Mzfr

**Name of the Vulnerable Software and Affected Versions** GIMP (affected versions not specified) **Description** A flaw in the FITS image loader allows a remote attacker to trigger an integer overflow by providing a specially crafted FITS file. This leads to a zero-byte memory allocation, resulting in a heap buffer overflow during the processing of pixel data. This condition can cause a denial of service (DoS) or potentially lead to arbitrary code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GIMP (affected versions not specified) **Description** A stack buffer overflow in the TIM image loader's 4BPP decoding path allows a local user to cause a Denial of Service (DoS). This occurs when the application opens a specially crafted TIM image file, leading to a crash due to an unconditional overflow when writing to a variable-length array. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GIMP (affected versions not specified) **Description** A heap buffer over-read occurs in the `icns slurp()` function when processing specially crafted ICNS image files. This can lead to application crashes or information disclosure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GIMP (affected versions not specified) **Description** Processing a specially crafted PVR image file with large dimensions can lead to a denial of service (DoS). This issue is caused by a stack-based buffer overflow and an out-of-bounds read in the PVR image loader, which results in the application crashing. Systems that process untrusted PVR image files are affected. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 **Description** Rack’s `Rack::Sendfile#map accel path` function directly uses the `X-Accel-Mapping` request header value in a regular expression for rewriting file paths used with `X-Accel-Redirect`. Because this header value is not properly sanitized, an attacker can inject regular expression metacharacters into the header and manipulate the generated `X-Accel-Redirect` response header. In deployments using `Rack::Sendfile` with `x-accel-redirect`, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. The issue arises because the `internal` part of the mapping, sourced from the `HTTP X ACCEL MAPPING` request header, is directly inserted into a regular expression without escaping. An attacker can supply metacharacters like `.*` or capture groups to alter path substitution. This differs from the expected behavior of the header-based mapping, which should treat the header value as a literal path prefix. The issue is exploitable when untrusted `X-Accel-Mapping` headers reach Rack, such as in reverse proxy configurations that fail to set the header on some routes. This can lead to unauthorized file disclosure, with the impact depending on the deployment architecture. **Recommendations** Update to Rack version 2.2.23 or later. Update to Rack version 3.1.21 or later. Update to Rack version 3.2.6 or later. Strip or overwrite inbound `X-Accel-Mapping` headers at the reverse proxy. Prefer explicit application-configured sendfile mappings instead of relying on request-header mappings.