CVE-2018-12713

Published: 24 June 2018

GIMP through 2.10.2 makes g_get_tmp_dir calls to establish temporary filenames, which may result in a filename that already exists, as demonstrated by the gimp_write_and_read_file function in app/tests/test-xcf.c. This might be leveraged by attackers to overwrite files or read file content that was intended to be private.

Priority

CVSS 3 base score: 9.1

Status

Package	Release	Status
gimp Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 21.04 (Hirsute Hippo)	Needs triage
	Ubuntu 20.04 LTS (Focal Fossa)	Needs triage
	Ubuntu 18.04 LTS (Bionic Beaver)	Needs triage
	Ubuntu 16.04 ESM (Xenial Xerus)	Ignored (end of standard support, was needs-triage)
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist (trusty was needs-triage)

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12713
https://github.com/GNOME/gimp/commit/c21eff4b031acb04fb4dfce8bd5fdfecc2b6524f
https://gitlab.gnome.org/GNOME/gimp/issues/1689
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

CVE-2018-12713

Low

Status

References

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading