Your message dated Sat, 11 Jul 2026 10:32:47 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1139632,
regarding trixie-pu: package gimp/3.0.4-3+deb13u9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1139632: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139632
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:gimp
User: [email protected]
Usertags: pu

  * CVE-2026-4154: XPM parsing integer overflow
  * CVE-2026-40915: FITS parsing integer overflow
diffstat for gimp-3.0.4 gimp-3.0.4

 changelog                                                         |    8 
 patches/0001-plug-in-Resolve-ZDI-CAN-28901-for-file-xpm.patch     |   89 
++++++++++
 patches/0002-plug-ins-Protect-against-too-large-FITS-images.patch |   78 
++++++++
 patches/series                                                    |    2 
 4 files changed, 177 insertions(+)

diff -Nru gimp-3.0.4/debian/changelog gimp-3.0.4/debian/changelog
--- gimp-3.0.4/debian/changelog 2026-04-12 22:07:17.000000000 +0300
+++ gimp-3.0.4/debian/changelog 2026-06-10 10:56:42.000000000 +0300
@@ -1,3 +1,11 @@
+gimp (3.0.4-3+deb13u9) trixie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2026-4154: XPM parsing integer overflow
+  * CVE-2026-40915: FITS parsing integer overflow
+
+ -- Adrian Bunk <[email protected]>  Wed, 10 Jun 2026 10:56:42 +0300
+
 gimp (3.0.4-3+deb13u8) trixie-security; urgency=medium
 
   * CVE-2026-4150
diff -Nru 
gimp-3.0.4/debian/patches/0001-plug-in-Resolve-ZDI-CAN-28901-for-file-xpm.patch 
gimp-3.0.4/debian/patches/0001-plug-in-Resolve-ZDI-CAN-28901-for-file-xpm.patch
--- 
gimp-3.0.4/debian/patches/0001-plug-in-Resolve-ZDI-CAN-28901-for-file-xpm.patch 
    1970-01-01 02:00:00.000000000 +0200
+++ 
gimp-3.0.4/debian/patches/0001-plug-in-Resolve-ZDI-CAN-28901-for-file-xpm.patch 
    2026-06-10 10:56:14.000000000 +0300
@@ -0,0 +1,89 @@
+From d8780cce185bb80bc36b08fc72621bc7c3b6a7a5 Mon Sep 17 00:00:00 2001
+From: Alx Sa <[email protected]>
+Date: Fri, 6 Mar 2026 13:54:44 +0000
+Subject: plug-in: Resolve ZDI-CAN-28901 for file-xpm
+
+Resolves #15971
+It was possible to set a XPM image to have a width and/or height
+that is larger than what GIMP can create an image for. In addition to
+causing gimp_image_new () to fail, it can also lead to buffer overflow
+when allocating space to read in the image.
+
+This patch adds a GError parameter to parse_image (), then uses it to
+pass up an error for either oversized images or buffer overflows.
+---
+ plug-ins/common/file-xpm.c | 32 ++++++++++++++++++++++++++++----
+ 1 file changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/plug-ins/common/file-xpm.c b/plug-ins/common/file-xpm.c
+index d9ee6504c3..acf7248341 100644
+--- a/plug-ins/common/file-xpm.c
++++ b/plug-ins/common/file-xpm.c
+@@ -125,7 +125,8 @@ static GimpImage      * load_image           (GFile        
         *file,
+ static guchar         * parse_colors         (XpmImage               
*xpm_image);
+ static void             parse_image          (GimpImage              *image,
+                                               XpmImage               
*xpm_image,
+-                                              guchar                 *cmap);
++                                              guchar                 *cmap,
++                                              GError                **error);
+ static gboolean         export_image         (GFile                  *file,
+                                               GimpImage              *image,
+                                               GimpDrawable           
*drawable,
+@@ -385,12 +386,28 @@ load_image (GFile   *file,
+ 
+   cmap = parse_colors (&xpm_image);
+ 
++  if (xpm_image.width > GIMP_MAX_IMAGE_SIZE)
++    {
++      g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++                   _("Unsupported or invalid image width: %d"),
++                   xpm_image.width);
++      return NULL;
++    }
++
++  if (xpm_image.height > GIMP_MAX_IMAGE_SIZE)
++    {
++      g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++                   _("Unsupported or invalid image height: %d"),
++                   xpm_image.height);
++      return NULL;
++    }
++
+   image = gimp_image_new (xpm_image.width,
+                           xpm_image.height,
+                           GIMP_RGB);
+ 
+   /* fill it */
+-  parse_image (image, &xpm_image, cmap);
++  parse_image (image, &xpm_image, cmap, error);
+ 
+   g_free (cmap);
+ 
+@@ -472,7 +489,8 @@ parse_colors (XpmImage *xpm_image)
+ static void
+ parse_image (GimpImage *image,
+              XpmImage  *xpm_image,
+-             guchar    *cmap)
++             guchar    *cmap,
++             GError   **error)
+ {
+   GeglBuffer *buffer;
+   gint        tile_height;
+@@ -498,7 +516,13 @@ parse_image (GimpImage *image,
+ 
+   tile_height = gimp_tile_height ();
+ 
+-  buf  = g_new (guchar, tile_height * xpm_image->width * 4);
++  buf = g_try_new (guchar, tile_height * xpm_image->width * 4);
++  if (buf == NULL)
++    {
++      g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++                   "%s", _("XPM file invalid"));
++      return;
++    }
+ 
+   src  = xpm_image->data;
+   for (i = 0; i < xpm_image->height; i += tile_height)
+-- 
+2.47.3
+
diff -Nru 
gimp-3.0.4/debian/patches/0002-plug-ins-Protect-against-too-large-FITS-images.patch
 
