CVE-2012-4245 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4245): The scriptfu network server in GIMP 2.6 does not require authentication, which allows remote attackers to execute arbitrary commands via the python-fu-eval command.
It looks like Gimp 2.8.6 is affected too. I have just voiced that impression in a reply on the oss-security mailing list: http://thread.gmane.org/gmane.comp.security.oss.general/8173/focus=11115 What I have in mind for further mitigation would be for upstream, not downstream to do. For details, please check this upstream bug report: https://bugzilla.gnome.org/show_bug.cgi?id=708098 If there is anything we should do downstream, please let me know.
CVE is resolved as of gimp-2.8.0: https://bugzilla.gnome.org/show_bug.cgi?id=708098 Commit message: https://git.gnome.org/browse/gimp/commit/?id=3b72ad8939c3a1463492d102dfe457e5fef68d04 All vulnerable ebuilds are cleared in the tree already.
GLSA Draft: 20c35ef34
This issue was resolved and addressed in GLSA 201603-01 at https://security.gentoo.org/glsa/201603-01 by GLSA coordinator Kristian Fiskerstrand (K_F).
