OpenSuSE has issued an advisory on April 20:
https://lists.opensuse.org/opensuse-updates/2016-04/msg00079.html

Patched package uploaded for Cauldron. Patch added in Mageia 5 SVN.

As this is a low severity issue that only affects the gif2rgb tool, I don't feel pushing an update for this is necessary at this time. The fix will be included in any future update for this package.
Assigning to all packagers collectively, since there is no maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Let's push it now, to clean the list of updates to fix.
CC: (none) => mageia
Assignee: pkg-bugs => qa-bugs
Advisory:
========================

Updated giflib packages fix security vulnerability:

A heap buffer overflow vulnerability was found in giflib. A maliciously crafted gif file could cause the gif2rgb tool to crash (CVE-2016-3977).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3977
https://lists.opensuse.org/opensuse-updates/2016-04/msg00079.html
========================

Updated packages in core/updates_testing:
========================
giflib-progs-4.2.3-4.3.mga5
libgif4-4.2.3-4.3.mga5
libgif-devel-4.2.3-4.3.mga5

from giflib-4.2.3-4.3.mga5.src.rpm
Testing on x86_64 real hardware.

The report http://bugs.fi/2016-03-gif2rgb.txt gives details of testing a malformed gif using either gdb or asan for debugging.

Simply running
$ gif2rgb 1.gif
generates an inline binary pattern symbol and hangs for a while then terminates.

Updated the libraries. Installed giflib-progs manually.

$ gif2rgb 1.gif
Background color out of range for colormap

The response was immediate.

From David's comment in the description above it looks like testing of the other gif-tools is unnecessary so a test of gif2rgb on a valid gif is all that is needed. Chose bart.gif from icons directory.

$ gif2rgb -v -o bart.rgb bart.gif
gif2rgb: Image 1 at (0, 0) [32x32]: 1
$ ls bart*
bart.gif bart.rgb.B bart.rgb.G bart.rgb.R

The three colour components are not image files of any kind but bitmap or pixel dumps in each colour, without any headers. See this extract:

$ od -x bart.rgb.R
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
0000100 0000 0000 0000 0000 0000 ffff ffff ffff
0000120 00ff 0000 0000 0000 0000 0000 0000 0000
0000140 0000 0000 0000 0000 ffff ffff ffff ffff

This looks OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
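
The patched gif2rgb rejects 1.gif with "Background color out of range for colormap". As an added example (not part of this bug report and not giflib's own code), the Python below applies the same bound to a GIF header before a file is handed to a decoder; the function names and the sample bytes are constructed here for illustration.

```python
import struct

def check_background(data: bytes):
    """Check a GIF's background colour index against its global colour table.

    Returns (ok, reason). Only the global table is examined; an image with a
    local colour table needs the same bound applied to that table.
    """
    if len(data) < 13:
        return False, "truncated header"
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return False, "not a GIF"
    # Logical screen descriptor: width, height, packed flags,
    # background colour index, pixel aspect ratio (little-endian).
    _w, _h, packed, background, _aspect = struct.unpack("<HHBBB", data[6:13])
    if not packed & 0x80:
        return True, "no global colour table"
    entries = 2 << (packed & 0x07)  # 2^(N+1) entries of 3 bytes each
    if len(data) < 13 + 3 * entries:
        return False, "truncated colour table"
    if background >= entries:
        return False, (f"background index {background} out of range "
                       f"for {entries}-entry table")
    return True, "ok"

def make_sample(packed, background, table_bytes):
    # Constructed sample input: signature, 32x32 screen descriptor, then
    # table_bytes zero bytes standing in for the colour table.
    header = struct.pack("<HHBBB", 32, 32, packed, background, 0)
    return b"GIF89a" + header + bytes(table_bytes)

if __name__ == "__main__":
    for name, blob in [
        ("in range", make_sample(0x81, 3, 12)),
        ("out of range", make_sample(0x81, 4, 12)),
        ("short table", make_sample(0x87, 0, 12)),
    ]:
        print(name, check_background(blob))
```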
Before and after tests on i586 in vbox returned the same results with 1.gif.

$ gif2rgb -v -o weather partlysunny.gif
gif2rgb: Image 1 at (0, 0) [48x48]: 1
$ ls weather.*
weather.B weather.G weather.R

Inspection showed that the three intensity maps probably matched the original three-colour image. There were signs of dithering in the intensity patterns, unlike bart.gif.
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Oops. Overlooked the source of the PoC gif.
$ wget http://bugs.fi/media/afl/giflib/1.gif
Advisory from Comment 3 uploaded.
CC: (none) => lewyssmith
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0399.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED