Bug 24378 - giflib new security issues fixed upstream in 5.1.6 (including CVE-2018-11490)
Summary: giflib new security issues fixed upstream in 5.1.6 (including CVE-2018-11490)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-02-17 17:11 CET by David Walser
Modified: 2019-02-20 23:19 CET

See Also:
Source RPM: giflib-5.1.4-1.mga6.src.rpm
CVE: CVE-2018-11490
Status comment:



Description David Walser 2019-02-17 17:11:17 CET
GifLib 5.1.6 has been released on February 12, fixing security issues:
https://sourceforge.net/p/giflib/code/ci/master/tree/NEWS

I've updated Cauldron.  We should update Mageia 6 too.  To quote NEWS:

* Fix SF bug #114: Null dereferences in main() of gifclrmp
* Fix SF bug #113: Heap Buffer Overflow-2 in function DGifDecompressLine()
  in cgif.c.  This had been assigned CVE-2018-11490.
* Fix SF bug #111: segmentation fault in PrintCodeBlock
* Fix SF bug #109: Segmentation fault of giftool reading a crafted file
* Fix SF bug #107: Floating point exception in giftext utility
* Fix SF bug: #105 heap buffer overflow in DumpScreen2RGB in gif2rgb.c:317
* Fix SF bug #104: Ineffective bounds check in DGifSlurp
* Fix SF bug #103: GIFLIB 5.1.4: DGifSlurp fails on empty comment
* Fix SF bug #87 Heap buffer overflow in 5.1.2 (gif2rgb).

Possibly every one of those is a security issue (the last one is CVE-2016-3977, which we've previously added a patch for).
Comment 1 Marja Van Waes 2019-02-18 08:01:19 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Salguero 2019-02-20 13:04:08 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Null dereferences in main() of gifclrmp.

Heap Buffer Overflow-2 in function DGifDecompressLine() in cgif.c. (CVE-2018-11490)

Segmentation fault in PrintCodeBlock.

Segmentation fault of giftool reading a crafted file.

Floating point exception in giftext utility.

Heap buffer overflow in DumpScreen2RGB in gif2rgb.c:317.

Ineffective bounds check in DGifSlurp.

GIFLIB 5.1.4: DGifSlurp fails on empty comment.

References:
https://sourceforge.net/p/giflib/code/ci/master/tree/NEWS
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11490
========================

Updated packages in core/updates_testing:
========================
giflib-progs-5.1.6-1.mga6
lib(64)gif7-5.1.6-1.mga6
lib(64)gif-devel-5.1.6-1.mga6

from SRPMS:
giflib-5.1.6-1.mga6.src.rpm

CVE: (none) => CVE-2018-11490
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 3 Len Lawrence 2019-02-20 21:49:30 CET
mga6, x86_64

No reproducer for CVE-2018-11490.
Straight to updates.

- giflib-progs-5.1.6-1.mga6.x86_64
- lib64gif-devel-5.1.6-1.mga6.x86_64
- lib64gif7-5.1.6-1.mga6.x86_64

The NEWS link points out that the names of the giftools have been rationalized:

gifsponge
giftext
giftool
giffilter
giffix
gifinto
gifbuild
gifclrmp
gifecho
gif2rgb
giftogd2
gif2png
giftrans
giftopnm

Not sure if all these are part of the giflib package, particularly the image conversion tools.

Several image manipulation tools have gone because other commonly available packages perform the tasks as well or better.  gifinfo is supposed to be replaced by 'giftool -f', e.g.
$ giftool -f "%v\n%w x %h\n" < Tatiana.gif
GIF89a
1080 x 761

Did not make much headway with other options of the giftool filter.
Extract the colour map from an image:
$ giftext -c < Tatiana.gif
Stdin:
	Screen Size - Width = 1080, Height = 761.
	ColorResolution = 8, BitsPerPixel = 8, BackGround = 255, Aspect = 0.
	Has Global Color Map.
	Global Color Map:
	Sort Flag: off
  0: 04h 04h 04h     1: 05h 06h 0ah     2: 06h 09h 0ch     3: 0bh 05h 02h   
  4: 09h 07h 0ah     5: 0bh 0ah 06h     6: 0bh 0bh 0bh     7: 06h 08h 05h   
  8: 06h 0bh 11h     9: 0bh 0dh 12h    10: 0bh 0dh 17h    11: 0fh 10h 0bh   
[...]
248: f5h d6h cbh   249: feh e6h d7h   250: fch e4h ceh   251: feh f4h e8h   
252: f3h efh edh   253: deh e1h e7h   254: b6h c3h bfh   255: 79h 81h 7fh   

GIF89 graphics control (Ext Code = 249 [ ]):
	Disposal Mode: 0
	User Input Flag: 0
	Transparency on: no
	DelayTime: 0
	Transparent Index: -1
Image #1:
	Image Size - Left = 0, Top = 0, Width = 1080, Height = 761.
	Image is Non Interlaced.
	No Image Color Map.
GIF file terminated normally.

That looks pretty comprehensive.
No man page for gifsponge, or usage information or help option.  The same applies to giffilter.
Experimented with giffix by editing a gif image in emacs, inserting garbage at a couple of places but running
$ giffix < bad.gif > repaired.gif
caused a segfault.  The documentation says that the utility will attempt to repair a damaged gif.  It gave up in this case.
"Following error occurred (and ignored):GIF-LIB error: Image is defective, decoding aborted.
Following unrecoverable error occured:GIF-LIB error: Failed to read from given file.
GIF-LIB undefined error 0.
Segmentation fault (core dumped)"

That is acceptable.
Could not figure out how to drive gifinto, which copies files above a specified size.
gifbuild is too complicated for a newbie.  Quoting the documentation:
<quote>
       If the data types of the “screen height”, “screen width”, “screen
       background”, “image top”, and “image left” declarations aren't obvious
       to you, what are you doing with this software?
</quote>

$ gifclrmp -s < Tatiana.gif > colourmap.txt
$ cat colourmap.txt
0   4   4   4
  1   5   6  10
  2   6   9  12
[...]
253 222 225 231
254 182 195 191
255 121 129 127
$ gifclrmp -g 2.2 < Tatiana.gif > colourmap
This produced a GIF image copy of the original with a gamma correction of 2.2, which made the image much brighter.
$ file colourmap
colourmap: GIF image data, version 87a, 1080 x 761
Note the switch from GIF89a to GIF87a.

$ gifecho -c 244 161 174 -t "Good morning QA" > greeting.gif
This generated an image containing the string, coloured pink on a black background.

$ gif2rgb -c 8 -o rgbtest Tatiana.gif
generated three files rgbtest.{R,G,B} containing binary data.  Quite how they are to be used is not clear.

That is enough testing.  OK for 64-bits.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
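
The fields that `giftool -f "%v\n%w x %h"` and `giftext -c` print in the test above (version, screen size, colour resolution, bits per pixel, background, aspect, global colour map) come from the first 13 bytes of the file plus the global map that follows. The reader below is an added example, not giflib's code nor part of the comment: it parses exactly those fields from a constructed GIF89a byte string and checks every read against the buffer length, so a truncated or crafted file is rejected rather than read past its end, which is the class of defect the bounds-check fixes in this update address.

```c
/* Added example: bounds-checked reader for the GIF header, Logical Screen
 * Descriptor and Global Color Map (not giflib code). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    char version[4];        /* "87a" or "89a" */
    int width, height;
    int color_res;          /* ColorResolution as giftext reports it (1..8) */
    int bits_per_pixel;     /* BitsPerPixel: global map has 1 << bits entries */
    int background;         /* BackGround colour index */
    int aspect;             /* Aspect (pixel aspect ratio byte) */
    int has_gct;            /* "Has Global Color Map." */
    const uint8_t *gct;     /* points into the input buffer, or NULL */
    size_t gct_bytes;       /* 3 * (1 << bits_per_pixel) when has_gct */
} gif_screen;

/* Returns 0 on success, -1 if the data is not a GIF or is truncated. */
int gif_read_screen(const uint8_t *buf, size_t len, gif_screen *out)
{
    if (buf == NULL || out == NULL || len < 13) return -1;  /* header + LSD */
    if (memcmp(buf, "GIF", 3) != 0) return -1;
    if (memcmp(buf + 3, "87a", 3) != 0 && memcmp(buf + 3, "89a", 3) != 0)
        return -1;
    memcpy(out->version, buf + 3, 3);
    out->version[3] = '\0';
    out->width  = buf[6] | (buf[7] << 8);                   /* little-endian u16 */
    out->height = buf[8] | (buf[9] << 8);
    uint8_t packed = buf[10];
    out->has_gct        = (packed & 0x80) != 0;
    out->color_res      = ((packed >> 4) & 0x07) + 1;
    out->bits_per_pixel = (packed & 0x07) + 1;
    out->background     = buf[11];
    out->aspect         = buf[12];
    out->gct = NULL;
    out->gct_bytes = 0;
    if (out->has_gct) {
        out->gct_bytes = 3u * (1u << out->bits_per_pixel);
        if (len - 13 < out->gct_bytes) return -1;           /* map runs past EOF */
        out->gct = buf + 13;
    }
    return 0;
}

/* Constructed sample: GIF89a, 3x2 screen, 4-entry global map, background 1. */
const uint8_t sample_gif[] = {
    'G','I','F','8','9','a',
    0x03,0x00, 0x02,0x00,   /* width 3, height 2 */
    0xF1,                   /* GCT present, colour res 8, 2 bits -> 4 entries */
    0x01, 0x00,             /* background index 1, aspect 0 */
    0x04,0x04,0x04, 0x05,0x06,0x0a, 0x06,0x09,0x0c, 0x0b,0x05,0x02,
    0x3B                    /* trailer */
};
const size_t sample_gif_len = sizeof sample_gif;
```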

Dave Hodgins 2019-02-20 22:04:18 CET

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2019-02-20 23:19:55 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0096.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

