Source: gimp Version: 3.0.4-2 Severity: grave Tags: security upstream Justification: user security hole Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/issues/12790 X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: found -1 2.10.34-1+deb12u2 Control: found -1 2.10.34-1+deb12u3 Control: found -1 2.10.34-1 Control: found -1 3.0.2-3.1
Hi, The following vulnerability was published for gimp. CVE-2025-2760[0]: | GIMP XWD File Parsing Integer Overflow Remote Code Execution | Vulnerability. This vulnerability allows remote attackers to execute | arbitrary code on affected installations of GIMP. User interaction | is required to exploit this vulnerability in that the target must | visit a malicious page or open a malicious file. The specific flaw | exists within the parsing of XWD files. The issue results from the | lack of proper validation of user-supplied data, which can result in | an integer overflow before allocating a buffer. An attacker can | leverage this vulnerability to execute code in the context of the | current process. Was ZDI-CAN-25082. Please note that the original fix was incomplete, cf. [2]. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-2760 https://www.cve.org/CVERecord?id=CVE-2025-2760 [1] https://gitlab.gnome.org/GNOME/gimp/-/issues/12790 [2] https://gitlab.gnome.org/GNOME/gimp/-/issues/12790#note_2468776 [3] https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2323 [4] https://www.zerodayinitiative.com/advisories/ZDI-25-203/ Regards, Salvatore
