Bug 29458

Summary: gifsicle new security issues fixed upstream in 1.93 (including CVE-2020-19752)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: gifsicle-1.92-2.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-09-13 18:35:51 CEST 
openSUSE has issued an advisory today (September 13):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7LT4ZGSUVTVP4M6DZMXIWJ67JSPE3CZI/

The issue is fixed upstream in 1.93:
http://www.lcdf.org/gifsicle/changes.html

Mageia 8 is also affected.
David Walser 2021-09-13 18:36:08 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-09-13 20:55:50 CEST 
'gifsicle' has no listed maintainer, and has been committed by various packagers, so no choice but to assign this update globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2021-09-15 10:34:53 CEST 
Suggested advisory:
========================

The updated package fixes a security vulnerability on certain resize operations with ‘--resize-method=box’.

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7LT4ZGSUVTVP4M6DZMXIWJ67JSPE3CZI/
http://www.lcdf.org/gifsicle/changes.html
========================

Updated package in core/updates_testing:
========================
gifsicle-1.93-1.mga8

from SRPM:
gifsicle-1.93-1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero

Comment 3 Herman Viaene 2021-09-15 14:23:38 CEST 
MGA8-64 Plasma on Lenovo B50
No installation issues.
Ref bug 23134 for testing and did some reading on the commands.
$ gifsicle --flip-h < P5211854.gif > P5flipped.gif
both the original and flipped images display ccorrectly with gifview and gwenview.
Then trying to understand it
$ gifdiff -h
‘Gifdiff’ compares two GIF files (either images or animations) for identical
visual appearance. An animation and an optimized version of the same animation
should compare as the same. Gifdiff exits with status 0 if the images are
the same, 1 if they’re different, and 2 if there was some error.
then
$ gifdiff P5211854.gif P5flipped.gif 
frame #0 pixels differ: 0,0 <#2A4540 >#071215
and no more. Is it so cleaver to detect that the images are essentially the same???
Cann't find anything drastically wrong, so OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Len Lawrence 2021-09-15 20:15:04 CEST 
mga8, x86_64.

No PoC trail so on with update.

$ gifsicle -e ThoseCats.gif
Split a short animated gif into 70 frames named ThoseCats.gif.000 ... ThoseCats.gif.069.  Many of those showed only the pixels which change from frame to frame.
$ gifview ThoseCats.gif
This presents the animation - start it with keyboard 'a' and stop at any time with 's'.
$ gifsicle --color-info ThoseCats.gif
* ThoseCats.gif 70 images
  logical screen 279x369
  global color table [64]
  |   0: #141922      16: #B7C8E0      32: #EFEBE3      48: #000000
  |   1: #2B3547      17: #BBA98E      33: #E4E9F0      49: #000000
[...]
  |  15: #AB9A88      31: #E7E5E2      47: #000000      63: #000000
  background 32
  loop forever
  + image #0 279x369 transparent 32
    disposal asis delay 0.08s
  + image #1 277x367 at 1,1 transparent 31
    disposal asis delay 0.08s
[...]
  + image #69 277x367 at 1,1 transparent 29
    disposal asis delay 0.08s

Combined a number of gif frames into a single animated gif.
$ gifsicle --colors 256 -m frame*.gif -o new.gif
$ file new.gif
new.gif: GIF image data, version 87a, 597 x 448
$ gifview --min-delay 100 new.gif
'a' started the animation.  's' paused it.  'r' at this point returned to the first frame.
The frames were also viewed as a slideshow by starting gifview without a delay and left-clicking on the frame to advance.

This looks good.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2021-09-15 20:17:31 CEST 
Apologies to Herman.  Started my tests a while ago with a long break.
Comment 6 Thomas Andrews 2021-09-17 14:10:13 CEST 
Of course I can't speak for him, but it reads to me like Herman would appreciate the confirmation this time, Len.

Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-09-22 23:21:46 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2021-09-23 06:52:35 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0437.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 8 David Walser 2021-09-23 23:50:28 CEST 
CVE-2020-19752 was also fixed in this update:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7H3ASG2BD4D4SAUUI6TOLUZYP2QYYHXY/

I'm not entirely certain, but it appears to be a different issue.

Summary: gifsicle new security issue fixed upstream in 1.93 => gifsicle new security issues fixed upstream in 1.93 (including CVE-2020-19752)