Control: tags 1127839 + patch
Control: tags 1127839 + pending
Control: tags 1127841 + patch
Control: tags 1127841 + pending
Control: tags 1127842 + patch
Control: tags 1127842 + pending
X-Debbugs-CC: [email protected]


Dear maintainer,

I've prepared an NMU for gimp (versioned as 3.2.0~RC2-3.2) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should cancel it, or I'm happy to reschedule it to a 0-day delay if you
agree.

This is a preparation for addressing the same set of CVEs as well in
older suites trixie and bookworm via a DSA.

Regards,
Salvatore

diffstat for gimp-3.2.0~RC2 gimp-3.2.0~RC2

 changelog                                                          |   12 ++
 patches/plug-ins-Add-overflow-checks-for-ICO-loading.patch         |   59 ++++++++++
 patches/plug-ins-Fix-15732-PSP-File-Parsing-Integer-Overflow.patch |   49 ++++++++
 patches/plug-ins-fix-15812-PSD-loader-heap-buffer-overflow.patch   |   42 +++++++
 patches/series                                                     |    3 
 5 files changed, 165 insertions(+)

diff -Nru gimp-3.2.0~RC2/debian/changelog gimp-3.2.0~RC2/debian/changelog
--- gimp-3.2.0~RC2/debian/changelog	2026-01-31 13:53:39.000000000 +0100
+++ gimp-3.2.0~RC2/debian/changelog	2026-02-15 17:03:45.000000000 +0100
@@ -1,3 +1,15 @@
+gimp (3.2.0~RC2-3.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * plug-ins: fix PSD loader: heap-buffer-overflow in fread_pascal_string
+    (CVE-2026-2239) (Closes: #1127839)
+  * Fix PSP File Parsing Integer Overflow Leading to Heap Corruption
+    (CVE-2026-2271) (Closes: #1127841)
+  * plug-ins: Add overflow checks for ICO loading (CVE-2026-2272)
+    (Closes: #1127842)
+
+ -- Salvatore Bonaccorso <[email protected]>  Sun, 15 Feb 2026 17:03:45 +0100
+
 gimp (3.2.0~RC2-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
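Review bot: Style: the second changelog entry ("Fix PSP File Parsing Integer Overflow Leading to Heap Corruption") is the only one of the three without the "plug-ins:" prefix the other two carry; consider "plug-ins: Fix PSP File Parsing Integer Overflow Leading to Heap Corruption (CVE-2026-2271) (Closes: #1127841)" so the entries read consistently and match the patch subject. The CVE and bug numbers in all three entries match the Bug-Debian and Bug-Debian-Security headers of the corresponding patch files and the Control: tags at the top of the mail.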
diff -Nru gimp-3.2.0~RC2/debian/patches/plug-ins-Add-overflow-checks-for-ICO-loading.patch gimp-3.2.0~RC2/debian/patches/plug-ins-Add-overflow-checks-for-ICO-loading.patch
--- gimp-3.2.0~RC2/debian/patches/plug-ins-Add-overflow-checks-for-ICO-loading.patch	1970-01-01 01:00:00.000000000 +0100
+++ gimp-3.2.0~RC2/debian/patches/plug-ins-Add-overflow-checks-for-ICO-loading.patch	2026-02-15 17:02:28.000000000 +0100
@@ -0,0 +1,59 @@
+From: Alx Sa <[email protected]>
+Date: Mon, 12 Jan 2026 12:17:00 +0000
+Subject: plug-ins: Add overflow checks for ICO loading
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/058ada8f3ffc0a42b7dd1561a8817c8cc83b7d2a
+Bug: https://gitlab.gnome.org/GNOME/gimp/-/issues/15617
+Bug-Debian: https://bugs.debian.org/1127842
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-2272
+
+As pointed out by Dhiraj, it is possible to set width and
+height values in the ICO header that will overflow a 32 bit
+integer when loaded in. This patch adds checks using
+g_size_check_mul () and g_try_new () to catch these
+overflows and prevent them from crashing the plug-in.
+---
+ plug-ins/file-ico/ico-load.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
+index 3cb3e033eca5..29ad4c5eb596 100644
+--- a/plug-ins/file-ico/ico-load.c
++++ b/plug-ins/file-ico/ico-load.c
+@@ -430,6 +430,7 @@ ico_read_icon (FILE    *fp,
+                gint    *height)
+ {
+   IcoFileDataHeader   data;
++  gsize               data_size;
+   gint                length;
+   gint                x, y, w, h;
+   guchar             *xor_map, *and_map;
+@@ -479,7 +480,9 @@ ico_read_icon (FILE    *fp,
+       return FALSE;
+     }
+ 
+-  if (data.width * data.height * 2 > maxsize)
++  if (! g_size_checked_mul (&data_size, data.width, data.height) ||
++      ! g_size_checked_mul (&data_size, data_size, 2)            ||
++      data_size > maxsize)
+     {
+       D(("skipping image: too large\n"));
+       return FALSE;
+@@ -749,7 +752,14 @@ ico_load_image (GFile        *file,
+   image = gimp_image_new (max_width, max_height, GIMP_RGB);
+ 
+   maxsize = max_width * max_height * 4;
+-  buf = g_new (guchar, max_width * max_height * 4);
++  buf     = g_try_new (guchar, maxsize);
++  if (! buf)
++    {
++      g_free (info);
++      fclose (fp);
++      return NULL;
++    }
++
+   for (i = 0; i < icon_count; i++)
+     {
+       GimpLayer *layer;
+-- 
+2.51.0
+
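Review bot: Logic: in the second ico-load.c hunk, `maxsize = max_width * max_height * 4;` is still an unchecked multiplication and is then used as the size passed to `g_try_new (guchar, maxsize)`, so the overflow protection that the first hunk adds to ico_read_icon via g_size_checked_mul() is not applied at the point where the shared buffer is actually allocated; if that product overflows, maxsize no longer reflects the real buffer size and the per-icon `data_size > maxsize` comparison in ico_read_icon is made against a wrong bound. Consider computing maxsize with the same g_size_checked_mul() sequence and returning NULL on failure. Also in that hunk, the new early return on `! buf` frees info and closes fp, but the `image` created by gimp_image_new() two lines above is neither deleted nor returned, so it leaks on this path; a `gimp_image_delete (image);` before `return NULL;` would take care of it. Minor: the commit message refers to g_size_check_mul () while the code uses g_size_checked_mul ().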
diff -Nru gimp-3.2.0~RC2/debian/patches/plug-ins-Fix-15732-PSP-File-Parsing-Integer-Overflow.patch gimp-3.2.0~RC2/debian/patches/plug-ins-Fix-15732-PSP-File-Parsing-Integer-Overflow.patch
--- gimp-3.2.0~RC2/debian/patches/plug-ins-Fix-15732-PSP-File-Parsing-Integer-Overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ gimp-3.2.0~RC2/debian/patches/plug-ins-Fix-15732-PSP-File-Parsing-Integer-Overflow.patch	2026-02-15 16:59:53.000000000 +0100
@@ -0,0 +1,49 @@
+From: Jacob Boerema <[email protected]>
+Date: Fri, 23 Jan 2026 11:35:50 -0500
+Subject: plug-ins: Fix #15732 PSP File Parsing Integer Overflow...
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/0e63f096fa5f7dc3fae0a8e865fd5a05ebe45da8
+Bug: https://gitlab.gnome.org/GNOME/gimp/-/issues/15732
+Bug-Debian: https://bugs.debian.org/1127841
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-2271
+
+Leading to Heap Corruption
+
+An integer overflow vulnerability has been identified in the PSP
+(Paint Shop Pro) file parser of GIMP. The issue occurs in the
+read_creator_block() function, where the Creator metadata block is
+processed. Specifically, a 32-bit length value read from the file is
+used directly for memory allocation without proper validation.
+Trigger -> when length is set to 0xFFFFFFFF
+
+To fix this, we check that using that length doesn't exceed the end
+of the creator block. If it does, we return with an error message.
+---
+ plug-ins/common/file-psp.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index 9004998ab6c1..0ce72402ab80 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -1121,7 +1121,17 @@ read_creator_block (FILE      *f,
+         }
+       keyword = GUINT16_FROM_LE (keyword);
+       length = GUINT32_FROM_LE (length);
+-      switch (keyword)
++
++      if ((goffset) ftell (f) + length > (goffset) data_start + total_len)
++        {
++          /* FIXME: After string freeze is over, we should consider changing
++           * this error message to be a bit more descriptive. */
++          g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++                        _("Error reading creator keyword data"));
++          return -1;
++        }
++
++        switch (keyword)
+         {
+         case PSP_CRTR_FLD_TITLE:
+         case PSP_CRTR_FLD_ARTIST:
+-- 
+2.51.0
+
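Review bot: Style: the replacement `switch (keyword)` line is re-indented from 6 to 8 spaces while its opening brace on the following context line stays at 8, which reads as an accidental indentation change rather than a deliberate one; restoring the original 6-space indent keeps the switch aligned with the preceding `length = GUINT32_FROM_LE (length);`. Logic: the new bounds check uses ftell (f) without handling its -1 error return, so a failed ftell turns the left-hand side into `-1 + length`, which passes the check for any length; checking the ftell result before the comparison would close that gap. The cast to goffset before adding the 32-bit length is the right shape for the 0xFFFFFFFF trigger described in the message, since the sum cannot wrap in a 64-bit signed type.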
diff -Nru gimp-3.2.0~RC2/debian/patches/plug-ins-fix-15812-PSD-loader-heap-buffer-overflow.patch gimp-3.2.0~RC2/debian/patches/plug-ins-fix-15812-PSD-loader-heap-buffer-overflow.patch
--- gimp-3.2.0~RC2/debian/patches/plug-ins-fix-15812-PSD-loader-heap-buffer-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ gimp-3.2.0~RC2/debian/patches/plug-ins-fix-15812-PSD-loader-heap-buffer-overflow.patch	2026-02-15 16:58:10.000000000 +0100
@@ -0,0 +1,42 @@
+From: Jacob Boerema <[email protected]>
+Date: Fri, 6 Feb 2026 15:56:07 -0500
+Subject: plug-ins: fix #15812 PSD loader: heap-buffer-overflow ...
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/51a2d65a2df403f6da582173e0ddd7904356f5ae
+Bug: https://gitlab.gnome.org/GNOME/gimp/-/issues/15812
+Bug-Debian: https://bugs.debian.org/1127839
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-2239
+
+in fread_pascal_string
+
+In plug-ins/file-psd/psd-util.c, the function fread_pascal_string()
+allocates a buffer with g_malloc(len) and reads len bytes from the file
+into it. The buffer is not null-terminated, but is assumed to be in
+later code.
+This causes it to read past the end of its allocated region with a
+specially crafted PSD, causing a heap-buffer-overflow.
+
+Fix this by alloocating one more byte than its length and set that
+to '\0'.
+
+(cherry picked from commit 8cf2772f5631719ae0e4e701bd7ef793b1f59cfa)
+---
+ plug-ins/file-psd/psd-util.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/file-psd/psd-util.c b/plug-ins/file-psd/psd-util.c
+index e0cca2b4db0e..734155c57ab8 100644
+--- a/plug-ins/file-psd/psd-util.c
++++ b/plug-ins/file-psd/psd-util.c
+@@ -274,7 +274,8 @@ fread_pascal_string (gint32        *bytes_read,
+       return NULL;
+     }
+ 
+-  str = g_malloc (len);
++  str = g_malloc (len + 1);
++  str[len] = '\0';
+   if (psd_read (input, str, len, error) < len)
+     {
+       psd_set_error (error);
+-- 
+2.51.0
+
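Review bot: Documentation: the commit message has a typo ("alloocating" for "allocating") and does not say where the unterminated buffer was later consumed, which is the actual out-of-bounds read site; naming that consumer in the message would help anyone auditing the other callers of fread_pascal_string(). The code change itself looks right as far as the hunk shows: `str[len] = '\0'` is written before psd_read(), and psd_read() is asked for exactly len bytes, so the terminator is not overwritten on the successful path.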
diff -Nru gimp-3.2.0~RC2/debian/patches/series gimp-3.2.0~RC2/debian/patches/series
--- gimp-3.2.0~RC2/debian/patches/series	2026-01-31 13:50:51.000000000 +0100
+++ gimp-3.2.0~RC2/debian/patches/series	2026-02-15 17:02:51.000000000 +0100
@@ -1,2 +1,5 @@
 devel-docs-Use-API-version-not-app-version-for-install-lo.patch
 plug-ins-fix-15284-ZDI-CAN-28232-vulnerability-in-fi.patch
+plug-ins-fix-15812-PSD-loader-heap-buffer-overflow.patch
+plug-ins-Fix-15732-PSP-File-Parsing-Integer-Overflow.patch
+plug-ins-Add-overflow-checks-for-ICO-loading.patch
