
Gentoo alert 202601-03 (GIMP)

From:  glsamaker@gentoo.org
To:  gentoo-announce@lists.gentoo.org
Subject:  [gentoo-announce] [ GLSA 202601-03 ] GIMP: Arbitrary Code Execution
Date:  Mon, 26 Jan 2026 10:28:40 -0000
Message-ID:  <176942332112.7.1204702290566633885@3f85d36892cf>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory                 GLSA 202601-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Severity: High
    Title: GIMP: Arbitrary Code Execution
     Date: January 26, 2026
     Bugs: #965334
       ID: 202601-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in GIMP which can lead to execution
of arbitrary code.

Background
==========

GIMP is the GNU Image Manipulation Program. XCF is the native image file
format used by GIMP. The flaw described below is in GIMP's importer for
XWD (X Window Dump) files, a legacy X11 screen-dump format, not in XCF
handling.

Affected packages
=================

Package         Vulnerable     Unaffected
--------------  ------------   -------------
media-gfx/gimp  < 2.10.38-r3   >= 2.10.38-r3

Description
===========

A vulnerability has been discovered in GIMP. Please review the CVE
identifier referenced below for details.

Impact
======

This vulnerability allows remote attackers to execute arbitrary code on
affected installations of GIMP. User interaction is required to exploit
this vulnerability in that the target must visit a malicious page or open
a malicious file.

The specific flaw exists within the parsing of XWD files. The issue
results from the lack of proper validation of the length of user-supplied
data prior to copying it to a heap-based buffer. An attacker can leverage
this vulnerability to execute code in the context of the current process,
i.e. with the privileges of the user running GIMP.

Workaround
==========

There is no known workaround at this time.
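The Impact section names the bug class (a length taken from the file is used to copy into a heap buffer that was sized without checking that length) but, as GLSAs do, gives no code. The C program below is an added illustration written for this page; it is not GIMP's code and does not reproduce the actual defect in GIMP's XWD loader, whose details the advisory does not give. It parses a constructed XWD file using the real X11 layout (25 big-endian 32-bit header fields, with ncolors at field index 19, followed by 12-byte colormap entries) and loads the colormap two ways: a loader that allocates a fixed heap buffer and copies ncolors entries unchecked, and a hardened loader that validates header_size and ncolors against the allocation and the file length before copying. All function names, the MAX_COLORS limit and the sample files are this example's own assumptions.

```c
/*
 * Added illustration for this page, not GIMP's code: a toy XWD (X Window
 * Dump) colormap loader showing the bug class the advisory describes (a
 * length read from the file used to copy into a heap buffer sized without
 * checking it) beside a bounds-checked version. The XWD layout is the real
 * X11 one; function names, MAX_COLORS and the sample files are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XWD_HEADER_SIZE 100  /* 25 x uint32 */
#define XWD_COLOR_SIZE  12   /* pixel(4) red(2) green(2) blue(2) flags(1) pad(1) */
#define MAX_COLORS      256  /* fixed colormap allocation made by the toy loader */

/* uint32 field indices in the XWD header (only the ones used here). */
enum { F_HEADER_SIZE = 0, F_FILE_VERSION = 1, F_NCOLORS = 19 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

typedef struct { uint32_t header_size, ncolors; } xwd_hdr;

/* Read the two header fields the loaders need; -1 if shorter than a header. */
int xwd_parse_header(const uint8_t *buf, size_t len, xwd_hdr *h) {
    if (len < XWD_HEADER_SIZE) return -1;
    h->header_size = be32(buf + 4 * F_HEADER_SIZE);
    h->ncolors     = be32(buf + 4 * F_NCOLORS);
    return 0;
}

/* VULNERABLE pattern: allocate MAX_COLORS entries, copy ncolors entries unchecked. */
int xwd_load_colormap_vulnerable(const uint8_t *buf, size_t len, uint8_t **out) {
    xwd_hdr h;
    if (xwd_parse_header(buf, len, &h) < 0) return -1;
    uint8_t *colors = malloc(MAX_COLORS * XWD_COLOR_SIZE);
    if (!colors) return -1;
    /* BUG: ncolors and header_size come from the file and are never compared
     * with the allocation or with len; ncolors > 256 writes past the heap chunk. */
    memcpy(colors, buf + h.header_size, (size_t)h.ncolors * XWD_COLOR_SIZE);
    *out = colors;
    return (int)h.ncolors;
}

/* HARDENED: every length derived from the file is checked before it is used. */
int xwd_load_colormap_hardened(const uint8_t *buf, size_t len, uint8_t **out) {
    xwd_hdr h;
    *out = NULL;
    if (xwd_parse_header(buf, len, &h) < 0) return -1;
    if (h.header_size < XWD_HEADER_SIZE || h.header_size > len) return -2; /* bad header_size */
    if (h.ncolors > MAX_COLORS) return -3;            /* would exceed the allocation */
    size_t need = (size_t)h.ncolors * XWD_COLOR_SIZE; /* cannot overflow: <= 256*12 */
    if (need > len - h.header_size) return -4;        /* colormap runs past end of file */
    uint8_t *colors = malloc(need ? need : 1);
    if (!colors) return -1;
    memcpy(colors, buf + h.header_size, need);
    *out = colors;
    return (int)h.ncolors;
}

/* Constructed sample file: header with the given header_size/ncolors fields,
 * no window name, then color_bytes bytes of colormap data. Returns total length. */
size_t make_xwd(uint8_t *buf, size_t cap, uint32_t header_size_field,
                uint32_t ncolors, size_t color_bytes) {
    size_t total = XWD_HEADER_SIZE + color_bytes;
    if (cap < total) return 0;
    memset(buf, 0, total);
    put32(buf + 4 * F_HEADER_SIZE, header_size_field);
    put32(buf + 4 * F_FILE_VERSION, 7); /* XWD_FILE_VERSION */
    put32(buf + 4 * F_NCOLORS, ncolors);
    for (size_t i = 0; i < color_bytes; i++) buf[XWD_HEADER_SIZE + i] = (uint8_t)i;
    return total;
}

/* Run one loader on one constructed file and return its result code.
 * The vulnerable loader is only ever run here on the well-formed file. */
int scenario(uint32_t header_size_field, uint32_t ncolors, size_t color_bytes, int hardened) {
    uint8_t file[XWD_HEADER_SIZE + 64 * XWD_COLOR_SIZE];
    uint8_t *colors = NULL;
    size_t len = make_xwd(file, sizeof file, header_size_field, ncolors, color_bytes);
    if (len == 0) return -99;
    int rc = hardened ? xwd_load_colormap_hardened(file, len, &colors)
                      : xwd_load_colormap_vulnerable(file, len, &colors);
    free(colors);
    return rc;
}

int main(void) {
    printf("well-formed, vulnerable loader: %d\n", scenario(100, 4, 48, 0));
    printf("well-formed, hardened loader:   %d\n", scenario(100, 4, 48, 1));
    printf("ncolors=100000, hardened:       %d\n", scenario(100, 100000, 48, 1));
    printf("truncated colormap, hardened:   %d\n", scenario(100, 16, 24, 1));
    printf("header_size > file, hardened:   %d\n", scenario(5000, 4, 48, 1));
    return 0;
}
```

The hardened loader rejects three distinct malformed inputs that the unchecked loader would treat as valid: a colormap count larger than the allocation, a colormap that runs past the end of the file, and a header_size that points outside the buffer. Checking the count against a fixed upper bound before multiplying is what keeps the size computation itself from overflowing.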
Resolution
==========

All GIMP users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-gfx/gimp-3.0.6"

All GIMP 2.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-gfx/gimp-2.10.38-r3 =media-gfx/gimp-2*"

References
==========

[ 1 ] CVE-2025-10934
      https://nvd.nist.gov/vuln/detail/CVE-2025-10934
[ 2 ] GHSA-wv7v-cchq-8fjh

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202601-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2026 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5


Attachment: signature.asc (type=application/pgp-signature)

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAml3QdgACgkQFMQkOaVy
+9nkOw//UZeUsBLzyqODiJBeOoaQ2dHOUuIxk6SMpWLbC56+pC5SNrz1gDcrTyOo
Guu8qlv5GS1BUBcYPZ3Gf8KfY4ELG4GxXrh6Zh0bZ1IkaXWPx9S6VcHDpqjrlBD3
RFSIYNJqko+ms9qWeFVCJICJaV8YT551Zr94yHYQrdL8qxolE1RTTY42/VAVc64x
90EJWOyX1Xbmuz2zEzClx2o3TUjWRQajIBrfE2iGMD7jSHVbfYkmQNrh1k/0kq5f
l3wAGm8PoDbm3BHm9h7HhPlC9FZ5kACv35o10HRlI4RVEhtX8DJB8WMX7MlcGafX
yk7C+31EgEnFygL5AbLGgP3kgJeQ/F6LfUNkQ6bbJrxRaqQu7WMh+8j2y8a7HGpI
y8Oz7mqDiE6x9ei6DTc8vAgWt5MZfW6Lrs4E5D9d+6CwwDThuZeLf4X1aCBbvPYY
vddJoAeq5uaEQNRqpYxcATES5AMPUMOyQ6g75bmMVoxZQGxSnNX6gbjgawBw7NhH
GmgQlGr0txvMk0o0zRd/SbqSXF13uSlb5dpwuRuT/K2h2wICriOFEUospaOGZjYQ
iLEm0tX31X92HHeDl8SCRaYqhNzOTawEOhPmSDxDM8ZU7uxUJI/MqSORoe65wZ78
903Tv9UfhEI+5pRYRqZo6JVkBL6+enUDtoElY/a0N4cKwoJAFJw=
=Mtr+
-----END PGP SIGNATURE-----




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds