CVE-2023-44444: 
Rocky Linux vulnerability analysis and mitigation

CVE-2023-44444 is a remote code execution vulnerability in GIMP (GNU Image Manipulation Program) affecting the PSP file parsing functionality. The vulnerability was discovered by Michael Randrianantenaina and reported to the vendor on September 22, 2023. The issue was fixed with the release of GIMP 2.10.36 on November 7, 2023. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP through specially crafted PSP files (ZDI Advisory, GIMP Release).

The vulnerability stems from an off-by-one error in the PSP file parsing functionality. When calculating a location to write within a heap-based buffer, crafted data in a PSP file can trigger this off-by-one error. The vulnerability has been assigned a CVSS v3.0 base score of 7.8 (HIGH) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The flaw is classified under CWE-193 (Off-by-one Error) (ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. User interaction is required for exploitation, as the target must open a malicious PSP file (ZDI Advisory).

The vulnerability has been fixed in GIMP version 2.10.36. Users are strongly advised to update to this version, as it contains several security fixes including this PSP file parsing vulnerability. The update is available through official GIMP distribution channels including Linux flatpaks, Windows installers, and macOS packages (GIMP Release).