News

New version 2.10.36 of the Gimp image editor available

The developer fixed four security leaks. Attackers could use manipulated image files to plant malicious code on unsuspecting victims.

The free open source image editor Gimp has been released in version 2.10.36. It fixes security vulnerabilities that allow code smuggling.

The new version 2.10.36 of the Gimp image editor fixes four security leaks overall. Attackers could use manipulated image files to plant malicious code on unsuspecting victims. A quick update is therefore recommended.

Trend Micro's Zero Day Initiative (ZDI) discovered and reported the security vulnerabilities. They affect the image formats DDS, PSD and PSP, the processing of which can cause errors that attackers can misuse to inject and execute arbitrary code.

Due to a lack of length checking of user-controlled data before copying it to a heap-based buffer, attackers can execute code in the context of the current process when processing DDS files, explains the ZDI in a security notice (CVE-2023-44441, CVSS 7.8, risk high). However, this requires user interaction because they would have to open a malicious page or a malicious file.

The same type of error with the same consequences can be provoked when processing PSD files (CVE-2023-44442, CVSS 7.8, high). Insufficient checking of user-controlled data when processing PSP files can trigger an integer overflow before writing to memory - allowing attackers to smuggle in malicious code (CVE-2023-44443, CVSS 7.8, high). In addition, carefully crafted PSP files can provoke an "off-by-one" error when calculating a write position on the heap buffer, which also enables code smuggling (CVE-2023-44444, CVSS 7.8, high).

The GIMP version announcement does not go into detail about the vulnerabilities, but focuses on things like newly supported color palettes, non-square ratios in GIF images, and other improvements to the software. However, dependencies in the binary packages have also been updated, which patches recently discovered vulnerabilities in the libraries. The Gimp developers therefore always recommend updating Gimp to the latest packages. The new versions are available to download from the Gimp download page.

About Author

I am an editor at UpdateStar. I started as a support engineer, and am now specialized in writing about general software topics from a usability and performance angle among others. I telecommute from UpdateStar’s Berlin office, when I am not working remote as a digital nomad for UpdateStar.

Next Article

Previous Article