#1132846 gimp - Insecurely creates /tmp/gimp/3.2

Package:
gimp
Source:
gimp
Description:
GNU Image Manipulation Program
Submitter:
Bastian Blank
Date:
2026-06-27 08:09:02 UTC
Severity:
normal
Tags:
#1132846#5
Date:
2026-04-06 09:51:53 UTC
From:
To:
Starting gimp creates /tmp/gimp/3.2 in an insecure way.  Neither is the
name randomized, nor is there much care taken with creating the
directory in a secure way in a world writable directory.  This should be
CWE-378.

strace shows:

| execve("/usr/bin/gimp", ["gimp"], 0x7ffd48a2e5a0 /* 57 vars */) = 0
| […]
| newfstatat(AT_FDCWD, "/usr/bin/convert", {st_mode=S_IFREG|0755, st_size=15016, ...}, 0) = 0
| faccessat2(AT_FDCWD, "/tmp/gimp/3.2", F_OK, AT_SYMLINK_NOFOLLOW|AT_EACCESS) = -1 ENOENT (No such file or directory)
| mkdir("/tmp/gimp/3.2", 0777)            = -1 ENOENT (No such file or directory)
| mkdir("/tmp/gimp", 0777)                = 0
| mkdir("/tmp/gimp/3.2", 0777)            = 0
| faccessat2(AT_FDCWD, "/home/waldi/.cache/gimp/3.2", F_OK, AT_SYMLINK_NOFOLLOW|AT_EACCESS) = 0
| newfstatat(AT_FDCWD, "/home/waldi/.cache/gimp/3.2", {st_mode=S_IFDIR|0755, st_size=0, ...}, 0) = 0
| openat(AT_FDCWD, "/home/waldi/.cache/gimp/3.2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 13

#1132846#12
Date:
2026-06-20 13:17:12 UTC
From:
To:
gimp has just been removed from testing because of this bug.
But here, with gimp 3.2.4-2, I observe that a directory like
/tmp/gimp-3.2-XXFLJR3 is created, which seems to be randomized
and not world writable:

907566 mkdir("/tmp/gimp-3.2-XWW9CR3", 0700) = 0

#1132846#17
Date:
2026-06-24 07:51:00 UTC
From:
To:
After seeing the message from Vincent I upgraded as well.

I can confirm Vincent's observation. With gimp 3.2.4-2 directories like
/tmp/gimp-3.2-XQ2UZQ3 and /tmp/gimp-3.2-XXRJER3 are created. Access is
limited to my user.

#1132846#22
Date:
2026-06-27 06:53:21 UTC
From:
To:
Hi,

That's my observation as well, so let's document that the version in
unstable is fixed. (I'm not closing the bug just yet, to allow for
further inspection/tracking).

Paul

#1132846#29
Date:
2026-06-27 08:06:41 UTC
From:
To:
Version: 3.2.4-1

This was fixed with:

| commit a85e5286fd2064bfd684e85f3536626bcc2973cb
| Author: Jehan <jehan@girinstud.io>
| Date:   Mon Apr 6 16:09:09 2026 +0200
|
|     Issue #14681: Permission denied opening image - /tmp/gimp/3.0/ cannot be shared.
|
|     Let's create the folder returned by gimp_temp_directory() ourselves, the
|     first time this function is called, using a randomized name. This will
|     ensure that we won't conflict with another user running GIMP on the same
|     machine if using the base /tmp/ (which is usually the case on Linux).
|
|     Furthermore, since we create the temp folder at this level, we will also
|     delete it when quitting (but only if it's empty, as it should). Also I
|     use a single-level folder above the generic temporary directory, this
|     way, it's easier to track and we don't have to delete 2 levels of
|     directories anymore.
|
|     When the environment variable GIMP3_TEMPDIR is set though, we do not
|     create the folder, nor do we try and delete it.

Bastian
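
Added example (not GIMP's code and not from anyone in this thread): a C sketch contrasting the fixed-name, 0777 `mkdir` pattern visible in the strace of the first message with the approach the fix commit describes: a randomized single-level directory under the base temp directory, created privately, honouring an override environment variable (no create/delete in that case), and removed at exit only when empty. The function names `secure_temp_dir`, `cleanup_temp_dir`, `temp_dir_is_private` and the variable name `EXAMPLE_TEMPDIR` are assumptions for illustration; GIMP's own `gimp_temp_directory()` and `GIMP3_TEMPDIR` are the real counterparts named in the commit message.

```c
#define _GNU_SOURCE            /* exposes mkdtemp(3), setenv(3) on glibc */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed illustration of the pattern in the strace above (CWE-378):
 * a fixed, guessable path under world-writable /tmp, created with 0777.
 * Any local user can pre-create or symlink that path before we do. */
static int insecure_temp_dir(const char *fixed_path)
{
    return mkdir(fixed_path, 0777);
}

/* Hardened variant modelled on the fix commit's description (assumed names).
 * Returns 0 if a fresh private directory was created (caller cleans it up),
 * 1 if override_env is set (directory is caller-managed: nothing created,
 * nothing deleted later), -1 on error. The path is written to `out`. */
static int secure_temp_dir(const char *base, const char *prefix,
                           const char *override_env, char *out, size_t outlen)
{
    const char *override = override_env ? getenv(override_env) : NULL;
    if (override && *override) {
        if (snprintf(out, outlen, "%s", override) >= (int)outlen) return -1;
        return 1;
    }
    /* One level directly under base, e.g. /tmp/gimp-3.2-XXXXXX.
     * mkdtemp() fills the X's randomly and creates the directory atomically
     * with mode 0700; it fails rather than reusing an existing entry. */
    char tmpl[PATH_MAX];
    if (snprintf(tmpl, sizeof tmpl, "%s/%s-XXXXXX", base, prefix) >= (int)sizeof tmpl)
        return -1;
    if (mkdtemp(tmpl) == NULL) return -1;
    if (snprintf(out, outlen, "%s", tmpl) >= (int)outlen) return -1;
    return 0;
}

/* Check a program can run before trusting a temp directory: it must be a
 * real directory (not a symlink), owned by us, with no group/other bits. */
static int temp_dir_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    if (!S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != getuid()) return 0;
    if ((st.st_mode & 0077) != 0) return 0;
    return 1;
}

/* Exit-time cleanup as the commit describes: only a directory we created,
 * and only if it is empty. Returns 0 removed, 1 kept, -1 on other error. */
static int cleanup_temp_dir(const char *path, int created_by_us)
{
    if (!created_by_us) return 1;
    if (rmdir(path) == 0) return 0;
    return (errno == ENOTEMPTY || errno == EEXIST) ? 1 : -1;
}

int main(void)
{
    char dir[PATH_MAX];
    int rc = secure_temp_dir("/tmp", "gimp-3.2", "EXAMPLE_TEMPDIR", dir, sizeof dir);
    if (rc < 0) { perror("secure_temp_dir"); return 1; }
    printf("using %s (%s, private=%d)\n", dir,
           rc == 0 ? "created" : "from env", temp_dir_is_private(dir));
    printf("cleanup result: %d\n", cleanup_temp_dir(dir, rc == 0));

    /* Contrast: the fixed-name directory is neither unpredictable nor private. */
    const char *bad = "/tmp/gimp-insecure-example";
    if (insecure_temp_dir(bad) == 0) {
        printf("%s private=%d\n", bad, temp_dir_is_private(bad));
        rmdir(bad);
    }
    return 0;
}
```

The key property is that `mkdtemp` both randomizes the name and creates the directory in one step, so there is no window between "check that it does not exist" and "create it" like the `faccessat2` followed by `mkdir` in the strace; the ownership and mode check is a cheap additional guard for the override case, where the directory is supplied from outside.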