GIMP 2.8.14(Windows)上存在漏洞
[英]Vulnerability found on GIMP 2.8.14 (Windows)
问题描述
I have advised of a security issue found on the software GIMP 2.8.14. 
我已建议在GIMP 2.8.14软件上发现一个安全问题。 The vulnerability description can be found here: Vulnerability Description 漏洞描述可以在这里找到: 漏洞描述
And the CVE here: CVE-2016-4994 此处的CVE: CVE-2016-4994
When I was advised of the vulnerability, I also was advised about a solution, which is update the software with a particular version sent to me in that advise. 当我被告知该漏洞时,我也被告知一个解决方案,该解决方案是使用该通知中发送给我的特定版本更新软件。 The thing is that the upgrade is available only for linux, and we have GIMP on Windows. 事实是升级仅适用于linux,而Windows上具有GIMP。
Do you know something about the risks of this vulnerability on 2.8.16 version (which is the one that we have)? 您是否知道2.8.16版本(我们拥有的版本)中此漏洞的风险? And if there are risks, do you know the proper actions to avoid that? 而且,如果存在风险,您知道采取适当的措施来避免这种情况吗?
I haven't found anything about GIMP on Windows, all the solutions are set for Linux. 我还没有在Windows上找到有关GIMP的任何信息,所有解决方案都针对Linux。
Thanks beforehand. 预先感谢。
1 个解决方案
解决方案1
1 已采纳 2016-07-14 14:13:01
The new version 2.8.18 of GIMP fixes this vulnerability. GIMP的新版本2.8.18修复了此漏洞。 Check the releaase notes at: http://www.gimp.org/news/2016/07/14/gimp-2-8-18-released/ 在以下网址查看发布说明: http : //www.gimp.org/news/2016/07/14/gimp-2-8-18-released/
However, I don'think that is a big issue at all. 但是,我认为这根本不是一个大问题。
GIMP is not meant to be "secure software" - it runs as a user processor, and have to deal with tens of file formats, each one able to have up to hundreds of different data structures. GIMP并不是要成为“安全软件”,它必须作为用户处理器运行,并且必须处理数十种文件格式,每种文件格式最多可以具有数百种不同的数据结构。 It uses third-party libraries to handle some of those data formats. 它使用第三方库来处理其中一些数据格式。
One can't expect any version of GIMP to be secure against opening a file and have that file execute arbitrary code, with the same privileges the program itself has. 不能指望任何版本的GIMP都能安全地防止打开文件并使该文件执行任意代码,并具有程序本身具有的特权。 While this particular vulnerability tells about GIMP's native XCF files, which may be fixed in that respect, one can simply open a postscript file, which is by definition a complete program - and will run arbitrary code, even for well-formed images. 尽管此特殊漏洞说明了GIMP的本机XCF文件,该文件可能在这方面已得到修复,但可以仅打开一个postscript文件(根据定义它是一个完整的程序),并且可以运行任意代码,即使是格式正确的图像也是如此。 In most cases, the postcript libraries in use should sandbox the running program and prevent it from accessing, say, the filesystem, but it will be able to use CPU as a DoS attack nevertheless. 在大多数情况下,正在使用的后记库应该将正在运行的程序沙箱化,并阻止其访问文件系统,但是仍然可以将CPU用作DoS攻击。
It is up to your OS to control what resources an user application can access. 取决于您的操作系统来控制用户应用程序可以访问哪些资源。 Vulnerabilities in GIMP won't offer privilege escalation, if the OS is tight. 如果操作系统很紧凑,GIMP中的漏洞将不会提供特权升级。 And one could even use finer grained security features (eg SELinux) to further restrict application access. 而且甚至可以使用更细粒度的安全功能(例如SELinux)来进一步限制应用程序访问。
As for GIMP, the 2.8.18 version is out as of yesterday - if this particular issue is marked as fixed, you should try to grab that one. 对于GIMP,2.8.18版本已于昨天发布-如果此特定问题标记为已修复,则应尝试使用该版本。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.