Security update for gimp SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:20055-1 Final 1 1 2026-01-16T16:13:02Z current 2026-01-16T16:13:02Z 2026-01-16T16:13:02Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for gimp This update for gimp fixes the following issues: Changes in gimp: Update to 3.0.6: - Security: - During development, we received reports from the Zero Day Initiative of potential security issues with some of our file import plug-ins. While these issues are very unlikely to occur with real files, developers like Jacob Boerema and Alx Sa proactively improved security for those imports. The resolved reports are: - ZDI-CAN-27793 - ZDI-CAN-27823 - ZDI-CAN-27836 - ZDI-CAN-27878 - ZDI-CAN-27863 - ZDI-CAN-27684 - Core: - Many false-positive build warnings have been cleaned out (and proper issues fixed). - Various crashes fixed. - When creating a layer mask from the layer's alpha, but the layer has no alpha, simply fill the mask with complete opacity instead of a completely transparent layer. - Various core infrastructure code reviewed, cleaned up, refactored and improved, in drawable, layer and filter handling code, tree view code, and more. - GIMP_ICONS_LIKE_A_BOSS environment variable is not working anymore (because "gtk-menu-images" and "gtk-button-images" have been deprecated in GTK3 and removed in GTK4) and was therefore removed. - Lock Content now shows as an undo step. - Add alpha channel for certain transforms. - Add alpha channel on filter merge, when necessary. - Filters can now be applied non-destructively on channels. - Improved Photoshop brush support. - After deleting a palette entry, the next entry is automatically selected. This allows easily deleting several entries in a row, among other usage. - Resize image to layers irrespective to selections. - Improved in-GUI release notes' demo script language: - We can now set a button value to click it: "toolbox:text, tool-options:outline=1, tool-options:outline-direction" - Color selector's module names can be used as identifiers: "color-editor,color-editor:CMYK=1,color-editor:total-ink-coverage" - Fixed Alpha to Selection on single layers with no transparency. - Various code is slowly ported to newer code, preparing for GTK4 port (in an unplanned future step): - Using g_set_str() (optionally redefining it in our core code to avoid bumping the GLib minimum requirement). - Start using GListModel in various pieces of code, in particular getting rid of more and more usage of GtkTreeView when possible (as it will be deprecated with GTK4). - New GimpRow class for all future row widgets. - Use more of G_DECLARE_DERIVABLE_TYPE and G_DECLARE_FINAL_TYPE where relevant. - New GimpContainerListView using a GtkListBox. - New GimpRowSeparator, GimpRowSettings, GimpRowFilter and GimpRowDrawableFilter widgets. - (Experimental) GEX Format was updated. - Palette import: - Set alpha value for image palette imports. - Fix Lab & CMYK ACB palette import. - Add palette format filters to import dialog, making it more apparent what palette formats are supported, and giving the ability to hide irrelevant files. - Improved filter actions' sensitivity to make sure they are set insensitive when relevant. In particular filters which cannot be run non-destructively (e.g. filters with aux inputs, non-interactive filters and GEGL Graph) must be insensitive when trying to run them on group layers. - Fix bad axis centering on zoom out. - Export better SVG when exporting paths. - Tools: - Text tool: make sure the default color is only changed when the user confirms the color change. - Foreground Selection tool: do not create a selection when no strokes has been made. In particular this removes the unnecessary delay which happened when switching to another tool without actually stroking anything. - All Transform tools: transform boundaries for preview is now multi-layers aware. - (Experimental) Seamless Clone tool: made to work again, though it is still too slow to get out of Playground. - Graphical User Interface: - Various improvements to window management: - Keep-Above windows are set with the Utility hint. - Utility windows are not made transient to a parent. - Transient factory dialogs follow the active display, ensuring that new image windows would not hide your toolbox and dock windows. - Various CSS improvements for styling of the interface. Some theme leaks were also fixed. - New toggle