[security - high] gimp:2.8 security update
Errata ID: AXSA:2026-350:01
The GIMP (GNU Image Manipulation Program) is an image composition and editing program. GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo.
Security Fix(es):
* gimp: GIMP: Remote Code Execution via uninitialized memory in PGM file parsing (CVE-2026-2044)
* gimp: GIMP: Remote Code Execution via out-of-bounds write in XWD file parsing (CVE-2026-2045)
* gimp: GIMP: Remote Code Execution via ICO File Parsing Vulnerability (CVE-2026-0797)
* gimp: GIMP: Remote Code Execution via XWD file parsing vulnerability (CVE-2026-2048)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-0797
GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ICO files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28599.
CVE-2026-2044
GIMP PGM File Parsing Uninitialized Memory Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PGM files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28158.
CVE-2026-2045
GIMP XWD File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XWD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28265.
CVE-2026-2048
GIMP XWD File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XWD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28591.
Modularity name: "gimp"
Stream name: "2.8"
Update packages.
SRPMS
- gimp-2.8.22-26.module+el8+1965+420e36f1.5.src.rpm
MD5: 86273c8a1111596a97000841ca925e0e
SHA-256: ebcc2d2d17bbd212039a5cdb9054b568b0a0d862aa3965d5beef536a72bc07a1
Size: 20.07 MB
- pygobject2-2.28.7-5.module+el8+1965+420e36f1.src.rpm
MD5: 833fab37cbe58e0ef3de250bac71a9d4
SHA-256: 32913f5f938d9dc7cf115702b4ac3e039248cd66f93a7b97799c1788caae6146
Size: 750.83 kB
- pygtk2-2.24.0-25.module+el8+1965+420e36f1.src.rpm
MD5: f3dfd1542b9c17177dd4ee03c3faaa49
SHA-256: 72f9f3d9e45ed40c905207110c977b50d59c6db6c2d3ac6b79db9fa02f796815
Size: 2.28 MB
- python2-pycairo-1.16.3-7.module+el8+1965+420e36f1.src.rpm
MD5: c9d00cdc079e970e79ca31148d262bb9
SHA-256: 7e5d4cd826a514733df685454c103eb52bd1e545018c0eca5f03845c05b98def
Size: 199.60 kB
Asianux Server 8 for x86_64
- gimp-2.8.22-26.module+el8+1965+420e36f1.5.x86_64.rpm
MD5: 0c02424e866ea20976907452b490277d
SHA-256: 90488c05ac8f92bad6f414fe013759af1919311a36ece90e5a936e98e0fd2edd
Size: 14.96 MB
- gimp-debugsource-2.8.22-26.module+el8+1965+420e36f1.5.x86_64.rpm
MD5: af8b41f353ec76ab5d2d498081d2df25
SHA-256: d8ee8066a711dd4bc8e7e2e0b7990e710ca452c5dbb59260d4a6164e21f043af
Size: 4.50 MB
- gimp-devel-2.8.22-26.module+el8+1965+420e36f1.5.x86_64.rpm
MD5: 1e55abc664953b72c04706ff5260485b
SHA-256: c2e68c6f37a921950610032f4224f9e6d4e77137a5b8d34da987d990254696f8
Size: 940.39 kB
- gimp-devel-tools-2.8.22-26.module+el8+1965+420e36f1.5.x86_64.rpm
MD5: 5f3e17efa0cc2361e79124cb4d150fbc
