CVE-2018-12713

Published: 24 June 2018

GIMP through 2.10.2 makes g_get_tmp_dir calls to establish temporary filenames, which may result in a filename that already exists, as demonstrated by the gimp_write_and_read_file function in app/tests/test-xcf.c. This might be leveraged by attackers to overwrite files or read file content that was intended to be private.
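The failure mode described above, sketched as an added example; this is not GIMP's code and not the upstream patch. POSIX calls stand in for GLib's g_get_tmp_dir, and the function names and the tmpdemo- prefix are made up for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for mkstemp() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* POSIX stand-in for g_get_tmp_dir(): $TMPDIR, else /tmp (assumption). */
static const char *tmp_dir(void) {
    const char *d = getenv("TMPDIR");
    return (d && *d) ? d : "/tmp";
}

/* Risky: fixed name in a shared directory, opened without O_EXCL.
 * Anything already at that path is reused and truncated. */
int open_tmp_predictable(const char *name, char *path, size_t n) {
    snprintf(path, n, "%s/%s", tmp_dir(), name);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Safer: O_CREAT|O_EXCL fails with EEXIST if the path exists,
 * including when it is a symbolic link. */
int open_tmp_exclusive(const char *name, char *path, size_t n) {
    snprintf(path, n, "%s/%s", tmp_dir(), name);
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred: mkstemp() picks a unique name and creates the file
 * exclusively with mode 0600. */
int open_tmp_unique(char *path, size_t n) {
    snprintf(path, n, "%s/tmpdemo-XXXXXX", tmp_dir());
    return mkstemp(path);
}

/* Size of the file at path, or -1 if it cannot be stat'ed. */
long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

int main(void) {
    char path[4096];
    int fd = open_tmp_unique(path, sizeof path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("created %s\n", path);
    close(fd);
    return unlink(path) != 0;
}
```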

Notes

Author: amurray
Note: This code is part of the unit tests for gimp which are not distributed in Ubuntu

Priority

Negligible

CVSS 3 base score: 9.1

Status

Package: gimp (Launchpad, Ubuntu, Debian)

Release    Status
artful     Ignored (reached end-of-life)
bionic     Needed
cosmic     Ignored (reached end-of-life)
disco      Ignored (reached end-of-life)
eoan       Ignored (reached end-of-life)
focal      Needed
groovy     Ignored (reached end-of-life)
hirsute    Ignored (reached end-of-life)
impish     Ignored (reached end-of-life)
jammy      Needed
precise    Does not exist
trusty     Does not exist (trusty was needs-triage)
upstream   Needs triage
xenial     Ignored (end of standard support, was needs-triage)

Patches:
upstream: https://github.com/GNOME/gimp/commit/c21eff4b031acb04fb4dfce8bd5fdfecc2b6524f