CVE-2025-6035: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2025-6035) was discovered in the GIMP image editing software, specifically affecting its 'Despeckle' plug-in. The vulnerability was reported on June 12, 2025, and was assigned by Red Hat, Inc. This integer overflow vulnerability impacts multiple versions of GIMP, including those distributed in various Linux distributions (NVD, Wiz).

The vulnerability stems from an integer overflow condition in the GIMP 'Despeckle' plug-in, where unchecked multiplication of image dimensions (width, height) and bytes-per-pixel (img_bpp) occurs. This results in insufficient memory allocation followed by out-of-bounds writes. The vulnerability has been classified as CWE-787 (Out-of-bounds Write) and has been assigned a CVSS v3.1 base score of 6.6 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H (NVD, Wiz).

The vulnerability can lead to multiple severe consequences including heap corruption, denial of service (DoS), and potential arbitrary code execution in certain scenarios. The CVSS scoring indicates low to moderate impact on confidentiality and integrity, but high impact on availability (Wiz).

A fix has been implemented in GIMP version 3.0.4-2 for the unstable (sid) branch of Debian. The fix is documented in GIMP's GitLab repository under commit 548bc3a46d54711d974aae9ce1bce291376c0436. Users are advised to upgrade to the fixed version when available for their distribution (Debian Tracker).