SHA-256: 263903c9fd6d805f8858fcc004b45afba155440896210be3cb7583b72a9490bf
Size: 79.37 kB
- gimp-libs-2.8.22-26.module+el8+1965+420e36f1.5.x86_64.rpm
MD5: b86b1d396011047009312420fc9d6ddf
SHA-256: 1c4b543bf3116b6ae4fb4afab3891a8a6399574a0cb3d34bc97c60593d23edac
Size: 1.40 MB
- pygobject2-2.28.7-5.module+el8+1965+420e36f1.x86_64.rpm
MD5: 07c4e3abe5f00ef56eee8351670ef657
SHA-256: bf0617ae7f9b492dd84b02448ca6afe50bd0274eda546a5e157db9e6eac0ec4d
Size: 235.13 kB
- pygobject2-codegen-2.28.7-5.module+el8+1965+420e36f1.x86_64.rpm
MD5: a7b41e34247f5f4e1205a59ff87ecde1
SHA-256: 280719674b446e2d45178bd7c055436eb58b7cb3e8a99fc004183f548021a4ea
Size: 108.42 kB
- pygobject2-debugsource-2.28.7-5.module+el8+1965+420e36f1.x86_64.rpm
MD5: 0d2dd2599fa97cd2a1ccac7603f73d44
SHA-256: 71dde25d10d48577677267f143f0987b198b8bcfa929ec7bcf304aa8fc063df9
Size: 156.13 kB
- pygobject2-devel-2.28.7-5.module+el8+1965+420e36f1.x86_64.rpm
MD5: c8c5e26ebceb3800588ea952ee68f117
SHA-256: 60021b8b02dbe2ee77b31a7f70b5010330686aa56cfd7fb4196cb722e454d886
Size: 71.82 kB
- pygobject2-doc-2.28.7-5.module+el8+1965+420e36f1.x86_64.rpm
MD5: 7b177f2d79772c4f8192461191a8a265
SHA-256: 93d6fdb5acfaee4119bfde471813afe815656dcf5ce3c7ee4c4ed2a0ce6148b9
Size: 129.60 kB
- pygtk2-2.24.0-25.module+el8+1965+420e36f1.x86_64.rpm
MD5: 2e979cb9b1ec542473364952264c3a2d
SHA-256: 5d301b5092a587b81702da4260ffe0c88e9e7c024009422e945cd5be6397f04d
Size: 928.62 kB
- pygtk2-codegen-2.24.0-25.module+el8+1965+420e36f1.x86_64.rpm
MD5: 54f008c1836cfff38c24da74e140c09f
SHA-256: 3af63481d29d443247bb00b7de0e9b1c3c12f2768854bd794b2def8e97cd3e0a
Size: 22.19 kB
- pygtk2-debugsource-2.24.0-25.module+el8+1965+420e36f1.x86_64.rpm
MD5: 4f15e6ab68c79f7c1257f622d44a12da
SHA-256: 8f36a55d6f86dc2ecadf457886a9fa2ba070fcfb2e7c8dcc88c2f8560afb41d1
Size: 464.88 kB
- pygtk2-devel-2.24.0-25.module+el8+1965+420e36f1.x86_64.rpm
MD5: e3f37a8b22fdbb5e29a5ab27f424e479
SHA-256: eec954712d9f4cf9693d0e692d78274b9ebebb37cd5e615b1971779b87397608
Size: 151.10 kB
- pygtk2-doc-2.24.0-25.module+el8+1965+420e36f1.noarch.rpm
MD5: df63490ad6b4a6c5c0f1c1f4b79163ce
SHA-256: 4eb28b89ade10d7c454b45b8fd8d3dbccdb2223b121b7e80c4f8d138c7dd0e9c
Size: 1.19 MB
- python2-cairo-1.16.3-7.module+el8+1965+420e36f1.x86_64.rpm
MD5: 6894d1f45ce81383138984755a10efca
SHA-256: 50901719862741fd7ef2a9c90105b9eeb1dc40fcc94130ec6eefc0d808a0fb56
Size: 88.65 kB
- python2-cairo-devel-1.16.3-7.module+el8+1965+420e36f1.x86_64.rpm
MD5: 0c22e128afc6b06a5b66029fa56b01b6
SHA-256: 7c6d672c10cbb66d493c40c67d02372def096949307857baa477e4eb1bcefb91
Size: 15.97 kB
- python2-pycairo-debugsource-1.16.3-7.module+el8+1965+420e36f1.x86_64.rpm
MD5: 50aecf255435696bbcaa253b1a7fe09c
SHA-256: 7383bc6c2dc9302a4e1d67a239e271e14e1cc7b9b455ccf3c346892238d2ed76
Size: 55.97 kB