button in Brushes and Fonts dockable, allowing brush and font previews to optionally follow the color theme. For instance, when using a dark theme, the brush and font previews could be drawn on the theme background, using the theme foreground colors. By default, these data previews are still drawn as black on white. - Palette grid is now drawn with the theme's background color. - Consistent naming patterns on human-facing options (first word only capitalized). - About dialog: - We will now display the date and time of the last check in a "Up to date as of <date> at <time>" string, differing from the "Last checked on <date> at <time>" string. The former will be used to indicate that GIMP is indeed up-to-date whereas the latter when a new version was released and that you should update. - We now respect the system time/date format on macOS and Windows. - The search popup won't pop up without an image. - Better zoom step algorithm for data previews in container popup (e.g. the brush popup in paint Tool Options). - Disable animation in the Input Controller, Preferences and Welcome dialogs for stack transition when animation are disabled in system settings. - Fixed crosshair hotspot on Windows (crosshair cursor for brushes was offset with a non-100% display scale factor). - Debug/CRITICAL dialog: - Make sure it is non-modal. - Follow the theme mode under Windows. - While loading images, all widgets in the file dialog are made insensitive, except for the Cancel button and the progress bar. - Both grid and list views can now zoom via scroll and zoom gestures (it used to only work in list views). - Pop an error message up on startup when GIO modules to read HTTPS links are not found and that we therefore fail to load the remote gimp_versions.json file. With the AppImage package in particular, we depend on an environment daemon which cannot be shipped in the package. So the next best thing is to warn people and tell them what they should install to get version checks. - Welcome dialog: - The "Community Tutorials" link is now shown after the "Documentation" link. - The "Learn more" link in Release Notes tab leads to the actual release news for this version. - Plug-ins: - PDF export: do not draw disabled layer masks. - Jigsaw: the plug-in can now draw on transparent layers. - Various file format fixes and improvements: JPEG 2000 import, TIFF import, DDS import, SVG import, PSP import, FITS export, ICNS import, Dicom import, WBMP import, Farbfeld import, XWD import, ILBM import. - Sphere Designer: use spin scale instead of spin entries (the latter is unusable with little horizontal space). - Animation Play: frames are shown again in the playback progress bar. - Vala Goat Exercise: ignoring C warning in this Vala plug-in as it is generated code and we cannot control it. - file-gih: brush pipe selection modes now have nice, translatable names. - Metadata viewer: port from GtkTreeView to GtkListBox. - File Raw Data: reduce Raw Data load dialogue height by moving to a 2-column layout. - SVG import: it is now possible to break aspect ratio with specific width/height arguments, when calling the PDB procedure non-interactively (from other plug-ins). - Print: when run through a portal print dialog, the "Image Settings" will be exposed as a secondary dialog, outputted after the portal dialog, instead of a tab on the main print dialog (because it is not possible to tweak the print dialog when it is created by a portal). This will bring back usable workflow of printing with GIMP when run in a sandbox (e.g. Flatpak or Snap). - Recompose: fixed for YCbCr decomposed images. - Fixed vulnerabilities: ZDI-CAN-27684, ZDI-CAN-27863, ZDI-CAN-27878, ZDI-CAN-27836, ZDI-CAN-27823, ZDI-CAN-27793. - C Source and HTML export can now be run non-interactively too (e.g. from other plug-ins). - Map Object: fix missing spin boxes. - Small Tiles: fix display lag. - CVE-2025-10925: Fix GIMP ILBM file parsing stack-based buffer overflow remote code execution vulnerability. (ZDI-25-914, ZDI-CAN-27793, bsc#1250501) - CVE-2025-10922: Fix GIMP DCM file parsing heap-based buffer overflow remote code execution vulnerability. (ZDI-25-911, ZDI-CAN-27863, bsc#1250497) - CVE-2025-10920: Prevent overflow attack by checking if output >= max, not just output > max. (ZDI-25-909, ZDI-CAN-27684, bsc#1250495) - CVE-2025-10924: Fix integer overflow while parsing FF files. (bsc#1250499) - CVE-2025-2760: A vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. The specific flaw exists within parsing of XWD files. An integer overflow happens before allocating a buffer. This fixed in GIMP 3.0.0. https://www.gimp.org/news/2025/03/16/gimp-3-0-released (bsc#1241690) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-packagehub-81 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1241690 SUSE Bug 1241690 https://bugzilla.suse.com/1250495 SUSE Bug 1250495 https://bugzilla.suse.com/1250497 SUSE Bug 1250497 https://bugzilla.suse.com/1250499 SUSE Bug 1250499 https://bugzilla.suse.com/1250501 SUSE Bug 1250501 https://www.suse.com/security/cve/CVE-2025-10920/ SUSE CVE CVE-2025-10920 page https://www.suse.com/security/cve/CVE-2025-10922/ SUSE CVE CVE-2025-10922 page https://www.suse.com/security/cve/CVE-2025-10924/ SUSE CVE CVE-2025-10924 page https://www.suse.com/security/cve/CVE-2025-10925/ SUSE CVE CVE-2025-10925 page https://www.suse.com/security/cve/CVE-2025-2760/ SUSE CVE CVE-2025-2760 page openSUSE Leap 16.0 gimp-3.0.6-bp160.1.1 gimp-devel-3.0.6-bp160.1.1 gimp-extension-goat-excercises-3.0.6-bp160.1.1 gimp-lang-3.0.6-bp160.1.1 gimp-plugin-aa-3.0.6-bp160.1.1 gimp-plugin-python3-3.0.6-bp160.1.1 gimp-vala-3.0.6-bp160.1.1 libgimp-3_0-0-3.0.6-bp160.1.1 libgimpui-3_0-0-3.0.6-bp160.1.1 gimp-3.0.6-bp160.1.1 as a component of openSUSE Leap 16.0 gimp-devel-3.0.6-bp160.1.1 as a component of openSUSE Leap 16.0 gimp-extension-goat-excercises-3.0.6-bp160.1.1 as a component of openSUSE Leap 16.0 gimp-lang-3.0.6-bp160.1.1 as a component of openSUSE Leap 16.0 gimp-plugin-aa-3.0.6-bp160.1.1 as a component of openSUSE Leap 16.0 gimp-plugin-python3-3.0.6-bp160.1.1 as a component of openSUSE Leap 16.0 gimp-vala-3.0.6-bp160.1.1 as a component of openSUSE Leap 16.0 libgimp-3_0-0-3.0.6-bp160.1.1 as a component of openSUSE Leap 16.0 libgimpui-3_0-0-3.0.6-bp160.1.1 as a component of openSUSE Leap 16.0 GIMP ICNS File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ICNS files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27684. CVE-2025-10920 openSUSE Leap 16.0:gimp-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-lang-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.1.1 openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.1.1 openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-10920.html CVE-2025-10920 https://bugzilla.suse.com/1250495 SUSE Bug 1250495 GIMP DCM File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DCM files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27863. CVE-2025-10922 openSUSE Leap 16.0:gimp-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-lang-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.1.1 openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.1.1 openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-10922.html CVE-2025-10922 https://bugzilla.suse.com/1250497 SUSE Bug 1250497 GIMP FF File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of FF files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27836. CVE-2025-10924 openSUSE Leap 16.0:gimp-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-lang-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.1.1 openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.1.1 openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-10924.html CVE-2025-10924 https://bugzilla.suse.com/1250499 SUSE Bug 1250499 GIMP ILBM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ILBM files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27793. CVE-2025-10925 openSUSE Leap 16.0:gimp-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-lang-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.1.1 openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.1.1 openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-10925.html CVE-2025-10925 https://bugzilla.suse.com/1250501 SUSE Bug 1250501 GIMP XWD File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XWD files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25082. CVE-2025-2760 openSUSE Leap 16.0:gimp-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-lang-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.1.1 openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.1.1 openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.1.1 openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-2760.html CVE-2025-2760 https://bugzilla.suse.com/1241690 SUSE Bug 1241690