The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of GIMP

vulnerability note 26514

GIMP: file corruption via g_get_tmp_dir

Synthesis of the vulnerability

A local attacker can create a symbolic link used by g_get_tmp_dir(), in order to alter the pointed file, with privileges of GIMP.
Impacted products: GIMP.
Severity: 1/4.
Consequences: data creation/edition.
Provenance: user shell.
Creation date: 25/06/2018.
Identifiers: VIGILANCE-VUL-26514.


computer vulnerability note CVE-2017-17787

GIMP: out-of-bounds memory reading via PSP

Synthesis of the vulnerability

An attacker can force a read at an invalid address via PSP of GIMP, in order to trigger a denial of service, or to obtain sensitive information.
Impacted products: Debian, Fedora, GIMP, Ubuntu.
Severity: 1/4.
Consequences: data reading, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 20/12/2017.
Identifiers: 790853, CVE-2017-17787, DLA-1220-1, DSA-4077-1, FEDORA-2018-67b75f73fa, FEDORA-2018-ccef1ced42, USN-3539-1, VIGILANCE-VUL-24829.


computer vulnerability bulletin CVE-2017-17789

GIMP: buffer overflow via PSP

Synthesis of the vulnerability

An attacker can generate a buffer overflow via PSP of GIMP, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Fedora, GIMP, Solaris, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 20/12/2017.
Identifiers: 790849, bulletinapr2018, CVE-2017-17789, DLA-1220-1, DSA-4077-1, FEDORA-2018-67b75f73fa, FEDORA-2018-ccef1ced42, USN-3539-1, VIGILANCE-VUL-24828.


computer vulnerability announce CVE-2017-17784

GIMP: out-of-bounds memory reading via GBR

Synthesis of the vulnerability

An attacker can force a read at an invalid address via GBR of GIMP, in order to trigger a denial of service, or to obtain sensitive information.
Impacted products: Debian, Fedora, GIMP, Solaris, Ubuntu.
Severity: 1/4.
Consequences: data reading, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 20/12/2017.
Identifiers: 790784, bulletinapr2018, CVE-2017-17784, DLA-1220-1, DSA-4077-1, FEDORA-2018-67b75f73fa, FEDORA-2018-ccef1ced42, USN-3539-1, VIGILANCE-VUL-24827.


computer vulnerability alert CVE-2017-17788

GIMP: out-of-bounds memory reading via XCF

Synthesis of the vulnerability

An attacker can force a read at an invalid address via XCF of GIMP, in order to trigger a denial of service, or to obtain sensitive information.
Impacted products: Debian, Fedora, GIMP, Ubuntu.
Severity: 1/4.
Consequences: data reading, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 20/12/2017.
Identifiers: 790783, CVE-2017-17788, DLA-1220-1, DSA-4077-1, FEDORA-2018-67b75f73fa, FEDORA-2018-ccef1ced42, USN-3539-1, VIGILANCE-VUL-24826.


computer vulnerability CVE-2017-17786

GIMP: out-of-bounds memory reading via TGA

Synthesis of the vulnerability

An attacker can force a read at an invalid address via TGA of GIMP, in order to trigger a denial of service, or to obtain sensitive information.
Impacted products: Debian, Fedora, GIMP, Ubuntu.
Severity: 1/4.
Consequences: data reading, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 20/12/2017.
Identifiers: 739134, CVE-2017-17786, DLA-1220-1, DSA-4077-1, FEDORA-2018-67b75f73fa, FEDORA-2018-ccef1ced42, USN-3539-1, VIGILANCE-VUL-24825.


vulnerability note CVE-2017-17785

GIMP: buffer overflow via FLI

Synthesis of the vulnerability

An attacker can generate a buffer overflow via FLI of GIMP, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Fedora, GIMP, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 20/12/2017.
Identifiers: 739133, CVE-2017-17785, DLA-1220-1, DSA-4077-1, FEDORA-2018-67b75f73fa, FEDORA-2018-ccef1ced42, FLIMP, USN-3539-1, VIGILANCE-VUL-24824.


vulnerability announce CVE-2007-3126

GIMP: denial of service via ICO InfoHeader

Synthesis of the vulnerability

An attacker can generate a fatal error via ICO InfoHeader of GIMP, in order to trigger a denial of service.
Impacted products: GIMP, openSUSE Leap.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Creation date: 13/04/2017.
Identifiers: CVE-2007-3126, openSUSE-SU-2017:0994-1, VIGILANCE-VUL-22452.


vulnerability announce CVE-2016-4994

GIMP: use after free in the XCF parser

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area in the XCF file parser of GIMP, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Fedora, GIMP, openSUSE, openSUSE Leap, Solaris, RHEL, Slackware, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 27/06/2016.
Identifiers: bulletinjan2017, CVE-2016-4994, DLA-525-1, DSA-3612-1, FEDORA-2016-20db5e796b, FEDORA-2016-6122983949, FEDORA-2016-acbd6a75f3, openSUSE-SU-2016:1727-1, RHSA-2016:2589-02, SSA:2016-203-01, USN-3025-1, VIGILANCE-VUL-19972.

Description of the vulnerability

GIMP is an image processing application.

Its native file format, XCF, records the multiple layers that make up an image, along with information about their transparency. However, some cases of use after free have been identified in the code that parses XCF files.

An attacker can therefore force the usage of a freed memory area in the XCF file parser of GIMP, in order to trigger a denial of service, and possibly to run code.

vulnerability alert 18671

Windows: code execution during application installation

Synthesis of the vulnerability

An attacker can invite the victim to download malicious libraries on Windows, in order to run code during the installation of an application requiring these DLLs.
Impacted products: 7-Zip, ZoneAlarm, FileZilla Server, GIMP, Chrome, Kaspersky AV, Windows 10, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows (platform) ~ not comprehensive, Windows RT, Windows Vista, Opera, Panda AV, Panda Internet Security, PuTTY, OfficeScan, TrueCrypt, VLC.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: document.
Creation date: 11/01/2016.
Identifiers: sk110055, VIGILANCE-VUL-18671.

Description of the vulnerability

When a user installs a new application on Windows, they download the installation program (install.exe for example), and then run it.

However, several installation programs load DLLs (for example graph.dll) from the current directory. So, if an attacker has invited the victim to download a malicious graph.dll file before the victim runs install.exe from the Download directory, the code located in the DLL is run.

See also the bulletin VIGILANCE-VUL-19558 for other impacted products.

An attacker can therefore invite the victim to download malicious libraries on Windows, in order to run code during the installation of an application requiring these DLLs.