Alpine: multiple gimp packages: security update to 2.10.36-r0

high Tenable Self-Hosted Container Security Plugin ID 426957

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- GIMP DDS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability
allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is
required to exploit this vulnerability in that the target must visit a malicious page or open a malicious
file. The specific flaw exists within the parsing of DDS files. The issue results from the lack of proper
validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can
leverage this vulnerability to execute code in the context of the current process. . Was ZDI-CAN-22093.
(CVE-2023-44441)

- GIMP PSD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability
allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is
required to exploit this vulnerability in that the target must visit a malicious page or open a malicious
file. The specific flaw exists within the parsing of PSD files. The issue results from the lack of proper
validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can
leverage this vulnerability to execute arbitrary code in the context of the current process. Was ZDI-
CAN-22094. (CVE-2023-44442)

- GIMP PSP File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows
remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required
to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The
specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation
of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can
leverage this vulnerability to execute code in the context of the current process. . Was ZDI-CAN-22096.
(CVE-2023-44443)

- GIMP PSP File Parsing Off-By-One Remote Code Execution Vulnerability. This vulnerability allows remote
attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The
specific flaw exists within the parsing of PSP files. Crafted data in a PSP file can trigger an off-by-one
error when calculating a location to write within a heap-based buffer. An attacker can leverage this
vulnerability to execute code in the context of the current process. . Was ZDI-CAN-22097. (CVE-2023-44444)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-44441

https://security.alpinelinux.org/vuln/CVE-2023-44442

https://security.alpinelinux.org/vuln/CVE-2023-44443

https://security.alpinelinux.org/vuln/CVE-2023-44444

Plugin Details

Severity: High

ID: 426957

Version: Revision 1.8

Type: Local

Published: 5/16/2025

Updated: 1/13/2026

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-44444

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 11/21/2023

Reference Information

CVE: CVE-2023-44441, CVE-2023-44442, CVE-2023-44443, CVE-2023-44444