Your message dated Thu, 05 Mar 2026 20:32:07 +0000
with message-id <[email protected]>
and subject line Bug#1128605: fixed in gimp 3.0.4-3+deb13u7
has caused the Debian Bug report #1128605,
regarding gimp: CVE-2026-2047
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1128605: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128605
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gimp
Version: 3.2.0~RC2-3.1
Severity: grave
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/issues/15437
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for gimp.

CVE-2026-2047[0]:
| GIMP ICNS File Parsing Heap-based Buffer Overflow Remote Code
| Execution Vulnerability. This vulnerability allows remote attackers
| to execute arbitrary code on affected installations of GIMP. User
| interaction is required to exploit this vulnerability in that the
| target must visit a malicious page or open a malicious file.  The
| specific flaw exists within the parsing of ICNS files. The issue
| results from the lack of proper validation of the length of user-
| supplied data prior to copying it to a heap-based buffer. An
| attacker can leverage this vulnerability to execute code in the
| context of the current process. Was ZDI-CAN-28530.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-2047
    https://www.cve.org/CVERecord?id=CVE-2026-2047
[1] https://gitlab.gnome.org/GNOME/gimp/-/issues/15437
[2] https://gitlab.gnome.org/GNOME/gimp/-/commit/dd2faac351f1ff2588529fedc606e6a5f815577c

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: gimp
Source-Version: 3.0.4-3+deb13u7
Done: Moritz Mühlenhoff <[email protected]>

We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <[email protected]> (supplier of updated gimp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 28 Feb 2026 17:14:52 +0100
Source: gimp
Architecture: source
Version: 3.0.4-3+deb13u7
Distribution: trixie-security
Urgency: medium
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Moritz Mühlenhoff <[email protected]>
Closes: 1128601 1128604 1128605 1128606
Changes:
 gimp (3.0.4-3+deb13u7) trixie-security; urgency=medium
 .
   * CVE-2026-0797 (Closes: #1128601)
   * CVE-2026-2044
   * CVE-2026-2045 (Closes: #1128604)
   * CVE-2026-2047 (Closes: #1128605)
   * CVE-2026-2048 (Closes: #1128606)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
