Use-after-free vulnerability in the xcf_load_image function in app/xcf/xcf-load.c in GIMP allows remote attackers to cause a denial of service (program crash) or possibly execute arbitrary code via a crafted XCF file.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Use-after-free vulnerability in the xcf_load_image function in app/xcf/xcf-load.c in GIMP allows remote     attackers to cause a denial of service (program crash) or possibly execute arbitrary code via a crafted     XCF file. (CVE-2016-4994)

Note that Nessus relies on the presence of the package as reported by the vendor.

According to the version of the gimp packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - Use-after-free vulnerability in the xcf_load_image     function in app/xcf/xcf-load.c in GIMP allows remote     attackers to cause a denial of service (program crash)     or possibly execute arbitrary code via a crafted XCF     file.(CVE-2016-4994)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the gimp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Multiple use-after-free vulnerabilities were found in     GIMP in the channel and layer properties parsing     process when loading XCF files.An attacker could create     a specially crafted XCF file which could cause GIMP to     crash. (CVE-2016-4994)

  - GIMP through 2.10.2 makes g_get_tmp_dir calls to     establish temporary filenames, which may result in a     filename that already exists, as demonstrated by the     gimp_write_and_read_file function in     app/tests/test-xcf.c. This might be leveraged by     attackers to overwrite files or read file content that     was intended to be private.(CVE-2018-12713)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the gimp, gimp-help packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - Multiple use-after-free vulnerabilities were found in     GIMP in the channel and layer properties parsing     process when loading XCF files.An attacker could create     a specially crafted XCF file which could cause GIMP to     crash. (CVE-2016-4994)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The following packages have been upgraded to a newer upstream version:
gimp (2.8.16), gimp-help (2.8.2).

Security Fix(es) :

  - Multiple use-after-free vulnerabilities were found in     GIMP in the channel and layer properties parsing process     when loading XCF files. An attacker could create a     specially crafted XCF file which could cause GIMP to     crash. (CVE-2016-4994)

Additional Changes :

An update for gimp and gimp-help is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The GIMP (GNU Image Manipulation Program) is an image composition and editing program. GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo.

The following packages have been upgraded to a newer upstream version:
gimp (2.8.16), gimp-help (2.8.2). (BZ#1298226, BZ#1370595)

Security Fix(es) :

* Multiple use-after-free vulnerabilities were found in GIMP in the channel and layer properties parsing process when loading XCF files.
An attacker could create a specially crafted XCF file which could cause GIMP to crash. (CVE-2016-4994)

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2016-2589 advisory.

    - avoid buffer overflows in file-xwd plug-in (CVE-2013-1913, CVE-2013-1978)

    gimp-help

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2016:2589 advisory.

    The GIMP (GNU Image Manipulation Program) is an image composition and editing program. GIMP provides a     large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and     anti-aliasing, and conversions, all with multi-level undo.

    The following packages have been upgraded to a newer upstream version: gimp (2.8.16), gimp-help (2.8.2).
    (BZ#1298226, BZ#1370595)

    Security Fix(es):

    * Multiple use-after-free vulnerabilities were found in GIMP in the channel and layer properties parsing     process when loading XCF files. An attacker could create a specially crafted XCF file which could cause     GIMP to crash. (CVE-2016-4994)

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

gimp was updated to fix one security issue. This security issue was fixed :

  - CVE-2016-4994: Use-after-free vulnerabilities in the     channel and layer properties parsing process     (bsc#986021).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The GIMP team reports :

A Use-after-free vulnerability was found in the xcf_load_image function.

New gimp packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix a security issue.

Security fix for CVE-2016-4994

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 14.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-3025-1 advisory.

    It was discovered that GIMP incorrectly handled malformed XCF files. If a user were tricked into opening a     specially crafted XCF file, an attacker could cause GIMP to crash, or possibly execute arbitrary code with     the user's privileges.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

gimp was updated to version 2.8.16 to fix one security issue.

