| Summary: | giflib new security issue CVE-2016-3977 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | lewyssmith, mageia, marja11, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/684596/ | ||
| Whiteboard: | MGA5-64-OK MGA5-32-OK advisory | ||
| Source RPM: | giflib-4.2.3-4.2.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2016-04-21 18:33:33 CEST
Assigning to all packagers collectively, since there is no maintainer for this package.

CC: (none) => marja11

let's push it now, to clean the list of the update to fix

CC: (none) => mageia

Advisory:
========================

Updated giflib packages fix security vulnerability:

A heap buffer overflow vulnerability was found in giflib. A maliciously crafted gif file could cause the gif2rgb tool to crash (CVE-2016-3977).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3977
https://lists.opensuse.org/opensuse-updates/2016-04/msg00079.html
========================

Updated packages in core/updates_testing:
========================
giflib-progs-4.2.3-4.3.mga5
libgif4-4.2.3-4.3.mga5
libgif-devel-4.2.3-4.3.mga5

from giflib-4.2.3-4.3.mga5.src.rpm

Testing on x86_64 real hardware.

The report http://bugs.fi/2016-03-gif2rgb.txt gives details of testing a malformed gif using either gdb or asan for debugging.

Simply running
$ gif2rgb 1.gif
generates an inline binary pattern symbol and hangs for a while then terminates.

Updated the libraries. Installed giflib-progs manually.
$ gif2rgb 1.gif
Background color out of range for colormap
The response was immediate.

From David's comment in the description above it looks like testing of the other gif-tools is unnecessary so a test of gif2rgb on a valid gif is all that is needed. Chose bart.gif from icons directory.
$ gif2rgb -v -o bart.rgb bart.gif
gif2rgb: Image 1 at (0, 0) [32x32]: 1
$ ls bart*
bart.gif bart.rgb.B bart.rgb.G bart.rgb.R

The three colour components are not image files of any kind but bitmap or pixel dumps in each colour, without any headers. See this extract:
$ od -x bart.rgb.R
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
0000100 0000 0000 0000 0000 0000 ffff ffff ffff
0000120 00ff 0000 0000 0000 0000 0000 0000 0000
0000140 0000 0000 0000 0000 ffff ffff ffff ffff

This looks OK.

CC: (none) => tarazed25
Len Lawrence
2016-11-26 01:38:08 CET
Whiteboard: (none) => MGA5-64-OK

Before and after tests on i586 in vbox returned the same results with 1.gif.
$ gif2rgb -v -o weather partlysunny.gif
gif2rgb: Image 1 at (0, 0) [48x48]: 1
$ ls weather.*
weather.B weather.G weather.R

Inspection showed that the three intensity maps probably matched the original three-colour image. There were signs of dithering in the intensity patterns, unlike bart.gif.
Len Lawrence
2016-11-26 02:20:49 CET
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
Len Lawrence
2016-11-26 02:21:11 CET
Keywords: (none) => validated_update

Oops. Overlooked the source of the PoC gif.
$ wget http://bugs.fi/media/afl/giflib/1.gif

Advisory from Comment 3 uploaded.

CC: (none) => lewyssmith

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0399.html

Status: NEW => RESOLVED |
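
In the x86_64 test above, the updated gif2rgb rejects the PoC with "Background color out of range for colormap". The following is an added example, not code from this bug report or from giflib: it checks that condition from the GIF header alone, assuming the message refers to the logical screen descriptor's background color index compared with the global color table size. Only the global table is considered, and the function names and sample byte strings are constructed for illustration.

```python
import struct

def screen_descriptor(data: bytes) -> dict:
    """Parse the 6-byte signature and 7-byte logical screen descriptor."""
    if len(data) < 13:
        raise ValueError("truncated: header needs 13 bytes")
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF signature")
    width, height, packed, background, _aspect = struct.unpack("<HHBBB", data[6:13])
    has_gct = bool(packed & 0x80)            # bit 7: global color table present
    # Low three bits N give a table of 2**(N+1) RGB entries.
    entries = (2 << (packed & 0x07)) if has_gct else 0
    return {"width": width, "height": height, "has_gct": has_gct,
            "gct_entries": entries, "background": background}

def background_status(data: bytes) -> str:
    """Classify the background index (assumed meaning of the gif2rgb message)."""
    d = screen_descriptor(data)
    if not d["has_gct"]:
        return "no-global-colormap"          # index has nothing to point into
    if len(data) < 13 + 3 * d["gct_entries"]:
        return "truncated-colormap"          # file ends before the table does
    if d["background"] >= d["gct_entries"]:
        return "background-out-of-range"
    return "ok"

def make_header(packed: int, background: int, table_bytes: int) -> bytes:
    """Constructed sample: 32x32 screen followed by a zero-filled color table."""
    return (b"GIF89a" + struct.pack("<HHBBB", 32, 32, packed, background, 0)
            + bytes(table_bytes))

# Constructed inputs (not the PoC file referenced in the report).
SAMPLES = {
    "valid": make_header(0x81, 3, 12),        # 4 entries, index 3
    "bad-index": make_header(0x81, 200, 12),  # 4 entries, index 200
    "short-table": make_header(0x87, 0, 12),  # claims 256 entries, has 4
    "no-table": make_header(0x00, 5, 0),      # no global color table
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12s} {background_status(blob)}")
```
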