Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:gimp
User: [email protected]
Usertags: pu

  * CVE-2026-4154: XPM parsing integer overflow
  * CVE-2026-40915: FITS parsing integer overflow
diffstat for gimp-3.0.4 gimp-3.0.4

 changelog                                                         |    8 
 patches/0001-plug-in-Resolve-ZDI-CAN-28901-for-file-xpm.patch     |   89 
++++++++++
 patches/0002-plug-ins-Protect-against-too-large-FITS-images.patch |   78 
++++++++
 patches/series                                                    |    2 
 4 files changed, 177 insertions(+)

diff -Nru gimp-3.0.4/debian/changelog gimp-3.0.4/debian/changelog
--- gimp-3.0.4/debian/changelog 2026-04-12 22:07:17.000000000 +0300
+++ gimp-3.0.4/debian/changelog 2026-06-10 10:56:42.000000000 +0300
@@ -1,3 +1,11 @@
+gimp (3.0.4-3+deb13u9) trixie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2026-4154: XPM parsing integer overflow
+  * CVE-2026-40915: FITS parsing integer overflow
+
+ -- Adrian Bunk <[email protected]>  Wed, 10 Jun 2026 10:56:42 +0300
+
 gimp (3.0.4-3+deb13u8) trixie-security; urgency=medium
 
   * CVE-2026-4150
diff -Nru 
gimp-3.0.4/debian/patches/0001-plug-in-Resolve-ZDI-CAN-28901-for-file-xpm.patch 
gimp-3.0.4/debian/patches/0001-plug-in-Resolve-ZDI-CAN-28901-for-file-xpm.patch
--- 
gimp-3.0.4/debian/patches/0001-plug-in-Resolve-ZDI-CAN-28901-for-file-xpm.patch 
    1970-01-01 02:00:00.000000000 +0200
+++ 
gimp-3.0.4/debian/patches/0001-plug-in-Resolve-ZDI-CAN-28901-for-file-xpm.patch 
    2026-06-10 10:56:14.000000000 +0300
@@ -0,0 +1,89 @@
+From d8780cce185bb80bc36b08fc72621bc7c3b6a7a5 Mon Sep 17 00:00:00 2001
+From: Alx Sa <[email protected]>
+Date: Fri, 6 Mar 2026 13:54:44 +0000
+Subject: plug-in: Resolve ZDI-CAN-28901 for file-xpm
+
+Resolves #15971
+It was possible to set a XPM image to have a width and/or height
+that is larger than what GIMP can create an image for. In addition to
+causing gimp_image_new () to fail, it can also lead to buffer overflow
+when allocating space to read in the image.
+
+This patch adds a GError parameter to parse_image (), then uses it to
+pass up an error for either oversized images or buffer overflows.
+---
+ plug-ins/common/file-xpm.c | 32 ++++++++++++++++++++++++++++----
+ 1 file changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/plug-ins/common/file-xpm.c b/plug-ins/common/file-xpm.c
+index d9ee6504c3..acf7248341 100644
+--- a/plug-ins/common/file-xpm.c
++++ b/plug-ins/common/file-xpm.c
+@@ -125,7 +125,8 @@ static GimpImage      * load_image           (GFile        
         *file,
+ static guchar         * parse_colors         (XpmImage               
*xpm_image);
+ static void             parse_image          (GimpImage              *image,
+                                               XpmImage               
*xpm_image,
+-                                              guchar                 *cmap);
++                                              guchar                 *cmap,
++                                              GError                **error);
+ static gboolean         export_image         (GFile                  *file,
+                                               GimpImage              *image,
+                                               GimpDrawable           
*drawable,
+@@ -385,12 +386,28 @@ load_image (GFile   *file,
+ 
+   cmap = parse_colors (&xpm_image);
+ 
++  if (xpm_image.width > GIMP_MAX_IMAGE_SIZE)
++    {
++      g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++                   _("Unsupported or invalid image width: %d"),
++                   xpm_image.width);
++      return NULL;
++    }
++
++  if (xpm_image.height > GIMP_MAX_IMAGE_SIZE)
++    {
++      g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++                   _("Unsupported or invalid image height: %d"),
++                   xpm_image.height);
++      return NULL;
++    }
++
+   image = gimp_image_new (xpm_image.width,
+                           xpm_image.height,
+                           GIMP_RGB);
+ 
+   /* fill it */
+-  parse_image (image, &xpm_image, cmap);
++  parse_image (image, &xpm_image, cmap, error);
+ 
+   g_free (cmap);
+ 
+@@ -472,7 +489,8 @@ parse_colors (XpmImage *xpm_image)
+ static void
+ parse_image (GimpImage *image,
+              XpmImage  *xpm_image,
+-             guchar    *cmap)
++             guchar    *cmap,
++             GError   **error)
+ {
+   GeglBuffer *buffer;
+   gint        tile_height;
+@@ -498,7 +516,13 @@ parse_image (GimpImage *image,
+ 
+   tile_height = gimp_tile_height ();
+ 
+-  buf  = g_new (guchar, tile_height * xpm_image->width * 4);
++  buf = g_try_new (guchar, tile_height * xpm_image->width * 4);
++  if (buf == NULL)
++    {
++      g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++                   "%s", _("XPM file invalid"));
++      return;
++    }
+ 
+   src  = xpm_image->data;
+   for (i = 0; i < xpm_image->height; i += tile_height)
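Review bot: The size in `buf = g_try_new (guchar, tile_height * xpm_image->width * 4);` is still computed in the integer type of `xpm_image->width` before it reaches gsize, so parse_image is only safe because load_image capped width at GIMP_MAX_IMAGE_SIZE; a future caller without that cap would wrap the product and get an undersized buffer that the loop below then overruns. Promoting first, `buf = g_try_new (guchar, (gsize) tile_height * xpm_image->width * 4);`, makes the guard self-contained. The failure message `"XPM file invalid"` is also misleading for an allocation failure; something like `_("Cannot allocate memory for XPM image")` tells the user what actually happened. parse_image's body continues outside the hunk.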
+-- 
+2.47.3
+
diff -Nru 
gimp-3.0.4/debian/patches/0002-plug-ins-Protect-against-too-large-FITS-images.patch
 
gimp-3.0.4/debian/patches/0002-plug-ins-Protect-against-too-large-FITS-images.patch
--- 
gimp-3.0.4/debian/patches/0002-plug-ins-Protect-against-too-large-FITS-images.patch
 1970-01-01 02:00:00.000000000 +0200
+++ 
gimp-3.0.4/debian/patches/0002-plug-ins-Protect-against-too-large-FITS-images.patch
 2026-06-10 10:56:14.000000000 +0300
@@ -0,0 +1,78 @@
+From 2ecd051417749c814958dcecd041d8ed56336cf8 Mon Sep 17 00:00:00 2001
+From: Alx Sa <[email protected]>
+Date: Thu, 19 Mar 2026 12:05:47 +0000
+Subject: plug-ins: Protect against too-large FITS images
+
+Resolves #16051
+As reported by mzfr, it is possible to crash the FITS plug-in
+if a large enough image is read in. This patch implements their
+suggestions of using g_try_malloc () over malloc () (and checking
+if it returns NULL), as well as verifying the width & height are
+within GIMP's image range.
+---
+ plug-ins/file-fits/fits.c | 40 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 36 insertions(+), 4 deletions(-)
+
+diff --git a/plug-ins/file-fits/fits.c b/plug-ins/file-fits/fits.c
+index b4a8dbb433..5aeac65474 100644
+--- a/plug-ins/file-fits/fits.c
++++ b/plug-ins/file-fits/fits.c
+@@ -474,12 +474,35 @@ load_image (GFile        *file,
+                                     NULL);
+         }
+ 
+-      /* If RGB FITS image, we need to read in the whole image so we can 
convert
+-       * the planes format to RGB */
++      if (width  <= 0                  ||
++          height <= 0                  ||
++          width  > GIMP_MAX_IMAGE_SIZE ||
++          height > GIMP_MAX_IMAGE_SIZE)
++        {
++          g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
++                       _("'%s' has a larger image size (%d x %d) "
++                         "than GIMP can handle."),
++                       gimp_file_get_utf8_name (file), width, height);
++          fits_close_file (ifp, &status);
++          return NULL;
++        }
++
++      /* If RGB FITS image, we need to read in the whole image so we can
++       * convert the planes format to RGB */
+       if (hdu.naxis == 2)
+-        pixels = (gdouble *) malloc (width * sizeof (gdouble) * channels);
++        pixels =
++          (gdouble *) g_try_malloc (width * sizeof (gdouble) * channels);
+       else
+-        pixels = (gdouble *) malloc (width * height * sizeof (gdouble) * 
channels);
++        pixels =
++          (gdouble *) g_try_malloc (width * height * sizeof (gdouble) * 
channels);
++
++      if (pixels == NULL)
++        {
++          g_set_error (error, G_FILE_ERROR, 0,
++                       "Memory could not be allocated.");
++          fits_close_file (ifp, &status);
++          return NULL;
++        }
+ 
+       if (! image)
+         {
+@@ -552,6 +575,15 @@ load_image (GFile        *file,
+ 
+               temp = (gdouble *) malloc (width * height * sizeof (gdouble) * 
channels);
+ 
++              if (temp == NULL)
++                {
++                  g_set_error (error, G_FILE_ERROR, 0,
++                               "Memory could not be allocated.");
++                  fits_close_file (ifp, &status);
++                  g_object_unref (buffer);
++                  return image;
++                }
++
+               if (datamin < datamax)
+                 {
+                   for (gint ii = 0; ii < total_size; ii++)
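Review bot: `temp = (gdouble *) malloc (width * height * sizeof (gdouble) * channels);` keeps plain `malloc` and the same unpromoted `width * height` product that the earlier hunk changed for `pixels`, so the commit message's claim of switching to `g_try_malloc ()` does not hold here and the integer overflow the CVE describes survives on this line. The NULL check added below is correct for malloc, but the size should be computed as `(gsize) width * height * sizeof (gdouble) * channels` (or via `g_try_malloc_n`) so the check is protecting against more than heap exhaustion; if you do move to `g_try_malloc`, the matching `free (temp)` outside the hunk must become `g_free`. On this failure path `pixels`, allocated earlier in the function, appears to be leaked unless it is released after the `return image;` by the caller, and returning a non-NULL `image` with `*error` set contradicts the GError convention the rest of the plug-in relies on. The enclosing loop and the `buffer` it unrefs are outside the hunk.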
+-- 
+2.47.3
+
diff -Nru gimp-3.0.4/debian/patches/series gimp-3.0.4/debian/patches/series
--- gimp-3.0.4/debian/patches/series    2026-04-12 22:07:17.000000000 +0300
+++ gimp-3.0.4/debian/patches/series    2026-06-10 10:56:39.000000000 +0300
@@ -24,3 +24,5 @@
 CVE-2026-4152.patch
 CVE-2026-4153.patch
 
+0001-plug-in-Resolve-ZDI-CAN-28901-for-file-xpm.patch
+0002-plug-ins-Protect-against-too-large-FITS-images.patch