gimp-3.0.4/debian/patches/0002-plug-ins-Protect-against-too-large-FITS-images.patch
--- 
gimp-3.0.4/debian/patches/0002-plug-ins-Protect-against-too-large-FITS-images.patch
 1970-01-01 02:00:00.000000000 +0200
+++ 
gimp-3.0.4/debian/patches/0002-plug-ins-Protect-against-too-large-FITS-images.patch
 2026-06-10 10:56:14.000000000 +0300
@@ -0,0 +1,78 @@
+From 2ecd051417749c814958dcecd041d8ed56336cf8 Mon Sep 17 00:00:00 2001
+From: Alx Sa <[email protected]>
+Date: Thu, 19 Mar 2026 12:05:47 +0000
+Subject: plug-ins: Protect against too-large FITS images
+
+Resolves #16051
+As reported by mzfr, it is possible to crash the FITS plug-in
+if a large enough image is read in. This patch implements their
+suggestions of using g_try_malloc () over malloc () (and checking
+if it returns NULL), as well as verifying the width & height are
+within GIMP's image range.
+---
+ plug-ins/file-fits/fits.c | 40 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 36 insertions(+), 4 deletions(-)
+
+diff --git a/plug-ins/file-fits/fits.c b/plug-ins/file-fits/fits.c
+index b4a8dbb433..5aeac65474 100644
+--- a/plug-ins/file-fits/fits.c
++++ b/plug-ins/file-fits/fits.c
+@@ -474,12 +474,35 @@ load_image (GFile        *file,
+                                     NULL);
+         }
+ 
+-      /* If RGB FITS image, we need to read in the whole image so we can 
convert
+-       * the planes format to RGB */
++      if (width  <= 0                  ||
++          height <= 0                  ||
++          width  > GIMP_MAX_IMAGE_SIZE ||
++          height > GIMP_MAX_IMAGE_SIZE)
++        {
++          g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++                       _("'%s' has a larger image size (%d x %d) "
++                         "than GIMP can handle."),
++                       gimp_file_get_utf8_name (file), width, height);
++          fits_close_file (ifp, &status);
++          return NULL;
++        }
++
++      /* If RGB FITS image, we need to read in the whole image so we can
++       * convert the planes format to RGB */
+       if (hdu.naxis == 2)
+-        pixels = (gdouble *) malloc (width * sizeof (gdouble) * channels);
++        pixels =
++          (gdouble *) g_try_malloc (width * sizeof (gdouble) * channels);
+       else
+-        pixels = (gdouble *) malloc (width * height * sizeof (gdouble) * 
channels);
++        pixels =
++          (gdouble *) g_try_malloc (width * height * sizeof (gdouble) * 
channels);
++
++      if (pixels == NULL)
++        {
++          g_set_error (error, G_FILE_ERROR, 0,
++                       "Memory could not be allocated.");
++          fits_close_file (ifp, &status);
++          return NULL;
++        }
+ 
+       if (! image)
+         {
+@@ -552,6 +575,15 @@ load_image (GFile        *file,
+ 
+               temp = (gdouble *) malloc (width * height * sizeof (gdouble) * 
channels);
+ 
++              if (temp == NULL)
++                {
++                  g_set_error (error, G_FILE_ERROR, 0,
++                               "Memory could not be allocated.");
++                  fits_close_file (ifp, &status);
++                  g_object_unref (buffer);
++                  return image;
++                }
++
+               if (datamin < datamax)
+                 {
+                   for (gint ii = 0; ii < total_size; ii++)
+-- 
+2.47.3
+
diff -Nru gimp-3.0.4/debian/patches/series gimp-3.0.4/debian/patches/series
--- gimp-3.0.4/debian/patches/series    2026-04-12 22:07:17.000000000 +0300
+++ gimp-3.0.4/debian/patches/series    2026-06-10 10:56:39.000000000 +0300
@@ -24,3 +24,5 @@
 CVE-2026-4152.patch
 CVE-2026-4153.patch
 
+0001-plug-in-Resolve-ZDI-CAN-28901-for-file-xpm.patch
+0002-plug-ins-Protect-against-too-large-FITS-images.patch

--- End Message ---
--- Begin Message ---
Version: 13.6

This update was released as part of 13.6.

--- End Message ---

Reply via email to