A security update has been released for the GNU Image Manipulation Program (GIMP) in Debian GNU/Linux 11 (Bullseye) LTS, addressing multiple vulnerabilities that could lead to buffer overflows and arbitrary code execution. The vulnerabilities, identified as CVE-2022-30067, CVE-2025-14422, and CVE-2025-14425, affect GIMP's handling of XCF, PNM, and JP2 files, respectively. These issues can be exploited by an attacker to execute malicious code on a user's system if they visit a malicious page or open a malicious file, requiring user interaction.

[DLA 4431-1] gimp security update

[SECURITY] [DLA 4431-1] gimp security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4431-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andreas Henriksson
January 02, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : gimp
Version : 2.10.22-4+deb11u5
CVE ID : CVE-2022-30067 CVE-2025-14422 CVE-2025-14425
Debian Bug :

Several vulnerabilities were discovered in GIMP, the GNU Image
Manipulation Program, which could result in buffer overflows and
potentially the execution of arbitrary code if malformed XCF, PNM and
JP2 files are opened.

CVE-2022-30067

GIMP 2.10.30 and 2.99.10 are vulnerable to Buffer Overflow. Through a
crafted XCF file, the program will allocate for a huge amount of memory,
resulting in insufficient memory or program crash.

CVE-2025-14422

GIMP PNM File Parsing Integer Overflow Remote Code Execution
Vulnerability.
This vulnerability allows remote attackers to execute arbitrary code on
affected installations of GIMP. User interaction is required to exploit
this vulnerability in that the target must visit a malicious page or
open a malicious file. The specific flaw exists within the parsing of
PNM files. The issue results from the lack of proper validation of
user-supplied data, which can result in an integer overflow before
allocating a buffer. An attacker can leverage this vulnerability to
execute code in the context of the current process. Was ZDI-CAN-28273.

CVE-2025-14425

GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution
Vulnerability.
This vulnerability allows remote attackers to execute arbitrary code on
affected installations of GIMP. User interaction is required to exploit
this vulnerability in that the target must visit a malicious page or
open a malicious file. The specific flaw exists within the parsing of
JP2 files. The issue results from the lack of proper validation of the
length of user-supplied data prior to copying it to a heap-based buffer.
An attacker can leverage this vulnerability to execute code in the
context of the current process. Was ZDI-CAN-28248.

For Debian 11 bullseye, these problems have been fixed in version
2.10.22-4+deb11u5.

We recommend that you upgrade your gimp packages.

For the detailed security status of gimp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gimp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS