Your message dated Mon, 02 Mar 2026 23:50:50 +0000
with message-id <[email protected]>
and subject line Bug#1128601: fixed in gimp 3.2.0~RC3-1
has caused the Debian Bug report #1128601,
regarding gimp: CVE-2026-0797
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1128601: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128601
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gimp
Version: 3.2.0~RC2-3.3
Severity: grave
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/issues/15555
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for gimp.
CVE-2026-0797[0]:
| GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code
| Execution Vulnerability. This vulnerability allows remote attackers
| to execute arbitrary code on affected installations of GIMP. User
| interaction is required to exploit this vulnerability in that the
| target must visit a malicious page or open a malicious file. The
| specific flaw exists within the parsing of ICO files. The issue
| results from the lack of proper validation of the length of user-
| supplied data prior to copying it to a heap-based buffer. An
| attacker can leverage this vulnerability to execute code in the
| context of the current process. Was ZDI-CAN-28599.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-0797
https://www.cve.org/CVERecord?id=CVE-2026-0797
[1] https://gitlab.gnome.org/GNOME/gimp/-/issues/15555
[2] https://gitlab.gnome.org/GNOME/gimp/-/commit/c54bf22acb04b83ae38ed50add58f300e898dd81
[3] https://gitlab.gnome.org/GNOME/gimp/-/commit/905ce4b48782c5e71c79714b7ba7f6ebe4d0329d
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gimp
Source-Version: 3.2.0~RC3-1
Done: Jeremy Bícha <[email protected]>
We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jeremy Bícha <[email protected]> (supplier of updated gimp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 02 Mar 2026 18:36:30 -0500
Source: gimp
Built-For-Profiles: noudeb
Architecture: source
Version: 3.2.0~RC3-1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Extras Maintainers <[email protected]>
Changed-By: Jeremy Bícha <[email protected]>
Closes: 1128601 1128604 1128605 1128606
Changes:
 gimp (3.2.0~RC3-1) unstable; urgency=high
 .
   * New upstream release including multiple plug-in security fixes:
     - CVE-2026-0797 (Closes: #1128601)
     - CVE-2026-2045 (Closes: #1128604)
     - CVE-2026-2047 (Closes: #1128605)
     - CVE-2026-2048 (Closes: #1128606)
     - https://www.gimp.org/news/2026/03/02/gimp-3-2-RC3-released/
   * Add Build-Depends: bash-completion
   * debian/libgimp-3.0-0.symbols: Add new symbols
   * Bump minimum babl
   * Remove all patches: applied in new release
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---