Bug 23134 - gifsicle new security issue CVE-2017-18120
Summary: gifsicle new security issue CVE-2017-18120
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-07 22:16 CEST by David Walser
Modified: 2018-06-14 20:16 CEST

See Also:
Source RPM: gifsicle-1.88-1.1.mga6.src.rpm
CVE:
Status comment: Fixed upstream in 1.91


Description David Walser 2018-06-07 22:16:06 CEST
Fedora has issued an advisory on May 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BGGLSEKCDM2OZ67XRI7KOASI4G7PRUX2/

The issue is fixed upstream in 1.91.

The upstream bug and commit are linked from the Red Hat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1542035
David Walser 2018-06-07 22:16:18 CEST

Status comment: (none) => Fixed upstream in 1.91

Comment 1 David Walser 2018-06-08 13:58:55 CEST
Patched package uploaded by Shlomi.

Advisory:
========================

Updated gifsicle package fixes security vulnerability:

A double-free bug in the read_gif function in gifread.c in gifsicle 1.90 allows
a remote attacker to cause a denial-of-service attack or unspecified other
impact via a maliciously crafted file, because last_name is mishandled
(CVE-2017-18120).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18120
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BGGLSEKCDM2OZ67XRI7KOASI4G7PRUX2/
========================

Updated packages in core/updates_testing:
========================
gifsicle-1.88-1.2.mga6

from gifsicle-1.88-1.2.mga6.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs

Comment 2 Len Lawrence 2018-06-08 18:11:22 CEST
Mageia 6, x86_64

Before update:

Only one of the PoC links led to anything useful.

CVE-2017-18120
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881120
$ gifsicle poc poc -o output
gifsicle:poc:#0: read error: unknown block type 49 at file offset 13
gifsicle:poc: read error: image position and/or dimensions out of range
gifsicle:poc:#0: read error: unknown block type 49 at file offset 13
gifsicle:poc: read error: image position and/or dimensions out of range
*** Error in `gifsicle': double free or corruption (fasttop): 0x0000000000885d20 ***
[.....]
Aborted (core dumped)

$ gifdiff poc poc
gifdiff: While reading ‘poc’ frame #0:
gifdiff:   error: unknown block type 49 at file offset 13
gifdiff: While reading ‘poc’ frame #0:
gifdiff:   error: image position and/or dimensions out of range
gifdiff: While reading ‘poc’ frame #0:
gifdiff:   error: unknown block type 49 at file offset 13
gifdiff: While reading ‘poc’ frame #0:
gifdiff:   error: image position and/or dimensions out of range
Segmentation fault (core dumped)

After the update:

gifdiff still segfaults, but:
$ gifsicle poc poc -o output
gifsicle:poc:#0: read error: unknown block type 49 at file offset 13
gifsicle:poc: read error: image position and/or dimensions out of range
gifsicle:poc:#0: read error: unknown block type 49 at file offset 13
gifsicle:poc: read error: image position and/or dimensions out of range

which looks like a good result.

gifsicle supplies many options for splitting, modifying and combining GIF file
animations.  Tried a few.
$ gifsicle -e any.gif
splits the input file into individual files named any.gif.000, any.gif.001, and so on.  Each frame is viewable using eom or gifview.  The whole set can be viewed as an overlaid stack using
$ gifview sample.gif.*

Used gifview to step through an animation frame by frame (slideshow mode) and in animation mode.  These modes are controlled from the keyboard by 's' and 'a'.
$ gifview --min-delay 100 sample.gif
Press 's' and slideshow mode starts at 1 frame per second.

gifsicle successfully recombined the extracted frames into a new animated gif.
$ gifsicle -m any.gif.* -o new.gif

$ gifsicle --color-info new.gif
* new.gif 32 images
  logical screen 438x236
  global color table [256]
  |   0: #080809      64: #CE9C8C     128: #E9DEE2     192: #FA7884
  |   1: #B86A65      65: #D65456     129: #D7BCC7     193: #A11F22
[.....]
  + image #30 438x236 transparent 18
    disposal asis delay 0.10s
  + image #31 438x236 transparent 55
    disposal asis delay 0.10s

No luck with setting properties of GIF files.  Tried 'gifsicle --gamma 2.2 ....' for instance and it had no visible effect.  That probably indicates ignorance on the part of the user.  Otherwise it all looks good.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
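
The before/after comparison in Comment 2 can be scripted so that a clean "read error" exit is distinguished from termination by a signal. This is an added example, not part of the original thread or the Mageia QA tooling; the function names and the choice of `/dev/null` as output are assumptions, and the file to test is whatever local path is passed as the first argument.

```shell
#!/bin/sh
# Added example: tell a clean "read error" exit apart from death by signal.
# A child killed by signal N is reported by the shell as status 128+N
# (134 = SIGABRT, as raised by the glibc double-free abort; 139 = SIGSEGV).
# Assumption: the tool itself never exits normally with a status above 128.

classify_status() {
    # $1 = exit status of the command under test
    if [ "$1" -eq 0 ]; then
        echo "ok"
    elif [ "$1" -gt 128 ]; then
        echo "crash:$(( $1 - 128 ))"
    else
        echo "error"          # tool rejected the input and exited normally
    fi
}

run_check() {
    # Run "$@" with output discarded, print the verdict,
    # and return non-zero only if the command was killed by a signal.
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    verdict=$(classify_status "$status")
    echo "$verdict"
    case "$verdict" in
        crash:*) return 1 ;;
    esac
    return 0
}

# With a file argument, repeat the two invocations from the comment above.
if [ "$#" -gt 0 ]; then
    failed=0
    for tool in gifsicle gifdiff; do
        if [ "$tool" = gifsicle ]; then
            result=$(run_check gifsicle "$1" "$1" -o /dev/null) || failed=1
        else
            result=$(run_check gifdiff "$1" "$1") || failed=1
        fi
        printf '%s: %s\n' "$tool" "$result"
    done
    exit "$failed"
fi
```

Run against the results reported above, the pre-update gifsicle would show `crash:6` and gifdiff `crash:11`; a tool that only prints read errors and exits is reported as `ok` or `error`.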

Comment 3 claire robinson 2018-06-14 18:13:15 CEST
Good testing. Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 4 claire robinson 2018-06-14 18:37:31 CEST
Advisoried

Keywords: (none) => advisory

Comment 5 Mageia Robot 2018-06-14 20:16:03 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0280.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

