Bug 34363 - gimp new security issues CVE-2025-276[01], CVE-2025-4879[78], CVE-2025-10934, CVE-2025-1442[25]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-06-10 10:01 CEST by Nicolas Salguero
Modified: 2026-01-17 03:49 CET

See Also:
Source RPM: gimp-2.10.36-1.mga9.src.rpm
CVE: CVE-2025-2760, CVE-2025-2761, CVE-2025-48797, CVE-2025-48798, CVE-2025-10934, CVE-2025-14422, CVE-2025-14425
Status comment:



Description Nicolas Salguero 2025-06-10 10:01:08 CEST
Debian has issued an advisory on June 6:
https://lists.debian.org/debian-security-announce/2025/msg00103.html
Nicolas Salguero 2025-06-10 10:02:29 CEST

Source RPM: (none) => gimp-3.0.4-1.mga10.src.rpm, gimp3-2.99.14-4.mga9.src.rpm, gimp-2.10.36-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-2760, CVE-2025-2761, CVE-2025-48797, CVE-2025-48798
Status comment: (none) => Patches available from Debian

Comment 1 Lewis Smith 2025-06-16 21:19:01 CEST
https://security-tracker.debian.org/tracker/source-package/gimp
This page 'open issues' lists the CVEs with links, but I could not pin down any patches except these 3 (all similar) "fix #12790 for 32-bit":
https://gitlab.gnome.org/GNOME/gimp/-/commit/12e1ab6b49ac941c6ff0c0a8cfad2a371a109ba1
https://gitlab.gnome.org/GNOME/gimp/-/commit/1e0f8fbee0adb62bb32d28b68b73db82f1127ecc
https://gitlab.gnome.org/GNOME/gimp/-/commit/d9977143f32bd0f3c18a57b2d6c260344924d251
I always look for gitlab links.

Complicated.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2025-07-01 13:38:26 CEST
openSUSE has issued an advisory on June 30:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/DVVZTOVQSBY5ON5P7HYQIXK2OLMSUEH5/
Comment 3 Nicolas Salguero 2025-11-04 15:45:53 CET
Cauldron fixed those issues.

Debian has issued an advisory on November 3:
https://lists.debian.org/debian-lts-announce/2025/11/msg00005.html

Source RPM: gimp-3.0.4-1.mga10.src.rpm, gimp3-2.99.14-4.mga9.src.rpm, gimp-2.10.36-1.mga9.src.rpm => gimp3-2.99.14-4.mga9.src.rpm, gimp-2.10.36-1.mga9.src.rpm
CVE: CVE-2025-2760, CVE-2025-2761, CVE-2025-48797, CVE-2025-48798 => CVE-2025-2760, CVE-2025-2761, CVE-2025-48797, CVE-2025-48798, CVE-2025-10934
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Summary: gimp new security issues CVE-2025-276[01], CVE-2025-4879[78] => gimp new security issues CVE-2025-276[01], CVE-2025-4879[78], CVE-2025-10934

Comment 4 Nicolas Salguero 2026-01-06 13:33:07 CET
Debian has issued an advisory on January 4:
https://lists.debian.org/debian-security-announce/2026/msg00001.html

CVE: CVE-2025-2760, CVE-2025-2761, CVE-2025-48797, CVE-2025-48798, CVE-2025-10934 => CVE-2025-2760, CVE-2025-2761, CVE-2025-48797, CVE-2025-48798, CVE-2025-10934, CVE-2025-14422, CVE-2025-14424, CVE-2025-14425
Summary: gimp new security issues CVE-2025-276[01], CVE-2025-4879[78], CVE-2025-10934 => gimp new security issues CVE-2025-276[01], CVE-2025-4879[78], CVE-2025-10934, CVE-2025-1442[245]

Nicolas Salguero 2026-01-15 10:30:30 CET

Source RPM: gimp3-2.99.14-4.mga9.src.rpm, gimp-2.10.36-1.mga9.src.rpm => gimp-2.10.36-1.mga9.src.rpm

Nicolas Salguero 2026-01-15 10:35:48 CET

CVE: CVE-2025-2760, CVE-2025-2761, CVE-2025-48797, CVE-2025-48798, CVE-2025-10934, CVE-2025-14422, CVE-2025-14424, CVE-2025-14425 => CVE-2025-2760, CVE-2025-2761, CVE-2025-48797, CVE-2025-48798, CVE-2025-10934, CVE-2025-14422, CVE-2025-14425
Summary: gimp new security issues CVE-2025-276[01], CVE-2025-4879[78], CVE-2025-10934, CVE-2025-1442[245] => gimp new security issues CVE-2025-276[01], CVE-2025-4879[78], CVE-2025-10934, CVE-2025-1442[25]

Comment 5 Nicolas Salguero 2026-01-15 10:36:15 CET
CVE-2025-14424 only affects gimp3.
Comment 6 Nicolas Salguero 2026-01-15 10:38:10 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

XWD File Parsing Integer Overflow Remote Code Execution Vulnerability. (CVE-2025-2760)

FLI File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. (CVE-2025-2761)

Multiple heap buffer overflows in tga parser. (CVE-2025-48797)

Multiple use after free in xcf parser. (CVE-2025-48798)

XWD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. (CVE-2025-10934)

PNM File Parsing Integer Overflow Remote Code Execution Vulnerability. (CVE-2025-14422)

JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. (CVE-2025-14425)

References:
https://lists.debian.org/debian-security-announce/2025/msg00103.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/DVVZTOVQSBY5ON5P7HYQIXK2OLMSUEH5/
https://lists.debian.org/debian-lts-announce/2025/11/msg00005.html
https://lists.debian.org/debian-security-announce/2026/msg00001.html
========================

Updated packages in core/updates_testing:
========================
gimp-2.10.36-1.1.mga9
lib(64)gimp2.0_0-2.10.36-1.1.mga9
lib(64)gimp2.0-devel-2.10.36-1.1.mga9

from SRPM:
gimp-2.10.36-1.1.mga9.src.rpm

Status comment: Patches available from Debian => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 7 PC LX 2026-01-15 11:40:46 CET
Installed and tested without issues.

Did some basic testing (e.g. opened images in various formats, did some editing, applied some filters, saved to various formats) and nothing seems to be broken.



System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.



$ uname -a
Linux jupiter 6.6.116-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Mon Nov  3 15:35:03 UTC 2025 x86_64 GNU/Linux
$ rpm -qa | grep -P 'gimp.*2\.10\.36' | sort -u
gimp-2.10.36-1.1.mga9
lib64gimp2.0_0-2.10.36-1.1.mga9

CC: (none) => mageia

Comment 8 Herman Viaene 2026-01-16 11:31:42 CET
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
Opened color jpg file and used color to gray transformation. Exported generated image back to jpg and displayed it OK in gwenview.
In view of test above Comment 7, good to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 9 Thomas Andrews 2026-01-17 00:16:08 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

katnatek 2026-01-17 02:20:24 CET

Keywords: (none) => advisory

Comment 10 Mageia Robot 2026-01-17 03:49:20 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0012.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

