The scriptfu network server in GIMP 2.6 does not require authentication,
which allows remote attackers to execute arbitrary commands via the
It looks like Gimp 2.8.6 is affected too.
I have just voiced that impression in a reply on the oss-security mailing list:
What I have in mind for further mitigation would be for upstream, not downstream to do. For details, please check this upstream bug report:
If there is anything we should do downstream, please let me know.
CVE is resolved as of gimp-2.8.0:
All vulnerable ebuilds are cleared in the tree already.
GLSA Draft: 20c35ef34
This issue was resolved and addressed in
GLSA 201603-01 at https://security.gentoo.org/glsa/201603-01
by GLSA coordinator Kristian Fiskerstrand (K_F).