This security issue was fixed :

  - CVE-2016-4994: Use-after-free vulnerabilities in the     channel and layer properties parsing process     (bsc#986021).

This non-security issues were fixed :

  - Core :

  - Seek much less when writing XCF

  - Don't seek past the end of the file when writing XCF

  - Fix velocity parameter on .GIH brushes

  - Fix brokenness while transforming certain sets of linked     layers

  - GUI :

  - Always show image tabs in single window mode

  - Fix switching of dock tabs by DND hovering

  - Don't make the scroll area for tags too small

  - Fixed a crash in the save dialog

  - Fix issue where ruler updates made things very slow on     Windows

-Plug-ins :

  - Fix several issues in the BMP plug-in

  - Make Gfig work with the new brush size behavior again

  - Fix font export in the PDF plug-in

  - Support layer groups in OpenRaster files

  - Fix loading of PSD files with layer groups

Shmuel H discovered that GIMP, the GNU Image Manipulation Program, is prone to a use-after-free vulnerability in the channel and layer properties parsing process when loading a XCF file. An attacker can take advantage of this flaw to potentially execute arbitrary code with the privileges of the user running GIMP if a specially crafted XCF file is processed.

It was discovered that there was a use-after-free vulnerability in the channel and layer properties parsing process in Gimp, the GNU Image Manipulation Program.

For Debian 7 'Wheezy', this issue has been fixed in gimp version 2.8.2-2+deb7u2.

We recommend that you upgrade your gimp packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
219682	Linux Distros Unpatched Vulnerability : CVE-2016-4994	Nessus	Misc.	high
131624	EulerOS 2.0 SP2 : gimp (EulerOS-SA-2019-2471)	Nessus	Huawei Local Security Checks	high
129214	EulerOS 2.0 SP3 : gimp (EulerOS-SA-2019-2021)	Nessus	Huawei Local Security Checks	critical
99835	EulerOS 2.0 SP1 : gimp, gimp-help (EulerOS-SA-2016-1075)	Nessus	Huawei Local Security Checks	high
95839	Scientific Linux Security Update : gimp on SL7.x x86_64 (20161103)	Nessus	Scientific Linux Local Security Checks	high
95335	CentOS 7 : gimp / gimp-help (CESA-2016:2589)	Nessus	CentOS Local Security Checks	high
94710	Oracle Linux 7 : gimp (ELSA-2016-2589)	Nessus	Oracle Linux Local Security Checks	high
94552	RHEL 7 : gimp (RHSA-2016:2589)	Nessus	Red Hat Local Security Checks	high
93190	SUSE SLED12 Security Update : gimp (SUSE-SU-2016:1962-1)	Nessus	SuSE Local Security Checks	high
92651	FreeBSD : The GIMP -- Use after Free vulnerability (6fb8a90f-c9d5-4d14-b940-aed3d63c2edc)	Nessus	FreeBSD Local Security Checks	high
92498	Slackware 14.0 / 14.1 / 14.2 / current : gimp (SSA:2016-203-01)	Nessus	Slackware Local Security Checks	high
92332	Fedora 22 : 2:gimp (2016-acbd6a75f3)	Nessus	Fedora Local Security Checks	high
92253	Fedora 24 : 2:gimp (2016-6122983949)	Nessus	Fedora Local Security Checks	high
92233	Fedora 23 : 2:gimp (2016-20db5e796b)	Nessus	Fedora Local Security Checks	high
91955	Ubuntu 14.04 LTS : GIMP vulnerability (USN-3025-1)	Nessus	Ubuntu Local Security Checks	high
91942	openSUSE Security Update : gimp (openSUSE-2016-822)	Nessus	SuSE Local Security Checks	high
91923	Debian DSA-3612-1 : gimp - security update	Nessus	Debian Local Security Checks	high
91831	Debian DLA-525-1 : gimp security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2016-4994

high

Tenable Plugins

high

high

critical

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high