Severe Security Flaws in Gimp > 3.2 - how to fix for Mint 22.2?
#1
According to this article, there are severe security flaws in Gimp > 3.2
https://www.heise.de/news/Gimp-Update-sc...14979.html

We installed Gimp with the system package that comes along with Linux Mint Cinnamon 22.2

As this is a severe security flaw, do you think that the maintenance team of Linux Mint will update the system packages to the patched version, or would we have to upgrade to a higher Mint version in order to achieve this?
Reply
#2
(03-19-2026, 02:35 PM)congress_sandbar Wrote: According to this article, there are severe security flaws in Gimp > 3.2
https://www.heise.de/news/Gimp-Update-sc...14979.html

As far as I can tell from a quick look through a translation there are two file types involved Amiga Interchange format and HDR images. Not going to affect many Gimp users. This sort of scare has happened before, be careful what you download.

Quote:We installed Gimp with the systempackage that come along with Linux Mint Cinnamon 22.2

Unless you got Gimp from a PPA, the Gimp in the repo is 2.10.36, not Gimp 3.2

Quote:As this is a severe security flaw, do you think that the maintenance team of Linux Mint will update the systempackages to the patched version or would we have to upgrade to a higher Mint version in order to achieve this?

No Mint packagers here

EDIT: I am not just brushing your concerns off. The Gimp developers do investigate and fix.
As an example: https://gitlab.gnome.org/GNOME/gimp/-/issues/15617 and this is the place to report concerns.
Reply
#3
"Severe" also oversells it in my opinion. Generally we get reports from security researchers like Zero Day Initiative with a file they created specifically to crash the image loading plug-in. And that's usually all it does - GIMP itself still runs fine.

We still try to fix everything of course, but it's not a report of an epidemic of malicious files.
Not to say that someone *couldn't* make a malicious file, but it's rather unlikely to occur in real usage.
Reply
#4
Thanks for your replies.
@rich2005:
Quote:Unless you got Gimp from a PPA, the Gimp in the repo is 2.10.36, not Gimp 3.2
Yes, we don't use a PPA and that's where our concern stems from. We are still on 2.10.36 and would like to go to 3.2 with the system repositories, that is, without any PPA if possible.

So even if the GIMP team fixes that, maybe it doesn't make it into the official system repositories of Linux Mint 22.
I guess it's hard to get a hold of the people in charge of putting together the repos for Mint.

I think I've seen HDR images in the context of Apple.

@CmykStudent_:
You might be right that GIMP would still be running fine. The concern is rather that you can encrust a malicious process in the running GIMP process.
And of course, attackers would manipulate images exactly for this purpose.
I quote from the article, both in original language and translated to English:
Quote:Auch hier können bösartige Akteure mit sorgsam präparierten Dateien Schadcode einschleusen, der im Kontext des laufenden Prozesses ausgeführt wird ||
Here, too, malicious actors can use carefully crafted files to inject malicious code that is executed within the context of the running process
Reply
#5
congress_sandbar: Sure, and I can't say that it's impossible someone could do something malicious.

All I can say (as someone who both gets these reports and works to update them in GIMP), is that I've never seen one that says "I opened this file I downloaded in GIMP and it damaged my computer". It's always "In theory, if someone made this kind of change to a file, it could possibly do this".
Reply
#6
(03-20-2026, 12:10 PM)CmykStudent_ Wrote: congress_sandbar: Sure, and I can't say that it's impossible someone could do something malicious.

All I can say (as someone who both gets these reports and works to update them in GIMP), is that I've never seen one that says "I opened this file I downloaded in GIMP and it damaged my computer". It's always "In theory, if someone made this kind of change to a file, it could possibly do this".

Thanks for your insight.
Just wondering: Could it be that typically the not so tech savvy people open such files, maybe even assuming it's something else? So they would not be so inclined to report it back to you, as they don't even know that such thing as a bug report is possible?
Reply
#7
Just from my point of view as a Linux user.

Guessing that you are on some sort of local network rather than an individual installation.

Using (quote): Linux Mint Cinnamon 22.2
That is downstream from Debian -> Ubuntu 24.04 -> Mint 22.
So you are never going to get Gimp 3.2 from the Mint repo until maybe Mint 23 (or 24, based on Debian 13 -> Ubuntu 26.04) comes along.

I have a Mint 22.3 using Gimp 3.2 from the PPA that works very well, but it is not going to be updated to include every daily patch for these CVE reports.

As CmykStudent states, it is "in theory". I have seen these reports from way back. If you are truly worried, stick to file types known to be safe.

As far as I know, Mint is not going to patch any of the file plugins. For truly up-to-date you need something like a daily version: either compile yourself, or a dev "nightly" flatpak, or a dev AppImage. They all have their limitations.
Reply
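The advice above ("stick to file types known to be safe") only works if a file really is what its extension claims. As an added example that is not from this thread or from the GIMP project, the Python below sniffs the leading bytes of a file for the two affected loaders named in the thread (Amiga IFF/ILBM and Radiance HDR) and flags files that carry one of those formats under an unrelated extension; the sample byte strings are constructed, and the magic-byte checks are the standard ones for those formats.

```python
import os
from typing import Optional, Tuple

# File extensions normally associated with each sniffed format (assumed mapping).
EXPECTED_EXT = {"iff": {".iff", ".ilbm", ".lbm"}, "hdr": {".hdr", ".rgbe"}}


def sniff_image_format(data: bytes) -> Optional[str]:
    """Return 'iff', 'hdr', or None based solely on the leading bytes."""
    # IFF container: "FORM" + 4-byte big-endian size + form type ("ILBM" or "PBM ").
    if len(data) >= 12 and data[:4] == b"FORM" and data[8:12] in (b"ILBM", b"PBM "):
        return "iff"
    # Radiance HDR: text header beginning with "#?RADIANCE" (or the older "#?RGBE").
    if data.startswith(b"#?RADIANCE") or data.startswith(b"#?RGBE"):
        return "hdr"
    return None


def classify(filename: str, data: bytes) -> Tuple[Optional[str], str]:
    """Classify a file by content vs. extension.

    Returns (detected_format, verdict) where verdict is:
      'other'     - not one of the sniffed formats
      'flagged'   - affected format, extension matches (loader will be used)
      'disguised' - affected format hidden behind an unrelated extension
    """
    fmt = sniff_image_format(data)
    if fmt is None:
        return None, "other"
    ext = os.path.splitext(filename)[1].lower()
    return fmt, ("flagged" if ext in EXPECTED_EXT[fmt] else "disguised")


def scan_path(path: str) -> Tuple[Optional[str], str]:
    """Read only the header of a real file and classify it."""
    with open(path, "rb") as fh:
        return classify(path, fh.read(64))


# Constructed sample inputs (not real files from the thread).
SAMPLE_IFF = b"FORM" + (100).to_bytes(4, "big") + b"ILBM" + b"BMHD" + b"\x00" * 24
SAMPLE_HDR = b"#?RADIANCE\nFORMAT=32-bit_rle_rgbe\n\n-Y 1 +X 1\n"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("scene.hdr", SAMPLE_HDR), ("holiday.png", SAMPLE_IFF), ("logo.png", SAMPLE_PNG)):
        print(name, classify(name, blob))
```

Run it over an inbound directory with `scan_path` to list files that would hit the IFF or HDR plug-in before anyone opens them in GIMP.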