Bug 22393

Summary: gifsicle new security issue CVE-2017-1000421
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: shlomif, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: gifsicle-1.88-1.mga6.src.src.rpm CVE:
Status comment:

Description David Walser 2018-01-14 23:45:09 CET 
Debian has issued an advisory on January 12:
https://www.debian.org/security/2018/dsa-4084

The upstream bug and commit to fix it are linked from here:
https://security-tracker.debian.org/tracker/CVE-2017-1000421

Mageia 5 is also affected.
Comment 1 Shlomi Fish 2018-01-15 09:54:31 CET 
Submitted 1.88-1.1mga to http://pkgsubmit.mageia.org/ - please test.
Comment 2 David Walser 2018-01-15 12:35:16 CET 
Advisory:
========================

Updated gifsicle package fixes security vulnerability:

It was discovered that gifsicle contained a flaw that could lead to arbitrary
code execution (CVE-2017-1000421).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000421
https://www.debian.org/security/2018/dsa-4084
========================

Updated packages in core/updates_testing:
========================
gifsicle-1.88-1.1.mga6

from gifsicle-1.88-1.1.mga6.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs

Comment 3 Shlomi Fish 2018-01-15 14:19:58 CET 
Shall I prepare an updated package for mga5 too?
Comment 4 David Walser 2018-01-15 14:25:06 CET 
You may.  It's your call.
Comment 5 Len Lawrence 2018-01-15 14:28:53 CET 
Updated gifsicle on Mageia 6 for 64 bits.

Checked basic functionality:-

Create an animation:
$ gifsicle aninew*.gif --colors 255 > animation.gif
and viewed a five frame animation with ristretto and eom.

$ gifsicle -I curiosity.gif
* curiosity.gif 11 images
  logical screen 1024x1024
  global color table [256]
  background 0
  loop forever
  + image #0 1024x1024
    disposal background delay 0.50s
  + image #1 1024x1024
    local color table [256]
.................

$ gifsicle -e curiosity.gif
gifsicle:curiosity.gif.001: background color not in colormap
..................
$ ls curiosity*
curiosity.gif      curiosity.gif.002  curiosity.gif.005  curiosity.gif.008
curiosity.gif.000  curiosity.gif.003  curiosity.gif.006  curiosity.gif.009
curiosity.gif.001  curiosity.gif.004  curiosity.gif.007  curiosity.gif.010
$ eom curiosity.gif.*
displayed the individual frames on demand.

That looks fine for 64 bits.

CC: (none) => tarazed25

Len Lawrence 2018-01-15 14:29:11 CET

Whiteboard: (none) => MGA6-64-OK

Lewis Smith 2018-01-16 09:01:26 CET

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 6 David Walser 2018-01-16 12:27:37 CET 
openSUSE has issued an advisory for this on January 15:
https://lists.opensuse.org/opensuse-updates/2018-01/msg00040.html
Comment 7 Mageia Robot 2018-01-16 19:05:24 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0086.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED