gimp:2.8 security update
Errata ID: AXSA:2025-10030:01
The GIMP (GNU Image Manipulation Program) is an image composition and editing program. GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo.
Security Fix(es):
* gimp: Multiple use after free in XCF parser (CVE-2025-48798)
* gimp: Multiple heap buffer overflows in TGA parser (CVE-2025-48797)
* gimp: GIMP ICO File Parsing Integer Overflow (CVE-2025-5473)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-48797
A flaw was found in GIMP when processing certain TGA image files. If a user opens one of these image files that has been specially crafted by an attacker, GIMP can be tricked into making serious memory errors, potentially leading to crashes and causing a heap buffer overflow.
CVE-2025-48798
A flaw was found in GIMP when processing XCF image files. If a user opens one of these image files that has been specially crafted by an attacker, GIMP can be tricked into making serious memory errors, potentially leading to crashes and causing use-after-free issues.
CVE-2025-5473
GIMP ICO File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ICO files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26752.
Modularity name: "gimp"
Stream name: "2.8"
Update packages.
SRPMS
- gimp-2.8.22-26.module+el8+1888+befc19e5.2.src.rpm
Size: 20.06 MB
- pygobject2-2.28.7-5.module+el8+1888+befc19e5.src.rpm
Size: 750.83 kB
- pygtk2-2.24.0-25.module+el8+1888+befc19e5.src.rpm
Size: 2.28 MB
- python2-pycairo-1.16.3-7.module+el8+1888+befc19e5.src.rpm
Size: 199.60 kB
Asianux Server 8 for x86_64
- gimp-2.8.22-26.module+el8+1888+befc19e5.2.x86_64.rpm
Size: 14.96 MB
- gimp-debugsource-2.8.22-26.module+el8+1888+befc19e5.2.x86_64.rpm
Size: 4.50 MB
- gimp-devel-2.8.22-26.module+el8+1888+befc19e5.2.x86_64.rpm
Size: 940.03 kB
- gimp-devel-tools-2.8.22-26.module+el8+1888+befc19e5.2.x86_64.rpm
Size: 78.98 kB
- gimp-libs-2.8.22-26.module+el8+1888+befc19e5.2.x86_64.rpm
Size: 1.40 MB
- pygobject2-2.28.7-5.module+el8+1888+befc19e5.x86_64.rpm
Size: 235.12 kB
- pygobject2-codegen-2.28.7-5.module+el8+1888+befc19e5.x86_64.rpm
Size: 108.41 kB
- pygobject2-debugsource-2.28.7-5.module+el8+1888+befc19e5.x86_64.rpm
Size: 156.12 kB
- pygobject2-devel-2.28.7-5.module+el8+1888+befc19e5.x86_64.rpm
Size: 71.82 kB
- pygobject2-doc-2.28.7-5.module+el8+1888+befc19e5.x86_64.rpm
Size: 129.60 kB
- pygtk2-2.24.0-25.module+el8+1888+befc19e5.x86_64.rpm
Size: 928.52 kB
- pygtk2-codegen-2.24.0-25.module+el8+1888+befc19e5.x86_64.rpm
Size: 22.19 kB
- pygtk2-debugsource-2.24.0-25.module+el8+1888+befc19e5.x86_64.rpm
Size: 464.88 kB
- pygtk2-devel-2.24.0-25.module+el8+1888+befc19e5.x86_64.rpm
Size: 151.10 kB
- pygtk2-doc-2.24.0-25.module+el8+1888+befc19e5.noarch.rpm
Size: 1.19 MB
- python2-cairo-1.16.3-7.module+el8+1888+befc19e5.x86_64.rpm
Size: 88.66 kB
- python2-cairo-devel-1.16.3-7.module+el8+1888+befc19e5.x86_64.rpm
Size: 15.97 kB
- python2-pycairo-debugsource-1.16.3-7.module+el8+1888+befc19e5.x86_64.rpm
Size: 55.97 kB
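
To confirm that a host already carries the fixed gimp builds named in this advisory, the following added example (not part of the advisory or of any Asianux tooling) compares installed versions against them with an rpm-style version comparison. The names `rpmvercmp`, `unpatched`, `FIXED` and `SAMPLE` belong to this example; it assumes input from `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'`, equal epochs on both builds, and no `~` or `^` in the strings, and the sample lines are constructed.

```python
import re

# Fixed gimp builds named in this advisory (version, release). Epoch is ignored
# on the assumption that installed and fixed builds share it.
FIXED_VR = ("2.8.22", "26.module+el8+1888+befc19e5.2")
FIXED = {n: FIXED_VR for n in ("gimp", "gimp-libs", "gimp-devel", "gimp-devel-tools")}

def rpmvercmp(a, b):
    """rpm-style compare of version/release strings; returns -1, 0 or 1.
    Simplification: '~' and '^' are not given their special ordering."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment is newer than alphabetic
        if x.isdigit():
            x, y = int(x), int(y)             # numeric compare, leading zeros ignored
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def unpatched(rpm_lines):
    """Return [(name, 'version-release')] for gimp packages older than the fix."""
    stale = []
    for line in rpm_lines:
        name, ver, rel = line.split()
        if name in FIXED:
            fver, frel = FIXED[name]
            if (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) < 0:
                stale.append((name, f"{ver}-{rel}"))
    return stale

# Constructed sample output of: rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'
SAMPLE = [
    "gimp 2.8.22 15.module+el8+1000+0a1b2c3d",         # constructed older build
    "gimp-libs 2.8.22 26.module+el8+1888+befc19e5.2",  # build from this advisory
    "pygtk2 2.24.0 25.module+el8+1888+befc19e5",       # not a gimp package, skipped
]

if __name__ == "__main__":
    for name, vr in unpatched(SAMPLE):
        print(f"{name} {vr} is older than {'-'.join(FIXED[name])}: update needed")
```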