-2026-2272)
(Closes: #1127842)
* plug-ins: fix crash due to uninitialized ptr_array when loading a specially
crafted PSD
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---