Your message dated Fri, 13 Mar 2026 18:32:24 +0000
with message-id <[email protected]>
and subject line Bug#1128606: fixed in gimp 2.10.34-1+deb12u9
has caused the Debian Bug report #1128606,
regarding gimp: CVE-2026-2048
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1128606: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128606
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gimp
Version: 3.2.0~RC2-3.1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/issues/15554
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for gimp.
CVE-2026-2048[0]:
| GIMP XWD File Parsing Out-Of-Bounds Write Remote Code Execution
| Vulnerability. This vulnerability allows remote attackers to execute
| arbitrary code on affected installations of GIMP. User interaction
| is required to exploit this vulnerability in that the target must
| visit a malicious page or open a malicious file. The specific flaw
| exists within the parsing of XWD files. The issue results from the
| lack of proper validation of user-supplied data, which can result in
| a write past the end of an allocated buffer. An attacker can
| leverage this vulnerability to execute code in the context of the
| current process. Was ZDI-CAN-28591.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-2048
https://www.cve.org/CVERecord?id=CVE-2026-2048
[1] https://gitlab.gnome.org/GNOME/gimp/-/issues/15554
[2] https://gitlab.gnome.org/GNOME/gimp/-/commit/57712677007793118388c5be6fb8231f22a2b341
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gimp
Source-Version: 2.10.34-1+deb12u9
Done: Moritz Mühlenhoff <[email protected]>
We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Mühlenhoff <[email protected]> (supplier of updated gimp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 28 Feb 2026 14:16:35 +0100
Source: gimp
Architecture: source
Version: 2.10.34-1+deb12u9
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Moritz Mühlenhoff <[email protected]>
Closes: 1128601 1128604 1128606
Changes:
gimp (2.10.34-1+deb12u9) bookworm-security; urgency=medium
.
* CVE-2026-0797 (Closes: #1128601)
* CVE-2026-2044
* CVE-2026-2045 (Closes: #1128604)
* CVE-2026-2048 (Closes: #1128606)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---