GIMP through 2.10.2 makes g_get_tmp_dir calls to establish temporary filenames, which may result in a filename that already exists, as demonstrated by the gimp_write_and_read_file function in app/tests/test-xcf.c. This might be leveraged by attackers to overwrite files or read file content that was intended to be private.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2018-12713 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue did affect the versions of gimp as shipped with Red Hat Enterprise Linux 7. However, as this is an issue in a unit test, it is not a problem if you are using the precompiled gimp package. This is only a problem if you recompile gimp using the src.rpm/SPEC file. Even then it's only a problem if you do not make use of isolating build tools like mock, but instead use rpmbuild directly.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 6.7 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
| Attack Vector | Local |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 7 | gimp | Affected |
| Red Hat Enterprise Linux 6 | gimp | Not affected |
| Red Hat Enterprise Linux 5 | gimp | Not affected |
Vulmon