Arch Linux Security Advisory ASA-201607-5
========================================
Severity: Medium
Date : 2016-07-17
CVE-ID : CVE-2016-4994
Package : gimp
Type : arbitrary code execution
Remote : No
Link : https://wiki.archlinux.org/title/CVE
Summary
======
The package gimp before version 2.8.18-1 is vulnerable to arbitrary code
execution.
Resolution
=========
Upgrade to 2.8.18-1.
# pacman -Syu "gimp>=2.8.18-1"
The problem has been fixed upstream in version 2.8.18.
Workaround
=========
None.
Description
==========
Multiple Use-After-Free when parsing XCF channel and layer properties.
Impact
=====
An attacker is able to use a specially crafted XCF file, that when
opened locally, is leading to arbitrary code execution.
References
=========
https://access.redhat.com/security/cve/CVE-2016-4994
https://bugzilla.gnome.org/show_bug.cgi?id=767873