ISN 2023-35: GIMP Vulnerabilities

First published 22 January 2023

CVSS 3.1: 8.2 (High)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Summary

Multiple security vulnerabilities have been discovered in the GIMP image processing library used in IGEL OS. This affects the following IGEL products:

• IGEL OS 11 (not in the default configuration)

Details

GIMP is vulnerable to crafted files in several formats: Processing DDS, PSP or PSD files can cause overflows and enable remote code execution (CVE-2023-44441, CVE-2023-44442, CVE-2023-44443). This is rated as high. Crafted XCF files can exhaust memory or trigger an unhandled exception, which may lead to a denial of service (CVE-2022-30067, CVE-2022-32990), which is rated as medium.

Mitigation

GIMP is not active in the IGEL OS 11 default configuration. It is only mounted if you activate Scanner Support / SANE (Limited Support …) in System > Firmware Customization > Features in Setup. If you have it activated, you can deactivate it to mitigate this vulnerability.

Update Instructions

• OS 11: Update to IGEL OS version 11.09.210 or newer

References

• CVE-2023-44441: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44441
• CVE-2023-44442: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44442
• CVE-2023-44443: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44443
• CVE-2023-44444: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44444
• CVE-2022-30067: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30067  
• CVE-2022-32990: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32990