GIMP Users Beware: Critical Vulnerabilities Demand Immediate Action

GIMP, the GNU Image Manipulation Program, is a widely used open-source image editing software that has gained immense popularity among graphic designers and enthusiasts. However, recent discoveries have revealed four critical security vulnerabilities that could pose a significant threat to users.

Created with GIMP

Vulnerability Overview

These vulnerabilities, collectively known as CVE-2023-44441, CVE-2023-44442, CVE-2023-44443, and CVE-2023-44444, all allow remote attackers to execute arbitrary code on affected installations of GIMP. This means that an attacker could gain complete control of a user’s computer simply by tricking them into opening a malicious file or visiting a malicious website.

The Technical Details

The vulnerabilities stem from improper validation of user-supplied data when parsing DDS, PSD, and PSP image files. This can lead to buffer overflows, integer overflows, and off-by-one errors, allowing attackers to inject their code into the running GIMP process.

These vulnerabilities, identified by security researcher MICHAEL RANDRIANANTENAINA via the Zero Day Initiative program [1, 2, 3, 4], pose a significant risk to GIMP users, as they can be exploited simply by opening a malicious file or visiting a malicious website.

Impact and Mitigation

These vulnerabilities are all rated as having a CVSS score of 7.8, indicating a high severity level. GIMP users must update to the latest version, GIMP 2.10.36, as this release addresses all four vulnerabilities.

Recommendations for Users

To stay safe, GIMP users should:

  • Update to GIMP 2.10.36 immediately.
  • Exercise caution when opening files from unknown sources.
  • Avoid visiting suspicious websites.