GIMP: Code smuggling loophole in version branch 2

Attackers can exploit two security vulnerabilities in the graphics program GIMP to inject malicious code. Switching to GIMP 3 provides protection.


Trend Micro's Zero Day Initiative (ZDI) has found two vulnerabilities in the free graphics program GIMP. Attackers can misuse them to smuggle in and execute malicious code. Version 3 of GIMP provides a remedy.

Like the GIMP project, the ZDI has now made the vulnerability reports public. CVE entries do not exist yet but are expected to follow shortly. The ZDI forensic experts discovered the vulnerabilities in GIMP 2.10.38, the most recent version of the 2 development branch.

One vulnerability lies in the processing of FLI files: it makes it possible to write to memory outside the intended bounds. According to the security release, this can lead to the execution of malicious code from the network (still without CVE, CVSS 7.8, risk “high”). The second vulnerability concerns the parser for XWD files: an integer overflow can occur there, followed by a write outside the intended memory bounds, which likewise allows malicious code to be executed (still without CVE, CVSS 7.8, risk “high”).
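The bug class described for the XWD parser, shown as an added example that is not GIMP's code and not taken from the ZDI reports: a buffer size computed from header fields wraps in 32-bit arithmetic, and the hardened form rejects such a header before anything is allocated or written. The struct, its field names and the 1 GiB limit are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header fields, read verbatim from an untrusted image file. */
struct img_hdr { uint32_t width, height, bytes_per_pixel; };

#define MAX_IMAGE_BYTES ((uint64_t)1 << 30)   /* assumed policy limit: 1 GiB */

/* Unchecked: the product is computed modulo 2^32 and wraps silently, so a
 * later row-by-row write loop driven by width/height overruns the buffer. */
uint32_t size_unchecked(const struct img_hdr *h)
{
    return h->width * h->height * h->bytes_per_pixel;
}

/* Checked: widen to 64 bits and test against the limit by division, so no
 * intermediate product can wrap. Returns false for headers to reject. */
bool size_checked(const struct img_hdr *h, size_t *out)
{
    if (h->width == 0 || h->height == 0)
        return false;
    if (h->bytes_per_pixel == 0 || h->bytes_per_pixel > 4)
        return false;
    uint64_t row = (uint64_t)h->width * h->bytes_per_pixel;  /* < 2^34 */
    if (row > MAX_IMAGE_BYTES / h->height)
        return false;
    *out = (size_t)(row * h->height);
    return true;
}

int main(void)
{
    /* Constructed sample headers. */
    struct img_hdr ok       = { 640u, 480u, 4u };
    struct img_hdr wrapping = { 0x10001u, 0x10000u, 1u };  /* true size > 4 GiB */
    size_t n = 0;

    printf("unchecked(wrapping) = %u bytes\n", (unsigned)size_unchecked(&wrapping));
    printf("checked(wrapping)   = %s\n", size_checked(&wrapping, &n) ? "accept" : "reject");
    if (size_checked(&ok, &n))
        printf("checked(ok)         = %zu bytes\n", n);
    return 0;
}
```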


The GIMP developers have closed the security gaps in GIMP 3. GIMP users should therefore update to the new version branch to minimize the attack surface on their systems. On Windows 10 and 11, GIMP 3 can be conveniently installed from the Microsoft Store, which will then also ensure that the software is updated promptly if necessary. On Linux, users usually need to open their distribution's software management tool so that it can check for updates and install them.

GIMP 3 was released in mid-March and was long awaited, as it took seven years to develop. The new version features non-destructive filters, improved support for high-resolution displays (HiDPI) and extended color spaces.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.