[SECURITY] [DLA 4431-1] gimp security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4431-1] gimp security update
From: Andreas Henriksson <andreas@fatal.se>
Date: Fri, 2 Jan 2026 16:46:43 +0100
Message-id: <[🔎] 4reny2y56tolofpgvtqpgls4vmm6sbs3kwncejgsm7lytsstz4@o4qzn4ylu52j>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4431-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Andreas Henriksson
January 02, 2026                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : gimp
Version        : 2.10.22-4+deb11u5
CVE ID         : CVE-2022-30067 CVE-2025-14422 CVE-2025-14425
Debian Bug     : 

Several vulnerabilities were discovered in GIMP, the GNU Image
Manipulation Program, which could result in buffer overflows and
potentially the execution of arbitrary code if malformed XCF, PNM and
JP2 files are opened.

CVE-2022-30067

    GIMP 2.10.30 and 2.99.10 are vulnerable to Buffer Overflow. Through a
    crafted XCF file, the program will allocate for a huge amount of memory,
    resulting in insufficient memory or program crash.

CVE-2025-14422

    GIMP PNM File Parsing Integer Overflow Remote Code Execution
    Vulnerability.
    This vulnerability allows remote attackers to execute arbitrary code on
    affected installations of GIMP. User interaction is required to exploit
    this vulnerability in that the target must visit a malicious page or
    open a malicious file. The specific flaw exists within the parsing of
    PNM files. The issue results from the lack of proper validation of
    user-supplied data, which can result in an integer overflow before
    allocating a buffer. An attacker can leverage this vulnerability to
    execute code in the context of the current process. Was ZDI-CAN-28273.
 
CVE-2025-14425

    GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution
    Vulnerability.
    This vulnerability allows remote attackers to execute arbitrary code on
    affected installations of GIMP. User interaction is required to exploit
    this vulnerability in that the target must visit a malicious page or
    open a malicious file. The specific flaw exists within the parsing of
    JP2 files. The issue results from the lack of proper validation of the
    length of user-supplied data prior to copying it to a heap-based buffer.
    An attacker can leverage this vulnerability to execute code in the
    context of the current process. Was ZDI-CAN-28248.


For Debian 11 bullseye, these problems have been fixed in version
2.10.22-4+deb11u5.

We recommend that you upgrade your gimp packages.

For the detailed security status of gimp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gimp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: [SECURITY] [DLA 4430-1] net-snmp security update
Previous by thread: [SECURITY] [DLA 4430-1] net-snmp security update
Index(es):
- Date
- Thread