| Summary: | giflib new security issue CVE-2022-28506 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, mhrambo3501, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | giflib-5.2.1-6.mga9.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2022-07-25 17:29:55 CEST
David Walser
2022-07-25 17:30:07 CEST
Status comment: (none) => Patch available from Fedora

Another update for a quiet and parentless SRPM, so assigning globally.

Assignee: bugsquad => pkg-bugs

Updated packages built for cauldron and Mageia 8

Advisory:
========================

Updated giflib package fixes security vulnerability:

It was discovered that giflib 5.2.1 (including mingw-giflib which has giflib 5.2.1 bundled) contained a heap-buffer-overflow in function DumpScreen2RGB() (CVE-2022-28506).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/B4CJSHXBD2RS5OJNWSHQZVMTQCCTIPYS/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28506
https://sourceforge.net/p/giflib/bugs/159/
========================

Updated packages in core/updates_testing:
========================
giflib-progs-5.2.1-5.1.mga8
lib64gif7-5.2.1-5.1.mga8
lib64gif-devel-5.2.1-5.1.mga8

from giflib-5.2.1-5.1.mga8.src.rpm

mingw32-giflib-5.2.1-2.1.mga8.noarch.rpm
mingw32-giflib-static-5.2.1-2.1.mga8.noarch.rpm
mingw32-giflib-tools-5.2.1-2.1.mga8.noarch.rpm
mingw64-giflib-5.2.1-2.1.mga8.noarch.rpm
mingw64-giflib-static-5.2.1-2.1.mga8.noarch.rpm
mingw64-giflib-tools-5.2.1-2.1.mga8.noarch.rpm

from mingw-giflib-5.2.1-2.1.mga8.src.rpm

Possible testing help:
https://bugs.mageia.org/show_bug.cgi?id=24378#c3

Keywords: (none) => has_procedure

MGA8-64 Plasma on Acer Aspire 5253
No installation issues
Following lead in Comment 2

$ giftool -f "%v\n%w x %h\n" < riet.gif
GIF87a
1770 x 1253

[tester8@mach7 Pictures]$ giftext -c < riet.gif
Stdin:
Screen Size - Width = 1770, Height = 1253.
ColorResolution = 8, BitsPerPixel = 8, BackGround = 0, Aspect = 0.
Has Global Color Map.
Global Color Map:
Sort Flag: off
0: 27h 27h 28h 1: 30h 28h 20h 2: 30h 20h 30h 3: 30h 20h 26h
4: 30h 30h 28h 5: 28h 30h 2fh 6: 28h 28h 30h 7: 38h 27h 27h
8: 38h 30h 28h 9: 38h 38h 28h 10: 38h 28h 30h 11: 30h 38h 30h
etc... and at the end:
Image #1:
Image Size - Left = 0, Top = 0, Width = 1770, Height = 1253.
Image is Non Interlaced.
No Image Color Map.
GIF file terminated normally.

$ gifclrmp -s < riet.gif > colourmap.txt
$ cat colourmap.txt
0 39 39 40
1 48 40 32
2 48 32 48
3 48 32 38
4 48 48 40
5 40 48 47
etc....

$ gifclrmp -g 2.2 <riet.gif > colourmap
Generates image with brighter tones

[tester8@mach7 Pictures]$ file colourmap
colourmap: GIF image data, version 87a, 1770 x 1253

[tester8@mach7 Pictures]$ gifecho -c 244 161 174 -t "Good morning QA" > greeting.gif
bash: gifecho: command not found
Checked in MCC, command is not included, no further comments.

[tester8@mach7 Pictures]$ gif2rgb -c 8 -o rgbtest riet.gif
Generates 3 binary files

Results similar enough to referred bug 24378, giving OK.

CC: (none) => herman.viaene

Validating. Advisory in Comment 2.

Keywords: (none) => validated_update

Dave Hodgins
2022-08-05 16:41:39 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0275.html

Resolution: (none) => FIXED