GIMP Users Beware: Critical Vulnerabilities Demand Immediate Action
GIMP, the GNU Image Manipulation Program, is a widely used open-source image editing software that has gained immense popularity among graphic designers and enthusiasts. However, recent discoveries have revealed four critical security vulnerabilities that could pose a significant threat to users.
These vulnerabilities, collectively known as CVE-2023-44441, CVE-2023-44442, CVE-2023-44443, and CVE-2023-44444, all allow remote attackers to execute arbitrary code on affected installations of GIMP. This means that an attacker could gain complete control of a user’s computer simply by tricking them into opening a malicious file or visiting a malicious website.
The Technical Details
The vulnerabilities stem from improper validation of user-supplied data when parsing DDS, PSD, and PSP image files. This can lead to buffer overflows, integer overflows, and off-by-one errors, allowing attackers to inject their code into the running GIMP process.
These vulnerabilities, identified by security researcher MICHAEL RANDRIANANTENAINA via the Zero Day Initiative program [1, 2, 3, 4], pose a significant risk to GIMP users, as they can be exploited simply by opening a malicious file or visiting a malicious website.
Impact and Mitigation
These vulnerabilities are all rated as having a CVSS score of 7.8, indicating a high severity level. GIMP users must update to the latest version, GIMP 2.10.36, as this release addresses all four vulnerabilities.
Recommendations for Users
To stay safe, GIMP users should:
- Update to GIMP 2.10.36 immediately.
- Exercise caution when opening files from unknown sources.
- Avoid visiting suspicious websites.