diff -Nru gimp-2.6.12/debian/changelog gimp-2.6.12/debian/changelog
--- gimp-2.6.12/debian/changelog 2012-09-05 17:40:28.000000000 +0000
+++ gimp-2.6.12/debian/changelog 2012-12-06 18:33:05.000000000 +0000
@@ -1,3 +1,12 @@
+gimp (2.6.12-1ubuntu1.2) precise-security; urgency=low
+
+ * SECURITY UPDATE: code execution via malformed xwd files
+ - debian/patches/CVE-2012-5576.patch: validate sizes in
+ plug-ins/common/file-xwd.c.
+ - CVE-2012-5576
+
+ -- Marc Deslauriers Thu, 06 Dec 2012 13:32:41 -0500
+
 gimp (2.6.12-1ubuntu1.1) precise-security; urgency=low
 
 * SECURITY UPDATE: denial of service via malformed .fit file header
diff -Nru gimp-2.6.12/debian/patches/CVE-2012-5576.patch gimp-2.6.12/debian/patches/CVE-2012-5576.patch
--- gimp-2.6.12/debian/patches/CVE-2012-5576.patch 1970-01-01 00:00:00.000000000 +0000
+++ gimp-2.6.12/debian/patches/CVE-2012-5576.patch 2012-12-06 18:32:34.000000000 +0000
@@ -0,0 +1,167 @@
+Description: fix code execution via malformed xwd files
+Origin: upstream, http://git.gnome.org/browse/gimp/commit/?id=2873262fccba12af144ed96ed91be144d92ff2e1
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=687392
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693977
+
+Index: gimp-2.6.12/plug-ins/common/file-xwd.c
+===================================================================
+--- gimp-2.6.12.orig/plug-ins/common/file-xwd.c 2012-01-31 08:50:15.000000000 -0500
++++ gimp-2.6.12/plug-ins/common/file-xwd.c 2012-12-06 13:32:21.137094389 -0500
+@@ -186,11 +186,13 @@
+ static gint32 load_xwd_f2_d24_b32 (const gchar *,
+ FILE *,
+ L_XWDFILEHEADER *,
+- L_XWDCOLOR *);
++ L_XWDCOLOR *,
++ GError **);
+ static gint32 load_xwd_f1_d24_b1 (const gchar *,
+ FILE *,
+ L_XWDFILEHEADER *,
+- L_XWDCOLOR *);
++ L_XWDCOLOR *,
++ GError **);
+
+ static L_CARD32 read_card32 (FILE *,
+ gint *);
+@@ -536,7 +538,8 @@
+ case 1: /* Single plane pixmap */
+ if ((depth <= 24) && (bpp == 1))
+ {
+- image_ID = load_xwd_f1_d24_b1 (filename, ifp, &xwdhdr, xwdcolmap);
++ image_ID = load_xwd_f1_d24_b1 (filename, ifp, &xwdhdr, xwdcolmap,
++ error);
+ }
+ break;
+
+@@ -555,7 +558,8 @@
+ }
+ else if ((depth <= 24) && ((bpp == 24) || (bpp == 32)))
+ {
+- image_ID = load_xwd_f2_d24_b32 (filename, ifp, &xwdhdr, xwdcolmap);
++ image_ID = load_xwd_f2_d24_b32 (filename, ifp, &xwdhdr, xwdcolmap,
++ error);
+ }
+ break;
+ }
+@@ -565,7 +569,7 @@
+ if (xwdcolmap)
+ g_free (xwdcolmap);
+
+- if (image_ID == -1)
++ if (image_ID == -1 && ! (error && *error))
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("XWD-file %s has format %d, depth %d and bits per pixel %d. "
+ "Currently this is not supported."),
+@@ -1615,10 +1619,11 @@
+ /* Load XWD with pixmap_format 2, pixmap_depth up to 24, bits_per_pixel 24/32 */
+
+ static gint32
+-load_xwd_f2_d24_b32 (const gchar *filename,
+- FILE *ifp,
+- L_XWDFILEHEADER *xwdhdr,
+- L_XWDCOLOR *xwdcolmap)
++load_xwd_f2_d24_b32 (const gchar *filename,
++ FILE *ifp,
++ L_XWDFILEHEADER *xwdhdr,
++ L_XWDCOLOR *xwdcolmap,
++ GError **error)
+ {
+ register guchar *dest, lsbyte_first;
+ gint width, height, linepad, i, j, c0, c1, c2, c3;
+@@ -1643,12 +1648,6 @@
+ width = xwdhdr->l_pixmap_width;
+ height = xwdhdr->l_pixmap_height;
+
+- image_ID = create_new_image (filename, width, height, GIMP_RGB,
+- &layer_ID, &drawable, &pixel_rgn);
+-
+- tile_height = gimp_tile_height ();
+- data = g_malloc (tile_height * width * 3);
+-
+ redmask = xwdhdr->l_red_mask;
+ greenmask = xwdhdr->l_green_mask;
+ bluemask = xwdhdr->l_blue_mask;
+@@ -1676,6 +1675,22 @@
+ maxblue = 0; while (bluemask >> (blueshift + maxblue)) maxblue++;
+ maxblue = (1 << maxblue) - 1;
+
++ if (maxred > sizeof (redmap) ||
++ maxgreen > sizeof (greenmap) ||
++ maxblue > sizeof (bluemap))
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("XWD-file %s is corrupt."),
++ gimp_filename_to_utf8 (filename));
++ return -1;
++ }
++
++ image_ID = create_new_image (filename, width, height, GIMP_RGB,
++ &layer_ID, &drawable, &pixel_rgn);
++
++ tile_height = gimp_tile_height ();
++ data = g_malloc (tile_height * width * 3);
++
+ /* Set map-arrays for red, green, blue */
+ for (red = 0; red <= maxred; red++)
+ redmap[red] = (red * 255) / maxred;
+@@ -1815,10 +1830,11 @@
+ /* Load XWD with pixmap_format 1, pixmap_depth up to 24, bits_per_pixel 1 */
+
+ static gint32
+-load_xwd_f1_d24_b1 (const gchar *filename,
+- FILE *ifp,
+- L_XWDFILEHEADER *xwdhdr,
+- L_XWDCOLOR *xwdcolmap)
++load_xwd_f1_d24_b1 (const gchar *filename,
++ FILE *ifp,
++ L_XWDFILEHEADER *xwdhdr,
++ L_XWDCOLOR *xwdcolmap,
++ GError **error)
+ {
+ register guchar *dest, outmask, inmask, do_reverse;
+ gint width, height, linepad, i, j, plane, fromright;
+@@ -1853,13 +1869,6 @@
+ indexed = (xwdhdr->l_pixmap_depth <= 8);
+ bytes_per_pixel = (indexed ? 1 : 3);
+
+- image_ID = create_new_image (filename, width, height,
+- indexed ? GIMP_INDEXED : GIMP_RGB,
+- &layer_ID, &drawable, &pixel_rgn);
+-
+- tile_height = gimp_tile_height ();
+- data = g_malloc (tile_height * width * bytes_per_pixel);
+-
+ linepad = xwdhdr->l_bytes_per_line
+ - (xwdhdr->l_pixmap_width+7)/8;
+ if (linepad < 0)
+@@ -1908,6 +1917,16 @@
+ maxblue = 0; while (bluemask >> (blueshift + maxblue)) maxblue++;
+ maxblue = (1 << maxblue) - 1;
+
++ if (maxred > sizeof (redmap) ||
++ maxgreen > sizeof (greenmap) ||
++ maxblue > sizeof (bluemap))
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("XWD-file %s is corrupt."),
++ gimp_filename_to_utf8 (filename));
++ return -1;
++ }
++
+ /* Set map-arrays for red, green, blue */
+ for (red = 0; red <= maxred; red++)
+ redmap[red] = (red * 255) / maxred;
+@@ -1917,6 +1936,13 @@
+ bluemap[blue] = (blue * 255) / maxblue;
+ }
+
++ image_ID = create_new_image (filename, width, height,
++ indexed ? GIMP_INDEXED : GIMP_RGB,
++ &layer_ID, &drawable, &pixel_rgn);
++
++ tile_height = gimp_tile_height ();
++ data = g_malloc (tile_height * width * bytes_per_pixel);
++
+ ncols = xwdhdr->l_colormap_entries;
+ if (xwdhdr->l_ncolors < ncols)
+ ncols = xwdhdr->l_ncolors;
diff -Nru gimp-2.6.12/debian/patches/series gimp-2.6.12/debian/patches/series
--- gimp-2.6.12/debian/patches/series 2012-09-05 17:39:45.000000000 +0000
+++ gimp-2.6.12/debian/patches/series 2012-12-06 18:31:09.000000000 +0000
@@ -7,3 +7,4 @@
 CVE-2012-3236.patch
 CVE-2012-3403.patch
 CVE-2012-3481.patch
+CVE-2012-5576.patch
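Review bot: The new guard in debian/patches/CVE-2012-5576.patch (`maxred > sizeof (redmap) || …`, added at 1675 in load_xwd_f2_d24_b32 and again at 1917 in load_xwd_f1_d24_b1) compares the highest index with the map's byte size, yet the loop that follows writes `redmap[red]` for every `red <= maxred`, so the bound should be `>=` against the element count. With values of the form 2^k-1 the off-by-one looks latent rather than reachable, and the map declarations are outside the hunks, so `sizeof` equalling the element count is an assumption. The guard also has no lower bound: a zero channel mask in the header appears to leave `maxred` at 0, and `(red * 255) / maxred` then divides by zero, so each term would be safer as `maxred == 0 || maxred >= G_N_ELEMENTS (redmap)`. Separately, the relocated `g_malloc (tile_height * width * 3)` still multiplies the header-supplied width in `gint` with no overflow check. Both function bodies continue outside the hunks shown.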