Your message dated Wed, 02 Jul 2025 15:19:41 +0000
with message-id <e1uwzfn-00e6p4...@fasolo.debian.org>
and subject line Bug#1107758: fixed in gimp 3.0.4-3
has caused the Debian Bug report #1107758,
regarding gimp: CVE-2025-2760
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1107758: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107758
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gimp
Version: 3.0.4-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/issues/12790
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.10.34-1+deb12u2
Control: found -1 2.10.34-1+deb12u3
Control: found -1 2.10.34-1
Control: found -1 3.0.2-3.1

Hi,

The following vulnerability was published for gimp.

CVE-2025-2760[0]:
| GIMP XWD File Parsing Integer Overflow Remote Code Execution
| Vulnerability. This vulnerability allows remote attackers to execute
| arbitrary code on affected installations of GIMP. User interaction
| is required to exploit this vulnerability in that the target must
| visit a malicious page or open a malicious file.  The specific flaw
| exists within the parsing of XWD files. The issue results from the
| lack of proper validation of user-supplied data, which can result in
| an integer overflow before allocating a buffer. An attacker can
| leverage this vulnerability to execute code in the context of the
| current process. Was ZDI-CAN-25082.

Please note that the original fix was incomplete, cf. [2].


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-2760
    https://www.cve.org/CVERecord?id=CVE-2025-2760
[1] https://gitlab.gnome.org/GNOME/gimp/-/issues/12790
[2] https://gitlab.gnome.org/GNOME/gimp/-/issues/12790#note_2468776
[3] https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2323
[4] https://www.zerodayinitiative.com/advisories/ZDI-25-203/

Regards,
Salvatore

--- End Message ---
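The bug class the quoted ZDI text describes, an integer overflow in a size computation before a buffer allocation, is easy to see in a few lines. The C below is an added illustration for this report, not GIMP's XWD plug-in code and not the upstream fix: the three-field big-endian header, the field names, `MAX_IMAGE_BYTES` and the sample blobs are all assumptions constructed for the example. It places the wrapping 32-bit arithmetic beside a checked version that rejects a header whose dimensions would overflow or exceed the cap.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for an image header: three big-endian 32-bit
 * fields (width, height, bytes per pixel). This is an assumption for the
 * example, not the real XWD header layout. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bpp;
} image_hdr_t;

/* Upper bound the decoder is willing to allocate (assumed value). */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 1 on success, 0 if the buffer is too short for the header. */
int parse_header(const unsigned char *buf, size_t len, image_hdr_t *out)
{
    if (len < 12)
        return 0;
    out->width  = read_be32(buf);
    out->height = read_be32(buf + 4);
    out->bpp    = read_be32(buf + 8);
    return 1;
}

/* Weak pattern: the product is computed in 32-bit arithmetic and wraps.
 * A header claiming 65536 x 65536 x 4 yields 0, so the allocation that
 * follows is tiny while later copies are sized from the header fields. */
uint32_t naive_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Overflow-checked multiply on size_t; returns 0 and leaves *out untouched
 * when a * b would wrap. Division-based so it is portable C and also
 * catches wrap in a 32-bit size_t. */
static int mul_size_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Hardened pattern: reject zero dimensions, check each multiplication for
 * wrap-around, and cap the result. Returns the byte count, or 0 when the
 * header must be rejected (0 is never a valid size here). */
size_t safe_buffer_size(uint32_t width, uint32_t height, uint32_t bpp,
                        size_t max_bytes)
{
    size_t row, total;

    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if (!mul_size_checked((size_t)width, (size_t)bpp, &row))
        return 0;
    if (!mul_size_checked(row, (size_t)height, &total))
        return 0;
    if (total > max_bytes)
        return 0;
    return total;
}

/* Parse a header blob and return the checked allocation size, or 0 to reject. */
size_t plan_allocation(const unsigned char *buf, size_t len)
{
    image_hdr_t h;
    if (!parse_header(buf, len, &h))
        return 0;
    return safe_buffer_size(h.width, h.height, h.bpp, MAX_IMAGE_BYTES);
}

/* Constructed sample headers for the example (not real XWD files). */
static const unsigned char sample_hdr_ok[12] = {
    0x00, 0x00, 0x02, 0x80,  /* width  = 640 */
    0x00, 0x00, 0x01, 0xE0,  /* height = 480 */
    0x00, 0x00, 0x00, 0x04   /* bpp    = 4   */
};
static const unsigned char sample_hdr_bad[12] = {
    0x00, 0x01, 0x00, 0x00,  /* width  = 65536 */
    0x00, 0x01, 0x00, 0x00,  /* height = 65536 */
    0x00, 0x00, 0x00, 0x04   /* bpp    = 4     */
};

int main(void)
{
    printf("ok header:  naive=%u checked=%zu\n",
           naive_buffer_size(640, 480, 4),
           plan_allocation(sample_hdr_ok, sizeof sample_hdr_ok));
    printf("bad header: naive=%u checked=%zu\n",
           naive_buffer_size(65536u, 65536u, 4),
           plan_allocation(sample_hdr_bad, sizeof sample_hdr_bad));
    return 0;
}
```

The point of the checked variant is that every multiplication is tested before its result is trusted and a hard cap is applied after, so the decoder never reaches `malloc` with a size that does not correspond to the header it will later trust. The division-based check is deliberately written against `SIZE_MAX` rather than a fixed 64-bit type, so the same code rejects wrap-around on a 32-bit build, where `size_t` is itself only 32 bits wide.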
--- Begin Message ---
Source: gimp
Source-Version: 3.0.4-3
Done: Jeremy Bícha <jbi...@ubuntu.com>

We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1107...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Bícha <jbi...@ubuntu.com> (supplier of updated gimp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 02 Jul 2025 10:46:57 -0400
Source: gimp
Built-For-Profiles: noudeb
Architecture: source
Version: 3.0.4-3
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org>
Changed-By: Jeremy Bícha <jbi...@ubuntu.com>
Closes: 1107758
Changes:
 gimp (3.0.4-3) unstable; urgency=high
 .
   * plug-ins: ZDI-CAN-26752 mitigation for 32-bit (Closes: #1107758)
     - CVE-2025-2760
Checksums-Sha1:
 dc535dc547b09938a67c6a64035e4f48a4ef20f9 3891 gimp_3.0.4-3.dsc
 c94f6dc15bf1916967ce538822f50e5fd4fcff70 64924 gimp_3.0.4-3.debian.tar.xz
 14023b3fc95bb6329735b890800c10a5da0c8ec6 18661 gimp_3.0.4-3_source.buildinfo
Checksums-Sha256:
 481a435eaa0e2c61606856a6e003778076940a5bfbcbfba78cc0bbeba565aec5 3891 gimp_3.0.4-3.dsc
 8f234ec93473ea6a6887a3a48c9a1c9ffb80b3c733d3a19fa1f53b445cb1864f 64924 gimp_3.0.4-3.debian.tar.xz
 65c56a1f0c9dc2b75b88b4b8b65c1d4d051f3bccb58d3e78572400fb8bbc166a 18661 gimp_3.0.4-3_source.buildinfo
Files:
 71c0d2c1a1aff66392d9fc093d4824e8 3891 graphics optional gimp_3.0.4-3.dsc
 00d80502c669fb03a3018311d6808935 64924 graphics optional gimp_3.0.4-3.debian.tar.xz
 a32b65ff4ebf1d61d01d48f6d76782e2 18661 graphics optional gimp_3.0.4-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETQvhLw5HdtiqzpaW5mx3Wuv+bH0FAmhlRxcACgkQ5mx3Wuv+
bH2WDg/5AQ/br+jR/awLwGUBclldsHn0P0O+o1QDh8GP0Hz//6QUJHMWn18u3DLA
HPVLz6pOk4CEe2pGPbY8ks8m1HEnaXAsx1HduH6vUfOY1MgsesJljp3vVrqo5Y6f
BcuJE3DmKO0Y/HUgTV/DMZ8JyryA59z2Obb8ncCNw7J/MKcu7y6MamX20XjUKI7Y
jTyOUaSwt8wtK2GoRce7Wkp06Y2ZoMDFP7hqwRMPPO1FF3sogH3U0wpxr/PeNrx1
IlUSv2LXd/S4ZEyG5z4Leljqsm2eHxceaTx+F7pmwpwQwuWUqIqQMaNrwBMRHDUk
qUgLI3g4ZEUx4Lk46aQ/Q9diJPQDCCzgFY1Pyca7Q0PV8Vyp1bwsrPuZDVHp9XqJ
XK1hIDfSPjh0Ql/6KaTUxB4bg/l4bVLCRj6pMqcC5ejCfgmM/R1dHHw5wLh6HC/I
ZmwVaWQSPBuojlfdsnf1//DXND58MLo2fjksGmU2oJxSKwuzr71c/n5UqG0la158
WluatDjaLtkJC5xGh+iupb06DUUOYu4NF2LWCQ3iHbM6Ba8n6T5a0OuxRRtyDSM+
0whbc8vWDk+cWhilNXFB53QbbHVGXNiX0OsytR/19wID+v3I/tO1dUSoPFF6LxTC
d543fkUZbouTTWXVhRxbFaU37inCKnrbDM1ZO3BhhR6NaRbIvfo=
=bg82
-----END PGP SIGNATURE-----



--- End Message ---